Re: [OpenCA-Devel] CA Certificate serial number.

[Alexei Chetroi]

On Thu, Mar 24, 2005 at 04:08:43PM +0100, Michael Bell wrote:
> Date: Thu, 24 Mar 2005 16:08:43 +0100
> From: Michael Bell <[EMAIL PROTECTED]>
> Subject: Re: [OpenCA-Devel] CA Certificate serial number.
> 
> Alexei Chetroi wrote:
 [ snip ]

> The problem is a sprintf statement again. Can you fix this with Martin's 
> workaround too?
> 
>     $max = sprintf ("%lX", $max);
>     $max = "0".$max if (length ($max) % 2);
 yep, I've fixed this and posted diff to the list. Also need to fix
eximDownloadCAs in export-import.lib as I can tell.

> 
> If you can fix it then we could build a patch for crypto-utils.lib. 
> Perhaps we should create some extreme testcases for the new 
> testenvironment in the CVS head.
> 
> The problem is in fact really huge because we have to change perhaps our 
> complete database code. PKIX requires 20 byte serial numbers. We only 
> support today 8 byte integers. Does somebody know how lexical ordering 
> on integers work? Does it sort correctly?

  Are we talking about 32bit platforms :) It's funny, but perl's printf
is 32bits wide. Here's output of this small script:

for ($i=0; $i<4; $i++) {                                                        
        $val = 4294967294+$i;                                                   
        print "Hex of ".$val." is ";                                            
        printf ("%llX\n", $val);                                                
}                                                                               

Give's us:
Hex of 4294967294 is FFFFFFFE
Hex of 4294967295 is FFFFFFFF
Hex of 4294967296 is FFFFFFFF
Hex of 4294967297 is FFFFFFFF

And I don't think that lexical sorting of integers works as expected.
Perhaps we could serial numbers with heading zeros, sort them and remove
them in the output.

So far I've tried to issue certificate for RA admin, it fails with:
Error 6761
General Error Error while issuing Certificate to RA Administrator
(filename: /var/lib/openca/tmp/b6aeb51cd84562f3.req). OpenCA::OpenSSL
returns errocode 7731001 (OpenCA::OpenSSL->issueCert: Cannot create
X500::DN-object.).

In the mean time I was thinking, maybe we're trying to fix wrong problem.
What about taking serial number for the self signed CA cert from
crypto/serial file? 

  Best wishes

--
Alexei Chetroi

Smile... Tomorrow will be worse. (c) Murphy's Law


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
OpenCA-Devel mailing list
OpenCA-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-devel