Re: [OpenCA-Devel] CA Certificate serial number.

Fri, 25 Mar 2005 02:12:19 -0800 

On Thu, Mar 24, 2005 at 04:08:43PM +0100, Michael Bell wrote:
> Date: Thu, 24 Mar 2005 16:08:43 +0100
> From: Michael Bell <[EMAIL PROTECTED]>
> Subject: Re: [OpenCA-Devel] CA Certificate serial number.
> 
> Alexei Chetroi wrote:
 [snip]
> The problem is a sprintf statement again. Can you fix this with Martin's 
> workaround too?
> 
>     $max = sprintf ("%lX", $max);
>     $max = "0".$max if (length ($max) % 2);
> 
> If you can fix it then we could build a patch for crypto-utils.lib. 
> Perhaps we should create some extreme testcases for the new 
> testenvironment in the CVS head.
  I've already posted diff to the list, but it is incomplete. We should
also fix eximDownloadCAs in export-import.lib

> 
> The problem is in fact really huge because we have to change perhaps our 
> complete database code. PKIX requires 20 byte serial numbers. We only 
> support today 8 byte integers. Does somebody know how lexical ordering 
> on integers work? Does it sort correctly?

  It's funny, but printf is 32bits wide. So effectively we have 4 byte ints.
Here's output of this small script:

for ($i=0; $i<4; $i++) {
        $val = 4294967294+$i;
        print "Hex of ".$val." is ";
        printf ("%015llX\n", $val);
}

Gives us:
[lex.lexa]$ ./printf.pl 
Hex of 4294967294 is 0000000FFFFFFFE
Hex of 4294967295 is 0000000FFFFFFFF
Hex of 4294967296 is 0000000FFFFFFFF
Hex of 4294967297 is 0000000FFFFFFFF

  I don't think lexial sorting of integers works as expected, perhaps
for sorting, we could pad serials with heading zeros to fixed width,
sort them and strip them off in the output.

  In the mean time, I think we could remedy situation by taking serial
number for the self signed CA cert from the crypto/serial. What do you
think about it?

  Best wishes

--
Alexei Chetroi

Smile... Tomorrow will be worse. (c) Murphy's Law


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
OpenCA-Devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-devel

Reply via email to