On Fri, Mar 25, 2005 at 12:13:58PM +0200, Alexei Chetroi wrote:
> Date: Fri, 25 Mar 2005 12:13:58 +0200
> From: Alexei Chetroi <[EMAIL PROTECTED]>
> User-Agent: Mutt/1.5.6+20040907i
> To: [email protected]
> Reply-To: [email protected]
> Subject: Re: [OpenCA-Devel] CA Certificate serial number.
>
> On Thu, Mar 24, 2005 at 04:08:43PM +0100, Michael Bell wrote:
> > Date: Thu, 24 Mar 2005 16:08:43 +0100
> > From: Michael Bell <[EMAIL PROTECTED]>
> > Subject: Re: [OpenCA-Devel] CA Certificate serial number.
> >
> > Alexei Chetroi wrote:
> [snip]
>
> > If you can fix it then we could build a patch for crypto-utils.lib.
> > Perhaps we should create some extreme testcases for the new
> > testenvironment in the CVS head.
> >
> > The problem is in fact really huge because we have to change perhaps our
> > complete database code. PKIX requires 20 byte serial numbers. We only
> > support today 8 byte integers. Does somebody know how lexical ordering
> > on integers work? Does it sort correctly?
>
> I've tried to issue certificate for the RA admin. It fails with:
> Error 6761
> General Error Error while issuing Certificate to RA Administrator
> (filename: /var/lib/openca/tmp/b6aeb51cd84562f3.req).
> OpenCA::OpenSSL returns errocode 7731001
> (OpenCA::OpenSSL->issueCert: Cannot create X500::DN-object.).
>
> Any ideas what is wrong?

I know what is wrong :)

Integer overflow in hexadecimal number at /usr/share/openca/functions/crypto-utils.lib line 705.
OpenCA::OpenSSL->setParams: key: CONFIG
OpenCA::OpenSSL->setParams: value: /etc/openca/openssl/openssl/RA_Operator.conf
OpenCA::OpenSSL->issueCert: subject_rfc2253: serialNumber=1.31636578963427e+19, CN=RA Administrator, OU=Trustcenter, O=Uniflux-Line, C=MD
OpenCA::OpenSSL->issueCert: subject parsed by X500::DN
OpenCA::OpenSSL->issueCert: cannot create X500::DN-object
OpenCA::OpenSSL->setError: errno: 7731001
OpenCA::OpenSSL->setError: errval: OpenCA::OpenSSL->issueCert: Cannot create X500::DN-object.
OpenCA::Tools->copyFiles: variable dump

Do we really need serial numbers of 20 octets? On the other hand, I still
remember Billy saying: "640KB is plenty of RAM and we won't ever need more
than that" :)

--
Alexei Chetroi

Smile... Tomorrow will be worse. (c) Murphy's Law
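
The failure in the log above (a hex serial turning into `1.31636578963427e+19` inside the subject DN) can be reproduced and avoided as follows. This is an added example, not code from OpenCA or from the message author; `serial_hex_to_dec`, `serial_hex_to_dec_lossy` and the sample serials are constructed for illustration, and what line 705 of crypto-utils.lib actually does is not shown in the thread.

```perl
#!/usr/bin/perl
# Added example, not OpenCA code. Serial values below are constructed samples.
use strict;
use warnings;
use Math::BigInt;

# Hypothetical helper: hex serial -> exact decimal string.
# Returns undef unless the input is a positive integer of at most 20 octets.
sub serial_hex_to_dec {
    my ($hex) = @_;
    return undef unless defined $hex;
    $hex =~ s/\A0x//i;                  # optional 0x prefix
    $hex =~ tr/://d;                    # accept colon-separated form "01:AB:..."
    return undef unless $hex =~ /\A[0-9A-Fa-f]+\z/;
    $hex =~ s/\A0+(?=.)//;              # drop leading zeros, keep a lone "0"
    return undef if length($hex) > 40;  # more than 20 octets
    my $n = Math::BigInt->new("0x$hex");
    return undef if $n->is_nan || $n->is_zero;
    return $n->bstr;                    # plain digits, never "1.3e+19"
}

# Lossy path for comparison: hex() goes through a native number and falls
# back to a floating-point approximation once the value no longer fits.
sub serial_hex_to_dec_lossy {
    my ($hex) = @_;
    no warnings qw(overflow portable);  # silence "Integer overflow in hexadecimal number"
    return "" . hex($hex);
}

my @samples = (
    "7FFFFFFF",                                   # fits in 32 bits
    "FFFFFFFFFFFFFFFF",                           # 8 octets
    "0123456789ABCDEF0123456789ABCDEF01234567",   # 20 octets
    "00:FF:FF:FF:FF:FF:FF:FF:FF:FF",              # 9 octets, colon form
    "not-a-serial",                               # rejected
);

for my $s (@samples) {
    my $exact = serial_hex_to_dec($s);
    (my $plain = $s) =~ tr/://d;
    my $lossy = $plain =~ /\A[0-9A-Fa-f]+\z/ ? serial_hex_to_dec_lossy($plain) : "n/a";
    printf "%-42s exact=%s lossy=%s\n", $s, defined $exact ? $exact : "(rejected)", $lossy;
}
```

Where the lossy column starts to diverge depends on the integer width perl was built with: above 4 octets on a 32-bit integer build, above 8 octets on a 64-bit one.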
