Hello, I have a bug report for OpenSSL 0.9.8o 01 Jun 2010 (latest stable for Debian Squeeze)
OpenSSL has problems encoding OIDs which are at the border of the 32-bit range. I tested encoding several OIDs in the "new_oids" section to generate attributes.

- OpenSSL encodes the OID 2.999.4294967295 (4294967295 = 2^32-1) correctly.
- OpenSSL encodes the OID 2.999.4294967296 (4294967296 = 2^32) into "06 03 88 37 00" which is 2.999.0 !
- OpenSSL encodes the OID 2.999.4294967297 (4294967297 = 2^32+1) into "06 03 88 37 01" which is 2.999.1 !

This seems to be a bug and not a range limitation, since OpenSSL can successfully create certificates with 64-, 128-, 256-, 512- and even 1024-bit OIDs!! (Which is amazing compared to the Windows CryptoAPI Shell Extensions which are limited to 64 bits.)

Please note that only the CREATION of such a certificate/attribute is buggy. When I edit the faulty certificate with a hex editor and then list it with "-text -noout", the value "06 07 88 37 90 80 80 80 00" decodes successfully to 2.999.4294967296, and "06 07 88 37 90 80 80 80 01" decodes successfully to 2.999.4294967297.

Best regards
Daniel Marschall

----

Appendix: How to reproduce:

File myconf.cnf:

    [ new_oids ]
    testBase32_minus1=2.999.4294967295
    testBase32=2.999.4294967296
    testBase32_plus1=2.999.4294967297

File myscript.sh:

    #!/bin/sh
    openssl genrsa -out private.key 512
    openssl req -new -batch -sha1 -key private.key -out request.pem -config myconf.cnf -subj "/testBase32_minus1=Test 4294967295/testBase32=Test 4294967296/testBase32_plus1=Test 4294967297"
    openssl req -in request.pem -noout -text
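
Added example, not part of the original report and not OpenSSL code: a small C encoder for the DER OID encoding the report quotes. The wrap32 switch is an assumed model of the symptom (each arc reduced modulo 2^32); it reproduces the reported bytes but is not a confirmed root cause. The names encode_oid and put_base128 are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Write one arc in base 128; every byte but the last has the high bit set. */
static size_t put_base128(uint64_t v, unsigned char *out)
{
    unsigned char tmp[10];
    size_t n = 0, i;
    do { tmp[n++] = (unsigned char)(v & 0x7f); v >>= 7; } while (v);
    for (i = 0; i < n; i++)
        out[i] = tmp[n - 1 - i] | (i + 1 < n ? 0x80 : 0);
    return n;
}

/* DER-encode a dotted OID (tag 06, short length, body); returns bytes written
 * or 0 on error. wrap32 != 0 reduces each arc modulo 2^32 first: an ASSUMED
 * model of the reported output. Arcs above 64 bits are not handled here. */
size_t encode_oid(const char *s, int wrap32, unsigned char *out, size_t cap)
{
    unsigned char body[127]; char *end;
    size_t len = 0; int idx = 0;
    uint64_t first = 0;
    for (; *s; idx++) {
        uint64_t arc = strtoull(s, &end, 10);
        if (end == s || (*end && *end != '.')) return 0;
        if (wrap32) arc = (uint32_t)arc;
        if (idx == 0 && arc > 2) return 0;    /* root arc is 0, 1 or 2 */
        if (idx == 0) first = arc;
        if (idx == 1) arc += 40 * first;      /* first two arcs share one value */
        if (idx >= 1 && len + 10 > sizeof body) return 0;
        if (idx >= 1) len += put_base128(arc, body + len);
        s = *end ? end + 1 : end;
    }
    if (idx < 2 || len + 2 > cap) return 0;
    out[0] = 0x06; out[1] = (unsigned char)len;
    memcpy(out + 2, body, len);
    return len + 2;
}

int main(void)
{
    unsigned char der[64];
    size_t i, n = encode_oid("2.999.4294967296", 1, der, sizeof der);
    for (i = 0; i < n; i++) printf("%02X ", der[i]);   /* 06 03 88 37 00 */
    putchar('\n');
    return 0;
}
```

Comparing the wrap32 output with the full-width output for any OID before trusting a generated request shows whether an arc was silently shortened.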
