Ticket resolved. I ended up changing ca.c (and ocsp.c in 0.9.7 and up). The change will be visible in the next snapshot.
Thanks for the report and your patience.

[levitte - Tue Oct 8 12:29:23 2002]:

> [steve - Fri Aug 30 19:52:43 2002]:
>
> > [[EMAIL PROTECTED] - Mon Aug 26 10:33:29 2002]:
> >
> > > I found the solution: I just commented out the lines 675-676 in
> > > apps/ca.c - now everything works as expected.
> >
> > Since this just disables the check it isn't a good idea.
> >
> > The error message suggested that index.txt has somehow had an invalid
> > serial number written to it. What does your index.txt and your serial
> > file look like when you get this message?
> >
> > Steve.
>
> What happens is that if serial contains '00' when you sign, the
> DB_serial field in index.txt will end up containing '0', not '00'.
> The next time you try to sign a certificate, 'openssl ca' will
> notice that the DB_serial field has an incorrect length (the length
> should be a non-zero multiple of 2).
>
> The reason this happens is that BN_bn2hex has a special case when
> the bignum is 0: it gives you "0" back. In all other cases, the
> amount of hex digits will always be even.
>
> The question is, of course, if one should correct BN_bn2hex() to
> produce "00" for zero, or if ca.c should be changed to counter this
> misfeature. I'd like to make the correction in BN_bn2hex().
> Opinions?

--
Richard Levitte
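The failure described in the thread, as an added example that is not part of the original messages and is not OpenSSL code: `serial_to_hex` is a stand-in that models the zero special case attributed to BN_bn2hex(), `serial_field_ok` models the length check in 'openssl ca', and `serial_field_pad` is one hypothetical caller-side counter-measure. All function names are assumptions, and the thread does not show the change actually made to ca.c.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the BN_bn2hex() behaviour described in the thread: two hex
 * digits per byte, leading zero bytes dropped, but zero itself becomes "0". */
static void serial_to_hex(unsigned long v, char *out, size_t outsz)
{
    size_t o = 0;
    if (v == 0) { snprintf(out, outsz, "0"); return; }
    for (int shift = (int)(sizeof v * 8) - 8; shift >= 0; shift -= 8) {
        unsigned byte = (unsigned)((v >> shift) & 0xFF);
        if (o == 0 && byte == 0) continue;        /* skip leading zero bytes */
        if (o + 3 > outsz) break;                 /* keep room for the NUL */
        o += (size_t)snprintf(out + o, outsz - o, "%02X", byte);
    }
}

/* The check the thread describes in 'openssl ca': the serial field length
 * must be a non-zero multiple of 2. */
static int serial_field_ok(const char *field)
{
    size_t n = strlen(field);
    return n != 0 && n % 2 == 0;
}

/* Hypothetical caller-side counter-measure: left-pad an odd-length string
 * with one '0' before it is written to the database. */
static void serial_field_pad(const char *hex, char *out, size_t outsz)
{
    snprintf(out, outsz, "%s%s", strlen(hex) % 2 ? "0" : "", hex);
}

/* Would the next 'openssl ca' run accept the field written for this serial? */
static int field_accepted(unsigned long serial, int pad)
{
    char hex[32], field[34];
    serial_to_hex(serial, hex, sizeof hex);
    if (pad) serial_field_pad(hex, field, sizeof field);
    return serial_field_ok(pad ? field : hex);
}

int main(void)
{
    unsigned long s[] = { 0x00, 0x01, 0x100 };    /* constructed sample serials */
    for (size_t i = 0; i < 3; i++)
        printf("serial %#lx: raw ok=%d, padded ok=%d\n", s[i],
               field_accepted(s[i], 0), field_accepted(s[i], 1));
    return 0;
}
```

Only serial 0 produces a field the check rejects; padding at the writer keeps the check in place instead of commenting it out.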