> From: owner-openssl-...@openssl.org On Behalf Of Kurt Roeckx via RT
> Sent: Thursday, September 11, 2014 13:12

> On Thu, Sep 11, 2014 at 09:32:26AM -0400, Salz, Rich wrote:
> > I think the bug is that we need to output a leading zero to avoid confusing the number as negative.
>
*On the wire* yes. For human display we can use plus/minus chars and I think we do (but don't have some 5280-invalid data handy to test)

> It's my understanding that for the encoding of the number without
> the leading 00 we need to go and add the 00 in front of it because
> we would otherwise create a negative number and those aren't allowed
> by RFC5280, so we would write that one with the leading 00. But I
> don't see a reason why the encoding can't have multiple leading 00s
> in it, and for instance always have a fixed size.
>
X.690 8.3.2.

> So the question is are serial numbers matched based on the number
> themselves or on the binary form? I can't find anything currently
> that says how to compare them, but I would actually expect that
> the binary representation should be the same. And if the binary
> representation is important, I think we should print the leading
> 00s if there are any.
>
Since they are defined in ASN.1 as integers, they should be compared as integers. asn1/x_crl.c does so.
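
The rule cited in the reply (X.690 8.3.2: when an INTEGER has more than one content octet, the first octet and bit 8 of the second must not be all zeros or all ones) and the difference between binary and integer matching of serial numbers, as an added example that is not part of the original message and is not OpenSSL code. The function names and the sample serial bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample serials (INTEGER content octets only, no tag/length). */
static const unsigned char serial_minimal[]  = {0x00, 0x8F, 0x01};
static const unsigned char serial_padded[]   = {0x00, 0x00, 0x00, 0x8F, 0x01};
static const unsigned char serial_negative[] = {0x8F, 0x01};

/* True when the first octet only repeats the sign bit of the second octet. */
static int redundant_lead(const unsigned char *p, size_t len)
{
    return len > 1 && ((p[0] == 0x00 && !(p[1] & 0x80)) ||
                       (p[0] == 0xFF &&  (p[1] & 0x80)));
}

/* X.690 8.3.2 check: 1 if the content octets are a valid minimal encoding. */
int int_is_minimal(const unsigned char *p, size_t len)
{
    return len > 0 && !redundant_lead(p, len);
}

/* Binary matching: the octet strings must be identical. */
int serial_equal_binary(const unsigned char *a, size_t alen,
                        const unsigned char *b, size_t blen)
{
    return alen == blen && memcmp(a, b, alen) == 0;
}

/* Integer matching: drop redundant sign octets, then compare what is left.
 * The minimal two's-complement form is unique, so equal bytes mean equal value. */
int serial_equal_value(const unsigned char *a, size_t alen,
                       const unsigned char *b, size_t blen)
{
    if (alen == 0 || blen == 0)
        return 0;                 /* an empty INTEGER is not a valid encoding */
    while (redundant_lead(a, alen)) { a++; alen--; }
    while (redundant_lead(b, blen)) { b++; blen--; }
    return serial_equal_binary(a, alen, b, blen);
}

int main(void)
{
    printf("padded is minimal: %d\n", int_is_minimal(serial_padded, sizeof serial_padded));
    printf("binary match:      %d\n", serial_equal_binary(serial_minimal, sizeof serial_minimal, serial_padded, sizeof serial_padded));
    printf("integer match:     %d\n", serial_equal_value(serial_minimal, sizeof serial_minimal, serial_padded, sizeof serial_padded));
    return 0;
}
```

The padded and minimal forms match as integers but not as octet strings, while dropping the single required 00 changes the value to a negative number.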