On 11/09/2014 19:12, Kurt Roeckx via RT wrote:
> On Thu, Sep 11, 2014 at 09:32:26AM -0400, Salz, Rich wrote:
>> I think the bug is that we need to output a leading zero to avoid confusing the
>> number as negative.
> It's my understanding that for the encoding of the number without
> the leading 00 we need to go and add the 00 in front of it because
> we would otherwise create a negative number and those aren't allowed
> by RFC5280, so we would write that one with the leading 00.  But I
> don't see a reason why the encoding can't have multiple leading 00s
> in it, and for instance always have a fixed size.

BER/DER states that the encoding of an INTEGER MUST use the smallest possible number of octets (X.690, section 8.3.2).

> So the question is are serial numbers matched based on the numbers
> themselves or on the binary form?  I can't find anything currently
> that says how to compare them, but I would actually expect that
> the binary representation should be the same.  And if the binary
> representation is important, I think we should print the leading
> 00s if there are any.

We're manipulating serial numbers, which are INTEGERs, not OCTET STRINGs.
The comparison/match is then a numeric one. Leading "00" isn't important for the comparison/match.

"openssl crl" should print a leading "00" to avoid confusion, but it's not really important.

--
Erwann ABALEA
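
As an added example (not code from this thread or from OpenSSL), the X.690 8.3.2 minimal-encoding rule discussed above and the numeric comparison of serials, in Python; the function names (`der_encode_integer`, `is_minimal_integer_body`, `der_decode_integer`, `serial_matches`) are my own.

```python
# Added example, not code from the thread or from OpenSSL: DER INTEGER
# encoding per X.690 8.3.2 and numeric (not octet-string) serial comparison.

def der_encode_integer(n: int) -> bytes:
    """Encode a non-negative int as a DER INTEGER (tag 0x02).
    X.690 8.3.2 wants the minimum number of content octets: a leading 0x00
    is allowed only when the next byte has its high bit set, since without
    it the two's-complement value would be negative (forbidden by RFC 5280)."""
    if n < 0:
        raise ValueError("RFC 5280 serial numbers must be non-negative")
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body        # the one leading zero that is required
    if len(body) >= 128:
        raise ValueError("long-form lengths not handled in this example")
    return b"\x02" + bytes([len(body)]) + body

def is_minimal_integer_body(body: bytes) -> bool:
    """True if the content octets are minimal (8.3.2): no redundant 0x00
    before a clear high bit, no redundant 0xFF before a set high bit."""
    if len(body) < 2:
        return True
    if body[0] == 0x00 and not body[1] & 0x80:
        return False
    if body[0] == 0xFF and body[1] & 0x80:
        return False
    return True

def der_decode_integer(data: bytes, strict: bool = True) -> int:
    """Decode an INTEGER TLV. strict=True rejects non-minimal (BER-style
    padded) encodings as a DER parser must; strict=False returns the value."""
    if len(data) < 3 or data[0] != 0x02:
        raise ValueError("not an INTEGER TLV")
    length = data[1]
    if length & 0x80 or len(data) != 2 + length:
        raise ValueError("bad or unsupported length")
    body = data[2:]
    if strict and not is_minimal_integer_body(body):
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(body, "big", signed=True)

def serial_matches(a: bytes, b: bytes) -> bool:
    """Match two encoded serials as INTEGER values, as the thread concludes:
    a padded 00 7F and a minimal 7F denote the same serial number."""
    return der_decode_integer(a, strict=False) == der_decode_integer(b, strict=False)
```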

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
