> From: owner-openssl-us...@openssl.org On Behalf Of Peter Sylvester
> Sent: Sunday, 29 August, 2010 05:44

> The encoding is invalid BER.
> The openssl is tolerant but also destructive in copy.
> whenever  you use openssl x509 -in -out ... you remove one 
> leading 0 octet.
> IMHO openssl should reject the cert because of invalid encoding.
> On 08/29/2010 04:17 AM, Mounir IDRASSI wrote:
> >  Hi,
> >
> > The problem you are encountering is partly caused by the 
> way OpenSSL 
> > handles integers whose DER encoded value starts with one or 
> more zeros 
> > : in this case, OpenSSL removes the leading zero when creating the 
> > corresponding ASN1_INTEGER structure thus leading to the fact that 
> > computed DER of this structure and the original one will be 
> different!!
> >
Nit: redundant leading 00 (or FF) in an INTEGER is VALID *B*ER 
but INVALID *D*ER. And signed things like certs are *D*ER 
for exactly this reason, so a reconstructed encoding is 
bit for bit identical and hashes and signatures etc. work.

OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to