Re: [openssl-users] Leading Zeros in ASN1_INTEGER?

2017-01-30 Thread Erwann Abalea
Why not?

This serial number could also be displayed as 3203232750, or 000BEED73EE, or 
03203232750.

Regards,
Erwann Abalea

On 30 Jan 2017, at 11:03, Matthias Ballreich
<matthias.ballre...@outlook.de> wrote:

Thanks for the explanation.

But why did Windows Cert Manager and Firefox Cert Manager show 00BEED73EE as 
serial number instead of BEED73EE (which openssl shows)?


From: openssl-users <openssl-users-boun...@openssl.org> on behalf of Viktor
Dukhovni <openssl-us...@dukhovni.org>
Sent: Saturday, 28 January 2017 17:00:53
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Leading Zeros in ASN1_INTEGER?


> On Jan 28, 2017, at 10:01 AM, Matthias Ballreich
> <matthias.ballre...@outlook.de> wrote:
>
> Is it normal that OpenSSL removes the leading Zeros in an ASN1_INTEGER?
> I tried to read the Certificate Serial and the Certificate Serial in the
> AuthorityKeyID-Extension with C++, which works very well, but I noticed
> that OpenSSL removes the leading Zeros on it.
>
> The real ASN1-Value is: 00BEED73EE for example, but I got only BEED73EE.
> If I view the Certificate inside Microsoft Cert Tool (Certmgr.exe) the
> leading Zeros are listed there. Same on Firefox, if I import and view
> the Certificate there. So is this the correct way of handling inside
> OpenSSL or is it a bug?

Integers don't have leading zeros.  Octet strings representing integers
(in non-DER form) might have leading zeros, but you should not confuse
the data type with its representation.  OpenSSL outputs the correct DER
form of the serial *number* in certificates.

Leading zeros are needed in the DER representation of positive integers
whose most significant nibble is in the range from 8 to F.  Otherwise
the leading bit would cause the integer to be interpreted as negative.

--
Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Leading Zeros in ASN1_INTEGER?

2017-01-30 Thread Jeffrey Walton
On Mon, Jan 30, 2017 at 5:03 AM, Matthias Ballreich wrote:
> Thanks for the explanation.
>
> But why did Windows Cert Manager and Firefox Cert Manager show 00BEED73EE as
> serial number instead of BEED73EE (which openssl shows)?

It's just a presentation detail. It appears Microsoft and Mozilla take
the content octets of the ASN.1 integer and hex encode them.
OpenSSL appears to convert it into a binary number/big-endian
array and hex encode it before presenting it to you.

Another tool could have turned it into a binary number and Base64
encoded it before presenting it to you.

The important detail is the underlying data. You can use tools like
OpenSSL's asn1parse or Gutmann's dumpasn1 to see the raw data, if
needed.

Jeff


Re: [openssl-users] Leading Zeros in ASN1_INTEGER?

2017-01-30 Thread Matthias Ballreich
Thanks for the explanation.


But why did Windows Cert Manager and Firefox Cert Manager show 00BEED73EE as 
serial number instead of BEED73EE (which openssl shows)?



From: openssl-users <openssl-users-boun...@openssl.org> on behalf of Viktor
Dukhovni <openssl-us...@dukhovni.org>
Sent: Saturday, 28 January 2017 17:00:53
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Leading Zeros in ASN1_INTEGER?


> On Jan 28, 2017, at 10:01 AM, Matthias Ballreich
> <matthias.ballre...@outlook.de> wrote:
>
> Is it normal that OpenSSL removes the leading Zeros in an ASN1_INTEGER?
> I tried to read the Certificate Serial and the Certificate Serial in the
> AuthorityKeyID-Extension with C++, which works very well, but I noticed
> that OpenSSL removes the leading Zeros on it.
>
> The real ASN1-Value is: 00BEED73EE for example, but I got only BEED73EE.
> If I view the Certificate inside Microsoft Cert Tool (Certmgr.exe) the
> leading Zeros are listed there. Same on Firefox, if I import and view
> the Certificate there. So is this the correct way of handling inside
> OpenSSL or is it a bug?

Integers don't have leading zeros.  Octet strings representing integers
(in non-DER form) might have leading zeros, but you should not confuse
the data type with its representation.  OpenSSL outputs the correct DER
form of the serial *number* in certificates.

Leading zeros are needed in the DER representation of positive integers
whose most significant nibble is in the range from 8 to F.  Otherwise
the leading bit would cause the integer to be interpreted as negative.

--
Viktor.



Re: [openssl-users] Leading Zeros in ASN1_INTEGER?

2017-01-28 Thread Viktor Dukhovni

> On Jan 28, 2017, at 10:01 AM, Matthias Ballreich wrote:
>
> Is it normal that OpenSSL removes the leading Zeros in an ASN1_INTEGER?
> I tried to read the Certificate Serial and the Certificate Serial in the
> AuthorityKeyID-Extension with C++, which works very well, but I noticed
> that OpenSSL removes the leading Zeros on it.
>
> The real ASN1-Value is: 00BEED73EE for example, but I got only BEED73EE.
> If I view the Certificate inside Microsoft Cert Tool (Certmgr.exe) the
> leading Zeros are listed there. Same on Firefox, if I import and view
> the Certificate there. So is this the correct way of handling inside
> OpenSSL or is it a bug?

Integers don't have leading zeros.  Octet strings representing integers
(in non-DER form) might have leading zeros, but you should not confuse
the data type with its representation.  OpenSSL outputs the correct DER
form of the serial *number* in certificates.

Leading zeros are needed in the DER representation of positive integers
whose most significant nibble is in the range from 8 to F.  Otherwise
the leading bit would cause the integer to be interpreted as negative.

-- 
Viktor.
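
The sign-padding rule explained above, and the two displays discussed in the other replies, as an added example that is not part of the original thread and is not OpenSSL code. The function names `der_int_encode` and `der_int_decode` are hypothetical, and the sketch assumes the value fits in 64 bits (real serial numbers can be longer). It prints the content octets (00BEED73EE) next to the integer value (BEED73EE, decimal 3203232750):

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encode a non-negative value as DER INTEGER content octets (minimal
 * big-endian two's complement). Returns the octet count, 1 to 9. */
size_t der_int_encode(uint64_t v, unsigned char out[9])
{
    unsigned char mag[8];
    size_t n = 0, pad;
    for (int i = 7; i >= 0; i--) {
        unsigned char b = (unsigned char)(v >> (8 * i));
        if (n || b || i == 0) mag[n++] = b;  /* drop leading zero octets */
    }
    pad = (mag[0] & 0x80) ? 1 : 0;  /* top bit set: 00 keeps it positive */
    out[0] = 0x00;
    memcpy(out + pad, mag, n);
    return pad + n;
}

/* Decode DER INTEGER content octets to a non-negative value. Returns 0,
 * or -1 for empty, negative, non-minimal or wider-than-64-bit input. */
int der_int_decode(const unsigned char *c, size_t len, uint64_t *v)
{
    if (len == 0 || (c[0] & 0x80))
        return -1;                  /* empty, or sign bit set */
    if (len > 1 && c[0] == 0x00) {
        if (!(c[1] & 0x80)) return -1;  /* redundant zero: not DER */
        c++; len--;                 /* strip the sign pad */
    }
    if (len > 8) return -1;
    *v = 0;
    for (size_t i = 0; i < len; i++)
        *v = (*v << 8) | c[i];
    return 0;
}

int main(void)
{
    unsigned char buf[9];
    uint64_t v = 0;
    size_t n = der_int_encode(0xBEED73EEULL, buf);  /* serial from the thread */
    printf("content octets: ");
    for (size_t i = 0; i < n; i++)
        printf("%02X", buf[i]);
    if (der_int_decode(buf, n, &v) == 0)
        printf("\nvalue: hex %llX, decimal %llu\n",
               (unsigned long long)v, (unsigned long long)v);
    return 0;
}
```

When comparing serial numbers reported by different tools, compare the decoded value (or normalise both strings by stripping the sign pad) rather than the displayed hex strings.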



[openssl-users] Leading Zeros in ASN1_INTEGER?

2017-01-28 Thread Matthias Ballreich
Hi there,

Is it normal that OpenSSL removes the leading Zeros in an ASN1_INTEGER?
I tried to read the Certificate Serial and the Certificate Serial in the
AuthorityKeyID-Extension with C++, which works very well, but I noticed that
OpenSSL removes the leading Zeros on it.
The real ASN1-Value is: 00BEED73EE for example, but I got only BEED73EE.
If I view the Certificate inside Microsoft Cert Tool (Certmgr.exe) the leading
Zeros are listed there. Same on Firefox, if I import and view the Certificate
there.
So is this the correct way of handling inside OpenSSL or is it a bug?

Is there a way to prevent that?

I'm using OpenSSL 1.0.2j.

Hope someone could explain it a little bit.
Thanks!