Re: [openssl-users] Leading Zeros in ASN1_INTEGER?
Why not? This serial number could also be displayed as 3203232750, or 000BEED73EE, or 03203232750.

Regards,
Erwann Abalea

On 30 Jan 2017, at 11:03, Matthias Ballreich <matthias.ballre...@outlook.de> wrote:

Thanks for the explanation.

But why did Windows Cert Manager and Firefox Cert Manager show 00BEED73EE as serial number instead of BEED73EE (which openssl shows)?

From: openssl-users <openssl-users-boun...@openssl.org> on behalf of Viktor Dukhovni <openssl-us...@dukhovni.org>
Sent: Saturday, 28 January 2017 17:00:53
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Leading Zeros in ASN1_INTEGER?

> On Jan 28, 2017, at 10:01 AM, Matthias Ballreich <matthias.ballre...@outlook.de> wrote:
>
> Is it normal that OpenSSL removes the leading Zeros in an ASN1_INTEGER?
> I tried to read the Certificate Serial and the Certificate Serial in the
> AuthorityKeyID-Extension with C++, which works very well, but I noticed
> that OpenSSL removes the leading Zeros on it.
>
> The real ASN1-Value is: 00BEED73EE for example, but I got only BEED73EE.
> If I view the Certificate inside Microsoft Cert Tool (Certmgr.exe) the
> leading Zeros are listed there. Same on Firefox, if I import and view
> the Certificate there. So is this the correct way of handling inside
> OpenSSL or is it a bug?

Integers don't have leading zeros. Octet strings representing integers (in non-DER form) might have leading zeros, but you should not confuse the data type with its representation.

OpenSSL outputs the correct DER form of the serial *number* in certificates.

Leading zeros are needed in the DER representation of positive integers whose most significant nibble is in the range from 8 to F. Otherwise the leading bit would cause the integer to be interpreted as negative.

--
Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Leading Zeros in ASN1_INTEGER?
On Mon, Jan 30, 2017 at 5:03 AM, Matthias Ballreich wrote:
> Thanks for the explanation.
>
> But why did Windows Cert Manager and Firefox Cert Manager show 00BEED73EE as
> serial number instead of BEED73EE (which openssl shows)?

It's just a presentation detail. It appears Microsoft and Mozilla take the content octets of the ASN.1 integer and they hex encode it. OpenSSL appears to convert it into a binary number/big endian array and hex encodes it before presenting it to you.

Another tool could have turned it into a binary number and Base64 encoded it before presenting it to you.

The important detail is the underlying data. You can use tools like OpenSSL's asn1parse or Gutmann's dumpasn1 to see the raw data, if needed.

Jeff
Re: [openssl-users] Leading Zeros in ASN1_INTEGER?
Thanks for the explanation.

But why did Windows Cert Manager and Firefox Cert Manager show 00BEED73EE as serial number instead of BEED73EE (which openssl shows)?

From: openssl-users on behalf of Viktor Dukhovni
Sent: Saturday, 28 January 2017 17:00:53
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Leading Zeros in ASN1_INTEGER?

> On Jan 28, 2017, at 10:01 AM, Matthias Ballreich wrote:
>
> Is it normal that OpenSSL removes the leading Zeros in an ASN1_INTEGER?
> I tried to read the Certificate Serial and the Certificate Serial in the
> AuthorityKeyID-Extension with C++, which works very well, but I noticed
> that OpenSSL removes the leading Zeros on it.
>
> The real ASN1-Value is: 00BEED73EE for example, but I got only BEED73EE.
> If I view the Certificate inside Microsoft Cert Tool (Certmgr.exe) the
> leading Zeros are listed there. Same on Firefox, if I import and view
> the Certificate there. So is this the correct way of handling inside
> OpenSSL or is it a bug?

Integers don't have leading zeros. Octet strings representing integers (in non-DER form) might have leading zeros, but you should not confuse the data type with its representation.

OpenSSL outputs the correct DER form of the serial *number* in certificates.

Leading zeros are needed in the DER representation of positive integers whose most significant nibble is in the range from 8 to F. Otherwise the leading bit would cause the integer to be interpreted as negative.

--
Viktor.
Re: [openssl-users] Leading Zeros in ASN1_INTEGER?
> On Jan 28, 2017, at 10:01 AM, Matthias Ballreich wrote:
>
> Is it normal that OpenSSL removes the leading Zeros in an ASN1_INTEGER?
> I tried to read the Certificate Serial and the Certificate Serial in the
> AuthorityKeyID-Extension with C++, which works very well, but I noticed
> that OpenSSL removes the leading Zeros on it.
>
> The real ASN1-Value is: 00BEED73EE for example, but I got only BEED73EE.
> If I view the Certificate inside Microsoft Cert Tool (Certmgr.exe) the
> leading Zeros are listed there. Same on Firefox, if I import and view
> the Certificate there. So is this the correct way of handling inside
> OpenSSL or is it a bug?

Integers don't have leading zeros. Octet strings representing integers (in non-DER form) might have leading zeros, but you should not confuse the data type with its representation.

OpenSSL outputs the correct DER form of the serial *number* in certificates.

Leading zeros are needed in the DER representation of positive integers whose most significant nibble is in the range from 8 to F. Otherwise the leading bit would cause the integer to be interpreted as negative.

--
Viktor.
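
The sign-pad rule from the reply above and the two displays discussed in this thread, as an added example that is not part of any message here and is not OpenSSL code. The function names `der_encode_uint` and `der_int_hex` are hypothetical, the code uses no libcrypto calls, and it handles short-form lengths only.

```c
#include <stdio.h>
#include <string.h>

/* DER-encode a non-negative big-endian magnitude as INTEGER (tag 0x02),
 * short-form length only. Returns bytes written, or 0 on error. */
size_t der_encode_uint(const unsigned char *mag, size_t n,
                       unsigned char *out, size_t cap) {
    if (n == 0) return 0;
    while (n > 1 && mag[0] == 0x00) { mag++; n--; }  /* drop redundant zeros */
    size_t pad = (mag[0] & 0x80) ? 1 : 0;  /* top nibble 8..F: add 0x00 pad */
    if (n + pad > 127 || cap < 2 + pad + n) return 0;
    out[0] = 0x02;
    out[1] = (unsigned char)(n + pad);
    if (pad) out[2] = 0x00;
    memcpy(out + 2 + pad, mag, n);
    return 2 + pad + n;
}

/* Hex of a DER INTEGER. keep_pad=1: content octets as stored, sign pad
 * included (the 00BEED73EE view). keep_pad=0: the non-negative number
 * itself, pad dropped (the BEED73EE view). out must hold 2*len chars.
 * Rejects a redundant leading 0x00. Returns 0 on success, -1 on error. */
int der_int_hex(const unsigned char *der, size_t len, int keep_pad, char *out) {
    if (len < 3 || der[0] != 0x02 || der[1] >= 0x80 || der[1] + 2u != len)
        return -1;
    const unsigned char *c = der + 2;
    size_t n = der[1];
    if (n > 1 && c[0] == 0x00 && !(c[1] & 0x80)) return -1;  /* not minimal */
    if (!keep_pad && (c[0] & 0x80)) return -1;               /* negative */
    if (!keep_pad && n > 1 && c[0] == 0x00) { c++; n--; }    /* drop sign pad */
    for (size_t i = 0; i < n; i++) sprintf(out + 2 * i, "%02X", c[i]);
    return 0;
}

int main(void) {
    const unsigned char serial[] = { 0xBE, 0xED, 0x73, 0xEE }; /* value from the thread */
    unsigned char der[16];
    char stored[32], number[32];
    size_t n = der_encode_uint(serial, sizeof serial, der, sizeof der);
    if (!n || der_int_hex(der, n, 1, stored) || der_int_hex(der, n, 0, number))
        return 1;
    printf("content octets: %s\nnumber:         %s\n", stored, number);
    return 0;
}
```

When comparing serial numbers taken from different tools, normalise both sides to the same view before matching, since the two strings name the same integer.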
[openssl-users] Leading Zeros in ASN1_INTEGER?
Hi there,

Is it normal that OpenSSL removes the leading Zeros in an ASN1_INTEGER? I tried to read the Certificate Serial and the Certificate Serial in the AuthorityKeyID-Extension with C++, which works very well, but I noticed that OpenSSL removes the leading Zeros on it.

The real ASN1-Value is: 00BEED73EE for example, but I got only BEED73EE. If I view the Certificate inside Microsoft Cert Tool (Certmgr.exe) the leading Zeros are listed there. Same on Firefox, if I import and view the Certificate there. So is this the correct way of handling inside OpenSSL or is it a bug? Is there a way to prevent that?

I’m using OpenSSL 1.0.2j.

Hope someone could explain it a little bit.

Thanks!