[openssl-users] Leading Zeros in ASN1_INTEGER?

Erwann Abalea Erwann.Abalea at docusign.com
Mon Jan 30 10:25:49 UTC 2017 

Why not?

This serial number could also be displayed as 3203232750, or 000BEED73EE, or 03203232750.

Cordialement,
Erwann Abalea

Le 30 janv. 2017 à 11:03, Matthias Ballreich <matthias.ballreich at outlook.de<mailto:matthias.ballreich at outlook.de>> a écrit :

thanks for explanation.

But why did Windows Cert Manager and Firefox Cert Manager show 00BEED73EE as serial number instead of BEED73EE (which openssl shows)?

________________________________
Von: openssl-users <openssl-users-bounces at openssl.org<mailto:openssl-users-bounces at openssl.org>> im Auftrag von Viktor Dukhovni <openssl-users at dukhovni.org<mailto:openssl-users at dukhovni.org>>
Gesendet: Samstag, 28. Januar 2017 17:00:53
An: openssl-users at openssl.org<mailto:openssl-users at openssl.org>
Betreff: Re: [openssl-users] Leading Zeros in ASN1_INTEGER?


> On Jan 28, 2017, at 10:01 AM, Matthias Ballreich <matthias.ballreich at outlook.de<mailto:matthias.ballreich at outlook.de>> wrote:
>
> is it normal that OpenSSL removes the leading Zeros in an ASN1_INTEGER?
> I tried to read the Certificate Serial and the Certificate Serial in the
> AuthorityKeyID-Extension with C++, which works very well, but i noticed
> that OpenSSL removes the leading Zeros on it.
>
> The real ASN1-Value is: 00BEED73EE for example, but i got only BEED73EE.
> If i view the Certificate inside Microsoft Cert Tool (Certmgr.exe) the
> leading Zeros are listed there. Same on Firefox, if i Import and view
> the Certificate there. So is this the correct way of handling inside
> OpenSSL or is it a bug or?

Integers don't have leading zeros.  Octet strings representing integers
(in non-DER form) might have leading zeros, but you should not confuse
the data type with its representation.  OpenSSL outputs the correct DER
form of the serial *number* in certificates.

Leading zeros are needed in the DER representation of positive integers
whose most significant nibble is in the range from 8 to F.  Otherwise
the leading bit would cause the integer to be interpreted as negative.

--
        Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170130/c677b5b9/attachment.html>

More information about the openssl-users mailing list