[openssl-users] Modulus field in text display of a certificate
Jakob Bohm
jb-openssl at wisemo.com
Sat Apr 4 05:18:54 UTC 2015
On 04/04/2015 04:07, Mabry Tyson wrote:
> I happened to notice what seems to be an output glitch in the textual
> output of a certificate.
>
> I received a copy of the QuoVadis Root CA 2 certificate as a file.
> When I examined the certificate via
> openssl x509 -text -in /tmp/QV.cer (using OpenSSL 1.0.1 14 Mar
> 2012 as installed in Ubuntu 14.04)
> I noticed an extra first zero byte of the Modulus was shown, as
> compared to the display of that certificate in Firefox.
>
>> Certificate:
>> Data:
>> Version: 3 (0x2)
>> Serial Number: 1289 (0x509)
>> Signature Algorithm: sha1WithRSAEncryption
>> Issuer: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2
>> ...
>> Subject Public Key Info:
>> Public Key Algorithm: rsaEncryption
>> Public-Key: (4096 bit)
>> Modulus:
>> 00:9a:18:ca:4b:94:0d:00:2d:af:03:29:8a:f0:0f:
>> ...
>> 09:62:04:92:16:10:d8:9e:27:47:fb:3b:21:e3:f8:
>> eb:1d:5b
> I believe there should be 4096/8 = 512 bytes in that modulus. There
> are 15 bytes shown per line. 512/15 = 34 with a remainder of 2. This
> output shows 513 bytes (34 lines plus a remainder of 3).
>
>
This is a consequence of the ASN.1 DER/BER encoding rules:
All INTEGER fields are signed, so when the most significant
bit of a 2048 bit value is set, then it needs to be encoded
and processed with an extra leading 0 byte.
OpenSSL displays that leading 0 byte, while NSS (used by
Firefox) apparently hides it.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
More information about the openssl-users
mailing list