[openssl-users] Certificate for RSA 2048 key says 2058
Ken Goldman
kgoldman at us.ibm.com
Wed Dec 27 22:45:23 UTC 2017
On 12/14/2017 1:34 PM, Viktor Dukhovni wrote:
>
>
>> On Dec 14, 2017, at 1:11 PM, Ken Goldman <kgoldman at us.ibm.com> wrote:
>>
>> I generate a key and self signed certificate like this:
>>
>>> openssl genrsa -out cakey.pem -aes256 -passout pass:rrrr 2048
>>> openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650
>>
>> When I dump the certificate, I see
>> ....
>> Subject Public Key Info:
>> Public Key Algorithm: rsaEncryption
>> Public-Key: (2058 bit)
>> Modulus:
>> 02:b1:4c:dd:59:4d:72:8d:93:4b:e5:07:89:53:f7:
>> ....
>>
>> Why 2058 - 10 extra bits? I know that, at times, ASN.1 DER needs an extra byte to make a number positive, but 10 bits?
>
> What version of OpenSSL is this? When I try this with OpenSSL 1.1.0 I get:
>
> $ openssl version
> OpenSSL 1.1.0h-dev xx XXX xxxx
>
> $ for i in $(seq 20); do openssl req -nodes -new -x509 -newkey rsa:2048 -keyout cakey.pem -out cacert.pem -days 3650 -subj "/CN=Root CA" 2>/dev/null; openssl x509 -text -in cacert.pem | grep 'Public-Key:'; done
> Public-Key: (2048 bit)
> Public-Key: (2048 bit)
> Public-Key: (2048 bit)
> Same results with master from git.
>
OpenSSL 1.0.1e-fips 11 Feb 2013 - and I get the same results as you for
1000's of passes. So, apparently, something strange happened to the one
key that I generated for my CA.
It feels like some random leading zero case, but I can't reproduce it
with another key.
More information about the openssl-users
mailing list