[openssl-users] Leading Zeros in ASN1_INTEGER?

Mon Jan 30 10:03:49 UTC 2017

thanks for explanation.

But why did Windows Cert Manager and Firefox Cert Manager show 00BEED73EE as serial number instead of BEED73EE (which openssl shows)?

________________________________
Von: openssl-users <openssl-users-bounces at openssl.org> im Auftrag von Viktor Dukhovni <openssl-users at dukhovni.org>
Gesendet: Samstag, 28. Januar 2017 17:00:53
An: openssl-users at openssl.org
Betreff: Re: [openssl-users] Leading Zeros in ASN1_INTEGER?

> On Jan 28, 2017, at 10:01 AM, Matthias Ballreich <matthias.ballreich at outlook.de> wrote:
>
> is it normal that OpenSSL removes the leading Zeros in an ASN1_INTEGER?
> I tried to read the Certificate Serial and the Certificate Serial in the
> AuthorityKeyID-Extension with C++, which works very well, but i noticed
> that OpenSSL removes the leading Zeros on it.
>
> The real ASN1-Value is: 00BEED73EE for example, but i got only BEED73EE.
> If i view the Certificate inside Microsoft Cert Tool (Certmgr.exe) the
> leading Zeros are listed there. Same on Firefox, if i Import and view
> the Certificate there. So is this the correct way of handling inside
> OpenSSL or is it a bug or?

Integers don't have leading zeros.  Octet strings representing integers
(in non-DER form) might have leading zeros, but you should not confuse
the data type with its representation.  OpenSSL outputs the correct DER
form of the serial *number* in certificates.

Leading zeros are needed in the DER representation of positive integers
whose most significant nibble is in the range from 8 to F.  Otherwise
the leading bit would cause the integer to be interpreted as negative.

--
        Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170130/e998b3f0/attachment-0001.html>