Fwd: ASN1_generate_nconf - incorrect integer encoding?

Matt Caswell matt at openssl.org
Tue Oct 1 16:06:46 UTC 2019

On 01/10/2019 16:30, Rafał Arciszewski wrote:
> Hi all,
> I am trying to use OpenSSL libraries (libssl-dev 1.0.2 or 1.1.1)  to encode
> integers into DER format.I am using ASN1_generate_nconf but it seems that this
> function incorrectly encodes integers. It should encode in two's complement
> format and should prepend 0x00 byte if the first byte of encoded integer is
> greater then 0x80. But it is not doing that.
> Here is my simple program where I check the length of encoded integer. For
> example for int = 128 the length should be 2. But the length is 2 beginning from
> int = 256.
> Am I using correct function or should I use different one?

I think you've misunderstood what the function actually does. It enables you to
create an ASN1_TYPE object based on an input string. An ASN1_TYPE object does
*not* give you the DER encoding of that object. It is an internal representation
of ASN1 data. You can convert it to DER using the i2d_ASN1_TYPE function:


If all you need to do is create a DER encoding of an INTEGER then
ASN1_generate_nconf() is probably overkill. Perhaps simpler would be to create
an ASN1_INTEGER object like this (untested and error checking omitted):

    ASN1_INTEGER *myval = ASN1_INTEGER_new();

    ASN1_INTEGER_set_uint64(myval, 123456);

You can then create the DER encoding of that INTEGER using the i2d_ASN1_INTEGER
function (on the same man page as above).


More information about the openssl-users mailing list