rfc5280 serialNumber question
Corey.Bonnell at digicert.com
Fri Jul 21 13:11:58 UTC 2023
Are you referring to the serialNumber field of a certificate, or the
serialNumber name attribute? The former is encoded as an ASN.1 INTEGER, not an
From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Robert
Sent: Friday, July 21, 2023 8:59 AM
To: openssl-users at openssl.org
Subject: rfc5280 serialNumber question
Per sec 18.104.22.168
Given the uniqueness requirements above, serial numbers can be
expected to contain long integers. Certificate users MUST be able to
handle serialNumber values up to 20 octets. Conforming CAs MUST NOT
use serialNumber values longer than 20 octets.
At some point some years ago it was pointed out here that serialNumber OID
encoding preappends 0x00 if the first bit is a 1.
Does this actually make the serialNumber a byte longer? Or is this only
encoding? Thus IF that first bit is a 1, obviously the OID value is a byte
longer. But when the serialNumber OID is decoded is this longer value
returned or the original value?
I am girding up to debate an implementation where the CP says serialNumber
MUST be unique, and their implementation uses a 20-byte SN. I don't think
they take care at all about the value of the 1st byte. I doubt in their
testing to date they have generated a SN in that range.
So how does the SN with the added byte get decoded?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 5257 bytes
Desc: not available
More information about the openssl-users