[EXTERNAL] Re: rfc5280 serialNumber question.

Robert Moskowitz rgm at htt-consult.com
Fri Jul 21 18:45:00 UTC 2023 

Ah, as Viktor pointed out asn1parse is not quite lying, but hiding the 
truth.

I don't have any examples of a SN starting with less than 0x80...

OK, but basically there is that extra byte in there so where we are 
counting bytes over highly constrained links it matters, but it does not 
impact adhering to 5280 rules on SN length.

thanks

On 7/21/23 14:20, Erwann Abalea wrote:
> On 8 bits, if the highest bit is set to 1, then the value is between 
> 0x80 and 0xFF.
> In your examples, the highest octet of the integer has its highest bit 
> set (0xFE in the first example, 0xAE in the second), and therefore the 
> DR encoding added a heading 00, making the real length 9 octets (l=9 
> on third column).
>
>
>
> On Fri, Jul 21, 2023 at 8:00 PM Robert Moskowitz <rgm at htt-consult.com> 
> wrote:
>
>     I looked at a couple of certs.  I might think that if the first
>     hex is
>     "F" then the 1st bit is 1, but:
>
>
>
>          8:d=2  hl=2 l=   3 cons:   cont [ 0 ]
>         10:d=3  hl=2 l=   1 prim:    INTEGER           :02
>         13:d=2  hl=2 l=   9 prim:   INTEGER :FE0E6F3753087370
>
>          8:d=2  hl=2 l=   3 cons:   cont [ 0 ]
>         10:d=3  hl=2 l=   1 prim:    INTEGER           :02
>         13:d=2  hl=2 l=   9 prim:   INTEGER :AEB77AEE2A3CBCD3
>
>
>     I am not seeing a difference in the serialNumber field length.
>
>     On 7/21/23 08:58, Robert Moskowitz wrote:
>     > Per sec 4.1.2.2
>     >
>     >    Given the uniqueness requirements above, serial numbers can be
>     >    expected to contain long integers.  Certificate users MUST be
>     able to
>     >    handle serialNumber values up to 20 octets. Conforming CAs
>     MUST NOT
>     >    use serialNumber values longer than 20 octets.
>     >
>     >
>     > At some point some years ago it was pointed out here that
>     serialNumber
>     > OID encoding preappends 0x00 if the first bit is a 1.
>     >
>     > Does this actually make the serialNumber a byte longer? Or is this
>     > only encoding?  Thus IF that first bit is a 1, obviously the OID
>     value
>     > is a byte longer.  But when the serialNumber OID is decoded is this
>     > longer value returned or the original value?
>     >
>     >
>     > I am girding up to debate an implementation where the CP says
>     > serialNumber MUST be unique, and their implementation uses a
>     20-byte
>     > SN.  I don't think they take care at all about the value of the 1st
>     > byte.  I doubt in their testing to date they have generated a SN in
>     > that range.
>     >
>     > So how does the SN with the added byte get decoded?
>     >
>     > thanks
>     >
>     >
>
>
>
> -- 
> Cordialement,
> Erwann Abalea.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20230721/c7d734e9/attachment.htm>

More information about the openssl-users mailing list