Kyle, it's not required by the RFC, but it's required by X.209 (BER, Encoding of integer-values).
Regards
Thomas

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Kyle Hamilton
> Sent: Wednesday, 11 January 2006 15:22
> To: openssl-users@openssl.org
> Subject: Re: openssl can don't handle 20 Octes long Serial Numbers RFC 3280
>
> My belief is that the presentation should be as an octet
> string, as opposed to a string representation of an integer.
> Furthermore, serial numbers are unsigned, not signed, and
> generally increment.
>
> The problem is that the CA did not embed "00" before the
> serial number of the certificate it signed -- and, by RFC, it
> is not required to.
> The serial number should be presented to the user as an
> opaque string of hex bytes, not (as current) a translation
> into an integer.
>
> -Kyle H
>
> On 1/11/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >
> > Michael,
> >
> > OpenSSL is working correctly because "9a 38 74 00 00 00 00 25 be" is a
> > negative integer. If you precede your serial number with "00",
> > everything will work fine... even the presentation of your number with OpenSSL.
> >
> > Best regards
> >
> > Thomas
> >
> > ________________________________
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Bohn, Michael
> > Sent: Wednesday, 11 January 2006 07:20
> > To: openssl-users@openssl.org
> > Subject: openssl can don't handle 20 Octes long Serial Numbers RFC 3280
> >
> > Hi all,
> > sorry that I send the same e-mail again, but I didn't find any answer to
> > my last one.
> >
> > We have the case that openssl cannot handle long serial numbers.
> > In our case we have this Serial Nr. 9a 38 74 00 00 00 00 25 be, but
> > OpenSSL 0.9.7e 25 Oct 2004 prints this:
> >
> > openssl x509 -in file -noout -text
> > Certificate:
> >     Data:
> >         Version: 3 (0x2)
> >         Serial Number:
> >             (Negative)65:c7:8b:ff:ff:ff:ff:da:42
> >
> > Windows, Cisco and Mozilla can handle this SN without any problems.
> >
> > ################ RFC 3280 ############################
> >
> > RFC 3280     Internet X.509 Public Key Infrastructure     April 2002
> >
> >    Given the uniqueness requirements above, serial numbers can be
> >    expected to contain long integers. Certificate users MUST be able to
> >    handle serialNumber values up to 20 octets. Conformant CAs MUST NOT
> >    use serialNumber values longer than 20 octets.
> >
> > ###############################################################
> >
> > best regards
> >
> > Michael
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
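
The sign interpretation discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL's code: it decodes the serial's content octets as a two's-complement INTEGER, reproduces the "(Negative)" value quoted above, and checks a serial for the problems raised here. All function names are hypothetical, and the display format only imitates the line quoted in the thread.

```python
MAX_SERIAL_OCTETS = 20  # limit from the RFC 3280 text quoted in the thread


def decode_integer(content: bytes) -> int:
    """Read INTEGER content octets as BER/DER does: big-endian two's complement."""
    if not content:
        raise ValueError("an INTEGER needs at least one content octet")
    return int.from_bytes(content, "big", signed=True)


def encode_integer(value: int) -> bytes:
    """Shortest two's-complement content octets for value (the DER form)."""
    length = 1
    while True:
        try:
            return value.to_bytes(length, "big", signed=True)
        except OverflowError:
            length += 1  # value does not fit yet, try one more octet


def display(content: bytes) -> str:
    """Format the decoded value like the Serial Number line quoted in the thread."""
    value = decode_integer(content)
    magnitude = abs(value)
    raw = magnitude.to_bytes(max(1, (magnitude.bit_length() + 7) // 8), "big")
    return ("(Negative)" if value < 0 else "") + ":".join(f"{b:02x}" for b in raw)


def lint_serial(content: bytes) -> list:
    """Return the problems a relying party or CA test could flag for a serial."""
    problems = []
    value = decode_integer(content)
    if value < 0:
        problems.append("negative: high bit set without a leading 00 octet")
    if encode_integer(value) != content:
        problems.append("non-minimal encoding")
    if len(content) > MAX_SERIAL_OCTETS:
        problems.append("longer than 20 octets")
    return problems


# Content octets exactly as given in the thread, without and with the leading 00.
AS_ISSUED = bytes.fromhex("9a 38 74 00 00 00 00 25 be")
WITH_PAD = b"\x00" + AS_ISSUED

if __name__ == "__main__":
    for octets in (AS_ISSUED, WITH_PAD):
        print(octets.hex(":"), "->", display(octets), lint_serial(octets))
```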