>> I have made the change you specified above and I am now passing the
>> above binary string. Now the x500UniqueIdentifier has the following
>> DER encoded value:
>> 03:06:00:A1:B2:C3:D4:E5
>> which contains a null Byte 0x00 in error before the 0xA1B2C3D4E5 value.
>> How can I remove the null Byte so that I can get the desired DER
>> encoded value instead? The value should be set to:
>> 03:05:A1:B2:C3:D4:E5
> Err no you don't want to remove the zero. That is the number of unused bits.
> If you set it to 0xA1 that would be illegal, it can take a value from 0-7
> only and in the case of a BIT STRING without named bits it will always take
> the value 0.
Now that I think about it, you are correct. It is the same problem that occurs with the PKCS1 signature in a certificate, which is also a bitstring and also has a null character prepended before the RSA encrypted value. I guess the real problem is that the PKIX idiots decided to use bitstrings instead of octetstrings for signatures, unique identifiers, etc.! I cannot find any valid reason why they would do this. If it were up to me, I would replace all bitstrings containing unnamed bits with octetstrings, since they are only binary blobs of data. Thank you for your help Steve.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]
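The BIT STRING layout Steve describes (tag 0x03, length, then the unused-bits octet before the data), as an added example that is not part of the thread or of OpenSSL: a small encoder/decoder that produces 03:06:00:A1:B2:C3:D4:E5 from the five data bytes, rejects 03:05:A1:B2:C3:D4:E5 because 0xA1 is not a valid unused-bits count, and shows the OCTET STRING form for comparison. Function names and the sample bytes are my own choices.

```python
"""Minimal DER BIT STRING / OCTET STRING encoder and decoder (added example)."""

def _der_length(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_bit_string(data: bytes, unused_bits: int = 0) -> bytes:
    """BIT STRING: tag 0x03, length, unused-bits octet (0..7), then the bits.
    A whole-byte blob (signature, x500UniqueIdentifier) always uses 0."""
    if not 0 <= unused_bits <= 7:
        raise ValueError("unused-bits octet must be 0..7")
    content = bytes([unused_bits]) + data
    return b"\x03" + _der_length(len(content)) + content

def encode_octet_string(data: bytes) -> bytes:
    """OCTET STRING: tag 0x04, length, data; no unused-bits octet at all."""
    return b"\x04" + _der_length(len(data)) + data

def decode_bit_string(der: bytes):
    """Return (unused_bits, data) for one DER BIT STRING, or raise ValueError."""
    if len(der) < 2 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    first, pos = der[1], 2
    if first < 0x80:
        length = first
    else:  # long form: low 7 bits give the number of length octets
        nbytes = first & 0x7F
        length = int.from_bytes(der[pos:pos + nbytes], "big")
        pos += nbytes
    content = der[pos:pos + length]
    if len(content) != length or pos + length != len(der):
        raise ValueError("length does not match the available bytes")
    if not content:
        raise ValueError("BIT STRING must carry the unused-bits octet")
    unused, data = content[0], content[1:]
    if unused > 7:  # 03:05:A1:... from the thread fails here: 0xA1 is not 0..7
        raise ValueError(f"invalid unused-bits octet 0x{unused:02X}")
    if unused and (not data or data[-1] & ((1 << unused) - 1)):
        raise ValueError("DER requires the unused trailing bits to be zero")
    return unused, data

def hexdump(b: bytes) -> str:
    """Colon-separated hex, matching the dump format used in the thread."""
    return ":".join(f"{x:02X}" for x in b)
```

The same leading 0x00 appears in front of every certificate signature for the same reason, and a decoder that strips it will misread the signature by one byte.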
