> Alright, there's a SEVERE disconnect here versus the description of an
> integer as described in the thread "openssl can don't handle 20 Octets
> long Serial Numbers RFC 3280".


If you think there's a disconnect, you are confused.

> This needs to be rectified soonest.


There is no disconnect.

For a negative number, prefixing it with a zero-byte changes the meaning,
because the most significant bit is the sign bit. For a positive number,
adding a zero-byte to the beginning does not change the value. However, the
DER specification requires you to encode an integer in as few bytes as
possible.

Of course, it is impossible to remove the leading zero byte from a negative
number if the high bit of the next byte is not zero, as that would change
the value. However, it is possible to remove the leading zero byte from a
positive number, so such leading zero bytes are prohibited by the DER
specification.

The BER specification defines what the encodings mean. The DER
specification specifies a unique way to encode any given value. Analogously,
we all know what number "03" is, but if we were picking a unique way to
encode the number three, it would be "3" not "03".

What exactly do you think is the disconnect?

DS


______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org
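The minimal-encoding rule explained in the reply above, as an added example that is not OpenSSL's code and not part of the thread: a small DER INTEGER encoder and decoder in Python. The decoder rejects the BER-legal but non-DER forms (a redundant leading 0x00 or 0xFF, indefinite or non-minimal lengths), and a `check_certificate_serial` helper (a name chosen here) applies the RFC 3280 section 4.1.2.2 constraints on serialNumber, which is where the "20 octets" question comes from: a positive 20-octet value whose top bit is set needs a 21st 0x00 octet and so no longer fits. All function names and the sample values are constructed for this example.

```python
"""
Minimal DER INTEGER encoder/decoder (added example, not OpenSSL code).

Content octets are big-endian two's complement. DER requires the shortest
encoding, so a leading 0x00 is permitted (and then required) only when the
next octet has its high bit set, i.e. when a positive value would otherwise
read as negative. Symmetrically, a leading 0xFF is only allowed before an
octet whose high bit is clear.
"""
from typing import Tuple

INTEGER_TAG = 0x02


def _encode_length(n: int) -> bytes:
    # Short form for n < 128; otherwise 0x80 | count, then minimal length octets.
    if n < 0x80:
        return bytes([n])
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(octets)]) + octets


def _decode_length(data: bytes) -> Tuple[int, bytes]:
    if not data:
        raise ValueError("missing length octet")
    first = data[0]
    if first < 0x80:
        return first, data[1:]
    if first == 0x80:
        raise ValueError("indefinite length is BER only, not DER")
    count = first & 0x7F
    octets = data[1:1 + count]
    if len(octets) != count:
        raise ValueError("truncated length")
    if octets[0] == 0x00 or (count == 1 and octets[0] < 0x80):
        raise ValueError("non-minimal length encoding (not DER)")
    return int.from_bytes(octets, "big"), data[1 + count:]


def integer_content_octets(value: int) -> bytes:
    """Shortest two's-complement, big-endian representation of value."""
    if value >= 0:
        # bit_length() magnitude bits plus one sign bit that must be 0.
        length = value.bit_length() // 8 + 1
    else:
        # ~value has the same number of significant bits; sign bit must be 1.
        length = (~value).bit_length() // 8 + 1
    return value.to_bytes(length, "big", signed=True)


def der_encode_integer(value: int) -> bytes:
    """Tag, DER length, minimal content."""
    content = integer_content_octets(value)
    return bytes([INTEGER_TAG]) + _encode_length(len(content)) + content


def der_decode_integer(data: bytes) -> Tuple[int, bytes]:
    """Decode one DER INTEGER; returns (value, trailing bytes).

    Raises ValueError for encodings BER accepts but DER forbids.
    """
    if not data or data[0] != INTEGER_TAG:
        raise ValueError("expected INTEGER tag 0x02")
    length, rest = _decode_length(data[1:])
    content, remainder = rest[:length], rest[length:]
    if len(content) != length:
        raise ValueError("truncated INTEGER content")
    if length == 0:
        raise ValueError("INTEGER content must be at least one octet")
    if length >= 2:
        if content[0] == 0x00 and not (content[1] & 0x80):
            raise ValueError("non-minimal: leading 0x00 before an octet with high bit clear")
        if content[0] == 0xFF and (content[1] & 0x80):
            raise ValueError("non-minimal: leading 0xFF before an octet with high bit set")
    return int.from_bytes(content, "big", signed=True), remainder


def is_der_integer(data: bytes) -> bool:
    """True if data is exactly one well-formed DER INTEGER with nothing after it."""
    try:
        _, remainder = der_decode_integer(data)
        return remainder == b""
    except ValueError:
        return False


def check_certificate_serial(value: int) -> Tuple[bool, str]:
    """RFC 3280 4.1.2.2: serialNumber must be positive and a conforming CA
    must not issue one whose encoding exceeds 20 content octets."""
    if value <= 0:
        return False, "serialNumber must be a positive integer"
    n = len(integer_content_octets(value))
    if n > 20:
        return False, f"serialNumber encodes to {n} octets (max 20)"
    return True, f"ok ({n} octets)"


if __name__ == "__main__":
    for v in (3, 127, 128, -128, -129, 0):
        enc = der_encode_integer(v)
        print(v, enc.hex(), der_decode_integer(enc)[0])
    # Constructed serials: the largest that fits 20 octets, and one bit bigger.
    print(check_certificate_serial(2**159 - 1))
    print(check_certificate_serial(2**159))
    print("02020003 accepted as DER?", is_der_integer(bytes.fromhex("02020003")))
```

Running the block prints `128` as `02020080` (the 0x00 is required because 0x80 alone would mean -128), `-128` as `020180`, and shows that `02 02 00 03` is rejected because the leading zero octet carries no information. The serial check shows that 2^159 - 1 is the largest value a CA may use under the 20-octet limit, since 2^159 already needs 21 octets.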