David Schwartz wrote:
>> Alright, there's a SEVERE disconnect here versus the description of an
>> integer as described in the thread "openssl can don' t handle 20 Octes
>> long Serial Numbers RFC 3280".
>
> If you think there's a disconnect, you are confused.
>
>> This needs to be rectified soonest.
>
> There is no disconnect.
>
> For a negative number, prefixing it with a zero-byte changes the meaning,
> because the most significant bit is the sign bit. For a positive number,
> adding a zero-byte to the beginning does not change the value. However, the
> DER specification requires you to encode an integer in as few bytes as
> possible.
>
> Of course, it is impossible to remove the leading zero byte from a negative
> number if the high bit of the next byte is not zero, as that would change
> the value.


Addition:

You could remove the leading 0xff byte from such a number if the next
octet has bit 7 (0x80) set.

> However, it is possible to remove the leading zero byte from a
> positive number, so such leading zero bytes are prohibited by the DER
> specification.


Clarification:

In DER, the following is prohibited:
1. leading zero bytes if the next non-zero octet does not start with bit
7 set (0x80 mask).
2. leading 0xff (-1, 255) bytes, if the next non-0xff octet starts with
bit 7 set (0x80 mask).

> The BER specification defines what the encodings mean. The DER
> specification specifies a unique way to encode any given value. Analogously,
> we all know what number "03" is, but if we were picking a unique way to
> encode the number three, it would be "3" not "03".
>
> What exactly do you think is the disconnect?
>
> DS
>
>
> __________________________________________________ ____________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List openssl-dev@openssl.org
> Automated List Manager majordomo@openssl.org


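An added example, not part of the original message or of OpenSSL's code: a C check for the redundant leading octets discussed in this thread, applied to the content octets of an INTEGER (tag and length already removed). The function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Count leading content octets that can be dropped without changing the
 * two's-complement value: 0x00 before an octet with bit 7 clear, or 0xff
 * before an octet with bit 7 set. The last octet is never dropped. */
size_t der_int_redundant_prefix(const unsigned char *p, size_t len)
{
    size_t n = 0;
    while (len - n > 1) {
        int next_msb = p[n + 1] & 0x80;
        if (p[n] == 0x00 && !next_msb) n++;
        else if (p[n] == 0xff && next_msb) n++;
        else break;
    }
    return n;
}

/* 1 if the content octets are the shortest form; empty content is invalid. */
int der_int_is_minimal(const unsigned char *p, size_t len)
{
    return len > 0 && der_int_redundant_prefix(p, len) == 0;
}

/* Sign-extending decode for short values (len 1..8), used here only to
 * show that stripping the redundant prefix keeps the value. */
int64_t der_int_value(const unsigned char *p, size_t len)
{
    uint64_t v = (p[0] & 0x80) ? UINT64_MAX : 0;
    for (size_t i = 0; i < len; i++)
        v = (v << 8) | p[i];
    return (int64_t)v;
}

/* Constructed sample content octets (not taken from the thread). */
static const unsigned char s_pos128[] = {0x00, 0x80}; /* zero byte required  */
static const unsigned char s_pos127[] = {0x00, 0x7f}; /* zero byte redundant */
static const unsigned char s_neg128[] = {0xff, 0x80}; /* 0xff redundant      */
static const unsigned char s_neg129[] = {0xff, 0x7f}; /* 0xff required       */

int main(void)
{
    const unsigned char *s[] = {s_pos128, s_pos127, s_neg128, s_neg129};
    for (size_t i = 0; i < 4; i++)
        printf("%02x %02x: value %lld, minimal=%d\n", s[i][0], s[i][1],
               (long long)der_int_value(s[i], 2), der_int_is_minimal(s[i], 2));
    return 0;
}
```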