This is a discussion on Re: ASN1_INTEGER <==> int - Openssl ; David Schwartz wrote: >> Alright, there's a SEVERE disconnect here versus the description of an >> integer as described in the thread "openssl can don' t handle 20 Octes >> long Serial Numbers RFC 3280". > > If you think ...
David Schwartz wrote:
>> Alright, there's a SEVERE disconnect here versus the description of an
>> integer as described in the thread "openssl can don' t handle 20 Octes
>> long Serial Numbers RFC 3280".
> If you think there's a disconnect, you are confused.
>> This needs to be rectified soonest.
> There is no disconnect.
> For a negative number, prefixing it with a zero-byte changes the meaning,
> because the most significant bit is the sign bit. For a positive number,
> adding a zero-byte to the beginning does not change the value. However, the
> DER specification requires you to encode an integer in as few bytes as
> Of course, it is impossible to remove the leading zero byte from a negative
> number if the high bit of the next byte is not zero, as that would change
> the value.
You could remove the leading 0xff byte from such number, if the next
octet has bit 7 (0x80) set.
> However, it is possible to remove the leading zero byte from a
> positive number, so such leading zero bytes are prohibited by the DER
In DER, the following is prohibited:
1. leading zero bytes if the next non-zero octet does not start with bit
7 set (0x80 mask).
2. leading 0xff (-1, 255) bytes, if the next non-0xff octet starts with
bit 7 set (0x80 mask).
> The BER specification defines what the encodings mean. The DER
> specification specifies a unique way to encode any given value. Analogously,
> we all know what number "03" is, but if we were picking a unique way to
> encode the number three, it would be "3" not "03".
> What exactly do you think is the disconnect?
> __________________________________________________ ____________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List email@example.com
> Automated List Manager firstname.lastname@example.org
OpenSSL Project http://www.openssl.org
Development Mailing List email@example.com
Automated List Manager firstname.lastname@example.org