> On Jan 28, 2017, at 10:01 AM, Matthias Ballreich <matthias.ballreich@xxxxxxxxxx> wrote: > > is it normal that OpenSSL removes the leading Zeros in an ASN1_INTEGER? > I tried to read the Certificate Serial and the Certificate Serial in the > AuthorityKeyID-Extension with C++, which works very well, but i noticed > that OpenSSL removes the leading Zeros on it. > > The real ASN1-Value is: 00BEED73EE for example, but i got only BEED73EE. > If i view the Certificate inside Microsoft Cert Tool (Certmgr.exe) the > leading Zeros are listed there. Same on Firefox, if i Import and view > the Certificate there. So is this the correct way of handling inside > OpenSSL or is it a bug or? Integers don't have leading zeros. Octet strings representing integers (in non-DER form) might have leading zeros, but you should not confuse the data type with its representation. OpenSSL outputs the correct DER form of the serial *number* in certificates. Leading zeros are needed in the DER representation of positive integers whose most significant nibble is in the range from 8 to F. Otherwise the leading bit would cause the integer to be interpreted as negative. -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
