
Re: (ITS#5070) Issues in X.509 certificate parsing



hyc@symas.com wrote:
> Howard Chu wrote:
>> I just got tripped trying to import an LDIF with a cert with 16 byte 
>> SerialNumber. I've patched this to just use the same hexadecimal format that 
>> OpenSSL uses when the number is larger than ber_int_t. We really don't want 
>> the format to change just because someone has a BigNum library available; it 
>> needs to stay consistent.
> 
> But we still need to fix serialNumberAndIssuerNormalize() to normalize to Hex now. 
> And in case somebody feeds in a very large decimal integer, we still need a 
> multi-word decimal-to-binary converter. As such, this bug cannot be closed yet.

OK.  Does it make any sense to just move to a hex-only syntax, prefixed
by "0x", with no sign as you mentioned earlier, or should we preserve
compatibility with the original form, where the minus sign is allowed
while a number not starting with "0x" should be treated as decimal?  The
latter would be probably better, but we'd need to convert decimal to
hex, and this could fail if decimals are too large.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
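
The multi-word decimal-to-hex conversion discussed in this thread, sketched as an added example; it is not part of the original message and is not OpenLDAP code. The names `serial_to_hex` and `SERIAL_MAX_BYTES`, the 64-byte cap, and the `[-]0x<lowercase hex>` output form are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SERIAL_MAX_BYTES 64  /* assumed cap, not an OpenLDAP constant */

/* Normalize "[-]decimal" or "[-]0xHEX" to "[-]0x<lowercase hex>".
 * Returns 0 on success, -1 on bad syntax, overflow, or short buffer. */
int serial_to_hex(const char *in, char *out, size_t outlen)
{
    unsigned char num[SERIAL_MAX_BYTES] = {0};  /* big-endian magnitude */
    int neg = 0, base = 10;
    size_t i, o = 0;

    if (*in == '-') { neg = 1; in++; }
    if (in[0] == '0' && (in[1] == 'x' || in[1] == 'X')) { base = 16; in += 2; }
    if (*in == '\0') return -1;                 /* no digits at all */

    for (; *in; in++) {
        unsigned carry;
        unsigned char c = (unsigned char)*in;
        if (isdigit(c)) carry = c - '0';
        else if (base == 16 && isxdigit(c)) carry = tolower(c) - 'a' + 10;
        else return -1;                         /* stray character */
        /* num = num * base + digit, propagated one byte at a time */
        for (i = SERIAL_MAX_BYTES; i-- > 0; ) {
            unsigned v = num[i] * (unsigned)base + carry;
            num[i] = v & 0xff;
            carry = v >> 8;
        }
        if (carry) return -1;                   /* exceeds SERIAL_MAX_BYTES */
    }
    for (i = 0; i < SERIAL_MAX_BYTES - 1 && num[i] == 0; i++)
        ;                                       /* skip leading zero bytes */
    /* worst case: '-' + "0x" + two hex chars per byte + NUL */
    if (outlen < 4 + 2 * (SERIAL_MAX_BYTES - i)) return -1;
    if (neg && num[i]) out[o++] = '-';          /* "-0" normalizes to "0x0" */
    o += (size_t)sprintf(out + o, "0x%x", num[i]);
    for (i++; i < SERIAL_MAX_BYTES; i++)
        o += (size_t)sprintf(out + o, "%02x", num[i]);
    return 0;
}

int main(void)
{
    char buf[2 * SERIAL_MAX_BYTES + 4];
    /* constructed sample: a 16-byte serial written in decimal */
    if (serial_to_hex("340282366920938463463374607431768211455", buf, sizeof buf) == 0)
        puts(buf);
    return 0;
}
```

Because the magnitude is held in a fixed byte array, an oversized decimal is rejected with an error instead of being silently truncated, which is the failure case raised above.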