
Re: [ldapext] X.509, RFC4523, RFC3641, big Ints




Howard,

Howard Chu wrote:
Something that we've recently encountered while testing our Certificate validation rules is certificates whose serial numbers are integers whose values are larger than 4 octets. I'm wondering how other folks deal with these things. Integers that occur within the LDAP protocol are generally constrained to maxInt, 2^31 - 1, but no such constraint applies anywhere else. Do you use a multi-precision math library to generate the decimal representation of these integers?

I represent large integers in two's complement as a variable length array of octets. I wrote my own routines to do the multiply by 10 and divide by 10 that is required to convert to and from decimal. I treat the octet array as a number in base 256 (so each octet is a "digit") and coded the routines to perform the operations in the way I would if I were doing it by hand (with carries and remainders and such). The operations turn out to be fairly simple because one of the operands is only ever one "digit".


For now we've copied the OpenSSL library's behavior, which is to use decimal for up to 31 bit numbers, and just output the hexadecimal octets for anything larger. But this clearly doesn't conform to the GSER definition of INTEGER.


As an aside, I really wish we were using hex for the canonical Integer representation; then any system could manipulate integers of any size independently of any native word size...

It would always be possible to define hexadecimal as an alternative representation for integers in GSER, perhaps distinguished from decimal by a leading 0x .

Regards,
Steven
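
The hand-arithmetic approach described in the reply above, for the octets-to-decimal direction only (repeated divide by 10), as an added example that is not code from this thread or from any project it mentions. The function names, the 64-octet limit and the sample serial number are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Divide the unsigned base-256 number in buf (big-endian) by 10 in place,
 * one octet "digit" at a time, and return the remainder (0..9). */
static unsigned div10(unsigned char *buf, size_t len) {
    unsigned rem = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned cur = (rem << 8) | buf[i];  /* bring the remainder down */
        buf[i] = (unsigned char)(cur / 10);
        rem = cur % 10;
    }
    return rem;
}

/* Convert a two's complement, big-endian INTEGER value to a decimal string.
 * Returns 0 on success, -1 if the input or output buffer size is unusable. */
int octets_to_decimal(const unsigned char *in, size_t len, char *out, size_t outlen) {
    unsigned char mag[64];            /* assumed upper bound on input size */
    char digits[160];                 /* 64 octets need at most 155 digits */
    size_t n = 0, o = 0, nz;
    if (len == 0 || len > sizeof mag) return -1;
    memcpy(mag, in, len);
    int neg = (in[0] & 0x80) != 0;
    if (neg) {                        /* magnitude = ~value + 1 */
        unsigned carry = 1;
        for (size_t i = len; i-- > 0; ) {
            unsigned v = (unsigned char)~mag[i] + carry;
            mag[i] = (unsigned char)v;
            carry = v >> 8;
        }
    }
    do {                              /* digits come out least significant first */
        digits[n++] = (char)('0' + div10(mag, len));
        for (nz = 0; nz < len && mag[nz] == 0; nz++) ;  /* first nonzero octet */
    } while (nz < len);
    if (n + (size_t)neg + 1 > outlen) return -1;
    if (neg) out[o++] = '-';
    while (n > 0) out[o++] = digits[--n];
    out[o] = '\0';
    return 0;
}

int main(void) {
    /* Constructed 9-octet serial number: 2^64 - 1 with its leading 0x00. */
    const unsigned char serial[] = {0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};
    char dec[64];
    if (octets_to_decimal(serial, sizeof serial, dec, sizeof dec) == 0) puts(dec);
    return 0;
}
```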
