
Re: CertificateExactMatch for the ldap HEAD branch (ITS#2719/ITS#2771).





I have not checked your patch, but notice that some OpenSSL routines
were not able to handle serial numbers larger than 32 bits (that are
legal and the Microsoft Certificate Server customarily creates) unless
they are not represented as integers but as some non
standard-compliant series of decimal or even hexadecimal thingies
separated by colons.  I painfully wrote code that would produce an
integer of unrestricted length (that OpenLDAP's own integerMatch
supported).  And I could not do it with standard OpenSSL routines.

The openssl routines that I tried (0.9.6 and higher) handle serials longer than 32 bits, like
102199425239041956261964087300121083924, without problems.


Are there even longer / stranger serials than these around? I know that some CAs seem to want
to encode lots of private extension information and the kitchen sink into this field. :-)


--
-------------------------------------------- ___ _ __ _ _
/ __/| ` |\ \/ / Mark Ruijter
\__ \| | | ) ( mark.ruijter@siennax.com
|___/|__|_|/_/\_\ 06 - 53713459


--------------------------------------------
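
Added example, not part of the original message and not OpenSSL or OpenLDAP code: one way to turn the colon-separated hexadecimal serial form mentioned above into a decimal integer of unrestricted length, so that serials wider than 32 bits compare as integers. The function names `hexval` and `serial_hex_to_decimal` are hypothetical, and only non-negative serials are handled.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helpers, not OpenSSL/OpenLDAP API. Converts a serial such as
 * "01:00:00:00:00" to a decimal string without any fixed-width integer type.
 * Returns 0 on success, -1 on malformed input or if out is too small. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

int serial_hex_to_decimal(const char *hex, char *out, size_t outlen)
{
    unsigned char digits[128];  /* decimal digits, least significant first */
    size_t ndig = 1, i;

    memset(digits, 0, sizeof digits);
    if (!*hex) return -1;                    /* empty serial is not valid */
    while (*hex) {
        int hi = hexval(hex[0]);
        int lo = hi < 0 ? -1 : hexval(hex[1]);
        unsigned carry;
        if (lo < 0) return -1;               /* need exactly two hex digits */
        carry = (unsigned)(hi * 16 + lo);
        for (i = 0; i < ndig; i++) {         /* value = value * 256 + byte */
            unsigned v = digits[i] * 256u + carry;
            digits[i] = (unsigned char)(v % 10);
            carry = v / 10;
        }
        while (carry) {                      /* grow the number as needed */
            if (ndig == sizeof digits) return -1;
            digits[ndig++] = (unsigned char)(carry % 10);
            carry /= 10;
        }
        hex += 2;
        if (*hex == ':') { hex++; if (!*hex) return -1; }  /* no trailing ':' */
        else if (*hex) return -1;            /* bytes must be ':'-separated */
    }
    if (outlen < ndig + 1) return -1;
    for (i = 0; i < ndig; i++)               /* emit most significant first */
        out[i] = (char)('0' + digits[ndig - 1 - i]);
    out[ndig] = '\0';
    return 0;
}
```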