[gnutls-help] certtool: Serial number only 31 bit?

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Jan 4 20:38:37 CET 2015


On Fri, 2015-01-02 at 12:59 -0500, Daniel Kahn Gillmor wrote:
> [ sorry, digging up an old thread as i happen to be thinking about the
>   issue today ]
> 
> On Thu 2014-05-15 07:49:14 -0400, Nikos Mavrogiannopoulos wrote:
> > On Thu, May 15, 2014 at 12:08 PM, Josef Wolf <jw at raven.inka.de> wrote:
> >> Hello,
> >> I am currently trying to use UUIDs (as Bignum) for the serial number of
> >> certificates. AFAIK, RFC 5280 allows up to 20 octets. But I have a hard
> >> time specifying more than 31 bits in the template file.
> >> With a prefix of 0x (indicating hex number), I get serial number 0. Ough!
> >> Given as a decimal number, the number is truncated to 0x7fffffff.
> >> Is this a limitation in certtool or am I missing something?
> >
> > It was a limitation. Support for up to 63-bit serial numbers was added in 3.3.0.
> 
> If the value received from the user for the serial number exceeds 63
> bits, should GnuTLS throw an error rather than truncate?  I worry that
> silently proceeding with a truncation seems likely to cause people using
> certtool to issue multiple certificates with serial numbers of
> 0x7fffffffffffffff.

Does it truncate? As far as I see, it already throws an error for
out-of-range numbers.

regards,
Niko
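The limits the thread discusses (certtool's old 31-bit and current 63-bit parsing ceiling, and the 20-octet ceiling of RFC 5280) can be checked before a template is fed to certtool. The following is an added example, not code from the thread or from GnuTLS; it assumes the template serial is written either in decimal or with a `0x` hex prefix, as in Josef's message, and it counts the DER sign byte towards the 20 octets, which is the conservative reading of the RFC.

```python
# Added example (not part of the thread or of GnuTLS): validate a serial
# number as it would be written in a certtool template against the limits
# discussed above. Value syntax (decimal or "0x" hex) follows the thread;
# the 31-bit / 63-bit figures are the ones Nikos gives for GnuTLS < 3.3.0
# and >= 3.3.0. The 20-octet ceiling is RFC 5280 section 4.1.2.2.
import re

RFC5280_MAX_OCTETS = 20   # RFC 5280: serialNumber no longer than 20 octets
CERTTOOL_OLD_BITS = 31    # certtool limit before GnuTLS 3.3.0 (per the thread)
CERTTOOL_NEW_BITS = 63    # certtool limit since GnuTLS 3.3.0 (per the thread)


def parse_serial(text: str) -> int:
    """Parse a serial as written in a template: decimal, or 0x-prefixed hex."""
    text = text.strip()
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", text):
        return int(text, 16)
    if re.fullmatch(r"[0-9]+", text):
        return int(text, 10)
    raise ValueError(f"unsupported serial syntax: {text!r}")


def der_integer_content(value: int) -> bytes:
    """Content octets of a DER INTEGER: minimal big-endian two's complement."""
    if value < 0:
        raise ValueError("RFC 5280 requires a non-negative serial number")
    length = max(1, (value.bit_length() + 7) // 8)
    body = value.to_bytes(length, "big")
    # If the top bit is set, DER needs a leading 0x00 so the value is not
    # read as negative; that extra octet is what can push a 20-byte value
    # (or a 128-bit UUID, 17 octets) past what a naive byte count suggests.
    if body[0] & 0x80:
        body = b"\x00" + body
    return body


def check_serial(text: str) -> dict:
    """Report RFC 5280 validity and whether the value fits certtool's limits."""
    value = parse_serial(text)
    content = der_integer_content(value)
    return {
        "value": value,
        "der_octets": len(content),
        "rfc5280_ok": value > 0 and len(content) <= RFC5280_MAX_OCTETS,
        "fits_31bit": value < (1 << CERTTOOL_OLD_BITS),
        "fits_63bit": value < (1 << CERTTOOL_NEW_BITS),
    }


if __name__ == "__main__":
    # Constructed sample values: a small serial, the two boundaries from the
    # thread, a 128-bit UUID-sized value, and an oversized one.
    for s in ("42", "0x7fffffff", "0x7fffffffffffffff", "0x" + "f" * 32, "0x" + "ff" * 20):
        print(s, check_serial(s))
```

A UUID-sized serial is valid under RFC 5280 (17 DER octets) but does not fit certtool's 63-bit parser, which is exactly the gap Josef ran into.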