[gnutls-help] certtool: Serial number only 31 bit?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sun Jan 4 20:57:08 CET 2015


On 01/04/2015 02:38 PM, Nikos Mavrogiannopoulos wrote:
> On Fri, 2015-01-02 at 12:59 -0500, Daniel Kahn Gillmor wrote:
>> [ sorry, digging up an old thread as i happen to be thinking about the
>>   issue today ]
>>
>> On Thu 2014-05-15 07:49:14 -0400, Nikos Mavrogiannopoulos wrote:
>>> On Thu, May 15, 2014 at 12:08 PM, Josef Wolf <jw at raven.inka.de> wrote:
>>>> Hello,
>>>> I am currently trying to use UUIDs (as Bignum) for the serial number of
>>>> certificates. AFAIK, the RFC 5280 allows up to 20 octets. But I have a hard
>>>> time to specify more than 31 bits in the template file.
>>>> With a prefix of 0x (indicating hex number), I get serial number 0. Ough!
>>>> Given as a decimal number, the number is truncated to 0x7fffffff.
>>>> Is this a limitation in certtool or am I missing something?
>>>
>>> It was a limitation. Support for up to 63-bit serial numbers was added in 3.3.0.
>> If the value received from the user for the serial number exceeds 63
>> bits, should GnuTLS throw an error rather than truncate?  I worry that
>> silently proceeding with a truncation seems likely to cause people using
>> certtool to issue multiple certificates with serial numbers of
>> 0x7fffffffffffffff.
> 
> Does it truncate? As far as I see, it already throws an error for
> out-of-range numbers.

sorry, i should have been more clear that i was talking about certtool.

for example:

 certtool -p key.pem
 echo 'serial = 10000000000000000000' > template
 echo 'serial = 10000000000000000001' > template2


then these two commands:

 certtool --generate-self-signed --load-privkey key.pem \
          --template template 2>&1 | grep Serial
 certtool --generate-self-signed --load-privkey key.pem \
          --template template2 2>&1 | grep Serial

both produce:

	Serial Number (hex): 7fffffffffffffff



	--dkg
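Added example, not part of dkg's message or of GnuTLS itself: a small Python pre-check that applies the two limits this thread discusses (certtool's 63-bit serial ceiling since 3.3.0, and the 20-octet cap of RFC 5280 section 4.1.2.2) to a template's `serial = ...` line before certtool is invoked, so an oversized value is rejected up front instead of silently issuing a certificate with serial 0x7fffffffffffffff. The function names and the template parsing are my own assumptions, not certtool's parser.

```python
import re

# Limits discussed in the thread: certtool (GnuTLS >= 3.3.0) handles serials up
# to 63 bits; RFC 5280 section 4.1.2.2 caps the DER INTEGER at 20 octets.
CERTTOOL_MAX_SERIAL = (1 << 63) - 1          # 0x7fffffffffffffff
RFC5280_MAX_OCTETS = 20


def parse_template_serial(template_text):
    """Return the value of the 'serial = ...' line of a certtool template as an int.
    Accepts decimal and 0x-prefixed hex (my own parsing, not certtool's);
    raises ValueError if the line is absent or malformed."""
    m = re.search(r'^\s*serial\s*=\s*(\S+)\s*$', template_text, re.MULTILINE)
    if not m:
        raise ValueError("template has no serial line")
    value = m.group(1)
    return int(value, 16) if value.lower().startswith("0x") else int(value, 10)


def der_serial_octets(serial):
    """Content octets of the DER INTEGER for a serial: big-endian two's
    complement with minimal length, so a value whose top bit is set gets a
    leading 0x00 byte. Rejects non-positive values as RFC 5280 does."""
    if serial <= 0:
        raise ValueError("RFC 5280 requires a positive serial number")
    length = (serial.bit_length() + 8) // 8   # one sign bit, rounded up to octets
    return serial.to_bytes(length, "big")


def check_template_serial(template_text):
    """Classify the template's serial before running certtool.
    Returns (status, serial) with status one of:
      'ok'                         fits certtool and RFC 5280
      'exceeds-certtool-63-bit'    the case in the thread: certtool would emit
                                   0x7fffffffffffffff (a constructed sentinel)
      'exceeds-rfc5280-20-octets'  no conforming CA may issue it at all"""
    serial = parse_template_serial(template_text)
    if len(der_serial_octets(serial)) > RFC5280_MAX_OCTETS:
        return "exceeds-rfc5280-20-octets", serial
    if serial > CERTTOOL_MAX_SERIAL:
        return "exceeds-certtool-63-bit", serial
    return "ok", serial
```

A 128-bit UUID encodes to 17 DER octets, so it passes the RFC 5280 check but not the certtool one, which is exactly Josef's original problem.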


