<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">
  <title></title>
</head>
<body text="#000000" bgcolor="#ffffff">
Aleksey,<br>
<br>
I will take some time to integrate your patch into my local libxmlsec.
(You know, I am working on libxmlsec 1.2.6, not the latest one, so I
have to merge your change manually.)<br>
I will let you know the result when it finishes.<br>
<br>
Thanks<br>
<br>
Michael<br>
<br>
Aleksey Sanin wrote:<br>
<blockquote type="cite" cite="mid421AFBEA.1080700@aleksey.com">Michael,
  <br>
  <br>
I have a better patch for you (see attached file). Also I already
  <br>
tested it and checked in (thanks to Andrew for his openssl trick :) ).
  <br>
  <br>
However, there are a few things I would like to note:
  <br>
1) I did test openssl &lt;-&gt; mscrypto interoperability for negative
  <br>
serial numbers and everything seems to be working. I did not test
  <br>
NSS &lt;-&gt; mscrypto at all.
  <br>
2) I noticed that NSS does not handle large serial numbers at all.
  <br>
It seems that the code just converts a string to regular integer
  <br>
using NSPR's analog of the atoi() function.
  <br>
3) It turns out that mscrypto does not recognize "emailAddress"
  <br>
attribute in x509 string. Worse, when it writes a string, it puts
  <br>
email into "E" attribute but then refuses to read it back (or to
  <br>
be precise, it reads it in a *different* internal format and then
  <br>
can not find this cert)! I hacked the code to work around this
  <br>
problem but this is really a quick-and-dirty hack and you might
  <br>
want to think about a better solution.
  <br>
  <br>
Aleksey
  <br>
  <br>
  <br>
  <br>
Aleksey Sanin wrote:
  <br>
  <blockquote type="cite">Just do "patch -p0 &lt;
path-to-negative-bn.diff" from the top level
    <br>
xmlsec folder.
    <br>
    <br>
Aleksey
    <br>
    <br>
Michael Mi wrote:
    <br>
    <br>
    <blockquote type="cite">I'd love to try it.
      <br>
      <br>
But can you tell me how to merge the diff into my bn.c when I am using
the libxmlsec tarball?
      <br>
      <br>
Michael
      <br>
      <br>
    </blockquote>
_______________________________________________
    <br>
xmlsec mailing list
    <br>
<a class="moz-txt-link-abbreviated" href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a>
    <br>
<a class="moz-txt-link-freetext" href="http://www.aleksey.com/mailman/listinfo/xmlsec">http://www.aleksey.com/mailman/listinfo/xmlsec</a>
    <br>
  </blockquote>
  <pre wrap="">
<hr width="90%" size="4">
Index: src/bn.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/bn.c,v
retrieving revision 1.14
diff -u -r1.14 bn.c
--- src/bn.c        26 Jan 2005 16:52:09 -0000        1.14
+++ src/bn.c        22 Feb 2005 09:16:51 -0000
@@ -170,9 +170,10 @@
  */
 int 
 xmlSecBnFromString(xmlSecBnPtr bn, const xmlChar* str, xmlSecSize base) {
-    xmlSecSize i, len;
+    xmlSecSize i, len, size;
     xmlSecByte ch;
     xmlSecByte* data;
+    int positive;
     int nn;
     int ret;
 
@@ -184,7 +185,7 @@
     /* trivial case */
     len = xmlStrlen(str);
     if(len == 0) {
-        return(0);
+        return(0);
     }
     
     /* The result size could not exceed the input string length
@@ -192,60 +193,102 @@
      * In truth, it would be likely less than 1/2 input string length
      * because each byte is represented by 2 chars. If needed, 
      * buffer size would be increased by Mul/Add functions.
-     * Finally, we add one byte for 00 prefix if first byte is &gt; 127.
+     * Finally, we can add one byte for 00 or 10 prefix.
      */
     ret = xmlSecBufferSetMaxSize(bn, xmlSecBufferGetSize(bn) + len / 2 + 1 + 1);
     if(ret &lt; 0) {
-        xmlSecError(XMLSEC_ERRORS_HERE,
-                    NULL,
-                    "xmlSecBnRevLookupTable",
-                    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                    "size=%d", len / 2 + 1);
-        return (-1);
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                        NULL,
+                        "xmlSecBnRevLookupTable",
+                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                        "size=%d", len / 2 + 1);
+        return (-1);
+    }
+
+    /* figure out if it is positive or negative number */
+    positive = 1;
+    i = 0;
+    while(i &lt; len) {
+        ch = str[i++];
+
+        /* skip spaces */
+        if(isspace(ch)) {
+                continue;
+        } 
+        
+        /* check if it is + or - */
+        if(ch == '+') {
+            positive = 1;
+            break;
+        } else if(ch == '-') {
+            positive = 0;
+            break;
+        }
+
+        /* otherwise, it must be start of the number */
+        nn = xmlSecBnLookupTable[ch];
+        if((nn &gt;= 0) &amp;&amp; ((xmlSecSize)nn &lt; base)) {
+            xmlSecAssert2(i &gt; 0, -1);
+
+            /* no sign, positive by default */
+            positive = 1;
+            --i; /* make sure that we will look at this character in next loop */
+            break;
+        } else {
+                xmlSecError(XMLSEC_ERRORS_HERE,
+                        NULL,
+                        NULL,
+                        XMLSEC_ERRORS_R_INVALID_DATA,
+                        "char=%c;base=%d", 
+                        ch, base);
+                    return (-1);
+        }
     }
 
-    for(i = 0; i &lt; len; i++) {
-        ch = str[i];
-        if(isspace(ch)) {
-            continue;
-        }
+    /* now parse the number itself */
+    while(i &lt; len) {
+        ch = str[i++];
+        if(isspace(ch)) {
+                continue;
+        }
 
-        xmlSecAssert2(ch &lt;= sizeof(xmlSecBnLookupTable), -1);
-        nn = xmlSecBnLookupTable[ch];
-        if((nn &lt; 0) || ((xmlSecSize)nn &gt; base)) {
-            xmlSecError(XMLSEC_ERRORS_HERE,
-                        NULL,
-                        NULL,
-                        XMLSEC_ERRORS_R_INVALID_DATA,
-                        "char=%c;base=%d", 
-                        ch, base);
-                return (-1);
-        }
-        
-        ret = xmlSecBnMul(bn, base);
-        if(ret &lt; 0) {
-            xmlSecError(XMLSEC_ERRORS_HERE,
-                        NULL,
-                        "xmlSecBnMul",
-                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                        "base=%d", base);
-            return (-1);
-        }
+        xmlSecAssert2(ch &lt;= sizeof(xmlSecBnLookupTable), -1);
+        nn = xmlSecBnLookupTable[ch];
+        if((nn &lt; 0) || ((xmlSecSize)nn &gt; base)) {
+                xmlSecError(XMLSEC_ERRORS_HERE,
+                        NULL,
+                        NULL,
+                        XMLSEC_ERRORS_R_INVALID_DATA,
+                        "char=%c;base=%d", 
+                        ch, base);
+                    return (-1);
+        }
 
-        ret = xmlSecBnAdd(bn, nn);
-        if(ret &lt; 0) {
-            xmlSecError(XMLSEC_ERRORS_HERE,
-                        NULL,
-                        "xmlSecBnAdd",
-                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                        "base=%d", base);
-            return (-1);
-        }        
+        ret = xmlSecBnMul(bn, base);
+        if(ret &lt; 0) {
+                xmlSecError(XMLSEC_ERRORS_HERE,
+                        NULL,
+                        "xmlSecBnMul",
+                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                        "base=%d", base);
+                return (-1);
+        }
+
+        ret = xmlSecBnAdd(bn, nn);
+        if(ret &lt; 0) {
+                xmlSecError(XMLSEC_ERRORS_HERE,
+                        NULL,
+                        "xmlSecBnAdd",
+                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                        "base=%d", base);
+                return (-1);
+}        
     }
 
-    /* check whether need to add 00 prefix */
+    /* check if we need to add 00 prefix */
     data = xmlSecBufferGetData(bn);
-    if(data[0] &gt; 127) {
+    size = xmlSecBufferGetSize(bn);
+    if(size &gt; 0 &amp;&amp; data[0] &gt; 127) {
         ch = 0;
         ret = xmlSecBufferPrepend(bn, &amp;ch, 1);
         if(ret &lt; 0) {
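Review bot: The digit check in the new parse loop, `if((nn < 0) || ((xmlSecSize)nn > base))`, accepts a digit equal to the base, while the sign loop above it correctly requires `(xmlSecSize)nn < base`; the parse loop should read `if((nn < 0) || ((xmlSecSize)nn >= base)) {` so the two agree. The sign loop also indexes `xmlSecBnLookupTable[ch]` without the `xmlSecAssert2(ch <= sizeof(xmlSecBnLookupTable), -1)` guard the parse loop keeps; with `ch` an `xmlSecByte` this is probably harmless if the table has 256 entries, but the two loops should match. A sign with no digits after it (`"-"`, or `"-"` followed only by spaces) leaves `positive == 0` with nothing parsed, and the negation block in the following hunk then complements whatever is in the buffer and adds 1, so the caller gets +1 instead of an error; a flag set when the first digit is consumed and checked after the parse loop (`if((positive == 0) && !digits) { ... return(-1); }`) would close this. The stray `}` closing the xmlSecBnAdd failure branch sits at column 0 and should be indented with its block. xmlSecBnFromString begins before and ends after this hunk.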
@@ -257,6 +300,26 @@
             return (-1);
         }
     }
+
+    /* do 2's compliment and add 1 to represent negative value */
+    if(positive == 0) {
+        data = xmlSecBufferGetData(bn);
+        size = xmlSecBufferGetSize(bn);
+        for(i = 0; i &lt; size; ++i) {
+            data[i] ^= 0xFF;
+        }
+        
+        ret = xmlSecBnAdd(bn, 1);
+        if(ret &lt; 0) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+                NULL,
+                "xmlSecBnAdd",
+                XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                "base=%d", base);
+            return (-1);
+        }
+    }
+
     return(0);
 }
 
@@ -272,8 +335,12 @@
  */
 xmlChar* 
 xmlSecBnToString(xmlSecBnPtr bn, xmlSecSize base) {
+    xmlSecBn bn2;
+    int positive = 1;
     xmlChar* res;
-    xmlSecSize i, len;
+    xmlSecSize i, len, size;
+    xmlSecByte* data;
+    int ret;
     int nn;
     xmlChar ch;
 
@@ -281,35 +348,86 @@
     xmlSecAssert2(base &gt; 1, NULL);
     xmlSecAssert2(base &lt;= sizeof(xmlSecBnRevLookupTable), NULL);
 
+
+    /* copy bn */
+    data = xmlSecBufferGetData(bn);
+    size = xmlSecBufferGetSize(bn);
+    ret = xmlSecBnInitialize(&amp;bn2, size);
+    if(ret &lt; 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            NULL,
+            "xmlSecBnCreate",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            "size=%d", size);
+        return (NULL);
+    }
+    
+    ret = xmlSecBnSetData(&amp;bn2, data, size);
+    if(ret &lt; 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            NULL,
+            "xmlSecBnSetData",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            "size=%d", size);
+        xmlSecBnFinalize(&amp;bn2);
+        return (NULL);
+    }
+
+    /* check if it is a negative number or not */
+    data = xmlSecBufferGetData(&amp;bn2);
+    size = xmlSecBufferGetSize(&amp;bn2);
+    if((size &gt; 0) &amp;&amp; (data[0] &gt; 127)) {
+        /* subtract 1 and do 2's compliment */
+        ret = xmlSecBnAdd(&amp;bn2, -1);
+        if(ret &lt; 0) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+                        NULL,
+                        "xmlSecBnAdd",
+                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                        "size=%d", size);
+            xmlSecBnFinalize(&amp;bn2);
+            return (NULL);
+        }
+        for(i = 0; i &lt; size; ++i) {
+            data[i] ^= 0xFF;
+        }
+
+        positive = 0;
+    } else {
+        positive = 1;
+    }
+
     /* Result string len is
      *            len = log base (256) * &lt;bn size&gt;
      * Since the smallest base == 2 then we can get away with 
      *            len = 8 * &lt;bn size&gt;
      */
-    len = 8 * xmlSecBufferGetSize(bn) + 1;
+    len = 8 * size + 1 + 1;
     res = (xmlChar*)xmlMalloc(len + 1);
     if(res == NULL) {
-        xmlSecError(XMLSEC_ERRORS_HERE,
-                    NULL,
-                    NULL,
-                    XMLSEC_ERRORS_R_MALLOC_FAILED,
-                    "len=%d", len);
-        return (NULL);
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                            NULL,
+                            NULL,
+                            XMLSEC_ERRORS_R_MALLOC_FAILED,
+                            "len=%d", len);
+        xmlSecBnFinalize(&amp;bn2);
+        return (NULL);
     }
     memset(res, 0, len + 1);
 
-    for(i = 0; (xmlSecBufferGetSize(bn) &gt; 0) &amp;&amp; (i &lt; len); i++) {
-        if(xmlSecBnDiv(bn, base, &amp;nn) &lt; 0) {
-            xmlSecError(XMLSEC_ERRORS_HERE,
-                        NULL,
-                        "xmlSecBnDiv",
-                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                        "base=%d", base);
-            xmlFree(res);
-                return (NULL);
-        }
-        xmlSecAssert2((size_t)nn &lt; sizeof(xmlSecBnRevLookupTable), NULL);
-        res[i] = xmlSecBnRevLookupTable[nn];
+    for(i = 0; (xmlSecBufferGetSize(&amp;bn2) &gt; 0) &amp;&amp; (i &lt; len); i++) {
+        if(xmlSecBnDiv(&amp;bn2, base, &amp;nn) &lt; 0) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+                        NULL,
+                        "xmlSecBnDiv",
+                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                        "base=%d", base);
+            xmlFree(res);
+            xmlSecBnFinalize(&amp;bn2);
+            return (NULL);
+        }
+        xmlSecAssert2((size_t)nn &lt; sizeof(xmlSecBnRevLookupTable), NULL);
+        res[i] = xmlSecBnRevLookupTable[nn];
     }
     xmlSecAssert2(i &lt; len, NULL);
 
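Review bot: The failure path for `xmlSecBnInitialize` reports `"xmlSecBnCreate"` as the failing function; it should read `"xmlSecBnInitialize",` so the log names the call that actually failed. The two `xmlSecAssert2(..., NULL)` exits inside and after the division loop return without `xmlSecBnFinalize(&bn2)` (and, as before the patch, without `xmlFree(res)`), so the copy made at the top of the function leaks on those paths. The sign test `(size > 0) && (data[0] > 127)` applies to every bn passed in, not only to values produced by `xmlSecBnFromString`: a bn loaded from raw bytes whose top bit is set will now print with a leading `-` unless the caller prepended a 00 byte, which is worth stating in the function's documentation if that is the intended contract. The subtract-then-complement step also depends on `xmlSecBnAdd(&bn2, -1)` borrowing across bytes, which the negative branch added to xmlSecBnAdd in this patch does not do (see that hunk). xmlSecBnToString starts before and ends after this hunk.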
@@ -317,13 +435,20 @@
     for(len = i; (len &gt; 1) &amp;&amp; (res[len - 1] == '0'); len--);
     res[len] = '\0';
 
+    /* add "-" for negative numbers */
+    if(positive == 0) {
+        res[len] = '-';
+        res[++len] = '\0';
+    }
+
     /* swap the string because we wrote it in reverse order */
     for(i = 0; i &lt; len / 2; i++) {
-        ch = res[i];
-        res[i] = res[len - i - 1];
-        res[len - i - 1] = ch;
+        ch = res[i];
+        res[i] = res[len - i - 1];
+        res[len - i - 1] = ch;
     }
 
+    xmlSecBnFinalize(&amp;bn2);
     return(res);
 }
 
@@ -408,7 +533,9 @@
     }
 
     data = xmlSecBufferGetData(bn);
-    for(over = 0, i = xmlSecBufferGetSize(bn); i &gt; 0;) {
+    i = xmlSecBufferGetSize(bn);
+    over = 0; 
+    while(i &gt; 0) {
         xmlSecAssert2(data != NULL, -1);
 
         over        = over + multiplier * data[--i];
@@ -503,43 +630,57 @@
  */
 int 
 xmlSecBnAdd(xmlSecBnPtr bn, int delta) {
-    int over;
+    int over, tmp;
     xmlSecByte* data;
     xmlSecSize i;
     xmlSecByte ch;
     int ret;
 
     xmlSecAssert2(bn != NULL, -1);
-    xmlSecAssert2(delta &gt;= 0, -1);
 
     if(delta == 0) {
-        return(0);
+            return(0);
     }
 
     data = xmlSecBufferGetData(bn);
-    for(over = delta, i = xmlSecBufferGetSize(bn); i &gt; 0;) {
-        xmlSecAssert2(data != NULL, -1);
+    if(delta &gt; 0) {
+        for(over = delta, i = xmlSecBufferGetSize(bn); (i &gt; 0) &amp;&amp; (over &gt; 0) ;) {
+                xmlSecAssert2(data != NULL, -1);
         
-        over   += data[--i];
-        data[i]        = over % 256;
-        over        = over / 256;
-    }
+            tmp     = data[--i];
+                over   += tmp;
+                data[i]        = over % 256;
+                over        = over / 256;
+        }
     
-    while(over &gt; 0) {
-        ch        = over % 256;
-        over        = over / 256;
+        while(over &gt; 0) {
+                ch        = over % 256;
+                over        = over / 256;
         
-        ret = xmlSecBufferPrepend(bn, &amp;ch, 1);
-        if(ret &lt; 0) {
-            xmlSecError(XMLSEC_ERRORS_HERE,
-                        NULL,
-                        "xmlSecBufferPrepend",
-                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                        "size=1");
-            return (-1);
-        }
+                ret = xmlSecBufferPrepend(bn, &amp;ch, 1);
+                if(ret &lt; 0) {
+                    xmlSecError(XMLSEC_ERRORS_HERE,
+                                NULL,
+                                "xmlSecBufferPrepend",
+                                XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                                "size=1");
+                    return (-1);
+                }
+        }
+    } else {
+        for(over = -delta, i = xmlSecBufferGetSize(bn); (i &gt; 0) &amp;&amp; (over &gt; 0);) {
+                xmlSecAssert2(data != NULL, -1);
+        
+            tmp     = data[--i];
+            if(tmp &lt; over) {
+                data[i]        = 0;
+                over = (over - tmp) / 256;
+            } else {
+                data[i] = tmp - over;
+                over = 0;
+            }
+        }
     }
-    
     return(0);
 }
 
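Review bot: The borrow in the new negative branch of xmlSecBnAdd does not propagate: at `over = (over - tmp) / 256;` the division truncates to 0 whenever `over - tmp < 256`, so subtracting 1 from a value whose low byte is 0 (e.g. 0x0100) zeroes that byte and leaves the higher bytes untouched, yielding 0x0100 instead of 0x00FF. This also breaks the sign handling in xmlSecBnToString for such values, since it relies on `xmlSecBnAdd(&bn2, -1)` before complementing. The branch further ends with `over` still positive when the magnitude of `delta` exceeds the value, and that underflow is silently dropped; whether it should clamp to zero or fail depends on the intended contract, but now that the `delta >= 0` assert is gone it should not pass unnoticed. A rewrite of the branch with a proper borrow and an explicit underflow check follows.
```c
    if(delta > 0) {
        /* … unchanged: carry loop and prepend of overflow bytes … */
    } else {
        for(over = -delta, i = xmlSecBufferGetSize(bn); (i > 0) && (over > 0);) {
            xmlSecAssert2(data != NULL, -1);

            tmp = data[--i];
            if(tmp < over) {
                /* not enough in this byte: borrow from the more significant ones */
                int borrow = (over - tmp + 255) / 256;
                data[i] = (xmlSecByte)(tmp - over + 256 * borrow);
                over = borrow;
            } else {
                data[i] = (xmlSecByte)(tmp - over);
                over = 0;
            }
        }
        /* ran out of bytes while still borrowing: the value was smaller than -delta */
        if(over > 0) {
            xmlSecError(XMLSEC_ERRORS_HERE,
                        NULL,
                        NULL,
                        XMLSEC_ERRORS_R_INVALID_DATA,
                        "delta=%d", delta);
            return (-1);
        }
    }
    return(0);
```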
Index: src/mscrypto/crypto.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/mscrypto/crypto.c,v
retrieving revision 1.5
diff -u -r1.5 crypto.c
--- src/mscrypto/crypto.c        12 Nov 2003 02:38:51 -0000        1.5
+++ src/mscrypto/crypto.c        22 Feb 2005 09:16:51 -0000
@@ -330,13 +330,15 @@
 BYTE* 
 xmlSecMSCryptoCertStrToName(DWORD dwCertEncodingType, LPCTSTR pszX500, DWORD dwStrType, DWORD* len) {
     BYTE* str = NULL; 
-    
+    LPCTSTR ppszError = NULL;
+
     xmlSecAssert2(pszX500 != NULL, NULL);
     xmlSecAssert2(len != NULL, NULL);
 
     if (!CertStrToName(dwCertEncodingType, pszX500, dwStrType, 
-                        NULL, NULL, len, NULL)) {
+                        NULL, NULL, len, &amp;ppszError)) {
         /* this might not be an error, string might just not exist */
+                DWORD dw = GetLastError();
         return(NULL);
     }
         
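Review bot: `DWORD dw = GetLastError();` on the new line in the failure branch is written and never read, and `ppszError` is filled in by CertStrToName but likewise never inspected, so the hunk adds two unused values in front of the `return(NULL)`. Either remove the `dw` line or use both in a diagnostic; the comment on the line above says a miss is not necessarily an error, so a debug-level message that includes the error code and the offending position would fit. The new line is also indented differently from the surrounding block. xmlSecMSCryptoCertStrToName continues past the end of this hunk.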
Index: src/mscrypto/x509.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/mscrypto/x509.c,v
retrieving revision 1.2
diff -u -r1.2 x509.c
--- src/mscrypto/x509.c        26 Sep 2003 00:58:13 -0000        1.2
+++ src/mscrypto/x509.c        22 Feb 2005 09:16:52 -0000
@@ -1882,7 +1882,7 @@
     xmlSecAssert2(nm-&gt;pbData != NULL, NULL);
     xmlSecAssert2(nm-&gt;cbData &gt; 0, NULL);
 
-    csz = CertNameToStr(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, nm, CERT_X500_NAME_STR, NULL, 0);
+    csz = CertNameToStr(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, nm, CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG, NULL, 0);
     str = (char *)xmlMalloc(csz);
     if (NULL == str) {
         xmlSecError(XMLSEC_ERRORS_HERE,
@@ -1893,7 +1893,7 @@
         return (NULL);
     }
 
-    csz = CertNameToStr(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, nm, CERT_X500_NAME_STR, str, csz);
+    csz = CertNameToStr(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, nm, CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG, str, csz);
     if (csz &lt; 1) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     NULL,
@@ -1904,17 +1904,37 @@
         return(NULL);
     }
 
-    res = xmlStrdup(BAD_CAST str);
-    if(res == NULL) {
-        xmlSecError(XMLSEC_ERRORS_HERE,
-                    NULL,
-                    "xmlStrdup",
-                    XMLSEC_ERRORS_R_MALLOC_FAILED,
-                    XMLSEC_ERRORS_NO_MESSAGE);
-        xmlFree(str);
-        return(NULL);
-    }
+    /* aleksey: this is a hack, but mscrypto can not read E= flag and wants Email= instead.
+     * don't ask me how is it possible not to read something you wrote yourself but also
+     * see comment in the xmlSecMSCryptoX509FindCert function. 
+     */
+    if(strncmp(str, "E=", 2) == 0) {
+        res = xmlMalloc(strlen(str) + 13 + 1);
+        if(res == NULL) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+                            NULL,
+                            "xmlMalloc",
+                            XMLSEC_ERRORS_R_MALLOC_FAILED,
+                            "size=%d",
+                    strlen(str) + 13 + 1);
+            xmlFree(str);
+            return(NULL);
+        }
 
+        memcpy(res, "emailAddress=", 13);
+        strcpy(res + 13, BAD_CAST (str + 2)); 
+    } else {
+        res = xmlStrdup(BAD_CAST str);
+        if(res == NULL) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+                            NULL,
+                            "xmlStrdup",
+                            XMLSEC_ERRORS_R_MALLOC_FAILED,
+                            XMLSEC_ERRORS_NO_MESSAGE);
+            xmlFree(str);
+            return(NULL);
+        }
+    }
     xmlFree(str);
     return(res);
 }
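Review bot: `strcpy(res + 13, BAD_CAST (str + 2));` passes an `xmlChar*` (unsigned char*) where strcpy takes `const char*`, and `res + 13` is likewise `xmlChar*`; `strcpy((char*)res + 13, str + 2);` gives a warning-free build, and the `"size=%d"` argument `strlen(str) + 13 + 1` is a `size_t` that should be cast to int to match the format. The rewrite only fires when `E=` is the very first RDN of the string; if CertNameToStr can place the e-mail attribute anywhere else (e.g. after a `, `) the round-trip the comment describes still fails, so the comment should say explicitly that only the leading-RDN case is handled. The enclosing function (apparently xmlSecMSCryptoX509NameWrite, per the cross-reference in x509vfy.c) starts before this hunk.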
Index: src/mscrypto/x509vfy.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/mscrypto/x509vfy.c,v
retrieving revision 1.3
diff -u -r1.3 x509vfy.c
--- src/mscrypto/x509vfy.c        27 Sep 2003 03:12:22 -0000        1.3
+++ src/mscrypto/x509vfy.c        22 Feb 2005 09:16:52 -0000
@@ -567,10 +567,41 @@
 
     if((pCert == NULL) &amp;&amp; (NULL != issuerName) &amp;&amp; (NULL != issuerSerial)) {
         xmlSecBn issuerSerialBn;        
+    xmlChar * p;
         CERT_NAME_BLOB cnb;
+    CRYPT_INTEGER_BLOB cib;
         BYTE *cName = NULL; 
         DWORD cNameLen = 0;        
+    
+    /* aleksey: for some unknown to me reasons, mscrypto wants Email
+     * instead of emailAddress. This code is not bullet proof and may 
+     * produce incorrect results if someone has "emailAddress=" string
+     * in one of the fields, but it is best I can suggest to fix this problem.
+     * Also see xmlSecMSCryptoX509NameWrite function.
+     */
+    while( (p = (xmlChar*)xmlStrstr(issuerName, BAD_CAST "emailAddress=")) != NULL) {
+        memcpy(p, "       Email=", 13);
+    }
 
+
+
+    /* get issuer name */
+        cName = xmlSecMSCryptoCertStrToName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+                                           issuerName,
+                                           CERT_NAME_STR_ENABLE_UTF8_UNICODE_FLAG | CERT_OID_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
+                                           &amp;cNameLen);
+        if(cName == NULL) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+                        NULL,
+                        "xmlSecMSCryptoCertStrToName",
+                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                        XMLSEC_ERRORS_NO_MESSAGE);
+            return (NULL);
+        }
+        cnb.pbData = cName;
+        cnb.cbData = cNameLen;
+
+    /* get serial number */
         ret = xmlSecBnInitialize(&amp;issuerSerialBn, 0);
         if(ret &lt; 0) {
             xmlSecError(XMLSEC_ERRORS_HERE,
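Review bot: The `emailAddress=` to `       Email=` rewrite at `memcpy(p, "       Email=", 13);` edits `issuerName` in place; the `(xmlChar*)` cast discards the `const` that `xmlStrstr` returns, and whether `issuerName` itself is const is not visible here, but either way the caller's string, which judging by the X509IssuerSerial test data added in this patch comes from the document being verified, is modified behind its back. Copy it first (`xmlChar* nameCopy = xmlStrdup(issuerName);`, checked for NULL), run the replacement loop and the `xmlSecMSCryptoCertStrToName` call on the copy, and `xmlFree(nameCopy)` on every exit of the block. The leading spaces in the replacement presumably rely on CertStrToName skipping whitespace before an attribute name; that assumption belongs in the comment above the loop. Indentation of the new lines alternates between 4 and 8 columns (`xmlChar * p;`, `CRYPT_INTEGER_BLOB cib;`, the while loop) where the surrounding block uses 8. The enclosing function (xmlSecMSCryptoX509FindCert, per the cross-reference in x509.c) starts before and ends after this hunk.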
@@ -578,6 +609,7 @@
                         "xmlSecBnInitialize",
                         XMLSEC_ERRORS_R_XMLSEC_FAILED,
                         XMLSEC_ERRORS_NO_MESSAGE);
+            xmlFree(cName);
             return(NULL);
         }
 
@@ -589,26 +621,30 @@
                         XMLSEC_ERRORS_R_XMLSEC_FAILED,
                         XMLSEC_ERRORS_NO_MESSAGE);
             xmlSecBnFinalize(&amp;issuerSerialBn);
-            return(NULL);
+                xmlFree(cName);
+        return(NULL);
         }
 
-        cName = xmlSecMSCryptoCertStrToName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
-                                           issuerName,
-                                           CERT_OID_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
-                                           &amp;cNameLen);
-        if(cName == NULL) {
+        /* I have no clue why at a sudden a swap is needed to 
+     * convert from lsb... This code is purely based upon 
+         * trial and error :( WK
+         */
+    ret = xmlSecBnReverse(&amp;issuerSerialBn);
+        if(ret &lt; 0) {
             xmlSecError(XMLSEC_ERRORS_HERE,
                         NULL,
-                        "xmlSecMSCryptoCertStrToName",
+                        "xmlSecBnReverse",
                         XMLSEC_ERRORS_R_XMLSEC_FAILED,
                         XMLSEC_ERRORS_NO_MESSAGE);
             xmlSecBnFinalize(&amp;issuerSerialBn);
-            return (NULL);
+                xmlFree(cName);
+        return(NULL);
         }
 
-        cnb.pbData = cName;
-        cnb.cbData = cNameLen;
-        while((pCert = CertFindCertificateInStore(store, 
+    cib.pbData = xmlSecBufferGetData(&amp;issuerSerialBn);
+    cib.cbData = xmlSecBufferGetSize(&amp;issuerSerialBn);
+
+    while((pCert = CertFindCertificateInStore(store, 
                                                   PKCS_7_ASN_ENCODING | X509_ASN_ENCODING,
                                                   0,
                                                   CERT_FIND_ISSUER_NAME,
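Review bot: The comment above `ret = xmlSecBnReverse(&issuerSerialBn);` says the byte swap was found by trial and error, but it has a reason that should be written down: xmlSecBnFromString (see the bn.c hunks in this patch, which prepend the carry byte and treat `data[0]` as the sign byte) produces the serial most-significant byte first, whereas `CRYPT_INTEGER_BLOB`, and therefore `CertCompareIntegerBlob`, holds a little-endian integer. Suggested replacement: `/* xmlSecBn stores the serial big-endian; CRYPT_INTEGER_BLOB is little-endian, so reverse before filling cib for CertCompareIntegerBlob */`. The comment block's continuation lines are also misaligned (4- and 8-column starts). The enclosing function starts before and ends after this hunk.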
@@ -622,10 +658,9 @@
             if((pCert-&gt;pCertInfo != NULL) &amp;&amp; 
                (pCert-&gt;pCertInfo-&gt;SerialNumber.pbData != NULL) &amp;&amp; 
                (pCert-&gt;pCertInfo-&gt;SerialNumber.cbData &gt; 0) &amp;&amp; 
-               (0 == xmlSecBnCompareReverse(&amp;issuerSerialBn, pCert-&gt;pCertInfo-&gt;SerialNumber.pbData, 
-                                     pCert-&gt;pCertInfo-&gt;SerialNumber.cbData))) {
-                
-                break;
+           (CertCompareIntegerBlob(&amp;(pCert-&gt;pCertInfo-&gt;SerialNumber), &amp;cib) == TRUE)
+           ) {                
+                    break;
             }
         }
         xmlFree(cName);
Index: tests/testDSig.sh
===================================================================
RCS file: /cvs/gnome/xmlsec/tests/testDSig.sh,v
retrieving revision 1.35
diff -u -r1.35 testDSig.sh
--- tests/testDSig.sh        17 Mar 2004 05:06:48 -0000        1.35
+++ tests/testDSig.sh        22 Feb 2005 09:16:53 -0000
@@ -1,8 +1,15 @@
 #!/bin/sh 
 
+OS_ARCH=`uname -o`
+
+if [ "z$OS_ARCH" = "zCygwin" ] ; then
+        topfolder=`cygpath -wa $2`
+        xmlsec_app=`cygpath -a $3`
+else
+        topfolder=$2
+        xmlsec_app=$3
+fi
 crypto=$1
-topfolder=$2
-xmlsec_app=$3
 file_format=$4
 
 pub_key_format=$file_format
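Review bot: The new `OS_ARCH` assignment relies on `uname -o`, which is a GNU/Cygwin extension; on a BSD, Solaris or macOS `uname` it fails and prints a usage error to stderr on every run, although `OS_ARCH` ends up empty and the non-Cygwin branch is still taken. Appending `2>/dev/null` inside the command substitution keeps the output clean, and the `cygpath -wa $2` / `cygpath -a $3` arguments should be quoted (`"$2"`, `"$3"`) since paths under Windows may contain spaces; the same quoting applies to the tmpfile/logfile block in the next hunk.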
@@ -13,10 +20,15 @@
 if [ "z$TMPFOLDER" = "z" ] ; then
     TMPFOLDER=/tmp
 fi
-
 timestamp=`date +%Y%m%d_%H%M%S` 
-tmpfile=$TMPFOLDER/testDSig.$timestamp-$$.tmp
-logfile=$TMPFOLDER/testDSig.$timestamp-$$.log
+if [ "z$OS_ARCH" = "zCygwin" ] ; then
+        tmpfile=`cygpath -wa $TMPFOLDER/testDSig.$timestamp-$$.tmp`
+        logfile=`cygpath -wa $TMPFOLDER/testDSig.$timestamp-$$.log`
+else
+        tmpfile=$TMPFOLDER/testDSig.$timestamp-$$.tmp
+        logfile=$TMPFOLDER/testDSig.$timestamp-$$.log
+fi
+
 script="$0"
 
 # prepate crypto config folder
@@ -104,7 +116,6 @@
 echo "--- testDSig started for xmlsec-$crypto library ($timestamp)" &gt;&gt; $logfile
 echo "--- LD_LIBRARY_PATH=$LD_LIBRARY_PATH" &gt;&gt; $logfile
 
-
 execDSigTest "" "merlin-xmldsig-twenty-three/signature-enveloped-dsa" \
     " " \
     "$priv_key_option $topfolder/keys/dsakey.$priv_key_format --pwd secret" \
@@ -238,6 +249,11 @@
     "$priv_key_option tests/keys/rsakey.$priv_key_format --pwd secret" \
     "--trusted-$cert_format $topfolder/keys/cacert.$cert_format"
 
+execDSigTest "" "aleksey-xmldsig-01/x509data-sn-test" \
+    "--trusted-$cert_format $topfolder/keys/cacert.$cert_format --untrusted-$cert_format $topfolder/keys/ca2cert.$cert_format  --untrusted-$cert_format $topfolder/keys/rsa2cert.$cert_format --enabled-key-data x509" \
+    "$priv_key_option tests/keys/rsa2key.$priv_key_format --pwd secret" \
+    "--trusted-$cert_format $topfolder/keys/cacert.$cert_format --untrusted-$cert_format $topfolder/keys/ca2cert.$cert_format  --untrusted-$cert_format $topfolder/keys/rsa2cert.$cert_format --enabled-key-data x509"
+
 execDSigTest "" "merlin-exc-c14n-one/exc-signature" \
     ""
     
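Review bot: The new `x509data-sn-test` invocation mixes `$topfolder/keys/...` for the certificates with a literal `tests/keys/rsa2key.$priv_key_format` for the private key; this copies the pattern of the test above it, but with the Cygwin branch added at the top of this patch `$topfolder` is now a Windows path while `tests/keys` is relative to the current directory, so the two arguments resolve differently. Unless the relative path is intentional, `$topfolder/keys/rsa2key.$priv_key_format` here (and in the existing line above) keeps the test independent of the working directory.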
@@ -249,6 +265,7 @@
 
 execDSigTest "" "merlin-xpath-filter2-three/sign-spec" \
     ""
+
 execDSigTest "phaos-xmldsig-three" "signature-big" \
     "--pubkey-cert-$cert_format certs/rsa-cert.$cert_format" 
 
Index: tests/aleksey-xmldsig-01/x509data-sn-test.tmpl
===================================================================
RCS file: tests/aleksey-xmldsig-01/x509data-sn-test.tmpl
diff -N tests/aleksey-xmldsig-01/x509data-sn-test.tmpl
--- /dev/null        1 Jan 1970 00:00:00 -0000
+++ tests/aleksey-xmldsig-01/x509data-sn-test.tmpl        22 Feb 2005 09:16:53 -0000
@@ -0,0 +1,27 @@
+&lt;?xml version="1.0" encoding="UTF-8"?&gt;
+&lt;Document&gt;
+  &lt;ToBeSigned&gt;
+    Some very secret data
+  &lt;/ToBeSigned&gt;
+  &lt;Signature xmlns=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#">"http://www.w3.org/2000/09/xmldsig#"</a>&gt;
+    &lt;SignedInfo&gt;
+      &lt;CanonicalizationMethod Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315">"http://www.w3.org/TR/2001/REC-xml-c14n-20010315"</a> /&gt;
+      &lt;SignatureMethod Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#rsa-sha1">"http://www.w3.org/2000/09/xmldsig#rsa-sha1"</a> /&gt;
+      &lt;Reference URI=""&gt;
+        &lt;Transforms&gt;
+          &lt;Transform Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2002/06/xmldsig-filter2">"http://www.w3.org/2002/06/xmldsig-filter2"</a>&gt;
+            &lt;XPath xmlns=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2002/06/xmldsig-filter2">"http://www.w3.org/2002/06/xmldsig-filter2"</a> Filter="intersect"&gt; //ToBeSigned &lt;/XPath&gt;
+          &lt;/Transform&gt;
+        &lt;/Transforms&gt;
+        &lt;DigestMethod Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#sha1">"http://www.w3.org/2000/09/xmldsig#sha1"</a> /&gt;
+        &lt;DigestValue/&gt;
+      &lt;/Reference&gt;
+    &lt;/SignedInfo&gt;
+    &lt;SignatureValue/&gt;
+    &lt;KeyInfo&gt;
+      &lt;X509Data&gt;
+        &lt;X509IssuerSerial/&gt;
+      &lt;/X509Data&gt;
+    &lt;/KeyInfo&gt;
+  &lt;/Signature&gt;
+&lt;/Document&gt;
Index: tests/aleksey-xmldsig-01/x509data-sn-test.xml
===================================================================
RCS file: tests/aleksey-xmldsig-01/x509data-sn-test.xml
diff -N tests/aleksey-xmldsig-01/x509data-sn-test.xml
--- /dev/null        1 Jan 1970 00:00:00 -0000
+++ tests/aleksey-xmldsig-01/x509data-sn-test.xml        22 Feb 2005 09:16:53 -0000
@@ -0,0 +1,33 @@
+&lt;?xml version="1.0" encoding="UTF-8"?&gt;
+&lt;Document&gt;
+  &lt;ToBeSigned&gt;
+    Some very secret data
+  &lt;/ToBeSigned&gt;
+  &lt;Signature xmlns=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#">"http://www.w3.org/2000/09/xmldsig#"</a>&gt;
+    &lt;SignedInfo&gt;
+      &lt;CanonicalizationMethod Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315">"http://www.w3.org/TR/2001/REC-xml-c14n-20010315"</a>/&gt;
+      &lt;SignatureMethod Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#rsa-sha1">"http://www.w3.org/2000/09/xmldsig#rsa-sha1"</a>/&gt;
+      &lt;Reference URI=""&gt;
+        &lt;Transforms&gt;
+          &lt;Transform Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2002/06/xmldsig-filter2">"http://www.w3.org/2002/06/xmldsig-filter2"</a>&gt;
+            &lt;XPath xmlns=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2002/06/xmldsig-filter2">"http://www.w3.org/2002/06/xmldsig-filter2"</a> Filter="intersect"&gt; //ToBeSigned &lt;/XPath&gt;
+          &lt;/Transform&gt;
+        &lt;/Transforms&gt;
+        &lt;DigestMethod Algorithm=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2000/09/xmldsig#sha1">"http://www.w3.org/2000/09/xmldsig#sha1"</a>/&gt;
+        &lt;DigestValue&gt;3om1gINPzaogcdLuDdjIQlls4NE=&lt;/DigestValue&gt;
+      &lt;/Reference&gt;
+    &lt;/SignedInfo&gt;
+    &lt;SignatureValue&gt;pcsM3Uz0+85OJTV28sg+mQ5khOCxeToam9ojj5F7D5IVXoQAnCNDuyDbKLsn0UKv
+I06RXzlb4MXb88fBJaFd4ygfpy3Ude8n6erjwxtwU6tPiesHyJB64GSD9yeSGDZt
+UnD0EYB9ammZxoqVUlZR5FiqG/vTUtjHN+Fo6DTuY+g=&lt;/SignatureValue&gt;
+    &lt;KeyInfo&gt;
+      &lt;X509Data&gt;
+        
+      &lt;X509IssuerSerial&gt;
+&lt;X509IssuerName&gt;<a class="moz-txt-link-abbreviated" href="mailto:emailAddress=xmlsec@aleksey.com,CN=Aleksey">emailAddress=xmlsec@aleksey.com,CN=Aleksey</a> Sanin,OU=Second Level Certificate,O=XML Security Library (<a class="moz-txt-link-freetext" href="http://www.aleksey.com/xmlsec">http://www.aleksey.com/xmlsec</a>),ST=California,C=US&lt;/X509IssuerName&gt;
+&lt;X509SerialNumber&gt;-1&lt;/X509SerialNumber&gt;
+&lt;/X509IssuerSerial&gt;
+&lt;/X509Data&gt;
+    &lt;/KeyInfo&gt;
+  &lt;/Signature&gt;
+&lt;/Document&gt;
Index: tests/keys/README
===================================================================
RCS file: /cvs/gnome/xmlsec/tests/keys/README,v
retrieving revision 1.6
diff -u -r1.6 README
--- tests/keys/README        30 Jul 2003 02:47:22 -0000        1.6
+++ tests/keys/README        22 Feb 2005 09:16:53 -0000
@@ -17,6 +17,8 @@
  hmackey.bin        HMAC key ('secret')
  expired.key        key for expired cert 
  expired.crt        expired certificate 
+ rsa2key.pem        RSA private key
+ rsa2cert.pem         Self signed RSA certificate with negative serial number
 
 2. How certificates were generated:
 
@@ -66,6 +68,9 @@
    
   Convert PEM cert file to DER file
     &gt; openssl x509 -outform DER -in ca2cert.pem -out ca2cert.der 
+
+  Convert DER cert file to PEM file
+   &gt; openssl x509 -inform DER -outform PEM -in ca2cert.der -out ca2cert.pem
 
 4. Converting an unencrypted PEM or DER file containing a private key
    to an encrypted PEM or DER file containing the same private key but
Index: tests/keys/rsa2cert.der
===================================================================
RCS file: tests/keys/rsa2cert.der
diff -N tests/keys/rsa2cert.der
Binary files /dev/null and rsa2cert.der differ
Index: tests/keys/rsa2cert.pem
===================================================================
RCS file: tests/keys/rsa2cert.pem
diff -N tests/keys/rsa2cert.pem
--- /dev/null        1 Jan 1970 00:00:00 -0000
+++ tests/keys/rsa2cert.pem        22 Feb 2005 09:16:53 -0000
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
Index: tests/keys/rsa2key.der
===================================================================
RCS file: tests/keys/rsa2key.der
diff -N tests/keys/rsa2key.der
Binary files /dev/null and rsa2key.der differ
Index: tests/keys/rsa2key.p12
===================================================================
RCS file: tests/keys/rsa2key.p12
diff -N tests/keys/rsa2key.p12
Binary files /dev/null and rsa2key.p12 differ
Index: tests/keys/rsa2key.pem
===================================================================
RCS file: tests/keys/rsa2key.pem
diff -N tests/keys/rsa2key.pem
--- /dev/null        1 Jan 1970 00:00:00 -0000
+++ tests/keys/rsa2key.pem        22 Feb 2005 09:16:53 -0000
@@ -0,0 +1,18 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,4500DDD8194CE192
+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+-----END RSA PRIVATE KEY-----
Index: win32/Makefile.msvc
===================================================================
RCS file: /cvs/gnome/xmlsec/win32/Makefile.msvc,v
retrieving revision 1.27
diff -u -r1.27 Makefile.msvc
--- win32/Makefile.msvc        9 Jun 2004 14:35:12 -0000        1.27
+++ win32/Makefile.msvc        22 Feb 2005 09:16:54 -0000
@@ -456,21 +456,21 @@
 check-keys : $(BINDIR)\$(APP_NAME)
         cd ..
         if not exist win32\tmp mkdir win32\tmp
-        set TMPFOLDER=win32\tmp
+        set TMPFOLDER=win32/tmp
         sh ./tests/testKeys.sh default ./tests win32/$(BINDIR)/$(APP_NAME) der
         cd win32
 
 check-dsig : $(BINDIR)\$(APP_NAME)        
         cd ..
         if not exist win32\tmp mkdir win32\tmp
-        set TMPFOLDER=win32\tmp
+        set TMPFOLDER=win32/tmp
         sh ./tests/testDSig.sh default ./tests win32/$(BINDIR)/$(APP_NAME) der
         cd win32
 
 check-enc : $(BINDIR)\$(APP_NAME)
         cd ..
         if not exist win32\tmp mkdir win32\tmp
-        set TMPFOLDER=win32\tmp
+        set TMPFOLDER=win32/tmp
         sh ./tests/testEnc.sh default ./tests win32/$(BINDIR)/$(APP_NAME) der
         cd win32
 
  </pre>
  <pre wrap="">
<hr width="90%" size="4">
_______________________________________________
xmlsec mailing list
<a class="moz-txt-link-abbreviated" href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a>
<a class="moz-txt-link-freetext" href="http://www.aleksey.com/mailman/listinfo/xmlsec">http://www.aleksey.com/mailman/listinfo/xmlsec</a>
  </pre>
</blockquote>
</body>
</html>