[xmlsec] RE: FW: X509SerialNumber

Wes Thomas wes at encomia.com
Thu Sep 2 09:41:45 PDT 2004


Does the X509SerialNumber node within the X509IssuerSerial node, *NOT* refer
to the serial number for the issuer certificate?
<X509IssuerSerial> 
	<X509IssuerName>My CA for Certificate A</X509IssuerName>
	<X509SerialNumber>12345678</X509SerialNumber>
</X509IssuerSerial>

The way I read
http://www.w3.org/TR/2000/WD-xmldsig-core-20000510/#sec-X509Data and the
example they give (listed above), the X509SerialNumber should contain the
issuer's serial number, NOT the serial number of the certificate used for
signing. Is this correct? 

-----Original Message-----
From: Aleksey Sanin [mailto:aleksey at aleksey.com] 
Sent: Wednesday, August 25, 2004 11:17 AM
To: Wes Thomas; xmlsec at aleksey.com
Subject: Re: FW: X509SerialNumber

Mailing list is the right place but you need to be subscribed to the list :)

If you are using xmlsec-openssl then I would probably trust xmlsec output
because it gets the number directly from openssl.
On the other hand, if you use the xmlsec-mscrypto then it can easily be a
bug in xmlsec-mscrypto code that produces the number. If you have the
certificate, I would recommend to use openssl to print it out and look at
the number.

Anyway, the first certificate number has only one DWORD and the second
certificate has multiple DWORDs. One of the possible options is that when you
calculate the number you need to revert bytes in DWORDs but keep DWORDs
order:

1F 14 11 14 8A 53 F2 B6 49 F4 F8 4D A3 A8 14 76

which is equal to ~1.5695617 × 10^38 from Google's point of view.
This result seems closer to the number reported by xmlsec. However, it is a
pure speculation because I have no idea how you got this number in the first
place :)

Aleksey

Wes Thomas wrote:
> I originally sent this to the list serv by accident... Wasn't sure if 
> that's the right place to submit questions, so I'm forwarding this to you.
> Thanks!
> 
> -----Original Message-----
> From: Wes Thomas [mailto:wes at encomia.com]
> Sent: Tuesday, August 24, 2004 4:15 PM
> To: 'xmlsec at aleksey.com'
> Cc: 'ilya at encomia.com'
> Subject: X509SerialNumber
> 
> Hey Aleksey!
> 
> Got a question.. 
> Using XMLSec 1.2.4
> Windows 2000 etc.
> 
> I'm trying to arrive at the correct integer value for X509SerialNumber 
> node in the X509IssuerSerial element.
> 
> We've made a little calculator to test and see if our formula is correct.
> 
> With one certificate I get a serial value of 0D 22 75 91 in hex and 
> our calc from the right goes like this:
> 
> 91 75 22 0D
> We convert each to their integer counterparts,
> 145 117 34 13
> Add each together multiplied by 256 to the power of their position
> 145 + 117(256) + 34(256^2) + 13(256^3)
> 
> Google and our calculator say the result is = 220 362 129 which is 
> what XMLSec signing says.
> 
> Our 2nd certificate has a value of 1411141FB6F2538A4DF8F4497614A8A3 
> Calc starting from the right:
> 
> A3 A8 14 76 49 F4 F8 4D 8A 53 F2 B6 1F 14 11 14
> 163 + 168*256 + 20*256^2 + 118*256^3 + 73*256^4 + 244*256^5 +
> 248*256^6 + 77*256^7 + 138*256^8 + 83*256^9 + 242*256^10 +
> 182*256^11 + 31*256^12 + 20*256^13 + 17*256^14 + 20*256^15
> 
> Google has a rounding error and gives:
> 2.66732371 × 10^37 or 26673237100000000000000000000000000000
> 
> We use a Big Integer class in .NET to get a value of:
> 26673237123177746846882916240247269539
> 
> However XMLSec reports a value of:
> 16863389628646640081019990102011455077
> 
> Is there something I'm doing wrong? This works with a smaller RSA 
> keyed cert but not on the larger one.
> 
> Wes Thomas
> Encomia, L.P.
> www.encomia.com
> 
> Iguana: The other green meat.
> 
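
Added example (not part of the thread and not xmlsec code): a Python check of the decimal X509SerialNumber value against each byte order mentioned above, using the hex serials and decimal results quoted in the messages. Function and constant names are this example's own.

```python
# Added example, not code from the thread. Hex serials and decimal values
# below are the ones quoted in the messages above.
SERIAL_1 = "0D 22 75 91"
SERIAL_2 = "1411141FB6F2538A4DF8F4497614A8A3"
BIGINT_VALUE_2 = 26673237123177746846882916240247269539   # .NET Big Integer result
XMLSEC_VALUE_2 = 16863389628646640081019990102011455077   # value xmlsec reported


def parse_hex(serial_hex):
    """Bytes of a serial as displayed: '0D 22 75 91', '0D:22:75:91', '0D227591'."""
    cleaned = serial_hex.replace(":", "").replace(" ", "")
    return bytes.fromhex(cleaned.zfill(len(cleaned) + len(cleaned) % 2))


def swap_within_dwords(raw):
    """Reverse the bytes inside each 4-byte group, keeping the group order."""
    return b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))


def candidate_values(serial_hex):
    """Integer value of the serial under each byte order worth testing."""
    raw = parse_hex(serial_hex)
    swapped = swap_within_dwords(raw)
    return {
        "big-endian": int.from_bytes(raw, "big"),   # as displayed / DER order
        "bytes-reversed": int.from_bytes(raw, "little"),
        "swap-within-dwords": int.from_bytes(swapped, "big"),
        "dword-order-reversed": int.from_bytes(swapped, "little"),
    }


def matching_orders(serial_hex, reported):
    """Names of the byte orders that reproduce the reported decimal value."""
    return [name for name, value in candidate_values(serial_hex).items()
            if value == reported]


def to_serial_hex(decimal_text):
    """Inverse: the hex bytes a decimal X509SerialNumber should display as."""
    value = int(decimal_text)
    return value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big").hex().upper()


if __name__ == "__main__":
    print(matching_orders(SERIAL_1, 220362129))
    print(matching_orders(SERIAL_2, BIGINT_VALUE_2))
    print(matching_orders(SERIAL_2, XMLSEC_VALUE_2))
    print(to_serial_hex("220362129"))
```

For the 4-byte serial two orderings give the same number, so only the 16-byte serial can expose an ordering difference; none of the four orderings reproduces the value xmlsec reported for it.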



