[xmlsec] Problem with some cert which has a negative serial number

Andrew Fan Xuelei.Fan at Sun.COM
Mon Feb 21 19:43:44 PST 2005


Michael Mi wrote:

> I agree with you that "01", "00 01", "00 00 00 01" are the same bns 
> theoretically.
>
> But the current question is whether they are still the same in the 
> MSCrypto/NSS implementation. If not, we have to keep the leading zero 
> in the xml file.
>
As far as I know, MSCrypto/NSS only accept a big number (in DER format) 
instead of a decimal string, so I don't think the decimal string format 
matters so much. For an integer (in decimal or hex, or any other base), 
DER encoding has only one form.

I think the question is that when getting a negative serial number, we treat 
it as a positive integer and convert it to a positive decimal string. So 
when converting the decimal string back, we treat it as positive instead 
of negative, so we get a wrong serial number. So keeping "0" at the head 
helps nothing. What we need is to convert a negative big number into a 
decimal string with a '-' sign; I think it is also the standard form of XML 
integer representation. The decimal string also should follow the XML standards, 
I think.

I'll try to show how to encode a negative in another mail.

-Andrew

> Michael
>
> Andrew Fan wrote:
>
>> Aleksey Sanin wrote:
>>
>>>> What I suggest is to add a minus sign to the string format (no matter 
>>>> what base it is) when a bn is negative. When creating a bn from this 
>>>> string, the minus sign can be used to help convert back to the 
>>>> original bn.
>>>
>>>
>>>
>>> Yes, I am thinking along the same lines...
>>>
>>>>
>>>> Anyway, I just hope any bn in string format is only used for the purpose 
>>>> of displaying, otherwise, the minus sign may cause some problems.
>>>
>>>
>>>
>>> Unfortunately, no. The bn string is written in the xml signature as the
>>> certificate serial number. And one needs to know how to convert
>>> a bn to a decimal string and back.
>>>
>>>> Moreover, I also think the leading zero prefix should be preserved when 
>>>> converting between bn and string. For instance, when converting a 
>>>> bn "01" to a string, the result should be "01", instead of "1". 
>>>> Only in this way, when converting back to a bn, can the leading zero 
>>>> be recovered.
>>>
>>>
>>>
>>> Oh, I am really not sure about this. How would this work for decimal
>>> string and hex in-memory representations? Will it always be a 1<->1
>>> conversion?
>>>
>> I'm against converting bn "01" to string "01". As Aleksey said 
>> above, the bn is written to the xml signature as the serial number, so it 
>> should follow the ASN.1 BER/DER integer encoding rules. Decimal strings 
>> "01", "1", "00001" have the same meaning, which should be encoded into 
>> the same bn.
>>
>> Andrew
>>
>>> Aleksey
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>
>>
>>
>>
>
>
>
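To make the conversion discussed in this thread concrete, the following is an added illustration in Python; it is not code from xmlsec, MSCrypto or NSS, and the three serial-number octets it uses are constructed, not taken from a real certificate. It works on the content octets of a DER INTEGER (tag and length already stripped, which is an assumption of the example), reads them as the big-endian two's-complement value the ASN.1 rules prescribe, prints a signed decimal string, and encodes that string back to minimal DER. Alongside it is the faulty path the thread describes: reading the same octets as unsigned, which turns a negative serial into a positive decimal string that re-encodes to different DER. The example also shows that leading zeros in the decimal string make no difference, and that "00 01" is a valid BER integer but not minimal DER.

```python
"""Added illustration (not xmlsec/MSCrypto/NSS code): DER INTEGER content
octets <-> signed decimal string, with the unsigned misreading shown
beside the correct one.  Sample serial bytes are constructed."""

# Constructed sample: three content octets with the top bit set, i.e. a
# negative INTEGER under two's-complement DER rules.
SAMPLE_SERIAL_DER = b"\x80\x01\x02"


def der_int_to_int(content: bytes) -> int:
    """Decode DER INTEGER content octets as a signed integer."""
    if not content:
        raise ValueError("empty INTEGER content")
    return int.from_bytes(content, "big", signed=True)


def der_int_to_int_unsigned_bug(content: bytes) -> int:
    """The faulty reading discussed in the thread: the sign bit is ignored."""
    return int.from_bytes(content, "big", signed=False)


def int_to_der_int(value: int) -> bytes:
    """Encode an integer as minimal DER INTEGER content octets: the shortest
    two's-complement form, so no redundant leading 0x00 or 0xFF octet."""
    length = 1
    while True:
        try:
            return value.to_bytes(length, "big", signed=True)
        except OverflowError:
            length += 1


def is_minimal_der_int(content: bytes) -> bool:
    """DER forbids a leading 0x00 followed by an octet below 0x80, and a
    leading 0xFF followed by an octet of 0x80 or more."""
    if len(content) == 0:
        return False
    if len(content) == 1:
        return True
    first, second = content[0], content[1]
    if first == 0x00 and second < 0x80:
        return False
    if first == 0xFF and second >= 0x80:
        return False
    return True


def int_to_decimal(value: int) -> str:
    """Signed decimal string: '-' for negatives, no leading zeros."""
    return str(value)


def decimal_to_int(text: str) -> int:
    """Parse an optionally signed decimal string.  Leading zeros are
    accepted and ignored: "01", "1" and "00001" denote the same value."""
    text = text.strip()
    digits = text[1:] if text[:1] in "+-" else text
    if not digits.isdigit():
        raise ValueError(f"not a decimal integer: {text!r}")
    return int(text, 10)


def round_trip(content: bytes) -> bytes:
    """DER octets -> signed decimal string -> DER octets (correct path)."""
    return int_to_der_int(decimal_to_int(int_to_decimal(der_int_to_int(content))))


def round_trip_unsigned_bug(content: bytes) -> bytes:
    """Same path, but starting from the unsigned misreading of the octets."""
    value = der_int_to_int_unsigned_bug(content)
    return int_to_der_int(decimal_to_int(int_to_decimal(value)))


if __name__ == "__main__":
    print("signed decimal:   ", int_to_decimal(der_int_to_int(SAMPLE_SERIAL_DER)))
    print("unsigned decimal: ", int_to_decimal(der_int_to_int_unsigned_bug(SAMPLE_SERIAL_DER)))
    print("round trip equal: ", round_trip(SAMPLE_SERIAL_DER) == SAMPLE_SERIAL_DER)
    print("unsigned bug equal:", round_trip_unsigned_bug(SAMPLE_SERIAL_DER) == SAMPLE_SERIAL_DER)
    print("'00 01' minimal DER:", is_minimal_der_int(b"\x00\x01"))
```

For the constructed octets 80 01 02 the signed reading is -8388350 and round-trips to the same three octets; the unsigned reading gives 8388866, which re-encodes as 00 80 01 02, a different serial. A leading "0" in the decimal string is never needed for this, because DER itself dictates whether a 0x00 octet appears (only when the top bit of the next octet is set, as in 00 80 for 128). XML Signature's X509SerialNumber is an xs:integer, whose lexical form allows an optional sign and leading zeros, so "-8388350" is a legal value there.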