[xmlsec] Problem with some cert which has a negative serial number

Andrew Fan Xuelei.Fan at Sun.COM
Mon Feb 21 20:56:46 PST 2005


Michael Mi wrote:

> For a bn like "FF FF FF FF", the string format can be created as 
> following:
>
I think "FF FF FF FF" is not a legal big integer, as you can get from X.690.

-Andrew

> 1) The first byte is bigger than 127, so a "-" should be added to the 
> result;
> 2) calculate the "complement" code of "FF FF FF FF", it is "00 00 00 01";
> 3) the result is "-0001". (How comes the three-zero? I am not so sure 
> at this moment, but we can find way if necessary.)
>
> Now the "-0001" is written into the xml file. The leading zero is used 
> to recover the 4 "FF". If we just write "-1" into the xml file, how 
> can we re-generate the "FF FF FF FF"?
>
> At this moment, Chander and I are trying to do the test. We'll let you 
> know any result.
>
> Michael
>
>
> Aleksey Sanin wrote:
>
>> Note that this is not only 00s but also FFs for negative values
>> (11, 111, 1111, 11111, etc. all represent the same -1). The real
>> question is how smart are the NSPR (CERT_FindCertByIssuerAndSN)
>> and MSCrypto (CertCompareIntegerBlob) functions? Do they understand
>> that these numbers are the same or not?
>>
>> Anyone wants to test it?
>>
>> Aleksey
>>
>> Michael Mi wrote:
>>
>>> I gree with you than "01", "00 01", "00 00 00 01" are same bns 
>>> theoretically.
>>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
>
>
>



More information about the xmlsec mailing list