[xmlsec] Problem with some cert which has a negative serial number

Michael Mi Hao.Mi at Sun.COM
Mon Feb 21 21:38:23 PST 2005


Yes, the "FF FF FF FF" is illegal according to X.690.  So we can get rid 
of all useless leading zero.

Michael

Andrew Fan wrote:

> Michael Mi wrote:
>
>> For a bn like "FF FF FF FF", the string format can be created as 
>> following:
>>
> I think "FF FF FF FF" is not a legal big integer, as you can get from 
> X.690.
>
> -Andrew
>
>> 1) The first byte is bigger than 127, so a "-" should be added to the 
>> result;
>> 2) calculate the "complement" code of "FF FF FF FF", it is "00 00 00 
>> 01";
>> 3) the result is "-0001". (How comes the three-zero? I am not so sure 
>> at this moment, but we can find way if necessary.)
>>
>> Now the "-0001" is written into the xml file. The leading zero is 
>> used to recover the 4 "FF". If we just write "-1" into the xml file, 
>> how can we re-generate the "FF FF FF FF"?
>>
>> At this moment, Chander and I are trying to do the test. We'll let 
>> you know any result.
>>
>> Michael
>>
>>
>> Aleksey Sanin wrote:
>>
>>> Note that this is not only 00s but also FFs for negative values
>>> (11, 111, 1111, 11111, etc. all represent the same -1). The real
>>> question is how smart are the NSPR (CERT_FindCertByIssuerAndSN)
>>> and MSCrypto (CertCompareIntegerBlob) functions? Do they understand
>>> that these numbers are the same or not?
>>>
>>> Anyone wants to test it?
>>>
>>> Aleksey
>>>
>>> Michael Mi wrote:
>>>
>>>> I gree with you than "01", "00 01", "00 00 00 01" are same bns 
>>>> theoretically.
>>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>
>>
>>
>>
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec




More information about the xmlsec mailing list