[xmlsec] Problem with some cert which has a negative serial number

Michael Mi Hao.Mi at Sun.COM
Tue Feb 22 01:50:43 PST 2005


Aleksey,

I will take some time to integrate your patch into my local libxmlsec.
(You know, I am working on libxmlsec 1.2.6, not the latest one, so I
have to merge your change manually.)
I will let you know the result when it finishes.

Thanks

Michael

Aleksey Sanin wrote:

> Michael,
>
> I have a better patch for you (see attached file). Also I already
> tested it and checked in (thanks to Andrew for his openssl trick :) ).
>
> However, there are a few things I would like to note:
> 1) I did test openssl <-> mscrypto interoperability for negative
> serial numbers and everything seems to be working. I did not test
> NSS <-> mscrypto at all.
> 2) I noticed that NSS does not handle large serial numbers at all.
> It seems that the code just converts a string to regular integer
> using NSPR's analog for atoi() function.
> 3) It turns out that mscrypto does not recognize "emailAddress"
> attribute in x509 string. Worse, when it writes a string, it puts
> email into "E" attribute but then refuses to read it back (or to
> be precise, it reads it in a *different* internal format and then
> cannot find this cert)! I hacked the code to work around this
> problem but this is really a quick-and-dirty hack and you might
> want to think about a better solution.
>
> Aleksey
>
>
>
> Aleksey Sanin wrote:
>
>> Just do "patch -p0 < path-to-negative-bn.diff" from the top level
>> xmlsec folder.
>>
>> Aleksey
>>
>> Michael Mi wrote:
>>
>>> I'd love to try it.
>>>
>>> But can you tell me how to merge the diff into my bn.c when I am 
>>> using the libxmlsec tarball?
>>>
>>> Michael
>>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
>
>------------------------------------------------------------------------
>
>Index: src/bn.c
>===================================================================
>RCS file: /cvs/gnome/xmlsec/src/bn.c,v
>retrieving revision 1.14
>diff -u -r1.14 bn.c
>--- src/bn.c	26 Jan 2005 16:52:09 -0000	1.14
>+++ src/bn.c	22 Feb 2005 09:16:51 -0000
>@@ -170,9 +170,10 @@
>  */
> int 
> xmlSecBnFromString(xmlSecBnPtr bn, const xmlChar* str, xmlSecSize base) {
>-    xmlSecSize i, len;
>+    xmlSecSize i, len, size;
>     xmlSecByte ch;
>     xmlSecByte* data;
>+    int positive;
>     int nn;
>     int ret;
> 
>@@ -184,7 +185,7 @@
>     /* trivial case */
>     len = xmlStrlen(str);
>     if(len == 0) {
>-	return(0);
>+        return(0);
>     }
>     
>     /* The result size could not exceed the input string length
>@@ -192,60 +193,102 @@
>      * In truth, it would be likely less than 1/2 input string length
>      * because each byte is represented by 2 chars. If needed, 
>      * buffer size would be increased by Mul/Add functions.
>-     * Finally, we add one byte for 00 prefix if first byte is > 127.
>+     * Finally, we can add one byte for 00 or 10 prefix.
>      */
>     ret = xmlSecBufferSetMaxSize(bn, xmlSecBufferGetSize(bn) + len / 2 + 1 + 1);
>     if(ret < 0) {
>-	xmlSecError(XMLSEC_ERRORS_HERE,
>-		    NULL,
>-		    "xmlSecBnRevLookupTable",
>-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
>-		    "size=%d", len / 2 + 1);
>-	return (-1);
>+        xmlSecError(XMLSEC_ERRORS_HERE,
>+		        NULL,
>+		        "xmlSecBnRevLookupTable",
>+		        XMLSEC_ERRORS_R_XMLSEC_FAILED,
>+		        "size=%d", len / 2 + 1);
>+        return (-1);
>+    }
>+
>+    /* figure out if it is positive or negative number */
>+    positive = 1;
>+    i = 0;
>+    while(i < len) {
>+        ch = str[i++];
>+
>+        /* skip spaces */
>+        if(isspace(ch)) {
>+	        continue;
>+        } 
>+        
>+        /* check if it is + or - */
>+        if(ch == '+') {
>+            positive = 1;
>+            break;
>+        } else if(ch == '-') {
>+            positive = 0;
>+            break;
>+        }
>+
>+        /* otherwise, it must be start of the number */
>+        nn = xmlSecBnLookupTable[ch];
>+        if((nn >= 0) && ((xmlSecSize)nn < base)) {
>+            xmlSecAssert2(i > 0, -1);
>+
>+            /* no sign, positive by default */
>+            positive = 1;
>+            --i; /* make sure that we will look at this character in next loop */
>+            break;
>+        } else {
>+	        xmlSecError(XMLSEC_ERRORS_HERE,
>+		        NULL,
>+		        NULL,
>+		        XMLSEC_ERRORS_R_INVALID_DATA,
>+		        "char=%c;base=%d", 
>+		        ch, base);
>+    	        return (-1);
>+        }
>     }
> 
>-    for(i = 0; i < len; i++) {
>-	ch = str[i];
>-	if(isspace(ch)) {
>-	    continue;
>-	}
>+    /* now parse the number itself */
>+    while(i < len) {
>+        ch = str[i++];
>+        if(isspace(ch)) {
>+	        continue;
>+        }
> 
>-	xmlSecAssert2(ch <= sizeof(xmlSecBnLookupTable), -1);
>-	nn = xmlSecBnLookupTable[ch];
>-	if((nn < 0) || ((xmlSecSize)nn > base)) {
>-	    xmlSecError(XMLSEC_ERRORS_HERE,
>-			NULL,
>-			NULL,
>-			XMLSEC_ERRORS_R_INVALID_DATA,
>-			"char=%c;base=%d", 
>-			ch, base);
>-    	    return (-1);
>-	}
>-	
>-	ret = xmlSecBnMul(bn, base);
>-	if(ret < 0) {
>-	    xmlSecError(XMLSEC_ERRORS_HERE,
>-			NULL,
>-			"xmlSecBnMul",
>-			XMLSEC_ERRORS_R_XMLSEC_FAILED,
>-			"base=%d", base);
>-	    return (-1);
>-	}
>+        xmlSecAssert2(ch <= sizeof(xmlSecBnLookupTable), -1);
>+        nn = xmlSecBnLookupTable[ch];
>+        if((nn < 0) || ((xmlSecSize)nn > base)) {
>+	        xmlSecError(XMLSEC_ERRORS_HERE,
>+		        NULL,
>+		        NULL,
>+		        XMLSEC_ERRORS_R_INVALID_DATA,
>+		        "char=%c;base=%d", 
>+		        ch, base);
>+    	        return (-1);
>+        }
> 
>-	ret = xmlSecBnAdd(bn, nn);
>-	if(ret < 0) {
>-	    xmlSecError(XMLSEC_ERRORS_HERE,
>-			NULL,
>-			"xmlSecBnAdd",
>-			XMLSEC_ERRORS_R_XMLSEC_FAILED,
>-			"base=%d", base);
>-	    return (-1);
>-	}	
>+        ret = xmlSecBnMul(bn, base);
>+        if(ret < 0) {
>+	        xmlSecError(XMLSEC_ERRORS_HERE,
>+		        NULL,
>+		        "xmlSecBnMul",
>+		        XMLSEC_ERRORS_R_XMLSEC_FAILED,
>+		        "base=%d", base);
>+	        return (-1);
>+        }
>+
>+        ret = xmlSecBnAdd(bn, nn);
>+        if(ret < 0) {
>+	        xmlSecError(XMLSEC_ERRORS_HERE,
>+		        NULL,
>+		        "xmlSecBnAdd",
>+		        XMLSEC_ERRORS_R_XMLSEC_FAILED,
>+		        "base=%d", base);
>+	        return (-1);
>+}	
>     }
> 
>-    /* check whether need to add 00 prefix */
>+    /* check if we need to add 00 prefix */
>     data = xmlSecBufferGetData(bn);
>-    if(data[0] > 127) {
>+    size = xmlSecBufferGetSize(bn);
>+    if(size > 0 && data[0] > 127) {
>         ch = 0;
>         ret = xmlSecBufferPrepend(bn, &ch, 1);
>         if(ret < 0) {
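
Review bot: The range check kept in the digit loop, `if((nn < 0) || ((xmlSecSize)nn > base))`, still accepts a digit value equal to `base`, while the new sign-scanning loop above it uses the stricter `(xmlSecSize)nn < base`; change the digit loop to reject `nn >= base` so both loops agree. The sign-scanning loop also indexes `xmlSecBnLookupTable[ch]` without the `xmlSecAssert2` bounds check that the digit loop keeps, and that retained check compares with `ch <= sizeof(xmlSecBnLookupTable)` where `<` is the in-range condition.
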
>@@ -257,6 +300,26 @@
>             return (-1);
>         }
>     }
>+
>+    /* do 2's compliment and add 1 to represent negative value */
>+    if(positive == 0) {
>+        data = xmlSecBufferGetData(bn);
>+        size = xmlSecBufferGetSize(bn);
>+        for(i = 0; i < size; ++i) {
>+            data[i] ^= 0xFF;
>+        }
>+        
>+        ret = xmlSecBnAdd(bn, 1);
>+        if(ret < 0) {
>+            xmlSecError(XMLSEC_ERRORS_HERE,
>+                NULL,
>+                "xmlSecBnAdd",
>+                XMLSEC_ERRORS_R_XMLSEC_FAILED,
>+                "base=%d", base);
>+            return (-1);
>+        }
>+    }
>+
>     return(0);
> }
> 
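
Review bot: The negation block does not handle a sign with no digits after it: for an input of just "-" into an empty buffer, `size` is 0, the inversion loop does nothing, and `xmlSecBnAdd(bn, 1)` then prepends 0x01, so the string parses as 1 instead of being rejected. Return an error when the digit loop consumed no digits. Minor: the failure message for this `xmlSecBnAdd` call logs `base=%d`, which says nothing about the failing add, and "compliment" in the comment should read "complement".
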
>@@ -272,8 +335,12 @@
>  */
> xmlChar* 
> xmlSecBnToString(xmlSecBnPtr bn, xmlSecSize base) {
>+    xmlSecBn bn2;
>+    int positive = 1;
>     xmlChar* res;
>-    xmlSecSize i, len;
>+    xmlSecSize i, len, size;
>+    xmlSecByte* data;
>+    int ret;
>     int nn;
>     xmlChar ch;
> 
>@@ -281,35 +348,86 @@
>     xmlSecAssert2(base > 1, NULL);
>     xmlSecAssert2(base <= sizeof(xmlSecBnRevLookupTable), NULL);
> 
>+
>+    /* copy bn */
>+    data = xmlSecBufferGetData(bn);
>+    size = xmlSecBufferGetSize(bn);
>+    ret = xmlSecBnInitialize(&bn2, size);
>+    if(ret < 0) {
>+        xmlSecError(XMLSEC_ERRORS_HERE,
>+            NULL,
>+            "xmlSecBnCreate",
>+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
>+            "size=%d", size);
>+        return (NULL);
>+    }
>+    
>+    ret = xmlSecBnSetData(&bn2, data, size);
>+    if(ret < 0) {
>+        xmlSecError(XMLSEC_ERRORS_HERE,
>+            NULL,
>+            "xmlSecBnSetData",
>+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
>+            "size=%d", size);
>+        xmlSecBnFinalize(&bn2);
>+        return (NULL);
>+    }
>+
>+    /* check if it is a negative number or not */
>+    data = xmlSecBufferGetData(&bn2);
>+    size = xmlSecBufferGetSize(&bn2);
>+    if((size > 0) && (data[0] > 127)) {
>+        /* subtract 1 and do 2's compliment */
>+        ret = xmlSecBnAdd(&bn2, -1);
>+        if(ret < 0) {
>+            xmlSecError(XMLSEC_ERRORS_HERE,
>+                        NULL,
>+                        "xmlSecBnAdd",
>+                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
>+                        "size=%d", size);
>+            xmlSecBnFinalize(&bn2);
>+            return (NULL);
>+        }
>+        for(i = 0; i < size; ++i) {
>+            data[i] ^= 0xFF;
>+        }
>+
>+        positive = 0;
>+    } else {
>+        positive = 1;
>+    }
>+
>     /* Result string len is
>      *	    len = log base (256) * <bn size>
>      * Since the smallest base == 2 then we can get away with 
>      *	    len = 8 * <bn size>
>      */
>-    len = 8 * xmlSecBufferGetSize(bn) + 1;
>+    len = 8 * size + 1 + 1;
>     res = (xmlChar*)xmlMalloc(len + 1);
>     if(res == NULL) {
>-	xmlSecError(XMLSEC_ERRORS_HERE,
>-		    NULL,
>-		    NULL,
>-		    XMLSEC_ERRORS_R_MALLOC_FAILED,
>-		    "len=%d", len);
>-	return (NULL);
>+        xmlSecError(XMLSEC_ERRORS_HERE,
>+		            NULL,
>+		            NULL,
>+		            XMLSEC_ERRORS_R_MALLOC_FAILED,
>+		            "len=%d", len);
>+        xmlSecBnFinalize(&bn2);
>+        return (NULL);
>     }
>     memset(res, 0, len + 1);
> 
>-    for(i = 0; (xmlSecBufferGetSize(bn) > 0) && (i < len); i++) {
>-	if(xmlSecBnDiv(bn, base, &nn) < 0) {
>-	    xmlSecError(XMLSEC_ERRORS_HERE,
>-			NULL,
>-			"xmlSecBnDiv",
>-			XMLSEC_ERRORS_R_XMLSEC_FAILED,
>-			"base=%d", base);
>-	    xmlFree(res);
>-    	    return (NULL);
>-	}
>-	xmlSecAssert2((size_t)nn < sizeof(xmlSecBnRevLookupTable), NULL);
>-	res[i] = xmlSecBnRevLookupTable[nn];
>+    for(i = 0; (xmlSecBufferGetSize(&bn2) > 0) && (i < len); i++) {
>+        if(xmlSecBnDiv(&bn2, base, &nn) < 0) {
>+            xmlSecError(XMLSEC_ERRORS_HERE,
>+                        NULL,
>+                        "xmlSecBnDiv",
>+                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
>+                        "base=%d", base);
>+            xmlFree(res);
>+            xmlSecBnFinalize(&bn2);
>+            return (NULL);
>+        }
>+        xmlSecAssert2((size_t)nn < sizeof(xmlSecBnRevLookupTable), NULL);
>+        res[i] = xmlSecBnRevLookupTable[nn];
>     }
>     xmlSecAssert2(i < len, NULL);
> 
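
Review bot: The two `xmlSecAssert2(..., NULL)` exits at the end of this hunk (the `nn` range check inside the division loop and `xmlSecAssert2(i < len, NULL)` after it) return without `xmlFree(res)` and without `xmlSecBnFinalize(&bn2)`, so the copy introduced here leaks on those paths; replace them with explicit checks that clean up like the `xmlSecBnDiv` error branch does. The error label for the failed `xmlSecBnInitialize` call says "xmlSecBnCreate". Also worth stating in the function comment: any buffer whose first byte is above 127 is now printed as a negative number, so callers holding unsigned magnitudes must carry the 00 prefix.
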
>@@ -317,13 +435,20 @@
>     for(len = i; (len > 1) && (res[len - 1] == '0'); len--);
>     res[len] = '\0';
> 
>+    /* add "-" for negative numbers */
>+    if(positive == 0) {
>+        res[len] = '-';
>+        res[++len] = '\0';
>+    }
>+
>     /* swap the string because we wrote it in reverse order */
>     for(i = 0; i < len / 2; i++) {
>-	ch = res[i];
>-	res[i] = res[len - i - 1];
>-	res[len - i - 1] = ch;
>+        ch = res[i];
>+        res[i] = res[len - i - 1];
>+        res[len - i - 1] = ch;
>     }
> 
>+    xmlSecBnFinalize(&bn2);
>     return(res);
> }
> 
>@@ -408,7 +533,9 @@
>     }
> 
>     data = xmlSecBufferGetData(bn);
>-    for(over = 0, i = xmlSecBufferGetSize(bn); i > 0;) {
>+    i = xmlSecBufferGetSize(bn);
>+    over = 0; 
>+    while(i > 0) {
> 	xmlSecAssert2(data != NULL, -1);
> 
> 	over	= over + multiplier * data[--i];
>@@ -503,43 +630,57 @@
>  */
> int 
> xmlSecBnAdd(xmlSecBnPtr bn, int delta) {
>-    int over;
>+    int over, tmp;
>     xmlSecByte* data;
>     xmlSecSize i;
>     xmlSecByte ch;
>     int ret;
> 
>     xmlSecAssert2(bn != NULL, -1);
>-    xmlSecAssert2(delta >= 0, -1);
> 
>     if(delta == 0) {
>-	return(0);
>+    	return(0);
>     }
> 
>     data = xmlSecBufferGetData(bn);
>-    for(over = delta, i = xmlSecBufferGetSize(bn); i > 0;) {
>-	xmlSecAssert2(data != NULL, -1);
>+    if(delta > 0) {
>+        for(over = delta, i = xmlSecBufferGetSize(bn); (i > 0) && (over > 0) ;) {
>+	        xmlSecAssert2(data != NULL, -1);
> 	
>-	over   += data[--i];
>-	data[i]	= over % 256;
>-	over	= over / 256;
>-    }
>+            tmp     = data[--i];
>+        	over   += tmp;
>+	        data[i]	= over % 256;
>+	        over	= over / 256;
>+        }
>     
>-    while(over > 0) {
>-	ch	= over % 256;
>-	over	= over / 256;
>+        while(over > 0) {
>+	        ch	= over % 256;
>+	        over	= over / 256;
> 	
>-	ret = xmlSecBufferPrepend(bn, &ch, 1);
>-	if(ret < 0) {
>-	    xmlSecError(XMLSEC_ERRORS_HERE,
>-			NULL,
>-			"xmlSecBufferPrepend",
>-			XMLSEC_ERRORS_R_XMLSEC_FAILED,
>-			"size=1");
>-	    return (-1);
>-	}
>+        	ret = xmlSecBufferPrepend(bn, &ch, 1);
>+	        if(ret < 0) {
>+	            xmlSecError(XMLSEC_ERRORS_HERE,
>+			        NULL,
>+			        "xmlSecBufferPrepend",
>+			        XMLSEC_ERRORS_R_XMLSEC_FAILED,
>+			        "size=1");
>+	            return (-1);
>+	        }
>+        }
>+    } else {
>+        for(over = -delta, i = xmlSecBufferGetSize(bn); (i > 0) && (over > 0);) {
>+	        xmlSecAssert2(data != NULL, -1);
>+	
>+            tmp     = data[--i];
>+            if(tmp < over) {
>+                data[i]	= 0;
>+                over = (over - tmp) / 256;
>+            } else {
>+                data[i] = tmp - over;
>+                over = 0;
>+            }
>+        }
>     }
>-    
>     return(0);
> }
> 
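
Review bot: The new negative-delta branch does not borrow correctly: when `tmp < over` it stores 0 and sets `over = (over - tmp) / 256`, so subtracting 1 from the bytes FF 00 leaves FF 00 instead of producing FE FF. That is exactly the path `xmlSecBnToString` takes for -256, which would then print as -255. Store `tmp - over` modulo 256 in the byte and carry a borrow of 1 into the next more significant byte, and return an error if a borrow is still pending after the most significant byte rather than dropping it silently.
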
>Index: src/mscrypto/crypto.c
>===================================================================
>RCS file: /cvs/gnome/xmlsec/src/mscrypto/crypto.c,v
>retrieving revision 1.5
>diff -u -r1.5 crypto.c
>--- src/mscrypto/crypto.c	12 Nov 2003 02:38:51 -0000	1.5
>+++ src/mscrypto/crypto.c	22 Feb 2005 09:16:51 -0000
>@@ -330,13 +330,15 @@
> BYTE* 
> xmlSecMSCryptoCertStrToName(DWORD dwCertEncodingType, LPCTSTR pszX500, DWORD dwStrType, DWORD* len) {
>     BYTE* str = NULL; 
>-    
>+    LPCTSTR ppszError = NULL;
>+
>     xmlSecAssert2(pszX500 != NULL, NULL);
>     xmlSecAssert2(len != NULL, NULL);
> 
>     if (!CertStrToName(dwCertEncodingType, pszX500, dwStrType, 
>-			NULL, NULL, len, NULL)) {
>+			NULL, NULL, len, &ppszError)) {
> 	/* this might not be an error, string might just not exist */
>+                DWORD dw = GetLastError();
> 	return(NULL);
>     }
> 	
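
Review bot: `ppszError` and `DWORD dw = GetLastError();` are assigned but never read, so they look like leftover debugging. Either pass them to `xmlSecError` so a malformed X.500 string can be told apart from the "string might just not exist" case named in the comment, or drop both additions.
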
>Index: src/mscrypto/x509.c
>===================================================================
>RCS file: /cvs/gnome/xmlsec/src/mscrypto/x509.c,v
>retrieving revision 1.2
>diff -u -r1.2 x509.c
>--- src/mscrypto/x509.c	26 Sep 2003 00:58:13 -0000	1.2
>+++ src/mscrypto/x509.c	22 Feb 2005 09:16:52 -0000
>@@ -1882,7 +1882,7 @@
>     xmlSecAssert2(nm->pbData != NULL, NULL);
>     xmlSecAssert2(nm->cbData > 0, NULL);
> 
>-    csz = CertNameToStr(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, nm, CERT_X500_NAME_STR, NULL, 0);
>+    csz = CertNameToStr(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, nm, CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG, NULL, 0);
>     str = (char *)xmlMalloc(csz);
>     if (NULL == str) {
> 	xmlSecError(XMLSEC_ERRORS_HERE,
>@@ -1893,7 +1893,7 @@
> 	return (NULL);
>     }
> 
>-    csz = CertNameToStr(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, nm, CERT_X500_NAME_STR, str, csz);
>+    csz = CertNameToStr(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, nm, CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG, str, csz);
>     if (csz < 1) {
> 	xmlSecError(XMLSEC_ERRORS_HERE,
> 		    NULL,
>@@ -1904,17 +1904,37 @@
> 	return(NULL);
>     }
> 
>-    res = xmlStrdup(BAD_CAST str);
>-    if(res == NULL) {
>-	xmlSecError(XMLSEC_ERRORS_HERE,
>-		    NULL,
>-		    "xmlStrdup",
>-		    XMLSEC_ERRORS_R_MALLOC_FAILED,
>-		    XMLSEC_ERRORS_NO_MESSAGE);
>-	xmlFree(str);
>-	return(NULL);
>-    }
>+    /* aleksey: this is a hack, but mscrypto can not read E= flag and wants Email= instead.
>+     * don't ask me how is it possible not to read something you wrote yourself but also
>+     * see comment in the xmlSecMSCryptoX509FindCert function. 
>+     */
>+    if(strncmp(str, "E=", 2) == 0) {
>+        res = xmlMalloc(strlen(str) + 13 + 1);
>+        if(res == NULL) {
>+            xmlSecError(XMLSEC_ERRORS_HERE,
>+		            NULL,
>+		            "xmlMalloc",
>+		            XMLSEC_ERRORS_R_MALLOC_FAILED,
>+		            "size=%d",
>+                    strlen(str) + 13 + 1);
>+            xmlFree(str);
>+            return(NULL);
>+        }
> 
>+        memcpy(res, "emailAddress=", 13);
>+        strcpy(res + 13, BAD_CAST (str + 2)); 
>+    } else {
>+        res = xmlStrdup(BAD_CAST str);
>+        if(res == NULL) {
>+            xmlSecError(XMLSEC_ERRORS_HERE,
>+		            NULL,
>+		            "xmlStrdup",
>+		            XMLSEC_ERRORS_R_MALLOC_FAILED,
>+		            XMLSEC_ERRORS_NO_MESSAGE);
>+            xmlFree(str);
>+            return(NULL);
>+        }
>+    }
>     xmlFree(str);
>     return(res);
> }
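
Review bot: The rewrite only fires when the whole name starts with "E=" (`strncmp(str, "E=", 2) == 0`), so an E= attribute that is not the first component is returned unchanged and the read-back problem described in the comment remains for such names. Handle the attribute wherever it occurs, or document that the hack relies on `CERT_NAME_STR_REVERSE_FLAG` putting the e-mail first. Smaller points: `"size=%d"` is given a `size_t` expression, and `strcpy(res + 13, BAD_CAST (str + 2))` casts the source to `xmlChar*` while `strcpy` takes `char*` for both arguments.
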
>Index: src/mscrypto/x509vfy.c
>===================================================================
>RCS file: /cvs/gnome/xmlsec/src/mscrypto/x509vfy.c,v
>retrieving revision 1.3
>diff -u -r1.3 x509vfy.c
>--- src/mscrypto/x509vfy.c	27 Sep 2003 03:12:22 -0000	1.3
>+++ src/mscrypto/x509vfy.c	22 Feb 2005 09:16:52 -0000
>@@ -567,10 +567,41 @@
> 
>     if((pCert == NULL) && (NULL != issuerName) && (NULL != issuerSerial)) {
> 	xmlSecBn issuerSerialBn;	
>+    xmlChar * p;
> 	CERT_NAME_BLOB cnb;
>+    CRYPT_INTEGER_BLOB cib;
>         BYTE *cName = NULL; 
> 	DWORD cNameLen = 0;	
>+    
>+    /* aleksey: for some unknown to me reasons, mscrypto wants Email
>+     * instead of emailAddress. This code is not bullet proof and may 
>+     * produce incorrect results if someone has "emailAddress=" string
>+     * in one of the fields, but it is best I can suggest to fix this problem.
>+     * Also see xmlSecMSCryptoX509NameWrite function.
>+     */
>+    while( (p = (xmlChar*)xmlStrstr(issuerName, BAD_CAST "emailAddress=")) != NULL) {
>+        memcpy(p, "       Email=", 13);
>+    }
> 
>+
>+
>+    /* get issuer name */
>+	cName = xmlSecMSCryptoCertStrToName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
>+					   issuerName,
>+					   CERT_NAME_STR_ENABLE_UTF8_UNICODE_FLAG | CERT_OID_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
>+					   &cNameLen);
>+	if(cName == NULL) {
>+	    xmlSecError(XMLSEC_ERRORS_HERE,
>+			NULL,
>+			"xmlSecMSCryptoCertStrToName",
>+			XMLSEC_ERRORS_R_XMLSEC_FAILED,
>+			XMLSEC_ERRORS_NO_MESSAGE);
>+	    return (NULL);
>+	}
>+	cnb.pbData = cName;
>+	cnb.cbData = cNameLen;
>+
>+    /* get serial number */
> 	ret = xmlSecBnInitialize(&issuerSerialBn, 0);
> 	if(ret < 0) {
> 	    xmlSecError(XMLSEC_ERRORS_HERE,
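
Review bot: The `memcpy(p, "       Email=", 13)` loop overwrites `issuerName` in place through the cast on the `xmlStrstr` result, so the caller's string is left altered (with seven leading spaces in each rewritten attribute) after the lookup returns. Do the substitution on a private copy, for example from `xmlStrdup`, pass that to `xmlSecMSCryptoCertStrToName`, and free it on every exit path.
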
>@@ -578,6 +609,7 @@
> 			"xmlSecBnInitialize",
> 			XMLSEC_ERRORS_R_XMLSEC_FAILED,
> 			XMLSEC_ERRORS_NO_MESSAGE);
>+    	xmlFree(cName);
> 	    return(NULL);
> 	}
> 
>@@ -589,26 +621,30 @@
> 			XMLSEC_ERRORS_R_XMLSEC_FAILED,
> 			XMLSEC_ERRORS_NO_MESSAGE);
> 	    xmlSecBnFinalize(&issuerSerialBn);
>-	    return(NULL);
>+		xmlFree(cName);
>+        return(NULL);
> 	}
> 
>-	cName = xmlSecMSCryptoCertStrToName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
>-					   issuerName,
>-					   CERT_OID_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
>-					   &cNameLen);
>-	if(cName == NULL) {
>+	/* I have no clue why at a sudden a swap is needed to 
>+     * convert from lsb... This code is purely based upon 
>+	 * trial and error :( WK
>+	 */
>+    ret = xmlSecBnReverse(&issuerSerialBn);
>+	if(ret < 0) {
> 	    xmlSecError(XMLSEC_ERRORS_HERE,
> 			NULL,
>-			"xmlSecMSCryptoCertStrToName",
>+			"xmlSecBnReverse",
> 			XMLSEC_ERRORS_R_XMLSEC_FAILED,
> 			XMLSEC_ERRORS_NO_MESSAGE);
> 	    xmlSecBnFinalize(&issuerSerialBn);
>-	    return (NULL);
>+		xmlFree(cName);
>+        return(NULL);
> 	}
> 
>-	cnb.pbData = cName;
>-	cnb.cbData = cNameLen;
>-	while((pCert = CertFindCertificateInStore(store, 
>+    cib.pbData = xmlSecBufferGetData(&issuerSerialBn);
>+    cib.cbData = xmlSecBufferGetSize(&issuerSerialBn);
>+
>+    while((pCert = CertFindCertificateInStore(store, 
> 						  PKCS_7_ASN_ENCODING | X509_ASN_ENCODING,
> 						  0,
> 						  CERT_FIND_ISSUER_NAME,
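
Review bot: The comment above `xmlSecBnReverse` ("I have no clue why ... purely based upon trial and error") should be replaced with the actual reason now that the call is load-bearing for `cib`: a `CRYPT_INTEGER_BLOB` holds the integer least significant byte first, while the xmlSecBn buffer built by `xmlSecBnFromString` is most significant byte first. Documenting that also makes it clear the reversed buffer is what `cib.pbData` must point at.
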
>@@ -622,10 +658,9 @@
> 	    if((pCert->pCertInfo != NULL) && 
> 	       (pCert->pCertInfo->SerialNumber.pbData != NULL) && 
> 	       (pCert->pCertInfo->SerialNumber.cbData > 0) && 
>-	       (0 == xmlSecBnCompareReverse(&issuerSerialBn, pCert->pCertInfo->SerialNumber.pbData, 
>-				     pCert->pCertInfo->SerialNumber.cbData))) {
>-		
>-		break;
>+           (CertCompareIntegerBlob(&(pCert->pCertInfo->SerialNumber), &cib) == TRUE)
>+           ) {		
>+		    break;
> 	    }
> 	}
> 	xmlFree(cName);
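
Review bot: `CertCompareIntegerBlob(...) == TRUE` compares a BOOL against one specific nonzero value; test the result for nonzero directly (drop the `== TRUE`) so the condition holds for any true return. The closing `)` on its own line can then fold back into the condition.
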
>Index: tests/testDSig.sh
>===================================================================
>RCS file: /cvs/gnome/xmlsec/tests/testDSig.sh,v
>retrieving revision 1.35
>diff -u -r1.35 testDSig.sh
>--- tests/testDSig.sh	17 Mar 2004 05:06:48 -0000	1.35
>+++ tests/testDSig.sh	22 Feb 2005 09:16:53 -0000
>@@ -1,8 +1,15 @@
> #!/bin/sh 
> 
>+OS_ARCH=`uname -o`
>+
>+if [ "z$OS_ARCH" = "zCygwin" ] ; then
>+	topfolder=`cygpath -wa $2`
>+	xmlsec_app=`cygpath -a $3`
>+else
>+	topfolder=$2
>+	xmlsec_app=$3
>+fi
> crypto=$1
>-topfolder=$2
>-xmlsec_app=$3
> file_format=$4
> 
> pub_key_format=$file_format
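
Review bot: `$2` and `$3` are passed unquoted to `cygpath` inside the backticks, so a source or build path containing spaces (common on Windows) is split into several arguments; quote them as "$2" and "$3". `uname -o` is also not a POSIX option, so on platforms whose `uname` lacks it the script prints an error on every run before falling through to the else branch; `uname -s` with a pattern match on CYGWIN, or redirecting stderr, avoids that.
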
>@@ -13,10 +20,15 @@
> if [ "z$TMPFOLDER" = "z" ] ; then
>     TMPFOLDER=/tmp
> fi
>-
> timestamp=`date +%Y%m%d_%H%M%S` 
>-tmpfile=$TMPFOLDER/testDSig.$timestamp-$$.tmp
>-logfile=$TMPFOLDER/testDSig.$timestamp-$$.log
>+if [ "z$OS_ARCH" = "zCygwin" ] ; then
>+	tmpfile=`cygpath -wa $TMPFOLDER/testDSig.$timestamp-$$.tmp`
>+	logfile=`cygpath -wa $TMPFOLDER/testDSig.$timestamp-$$.log`
>+else
>+	tmpfile=$TMPFOLDER/testDSig.$timestamp-$$.tmp
>+	logfile=$TMPFOLDER/testDSig.$timestamp-$$.log
>+fi
>+
> script="$0"
> 
> # prepate crypto config folder
>@@ -104,7 +116,6 @@
> echo "--- testDSig started for xmlsec-$crypto library ($timestamp)" >> $logfile
> echo "--- LD_LIBRARY_PATH=$LD_LIBRARY_PATH" >> $logfile
> 
>-
> execDSigTest "" "merlin-xmldsig-twenty-three/signature-enveloped-dsa" \
>     " " \
>     "$priv_key_option $topfolder/keys/dsakey.$priv_key_format --pwd secret" \
>@@ -238,6 +249,11 @@
>     "$priv_key_option tests/keys/rsakey.$priv_key_format --pwd secret" \
>     "--trusted-$cert_format $topfolder/keys/cacert.$cert_format"
> 
>+execDSigTest "" "aleksey-xmldsig-01/x509data-sn-test" \
>+    "--trusted-$cert_format $topfolder/keys/cacert.$cert_format --untrusted-$cert_format $topfolder/keys/ca2cert.$cert_format  --untrusted-$cert_format $topfolder/keys/rsa2cert.$cert_format --enabled-key-data x509" \
>+    "$priv_key_option tests/keys/rsa2key.$priv_key_format --pwd secret" \
>+    "--trusted-$cert_format $topfolder/keys/cacert.$cert_format --untrusted-$cert_format $topfolder/keys/ca2cert.$cert_format  --untrusted-$cert_format $topfolder/keys/rsa2cert.$cert_format --enabled-key-data x509"
>+
> execDSigTest "" "merlin-exc-c14n-one/exc-signature" \
>     ""
>     
>@@ -249,6 +265,7 @@
> 
> execDSigTest "" "merlin-xpath-filter2-three/sign-spec" \
>     ""
>+
> execDSigTest "phaos-xmldsig-three" "signature-big" \
>     "--pubkey-cert-$cert_format certs/rsa-cert.$cert_format" 
> 
>Index: tests/aleksey-xmldsig-01/x509data-sn-test.tmpl
>===================================================================
>RCS file: tests/aleksey-xmldsig-01/x509data-sn-test.tmpl
>diff -N tests/aleksey-xmldsig-01/x509data-sn-test.tmpl
>--- /dev/null	1 Jan 1970 00:00:00 -0000
>+++ tests/aleksey-xmldsig-01/x509data-sn-test.tmpl	22 Feb 2005 09:16:53 -0000
>@@ -0,0 +1,27 @@
>+<?xml version="1.0" encoding="UTF-8"?>
>+<Document>
>+  <ToBeSigned>
>+    Some very secret data
>+  </ToBeSigned>
>+  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>+    <SignedInfo>
>+      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
>+      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>+      <Reference URI="">
>+        <Transforms>
>+          <Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
>+            <XPath xmlns="http://www.w3.org/2002/06/xmldsig-filter2" Filter="intersect"> //ToBeSigned </XPath>
>+          </Transform>
>+        </Transforms>
>+        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>+        <DigestValue/>
>+      </Reference>
>+    </SignedInfo>
>+    <SignatureValue/>
>+    <KeyInfo>
>+      <X509Data>
>+        <X509IssuerSerial/>
>+      </X509Data>
>+    </KeyInfo>
>+  </Signature>
>+</Document>
>Index: tests/aleksey-xmldsig-01/x509data-sn-test.xml
>===================================================================
>RCS file: tests/aleksey-xmldsig-01/x509data-sn-test.xml
>diff -N tests/aleksey-xmldsig-01/x509data-sn-test.xml
>--- /dev/null	1 Jan 1970 00:00:00 -0000
>+++ tests/aleksey-xmldsig-01/x509data-sn-test.xml	22 Feb 2005 09:16:53 -0000
>@@ -0,0 +1,33 @@
>+<?xml version="1.0" encoding="UTF-8"?>
>+<Document>
>+  <ToBeSigned>
>+    Some very secret data
>+  </ToBeSigned>
>+  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>+    <SignedInfo>
>+      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>+      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>+      <Reference URI="">
>+        <Transforms>
>+          <Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
>+            <XPath xmlns="http://www.w3.org/2002/06/xmldsig-filter2" Filter="intersect"> //ToBeSigned </XPath>
>+          </Transform>
>+        </Transforms>
>+        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>+        <DigestValue>3om1gINPzaogcdLuDdjIQlls4NE=</DigestValue>
>+      </Reference>
>+    </SignedInfo>
>+    <SignatureValue>pcsM3Uz0+85OJTV28sg+mQ5khOCxeToam9ojj5F7D5IVXoQAnCNDuyDbKLsn0UKv
>+I06RXzlb4MXb88fBJaFd4ygfpy3Ude8n6erjwxtwU6tPiesHyJB64GSD9yeSGDZt
>+UnD0EYB9ammZxoqVUlZR5FiqG/vTUtjHN+Fo6DTuY+g=</SignatureValue>
>+    <KeyInfo>
>+      <X509Data>
>+        
>+      <X509IssuerSerial>
>+<X509IssuerName>emailAddress=xmlsec at aleksey.com,CN=Aleksey Sanin,OU=Second Level Certificate,O=XML Security Library (http://www.aleksey.com/xmlsec),ST=California,C=US</X509IssuerName>
>+<X509SerialNumber>-1</X509SerialNumber>
>+</X509IssuerSerial>
>+</X509Data>
>+    </KeyInfo>
>+  </Signature>
>+</Document>
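
Review bot: The only negative serial exercised by this test is `<X509SerialNumber>-1</X509SerialNumber>`, which is a single byte and never reaches the multi-byte borrow and prefix handling added in `xmlSecBnAdd`, `xmlSecBnFromString` and `xmlSecBnToString`. Add a case with a multi-byte negative serial whose low byte is zero (for example -256) and one at a sign boundary (for example -128) so the string round trip is covered.
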
>Index: tests/keys/README
>===================================================================
>RCS file: /cvs/gnome/xmlsec/tests/keys/README,v
>retrieving revision 1.6
>diff -u -r1.6 README
>--- tests/keys/README	30 Jul 2003 02:47:22 -0000	1.6
>+++ tests/keys/README	22 Feb 2005 09:16:53 -0000
>@@ -17,6 +17,8 @@
>  hmackey.bin	HMAC key ('secret')
>  expired.key	key for expired cert 
>  expired.crt	expired certificate 
>+ rsa2key.pem	RSA private key
>+ rsa2cert.pem 	Self signed RSA certificate with negative serial number
> 
> 2. How certificates were generated:
> 
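
Review bot: The new entry describes `rsa2cert.pem` as a "Self signed RSA certificate", but the test added in this patch names an issuer with OU=Second Level Certificate for it and passes `ca2cert` as an untrusted chain certificate, so the description should say it is signed by the second level CA. Section 2 ("How certificates were generated") also gets no entry for how a certificate with a negative serial number was produced, which is the one step a maintainer could not reconstruct from the rest of the README.
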
>@@ -66,6 +68,9 @@
>    
>   Convert PEM cert file to DER file
>     > openssl x509 -outform DER -in ca2cert.pem -out ca2cert.der 
>+
>+  Convert DER cert file to PEM file
>+   > openssl x509 -inform DER -outform PEM -in ca2cert.der -out ca2cert.pem
> 
> 4. Converting an unencrypted PEM or DER file containing a private key
>    to an encrypted PEM or DER file containing the same private key but
>Index: tests/keys/rsa2cert.der
>===================================================================
>RCS file: tests/keys/rsa2cert.der
>diff -N tests/keys/rsa2cert.der
>Binary files /dev/null and rsa2cert.der differ
>Index: tests/keys/rsa2cert.pem
>===================================================================
>RCS file: tests/keys/rsa2cert.pem
>diff -N tests/keys/rsa2cert.pem
>--- /dev/null	1 Jan 1970 00:00:00 -0000
>+++ tests/keys/rsa2cert.pem	22 Feb 2005 09:16:53 -0000
>@@ -0,0 +1,17 @@
>+-----BEGIN CERTIFICATE-----
>+MIICujCCAmQCAf8wDQYJKoZIhvcNAQEEBQAwgb8xCzAJBgNVBAYTAlVTMRMwEQYD
>+VQQIEwpDYWxpZm9ybmlhMT0wOwYDVQQKEzRYTUwgU2VjdXJpdHkgTGlicmFyeSAo
>+aHR0cDovL3d3dy5hbGVrc2V5LmNvbS94bWxzZWMpMSEwHwYDVQQLExhTZWNvbmQg
>+TGV2ZWwgQ2VydGlmaWNhdGUxFjAUBgNVBAMTDUFsZWtzZXkgU2FuaW4xITAfBgkq
>+hkiG9w0BCQEWEnhtbHNlY0BhbGVrc2V5LmNvbTAeFw0wNTAyMjIwODAxNDJaFw0x
>+NTAyMjAwODAxNDJaMIHLMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
>+YTESMBAGA1UEBxMJU3Vubnl2YWxlMT0wOwYDVQQKEzRYTUwgU2VjdXJpdHkgTGli
>+cmFyeSAoaHR0cDovL3d3dy5hbGVrc2V5LmNvbS94bWxzZWMpMTwwOgYDVQQLEzNU
>+aGlyZCBsZXZlbCBjZXJ0aWZpY2F0ZSB3aXRoIG5lZ2F0aXZlIHNlcmlhbCBudW1i
>+ZXIxFjAUBgNVBAMTDUFsZWtzZXkgU2FuaW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
>+MIGJAoGBAONHVDP5sBVclV0pClZYjcB6Os70uGmKZzAFgq8+lUZmu9utk78ZCK0A
>+NtvxjQ/C+/17plevhXFGeWgjGGbEq6OpEkAjDyXX+j5ZMI6b6zYwVEo0+Eh15Sbb
>+LIYat1m4kR5A7/gIhsVKT8GfWAYzamPYrPmsa9JVDKEqsh9PPaz7AgMBAAEwDQYJ
>+KoZIhvcNAQEEBQADQQAOTj9O30MjCt8darphiTDSYaLof5IvJiDfu38UnSukH/Ut
>+t5C7EU+1X5/uKacfYnHs/0UQYbmq5Zsm4Zky+ht9
>+-----END CERTIFICATE-----
>Index: tests/keys/rsa2key.der
>===================================================================
>RCS file: tests/keys/rsa2key.der
>diff -N tests/keys/rsa2key.der
>Binary files /dev/null and rsa2key.der differ
>Index: tests/keys/rsa2key.p12
>===================================================================
>RCS file: tests/keys/rsa2key.p12
>diff -N tests/keys/rsa2key.p12
>Binary files /dev/null and rsa2key.p12 differ
>Index: tests/keys/rsa2key.pem
>===================================================================
>RCS file: tests/keys/rsa2key.pem
>diff -N tests/keys/rsa2key.pem
>--- /dev/null	1 Jan 1970 00:00:00 -0000
>+++ tests/keys/rsa2key.pem	22 Feb 2005 09:16:53 -0000
>@@ -0,0 +1,18 @@
>+-----BEGIN RSA PRIVATE KEY-----
>+Proc-Type: 4,ENCRYPTED
>+DEK-Info: DES-EDE3-CBC,4500DDD8194CE192
>+
>+E1FQxiq6hX9GbvWm2HyzvfgDvFXFLjruys4cL6gCXLl7kNPBEUsi3geICO3bFVsk
>+XTI/JYZQosR3mhglydDQU/JJ0JXid6T9wxdRxokr8K2O2KGFjN2n95RZ2gkDyYfd
>+4/4OmGymm1g8VFUqeJuR6x2Lwh9ML2k2R8dqJqLhuoLlfp14fqlMRvzni53aTDSU
>+xxLYQ0SphGpE2gdEbowZDKLx8v+w7tZvTES/4jZQL3rosPJgcSy4Hif9pSHYDK91
>+e3N8rz/lyrQ1sb0z808GXVrK2h8nrJiuBAcS3S4smvKbV3fl0nu2um/ZFZPqAjiQ
>+4rNa77a+uA0FmRHrtb4zL6aRwoybkaO7TwwKhCjDtM1OdCia5+sINXBdswtBwvGf
>+lURgIBiORsdDNjmk4TYb3g9V3cAccnWzA80GqefiokzFteATl02c2aN+AsV2BCxv
>+fBCV/mX/+ygzctK0W/auaVl/qN0kezbkrZiCr7FB/Im2IRsVJ+NZoe7BW5/LiC+F
>+5mn6ExkuLwQ6o7OZpUkjQunFFE+hwiCvObSv3dhTBRn3iQg/0i7Ufb8FcQfF7Mfy
>+4oK1yZqvnHoH8BbeTuGYY/PRFIdXwM+mEJy1Sk8pBcGwMNlJf6UdTCvRoQ1SB+a0
>+EpMP1/AgZ2F4MVOuZLYOp7OOLTaB9Yu92Gtm9g0YbMg6OKkkoW5SVuk+Kvo8tv/3
>+ITY8bLfSn2T0MRRwds71uW9vo4IhN/IT6Js+xEteY4kaufXtcSIZ+h6XrmjuoxZR
>+voBxkA4KgGUKKU1aemeHUCxzdqYlhrLvlXcjxvPmCjKdFjc9PX1/Ag==
>+-----END RSA PRIVATE KEY-----
>Index: win32/Makefile.msvc
>===================================================================
>RCS file: /cvs/gnome/xmlsec/win32/Makefile.msvc,v
>retrieving revision 1.27
>diff -u -r1.27 Makefile.msvc
>--- win32/Makefile.msvc	9 Jun 2004 14:35:12 -0000	1.27
>+++ win32/Makefile.msvc	22 Feb 2005 09:16:54 -0000
>@@ -456,21 +456,21 @@
> check-keys : $(BINDIR)\$(APP_NAME)
> 	cd ..
> 	if not exist win32\tmp mkdir win32\tmp
>-	set TMPFOLDER=win32\tmp
>+	set TMPFOLDER=win32/tmp
> 	sh ./tests/testKeys.sh default ./tests win32/$(BINDIR)/$(APP_NAME) der
> 	cd win32
> 
> check-dsig : $(BINDIR)\$(APP_NAME)	
> 	cd ..
> 	if not exist win32\tmp mkdir win32\tmp
>-	set TMPFOLDER=win32\tmp
>+	set TMPFOLDER=win32/tmp
> 	sh ./tests/testDSig.sh default ./tests win32/$(BINDIR)/$(APP_NAME) der
> 	cd win32
> 
> check-enc : $(BINDIR)\$(APP_NAME)
> 	cd ..
> 	if not exist win32\tmp mkdir win32\tmp
>-	set TMPFOLDER=win32\tmp
>+	set TMPFOLDER=win32/tmp
> 	sh ./tests/testEnc.sh default ./tests win32/$(BINDIR)/$(APP_NAME) der
> 	cd win32
> 
>  
>
>------------------------------------------------------------------------
>
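
The conversion this thread is about, as an added stand-alone example that is not xmlsec code and not part of the posted patch: a decimal serial string with an optional sign is turned into minimal big-endian two's-complement bytes without passing through a machine integer, which is what an atoi()-style conversion cannot do for large serials. The function names and the sample serials are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Multiply the big-endian magnitude buf[0..*n) by 10 and add digit d.
 * Grows the number at the front when a carry is left over.
 * Returns 0 on success, -1 if the result does not fit in cap bytes. */
static int mul10_add(unsigned char *buf, size_t *n, size_t cap, unsigned d) {
    unsigned carry = d;
    size_t i = *n;
    while (i > 0) {
        unsigned v = buf[--i] * 10u + carry;
        buf[i] = (unsigned char)(v & 0xFFu);
        carry = v >> 8;
    }
    if (carry != 0) {
        if (*n >= cap) return -1;
        memmove(buf + 1, buf, *n);
        buf[0] = (unsigned char)carry;
        ++*n;
    }
    return 0;
}

/* Parse "[ws][+|-]digits[ws]" into minimal big-endian two's complement.
 * Returns the number of bytes written to out, or -1 on bad input or overflow. */
int serial_to_twos_complement(const char *str, unsigned char *out, size_t cap) {
    const unsigned char *p = (const unsigned char *)str;
    size_t n = 0, i;
    int negative = 0, digits = 0;

    if (str == NULL || out == NULL || cap == 0) return -1;
    while (isspace(*p)) ++p;
    if (*p == '+' || *p == '-') negative = (*p++ == '-');
    for (; isdigit(*p); ++p, ++digits) {
        if (mul10_add(out, &n, cap, (unsigned)(*p - '0')) < 0) return -1;
    }
    while (isspace(*p)) ++p;
    if (digits == 0 || *p != '\0') return -1;  /* rejects "-", "" and "12a" */

    if (n == 0) {                /* zero, including "-0" */
        out[0] = 0x00;
        return 1;
    }
    if (out[0] & 0x80) {         /* keep the sign bit clear for the magnitude */
        if (n >= cap) return -1;
        memmove(out + 1, out, n);
        out[0] = 0x00;
        ++n;
    }
    if (negative) {
        unsigned carry = 1;      /* invert every byte, then add one with carry */
        for (i = n; i > 0;) {
            unsigned v = (unsigned)(out[--i] ^ 0xFF) + carry;
            out[i] = (unsigned char)(v & 0xFFu);
            carry = v >> 8;
        }
        /* a leading FF is redundant when the next byte already has the sign bit */
        if (n > 1 && out[0] == 0xFF && (out[1] & 0x80)) {
            --n;
            memmove(out, out + 1, n);
        }
    }
    return (int)n;
}

/* Demo helper: 1 if str encodes to exactly the bytes given as upper-case hex. */
int encodes_to(const char *str, const char *expected_hex) {
    unsigned char buf[64];
    char hex[2 * sizeof(buf) + 1] = "";
    int i, n = serial_to_twos_complement(str, buf, sizeof(buf));
    if (n < 0) return 0;
    for (i = 0; i < n; ++i) sprintf(hex + 2 * i, "%02X", buf[i]);
    return strcmp(hex, expected_hex) == 0;
}

int main(void) {
    /* constructed sample serials; the last one is 2^80 */
    const char *samples[] = { "-1", "-128", "-256", "255",
                              "1208925819614629174706176" };
    unsigned char buf[64];
    size_t s;
    int i, n;
    for (s = 0; s < sizeof(samples) / sizeof(samples[0]); ++s) {
        n = serial_to_twos_complement(samples[s], buf, sizeof(buf));
        printf("%-28s ->", samples[s]);
        for (i = 0; i < n; ++i) printf(" %02X", buf[i]);
        printf("\n");
    }
    return 0;
}
```
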