[xmlsec] RE: FW: X509SerialNumber
Wes Thomas
wes at encomia.com
Wed Aug 25 09:56:23 PDT 2004
Yes, we're relying on the fact that openssl is correct. And we're also using
openssl as the crypto for this signing code.
When doing the DWORD swap, we also arrive at 156956...
Unfortunately, close isn't what we need :-)
The target number (16863389628646640081019990102011455077) is what openssl
gave XMLSec, for the certificate we're using. That's how we got that number.
We just can't seem to duplicate that number. We can with the small one (one
DWORD) but not in the larger.
We're going through openssl source to see if we can figure out exactly
they're doing :-) any other ideas?
-----Original Message-----
From: Aleksey Sanin [mailto:aleksey at aleksey.com]
Sent: Wednesday, August 25, 2004 11:17 AM
To: Wes Thomas; xmlsec at aleksey.com
Subject: Re: FW: X509SerialNumber
Mailing list is the right place but you need to be subscribed to the list :)
If you are using xmlsec-openssl then I would probably trust xmlsec output
because it gets the number directly from openssl.
On the other hand, if you use the xmlsec-mscrypto then it can easily be a
bug in xmlsec-mscrypto code that produces the number. If you have the
certificate, I would recommend to use openssl to print it out and look at
the number.
Anyway, the first certificate number has only one DWORD and the second
certificate has multiple DWORDs. One of possible options is that when you
calculate the number you need to revert bytes in DWORDs but keep DWORDs
order:
1F 14 11 14 8A 53 F2 B6 49 F4 F8 4D A3 A8 14 76
which is equal to ~1.5695617 × 10^38 frome google's point of view.
This results seems closer to the number reported by xmlsec. However, it is a
pure speculation because I have no idea how you got this number in the first
place :)
Aleksey
Wes Thomas wrote:
> I originally sent this to the list serv by accident... Wasn't sure if
> that's the right place to submit questions, so I'm forwarding this to you.
> Thanks!
>
> -----Original Message-----
> From: Wes Thomas [mailto:wes at encomia.com]
> Sent: Tuesday, August 24, 2004 4:15 PM
> To: 'xmlsec at aleksey.com'
> Cc: 'ilya at encomia.com'
> Subject: X509SerialNumber
>
> Hey Aleksey!
>
> Got a question..
> Using XMLSec 1.2.4
> Windows 2000 etc.
>
> I'm trying to arrive at the correct integer value for X509SerialNumber
> node in the X509IssuerSerial element.
>
> We've made a little calculator to test and see if our formula is correct.
>
> With one certificate I get a serial value of 0D 22 75 91 in hex and
> our calc from the right goes like this:
>
> 91 75 22 0D
> We convert each to their integer counterparts,
> 145 117 34 13
> Add each together multiplied by 256 to the power of their position
> 145 + 117(256) + 34(256^2) + 13(256^3)
>
> Google and our calculator say the result is = 220 362 129 which is
> what XMLSec signing says.
>
> Our 2nd certificate has a value of 1411141FB6F2538A4DF8F4497614A8A3
> Calc starting from the right:
>
> A3 A8 14 76 49 F4 F8 4D 8A 53 F2 B6 1F 14 11 14
> 163 + 168*256 + 20*256^2 + 118*256^3 + 73*256^4 + 244*256^5 +
> 248*256^6 +
> 77*256^7 + 138*256^8 + 83*256^9 + 242*256^10 + 182*256^11 + 31*256^12
> +
> 20*256^13 + 17*256^14 + 20*256^15
>
> Google has a rounding error and gives:
> 2.66732371 × 10^37 or 26673237100000000000000000000000000000
>
> We use a Big Integer class in .NET to get a value of:
> 26673237123177746846882916240247269539
>
> However XMLSec reports a value of:
> 16863389628646640081019990102011455077
>
> Is there something I'm doing wrong? This works with a smaller RSA
> keyed cert but not on the larger one.
>
> Wes Thomas
> Encomia, L.P.
> www.encomia.com
>
> Iguana: The other green meat.
>
More information about the xmlsec
mailing list