[xmlsec] Problem with some cert which has a negative serial number

Chandler Peng Chuandong.Peng at sun.com
Sun Feb 20 18:33:31 PST 2005

Hello, Aleksey,
We found that signing fails with some certificates when the certificate
has a negative integer in the serial number field. We get a
KEY_NOT_FOUND error indicating that the cert or the private key cannot
be found in the cert store or the key store. We think the cert is not
found when searching for it by issuer name and serial number. At the
beginning, we got the raw strings of IssuerName (DN) and SerialNumber
(SN) from the certificate without any change. Then we passed the DN and
SN to libxmlsec. The SN is converted from DER format to decimal format
in xmlSecBnToString(), and there is no sign to record whether the
integer is negative or not. So the correct DER string cannot be
recovered from the decimal string when the integer is negative, and
this causes the cert search to fail when the DN and the 'wrong' SN are
used as the parameters of CertFindCertificateInStore().

According to RFC 3280, the serial number MUST be a positive integer
assigned by the CA to each certificate, BUT according to X.509, a serial
number in a certificate can be positive or negative.

"RFC 3280 mandates that serial numbers be positive integers that are at 
most 20 octets long, but X.509 simply states that serial numbers are 
integers.  So, if a certificate with a negative serial number is not 
incorrect, it simply was not generated in a PKIX compliant manner."
--from NIST, the author org of X509.

So, what should we do in this case? Will libxmlsec support these
certificates in a coming version?

--Chandler Peng.
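The round-trip problem described in the post, as an added example that is not xmlsec's code: the content octets of a DER INTEGER are two's complement, so a decimal conversion that ignores the sign bit (as the post says xmlSecBnToString() does; that is an assumption about xmlsec's behaviour, not verified here) re-encodes to different octets for a negative serial, and a lookup by issuer name plus serial number then cannot match the certificate. The serial values below are constructed.

```python
def der_int_to_decimal(content: bytes, signed: bool) -> str:
    """Decode the content octets of a DER INTEGER (big-endian two's
    complement, X.690) to a decimal string.  signed=False drops the sign
    bit, mirroring the conversion the post describes (assumption)."""
    return str(int.from_bytes(content, "big", signed=signed))


def decimal_to_der_int(dec: str) -> bytes:
    """Encode a decimal string back to minimal DER INTEGER content octets.
    A positive value whose top bit is set gets a leading 0x00; a negative
    value is encoded in two's complement with the sign bit in octet 0."""
    n = int(dec)
    length = 1
    while True:
        try:
            return n.to_bytes(length, "big", signed=True)
        except OverflowError:
            length += 1  # need one more octet to hold the sign bit


def round_trips(content: bytes, signed: bool) -> bool:
    """True if DER -> decimal -> DER reproduces the original serial octets,
    i.e. if a store lookup keyed on the re-encoded serial would still match."""
    return decimal_to_der_int(der_int_to_decimal(content, signed)) == content


# Constructed serial numbers (content octets only, no tag/length):
POSITIVE_SERIAL = bytes.fromhex("00c8")  # 200, leading 0x00 keeps it positive
NEGATIVE_SERIAL = bytes.fromhex("ff38")  # -200 in two's complement


if __name__ == "__main__":
    for label, serial in (("positive", POSITIVE_SERIAL), ("negative", NEGATIVE_SERIAL)):
        for signed in (True, False):
            dec = der_int_to_decimal(serial, signed)
            back = decimal_to_der_int(dec).hex()
            print(f"{label} serial {serial.hex()} signed={signed}: "
                  f"decimal={dec} re-encoded={back} match={round_trips(serial, signed)}")
```

A sign-preserving conversion round-trips both serials; the sign-dropping one turns ff38 into 65336, which re-encodes as 00ff38 and no longer matches the certificate.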
