[xmlsec] Problem with some cert which has a negative serial number

Andrew Fan Xuelei.Fan at Sun.COM
Mon Feb 21 02:18:57 PST 2005 

Hi Aleksey,

If I rembered, we convert big number and decimal string with 
xmlSecBnToString() or xmlSecBnFromString(). I don't know what's the 
exact means of "big number" at bn.h and bn.c. If "big number" is an 
ASN.1 DER encoded integer, I think it has a little drawback that it only 
accept positive number. I think it is useful if "big number' accepts 
negative integer as well.

Thanks,
Andrew

Aleksey Sanin wrote:

> OK, I see it now. However, I am not sure I understand how to fix
> your problem w/o breaking Michael's code because it seems that
> in his case "B2 ..." is *always* a positive integer. I am coping
> this email to Michael too get his opinion.
>
> Meantime, it would be great if you can try to parse your certificate
> with openssl and check if it would consider this number negative or
> positive.
>
> Aleksey
>
>
> Chandler Peng wrote:
>
>> Dear Aleksey ,
>>  
>> That bug  you refer to resolved a  problem how to transfer a positive 
>> decimal string to a positive integer . For example , there is a 
>> serial number "00 B2 2F 00 00 /00 02 20 73 3B 25 34 C4 42 6F"/ in the 
>> certificate , the serial number is a positive integer for the first 
>> byte is 0x00(the first bit is 0) . The libxmlsec will transfer the SN 
>> to "/3613992633088206991095317234205295" /in decimal format and 
>> transfer back to /"B2 2F 00 00 00 02 20 73 3B 25 34 C4 42 6F" /in der 
>> format . That is a bug for the integer "00 B2 2F 00 00 /00 02 20 73 
>> 3B 25 34 C4 42 6F" is not equal to /the integer  "B2 2F 00 00 /00 02 
>> 20 73 3B 25 34 C4 42 6F". /That bug has been fixed in CVS./
>>
>> /This bug we reported is different with that bug.
>> For example , if there is a serial number "B2 2F 00 00 /00 02 20 73 
>> 3B 25 34 C4 42 6F"/ in the certificate , the serial number is a 
>> negative integer for the first byte is 0xB2(the first bit is 1) . The 
>> libxmlsec will transfer the SN to 
>> "/3613992633088206991095317234205295" /in decimal format and transfer 
>> back to /"00 B2 2F 00 00 00 02 20 73 3B 25 34 C4 42 6F" /in der 
>> format . This is a bug for "B2 2F 00 00 /00 02 20 73 3B 25 34 C4 42 
>> 6F" /is a  negative integer and 
>> "/3613992633088206991095317234205295"/ is a positive decimal format 
>> string. They are not equal.
>>
>> It seem that there should be a flag in decimal format to distinguish 
>> whether the decimal string is positive or not , does'nt it?
>>
>> --Chandler
>>  
>> Aleksey Sanin wrote:
>>
>>> I guess you are using xmlsec-mscrypto library and if this is
>>> the case then I believe that this bug was already fixed in CVS:
>>>
>>> http://www.aleksey.com/pipermail/xmlsec/2005/002487.html
>>>
>>> It would be great if you can try the CVS version and report if your
>>> problem still exists.
>>>
>>> Thanks,
>>> Aleksey
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec

More information about the xmlsec mailing list