[xmlsec] Problem with some cert which has a negative serial number

Andrew Fan Xuelei.Fan at Sun.COM
Mon Feb 21 19:03:41 PST 2005


Aleksey Sanin wrote:

>> What I suggest is to add minus sign to the string format (no matter 
>> what base it is) when a bn is negative. When creating bn from this 
>> string, the minus sign can be used to help converting back to the 
>> original bn.
>
> Yes, I am thinking along the same lines...
>
>>
>> Anyway, I just hope any bn in string format is only used in purpose 
>> of displaying, otherwise, the minus sign may cause some problem.
>
> Unfortunately, no. The bn string is written in xml signature as
> certificate serial number. And one needs to know how to convert
> a bn to decimal string and back.
>
>> Moreover, I also think the leading zero prefix should be reserved 
>> converting between bn and string. For instance, when converting a bn 
>> "01" to a string, the result should be "01", instead of "1". Only in 
>> this way, when converting back to a bn, the leading zero can be 
>> recovered.
>
> Oh, I am really not sure about this. How this would work for decimal
> string and hex in memory representations? Will it always be 1<->1
> conversion?
>
I'm against converting bn "01" to string "01". As Aleksey said above, 
the bn is written for xml signature as serial number, so it should ship 
ASN.1 BER/DER integer encoding rules. Decimal string "01", "1", "00001" 
have the same meaning, which should be encoded into the same bn.

Andrew

> Aleksey

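The round trip discussed in this thread, as an added example that is not xmlsec code and not from either poster: the content octets of an ASN.1 INTEGER are treated as a signed two's-complement value, a minus sign is written for negative values, and leading zeros in the decimal string are not significant. The function names and the sample serial bytes are constructed for illustration.

```python
# Added example: signed INTEGER content octets <-> decimal string.
# Function names and sample bytes are constructed, not taken from xmlsec.

def der_int_to_decimal(content: bytes) -> str:
    """Decode INTEGER content octets (big-endian two's complement)."""
    if not content:
        raise ValueError("INTEGER needs at least one content octet")
    return str(int.from_bytes(content, "big", signed=True))


def decimal_to_der_int(text: str) -> bytes:
    """Encode a decimal string as minimal two's-complement content octets."""
    s = text.strip()
    digits = s[1:] if s.startswith("-") else s
    if not digits or not digits.isascii() or not digits.isdigit():
        raise ValueError(f"not a decimal integer: {text!r}")
    value = int(s)
    # Bits needed for the magnitude; one more bit is reserved for the sign.
    nbits = value.bit_length() if value >= 0 else (~value).bit_length()
    return value.to_bytes(nbits // 8 + 1, "big", signed=True)


def unsigned_misread(content: bytes) -> str:
    """What a reader gets if it ignores the sign bit of the first octet."""
    return str(int.from_bytes(content, "big", signed=False))


if __name__ == "__main__":
    # Constructed serial whose first octet has the high bit set (negative).
    serial = bytes.fromhex("800001")
    dec = der_int_to_decimal(serial)
    print("signed decimal   :", dec)
    print("round trip octets:", decimal_to_der_int(dec).hex())
    print("unsigned misread :", unsigned_misread(serial))
    # Leading zeros in the decimal form all map to the same octets.
    for s in ("01", "1", "00001"):
        print(repr(s), "->", decimal_to_der_int(s).hex())
```

A verifier that compares serial numbers as strings should normalize both sides through the same signed conversion first, since the unsigned reading of the same octets yields a different number.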