[xmlsec] Problem with some cert which has a negative serial number

Michael Mi Hao.Mi at Sun.COM
Mon Feb 21 19:25:20 PST 2005

I gree with you than "01", "00 01", "00 00 00 01" are same bns 

But the current question is whether they are still same in MSCrypto/NSS 
implementation. If not, we have to keep the leading zero in the xml file.


Andrew Fan wrote:

> Aleksey Sanin wrote:
>>> What I suggest is to add minus sign to the string format (no matter 
>>> what base it is) when a bn is negative. When creating bn from this 
>>> string, the minus sign can be used to help converting back to the 
>>> original bn.
>> Yes, I am thinking along the same lines...
>>> Anyway, I just hope any bn in string format is only used in purpose 
>>> of displaying, otherwise, the minus sign may cause some problem.
>> Unfortunately, no. The bn strng is written in xml signature as
>> certificate serial number. And one needs to know how to convert
>> a bn to decimal string and back.
>>> Moreover, I also think the leading zero prefix should be reserved 
>>> converting between bn and string. For instance, when converting a bn 
>>> "01" to a string, the result should be "01", instead of "1". Only in 
>>> this way, when converting back to a bn, the leading zero can be 
>>> recoveredd.
>> Oh, I am really not sure about this. How this would work for decimal
>> string and hex in memory representations? Will it always be 1<->1
>> conversion?
> I'm against that convert bn "01" to string "01". As Aleksey said above 
> the bn is write for xml signature as serial number, so it should ship 
> ASN.1 BER/DER integer encording rules. Decimal string "01", "1", 
> "00001" have the same means, which should be encoded into the same bn.
> Andrew
>> Aleksey
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec

More information about the xmlsec mailing list