[xmlsec] Problem with some cert which has a negative serial number

Michael Mi Hao.Mi at Sun.COM
Mon Feb 21 19:22:44 PST 2005


Aleksey Sanin wrote:

>> What I suggest is to add minus sign to the string format (no matter 
>> what base it is) when a bn is negative. When creating bn from this 
>> string, the minus sign can be used to help converting back to the 
>> original bn.
> Yes, I am thinking along the same lines...
>> Anyway, I just hope any bn in string format is only used in purpose 
>> of displaying, otherwise, the minus sign may cause some problem.
> Unfortunately, no. The bn strng is written in xml signature as
> certificate serial number. And one needs to know how to convert
> a bn to decimal string and back. 

It doesn't matter. When I say "to add minus sign", I don't mean adding 
minus sign directly to the unsigned string format, instead, we should 
use the correct "complement" representation for a negative.

For instance, for a bn "fe", it should be represented as "-02" in string 
format, not "-254".

>> Moreover, I also think the leading zero prefix should be reserved 
>> converting between bn and string. For instance, when converting a bn 
>> "01" to a string, the result should be "01", instead of "1". Only in 
>> this way, when converting back to a bn, the leading zero can be 
>> recoveredd.
> Oh, I am really not sure about this. How this would work for decimal
> string and hex in memory representations? Will it always be 1<->1
> conversion? 

Can a bn like "00 00 01" can be a legal serial number? If so (assumption 
#1), I think the leading zero should be reserved in string format, this 
can guarantee when converting back to a bn, it is "00 00 01" again.
Why? I think it is much more possible for MSCrypto/NSS to find the cert 
with "00 00 01" than using "01". (assumption #2, I am not so sure about 
Anyway, if any of my above assumptions is incorrect, just forget it. I 
will try to do some test soon.

Regarding to the memory representations, I think the purpose of 
reserving the leading zero is to ensure that a string can be converted 
back to the exact original bn, so we can find some rules to make the 
convertion reversible.


> Aleksey

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.aleksey.com/pipermail/xmlsec/attachments/20050222/749f8a9c/attachment-0002.htm

More information about the xmlsec mailing list