[xmlsec] Problem with some cert which has a negative serial number
Hao.Mi at Sun.COM
Mon Feb 21 19:22:44 PST 2005
Aleksey Sanin wrote:
>> What I suggest is to add minus sign to the string format (no matter
>> what base it is) when a bn is negative. When creating bn from this
>> string, the minus sign can be used to help converting back to the
>> original bn.
> Yes, I am thinking along the same lines...
>> Anyway, I just hope any bn in string format is only used in purpose
>> of displaying, otherwise, the minus sign may cause some problem.
> Unfortunately, no. The bn strng is written in xml signature as
> certificate serial number. And one needs to know how to convert
> a bn to decimal string and back.
It doesn't matter. When I say "to add minus sign", I don't mean adding
minus sign directly to the unsigned string format, instead, we should
use the correct "complement" representation for a negative.
For instance, for a bn "fe", it should be represented as "-02" in string
format, not "-254".
>> Moreover, I also think the leading zero prefix should be reserved
>> converting between bn and string. For instance, when converting a bn
>> "01" to a string, the result should be "01", instead of "1". Only in
>> this way, when converting back to a bn, the leading zero can be
> Oh, I am really not sure about this. How this would work for decimal
> string and hex in memory representations? Will it always be 1<->1
Can a bn like "00 00 01" can be a legal serial number? If so (assumption
#1), I think the leading zero should be reserved in string format, this
can guarantee when converting back to a bn, it is "00 00 01" again.
Why? I think it is much more possible for MSCrypto/NSS to find the cert
with "00 00 01" than using "01". (assumption #2, I am not so sure about
Anyway, if any of my above assumptions is incorrect, just forget it. I
will try to do some test soon.
Regarding to the memory representations, I think the purpose of
reserving the leading zero is to ensure that a string can be converted
back to the exact original bn, so we can find some rules to make the
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the xmlsec