[xmlsec] Problem with some cert which has a negative serial number

Aleksey Sanin aleksey at aleksey.com
Mon Feb 21 19:40:29 PST 2005


>>
>> Unfortunately, no. The bn string is written in xml signature as
>> certificate serial number. And one needs to know how to convert
>> a bn to decimal string and back. 
> 
> It doesn't matter. When I say "to add minus sign", I don't mean adding 
> minus sign directly to the unsigned string format, instead, we should 
> use the correct "complement" representation for a negative.
> 
> For instance, for a bn "fe", it should be represented as "-02" in string 
> format, not "-254".
Yes, this is what I meant too. I just wanted to point out that
these conversions *are* used in crypto processing. These are not
only display level functions.

> Can a bn like "00 00 01" be a legal serial number?
Yes. It is equal to "1".

> If so (*assumption #1*), I think the leading zero should be reserved in string
> format, this can guarantee when converting back to a bn, it is "00 00 
> 01" again.
Not necessary. "00 00 01" and "01" both represent the same bn. The
functions that search for a certificate MUST understand this.

Aleksey
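
The conversion discussed in this message, as an added example that is not part of the original post and is not xmlsec code: the hypothetical helper `serial_to_dec` turns serial number bytes into a canonical decimal string, so "fe" becomes "-2" and both "00 00 01" and "01" become "1". It assumes the bytes are big-endian two's complement (as in a DER INTEGER) and at most 64 bytes long.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not an xmlsec function): convert certificate serial
 * bytes, assumed to be big-endian two's complement as in a DER INTEGER,
 * to a canonical decimal string. Returns 0 on success, -1 on error. */
int serial_to_dec(const unsigned char *in, size_t len, char *out, size_t outsz)
{
    unsigned char mag[64];
    char digits[160];               /* 64 bytes need at most 155 digits */
    size_t i, n = 0, start = 0;
    int neg, carry = 1;
    if (in == NULL || out == NULL || len == 0 || len > sizeof(mag)) return -1;
    neg = (in[0] & 0x80) != 0;      /* high bit of first octet is the sign */
    memcpy(mag, in, len);
    for (i = len; neg && i-- > 0; ) {   /* magnitude = ~value + 1 */
        int v = (unsigned char)~mag[i] + carry;
        mag[i] = (unsigned char)v;
        carry = v >> 8;
    }
    for (;;) {                      /* repeated division by 10 */
        unsigned rem = 0;
        while (start < len && mag[start] == 0) start++;  /* drop leading 00 */
        if (start == len) break;
        for (i = start; i < len; i++) {
            unsigned cur = (rem << 8) | mag[i];
            mag[i] = (unsigned char)(cur / 10);
            rem = cur % 10;
        }
        digits[n++] = (char)('0' + rem);
    }
    if (n == 0) digits[n++] = '0';
    if (n + (size_t)neg + 1 > outsz) return -1;
    if (neg) *out++ = '-';
    while (n > 0) *out++ = digits[--n];
    *out = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample serials, taken from the byte values in the thread. */
    const unsigned char a[] = {0xfe}, b[] = {0x00, 0x00, 0x01}, c[] = {0x01};
    char s[200];
    if (serial_to_dec(a, sizeof a, s, sizeof s) == 0) printf("fe       -> %s\n", s);
    if (serial_to_dec(b, sizeof b, s, sizeof s) == 0) printf("00 00 01 -> %s\n", s);
    if (serial_to_dec(c, sizeof c, s, sizeof s) == 0) printf("01       -> %s\n", s);
    return 0;
}
```

Comparing the canonical strings rather than the raw bytes makes a certificate lookup treat "00 00 01" and "01" as the same serial.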



