[xmlsec] Problem with some cert which has a negative serial number
Aleksey Sanin
aleksey at aleksey.com
Mon Feb 21 19:40:29 PST 2005
>>
>> Unfortunately, no. The bn string is written in xml signature as
>> certificate serial number. And one needs to know how to convert
>> a bn to decimal string and back.
>
> It doesn't matter. When I say "to add minus sign", I don't mean adding
> minus sign directly to the unsigned string format, instead, we should
> use the correct "complement" representation for a negative.
>
> For instance, for a bn "fe", it should be represented as "-02" in string
> format, not "-254".

Yes, this is what I meant too. I just wanted to point out that
these conversions *are* used in crypto processing. These are not
only display level functions.

> Can a bn like "00 00 01" be a legal serial number?

Yes. It is equal to "1".

> If so (*assumption #1*), I think the leading zero should be reserved in string
> format, this can guarantee when converting back to a bn, it is "00 00
> 01" again.

Not necessary. "00 00 01" and "01" both represent the same bn. The
functions that search for a certificate MUST understand this.

Aleksey
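
The conversion discussed in this thread, as an added example that is not part of the original message and is not xmlsec's code: it decodes serial-number bytes as a big-endian two's-complement integer, writes the decimal string, converts back, and compares by value so that "00 00 01" and "01" match. The function names are hypothetical, and the sketch assumes the bytes are the content octets of the certificate's ASN.1 INTEGER.

```python
import re

# Strict decimal form: optional minus sign, ASCII digits only.
_DECIMAL = re.compile(r"-?[0-9]+")


def serial_bytes_to_decimal(content: bytes) -> str:
    """Decode big-endian two's-complement bytes into a decimal string."""
    if not content:
        raise ValueError("empty serial number")
    return str(int.from_bytes(content, "big", signed=True))


def decimal_to_serial_bytes(text: str) -> bytes:
    """Encode a decimal string as the shortest two's-complement byte string."""
    text = text.strip()
    if not _DECIMAL.fullmatch(text):
        raise ValueError("not a decimal integer: %r" % text)
    value = int(text)
    # Bits needed for the magnitude, plus one sign bit, rounded up to bytes.
    magnitude = value if value >= 0 else ~value
    length = magnitude.bit_length() // 8 + 1
    return value.to_bytes(length, "big", signed=True)


def serials_match(cert_serial: bytes, xml_serial: str) -> bool:
    """Compare by integer value, so leading padding bytes do not matter."""
    text = xml_serial.strip()
    if not cert_serial or not _DECIMAL.fullmatch(text):
        return False
    return int.from_bytes(cert_serial, "big", signed=True) == int(text)


if __name__ == "__main__":
    # Constructed sample values taken from the byte strings in the thread.
    for hex_bytes in ("fe", "00 00 01", "01", "00 fe"):
        raw = bytes.fromhex(hex_bytes)
        dec = serial_bytes_to_decimal(raw)
        back = decimal_to_serial_bytes(dec).hex()
        print("%-9s -> %4s -> %s" % (hex_bytes, dec, back))
```

Note that "fe" and "00 fe" decode to different values, so a lookup that treats the bytes as unsigned would match the wrong serial for a certificate whose serial number is negative.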