[xmlsec] Problem with some cert which has a negative serial number

Michael Mi Hao.Mi at Sun.COM
Mon Feb 21 19:52:32 PST 2005


For a bn like "FF FF FF FF", the string format can be created as follows:

1) The first byte is bigger than 127, so a "-" should be added to the 
result;
2) calculate the "complement" code of "FF FF FF FF", it is "00 00 00 01";
3) the result is "-0001". (How come there are three zeros? I am not so sure at 
this moment, but we can find a way if necessary.)

Now the "-0001" is written into the xml file. The leading zero is used 
to recover the 4 "FF". If we just write "-1" into the xml file, how can 
we re-generate the "FF FF FF FF"?

At this moment, Chander and I are trying to do the test. We'll let you 
know of any result.

Michael


Aleksey Sanin wrote:

> Note that this is not only 00s but also FFs for negative values
> (11, 111, 1111, 11111, etc. all represent the same -1). The real
> question is how smart are the NSPR (CERT_FindCertByIssuerAndSN)
> and MSCrypto (CertCompareIntegerBlob) functions? Do they understand
> that these numbers are the same or not?
>
> Anyone want to test it?
>
> Aleksey
>
> Michael Mi wrote:
>
>> I agree with you that "01", "00 01", "00 00 00 01" are the same bns 
>> theoretically.
>>
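
An added example, not part of the original thread and not code from xmlsec, NSS or MSCrypto: one way to compare two serial numbers by value, the property the thread asks about, by stripping redundant sign-extension bytes from the big-endian two's-complement form before comparing. The names `serial_minimal` and `serial_equal` are hypothetical, and the byte strings in `main` are constructed samples.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: skip redundant sign-extension bytes of a big-endian
 * two's-complement integer (ASN.1 INTEGER content octets). A leading 0x00
 * is redundant if the next byte has its top bit clear; a leading 0xFF is
 * redundant if the next byte has its top bit set. */
static size_t serial_minimal(const unsigned char *p, size_t len,
                             const unsigned char **out)
{
    while (len > 1 &&
           ((p[0] == 0x00 && (p[1] & 0x80) == 0) ||
            (p[0] == 0xFF && (p[1] & 0x80) != 0))) {
        p++;
        len--;
    }
    *out = p;
    return len;
}

/* Hypothetical helper: 1 if both byte strings encode the same integer. */
int serial_equal(const unsigned char *a, size_t alen,
                 const unsigned char *b, size_t blen)
{
    const unsigned char *ma, *mb;
    size_t la, lb;
    if (a == NULL || b == NULL || alen == 0 || blen == 0)
        return 0; /* an empty INTEGER is not a valid encoding */
    la = serial_minimal(a, alen, &ma);
    lb = serial_minimal(b, blen, &mb);
    return la == lb && memcmp(ma, mb, la) == 0;
}

int main(void)
{
    /* Constructed sample values from the thread: both are -1. */
    const unsigned char wide[] = { 0xFF, 0xFF, 0xFF, 0xFF };
    const unsigned char narrow[] = { 0xFF };
    /* 00 FF is +255: here the leading zero carries the sign. */
    const unsigned char pos255[] = { 0x00, 0xFF };

    printf("FF FF FF FF == FF : %d\n",
           serial_equal(wide, sizeof wide, narrow, sizeof narrow));
    printf("00 FF == FF       : %d\n",
           serial_equal(pos255, sizeof pos255, narrow, sizeof narrow));
    return 0;
}
```

A raw `memcmp` over the unnormalized bytes would report "FF FF FF FF" and "FF" as different even though both encode -1.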