[xmlsec] Problem with some cert which has a negative serial number
Andrew Fan
Xuelei.Fan at Sun.COM
Mon Feb 21 20:56:46 PST 2005
Michael Mi wrote:
> For a bn like "FF FF FF FF", the string format can be created as
> follows:
>
I think "FF FF FF FF" is not a legal big integer, as you can get from X.690.
-Andrew
> 1) The first byte is bigger than 127, so a "-" should be added to the
> result;
> 2) calculate the "complement" code of "FF FF FF FF", it is "00 00 00 01";
> 3) the result is "-0001". (How come the three zeros? I am not so sure
> at this moment, but we can find a way if necessary.)
>
> Now the "-0001" is written into the xml file. The leading zero is used
> to recover the 4 "FF". If we just write "-1" into the xml file, how
> can we re-generate the "FF FF FF FF"?
>
> At this moment, Chander and I are trying to do the test. We'll let you
> know any result.
>
> Michael
>
>
> Aleksey Sanin wrote:
>
>> Note that this is not only 00s but also FFs for negative values
>> (11, 111, 1111, 11111, etc. all represent the same -1). The real
>> question is how smart are the NSPR (CERT_FindCertByIssuerAndSN)
>> and MSCrypto (CertCompareIntegerBlob) functions? Do they understand
>> that these numbers are the same or not?
>>
>> Does anyone want to test it?
>>
>> Aleksey
>>
>> Michael Mi wrote:
>>
>>> I agree with you that "01", "00 01", "00 00 00 01" are the same bns
>>> theoretically.
>>>
>
>
>
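The encoding question discussed in this thread, as an added example that is not part of the original messages or of xmlsec: it checks the X.690 rule for minimal INTEGER content octets and compares serial numbers by value, so that padded and minimal encodings match. All function names are hypothetical and the byte strings are constructed samples.

```python
def is_minimal(content: bytes) -> bool:
    """X.690 8.3.2: with more than one content octet, the first octet and
    the top bit of the second must not be all ones or all zeros."""
    if not content:
        return False  # an INTEGER needs at least one content octet
    if len(content) == 1:
        return True
    all_zero = content[0] == 0x00 and (content[1] & 0x80) == 0
    all_one = content[0] == 0xFF and (content[1] & 0x80) != 0
    return not (all_zero or all_one)


def decode(content: bytes) -> int:
    """Interpret INTEGER content octets as a two's-complement value."""
    return int.from_bytes(content, "big", signed=True)


def encode(value: int) -> bytes:
    """Produce the shortest two's-complement encoding of value."""
    magnitude = value if value >= 0 else ~value
    length = magnitude.bit_length() // 8 + 1  # always leaves room for the sign bit
    return value.to_bytes(length, "big", signed=True)


def same_serial(a: bytes, b: bytes) -> bool:
    """Compare two serial numbers by value instead of byte for byte."""
    return decode(a) == decode(b)


def describe(content: bytes) -> dict:
    """Summarise one encoding: decimal text, minimality, canonical bytes."""
    value = decode(content)
    return {
        "decimal": str(value),
        "minimal": is_minimal(content),
        "canonical": encode(value).hex(),
    }


if __name__ == "__main__":
    # Constructed samples: the padded forms from the thread and their minimal forms.
    for sample in ("ffffffff", "ff", "00000001", "01", "00ff"):
        print(sample, describe(bytes.fromhex(sample)))
```

The decimal text "-1" does not record how many FF octets the certificate carried, so a lookup that matches serial numbers byte for byte can miss a certificate whose serial is stored in a padded form.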