[xmlsec] Problem with some cert which has a negative serial number
Xuelei.Fan at Sun.COM
Mon Feb 21 20:56:46 PST 2005
Michael Mi wrote:
> For a bn like "FF FF FF FF", the string format can be created as
I think "FF FF FF FF" is not a legal big integer, as you can get from X.690.
> 1) The first byte is bigger than 127, so a "-" should be added to the
> 2) calculate the "complement" code of "FF FF FF FF", it is "00 00 00 01";
> 3) the result is "-0001". (How come the three zeros? I am not so sure
> at this moment, but we can find way if necessary.)
> Now the "-0001" is written into the xml file. The leading zero is used
> to recover the 4 "FF". If we just write "-1" into the xml file, how
> can we re-generate the "FF FF FF FF"?
> At this moment, Chander and I are trying to do the test. We'll let you
> know any result.
> Aleksey Sanin wrote:
>> Note that this is not only 00s but also FFs for negative values
>> (11, 111, 1111, 11111, etc. all represent the same -1). The real
>> question is how smart are the NSPR (CERT_FindCertByIssuerAndSN)
>> and MSCrypto (CertCompareIntegerBlob) functions? Do they understand
>> that these numbers are the same or not?
>> Does anyone want to test it?
>> Michael Mi wrote:
>>> I agree with you that "01", "00 01", "00 00 00 01" are same bns
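The encoding question discussed in this thread, as an added example that is not part of the original messages and is not xmlsec, NSS or MSCrypto code: X.690 section 8.3.2 requires the shortest two's-complement form for INTEGER contents, so padded forms decode to the same value but are not valid DER. The function names are hypothetical and the byte strings are constructed samples taken from the values quoted above.

```python
# Added illustration: DER INTEGER contents octets and padded serial numbers.

def decode_der_integer(content: bytes) -> int:
    """Interpret INTEGER contents octets as a big-endian two's-complement value."""
    if not content:
        raise ValueError("INTEGER needs at least one contents octet")
    return int.from_bytes(content, "big", signed=True)

def is_minimal(content: bytes) -> bool:
    """X.690 8.3.2: with more than one octet, the first octet plus bit 8 of the
    second octet must not be all zeros or all ones."""
    if not content:
        return False
    if len(content) == 1:
        return True
    top_bit_of_second = content[1] & 0x80
    if content[0] == 0x00 and not top_bit_of_second:
        return False  # redundant leading 00 on a non-negative value
    if content[0] == 0xFF and top_bit_of_second:
        return False  # redundant leading FF on a negative value
    return True

def minimal_encoding(value: int) -> bytes:
    """Shortest two's-complement encoding of value (what DER requires)."""
    magnitude = value if value >= 0 else ~value
    length = magnitude.bit_length() // 8 + 1  # +1 leaves room for the sign bit
    return value.to_bytes(length, "big", signed=True)

def same_serial(a: bytes, b: bytes) -> bool:
    """Compare two serial-number encodings by value instead of by raw bytes."""
    return decode_der_integer(a) == decode_der_integer(b)

def serial_text_matches(text: str, content: bytes) -> bool:
    """Compare a decimal serial string (as written to XML) with the encoded value."""
    return int(text.strip()) == decode_der_integer(content)

if __name__ == "__main__":
    # Constructed samples: the byte strings discussed in the thread.
    for hex_str in ("FFFFFFFF", "FF", "00000001", "0001", "01", "0080"):
        raw = bytes.fromhex(hex_str)
        value = decode_der_integer(raw)
        print(f"{hex_str:>8} value={value:<4} minimal={is_minimal(raw)!s:<5} "
              f"canonical={minimal_encoding(value).hex().upper()}")
    print(serial_text_matches("-0001", bytes.fromhex("FFFFFFFF")),
          serial_text_matches("-1", bytes.fromhex("FF")))
```

A lookup that compares the raw blobs byte for byte treats "FF" and "FF FF FF FF" as different serials, while a comparison by value treats them as equal; which of the two the certificate lookup functions do is the open question in the thread.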