[xmlsec] Problem with some cert which has a negative serial number

Aleksey Sanin aleksey at aleksey.com
Tue Feb 22 01:31:22 PST 2005


Michael,

I have a better patch for you (see attached file). Also I already
tested it and checked in (thanks to Andrew for his openssl trick :) ).

However, there are few things I would like to note:
1) I did test openssl <-> mscrypto interoperability for negative
serial numbers and everything seems to be working. I did not test
NSS <-> mscrypto at all.
2) I noticed that NSS does not handle large serial numbers at all.
It seems that the code just converts a string to regular integer
using NSPR's analog for atoi() function.
3) It turns out that mscrypto does not recognize "emailAddress"
attribute in x509 string. Worse, when it writes a string, it puts
email into "E" attribute but then refuses to read it back (or to
be precise, it reads it in a *different* internal format and then
can not find this cert)! I hacked the code to workaround this
problem but this is really a quick-and-dirty hack and you might
want to think about a better solution.

Aleksey



Aleksey Sanin wrote:
> Just do "patch -p0 < path-to-negative-bn.diff" from the top level
> xmlsec folder.
> 
> Aleksey
> 
> Michael Mi wrote:
> 
>> I'd love to try it.
>>
>> But can you tell me how to merge the diff into my bn.c when I am using 
>> the libxmlsec tarball?
>>
>> Michael
>>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
-------------- next part --------------
Index: src/bn.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/bn.c,v
retrieving revision 1.14
diff -u -r1.14 bn.c
--- src/bn.c	26 Jan 2005 16:52:09 -0000	1.14
+++ src/bn.c	22 Feb 2005 09:16:51 -0000
@@ -170,9 +170,10 @@
  */
 int 
 xmlSecBnFromString(xmlSecBnPtr bn, const xmlChar* str, xmlSecSize base) {
-    xmlSecSize i, len;
+    xmlSecSize i, len, size;
     xmlSecByte ch;
     xmlSecByte* data;
+    int positive;
     int nn;
     int ret;
 
@@ -184,7 +185,7 @@
     /* trivial case */
     len = xmlStrlen(str);
     if(len == 0) {
-	return(0);
+        return(0);
     }
     
     /* The result size could not exceed the input string length
@@ -192,60 +193,102 @@
      * In truth, it would be likely less than 1/2 input string length
      * because each byte is represented by 2 chars. If needed, 
      * buffer size would be increased by Mul/Add functions.
-     * Finally, we add one byte for 00 prefix if first byte is > 127.
+     * Finally, we can add one byte for 00 or 10 prefix.
      */
     ret = xmlSecBufferSetMaxSize(bn, xmlSecBufferGetSize(bn) + len / 2 + 1 + 1);
     if(ret < 0) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "xmlSecBnRevLookupTable",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "size=%d", len / 2 + 1);
-	return (-1);
+        xmlSecError(XMLSEC_ERRORS_HERE,
+		        NULL,
+		        "xmlSecBnRevLookupTable",
+		        XMLSEC_ERRORS_R_XMLSEC_FAILED,
+		        "size=%d", len / 2 + 1);
+        return (-1);
+    }
+
+    /* figure out if it is positive or negative number */
+    positive = 1;
+    i = 0;
+    while(i < len) {
+        ch = str[i++];
+
+        /* skip spaces */
+        if(isspace(ch)) {
+	        continue;
+        } 
+        
+        /* check if it is + or - */
+        if(ch == '+') {
+            positive = 1;
+            break;
+        } else if(ch == '-') {
+            positive = 0;
+            break;
+        }
+
+        /* otherwise, it must be start of the number */
+        nn = xmlSecBnLookupTable[ch];
+        if((nn >= 0) && ((xmlSecSize)nn < base)) {
+            xmlSecAssert2(i > 0, -1);
+
+            /* no sign, positive by default */
+            positive = 1;
+            --i; /* make sure that we will look at this character in next loop */
+            break;
+        } else {
+	        xmlSecError(XMLSEC_ERRORS_HERE,
+		        NULL,
+		        NULL,
+		        XMLSEC_ERRORS_R_INVALID_DATA,
+		        "char=%c;base=%d", 
+		        ch, base);
+    	        return (-1);
+        }
     }
 
-    for(i = 0; i < len; i++) {
-	ch = str[i];
-	if(isspace(ch)) {
-	    continue;
-	}
+    /* now parse the number itself */
+    while(i < len) {
+        ch = str[i++];
+        if(isspace(ch)) {
+	        continue;
+        }
 
-	xmlSecAssert2(ch <= sizeof(xmlSecBnLookupTable), -1);
-	nn = xmlSecBnLookupTable[ch];
-	if((nn < 0) || ((xmlSecSize)nn > base)) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
-			NULL,
-			NULL,
-			XMLSEC_ERRORS_R_INVALID_DATA,
-			"char=%c;base=%d", 
-			ch, base);
-    	    return (-1);
-	}
-	
-	ret = xmlSecBnMul(bn, base);
-	if(ret < 0) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
-			NULL,
-			"xmlSecBnMul",
-			XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			"base=%d", base);
-	    return (-1);
-	}
+        xmlSecAssert2(ch <= sizeof(xmlSecBnLookupTable), -1);
+        nn = xmlSecBnLookupTable[ch];
+        if((nn < 0) || ((xmlSecSize)nn > base)) {
+	        xmlSecError(XMLSEC_ERRORS_HERE,
+		        NULL,
+		        NULL,
+		        XMLSEC_ERRORS_R_INVALID_DATA,
+		        "char=%c;base=%d", 
+		        ch, base);
+    	        return (-1);
+        }
 
-	ret = xmlSecBnAdd(bn, nn);
-	if(ret < 0) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
-			NULL,
-			"xmlSecBnAdd",
-			XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			"base=%d", base);
-	    return (-1);
-	}	
+        ret = xmlSecBnMul(bn, base);
+        if(ret < 0) {
+	        xmlSecError(XMLSEC_ERRORS_HERE,
+		        NULL,
+		        "xmlSecBnMul",
+		        XMLSEC_ERRORS_R_XMLSEC_FAILED,
+		        "base=%d", base);
+	        return (-1);
+        }
+
+        ret = xmlSecBnAdd(bn, nn);
+        if(ret < 0) {
+	        xmlSecError(XMLSEC_ERRORS_HERE,
+		        NULL,
+		        "xmlSecBnAdd",
+		        XMLSEC_ERRORS_R_XMLSEC_FAILED,
+		        "base=%d", base);
+	        return (-1);
+}	
     }
 
-    /* check whether need to add 00 prefix */
+    /* check if we need to add 00 prefix */
     data = xmlSecBufferGetData(bn);
-    if(data[0] > 127) {
+    size = xmlSecBufferGetSize(bn);
+    if(size > 0 && data[0] > 127) {
         ch = 0;
         ret = xmlSecBufferPrepend(bn, &ch, 1);
         if(ret < 0) {
@@ -257,6 +300,26 @@
             return (-1);
         }
     }
+
+    /* do 2's compliment and add 1 to represent negative value */
+    if(positive == 0) {
+        data = xmlSecBufferGetData(bn);
+        size = xmlSecBufferGetSize(bn);
+        for(i = 0; i < size; ++i) {
+            data[i] ^= 0xFF;
+        }
+        
+        ret = xmlSecBnAdd(bn, 1);
+        if(ret < 0) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+                NULL,
+                "xmlSecBnAdd",
+                XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                "base=%d", base);
+            return (-1);
+        }
+    }
+
     return(0);
 }
 
@@ -272,8 +335,12 @@
  */
 xmlChar* 
 xmlSecBnToString(xmlSecBnPtr bn, xmlSecSize base) {
+    xmlSecBn bn2;
+    int positive = 1;
     xmlChar* res;
-    xmlSecSize i, len;
+    xmlSecSize i, len, size;
+    xmlSecByte* data;
+    int ret;
     int nn;
     xmlChar ch;
 
@@ -281,35 +348,86 @@
     xmlSecAssert2(base > 1, NULL);
     xmlSecAssert2(base <= sizeof(xmlSecBnRevLookupTable), NULL);
 
+
+    /* copy bn */
+    data = xmlSecBufferGetData(bn);
+    size = xmlSecBufferGetSize(bn);
+    ret = xmlSecBnInitialize(&bn2, size);
+    if(ret < 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            NULL,
+            "xmlSecBnCreate",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            "size=%d", size);
+        return (NULL);
+    }
+    
+    ret = xmlSecBnSetData(&bn2, data, size);
+    if(ret < 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            NULL,
+            "xmlSecBnSetData",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            "size=%d", size);
+        xmlSecBnFinalize(&bn2);
+        return (NULL);
+    }
+
+    /* check if it is a negative number or not */
+    data = xmlSecBufferGetData(&bn2);
+    size = xmlSecBufferGetSize(&bn2);
+    if((size > 0) && (data[0] > 127)) {
+        /* subtract 1 and do 2's compliment */
+        ret = xmlSecBnAdd(&bn2, -1);
+        if(ret < 0) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+                        NULL,
+                        "xmlSecBnAdd",
+                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                        "size=%d", size);
+            xmlSecBnFinalize(&bn2);
+            return (NULL);
+        }
+        for(i = 0; i < size; ++i) {
+            data[i] ^= 0xFF;
+        }
+
+        positive = 0;
+    } else {
+        positive = 1;
+    }
+
     /* Result string len is
      *	    len = log base (256) * <bn size>
      * Since the smallest base == 2 then we can get away with 
      *	    len = 8 * <bn size>
      */
-    len = 8 * xmlSecBufferGetSize(bn) + 1;
+    len = 8 * size + 1 + 1;
     res = (xmlChar*)xmlMalloc(len + 1);
     if(res == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    NULL,
-		    XMLSEC_ERRORS_R_MALLOC_FAILED,
-		    "len=%d", len);
-	return (NULL);
+        xmlSecError(XMLSEC_ERRORS_HERE,
+		            NULL,
+		            NULL,
+		            XMLSEC_ERRORS_R_MALLOC_FAILED,
+		            "len=%d", len);
+        xmlSecBnFinalize(&bn2);
+        return (NULL);
     }
     memset(res, 0, len + 1);
 
-    for(i = 0; (xmlSecBufferGetSize(bn) > 0) && (i < len); i++) {
-	if(xmlSecBnDiv(bn, base, &nn) < 0) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
-			NULL,
-			"xmlSecBnDiv",
-			XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			"base=%d", base);
-	    xmlFree(res);
-    	    return (NULL);
-	}
-	xmlSecAssert2((size_t)nn < sizeof(xmlSecBnRevLookupTable), NULL);
-	res[i] = xmlSecBnRevLookupTable[nn];
+    for(i = 0; (xmlSecBufferGetSize(&bn2) > 0) && (i < len); i++) {
+        if(xmlSecBnDiv(&bn2, base, &nn) < 0) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+                        NULL,
+                        "xmlSecBnDiv",
+                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                        "base=%d", base);
+            xmlFree(res);
+            xmlSecBnFinalize(&bn2);
+            return (NULL);
+        }
+        xmlSecAssert2((size_t)nn < sizeof(xmlSecBnRevLookupTable), NULL);
+        res[i] = xmlSecBnRevLookupTable[nn];
     }
     xmlSecAssert2(i < len, NULL);
 
@@ -317,13 +435,20 @@
     for(len = i; (len > 1) && (res[len - 1] == '0'); len--);
     res[len] = '\0';
 
+    /* add "-" for negative numbers */
+    if(positive == 0) {
+        res[len] = '-';
+        res[++len] = '\0';
+    }
+
     /* swap the string because we wrote it in reverse order */
     for(i = 0; i < len / 2; i++) {
-	ch = res[i];
-	res[i] = res[len - i - 1];
-	res[len - i - 1] = ch;
+        ch = res[i];
+        res[i] = res[len - i - 1];
+        res[len - i - 1] = ch;
     }
 
+    xmlSecBnFinalize(&bn2);
     return(res);
 }
 
@@ -408,7 +533,9 @@
     }
 
     data = xmlSecBufferGetData(bn);
-    for(over = 0, i = xmlSecBufferGetSize(bn); i > 0;) {
+    i = xmlSecBufferGetSize(bn);
+    over = 0; 
+    while(i > 0) {
 	xmlSecAssert2(data != NULL, -1);
 
 	over	= over + multiplier * data[--i];
@@ -503,43 +630,57 @@
  */
 int 
 xmlSecBnAdd(xmlSecBnPtr bn, int delta) {
-    int over;
+    int over, tmp;
     xmlSecByte* data;
     xmlSecSize i;
     xmlSecByte ch;
     int ret;
 
     xmlSecAssert2(bn != NULL, -1);
-    xmlSecAssert2(delta >= 0, -1);
 
     if(delta == 0) {
-	return(0);
+    	return(0);
     }
 
     data = xmlSecBufferGetData(bn);
-    for(over = delta, i = xmlSecBufferGetSize(bn); i > 0;) {
-	xmlSecAssert2(data != NULL, -1);
+    if(delta > 0) {
+        for(over = delta, i = xmlSecBufferGetSize(bn); (i > 0) && (over > 0) ;) {
+	        xmlSecAssert2(data != NULL, -1);
 	
-	over   += data[--i];
-	data[i]	= over % 256;
-	over	= over / 256;
-    }
+            tmp     = data[--i];
+        	over   += tmp;
+	        data[i]	= over % 256;
+	        over	= over / 256;
+        }
     
-    while(over > 0) {
-	ch	= over % 256;
-	over	= over / 256;
+        while(over > 0) {
+	        ch	= over % 256;
+	        over	= over / 256;
 	
-	ret = xmlSecBufferPrepend(bn, &ch, 1);
-	if(ret < 0) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
-			NULL,
-			"xmlSecBufferPrepend",
-			XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			"size=1");
-	    return (-1);
-	}
+        	ret = xmlSecBufferPrepend(bn, &ch, 1);
+	        if(ret < 0) {
+	            xmlSecError(XMLSEC_ERRORS_HERE,
+			        NULL,
+			        "xmlSecBufferPrepend",
+			        XMLSEC_ERRORS_R_XMLSEC_FAILED,
+			        "size=1");
+	            return (-1);
+	        }
+        }
+    } else {
+        for(over = -delta, i = xmlSecBufferGetSize(bn); (i > 0) && (over > 0);) {
+	        xmlSecAssert2(data != NULL, -1);
+	
+            tmp     = data[--i];
+            if(tmp < over) {
+                data[i]	= 0;
+                over = (over - tmp) / 256;
+            } else {
+                data[i] = tmp - over;
+                over = 0;
+            }
+        }
     }
-    
     return(0);
 }
 
Index: src/mscrypto/crypto.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/mscrypto/crypto.c,v
retrieving revision 1.5
diff -u -r1.5 crypto.c
--- src/mscrypto/crypto.c	12 Nov 2003 02:38:51 -0000	1.5
+++ src/mscrypto/crypto.c	22 Feb 2005 09:16:51 -0000
@@ -330,13 +330,15 @@
 BYTE* 
 xmlSecMSCryptoCertStrToName(DWORD dwCertEncodingType, LPCTSTR pszX500, DWORD dwStrType, DWORD* len) {
     BYTE* str = NULL; 
-    
+    LPCTSTR ppszError = NULL;
+
     xmlSecAssert2(pszX500 != NULL, NULL);
     xmlSecAssert2(len != NULL, NULL);
 
     if (!CertStrToName(dwCertEncodingType, pszX500, dwStrType, 
-			NULL, NULL, len, NULL)) {
+			NULL, NULL, len, &ppszError)) {
 	/* this might not be an error, string might just not exist */
+                DWORD dw = GetLastError();
 	return(NULL);
     }
 	
Index: src/mscrypto/x509.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/mscrypto/x509.c,v
retrieving revision 1.2
diff -u -r1.2 x509.c
--- src/mscrypto/x509.c	26 Sep 2003 00:58:13 -0000	1.2
+++ src/mscrypto/x509.c	22 Feb 2005 09:16:52 -0000
@@ -1882,7 +1882,7 @@
     xmlSecAssert2(nm->pbData != NULL, NULL);
     xmlSecAssert2(nm->cbData > 0, NULL);
 
-    csz = CertNameToStr(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, nm, CERT_X500_NAME_STR, NULL, 0);
+    csz = CertNameToStr(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, nm, CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG, NULL, 0);
     str = (char *)xmlMalloc(csz);
     if (NULL == str) {
 	xmlSecError(XMLSEC_ERRORS_HERE,
@@ -1893,7 +1893,7 @@
 	return (NULL);
     }
 
-    csz = CertNameToStr(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, nm, CERT_X500_NAME_STR, str, csz);
+    csz = CertNameToStr(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, nm, CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG, str, csz);
     if (csz < 1) {
 	xmlSecError(XMLSEC_ERRORS_HERE,
 		    NULL,
@@ -1904,17 +1904,37 @@
 	return(NULL);
     }
 
-    res = xmlStrdup(BAD_CAST str);
-    if(res == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "xmlStrdup",
-		    XMLSEC_ERRORS_R_MALLOC_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
-	xmlFree(str);
-	return(NULL);
-    }
+    /* aleksey: this is a hack, but mscrypto can not read E= flag and wants Email= instead.
+     * don't ask me how is it possible not to read something you wrote yourself but also
+     * see comment in the xmlSecMSCryptoX509FindCert function. 
+     */
+    if(strncmp(str, "E=", 2) == 0) {
+        res = xmlMalloc(strlen(str) + 13 + 1);
+        if(res == NULL) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+		            NULL,
+		            "xmlMalloc",
+		            XMLSEC_ERRORS_R_MALLOC_FAILED,
+		            "size=%d",
+                    strlen(str) + 13 + 1);
+            xmlFree(str);
+            return(NULL);
+        }
 
+        memcpy(res, "emailAddress=", 13);
+        strcpy(res + 13, BAD_CAST (str + 2)); 
+    } else {
+        res = xmlStrdup(BAD_CAST str);
+        if(res == NULL) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+		            NULL,
+		            "xmlStrdup",
+		            XMLSEC_ERRORS_R_MALLOC_FAILED,
+		            XMLSEC_ERRORS_NO_MESSAGE);
+            xmlFree(str);
+            return(NULL);
+        }
+    }
     xmlFree(str);
     return(res);
 }
Index: src/mscrypto/x509vfy.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/mscrypto/x509vfy.c,v
retrieving revision 1.3
diff -u -r1.3 x509vfy.c
--- src/mscrypto/x509vfy.c	27 Sep 2003 03:12:22 -0000	1.3
+++ src/mscrypto/x509vfy.c	22 Feb 2005 09:16:52 -0000
@@ -567,10 +567,41 @@
 
     if((pCert == NULL) && (NULL != issuerName) && (NULL != issuerSerial)) {
 	xmlSecBn issuerSerialBn;	
+    xmlChar * p;
 	CERT_NAME_BLOB cnb;
+    CRYPT_INTEGER_BLOB cib;
         BYTE *cName = NULL; 
 	DWORD cNameLen = 0;	
+    
+    /* aleksey: for some unknown to me reasons, mscrypto wants Email
+     * instead of emailAddress. This code is not bullet proof and may 
+     * produce incorrect results if someone has "emailAddress=" string
+     * in one of the fields, but it is best I can suggest to fix this problem.
+     * Also see xmlSecMSCryptoX509NameWrite function.
+     */
+    while( (p = (xmlChar*)xmlStrstr(issuerName, BAD_CAST "emailAddress=")) != NULL) {
+        memcpy(p, "       Email=", 13);
+    }
 
+
+
+    /* get issuer name */
+	cName = xmlSecMSCryptoCertStrToName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+					   issuerName,
+					   CERT_NAME_STR_ENABLE_UTF8_UNICODE_FLAG | CERT_OID_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
+					   &cNameLen);
+	if(cName == NULL) {
+	    xmlSecError(XMLSEC_ERRORS_HERE,
+			NULL,
+			"xmlSecMSCryptoCertStrToName",
+			XMLSEC_ERRORS_R_XMLSEC_FAILED,
+			XMLSEC_ERRORS_NO_MESSAGE);
+	    return (NULL);
+	}
+	cnb.pbData = cName;
+	cnb.cbData = cNameLen;
+
+    /* get serial number */
 	ret = xmlSecBnInitialize(&issuerSerialBn, 0);
 	if(ret < 0) {
 	    xmlSecError(XMLSEC_ERRORS_HERE,
@@ -578,6 +609,7 @@
 			"xmlSecBnInitialize",
 			XMLSEC_ERRORS_R_XMLSEC_FAILED,
 			XMLSEC_ERRORS_NO_MESSAGE);
+    	xmlFree(cName);
 	    return(NULL);
 	}
 
@@ -589,26 +621,30 @@
 			XMLSEC_ERRORS_R_XMLSEC_FAILED,
 			XMLSEC_ERRORS_NO_MESSAGE);
 	    xmlSecBnFinalize(&issuerSerialBn);
-	    return(NULL);
+		xmlFree(cName);
+        return(NULL);
 	}
 
-	cName = xmlSecMSCryptoCertStrToName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
-					   issuerName,
-					   CERT_OID_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
-					   &cNameLen);
-	if(cName == NULL) {
+	/* I have no clue why at a sudden a swap is needed to 
+     * convert from lsb... This code is purely based upon 
+	 * trial and error :( WK
+	 */
+    ret = xmlSecBnReverse(&issuerSerialBn);
+	if(ret < 0) {
 	    xmlSecError(XMLSEC_ERRORS_HERE,
 			NULL,
-			"xmlSecMSCryptoCertStrToName",
+			"xmlSecBnReverse",
 			XMLSEC_ERRORS_R_XMLSEC_FAILED,
 			XMLSEC_ERRORS_NO_MESSAGE);
 	    xmlSecBnFinalize(&issuerSerialBn);
-	    return (NULL);
+		xmlFree(cName);
+        return(NULL);
 	}
 
-	cnb.pbData = cName;
-	cnb.cbData = cNameLen;
-	while((pCert = CertFindCertificateInStore(store, 
+    cib.pbData = xmlSecBufferGetData(&issuerSerialBn);
+    cib.cbData = xmlSecBufferGetSize(&issuerSerialBn);
+
+    while((pCert = CertFindCertificateInStore(store, 
 						  PKCS_7_ASN_ENCODING | X509_ASN_ENCODING,
 						  0,
 						  CERT_FIND_ISSUER_NAME,
@@ -622,10 +658,9 @@
 	    if((pCert->pCertInfo != NULL) && 
 	       (pCert->pCertInfo->SerialNumber.pbData != NULL) && 
 	       (pCert->pCertInfo->SerialNumber.cbData > 0) && 
-	       (0 == xmlSecBnCompareReverse(&issuerSerialBn, pCert->pCertInfo->SerialNumber.pbData, 
-				     pCert->pCertInfo->SerialNumber.cbData))) {
-		
-		break;
+           (CertCompareIntegerBlob(&(pCert->pCertInfo->SerialNumber), &cib) == TRUE)
+           ) {		
+		    break;
 	    }
 	}
 	xmlFree(cName);
Index: tests/testDSig.sh
===================================================================
RCS file: /cvs/gnome/xmlsec/tests/testDSig.sh,v
retrieving revision 1.35
diff -u -r1.35 testDSig.sh
--- tests/testDSig.sh	17 Mar 2004 05:06:48 -0000	1.35
+++ tests/testDSig.sh	22 Feb 2005 09:16:53 -0000
@@ -1,8 +1,15 @@
 #!/bin/sh 
 
+OS_ARCH=`uname -o`
+
+if [ "z$OS_ARCH" = "zCygwin" ] ; then
+	topfolder=`cygpath -wa $2`
+	xmlsec_app=`cygpath -a $3`
+else
+	topfolder=$2
+	xmlsec_app=$3
+fi
 crypto=$1
-topfolder=$2
-xmlsec_app=$3
 file_format=$4
 
 pub_key_format=$file_format
@@ -13,10 +20,15 @@
 if [ "z$TMPFOLDER" = "z" ] ; then
     TMPFOLDER=/tmp
 fi
-
 timestamp=`date +%Y%m%d_%H%M%S` 
-tmpfile=$TMPFOLDER/testDSig.$timestamp-$$.tmp
-logfile=$TMPFOLDER/testDSig.$timestamp-$$.log
+if [ "z$OS_ARCH" = "zCygwin" ] ; then
+	tmpfile=`cygpath -wa $TMPFOLDER/testDSig.$timestamp-$$.tmp`
+	logfile=`cygpath -wa $TMPFOLDER/testDSig.$timestamp-$$.log`
+else
+	tmpfile=$TMPFOLDER/testDSig.$timestamp-$$.tmp
+	logfile=$TMPFOLDER/testDSig.$timestamp-$$.log
+fi
+
 script="$0"
 
 # prepate crypto config folder
@@ -104,7 +116,6 @@
 echo "--- testDSig started for xmlsec-$crypto library ($timestamp)" >> $logfile
 echo "--- LD_LIBRARY_PATH=$LD_LIBRARY_PATH" >> $logfile
 
-
 execDSigTest "" "merlin-xmldsig-twenty-three/signature-enveloped-dsa" \
     " " \
     "$priv_key_option $topfolder/keys/dsakey.$priv_key_format --pwd secret" \
@@ -238,6 +249,11 @@
     "$priv_key_option tests/keys/rsakey.$priv_key_format --pwd secret" \
     "--trusted-$cert_format $topfolder/keys/cacert.$cert_format"
 
+execDSigTest "" "aleksey-xmldsig-01/x509data-sn-test" \
+    "--trusted-$cert_format $topfolder/keys/cacert.$cert_format --untrusted-$cert_format $topfolder/keys/ca2cert.$cert_format  --untrusted-$cert_format $topfolder/keys/rsa2cert.$cert_format --enabled-key-data x509" \
+    "$priv_key_option tests/keys/rsa2key.$priv_key_format --pwd secret" \
+    "--trusted-$cert_format $topfolder/keys/cacert.$cert_format --untrusted-$cert_format $topfolder/keys/ca2cert.$cert_format  --untrusted-$cert_format $topfolder/keys/rsa2cert.$cert_format --enabled-key-data x509"
+
 execDSigTest "" "merlin-exc-c14n-one/exc-signature" \
     ""
     
@@ -249,6 +265,7 @@
 
 execDSigTest "" "merlin-xpath-filter2-three/sign-spec" \
     ""
+
 execDSigTest "phaos-xmldsig-three" "signature-big" \
     "--pubkey-cert-$cert_format certs/rsa-cert.$cert_format" 
 
Index: tests/aleksey-xmldsig-01/x509data-sn-test.tmpl
===================================================================
RCS file: tests/aleksey-xmldsig-01/x509data-sn-test.tmpl
diff -N tests/aleksey-xmldsig-01/x509data-sn-test.tmpl
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ tests/aleksey-xmldsig-01/x509data-sn-test.tmpl	22 Feb 2005 09:16:53 -0000
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Document>
+  <ToBeSigned>
+    Some very secret data
+  </ToBeSigned>
+  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+    <SignedInfo>
+      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
+      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
+      <Reference URI="">
+        <Transforms>
+          <Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
+            <XPath xmlns="http://www.w3.org/2002/06/xmldsig-filter2" Filter="intersect"> //ToBeSigned </XPath>
+          </Transform>
+        </Transforms>
+        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
+        <DigestValue/>
+      </Reference>
+    </SignedInfo>
+    <SignatureValue/>
+    <KeyInfo>
+      <X509Data>
+        <X509IssuerSerial/>
+      </X509Data>
+    </KeyInfo>
+  </Signature>
+</Document>
Index: tests/aleksey-xmldsig-01/x509data-sn-test.xml
===================================================================
RCS file: tests/aleksey-xmldsig-01/x509data-sn-test.xml
diff -N tests/aleksey-xmldsig-01/x509data-sn-test.xml
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ tests/aleksey-xmldsig-01/x509data-sn-test.xml	22 Feb 2005 09:16:53 -0000
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Document>
+  <ToBeSigned>
+    Some very secret data
+  </ToBeSigned>
+  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+    <SignedInfo>
+      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
+      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+      <Reference URI="">
+        <Transforms>
+          <Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
+            <XPath xmlns="http://www.w3.org/2002/06/xmldsig-filter2" Filter="intersect"> //ToBeSigned </XPath>
+          </Transform>
+        </Transforms>
+        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+        <DigestValue>3om1gINPzaogcdLuDdjIQlls4NE=</DigestValue>
+      </Reference>
+    </SignedInfo>
+    <SignatureValue>pcsM3Uz0+85OJTV28sg+mQ5khOCxeToam9ojj5F7D5IVXoQAnCNDuyDbKLsn0UKv
+I06RXzlb4MXb88fBJaFd4ygfpy3Ude8n6erjwxtwU6tPiesHyJB64GSD9yeSGDZt
+UnD0EYB9ammZxoqVUlZR5FiqG/vTUtjHN+Fo6DTuY+g=</SignatureValue>
+    <KeyInfo>
+      <X509Data>
+        
+      <X509IssuerSerial>
+<X509IssuerName>emailAddress=xmlsec at aleksey.com,CN=Aleksey Sanin,OU=Second Level Certificate,O=XML Security Library (http://www.aleksey.com/xmlsec),ST=California,C=US</X509IssuerName>
+<X509SerialNumber>-1</X509SerialNumber>
+</X509IssuerSerial>
+</X509Data>
+    </KeyInfo>
+  </Signature>
+</Document>
Index: tests/keys/README
===================================================================
RCS file: /cvs/gnome/xmlsec/tests/keys/README,v
retrieving revision 1.6
diff -u -r1.6 README
--- tests/keys/README	30 Jul 2003 02:47:22 -0000	1.6
+++ tests/keys/README	22 Feb 2005 09:16:53 -0000
@@ -17,6 +17,8 @@
  hmackey.bin	HMAC key ('secret')
  expired.key	key for expired cert 
  expired.crt	expired certificate 
+ rsa2key.pem	RSA private key
+ rsa2cert.pem 	Self signed RSA certificate with negative serial number
 
 2. How certificates were generated:
 
@@ -66,6 +68,9 @@
    
   Convert PEM cert file to DER file
     > openssl x509 -outform DER -in ca2cert.pem -out ca2cert.der 
+
+  Convert DER cert file to PEM file
+   > openssl x509 -inform DER -outform PEM -in ca2cert.der -out ca2cert.pem
 
 4. Converting an unencrypted PEM or DER file containing a private key
    to an encrypted PEM or DER file containing the same private key but
Index: tests/keys/rsa2cert.der
===================================================================
RCS file: tests/keys/rsa2cert.der
diff -N tests/keys/rsa2cert.der
Binary files /dev/null and rsa2cert.der differ
Index: tests/keys/rsa2cert.pem
===================================================================
RCS file: tests/keys/rsa2cert.pem
diff -N tests/keys/rsa2cert.pem
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ tests/keys/rsa2cert.pem	22 Feb 2005 09:16:53 -0000
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICujCCAmQCAf8wDQYJKoZIhvcNAQEEBQAwgb8xCzAJBgNVBAYTAlVTMRMwEQYD
+VQQIEwpDYWxpZm9ybmlhMT0wOwYDVQQKEzRYTUwgU2VjdXJpdHkgTGlicmFyeSAo
+aHR0cDovL3d3dy5hbGVrc2V5LmNvbS94bWxzZWMpMSEwHwYDVQQLExhTZWNvbmQg
+TGV2ZWwgQ2VydGlmaWNhdGUxFjAUBgNVBAMTDUFsZWtzZXkgU2FuaW4xITAfBgkq
+hkiG9w0BCQEWEnhtbHNlY0BhbGVrc2V5LmNvbTAeFw0wNTAyMjIwODAxNDJaFw0x
+NTAyMjAwODAxNDJaMIHLMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
+YTESMBAGA1UEBxMJU3Vubnl2YWxlMT0wOwYDVQQKEzRYTUwgU2VjdXJpdHkgTGli
+cmFyeSAoaHR0cDovL3d3dy5hbGVrc2V5LmNvbS94bWxzZWMpMTwwOgYDVQQLEzNU
+aGlyZCBsZXZlbCBjZXJ0aWZpY2F0ZSB3aXRoIG5lZ2F0aXZlIHNlcmlhbCBudW1i
+ZXIxFjAUBgNVBAMTDUFsZWtzZXkgU2FuaW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
+MIGJAoGBAONHVDP5sBVclV0pClZYjcB6Os70uGmKZzAFgq8+lUZmu9utk78ZCK0A
+NtvxjQ/C+/17plevhXFGeWgjGGbEq6OpEkAjDyXX+j5ZMI6b6zYwVEo0+Eh15Sbb
+LIYat1m4kR5A7/gIhsVKT8GfWAYzamPYrPmsa9JVDKEqsh9PPaz7AgMBAAEwDQYJ
+KoZIhvcNAQEEBQADQQAOTj9O30MjCt8darphiTDSYaLof5IvJiDfu38UnSukH/Ut
+t5C7EU+1X5/uKacfYnHs/0UQYbmq5Zsm4Zky+ht9
+-----END CERTIFICATE-----
Index: tests/keys/rsa2key.der
===================================================================
RCS file: tests/keys/rsa2key.der
diff -N tests/keys/rsa2key.der
Binary files /dev/null and rsa2key.der differ
Index: tests/keys/rsa2key.p12
===================================================================
RCS file: tests/keys/rsa2key.p12
diff -N tests/keys/rsa2key.p12
Binary files /dev/null and rsa2key.p12 differ
Index: tests/keys/rsa2key.pem
===================================================================
RCS file: tests/keys/rsa2key.pem
diff -N tests/keys/rsa2key.pem
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ tests/keys/rsa2key.pem	22 Feb 2005 09:16:53 -0000
@@ -0,0 +1,18 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,4500DDD8194CE192
+
+E1FQxiq6hX9GbvWm2HyzvfgDvFXFLjruys4cL6gCXLl7kNPBEUsi3geICO3bFVsk
+XTI/JYZQosR3mhglydDQU/JJ0JXid6T9wxdRxokr8K2O2KGFjN2n95RZ2gkDyYfd
+4/4OmGymm1g8VFUqeJuR6x2Lwh9ML2k2R8dqJqLhuoLlfp14fqlMRvzni53aTDSU
+xxLYQ0SphGpE2gdEbowZDKLx8v+w7tZvTES/4jZQL3rosPJgcSy4Hif9pSHYDK91
+e3N8rz/lyrQ1sb0z808GXVrK2h8nrJiuBAcS3S4smvKbV3fl0nu2um/ZFZPqAjiQ
+4rNa77a+uA0FmRHrtb4zL6aRwoybkaO7TwwKhCjDtM1OdCia5+sINXBdswtBwvGf
+lURgIBiORsdDNjmk4TYb3g9V3cAccnWzA80GqefiokzFteATl02c2aN+AsV2BCxv
+fBCV/mX/+ygzctK0W/auaVl/qN0kezbkrZiCr7FB/Im2IRsVJ+NZoe7BW5/LiC+F
+5mn6ExkuLwQ6o7OZpUkjQunFFE+hwiCvObSv3dhTBRn3iQg/0i7Ufb8FcQfF7Mfy
+4oK1yZqvnHoH8BbeTuGYY/PRFIdXwM+mEJy1Sk8pBcGwMNlJf6UdTCvRoQ1SB+a0
+EpMP1/AgZ2F4MVOuZLYOp7OOLTaB9Yu92Gtm9g0YbMg6OKkkoW5SVuk+Kvo8tv/3
+ITY8bLfSn2T0MRRwds71uW9vo4IhN/IT6Js+xEteY4kaufXtcSIZ+h6XrmjuoxZR
+voBxkA4KgGUKKU1aemeHUCxzdqYlhrLvlXcjxvPmCjKdFjc9PX1/Ag==
+-----END RSA PRIVATE KEY-----
Index: win32/Makefile.msvc
===================================================================
RCS file: /cvs/gnome/xmlsec/win32/Makefile.msvc,v
retrieving revision 1.27
diff -u -r1.27 Makefile.msvc
--- win32/Makefile.msvc	9 Jun 2004 14:35:12 -0000	1.27
+++ win32/Makefile.msvc	22 Feb 2005 09:16:54 -0000
@@ -456,21 +456,21 @@
 check-keys : $(BINDIR)\$(APP_NAME)
 	cd ..
 	if not exist win32\tmp mkdir win32\tmp
-	set TMPFOLDER=win32\tmp
+	set TMPFOLDER=win32/tmp
 	sh ./tests/testKeys.sh default ./tests win32/$(BINDIR)/$(APP_NAME) der
 	cd win32
 
 check-dsig : $(BINDIR)\$(APP_NAME)	
 	cd ..
 	if not exist win32\tmp mkdir win32\tmp
-	set TMPFOLDER=win32\tmp
+	set TMPFOLDER=win32/tmp
 	sh ./tests/testDSig.sh default ./tests win32/$(BINDIR)/$(APP_NAME) der
 	cd win32
 
 check-enc : $(BINDIR)\$(APP_NAME)
 	cd ..
 	if not exist win32\tmp mkdir win32\tmp
-	set TMPFOLDER=win32\tmp
+	set TMPFOLDER=win32/tmp
 	sh ./tests/testEnc.sh default ./tests win32/$(BINDIR)/$(APP_NAME) der
 	cd win32
 


More information about the xmlsec mailing list