Re: [xml] validating xmld:dsig schema with a large size serial number
- From: Daniel Veillard <veillard redhat com>
- To: Jean-Marc Desperrier <xs04 jmdesp free org>
- Cc: xml gnome org
- Subject: Re: [xml] validating xmld:dsig schema with a large size serial number
- Date: Wed, 12 Mar 2008 05:41:36 -0400
On Sun, Mar 09, 2008 at 10:47:43AM +0100, Jean-Marc Desperrier wrote:
> Hi,
>
> I found a limitation in libxml2 schema validation that is really
> annoying in the context of xml:dsig.
> (after writing the first version of this bug, I found out it's already
> reported in bug 350248)
> The xs:integer type is limited to handling at most 24 digit integers.
> The trouble is that the X509SerialNumber field in the xml dsig
> schema uses that type (
> http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd ), and x509
> certificate serial number can have a size of up to 20 bytes (in
> 2-complement binary representation).
>
> A generic solution to handle integers of any size would probably be
> hard, but would it be possible to have a work around just for that case
> ? Currently, libxml2 hard codes the size limit to 24 digits because
> it then stores the value in 3 long integer variables. Using 5 variables
> might be enough to handle the values X509SerialNumber will take.
>
> What would be the consequences of removing the test for the 24 digits on
> a local instance of libxml2 ? Just making facets applied to integer
> larger than the limit buggy ?

The problem is then we would have no way to store the value. I think
having a disconnection between what we accept in the representation and what
we handle in the type system would be very confusing in general.

> I see Daniel complains in the bug that using integer for this field is
> just a bad choice, but the trouble is that it's in the xml:dsig norm,
> that has been accepted as a W3C Recommendation.
> http://www.w3.org/TR/xmldsig-core/
> I approve it's been badly conceived, another point that shows that is
> that almost all X509 experts don't understand why that field uses
> decimal, and think it should be using hexadecimal instead.
If you provide a patch to grow to 5 long and it doesn't look silly
I may apply it to avoid the problem, but really this is a bad case of
misuse affecting implementation.
Daniel
--
Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard | virtualization library http://libvirt.org/
veillard redhat com | libxml GNOME XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/
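
Added example (not code from this thread or from libxml2): a C pre-check that counts the decimal digits of an X509SerialNumber value against the 24-digit limit discussed above, and computes how many digits an n-byte two's-complement serial number can need. The 8-digits-per-variable figure is an assumption derived from 24 digits over 3 variables, the function names are hypothetical, and the sample serial is constructed.

```c
#include <ctype.h>
#include <stdio.h>

#define MAX_DIGITS 24      /* libxml2 xs:integer limit stated in the thread */
#define DIGITS_PER_VAR 8   /* assumption: 24 digits spread over 3 variables */

/* Significant decimal digits of an xs:integer lexical value (no surrounding
 * whitespace); returns -1 if the string is not a valid decimal integer. */
int xs_integer_digits(const char *s)
{
    int n = 0;
    if (*s == '+' || *s == '-') s++;
    if (!isdigit((unsigned char)*s)) return -1;
    while (*s == '0') s++;                       /* leading zeros don't count */
    for (; isdigit((unsigned char)*s); s++) n++;
    if (*s != '\0') return -1;
    return n ? n : 1;                            /* "0" is one digit */
}

/* Digits of the largest positive nbytes-long two's-complement value,
 * 2^(8*nbytes-1) - 1. A power of two is never a power of ten, so 2^k and
 * 2^k - 1 have the same digit count; double a decimal digit array k times. */
int max_serial_digits(int nbytes)
{
    unsigned char d[128] = {1};                  /* little-endian digits of 1 */
    int len = 1;
    if (nbytes < 1 || nbytes > 50) return -1;    /* keeps len below 128 */
    for (int b = 0; b < 8 * nbytes - 1; b++) {
        int carry = 0;
        for (int i = 0; i < len; i++) {
            int v = d[i] * 2 + carry;
            d[i] = (unsigned char)(v % 10);
            carry = v / 10;
        }
        if (carry) d[len++] = (unsigned char)carry;
    }
    return len;
}

/* Storage variables needed for a given digit count (rounded up). */
int vars_needed(int digits) { return (digits + DIGITS_PER_VAR - 1) / DIGITS_PER_VAR; }

int main(void)
{
    const char *serial = "123456789012345678901234567890123456789012345678"; /* constructed */
    int n = xs_integer_digits(serial);
    printf("serial: %d digits, %s the %d-digit limit\n", n, n > MAX_DIGITS ? "over" : "within", MAX_DIGITS);
    printf("20-byte serial: up to %d digits, %d variables\n", max_serial_digits(20), vars_needed(max_serial_digits(20)));
    return 0;
}
```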