[xml] validating xmld:dsig schema with a large size serial number


I found a limitation in libxml2 schema validation that is really annoying in the context of xml:dsig. (after writing the first version of this bug, I found out it's already reported in bug 350248)
The xs:integer type is limited to handling at most 24 digit integers.
The trouble is that that the X509SerialNumber field in the xml dsig schema uses that type ( http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd ), and x509 certificate serial number can have a size of up to 20 byte (in 2-complement binary representation).

A generic solution to handle integers of any size would probably be hard, but would it be possible to have a work around just for that case ? Currently, libxml2 hard codes the the size limit to 24 digits because it then stores the value in 3 long integer variables. Using 5 variables might be enough to handle the values X509SerialNumber will take.

What would be the consequences of removing the test for the 24 digits on a local instance of libxml2 ? Just making facets applied to integer larger than the limit buggy ?

I see Daniel complains in the bug that using integer for this field is just a bad choice, but the trouble is that it's in the xml:dsig norm, that has been accepted as a W3C Recommendation.
I approve it's been badly conceived, another point that shows that is that almost all X509 experts don't understand why that field uses decimal, and think it should be using hexadecimal instead.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]