long X509IssuerSerial elements cause interoperability issues

Description

The Shibboleth 2.0 SP provides a facility to generate metadata according to the configuration. This includes the X.509 certificates in use in the form of KeyDescriptor elements. At some point during development, this started to include not just the certificate data but other information, in particular the X509IssuerSerial.

This would be fine if it were not for the fact that some CAs use large random numbers as serial numbers to prevent sequence guessing. Not all XML libraries are capable of dealing with very long X509IssuerSerial elements, which are typed in XML-DSIG as integers even though "minimally conformant" XML processors only have to deal with integers up to 18 digits long. Bad XML-DSIG, no biscuit for you.

See, for example, the finger-pointing discussion at: http://bugzilla.gnome.org/show_bug.cgi?id=350248

You will see that libxml2 is more than minimally conformant, but still only deals with up to 24 characters before deciding that an X509IssuerSerial is not schema-valid. This causes interoperability issues with at least one (non-Shibboleth) consumer of metadata in the UK federation.

In order to avoid such issues in the future it would be preferable if the generated metadata didn't include long X509IssuerSerial values (not including them at all would be one option that we wouldn't object to).

I believe the code that performs this is actually around line 78 et seq of BasicX509Credential.cpp in the cpp-xmltooling project.
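As an added check, not part of this issue or of the Shibboleth/cpp-xmltooling code: a small Python script that scans generated SAML metadata for X509IssuerSerial values whose serial number has more significant digits than a minimally conformant xs:integer processor must accept (18) or than the libxml2 limit quoted above (24). The namespaces are the standard XML-DSIG and SAML 2.0 metadata ones; the sample metadata, issuer names and serial numbers are constructed.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"          # XML-DSIG namespace
MD = "urn:oasis:names:tc:SAML:2.0:metadata"        # SAML 2.0 metadata namespace
MIN_CONFORMANT_DIGITS = 18  # minimum an xs:integer processor must accept
LIBXML2_DIGITS = 24         # limit the issue reports for libxml2


def serial_digit_count(text):
    """Significant decimal digits in an xs:integer lexical value
    (surrounding whitespace, sign and leading zeros do not count)."""
    value = (text or "").strip().lstrip("+-").lstrip("0")
    return len(value) if value else 1


def check_issuer_serials(metadata_xml):
    """One record per ds:X509IssuerSerial found under an md:KeyDescriptor,
    flagging serials beyond the minimal-conformance and libxml2 limits."""
    root = ET.fromstring(metadata_xml)
    findings = []
    for kd in root.iter("{%s}KeyDescriptor" % MD):
        for iss in kd.iter("{%s}X509IssuerSerial" % DS):
            serial = iss.findtext("{%s}X509SerialNumber" % DS, "")
            digits = serial_digit_count(serial)
            findings.append({
                "issuer": iss.findtext("{%s}X509IssuerName" % DS, "").strip(),
                "digits": digits,
                "exceeds_minimal": digits > MIN_CONFORMANT_DIGITS,
                "exceeds_libxml2": digits > LIBXML2_DIGITS,
            })
    return findings


# Constructed sample: a small sequential serial and a 48-digit random-style
# serial of the kind some CAs issue to prevent sequence guessing.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509IssuerSerial><ds:X509IssuerName>CN=Example Sequential CA</ds:X509IssuerName>
        <ds:X509SerialNumber>4096</ds:X509SerialNumber></ds:X509IssuerSerial>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509IssuerSerial><ds:X509IssuerName>CN=Example Random-Serial CA</ds:X509IssuerName>
        <ds:X509SerialNumber>123456789012345678901234567890123456789012345678</ds:X509SerialNumber>
      </ds:X509IssuerSerial>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % (MD, DS)
```

Running `check_issuer_serials` over a federation's aggregate before publishing it shows which entities' KeyDescriptors would trip a minimally conformant consumer.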


Activity

Scott Cantor June 4, 2008 at 12:02 PM

http://svn.middleware.georgetown.edu/view/cpp-xmltooling?view=rev&revision=497

To avoid API changes for now, I have to pull issuer/serial out. Leaving open so I can add it back later once I can make it configurable.

Scott Cantor May 15, 2008 at 8:05 AM

Link to entertaining bug flame war appreciated. Have I mentioned I hate certs?

Fixed

Created May 15, 2008 at 7:10 AM
Updated August 13, 2008 at 11:01 AM
Resolved July 15, 2008 at 3:10 PM