long X509IssuerSerial elements cause interoperability issues
Description
The Shibboleth 2.0 SP provides a facility to generate metadata according to the configuration. This includes the X.509 certificates in use in the form of KeyDescriptor elements. At some point during development, this started to include not just the certificate data but other information, in particular the X509IssuerSerial.
This would be fine if it were not for the fact that some CAs use large random numbers as serial numbers to prevent sequence guessing. Not all XML libraries are capable of dealing with very long X509IssuerSerial elements, which are typed in XML-DSIG as integers even though "minimally conformant" XML processors only have to deal with integers up to 18 digits long. Bad XML-DSIG, no biscuit for you.
See, for example, the finger-pointing discussion at: http://bugzilla.gnome.org/show_bug.cgi?id=350248
You will see that libxml2 is more than minimally conformant, but still only deals with up to 24 characters before deciding that an X509IssuerSerial is not schema-valid. This causes interoperability issues with at least one (non-Shibboleth) consumer of metadata in the UK federation.
In order to avoid such issues in the future it would be preferable if the generated metadata didn't include long X509IssuerSerial values (not including them at all would be one option that we wouldn't object to).
I believe the code that performs this is actually around line 78 et seq of BasicX509Credential.cpp in the cpp-xmltooling project.
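As an added illustration (not Shibboleth or cpp-xmltooling code), the following Python shows the policy the report asks for: emit ds:X509Certificate always, and emit ds:X509IssuerSerial only when the decimal serial fits the 18-digit floor that minimally conforming XML Schema processors must accept. It assumes the serial number has already been extracted from the certificate as a Python int; the sample serials and issuer name are constructed.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS_NS)

# Limits taken from the issue text: minimally conforming XML Schema processors
# only have to handle integers of up to 18 digits, and libxml2 was observed to
# reject X509SerialNumber values longer than 24 characters as not schema-valid.
MIN_CONFORMING_DIGITS = 18
LIBXML2_OBSERVED_LIMIT = 24


def serial_decimal(serial):
    """Decimal text of the serial as it would appear in ds:X509SerialNumber."""
    return str(serial)


def issuer_serial_is_safe(serial, limit=MIN_CONFORMING_DIGITS):
    """True if the decimal serial (sign excluded) fits within `limit` digits."""
    return len(str(abs(serial))) <= limit


def key_info(cert_b64, issuer_name, serial):
    """Build ds:KeyInfo; include X509IssuerSerial only for short serials."""
    ki = ET.Element(f"{{{DS_NS}}}KeyInfo")
    data = ET.SubElement(ki, f"{{{DS_NS}}}X509Data")
    if issuer_serial_is_safe(serial):
        isr = ET.SubElement(data, f"{{{DS_NS}}}X509IssuerSerial")
        ET.SubElement(isr, f"{{{DS_NS}}}X509IssuerName").text = issuer_name
        ET.SubElement(isr, f"{{{DS_NS}}}X509SerialNumber").text = serial_decimal(serial)
    # The certificate itself is always enough for consumers to identify the key.
    ET.SubElement(data, f"{{{DS_NS}}}X509Certificate").text = cert_b64
    return ki


def has_issuer_serial(ki):
    """Check whether a generated KeyInfo carries an X509IssuerSerial element."""
    return ki.find(f".//{{{DS_NS}}}X509IssuerSerial") is not None


def render(ki):
    """Serialise the KeyInfo element to a string for inspection."""
    return ET.tostring(ki, encoding="unicode")


# Constructed sample values (not taken from the issue or any real CA).
SEQUENTIAL_SERIAL = 4242                                    # old-style sequential serial
RANDOM_SERIAL = 0x2F8A1C9E43B7D0156E9A3C4B8D2F1A07          # 128-bit random-style serial
SAMPLE_ISSUER = "CN=Constructed Test CA,O=Example"
SAMPLE_CERT_B64 = "MIIB...constructed-placeholder..."
```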