
X509SerialNumber schema validation fails with large serial number size #31

Closed
JanDintel opened this issue Oct 28, 2016 · 5 comments

@JanDintel

Technically this is not a bug in the gem, but this issue might be useful for people with the same problem.

The schema validation fails when using a large serial number in the X509SerialNumber element, with the following error: `Xmldsig::SchemaError: Element '{http://www.w3.org/2000/09/xmldsig#}X509SerialNumber': '47340127423095676370115142060285204180' is not a valid value of the atomic type 'xs:integer'.`

Serial numbers of an X509 certificate can be up to 20 octets long.[1] The xmldsig schema defines the X509SerialNumber element as an xs:integer type. This should be fine, since the type allows an infinite value space.[2] However, the libxml2 library bundled in nokogiri only allows a size of 24 digits when validating the xs:integer type.[3] This causes the error mentioned above.

You can work around this issue by just supplying the first 24 digits of the serial number. Are there other workarounds or solutions?

References
[1] http://stackoverflow.com/questions/15228666/xmldsig-x509serialnumber-too-large-to-be-an-int-fails-xsd-validation
[2] https://www.w3.org/TR/2001/REC-xmlschema-2-20010502/#integer
[3] https://mail.gnome.org/archives/xml/2008-March/msg00051.html
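Added example, not code from the issue or from the xmldsig gem: a small Ruby script (standard library only) that pulls the X509SerialNumber values out of an xmldsig KeyInfo fragment, applies the same 24-digit limit libxml2 imposes on xs:integer (the limit is taken from the issue text, not measured against libxml2 here), checks the serial against the 20-octet bound from RFC 5280, and shows what the "first 24 digits" workaround does to the value. The KeyInfo fragment, issuer name and the `openssl`-style hex serial are constructed for the example; the 38-digit serial is the one from the error message above.

```ruby
require "rexml/document"

XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Digit limit libxml2 applies when validating xs:integer, as reported in the
# issue and the linked libxml2 thread (assumed from that text, not measured here).
LIBXML2_MAX_INTEGER_DIGITS = 24

# RFC 5280 limits the serialNumber DER INTEGER content to 20 octets.
RFC5280_MAX_SERIAL_OCTETS = 20

# Constructed sample KeyInfo, modelled on what an IdP embeds in a signed SAML
# assertion. The serial is the 38-digit value from the error message in the issue.
SAMPLE_KEY_INFO = <<~XML
  <KeyInfo xmlns="#{XMLDSIG_NS}">
    <X509Data>
      <X509IssuerSerial>
        <X509IssuerName>CN=Example IdP,O=Example Org</X509IssuerName>
        <X509SerialNumber>47340127423095676370115142060285204180</X509SerialNumber>
      </X509IssuerSerial>
    </X509Data>
  </KeyInfo>
XML

# Extracts every X509SerialNumber text value from an xmldsig fragment.
def x509_serial_numbers(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, "//ds:X509SerialNumber", "ds" => XMLDSIG_NS)
              .map { |el| el.text.to_s.strip }
end

# Reproduces the check behind the error in the issue: the value must be a
# base-10 integer and, beyond what the schema itself requires, at most
# 24 digits long. Returns :ok, :too_long or :not_integer.
def classify_for_libxml2(serial)
  digits = serial.sub(/\A[+-]/, "")
  return :not_integer unless digits.match?(/\A\d+\z/)
  digits.length > LIBXML2_MAX_INTEGER_DIGITS ? :too_long : :ok
end

# Number of DER content octets a non-negative INTEGER needs: the magnitude
# bits plus one sign bit, rounded up to whole octets.
def der_integer_octets(value)
  (value.bit_length + 1 + 7) / 8
end

# True when the decimal serial fits the 20-octet limit RFC 5280 places on
# conforming CAs; false for negative or non-numeric input.
def rfc5280_serial?(serial)
  value = Integer(serial, 10)
  value >= 0 && der_integer_octets(value) <= RFC5280_MAX_SERIAL_OCTETS
rescue ArgumentError
  false
end

# Converts the hex form printed by `openssl x509 -noout -serial` into the
# decimal form xmldsig requires, so the value in the XML can be compared with
# the certificate actually used for signing.
def hex_serial_to_decimal(hex)
  hex.sub(/\Aserial=/i, "").sub(/\A0x/i, "").to_i(16).to_s
end

# The workaround suggested in the issue: keep only the first 24 digits. The
# result passes schema validation but no longer identifies the certificate,
# so any lookup keyed on X509IssuerSerial will miss (or match the wrong cert).
def truncate_for_libxml2(serial)
  serial[0, LIBXML2_MAX_INTEGER_DIGITS]
end

if __FILE__ == $PROGRAM_NAME
  x509_serial_numbers(SAMPLE_KEY_INFO).each do |serial|
    puts "#{serial}: libxml2=#{classify_for_libxml2(serial)} " \
         "rfc5280=#{rfc5280_serial?(serial)} " \
         "der_octets=#{der_integer_octets(Integer(serial, 10))} " \
         "truncated=#{truncate_for_libxml2(serial)}"
  end
end
```

Running it shows the point of the issue: the sample serial is a perfectly conformant 16-octet value under RFC 5280, yet it is classified `:too_long` by the libxml2 rule, and a serial can legitimately reach 49 decimal digits before it hits the RFC's 20-octet ceiling. Truncating to 24 digits makes validation pass at the cost of the issuer/serial reference no longer matching the signing certificate, which is why the issue calls it a workaround rather than a fix.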

@xlgmokha
Contributor

@JanDintel thank you very much for posting this issue. I came across this error and had a tough time trying to understand why it was happening.

Do you mind sharing how you were able to determine the root cause was libxml2 and that it only allows a size of 24 digits?

@JanDintel
Author

@mokhan I tried to look up the error message in the source code of xmldsig and nokogiri, but couldn't find it. After that I tried searching through existing issues of nokogiri, but that didn't yield any result either. At that point I was suspecting libxml2.

This led me to search the existing issues of libxml2. Eventually I stumbled upon a bug report from 12 March 2008 in the libxml2 mailing list. This bug report mentioned the root cause, where the xs:integer type is limited to handling at most 24-digit integers.

@xlgmokha
Contributor

xlgmokha commented Dec 1, 2016

A non-ideal workaround is here: https://github.com/onelogin/ruby-saml/compare/master...mokhan:x509serialnumber?expand=1

Thanks for following up @JanDintel .

@xlgmokha
Contributor

I did a short write up of how I was able to debug this here.

Also, this change was recently merged into SAML-Toolkits/ruby-saml#369.

I hope this helps! 🍰

@JanDintel
Author

I've implemented a fix for this, see pull request #41; it's released in version 0.6.4.
