X509SerialNumber schema validation fails with large serial number size #31
Comments
@JanDintel thank you very much for posting this issue. I came across this error and had a tough time trying to understand why it was happening. Do you mind sharing how you were able to determine the root cause was libxml2 and that it only allows a size of 24 digits?
@mokhan I tried to look up the error message in the source code of This led me to search the existing issues of
A non-ideal work around is here: https://github.com/onelogin/ruby-saml/compare/master...mokhan:x509serialnumber?expand=1 Thanks for following up @JanDintel .
I did a short write up of how I was able to debug this here. Also, this change was recently merged into SAML-Toolkits/ruby-saml#369. I hope this helps! 🍰
I've implemented a fix for this, see pull request #41, and it's released in version
Technically this is not a bug in the gem, but this issue might be useful for people with the same problem.

The schema validation fails when using a large serial number size in the X509SerialNumber element, with the following error:

Xmldsig::SchemaError: Element '{http://www.w3.org/2000/09/xmldsig#}X509SerialNumber': '47340127423095676370115142060285204180' is not a valid value of the atomic type 'xs:integer'.

Serial numbers of an X509 certificate can be up to 20 octets long.[1] The xmldsig schema defines the X509SerialNumber element as an xs:integer type. This should be fine, since the type allows an infinite value space.[2] However, the libxml2 library bundled in nokogiri only allows a size of 24 digits when validating the xs:integer type.[3] This causes the error mentioned above.

You can work around this issue by just supplying the first 24 digits of the serial number. Are there other workarounds or solutions?
References
[1] http://stackoverflow.com/questions/15228666/xmldsig-x509serialnumber-too-large-to-be-an-int-fails-xsd-validation
[2] https://www.w3.org/TR/2001/REC-xmlschema-2-20010502/#integer
[3] https://mail.gnome.org/archives/xml/2008-March/msg00051.html
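As an added example (not part of the issue thread, the xmldsig gem or nokogiri), the following Ruby script uses only the standard library (OpenSSL and REXML, no libxml2 involved) to build a throwaway certificate carrying the 38-digit serial from the error message above, render the X509Data fragment the way xmldsig expects it, and pre-check the serial before it reaches schema validation: whether it is a syntactically valid xs:integer, whether it exceeds the 24-digit cap the issue attributes to libxml2, and whether it matches the serial of the certificate embedded next to it. It also computes the general bound the issue only implies: a 20-octet serial can need up to 49 decimal digits. The helper names, the 24-digit constant, the RFC 5280 20-octet limit and the subject name are assumptions of the example.

```ruby
require "openssl"
require "rexml/document"
require "rexml/xpath"

# Digit cap that libxml2's xs:integer validator enforces (the limit the issue
# describes); the XML Schema type itself has no upper bound.
LIBXML2_INTEGER_MAX_DIGITS = 24

# RFC 5280 limits serialNumber to 20 octets, i.e. at most 2^160 - 1.
MAX_SERIAL_OCTETS = 20

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Largest number of decimal digits a conforming serial number can have.
def max_serial_decimal_digits
  (2**(8 * MAX_SERIAL_OCTETS) - 1).to_s.length
end

# Builds a throwaway self-signed certificate carrying the given serial number.
# Constructed test data only; the subject name is a hypothetical placeholder.
def make_cert_with_serial(serial)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.new(serial.to_s)
  name = OpenSSL::X509::Name.parse("/CN=serial-test.example")
  cert.subject = name
  cert.issuer = name
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Renders the X509Data fragment the way xmldsig expects it: the serial as a
# decimal integer, the certificate as base64-encoded DER.
def build_x509_data(cert)
  <<~XML
    <X509Data xmlns="#{DS_NS}">
      <X509IssuerSerial>
        <X509IssuerName>#{cert.issuer.to_s(OpenSSL::X509::Name::RFC2253)}</X509IssuerName>
        <X509SerialNumber>#{cert.serial.to_s}</X509SerialNumber>
      </X509IssuerSerial>
      <X509Certificate>#{[cert.to_der].pack("m0")}</X509Certificate>
    </X509Data>
  XML
end

# Inspects the X509SerialNumber in a ds:X509Data fragment before schema
# validation: is it a syntactically valid xs:integer, will the 24-digit cap
# reject it, and does it agree with the serial of the embedded certificate?
def check_x509_serial(xml)
  doc = REXML::Document.new(xml)
  ns = { "ds" => DS_NS }
  serial_text = REXML::XPath.first(doc, "//ds:X509SerialNumber", ns).text.strip
  cert_b64 = REXML::XPath.first(doc, "//ds:X509Certificate", ns).text
  cert = OpenSSL::X509::Certificate.new(cert_b64.unpack1("m"))

  digits = serial_text.sub(/\A[+-]/, "").length
  {
    digits: digits,
    valid_xs_integer: serial_text.match?(/\A[+-]?\d+\z/),
    exceeds_libxml2_limit: digits > LIBXML2_INTEGER_MAX_DIGITS,
    matches_certificate: serial_text.to_i == cert.serial.to_i,
  }
end

if __FILE__ == $PROGRAM_NAME
  # The 38-digit serial quoted in the issue's error message.
  cert = make_cert_with_serial("47340127423095676370115142060285204180")
  puts "a 20-octet serial can have up to #{max_serial_decimal_digits} digits"
  p check_x509_serial(build_x509_data(cert))
end
```

Running the script reports the issue's serial as a valid xs:integer of 38 digits that exceeds the 24-digit cap while still matching the certificate. The matches_certificate check is the one to keep around: a serial shortened to its first 24 digits still passes the validator but no longer identifies the certificate it sits next to, so a consumer that relies on X509IssuerSerial for key lookup would see a mismatch, which is why any workaround that alters the serial should be paired with such a consistency check.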