000013243 - Approving PKCS#10 requests with RSA key modulus set to a negative value

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000013243
Applies ToRSA Certificate Manager 6.7
IssueApproving PKCS#10 requests with RSA key modulus set to a negative value
RSA Certificate Manager accepts PKCS#10 requests where RSA key modulus is set to a negative value, with no warning to end-user submitting the request or to vettor/administrator approving the request.  A certificate can be issued from RSA Certificate Manager for such a PKCS#10 request.
Some applications do not accept certificates containing RSA keys with negative modulus
RFC 3447 PKCS #1: RSA Cryptography Specifications describe the RSA public key modulus and exponent components as positive integers.
RSAKeyimplementation in Java does not allow negative modulus:
Sun Developer Network site shows that JDK 5 may have been updated to allow negative modulus in existing certificates:
ResolutionRSA Certificate Manager 6.7 build 423, or later builds, show the following warning to end-users submitting PKCS#10 requests with RSA key modulus set to a negative value:  "This certificate request has been refused because it contains a RSA key with negative modulus."

Such PKCS#10 requests are automatically sent to the Refused queue.  A vettor or administrator can issue certificates for such requests in the Refused queue.  If certificates are issued, they are marked as having a negative modulus.  RSA Secure Logging Server logs issuance of certificates where RSA key has negative modulus.
NotesA negative modulus in the above context can be better described as a modulus value (which is always assumed to be a positive integer) not padded with leading 0's when its most significant bit (left-most bit) is 1.
Legacy Article IDa43707