From 874d1f7be78e0e62f8850fe175ec6efc57fa1fa1 Mon Sep 17 00:00:00 2001
From: Brian Hill
Date: Mon, 4 May 2026 11:43:46 -0400
Subject: [PATCH] Fix revoke for short (1-byte) certificate serial numbers

Idnomic's revoke SOAP API expects the serial in canonical form (no leading zeros, lowercase hex). X509Certificate2.SerialNumber returns padded uppercase hex (e.g. "05" for a 1-byte serial), which the API rejects. Normalize to "5" before submitting, with a guard so an all-zero serial doesn't trim to an empty string.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 Idnomic/IdnomicClient.cs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/Idnomic/IdnomicClient.cs b/Idnomic/IdnomicClient.cs
index 5ba12c6..25a6ba5 100644
--- a/Idnomic/IdnomicClient.cs
+++ b/Idnomic/IdnomicClient.cs
@@ -683,7 +683,10 @@ await flow.StepAsync("FetchCertificate", async () =>
 var cert = LoadCertificateFromPem(Encoding.ASCII.GetBytes(pem));
 issuer = cert.Issuer;
- serialNumber = cert.SerialNumber;
+ // Idnomic revoke API expects the canonical serial form (no leading zeros, lowercase hex).
+ // Without this normalization, short (e.g. 1-byte) serials such as "05" are rejected.
+ var canonicalSerial = cert.SerialNumber.TrimStart('0').ToLowerInvariant();
+ serialNumber = canonicalSerial.Length == 0 ? "0" : canonicalSerial;
 reason = _requestManager.GetRevokeReasonText(revocationReason);
 _logger.LogTrace("RevokeCertificate: Parsed cert. Issuer='{Issuer}', SerialNumber='{Serial}', Reason='{Reason}'",
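Review bot: The serial canonicalisation is written inline in the `FetchCertificate` step lambda, so the rule that decides whether the API accepts a revoke cannot be unit-tested on its own, and the patch adds no test. A rejected revoke leaves a certificate trusted that someone meant to withdraw. I would move the two added statements into a small private static helper and call it here as `serialNumber = CanonicalizeSerial(cert.SerialNumber);`, with cases for `"05"`, `"00"` and a multi-byte serial with a leading `"00"` byte. The trimmed lowercase value is also what the trace log below now prints, and presumably what any later reader of `serialNumber` receives, so confirm nothing downstream still matches on the padded uppercase form. The lambda body begins and ends outside this hunk.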