RFR 8239094: PKCS#9 ChallengePassword attribute does not allow for the UTF8String type
Jamil Nimeh
jamil.j.nimeh at oracle.com
Mon Feb 17 18:31:26 UTC 2020

Hello all,

This is a quick fix to our handling of the PKCS#9 challengePassword
attribute. We currently conform to 1.1 of the spec, but RFC 2985
(PKCS#9 v2.0) has the type listed as a DirectoryString, which can be
PrintableString, TeletexString, BMPString, UniversalString or
UTF8String. With this change, we'll be able to accommodate all those forms.

I also took the liberty of cleaning up a few warnings that NetBeans had
in the file, particularly the replacement of Hashtable collections with
HashMap since the former collection is obsolete and we really don't need
a thread-safe collection for something private that's only written to in
static initializers.

Last question: Does anyone think we should be including IA5String as an
allowed string encoding for challengePassword? I know it is not a
DirectoryString allowed type, but I have seen certain configurations for
OpenSSL that would make challengePasswords with characters outside the
PrintableString character set use IA5String. Other than not being in
line with the letter of the spec, I don't see the harm to allowing it
given other sources for this attribute might encode it as IA5String, and
you can't put anything in there that we wouldn't have to be able to
handle otherwise in other string encodings (e.g. UTF8String).

Right now, the review doesn't have IA5String; I'm adhering to the spec
for this initial review.

Bug: https://bugs.openjdk.java.net/browse/JDK-8239094
Webrev: https://cr.openjdk.java.net/~jnimeh/reviews/8239094/webrev.01/

Thanks,
--Jamil
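
Added example, not part of the original message or of the JDK change: a Python version of the type check discussed above. It reads the tag of a DER-encoded challengePassword value and accepts only the five DirectoryString types, with IA5String behind a hypothetical `allow_ia5` switch. The function names, the Latin-1 stand-in for TeletexString and the sample bytes are assumptions constructed here.

```python
import string

# Universal tag -> (ASN.1 type, Python codec) for RFC 2985 DirectoryString.
DIRECTORY_STRING = {
    0x0C: ("UTF8String", "utf-8"),
    0x13: ("PrintableString", "ascii"),
    0x14: ("TeletexString", "latin-1"),  # assumption: T.61 read as Latin-1
    0x1C: ("UniversalString", "utf-32-be"),
    0x1E: ("BMPString", "utf-16-be"),
}
IA5STRING = 0x16  # not a DirectoryString choice
PRINTABLE = set(string.ascii_letters + string.digits + " '()+,-./:=?")

# Constructed sample values (not taken from any real request).
SAMPLE_UTF8 = b"\x0c\x05" + "p\u00e4$$".encode("utf-8")
SAMPLE_IA5 = b"\x16\x06secr@t"

def read_tlv(der):
    """Return (tag, content) of one definite-length TLV with no trailing bytes."""
    if len(der) < 2:
        raise ValueError("truncated TLV")
    tag, first = der[0], der[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("indefinite or truncated length")
        length, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if len(der) != offset + length:
        raise ValueError("length does not match content")
    return tag, der[offset:]

def decode_challenge_password(der, allow_ia5=False):
    """Return (type_name, text); raise ValueError for a disallowed type."""
    tag, value = read_tlv(der)
    if tag == IA5STRING and allow_ia5:
        return "IA5String", value.decode("ascii")
    if tag not in DIRECTORY_STRING:
        raise ValueError(f"tag 0x{tag:02X} is not a DirectoryString type")
    name, codec = DIRECTORY_STRING[tag]
    text = value.decode(codec)  # UnicodeDecodeError is a ValueError
    if name == "PrintableString" and not set(text) <= PRINTABLE:
        raise ValueError("character outside the PrintableString set")
    return name, text

if __name__ == "__main__":
    print(decode_challenge_password(SAMPLE_UTF8))
    print(decode_challenge_password(SAMPLE_IA5, allow_ia5=True))
```

With the default `allow_ia5=False`, the IA5String sample is rejected, which matches the spec-only behaviour the message describes for the initial review.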