RFR 8239094: PKCS#9 ChallengePassword attribute does not allow for the UTF8String type

Jamil Nimeh jamil.j.nimeh at oracle.com
Mon Feb 17 18:31:26 UTC 2020


Hello all,

This is a quick fix to our handling of the PKCS#9 challengePassword 
attribute.  We currently conform to 1.1 of the spec, but RFC 2985 
(PKCS#9 v2.0) has the type listed as a DirectoryString, which can be 
PrintableString, TeletexString, BMPString, UniversalString or 
UTF8String.  With this change, we'll be able to accommodate all those forms.

I also took the liberty of cleaning up a few warnings that NetBeans had 
in the file, particularly the replacement of HashTable collections with 
HashMap since the former collection is obsolete and we really don't need 
a thread-safe collection for something private that's only written to in 
static initializers.

Last question: Does anyone think we should be including IA5String as an 
allowed string encoding for challengePassword?  I know it is not a 
DirectoryString allowed type, but I have seen certain configurations for 
OpenSSL that would make challengePasswords with characters outside the 
PrintableString character set use IA5String.  Other than not being in 
line with the letter of the spec, I don't see the harm to allowing it 
given other sources for this attribute might encode it as IA5String, and 
you can't put anything in there that we wouldn't have to be able to 
handle otherwise in other string encodings (e.g. UTF8String).

Right now, the review doesn't have IA5String, I'm adhering to the spec 
for this initial review.

Bug: https://bugs.openjdk.java.net/browse/JDK-8239094
Webrev: https://cr.openjdk.java.net/~jnimeh/reviews/8239094/webrev.01/


Thanks,

--Jamil


More information about the security-dev mailing list