RFR 8239094: PKCS#9 ChallengePassword attribute does not allow for the UTF8String type

Xuelei Fan xuelei.fan at oracle.com
Mon Feb 17 22:54:01 UTC 2020


On 2/17/2020 10:31 AM, Jamil Nimeh wrote:
> Hello all,
> 
> This is a quick fix to our handling of the PKCS#9 challengePassword 
> attribute.  We currently conform to 1.1 of the spec, but RFC 2985 
> (PKCS#9 v2.0) has the type listed as a DirectoryString, which can be 
> PrintableString, TeletexString, BMPString, UniversalString or 
> UTF8String.  With this change, we'll be able to accommodate all those 
> forms.
> 
> I also took the liberty of cleaning up a few warnings that NetBeans had 
> in the file, particularly the replacement of HashTable collections with 
> HashMap since the former collection is obsolete and we really don't need 
> a thread-safe collection for something private that's only written to in 
> static initializers.
> 
> Last question: Does anyone think we should be including IA5String as an 
> allowed string encoding for challengePassword?  I know it is not a 
> DirectoryString allowed type, but I have seen certain configurations for 
> OpenSSL that would make challengePasswords with characters outside the 
> PrintableString character set use IA5String.  Other than not being in 
> line with the letter of the spec, I don't see the harm to allowing it 
> given other sources for this attribute might encode it as IA5String, and 
> you can't put anything in there that we wouldn't have to be able to 
> handle otherwise in other string encodings (e.g. UTF8String).
> 
As IA5String is not included in the DirectoryString definition, I'm not 
sure if there are any potential ASN.1 encoding/decoding problems if it 
is included.  I may not add it for now until there is a request.

> Right now, the review doesn't have IA5String, I'm adhering to the spec 
> for this initial review.
> 
> Bug: https://bugs.openjdk.java.net/browse/JDK-8239094
> Webrev: https://cr.openjdk.java.net/~jnimeh/reviews/8239094/webrev.01/
> 
It looks fine to me.

Thanks,
Xuelei


More information about the security-dev mailing list