RFR 8239094: PKCS#9 ChallengePassword attribute does not allow for the UTF8String type
Jamil Nimeh
jamil.j.nimeh at oracle.com
Tue Feb 18 17:56:14 UTC 2020
Code review updated to integrate changes from JDK-8239264:
https://cr.openjdk.java.net/~jnimeh/reviews/8239094/webrev.02/
Thanks,
--Jamil
On 2/17/20 10:31 AM, Jamil Nimeh wrote:
> Hello all,
>
> This is a quick fix to our handling of the PKCS#9 challengePassword
> attribute. We currently conform to 1.1 of the spec, but RFC 2985
> (PKCS#9 v2.0) has the type listed as a DirectoryString, which can be
> PrintableString, TeletexString, BMPString, UniversalString or
> UTF8String. With this change, we'll be able to accommodate all those
> forms.
>
> I also took the liberty of cleaning up a few warnings that NetBeans
> had in the file, particularly the replacement of HashTable collections
> with HashMap since the former collection is obsolete and we really
> don't need a thread-safe collection for something private that's only
> written to in static initializers.
>
> Last question: Does anyone think we should be including IA5String as
> an allowed string encoding for challengePassword? I know it is not a
> DirectoryString allowed type, but I have seen certain configurations
> for OpenSSL that would make challengePasswords with characters outside
> the PrintableString character set use IA5String. Other than not being
> in line with the letter of the spec, I don't see the harm in allowing
> it given other sources for this attribute might encode it as
> IA5String, and you can't put anything in there that we wouldn't have
> to be able to handle otherwise in other string encodings (e.g.
> UTF8String).
>
> Right now, the review doesn't have IA5String; I'm adhering to the spec
> for this initial review.
>
> Bug: https://bugs.openjdk.java.net/browse/JDK-8239094
> Webrev: https://cr.openjdk.java.net/~jnimeh/reviews/8239094/webrev.01/
>
>
> Thanks,
>
> --Jamil
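As an added illustration (not code from the webrev or the JDK), the following Python decoder handles the challengePassword value the way the thread describes: it accepts every DirectoryString form, admits IA5String only when explicitly allowed, and checks a PrintableString's content against the PrintableString character set rather than trusting the tag alone. The DER tag numbers and the PrintableString set are those of X.680/X.690; the function names and the short-form-only encoder are this example's own.

```python
# PKCS#9 challengePassword (RFC 2985) value: a DirectoryString, i.e. a CHOICE of
# five string types, each with its own DER tag and encoding. Constructed, not JDK code.
# DER universal tag -> (ASN.1 type, Python codec used to decode its content)
DIRECTORY_STRING_TAGS = {
    0x0C: ("UTF8String", "utf-8"),
    0x13: ("PrintableString", "ascii"),
    0x14: ("TeletexString", "latin-1"),  # T.61 approximated as Latin-1 here
    0x1C: ("UniversalString", "utf-32-be"),
    0x1E: ("BMPString", "utf-16-be"),
}
IA5_TAG = 0x16  # IA5String: not a DirectoryString type, but some OpenSSL configs emit it
PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                "0123456789 '()+,-./:=?")

def _read_length(der: bytes, i: int):
    """Parse a DER definite length at der[i]; return (length, index of content)."""
    first = der[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or len(der) < i + 1 + n:
        raise ValueError("invalid or truncated DER length")
    return int.from_bytes(der[i + 1:i + 1 + n], "big"), i + 1 + n

def decode_directory_string(der: bytes, allow_ia5: bool = False):
    """Decode one DER string value into (ASN.1 type name, text); reject other tags."""
    if len(der) < 2:
        raise ValueError("truncated DER value")
    tag = der[0]
    length, start = _read_length(der, 1)
    if start + length != len(der):
        raise ValueError("length does not match content")
    if tag == IA5_TAG and allow_ia5:  # off-spec form, accepted only on request
        name, codec = "IA5String", "ascii"
    elif tag in DIRECTORY_STRING_TAGS:
        name, codec = DIRECTORY_STRING_TAGS[tag]
    else:
        raise ValueError(f"tag 0x{tag:02x} is not a DirectoryString type")
    text = der[start:].decode(codec)
    if name == "PrintableString" and not set(text) <= PRINTABLE:  # tag alone is not proof
        raise ValueError("PrintableString contains characters outside its set")
    return name, text

def encode_directory_string(text: str) -> bytes:
    """Encode as PrintableString when its character set allows, else UTF8String."""
    tag, content = (0x13, text.encode("ascii")) if set(text) <= PRINTABLE else (0x0C, text.encode("utf-8"))
    if len(content) >= 0x80:  # this example encoder emits short-form lengths only
        raise ValueError("password too long for this short-form encoder")
    return bytes([tag, len(content)]) + content
```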