RFR 8239094: PKCS#9 ChallengePassword attribute does not allow for the UTF8String type

Jamil Nimeh jamil.j.nimeh at oracle.com
Tue Feb 18 17:56:14 UTC 2020

Code review updated to integrate changes from JDK-8239264:




On 2/17/20 10:31 AM, Jamil Nimeh wrote:
> Hello all,
> This is a quick fix to our handling of the PKCS#9 challengePassword 
> attribute.  We currently conform to 1.1 of the spec, but RFC 2985 
> (PKCS#9 v2.0) has the type listed as a DirectoryString, which can be 
> PrintableString, TeletexString, BMPString, UniversalString or 
> UTF8String.  With this change, we'll be able to accommodate all those 
> forms.
> I also took the liberty of cleaning up a few warnings that NetBeans 
> had in the file, particularly the replacement of HashTable collections 
> with HashMap since the former collection is obsolete and we really 
> don't need a thread-safe collection for something private that's only 
> written to in static initializers.
> Last question: Does anyone think we should be including IA5String as 
> an allowed string encoding for challengePassword?  I know it is not a 
> DirectoryString allowed type, but I have seen certain configurations 
> for OpenSSL that would make challengePasswords with characters outside 
> the PrintableString character set use IA5String.  Other than not being 
> in line with the letter of the spec, I don't see the harm to allowing 
> it given other sources for this attribute might encode it as 
> IA5String, and you can't put anything in there that we wouldn't have 
> to be able to handle otherwise in other string encodings (e.g. 
> UTF8String).
> Right now, the review doesn't have IA5String, I'm adhering to the spec 
> for this initial review.
> Bug: https://bugs.openjdk.java.net/browse/JDK-8239094
> Webrev: https://cr.openjdk.java.net/~jnimeh/reviews/8239094/webrev.01/
> Thanks,
> --Jamil
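The DirectoryString handling discussed in the quoted message, as an added example written for this page rather than code from the JDK webrev: it decodes a challengePassword value under any of the five RFC 2985 alternatives, rejects every other tag (IA5String included, as the initial review does), and encodes a value as PrintableString or UTF8String. The DER byte strings in the checks are constructed, and mapping TeletexString to latin-1 is an approximation assumed for illustration.

```python
# Added example, not from the JDK webrev: handle a PKCS#9 challengePassword value
# as the RFC 2985 DirectoryString CHOICE and reject every other tag (IA5String too).
DIRECTORY_STRING_CODECS = {  # DER universal tag -> Python codec per alternative
    0x0C: "utf-8",      # UTF8String
    0x13: "ascii",      # PrintableString (ASCII subset; membership not enforced here)
    0x14: "latin-1",    # TeletexString / T61String (latin-1 is an approximation)
    0x1C: "utf-32-be",  # UniversalString
    0x1E: "utf-16-be",  # BMPString
}
PRINTABLE_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")
def _read_tlv(der: bytes) -> tuple:
    """Split one DER TLV into (tag, content); handles short and long length forms."""
    if len(der) < 2:
        raise ValueError("truncated DER")
    tag, first = der[0], der[1]
    if first < 0x80:                      # short form: one length octet
        length, offset = first, 2
    else:                                 # long form: 0x8N then N length octets
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length octets")
        length, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if offset + length != len(der):
        raise ValueError("DER length does not match the data")
    return tag, der[offset:]

def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def decode_challenge_password(der: bytes) -> str:
    """Return the password text; ValueError for any tag outside DirectoryString."""
    tag, content = _read_tlv(der)
    if tag not in DIRECTORY_STRING_CODECS:
        raise ValueError(f"tag 0x{tag:02X} is not a DirectoryString alternative")
    return content.decode(DIRECTORY_STRING_CODECS[tag])

def is_directory_string_value(der: bytes) -> bool:
    try:
        return isinstance(decode_challenge_password(der), str)
    except (ValueError, UnicodeDecodeError):
        return False

def encode_challenge_password(value: str) -> bytes:
    """Emit PrintableString when every character allows it, otherwise UTF8String."""
    tag = b"\x13" if set(value) <= PRINTABLE_CHARS else b"\x0c"
    data = value.encode("ascii" if tag == b"\x13" else "utf-8")
    return tag + _der_length(len(data)) + data
```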
