Incorrect encoding of PKCS12 bag attributes
Sean Mullan
sean.mullan at oracle.com
Thu Jul 29 14:05:34 UTC 2021
Are you calling the PKCS12Attribute(String, String) constructor from
your code? That API currently specifies that String values are encoded
as UTF-8, so we could not change the behavior without a specification
change. Can you use the PKCS12Attribute(byte[]) constructor instead
which takes a DER-encoded value?
--Sean
On 6/14/21 3:21 PM, Osipov, Michael (LDA IT PLM) wrote:
> Folks,
>
> can someone confirm the following bug or tell me I am too stupid to read
> the RFCs:
>
> I have recently created a PKCS12-based trust store and had one CA from
> Hungary with non-ASCII chars in the subject's CN RDN.
>
> RFC 7292 for friendlyName refers to RFC 2985, section 5.5.1:
>>
>> friendlyName ATTRIBUTE ::= {
>> WITH SYNTAX BMPString (SIZE(1..pkcs-9-ub-friendlyName))
>> EQUALITY MATCHING RULE caseIgnoreMatch
>> SINGLE VALUE TRUE
>> ID pkcs-9-at-friendlyName
>> }
>
> So a BMPString -- which is UCS-2 encoding. Looking at [1] shows that
> Java ignores the RFC and always creates an UTF8String regardless of the
> attribute OID, thus breaking the semantics of friendlyName.
>
> Who's wrong here?
>
> For some strange reason OpenSSL does it in a similar fashion:
> In pkcs12.h.in:
> > # define PKCS12_add_friendlyname PKCS12_add_friendlyname_utf8
> where the function contains:
>> if (X509at_add1_attr_by_NID(&bag->attrib, NID_friendlyName,
>> MBSTRING_UTF8, (unsigned char *)name, namelen) != NULL)
>
>
> [1]
> https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.base/share/classes/java/security/PKCS12Attribute.java#L230-L245
>
> Regards,
>
> Michael
>
More information about the security-dev
mailing list