Incorrect encoding of PKCS12 bag attributes

Osipov, Michael (LDA IT PLM) michael.osipov at siemens.com
Mon Jun 14 19:21:49 UTC 2021


Folks,

can someone confirm the following bug or tell me I am too stupid to read 
the RFCs:

I have recently created a PKCS12-based trust store and had one CA from 
Hungary with non-ASCII chars in the subject's CN RDN.

RFC 7292 for friendlyName refers to RFC 2985, section 5.5.1:
> 
>    friendlyName ATTRIBUTE ::= {
>            WITH SYNTAX BMPString (SIZE(1..pkcs-9-ub-friendlyName))
>            EQUALITY MATCHING RULE caseIgnoreMatch
>            SINGLE VALUE TRUE
>            ID pkcs-9-at-friendlyName
>    }

So a BMPString -- which is UCS-2 encoding. Looking at [1] shows that 
Java ignores the RFC and always creates an UTF8String regardless of the 
attribute OID, thus breaking the semantics of friendlyName.

Who's wrong here?

For some strange reason OpenSSL does it in a similar fashion:
In pkcs12.h.in:
 > # define PKCS12_add_friendlyname PKCS12_add_friendlyname_utf8
where the function contains:
> if (X509at_add1_attr_by_NID(&bag->attrib, NID_friendlyName,
>                                 MBSTRING_UTF8, (unsigned char *)name, namelen) != NULL)


[1] 
https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.base/share/classes/java/security/PKCS12Attribute.java#L230-L245

Regards,

Michael



More information about the security-dev mailing list