Case-sensitive Keystore for PKCS#12
Michael StJohns
mstjohns at comcast.net
Wed Jul 13 19:19:24 UTC 2022
On 7/13/2022 7:38 AM, Ravi Patel8 wrote:
> We have a customer who has a security requirement. He wants to know whether it is possible to have case-sensitive support for PKCS#12. We referred to the RFCs for PKCS#12 and found that PKCS#12 uses a case-insensitive alias: the alias name is mapped to the friendlyName attribute, which is specified with "caseIgnoreMatch", as below.
>
> friendlyName ATTRIBUTE ::= {
>     WITH SYNTAX BMPString (SIZE(1..pkcs-9-ub-friendlyName))
>     EQUALITY MATCHING RULE caseIgnoreMatch
>     SINGLE VALUE TRUE
>     ID pkcs-9-at-friendlyName
> }
>
> The RFCs can be found here:
> https://datatracker.ietf.org/doc/html/rfc7292
> https://datatracker.ietf.org/doc/html/rfc2985#page-19
>
> The JKS key store (case-insensitive alias) has a special version (CaseExactJKS) that uses case-sensitive aliases.
> So, similarly, would it be acceptable to have a case-sensitive version of PKCS#12, CaseExactPKCS12, which would use case-sensitive aliases?
Not quite. Not if you're using friendlyName as the alias, which the JDK
implementations do. You could define another attribute - something
like this:
caseAliasName ATTRIBUTE ::= {
    WITH SYNTAX UniversalString (SIZE(1..newvalue))
    EQUALITY MATCHING RULE id-mr-caseExactMatch
    SINGLE VALUE TRUE
    ID newoid
}
and implement your own version of the pkcs12 key store provider that
understood this and used the caseAliasName as the alias for the KeyStore
entry instead of friendlyName.
Mike
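As an added illustration of the behaviour discussed in this thread (example code written for this page, not code from the thread or from the JDK), the program below shows the JDK "PKCS12" KeyStore provider folding aliases to lower case: two entries named "Alice" and "alice" collapse into one, lookups in any case resolve to the same entry, and the lower-cased alias is what survives a store/load round trip. It uses SecretKeyEntry so that no certificate has to be generated; the key bytes, the password and the class name are constructed placeholders.

```java
// Added example, not from the thread or the JDK: demonstrates that the JDK
// PKCS12 KeyStore provider treats aliases case-insensitively.
// Key material and password below are placeholders constructed for the demo.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class Pkcs12AliasCase {

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();      // placeholder password
        KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection(pw);

        // Two distinct AES keys so we can tell which one a lookup returns.
        SecretKey first = new SecretKeySpec(new byte[16], "AES");
        byte[] otherBytes = new byte[16];
        otherBytes[0] = 1;
        SecretKey second = new SecretKeySpec(otherBytes, "AES");

        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                       // fresh in-memory store

        // Same name in two spellings: the second call replaces the first.
        ks.setEntry("Alice", new KeyStore.SecretKeyEntry(first), prot);
        ks.setEntry("alice", new KeyStore.SecretKeyEntry(second), prot);

        System.out.println("entry count: " + ks.size());
        List<String> aliases = Collections.list(ks.aliases());
        System.out.println("aliases as stored: " + aliases);

        // A lookup in yet another spelling still hits the single entry,
        // and the key it returns is the one written last.
        SecretKey got = (SecretKey) ks.getKey("ALICE", pw);
        boolean isSecond = Arrays.equals(got.getEncoded(), second.getEncoded());
        System.out.println("getKey(\"ALICE\") returned the second key: " + isSecond);

        // Serialize to PKCS#12 DER and load it back: the alias the provider
        // exposes after reload is the lower-cased form, so the original
        // casing is not recoverable from the file.
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, pw);
        KeyStore reloaded = KeyStore.getInstance("PKCS12");
        reloaded.load(new ByteArrayInputStream(out.toByteArray()), pw);
        System.out.println("aliases after reload: " + Collections.list(reloaded.aliases()));
        System.out.println("containsAlias(\"Alice\") after reload: " + reloaded.containsAlias("Alice"));
    }
}
```

Compile and run with `javac Pkcs12AliasCase.java && java Pkcs12AliasCase`. The security-relevant consequence is the silent overwrite: an application that believes "Alice" and "alice" are two separate entries will lose the first key without any error, and a lookup by either name will hand back whichever entry was written last. A provider that keyed entries on a case-exact attribute, as suggested above, would keep both.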