Case-sensitive Keystore for PKCS#12
Michael StJohns
mstjohns at comcast.net
Wed Jul 13 21:20:24 UTC 2022
On 7/13/2022 3:26 PM, Xuelei Fan wrote:
> Is it possible make it in the application layer? For example, mapping case-sensitive name to case-in-sensitive name before calling into the standard KeyStore APIs. It may be not good to break the standards for corner cases?
>
> Xuelei
Hi Xuelei -
It wouldn't actually be breaking the PKCS12 spec - the addition of more
attributes is part of the standard. Nor, given the CaseExactJKS
implementation, would it be breaking the JDK spec AFAICT. There is this
in the KeyStore javadoc:
> Whether aliases are case sensitive is implementation dependent. In
> order to avoid problems, it is recommended not to use aliases in a
> KeyStore that only differ in case.
The approach you suggest wouldn't work, because you couldn't store one
key with "MikesKey" and another with "MIKESKEY" in the Keystore.
Hmm - let me rephrase that slightly. You could use this approach, but
not in the way you suggested. Instead, you'd need a transform from a
String to a unique string that you could use inside the key store. The
actual alias within the keystore would be the unique string.
One way of doing that: Lowercase the string. Prepend the string with a
2 character length field. Post pend the string with a hex field of
CEIL(length/16) characters, each hex character representing 16 bits that
indicate the case of the string.
e.g. "Mike" -> "04mike8"
Just a thought - Mike
>
>> On Jul 13, 2022, at 4:38 AM, Ravi Patel8 <Ravi.Patel8 at ibm.com> wrote:
>>
>> We have a customer who is having a security requirement. He wants to know, Is it possible to have case-sensitive support for PKCS#12? We referred the RFCs for PKCS#12. We found that PKCS#12 uses a case in-sensitive alias and the alias Name is mapped with friendlyName attribute, which is specified as "caseIgnoreMatch" as below.
>>
>> friendlyName ATTRIBUTE ::= {
>> WITH SYNTAX BMPString (SIZE(1..pkcs-9-ub-friendlyName))
>> EQUALITY MATCHING RULE caseIgnoreMatch
>> SINGLE VALUE TRUE
>> ID pkcs-9-at-friendlyName
>> }
>>
>> The RFCs can be found here:
>> https://datatracker.ietf.org/doc/html/rfc7292
>> https://datatracker.ietf.org/doc/html/rfc2985#page-19
>>
>> The JKS key store(case in-sensitive alias) has a special version (CaseExactJKS) that uses case sensitive aliases.
>> So similarly, Will it be acceptable to have a case sensitive version of PKCS#12 as CaseExactPKCS12 which will use case sensitive aliases?
More information about the security-dev
mailing list