Case-sensitive Keystore for PKCS#12

Michael StJohns mstjohns at comcast.net
Wed Jul 13 21:20:24 UTC 2022


On 7/13/2022 3:26 PM, Xuelei Fan wrote:
> Is it possible to make it in the application layer?  For example, mapping the case-sensitive name to a case-insensitive name before calling into the standard KeyStore APIs.  It may not be good to break the standards for corner cases?
>
> Xuelei

Hi Xuelei -

It wouldn't actually be breaking the PKCS12 spec - the addition of more 
attributes is part of the standard.  Nor, given the CaseExactJKS 
implementation, would it be breaking the JDK spec AFAICT.  There is this 
in the KeyStore javadoc:

> Whether aliases are case sensitive is implementation dependent. In 
> order to avoid problems, it is recommended not to use aliases in a 
> KeyStore that only differ in case.

The approach you suggest wouldn't work, because you couldn't store one 
key with "MikesKey" and another with "MIKESKEY" in the Keystore.

Hmm - let me rephrase that slightly.  You could use this approach, but 
not in the way you suggested.  Instead, you'd need a transform from a 
String to a unique string that you could use inside the key store.  The 
actual alias within the keystore would be the unique string.

One way of doing that: Lowercase the string.  Prepend the string with a 
2 character length field.  Postpend the string with a hex field of 
CEIL(length/16) characters, each hex character representing 16 bits that 
indicate the case of the string.

e.g. "Mike" -> "04mike8"

Just a thought - Mike

>
>> On Jul 13, 2022, at 4:38 AM, Ravi Patel8 <Ravi.Patel8 at ibm.com> wrote:
>>
>> We have a customer who has a security requirement. He wants to know: is it possible to have case-sensitive support for PKCS#12? We referred to the RFCs for PKCS#12. We found that PKCS#12 uses a case-insensitive alias and the alias name is mapped to the friendlyName attribute, which is specified as "caseIgnoreMatch" as below.
>>
>> friendlyName ATTRIBUTE ::= {
>>            WITH SYNTAX BMPString (SIZE(1..pkcs-9-ub-friendlyName))
>>            EQUALITY MATCHING RULE caseIgnoreMatch
>>            SINGLE VALUE TRUE
>>            ID pkcs-9-at-friendlyName
>>    }
>>
>> The RFCs can be found here:
>> https://datatracker.ietf.org/doc/html/rfc7292
>> https://datatracker.ietf.org/doc/html/rfc2985#page-19
>>
>> The JKS key store (case-insensitive alias) has a special version (CaseExactJKS) that uses case-sensitive aliases.
>> So similarly, will it be acceptable to have a case-sensitive version of PKCS#12 as CaseExactPKCS12 which will use case-sensitive aliases?
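
Mike's alias transform, worked through as an added example in Java; this is not JDK code and not code from anyone in the thread. It assumes a two-hex-digit length field and one hex digit per four characters, with each bit flagging an upper-case character (most significant bit first), which is what the "04mike8" example implies; `CaseExactAlias`, `encode` and `decode` are hypothetical names.

```java
import java.util.Locale;

/** Hypothetical transform from a case-sensitive alias to a unique lowercase keystore alias. */
public final class CaseExactAlias {

    /** Encode: 2 hex digits of length + lowercased body + one hex digit of case bits per 4 chars. */
    public static String encode(String alias) {
        int len = alias.length();
        if (len == 0 || len > 0xFF) {
            throw new IllegalArgumentException("alias length must be 1..255");
        }
        String body = alias.toLowerCase(Locale.ROOT);
        if (body.length() != len) { // e.g. U+0130 lowercases to two chars; cannot be reversed
            throw new IllegalArgumentException("alias case cannot be represented: " + alias);
        }
        StringBuilder out = new StringBuilder(String.format(Locale.ROOT, "%02x", len)).append(body);
        int nibbles = (len + 3) / 4;
        for (int n = 0; n < nibbles; n++) {
            int bits = 0;
            for (int i = 0; i < 4; i++) {            // "Mike" -> 1000b -> "8"
                int idx = n * 4 + i;
                bits = (bits << 1) | ((idx < len && Character.isUpperCase(alias.charAt(idx))) ? 1 : 0);
            }
            out.append(Character.forDigit(bits, 16)); // lowercase hex, so the keystore's own folding is a no-op
        }
        String encoded = out.toString();
        if (!decode(encoded).equals(alias)) {        // reject anything whose case does not round-trip (e.g. 'ß')
            throw new IllegalArgumentException("alias case cannot be represented: " + alias);
        }
        return encoded;
    }

    /** Decode: reverse of encode; throws on a malformed stored alias. */
    public static String decode(String stored) {
        int len = Integer.parseInt(stored.substring(0, 2), 16);
        String body = stored.substring(2, 2 + len);
        String hex = stored.substring(2 + len);
        if (hex.length() != (len + 3) / 4) {
            throw new IllegalArgumentException("malformed alias: " + stored);
        }
        StringBuilder out = new StringBuilder(len);
        for (int idx = 0; idx < len; idx++) {
            int nibble = Character.digit(hex.charAt(idx / 4), 16);
            if (nibble < 0) throw new IllegalArgumentException("malformed alias: " + stored);
            boolean upper = ((nibble >> (3 - idx % 4)) & 1) == 1;
            char c = body.charAt(idx);
            out.append(upper ? Character.toUpperCase(c) : c);
        }
        return out.toString();
    }
}
```

Because the stored form contains only lowercase letters, digits and lowercase hex, a keystore that folds aliases to lowercase leaves it unchanged, so "MikesKey" and "MIKESKEY" map to distinct stored aliases that decode back exactly.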
