<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">Hi Ravi - <br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Not speaking for the openjdk folk, I
would expect you would be better off implementing this as an
external KeyStore provider yourself as I would guess there isn't a
broad demand for something that meets your requirements at this
point.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Later, Mike</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 7/20/2022 6:39 AM, Ravi Patel8
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:BN7PR15MB2321C89DF26D49D1C42AE215A58E9@BN7PR15MB2321.namprd15.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css" style="display:none;">P {margin-top:0;margin-bottom:0;}</style>
<div class="elementToProof"
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
Hi Mike and <span style="font-size:14.6667px;
background-color:rgb(255,255,255); display:inline!important">Xuelei,<br>
<br>
</span></div>
<div class="elementToProof"
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<span style="font-size:14.6667px;
background-color:rgb(255,255,255); display:inline!important"><span
style="font-size:16px;background-color:rgb(255, 255,
255);display:inline !important">Thank you for the suggested
solutions with an added attribute and a new provider. Do you
think it is something that could be contributed to the JDK,
or do you suggest this should be taken up as an external
provider?</span><br>
</span></div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>From:</b> Ravi
Patel8 <a class="moz-txt-link-rfc2396E" href="mailto:Ravi.Patel8@ibm.com"><Ravi.Patel8@ibm.com></a><br>
<b>Sent:</b> Thursday, July 14, 2022 6:26 PM<br>
<b>To:</b> Xuelei Fan <a class="moz-txt-link-rfc2396E" href="mailto:xuelei.f@gmail.com"><xuelei.f@gmail.com></a>; Michael
StJohns <a class="moz-txt-link-rfc2396E" href="mailto:mstjohns@comcast.net"><mstjohns@comcast.net></a><br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:security-dev@openjdk.org">security-dev@openjdk.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:security-dev@openjdk.org"><security-dev@openjdk.org></a><br>
<b>Subject:</b> Re: [EXTERNAL] Re: Case-sensitive Keystore for
PKCS#12</font>
<div class="elementToProof"> </div>
</div>
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)" class="elementToProof">
Thank you for the suggested solutions with an added attribute
and a new provider. Do you think it is something that could be
contributed to the JDK, or do you suggest this should be taken
up as an external provider?<br>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
class="elementToProof" face="Calibri, sans-serif"
color="#000000"><b>From:</b> security-dev
<a class="moz-txt-link-rfc2396E" href="mailto:security-dev-retn@openjdk.org"><security-dev-retn@openjdk.org></a> on behalf of Xuelei
Fan <a class="moz-txt-link-rfc2396E" href="mailto:xuelei.f@gmail.com"><xuelei.f@gmail.com></a><br>
<b>Sent:</b> Thursday, July 14, 2022 3:10 AM<br>
<b>To:</b> Michael StJohns <a class="moz-txt-link-rfc2396E" href="mailto:mstjohns@comcast.net"><mstjohns@comcast.net></a><br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:security-dev@openjdk.org">security-dev@openjdk.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:security-dev@openjdk.org"><security-dev@openjdk.org></a><br>
<b>Subject:</b> [EXTERNAL] Re: Case-sensitive Keystore for
PKCS#12</font>
<div> </div>
</div>
<div class="x_BodyFragment"><font size="2"><span
style="font-size:11pt">
<div class="x_PlainText elementToProof"><br>
<br>
> On Jul 13, 2022, at 2:20 PM, Michael StJohns
<a class="moz-txt-link-rfc2396E" href="mailto:mstjohns@comcast.net"><mstjohns@comcast.net></a> wrote:<br>
> <br>
> On 7/13/2022 3:26 PM, Xuelei Fan wrote:<br>
>> Is it possible to make it in the application
layer? For example, mapping a case-sensitive name to a
case-insensitive name before calling into the standard
KeyStore APIs. It may not be good to break the
standards for corner cases?<br>
>> <br>
>> Xuelei<br>
> <br>
> Hi Xuelei -<br>
> <br>
> It wouldn't actually be breaking the PKCS12 spec -
the addition of more attributes is part of the standard.<br>
I agreed it could not break the PKCS12 spec. I referred to
the friendlyName spec in PKCS12. An additional
attribute could be used for the case-insensitive name
support. But there is a need to define and support the
attribute in the KeyStore implementation, just as you
described in your previous reply.<br>
<br>
<br>
> Nor, given the CaseExactJKS implementation, would
it be breaking the JDK spec AFAICT. There is this in
the KeyStore javadoc:<br>
> <br>
>> Whether aliases are case sensitive is
implementation dependent. In order to avoid problems, it
is recommended not to use aliases in a KeyStore that
only differ in case.
<br>
> The approach you suggest wouldn't work, because you
couldn't store one key with "MikesKey" and another with
"MIKESKEY" in the Keystore.<br>
> <br>
<br>
I did not mean to cover that case. It may be fine to
use a map, in which “MikesKey” may be mapped to
“mikeskey-1000100”, and MIKESKEY to
“mikeskey-0000000”, or something else like you
described below ("Mike" -> "04mike8").<br>
<br>
Xuelei<br>
<br>
<br>
> Hmm - let me rephrase that slightly. You could use
this approach, but not in the way you suggested.
Instead, you'd need a transform from a String to a
unique string that you could use inside the key store.
The actual alias within the keystore would be the unique
string.<br>
> <br>
> One way of doing that: Lowercase the string.
Prepend the string with a 2-character length field.
Postpend the string with a hex field of CEIL(length/16)
characters, each hex character representing 16 bits that
indicate the case of the string.<br>
> <br>
> e.g. "Mike" -> "04mike8"<br>
> <br>
> Just a thought - Mike<br>
> <br>
>> <br>
>>> On Jul 13, 2022, at 4:38 AM, Ravi Patel8
<a class="moz-txt-link-rfc2396E" href="mailto:Ravi.Patel8@ibm.com"><Ravi.Patel8@ibm.com></a> wrote:<br>
>>> <br>
>>> We have a customer who has a security
requirement. He wants to know: is it possible to have
case-sensitive support for PKCS#12? We referred to the RFCs
for PKCS#12. We found that PKCS#12 uses a
case-insensitive alias and the alias name is mapped to the
friendlyName attribute, which is specified as
"caseIgnoreMatch" as below.<br>
>>> <br>
>>> friendlyName ATTRIBUTE ::= {<br>
>>> WITH SYNTAX BMPString
(SIZE(1..pkcs-9-ub-friendlyName))<br>
>>> EQUALITY MATCHING RULE
caseIgnoreMatch<br>
>>> SINGLE VALUE TRUE<br>
>>> ID pkcs-9-at-friendlyName<br>
>>> }<br>
>>> <br>
>>> The RFCs can be found here:<br>
>>> <a
href="https://datatracker.ietf.org/doc/html/rfc7292"
data-auth="NotApplicable" moz-do-not-send="true"
class="moz-txt-link-freetext">https://datatracker.ietf.org/doc/html/rfc7292</a>
<br>
>>> <a
href="https://datatracker.ietf.org/doc/html/rfc2985#page-19"
data-auth="NotApplicable" moz-do-not-send="true"
class="moz-txt-link-freetext">https://datatracker.ietf.org/doc/html/rfc2985#page-19</a>
<br>
>>> <br>
>>> The JKS key store (case-insensitive alias)
has a special version (CaseExactJKS) that uses
case-sensitive aliases.<br>
>>> So similarly, will it be acceptable to have
a case-sensitive version of PKCS#12, CaseExactPKCS12,
which will use case-sensitive aliases?<br>
> <br>
> <br>
<br>
</div>
</span></font></div>
</div>
</blockquote>
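<p>The application-layer alias transform discussed in the quoted thread, worked through as an added example (this is not code from the thread or from the JDK). It follows the worked example "Mike" -&gt; "04mike8": the alias is lowercased, a two-digit length is prepended, and one hex digit per four characters is appended whose bits record which characters were upper case. The class name <code>CaseExactAlias</code>, the 99-character limit implied by the two-digit length field, the reversibility check, and the zero-byte demo keys with a placeholder password are all assumptions of this example.</p>

```java
import java.security.KeyStore;
import java.util.Collections;
import java.util.Locale;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example, not JDK code: a reversible case-preserving alias transform in the
 * style sketched in the thread. The alias is lowercased, a two-digit length is
 * prepended, and one hex digit per four characters is appended whose bits record
 * which characters were upper case ("Mike" -> "04mike8"). The encoded form contains
 * only lowercase letters, digits and the alias's own non-letter characters, so a
 * store that compares aliases case-insensitively cannot merge two aliases that
 * differ only in case, and aliases() hands the encoded string back unchanged.
 */
public final class CaseExactAlias {

    /** The two-digit length field bounds the alias length (assumption of this example). */
    private static final int MAX_LEN = 99;

    private CaseExactAlias() {}

    /** Encode a case-sensitive alias into a string safe for a case-insensitive store. */
    public static String encode(String alias) {
        if (alias.isEmpty() || alias.length() > MAX_LEN) {
            throw new IllegalArgumentException("alias must be 1.." + MAX_LEN + " characters");
        }
        StringBuilder lower = new StringBuilder(alias.length());
        StringBuilder caseBits = new StringBuilder();
        int nibble = 0;
        for (int i = 0; i < alias.length(); i++) {
            char c = alias.charAt(i);
            char lc = Character.toLowerCase(c);
            // Refuse characters whose case cannot be restored by toUpperCase (e.g. U+0130),
            // otherwise decode(encode(x)) would silently differ from x.
            if (lc != c && Character.toUpperCase(lc) != c) {
                throw new IllegalArgumentException("case of '" + c + "' is not reversible");
            }
            lower.append(lc);
            nibble = (nibble << 1) | (lc != c ? 1 : 0);   // first char of a group is the high bit
            if (i % 4 == 3) {
                caseBits.append(Character.forDigit(nibble, 16));
                nibble = 0;
            }
        }
        int rem = alias.length() % 4;
        if (rem != 0) {
            // Left-align a trailing partial group so "M" in "Mike" still yields 1000b = 8.
            caseBits.append(Character.forDigit(nibble << (4 - rem), 16));
        }
        return String.format(Locale.ROOT, "%02d", alias.length()) + lower + caseBits;
    }

    /** Invert encode(): "04mike8" -> "Mike". */
    public static String decode(String encoded) {
        int len = Integer.parseInt(encoded.substring(0, 2));
        String lower = encoded.substring(2, 2 + len);
        String caseBits = encoded.substring(2 + len);
        if (caseBits.length() != (len + 3) / 4) {
            throw new IllegalArgumentException("malformed case field in " + encoded);
        }
        StringBuilder out = new StringBuilder(len);
        for (int i = 0; i < len; i++) {
            int nibble = Character.digit(caseBits.charAt(i / 4), 16);
            if (nibble < 0) {
                throw new IllegalArgumentException("non-hex case digit in " + encoded);
            }
            boolean upper = ((nibble >> (3 - i % 4)) & 1) == 1;
            char c = lower.charAt(i);
            out.append(upper ? Character.toUpperCase(c) : c);
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo entries: zero key bytes and a placeholder password, for illustration only.
        KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection("changeit".toCharArray());
        KeyStore.SecretKeyEntry first = new KeyStore.SecretKeyEntry(new SecretKeySpec(new byte[16], "AES"));
        KeyStore.SecretKeyEntry second = new KeyStore.SecretKeyEntry(new SecretKeySpec(new byte[16], "AES"));

        // Raw PKCS12 aliases: "MikesKey" and "MIKESKEY" are the same entry to a case-insensitive store.
        KeyStore raw = KeyStore.getInstance("PKCS12");
        raw.load(null, null);
        raw.setEntry("MikesKey", first, prot);
        raw.setEntry("MIKESKEY", second, prot);
        System.out.println("raw aliases stored:     " + raw.size());

        // Transformed aliases: both entries survive, and the stored string decodes back to the original.
        KeyStore wrapped = KeyStore.getInstance("PKCS12");
        wrapped.load(null, null);
        wrapped.setEntry(encode("MikesKey"), first, prot);
        wrapped.setEntry(encode("MIKESKEY"), second, prot);
        System.out.println("encoded aliases stored: " + wrapped.size());
        for (String stored : Collections.list(wrapped.aliases())) {
            System.out.println("  " + stored + " -> " + decode(stored));
        }
    }
}
```

<p>With a PKCS12 provider that treats aliases case-insensitively, as the thread describes, the first store ends up holding one entry and the second holds two ("08mikeskey84" and "08mikeskeyff"), each decoding back to the alias the application supplied. Two design points carry the weight here: the suffix uses only digits and lowercase hex, so the provider's own lowercasing is a no-op on the encoded string, and the encoder refuses any character whose case cannot be restored rather than producing an alias that decodes to something else. The cost of doing this in the application layer rather than in a provider is interoperability: any other tool that opens the .p12 file sees the encoded names, not the original ones.</p>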
<p><br>
</p>
</body>
</html>