openssl pkcs12 -export -in _.pem -nodes -out _.p12

generates PFX DER data with MacData in which the empty password is used incorrectly, violating the following quote from Chapter B, section B.2, item 3 of the PKCS#12 standard [1]:

"Note that if the password is the empty string, then so is P."

However, I verified that openssl uses the 2-byte BMPString "00 00" in hex notation when preparing a string to be hashed. The correct implementation is to use a zero-length BMPString for an empty password.

I believe that openssl can read the correct formatting of PKCS#12, i.e. it understands both formats, so the problem is limited to export.

Another name for this problem is 'NULL vs. ""'.

[1] ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf

Thank you.

The tail of the make report is attached. I didn't attach the whole thing, since I think the issue is a design issue.

...
OpenSSL self-test report:

OpenSSL version:  0.9.8d
Last change:      Introduce limits to prevent malicious keys being able t...
Options:          -mcpu=pentium no-camellia no-gmp no-krb5 no-mdc2 no-rc5 no-shared no-zlib no-zlib-dynamic
OS (uname):       Linux tcm 2.6.18-mh1aj #8 PREEMPT Sun Sep 24 00:26:08 PDT 2006 i686 i686 i386 GNU/Linux
OS (config):      i686-whatever-linux2
Target (default): linux-elf
Target:           linux-elf
Compiler:         Using built-in specs.
Target: i386-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-libgcj-multifile --enable-languages=c,c++,objc,obj-c++,java,fortran,ada --enable-java-awt=gtk --disable-dssi --with-java-home=/usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/jre --with-cpu=generic --host=i386-redhat-linux
Thread model: posix
gcc version 4.1.0 20060304 (Red Hat 4.1.0-3)

Test passed.
Test report in file testlog

I also filed http://rt.openssl.org/Ticket/Display.html?ShowHeaders=1&id=1496 first by mistake.