Stephen Henson via RT wrote:
[EMAIL PROTECTED] - Fri Mar 02 09:58:13 2007]:

    openssl pkcs12 -export -in _.pem -nodes -out _.p12

generates PFX DER data with MacData in which the empty password is used incorrectly, violating the following quote from Chapter B, section B.2, item 3 of the PKCS#12 standard [1]:

"Note that if the password is the empty string, then so is P."

However, I verified that openssl uses the 2-byte BMPString "00 00" (in hex notation) when preparing the string to be hashed. The correct implementation is to use a zero-length BMPString for an empty password.

I believe that openssl can read the correct formatting of PKCS#12, i.e. it understands both formats, so the problem is limited to export. Another name for this problem is 'NULL vs. ""'.

[1] ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf


As I recall this was a compatibility issue. A zero-length password is
interpreted as a valid password by some implementations resulting in a
double NULL but as empty by others. OpenSSL chose the option for maximum
interoperability.

On parsing a file it does try both versions and uses whichever produces
the correct MAC.

Thank you for the reply.

Would it be time to reconsider the issue and perhaps use the correct format, given that many applications that expected the incorrect format, Internet Explorer for example, have since been fixed?

Thank you.
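The two encodings under discussion, as an added example that is not part of this thread or of OpenSSL's code: a Python implementation of the PKCS#12 password-to-BMPString conversion and the Appendix B.2 key derivation (assumed here to use SHA-1, as in the default openssl pkcs12 output of that era), deriving the MacData key with ID byte 3 and then checking a MAC both ways, as the lenient parser described above does. The salt, iteration count and content bytes are constructed sample values, not taken from any real PFX file.

```python
import hashlib
import hmac
import math


def pkcs12_password_bmp(password: str, empty_as_two_zero_bytes: bool = False) -> bytes:
    """Encode a password as the PKCS#12 'P' string: UTF-16BE plus a 2-byte NUL terminator.

    Per PKCS#12 Appendix B.2 item 3, an empty password yields an empty P.
    With empty_as_two_zero_bytes=True the function instead emits the bare
    2-byte "00 00" terminator, the encoding the thread says openssl exports.
    """
    if password == "":
        return b"\x00\x00" if empty_as_two_zero_bytes else b""
    return password.encode("utf-16-be") + b"\x00\x00"


def pkcs12_kdf(password_bmp: bytes, salt: bytes, id_byte: int,
               iterations: int, n: int, hash_name: str = "sha1") -> bytes:
    """PKCS#12 Appendix B.2 key derivation, returning n bytes of key material.

    id_byte: 1 = encryption key, 2 = IV, 3 = MAC key.
    """
    h = hashlib.new(hash_name)
    u = h.digest_size          # hash output length
    v = h.block_size           # hash input block length
    D = bytes([id_byte]) * v   # "diversifier"

    def expand(x: bytes) -> bytes:
        # Repeat x to the next multiple of v bytes; an empty input stays empty.
        if not x:
            return b""
        target = math.ceil(len(x) / v) * v
        return (x * (target // len(x) + 1))[:target]

    I = bytearray(expand(salt) + expand(password_bmp))
    out = b""
    for _ in range(math.ceil(n / u)):
        A = hashlib.new(hash_name, D + bytes(I)).digest()
        for _ in range(iterations - 1):
            A = hashlib.new(hash_name, A).digest()
        B = (A * (v // u + 1))[:v]
        B_plus_one = int.from_bytes(B, "big") + 1
        # I_j = (I_j + B + 1) mod 2^(8v) for each v-byte block of I
        for j in range(0, len(I), v):
            I_j = int.from_bytes(I[j:j + v], "big")
            I[j:j + v] = ((I_j + B_plus_one) % (1 << (8 * v))).to_bytes(v, "big")
        out += A
    return out[:n]


def pkcs12_mac(content: bytes, password: str, salt: bytes, iterations: int,
               empty_as_two_zero_bytes: bool = False) -> bytes:
    """HMAC-SHA1 over the authSafe content with the KDF-derived MAC key (ID 3)."""
    key = pkcs12_kdf(pkcs12_password_bmp(password, empty_as_two_zero_bytes),
                     salt, 3, iterations, hashlib.sha1().digest_size)
    return hmac.new(key, content, hashlib.sha1).digest()


def verify_mac_either_encoding(content: bytes, password: str, salt: bytes,
                               iterations: int, mac: bytes):
    """Mirror the lenient parse behaviour: accept whichever encoding verifies.

    Returns "empty-P", "two-zero-bytes", or None if neither MAC matches.
    """
    for two_zero in (False, True):
        candidate = pkcs12_mac(content, password, salt, iterations, two_zero)
        if hmac.compare_digest(candidate, mac):
            return "two-zero-bytes" if two_zero else "empty-P"
    return None


# Constructed sample values (hypothetical, not from a real PFX file)
SAMPLE_SALT = bytes(range(8))
SAMPLE_ITER = 2048
SAMPLE_CONTENT = b"constructed authSafe content bytes"

if __name__ == "__main__":
    strict = pkcs12_mac(SAMPLE_CONTENT, "", SAMPLE_SALT, SAMPLE_ITER)
    lenient = pkcs12_mac(SAMPLE_CONTENT, "", SAMPLE_SALT, SAMPLE_ITER, True)
    print("empty P      :", strict.hex())
    print("2-byte 00 00 :", lenient.hex())
    print("verifier says:", verify_mac_either_encoding(SAMPLE_CONTENT, "", SAMPLE_SALT, SAMPLE_ITER, lenient))
```

Because the two encodings of the empty password produce different key material, a MacData written under one cannot be verified by a strict reader expecting the other; the `verify_mac_either_encoding` fallback is what keeps both kinds of file readable, at the cost of one extra KDF run.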
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]