> [EMAIL PROTECTED] - Fri Mar 02 09:58:13 2007]:
>
> openssl pkcs12 -export -in _.pem -nodes -out _.p12
>
> generates PFX DER data with MacData in which the empty password is used
> incorrectly, violating the following quote from Chapter B, section B.2, item
> 3 of the PKCS#12 standard [1]:
>
> "Note that if the password is the empty string, then so is P."
>
> However, I verified that openssl uses the 2-byte BMPString "00 00" (hex
> notation) when preparing the string to be hashed. The correct implementation is
> to use a zero-length BMPString for an empty password.
>
> I believe that openssl can read the correct formatting of PKCS#12, i.e. it
> understands both formats, so the problem is limited to export. Another
> name for this problem is ' NULL vs. "" '.
>
> [1] ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf
As I recall, this was a compatibility issue. A zero-length password is interpreted as a valid password by some implementations, resulting in a double NULL, but as empty by others. OpenSSL chose the option for maximum interoperability. On parsing a file it does try both versions and uses whichever produces the correct MAC.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
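As an added illustration (not code from the thread or from OpenSSL), the following Python sketch implements the PKCS#12 Appendix B.2 derivation with SHA-1, shows the two encodings of the empty password the report contrasts (zero-length P versus the 2-byte "00 00" terminator), and mirrors the reader-side behaviour the reply describes: try both encodings and accept whichever reproduces the MAC. The salt and iteration count are constructed sample values; function names are my own.

```python
import hashlib
import hmac
V = 64  # SHA-1 input block size in bytes ("v" in PKCS#12 Appendix B)
U = 20  # SHA-1 output size in bytes ("u")
# Constructed sample values (not from the thread): 8-byte salt, 2048 iterations.
SALT, ITERS = bytes.fromhex("0102030405060708"), 2048

def bmp_password(password: str, nul_only_for_empty: bool) -> bytes:
    """Appendix B.1 encoding: UTF-16BE (BMPString) plus a 2-byte NUL terminator.
    For "" the spec makes P empty; the writer behaviour in the report emits just 00 00."""
    if password == "":
        return b"\x00\x00" if nul_only_for_empty else b""
    return password.encode("utf-16-be") + b"\x00\x00"

def _expand(s: bytes) -> bytes:
    """Concatenate copies of s up to a multiple of V bytes; empty stays empty."""
    if not s:
        return b""
    target = -(-len(s) // V) * V
    return (s * (target // len(s) + 1))[:target]

def pkcs12_kdf(pw: bytes, salt: bytes, id_byte: int, iters: int, n: int) -> bytes:
    """Appendix B.2 derivation with SHA-1; ID byte 3 yields the MAC key."""
    d = bytes([id_byte]) * V
    i_buf = bytearray(_expand(salt) + _expand(pw))
    out = b""
    for _ in range(-(-n // U)):
        a = hashlib.sha1(d + i_buf).digest()
        for _ in range(iters - 1):
            a = hashlib.sha1(a).digest()
        out += a
        b_plus_1 = int.from_bytes(_expand(a), "big") + 1
        for j in range(0, len(i_buf), V):  # I_j = (I_j + B + 1) mod 2^(8V)
            blk = (int.from_bytes(i_buf[j:j + V], "big") + b_plus_1) % (1 << (8 * V))
            i_buf[j:j + V] = blk.to_bytes(V, "big")
    return out[:n]

def mac_key(password: str, salt: bytes, iters: int, nul_only_for_empty: bool) -> bytes:
    return pkcs12_kdf(bmp_password(password, nul_only_for_empty), salt, 3, iters, U)

def pfx_mac(data: bytes, key: bytes) -> bytes:
    """MacData digest: HMAC-SHA1 over the authSafe content with the derived key."""
    return hmac.new(key, data, hashlib.sha1).digest()

def verify_both_ways(data: bytes, salt: bytes, iters: int, mac: bytes, password: str = ""):
    """Reader-side tolerance as in the reply: return the convention that reproduces the MAC."""
    for label, flag in (("zero-length", False), ("nul-terminated", True)):
        if hmac.compare_digest(pfx_mac(data, mac_key(password, salt, iters, flag)), mac):
            return label
    return None
```

The two conventions only diverge for the empty password; for any non-empty password both produce the same BMPString and therefore the same MAC key.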