Thanks Stephen. I was not aware other implementations used both forms. What if OpenSSL implemented one of these options:

1) Don't change p12_key.c. Don't change the default behavior of pkcs8.c. But at least add a command line option to pkcs8.c (-stdemptypw) to be standard-compliant (make P empty).

2) Don't change p12_key.c. Change the default behavior of pkcs8.c to be standard-compliant. And add a command line option to pkcs8.c (-brokenemptypw) to force the broken behavior (make P an array of 2 NUL bytes).

3) Change p12_key.c to handle a NULL or "" password identically. In both cases, the code would try to automatically figure out how to decrypt the data. If it fails with an empty P, it would try with P being 2 NUL bytes.

I am willing to submit a patch for any option.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
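
The two empty-password forms and the fallback order of option 3, as an added example that is not part of the original message and is not OpenSSL code. It implements the RFC 7292 appendix B.2 derivation with SHA-1 and, as an assumption, uses a PKCS#12-style HMAC check to decide whether a form "worked"; `detect_empty_form` and the sample values are hypothetical.

```python
import hashlib
import hmac

V, U = 64, 20  # SHA-1 block size and digest size, in bytes

def _fill(data):
    """Repeat data to a whole number of V-byte blocks (empty stays empty)."""
    if not data:
        return b""
    n = V * ((len(data) + V - 1) // V)
    return (data * (n // len(data) + 1))[:n]

def pkcs12_kdf(p, salt, id_byte, iterations, n):
    """RFC 7292 appendix B.2 derivation with SHA-1; p is the already-encoded P."""
    d = bytes([id_byte]) * V
    i_buf = _fill(salt) + _fill(p)
    out = b""
    while len(out) < n:
        a = d + i_buf
        for _ in range(iterations):
            a = hashlib.sha1(a).digest()
        out += a
        b = int.from_bytes(_fill(a), "big") + 1
        i_buf = b"".join(
            ((int.from_bytes(i_buf[j:j + V], "big") + b) % (1 << 8 * V)).to_bytes(V, "big")
            for j in range(0, len(i_buf), V))
    return out[:n]

# The two encodings of an empty password discussed in the message.
EMPTY_FORMS = [("empty P", b""), ("two NUL bytes", b"\x00\x00")]

def detect_empty_form(content, salt, iterations, mac):
    """Option 3 style fallback: try empty P first, then P = 2 NUL bytes."""
    for name, p in EMPTY_FORMS:
        key = pkcs12_kdf(p, salt, 3, iterations, U)  # ID 3 = MAC key material
        if hmac.compare_digest(hmac.new(key, content, hashlib.sha1).digest(), mac):
            return name
    return None

# Constructed sample: a MAC produced by a writer that used the 2-NUL-byte form.
SALT, ITER, CONTENT = bytes(range(8)), 2048, b"constructed sample content"
_key = pkcs12_kdf(b"\x00\x00", SALT, 3, ITER, U)
SAMPLE_MAC = hmac.new(_key, CONTENT, hashlib.sha1).digest()

if __name__ == "__main__":
    print(detect_empty_form(CONTENT, SALT, ITER, SAMPLE_MAC))
```

Because the two forms produce different I buffers (one block of salt versus salt plus a block of zero bytes), the derived keys differ, which is why a reader has to try both.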