In message <8ee45344-9bfc-44f9-9db2-c384f7645...@akamai.com> on Mon, 11 Jun
2018 15:25:23 +0000, "Salz, Rich" <rs...@akamai.com> said:
rsalz> > *must* do when getting '-pass8bit' is to do a naïve UTF-8 encode of
rsalz> the input pass phrase string. PKCS12_generate_mac() will then decode
rsalz>
rsalz> I disagree.
rsalz>
rsalz> There are two reasons why users enter "illegal" passwords now,
rsalz> and by now requiring them to make it explicit we can (a) check
rsalz> only for ASCII on current inputs; (b) make them thing about
rsalz> what they're doing and require them to specify; (c) set the
rsalz> expectation that something will change in the future.
[btw, PKCS12_gen_mac(), not PKCS12_generate_mac()]
So wait, if the user enters this:
openssl pkcs12 -export -in foo.pem -out foo.p12 \
-pass8bit -password pass:`echo 72c3a46b61 | xxd -r -p`
... then it seems "natural" that the user would expect the resulting
BMPString to become this set of bytes, right?
0x00, 0x72, 0x00, 0xc3, 0x00, 0xa4, 0x00, 0x6b, 0x00, 0x61, 0x00, 0x00
However, what's going to happen is that PKCS12_gen_mac() will generate
this for a BMPString:
0x00, 0x72, 0x00, 0xe4, 0x00, 0x6b, 0x00, 0x61, 0x00, 0x00
Why? Because the input pass phrase can be interpreted as a UTF-8
encoded string, and PKCS12_gen_mac() will decode it thusly.
>From a user interface point of view, I would fine such behavior very
surprising, and not at all what I'd expect for a flag named '-pass8bit'
Cheers,
Richard
--
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
_______________________________________________
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project
