On 7/13/2022 7:38 AM, Ravi Patel8 wrote:
We have a customer who has a security requirement. He wants to know: is it possible
to have case-sensitive support for PKCS#12? We referred to the RFCs for PKCS#12. We found
that PKCS#12 uses a case-insensitive alias, and the alias name is mapped to the
friendlyName attribute, which is specified with "caseIgnoreMatch" as below.
friendlyName ATTRIBUTE ::= {
    WITH SYNTAX BMPString (SIZE(1..pkcs-9-ub-friendlyName))
    EQUALITY MATCHING RULE caseIgnoreMatch
    SINGLE VALUE TRUE
    ID pkcs-9-at-friendlyName
}
The RFCs can be found here:
https://datatracker.ietf.org/doc/html/rfc7292
https://datatracker.ietf.org/doc/html/rfc2985#page-19
The JKS key store (case-insensitive alias) has a special version
(CaseExactJKS) that uses case-sensitive aliases.
So, similarly, will it be acceptable to have a case-sensitive version of PKCS#12,
CaseExactPKCS12, which will use case-sensitive aliases?
Not quite. Not if you're using friendlyName as the alias, which the JDK
implementations do. You could define another attribute - something
like this:
caseAliasName ATTRIBUTE ::= {
    WITH SYNTAX UniversalString (SIZE(1..newvalue))
    EQUALITY MATCHING RULE id-mr-caseExactMatch
    SINGLE VALUE TRUE
    ID newoid
}
and implement your own version of the pkcs12 key store provider that
understood this and used the caseAliasName as the alias for the KeyStore
entry instead of friendlyName.
Mike
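The practical consequence of the caseIgnoreMatch rule discussed above, shown as an added example (not code from either poster or from the JDK): the JDK's PKCS12 KeyStore folds aliases to lower case, so two aliases that differ only in case name the same entry, and a store can never hold them as distinct entries. The program stores a SecretKeyEntry under "ServerKey", writes the store to a byte array, reads it back and checks the alias in several spellings; the class name, the alias and the all-zero AES key bytes are constructed for the demonstration. It needs only the standard JDK.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.util.Collections;
import java.util.List;
import javax.crypto.spec.SecretKeySpec;

public class Pkcs12AliasCaseDemo {

    // Builds a PKCS#12 store with one secret-key entry under the alias
    // "ServerKey" (mixed case on purpose) and returns the serialized bytes.
    static byte[] buildStore(char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                       // start with an empty store
        SecretKeySpec key = new SecretKeySpec(new byte[16], "AES"); // constructed demo key
        ks.setEntry("ServerKey",
                new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(password));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }

    // Reloads the store and returns the aliases exactly as the KeyStore
    // reports them; the JDK PKCS12 implementation reports them lower-cased.
    static List<String> storedAliases(byte[] p12, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(p12), password);
        return Collections.list(ks.aliases());
    }

    // True if every spelling resolves to the entry: the alias lookup is
    // case-insensitive, matching friendlyName's caseIgnoreMatch rule.
    static boolean lookupIgnoresCase(byte[] p12, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(p12), password);
        return ks.containsAlias("ServerKey")
                && ks.containsAlias("serverkey")
                && ks.containsAlias("SERVERKEY");
    }

    // Adds a second entry whose alias differs only in case and returns the
    // resulting entry count. Because aliases are folded, the second setEntry
    // replaces the first instead of creating a distinct entry, so this is 1.
    static int entriesAfterCaseVariant(byte[] p12, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(p12), password);
        SecretKeySpec other = new SecretKeySpec(new byte[32], "AES"); // constructed second key
        ks.setEntry("SERVERKEY",
                new KeyStore.SecretKeyEntry(other),
                new KeyStore.PasswordProtection(password));
        return ks.size();
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "demo-password".toCharArray();  // constructed for the example
        byte[] p12 = buildStore(pw);
        System.out.println("aliases as stored : " + storedAliases(p12, pw));      // [serverkey]
        System.out.println("lookup ignores case: " + lookupIgnoresCase(p12, pw)); // true
        System.out.println("entries after SERVERKEY: " + entriesAfterCaseVariant(p12, pw)); // 1
    }
}
```

The last check is the one worth keeping in mind when reviewing code that relies on aliases for authorization or key selection: an application that writes "Alice" and "alice" into a PKCS#12 store, expecting two keys, silently ends up with one, and the same folding applies to any lookup. That is exactly why a case-exact variant cannot be layered on friendlyName and would need a differently specified attribute, as the reply explains.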