Re: Case-sensitive Keystore for PKCS#12

Wed, 13 Jul 2022 14:21:22 -0700 

On 7/13/2022 3:26 PM, Xuelei Fan wrote:

Is it possible make it in the application layer?  For example, mapping 
case-sensitive name to case-in-sensitive name before calling into the standard 
KeyStore APIs.  It may be not good to break the standards for corner cases?

Xuelei


Hi Xuelei -
It wouldn't actually be breaking the PKCS12 spec - the addition of more attributes is part of the standard.  Nor, given the CaseExactJKS implementation, would it be breaking the JDK spec AFAICT.  There is this in the KeyStore javadoc:
Whether aliases are case sensitive is implementation dependent. In order to avoid problems, it is recommended not to use aliases in a KeyStore that only differ in case.
The approach you suggest wouldn't work, because you couldn't store one key with "MikesKey" and another with "MIKESKEY" in the Keystore.
Hmm - let me rephrase that slightly.  You could use this approach, but not in the way you suggested.  Instead, you'd need a transform from a String to a unique string that you could use inside the key store.  The actual alias within the keystore would be the unique string.
One way of doing that: Lowercase the string.  Prepend the string with a 2 character length field.   Post pend the string with a hex field of CEIL(length/16) characters, each hex character representing 16 bits that indicate the case of the string. 

e.g. "Mike" -> "04mike8"

Just a thought - Mike




On Jul 13, 2022, at 4:38 AM, Ravi Patel8 <ravi.pat...@ibm.com> wrote:

We have a customer who is having a security requirement. He wants to know, Is it possible 
to have case-sensitive support for PKCS#12? We referred the RFCs for PKCS#12. We found 
that PKCS#12 uses a case in-sensitive alias and the alias Name is mapped with 
friendlyName attribute, which is specified as  "caseIgnoreMatch" as below.

friendlyName ATTRIBUTE ::= {
           WITH SYNTAX BMPString (SIZE(1..pkcs-9-ub-friendlyName))
           EQUALITY MATCHING RULE caseIgnoreMatch
           SINGLE VALUE TRUE
           ID pkcs-9-at-friendlyName
   }

The RFCs can be found here:
https://datatracker.ietf.org/doc/html/rfc7292
https://datatracker.ietf.org/doc/html/rfc2985#page-19

The JKS key store(case in-sensitive alias)  has a special version 
(CaseExactJKS) that uses case sensitive aliases.
So similarly, Will it be acceptable to have a case sensitive version of PKCS#12 
as CaseExactPKCS12 which will use case sensitive aliases?

Reply via email to