[openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl
David Woodhouse
dwmw2 at infradead.org
Wed Nov 23 21:10:26 UTC 2016
> On Tue, 2016-11-22 at 15:49 +0000, David Woodhouse wrote:
>> On Tue, 2016-11-22 at 16:14 +0100, Richard Levitte wrote:
>> > The more interesting part is when it tries to load files it guesses
>> > are raw DER. It's currently only trying a few chosen content
>> > types,
>> > I'm happy to add more as time goes. However, I suspect that
>> > nothing
>> > in your test suite will trigger that part.
>>
>> There's a selection of .der and .p12 files there too.
>>
>> Adding non-ASCII passwords and running in different locales (and
>> stress-testing both the old and the new PKCS#12 BMPstring bugs) is
>> still on my TODO list.
>
> Locales is not the only thing you have to worry about. UTF-8 and UTF-16
> can express the same string in various (different) ways, so they cannot
> be directly used as passwords. I have recently added RFC7613
> "normalization" to gnutls, to address the differences.
>
> https://lists.gnupg.org/pipermail/gnutls-devel/2016-November/008240.html
Right. You normalise to NFC, yes? That's what my draft recommends. It's a
shame that PKCS#12 doesn't *mandate* that... but hey, at least it does
better than PKCS#8 :)
--
dwmw2
More information about the openssl-dev
mailing list