Will a PKCS#12 safeContentsBag change affect anyone?


Richard Levitte - VMS Whacker-2
Since the dawn of time, it seems that OpenSSL has had an incorrect
implementation of safeContentsBag.  The current RFC defines it as
follows:

    SafeContents ::= SEQUENCE OF SafeBag
   
    safeContentsBag BAG-TYPE ::=
         {SafeContents        IDENTIFIED BY {bagtypes 6}}

However, the OpenSSL implementation is this:

     ASN1_ADB(PKCS12_SAFEBAG) = {
             ADB_ENTRY(NID_keyBag, ASN1_EXP(PKCS12_SAFEBAG, value.keybag, PKCS8_PRIV_KEY_INFO, 0)),
             ADB_ENTRY(NID_pkcs8ShroudedKeyBag, ASN1_EXP(PKCS12_SAFEBAG, value.shkeybag, X509_SIG, 0)),
             ADB_ENTRY(NID_safeContentsBag, ASN1_EXP_SET_OF(PKCS12_SAFEBAG, value.safes, PKCS12_SAFEBAG, 0)),
             ADB_ENTRY(NID_certBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)),
             ADB_ENTRY(NID_crlBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)),
             ADB_ENTRY(NID_secretBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0))
     } ASN1_ADB_END(PKCS12_SAFEBAG, 0, type, 0, &safebag_default_tt, NULL);

Note ASN1_EXP_SET_OF, i.e. it's implemented as a SET OF, rather than a
SEQUENCE OF.  See https://github.com/openssl/openssl/issues/6665 for
the discussion that we've had so far.

A fix is already on the way, but there's the question if this will
affect anyone.  As far as the voices on github say so far, this
particular bag appears to be unused...  so that's the question we want
to ask you; has anyone here used this particular bag and will
therefore be affected by a change, or do you know anyone who will?

Cheers,
Richard

--
Richard Levitte         [hidden email]
OpenSSL Project         http://www.openssl.org/~levitte/
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
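To make the SET OF versus SEQUENCE OF distinction concrete, here is an added Python example (not OpenSSL's code and not part of the original post). It builds a safeContentsBag either the way RFC 7292 specifies (SEQUENCE OF SafeBag, outer tag 0x30) or the way the ASN1_EXP_SET_OF template above encodes it (SET OF SafeBag, outer tag 0x31), then walks the DER to report which form a given bag uses. The OIDs are the real bagtypes arcs; the child bags carry constructed placeholder values instead of real PrivateKeyInfo structures, and the minimal TLV helpers are assumptions of this example rather than any library API.

```python
# Added example: minimal DER construction and inspection of a PKCS#12
# safeContentsBag, showing the SEQUENCE OF (RFC 7292) vs SET OF (old
# OpenSSL template) encodings. Not OpenSSL code.

# bagtypes = 1.2.840.113549.1.12.10.1 ; keyBag = bagtypes 1, safeContentsBag = bagtypes 6
OID_KEY_BAG = bytes.fromhex("2a864886f70d010c0a0101")
OID_SAFE_CONTENTS_BAG = bytes.fromhex("2a864886f70d010c0a0106")

TAG_SEQUENCE = 0x30
TAG_SET = 0x31


def der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """One DER tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def safe_bag(bag_oid: bytes, inner: bytes) -> bytes:
    """SafeBag ::= SEQUENCE { bagId OBJECT IDENTIFIER, bagValue [0] EXPLICIT ANY }"""
    return tlv(TAG_SEQUENCE, tlv(0x06, bag_oid) + tlv(0xA0, inner))


def safe_contents_bag(children, as_set_of: bool) -> bytes:
    """Wrap child SafeBags in a safeContentsBag.

    as_set_of=False -> SEQUENCE OF SafeBag, tag 0x30 (RFC 7292).
    as_set_of=True  -> SET OF SafeBag, tag 0x31 (the ASN1_EXP_SET_OF template).
    DER requires SET OF members sorted by their encoding, so the SET OF form
    cannot preserve the caller's bag order; the SEQUENCE OF form does.
    """
    if as_set_of:
        return safe_bag(OID_SAFE_CONTENTS_BAG, tlv(TAG_SET, b"".join(sorted(children))))
    return safe_bag(OID_SAFE_CONTENTS_BAG, tlv(TAG_SEQUENCE, b"".join(children)))


def describe_bag(encoded: bytes) -> dict:
    """Parse one SafeBag; for a safeContentsBag, report how its value is encoded."""
    tag, seq, _ = read_tlv(encoded)
    if tag != TAG_SEQUENCE:
        raise ValueError("SafeBag must be a SEQUENCE")
    oid_tag, oid, pos = read_tlv(seq)
    if oid_tag != 0x06:
        raise ValueError("bagId must be an OBJECT IDENTIFIER")
    ctx_tag, value, _ = read_tlv(seq, pos)
    if ctx_tag != 0xA0:
        raise ValueError("bagValue must be [0] EXPLICIT")
    if oid != OID_SAFE_CONTENTS_BAG:
        return {"bag": "other", "oid": oid.hex()}
    inner_tag, inner, _ = read_tlv(value)
    encoding = {TAG_SEQUENCE: "SEQUENCE OF", TAG_SET: "SET OF"}.get(inner_tag, "unknown")
    count, pos = 0, 0
    while pos < len(inner):  # count the nested SafeBags without decoding them
        _, _, pos = read_tlv(inner, pos)
        count += 1
    return {
        "bag": "safeContentsBag",
        "encoding": encoding,
        "rfc7292_conformant": inner_tag == TAG_SEQUENCE,
        "nested_bags": count,
    }


# Constructed sample: two keyBags whose bagValue is a placeholder OCTET STRING
# rather than a real PrivateKeyInfo (enough to exercise the nesting).
SAMPLE_CHILDREN = [
    safe_bag(OID_KEY_BAG, tlv(0x04, b"placeholder-key-1")),
    safe_bag(OID_KEY_BAG, tlv(0x04, b"placeholder-key-2")),
]
RFC_FORM = safe_contents_bag(SAMPLE_CHILDREN, as_set_of=False)
LEGACY_FORM = safe_contents_bag(SAMPLE_CHILDREN, as_set_of=True)

if __name__ == "__main__":
    print("RFC 7292 form   :", describe_bag(RFC_FORM))
    print("old OpenSSL form:", describe_bag(LEGACY_FORM))
```

A decoder written strictly to the RFC will reject the 0x31-tagged value, and the pre-fix OpenSSL decoder will reject the 0x30-tagged one; that is the interoperability question the post is asking about, and `describe_bag` is the kind of check you would run over existing .p12 files to find out whether any of them actually carry this bag.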