> On Tue, 2016-11-22 at 15:49 +0000, David Woodhouse wrote:
>> On Tue, 2016-11-22 at 16:14 +0100, Richard Levitte wrote:
>> > The more interesting part is when it tries to load files it guesses
>> > are raw DER.  It's currently only trying a few chosen content
>> > types, I'm happy to add more as time goes.  However, I suspect that
>> > nothing in your test suite will trigger that part.
>>
>> There's a selection of .der and .p12 files there too.
>>
>> Adding non-ASCII passwords and running in different locales (and
>> stress-testing both the old and the new PKCS#12 BMPstring bugs) is
>> still on my TODO list.
>
> Locales is not the only thing you have to worry about. UTF-8 and UTF-16
> can express the same string in various (different) ways, so they cannot
> be directly used as passwords. I have recently added RFC7613
> "normalization" to gnutls, to address the differences.
>
> https://lists.gnupg.org/pipermail/gnutls-devel/2016-November/008240.html

Right. You normalise to NFC, yes? That's what my draft recommends. It's
a shame that PKCS#12 doesn't *mandate* that... but hey, at least it does
better than PKCS#8 :)

--
dwmw2

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
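
The mismatch discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL or GnuTLS code: the same visible password in precomposed and decomposed form yields different UTF-8 bytes and different PKCS#12 BMPString bytes until both are normalised to NFC. The function names and sample strings are assumptions made for illustration, and `normalize_password` is a reduced sketch of the RFC 7613 OpaqueString rules (space mapping plus NFC), not a full PRECIS implementation.

```python
import unicodedata


def pkcs12_password_bytes(password: str) -> bytes:
    """PKCS#12 password encoding (RFC 7292, App. B.1): BMPString, i.e.
    big-endian UTF-16, followed by a two-byte NUL terminator."""
    return password.encode("utf-16-be") + b"\x00\x00"


def normalize_password(password: str) -> str:
    """Reduced sketch of RFC 7613 OpaqueString (hypothetical helper):
    map non-ASCII spaces to U+0020, then apply NFC. No case or width
    mapping is done, and the disallowed-code-point checks are omitted."""
    if not password:
        raise ValueError("empty password")
    mapped = "".join(
        " " if unicodedata.category(ch) == "Zs" else ch for ch in password
    )
    return unicodedata.normalize("NFC", mapped)


def compare(a: str, b: str) -> tuple:
    """Return (raw encodings equal, normalised encodings equal)."""
    raw_equal = pkcs12_password_bytes(a) == pkcs12_password_bytes(b)
    norm_equal = pkcs12_password_bytes(
        normalize_password(a)
    ) == pkcs12_password_bytes(normalize_password(b))
    return raw_equal, norm_equal


# Constructed sample input: two spellings that render identically.
PRECOMPOSED = "caf\u00e9"   # e-acute as the single code point U+00E9
DECOMPOSED = "cafe\u0301"   # 'e' followed by combining acute U+0301

if __name__ == "__main__":
    for label, pw in (("precomposed", PRECOMPOSED), ("decomposed", DECOMPOSED)):
        print(label)
        print("  UTF-8     :", pw.encode("utf-8").hex())
        print("  BMPString :", pkcs12_password_bytes(pw).hex())
        print("  NFC + BMP :", pkcs12_password_bytes(normalize_password(pw)).hex())
    print("raw equal, normalised equal:", compare(PRECOMPOSED, DECOMPOSED))
```

Whatever bytes reach the key derivation step are what the file is bound to, so the same normalisation has to be applied both when a password is set and when it is later checked.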