RFC Errata
RFC 9579, "Use of Password-Based Message Authentication Code 1 (PBMAC1) in PKCS #12 Syntax", May 2024
Source of RFC: lamps (sec)
Errata ID: 7974
Status: Reported
Type: Technical
Publication Format(s): TEXT, PDF, HTML
Reported By: Hubert Kario
Date Reported: 2024-06-07
Section 6 says:
As documented in Appendix B.1 of [RFC7292], the handling of password encoding in the underlying standards is underspecified. However, just as with PBES1 and PBES2 when used in the context of PKCS #12 objects, all passwords used with PBMAC1 MUST be created from BMPStrings with a NULL terminator.
It should say:
As documented in Appendix B.1 of [RFC7292], the handling of password encoding in the underlying standards is underspecified. However, unlike with PBES1 and PBES2 when used in the context of PKCS #12 objects, all passwords used with PBMAC1 MUST be created from UTF-8 encoding without a NULL terminator or Byte Order Mark (BOM).
Notes:
Turns out that in the implementation we used for creating the test vectors, the conversion between the user-provided password and the BMPStrings used for encryption happened in a different place in the call stack than we expected, and the way we generated them, the passwords stayed in UTF-8 format instead of being converted to big-endian UTF-16.
Given that we already have the UTF-8 code implemented in GnuTLS (https://gitlab.com/gnutls/gnutls/-/merge_requests/1833), NSS (https://phabricator.services.mozilla.com/D201833), and that the test-vectors are self-consistent otherwise, I think it will be easier to just redefine how the passwords are passed in to the KDF in the PBMAC1 than to change all the implementations and test vectors.
Thanks to space88man on GitHub for noticing this: https://github.com/openssl/openssl/issues/24546#issuecomment-2154729339
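The two password encodings contrasted in Section 6 and in the proposed correction produce different PBKDF2 inputs, so a MAC created under one convention does not verify under the other. The following is an added example, not part of the erratum or of any implementation it names; it shows both encodings and a check for which one reproduces a given MAC. It assumes PBKDF2 with HMAC-SHA-256 for both key derivation and the MAC, and the salt, iteration count, MAC input and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values; not taken from the RFC 9579 test vectors.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ITERATIONS = 2048
KEY_LEN = 32
MAC_DATA = b"constructed stand-in for the PKCS #12 authSafe content"


def bmpstring_password(password: str) -> bytes:
    """Password as a BMPString with NULL terminator (original Section 6 text)."""
    if any(ord(ch) > 0xFFFF for ch in password):
        raise ValueError("BMPString cannot represent characters outside the BMP")
    return password.encode("utf-16-be") + b"\x00\x00"


def utf8_password(password: str) -> bytes:
    """Password as UTF-8, no NULL terminator, no BOM (text proposed by the erratum)."""
    return password.encode("utf-8")  # Python's "utf-8" codec never emits a BOM


ENCODINGS = {"bmpstring-nul": bmpstring_password, "utf8": utf8_password}


def pbmac1(password_bytes: bytes, data: bytes = MAC_DATA) -> bytes:
    """Derive a key with PBKDF2-HMAC-SHA256, then HMAC-SHA256 the data with it."""
    key = hashlib.pbkdf2_hmac("sha256", password_bytes, SALT, ITERATIONS, KEY_LEN)
    return hmac.new(key, data, hashlib.sha256).digest()


def matching_encodings(password: str, expected_mac: bytes) -> list[str]:
    """Return the names of the password encodings that reproduce expected_mac."""
    matches = []
    for name, encode in ENCODINGS.items():
        try:
            candidate = pbmac1(encode(password))
        except ValueError:  # password not representable in this encoding
            continue
        if hmac.compare_digest(candidate, expected_mac):
            matches.append(name)
    return matches


if __name__ == "__main__":
    pw = "pässword"  # constructed sample password
    print("BMPString+NUL:", bmpstring_password(pw).hex())
    print("UTF-8        :", utf8_password(pw).hex())
    print("MAC made from UTF-8 verifies under:", matching_encodings(pw, pbmac1(utf8_password(pw))))
```

A verifier that checks only one of the two encodings reports a wrong password for files produced under the other, even for pure-ASCII passwords, because the byte strings fed to the KDF never coincide.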