<?xml version='1.0' encoding='utf-8'?>

<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp    "&#8203;">
  <!ENTITY nbhy    "&#8209;">
  <!ENTITY wj      "&#8288;">
  <!ENTITY RFC2104 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2104.xml">
  <!ENTITY RFC2119 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
  <!ENTITY RFC6194 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6194.xml">
  <!ENTITY RFC7292 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7292.xml">
  <!ENTITY RFC7914 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7914.xml">
  <!ENTITY RFC8018 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8018.xml">
  <!ENTITY RFC8174 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc strict="yes" ?>
<?rfc toc="yes"?>
<?rfc tocdepth="4"?>
<?rfc symrefs="yes"?>
<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
<?rfc sortrefs="yes" ?>
<!-- control vertical white space
     (using these PIs as follows is recommended by the RFC Editor) -->
<?rfc compact="yes" ?>
<!-- do not start each main section on a new page -->
<?rfc subcompact="no" ?>
<!-- keep one blank line between list items -->
<!-- end of list of popular I-D processing instructions -->

<rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="info" docName="draft-ietf-lamps-pkcs12-pbmac1-08" number="9579" ipr="trust200902" updates="7292, 8018" obsoletes="" submissionType="IETF" xml:lang="en" consensus="true" tocInclude="true" tocDepth="4" symRefs="true" sortRefs="true" version="3">

<!-- ***** FRONT MATTER ***** -->

<!-- [rfced] *AD, please review the change from "pbkc12-pbamc1-2023" to
"id-pkcs12-pbmac1-2023" in Appendix B and let us know if you
approve. This change was made after version -08 was approved. IANA has
already updated the registry (see https://www.iana.org/assignments/smi-numbers).

You can view the change in this diff file:
https://www.rfc-editor.org/authors/rfc9579-diff.html
-->

  <front>
    <title abbrev="PBMAC1 in PKCS #12">Use of Password-Based Message
    Authentication Code 1 (PBMAC1) in PKCS #12 Syntax</title>
    <seriesInfo name="RFC" value="9579"/>
    <author fullname="Hubert Kario" initials="H." role="editor" surname="Kario">
      <organization>Red Hat, Inc.</organization>
      <address>
        <postal>
          <street>Purkynova 115</street>
          <city>Brno</city>

          <region></region>
          <code>61200</code>
          <country>Czech Republic</country>
        </postal>

        <phone></phone>
        <email>hkario@redhat.com</email>
      </address>
    </author>
    <date month="May" year="2024"/>

    <area>SEC</area>
    <workgroup>lamps</workgroup>

    <keyword>pbmac1</keyword>
    <keyword>pkcs12</keyword>
    <keyword>pbkdf2</keyword>

    <abstract>
      <t>This document specifies additions and amendments to
            RFCs 7292 and 8018. It defines a way to use
            the Password-Based Message Authentication Code 1 (PBMAC1), defined
            in RFC 8018, inside the PKCS #12
            syntax. The purpose of this specification is to permit the use of more
            modern Password-Based Key Derivation Functions (PBKDFs)
            and allow for regulatory compliance.
      </t>
    </abstract>
  </front>
  <middle>
    <section numbered="true" toc="default">
      <name>Introduction</name>

<!--[rfced] Will it be clear to readers what "the original specification"
refers to in the second sentence below (first sentence included for
context)? Does "the original specification" refer to RFC 7292? If so,
please note that we do not see "PBKDF1" in RFC 7292, though we do see
"PBKDF2". We see "PBKDF1" in RFC 8018. Please review and let us know if
any updates are needed.

Original:
   The PKCS #12 [RFC7292] format is widely used for interoperable
   transfer of certificate, key, and other miscellaneous secrets between
   machines, applications, browsers, etc.  Unfortunately, the original
   specification mandates the use of a specific password based key
   derivation function, the PBKDF1, allowing only for change of the
   underlying message digest function.
-->

<t>The PKCS #12 format <xref target="RFC7292" format="default"/> is widely used
        for the interoperable transfer of certificate, key, and other
        miscellaneous secrets between machines, applications, browsers, etc.
        Unfortunately, the original specification mandates the use
        of a specific password-based key derivation function, the PBKDF1,
        that only allows for change of the underlying message digest function.</t>
    </section>
    <section numbered="true" toc="default">
      <name>Rationale</name>

      <t>Due to security concerns with PBKDF1 and the much higher
      extensibility of PBMAC1 <xref target="RFC8018" format="default"/>, we
      propose the use of PBMAC1 for integrity protection of PKCS #12
      structures. The new syntax is designed to allow legacy applications to
      still be able to decrypt the key material, even if they are unable to
      interpret the new integrity protection, provided that they can ignore
      failures in Message Authentication Code (MAC) verification.  This change
      allows for the use of PBKDF2 <xref target="RFC8018" format="default"/>
      or scrypt KDFs <xref target="RFC7914" format="default"/> for
      derivation of MAC keys and future extensibility.  Use of the extensible
      PBMAC1 mechanism also allows for greater flexibility and alignment with
      different government regulations, for example, in environments where
      PBKDF2 is the only allowed password-based key derivation function.
      </t>

      <t>As the recommended methods for key protection require both encryption
        and integrity protection, we decided to amend the PKCS #12 format
        to support different key derivation functions rather than extending the
        PKCS #5 format by a new field that allows integrity protection.
      </t>

<t>We have included an ASN.1 module <xref target="x680"
      format="default"/> <xref target="x681" format="default"/> <xref
      target="x682" format="default"/> <xref target="x683" format="default"/>
      <xref target="x690" format="default"/> that can be combined with the
      ASN.1 module in <xref target="RFC8018" format="default"/> to incorporate
      additional MAC algorithms.</t>
    </section>
    <section numbered="true" toc="default">
      <name>Requirements Language</name>
        <t>
    The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
    "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>",
    "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>",
    "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
    "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be
    interpreted as described in BCP&nbsp;14 <xref target="RFC2119"/> <xref
    target="RFC8174"/> when, and only when, they appear in all capitals, as
    shown here.
        </t>
    </section>

    <!-- This PI places the pagebreak correctly (before the section title) in the text output. -->

    <?rfc needLines="8" ?>

    <section numbered="true" toc="default">
      <name>Embedding PBMAC1 in PKCS #12</name>

<!-- [rfced] Because the following list updates item #3 in Section 4 of RFC
7292, would it be helpful to use a different numbering scheme here
(perhaps bullets or a, b, c, d)?

Original:
   1.  the id-PBMAC1 object identifier is permitted as a valid type for
       the DigestAlgorithmIdentifier inside the DigestInfo object.  If
       the algorithm field of the DigestAlgorithmIdentifier is id-
       PBMAC1, then the parameters field MUST be present and have the
       value consistent with PBMAC1-params

   2.  if the PBMAC1 algorithm is used, the digest value of the
       DigestInfo object MUST be the result of the PBMAC1 calculation
       over the authSafe field using the PBMAC1-params parameters

   3.  if the PBMAC1 algorithm is used, the macSalt value MUST be
       ignored, for backwards compatibility it SHOULD NOT be empty

   4.  if the PBMAC1 algorithm is used, the iterations value MUST be
       ignored, for backwards compatibility it SHOULD have a non-zero
       positive value
-->

<!--[rfced] We have a couple of questions about the sentence below:

a) Is "over" correct in the phrase "the PBMAC1 calculation over the authSafe
field"? Or should "over" be updated to "of" or something else?

b) Should "the PBMAC1-params parameters" be updated to "PBMAC1-params"? Or is
the current okay?

Original:
   2.  if the PBMAC1 algorithm is used, the digest value of the
       DigestInfo object MUST be the result of the PBMAC1 calculation
       over the authSafe field using the PBMAC1-params parameters

Perhaps
   2.  If the PBMAC1 algorithm is used, the digest value of the
       DigestInfo object MUST be the result of the PBMAC1 calculation
       of the authSafe field using PBMAC1-params.
-->

<t>The MacData structure in the Personal Information Exchange (PFX)
      object, as described in item #3 in <xref target="RFC7292"
      sectionFormat="of" section="4"/>, is updated to include the following PBMAC1-specific
      guidance:
      </t>
      <ol spacing="normal" type="1">
	<li>
          The id-PBMAC1 object identifier is permitted as a valid type for the
          DigestAlgorithmIdentifier inside the DigestInfo object.  If the
          algorithm field of the DigestAlgorithmIdentifier is id-PBMAC1, then
          the parameters field <bcp14>MUST</bcp14> be present and have a
          value consistent with PBMAC1-params.
        </li>
        <li>
	  If the PBMAC1 algorithm is used, the digest value of the DigestInfo
	  object <bcp14>MUST</bcp14> be the result of the PBMAC1 calculation
	  over the authSafe field using the PBMAC1-params parameters.
        </li>
        <li>
          If the PBMAC1 algorithm is used, the macSalt value
          <bcp14>MUST</bcp14> be ignored. For backwards compatibility, it
          <bcp14>SHOULD NOT</bcp14> be empty.
        </li>
        <li>
          If the PBMAC1 algorithm is used, the iterations value
          <bcp14>MUST</bcp14> be ignored. For backwards compatibility, it
          <bcp14>SHOULD</bcp14> have a non-zero positive value.
        </li>
      </ol>
    </section>
    <section numbered="true" toc="default">
      <name>Recommended Parameters</name>

<!-- [rfced] We have a few questions about these sentences in Section 5:

a) Please review "the PBKDF2 key derivation function" (first sentence), "the
PBKDF2" (second sentence), and "PBKDF2 KDF" (third sentence). Should these be
updated to simply "PBKDF2" or otherwise be made consistent??

b) In the first sentence, should "integrity check" be updated to "integrity
protection"? Also, how may we update "for both integrity check and as the
PBKDF2 pseudorandom function (PRF)" to create parallel structure?

c) In the second and third sentences, please confirm that "keyLen field" is
correct. We ask because we see "keyLength field" in Appendix B (and in RFCs
7914 and 8018).

d) In the third sentence, is "PBKDF2-params" singular or plural? Should "with
PBKDF2-params that omit the keyLen field" be updated to "with a PBKDF2-params
that omits the keyLen field"?

Original:
   To provide interoperability between different implementations, all
   implementations of this specification MUST support the PBKDF2 key
   derivation function paired with SHA-256 HMAC [SHA2] [RFC2104] for
   both integrity check and as the PBKDF2 pseudorandom function (PRF).
   ...
   In particular, when using the PBKDF2, the
   implementations MUST include the keyLen field in the encoded
   PBKDF2-params.
   ...
   Implementations MUST NOT accept PBKDF2 KDF with
   PBKDF2-params that omit the keyLen field.

Perhaps:
   To provide interoperability between different implementations, all
   implementations of this specification MUST support PBKDF2
   paired with SHA-256 HMAC [SHA2] [RFC2104] both
   for integrity protection and as the PBKDF2 pseudorandom function (PRF).
   ...
   In particular, when using PBKDF2,
   implementations MUST include the keyLength field in the encoded
   PBKDF2-params.
   ...
   Implementations MUST NOT accept PBKDF2 with a
   PBKDF2-params that omits the keyLength field.
-->

      <t>To provide interoperability between different implementations, all
      implementations of this specification <bcp14>MUST</bcp14> support the PBKDF2 key derivation function
      paired with SHA-256 HMAC <xref target="SHA2" format="default"/> <xref
      target="RFC2104" format="default"/> for both integrity check and as the
      PBKDF2 pseudorandom function (PRF). It's <bcp14>RECOMMENDED</bcp14> for
      implementations to support other SHA-2-based HMACs.  Implementations
      <bcp14>MAY</bcp14> use other hash functions, like the SHA-3 family of
      hash functions <xref target="SHA3" format="default"/>.  Implementations
      <bcp14>MAY</bcp14> use other KDF methods, like the scrypt PBKDF <xref
      target="RFC7914" format="default"/>.
      </t>

      <t>The length of the key generated by the used KDF <bcp14>MUST</bcp14> be encoded
        explicitly in the parameters field and <bcp14>SHOULD</bcp14> be the same size as the
        HMAC function output size. This means that PBMAC1-params specifying
        SHA-256 HMAC should also include KDF parameters that generate
        a 32-octet key. In particular, when using the PBKDF2, the implementations
        <bcp14>MUST</bcp14> include the keyLen field in the encoded PBKDF2-params.
        Implementations <bcp14>MUST NOT</bcp14> accept PBKDF2 KDF with PBKDF2-params that
        omit the keyLen field.
      </t>
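      <t>The following Python program is an added example, not code from this
      document or from any PKCS #12 or ASN.1 library. It hand-parses a
      DER-encoded PBKDF2-params and refuses any encoding that omits the
      keyLength field (the keyLen field above), which is the check the
      preceding paragraph requires of implementations. The small encoder exists
      only to construct sample input; the OID table, the sample salt and the
      iteration count are constructed values, and the treatment of an absent
      prf as HMAC-SHA-1 follows the DEFAULT in the PBKDF2-params definition of
      RFC 8018.</t>
<sourcecode type="python"><![CDATA[
```python
"""Parse a DER-encoded PBKDF2-params and refuse one that omits keyLength.
Added illustration, not code from RFC 9579 or from any ASN.1 library; the
encoder only constructs sample input and the sample values are made up."""

TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = (
    0x02, 0x04, 0x05, 0x06, 0x30)

# DER content octets of id-hmacWithSHA* (1.2.840.113549.2.N from the module).
PRF_OIDS = {
    bytes.fromhex("2a864886f70d0207"): "sha1",    # id-hmacWithSHA1
    bytes.fromhex("2a864886f70d0209"): "sha256",  # id-hmacWithSHA256
    bytes.fromhex("2a864886f70d020b"): "sha512",  # id-hmacWithSHA512
}


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one TLV; long-form length once the body reaches 128 octets."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_int(v: int) -> bytes:
    """Non-negative INTEGER in minimal form (leading 0x00 keeps it positive)."""
    return der_tlv(TAG_INTEGER, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def encode_pbkdf2_params(salt, iterations, key_length, prf_oid) -> bytes:
    """PBKDF2-params with a 'specified' salt; key_length=None omits keyLength."""
    parts = [der_tlv(TAG_OCTET_STRING, salt), der_int(iterations)]
    if key_length is not None:
        parts.append(der_int(key_length))
    alg_id = der_tlv(TAG_OID, prf_oid) + der_tlv(TAG_NULL, b"")
    parts.append(der_tlv(TAG_SEQUENCE, alg_id))
    return der_tlv(TAG_SEQUENCE, b"".join(parts))


def der_read(buf: bytes, pos: int):
    """Return (tag, value, end) for the TLV at buf[pos]; reject truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV body")
    return tag, buf[pos:end], end


def parse_pbkdf2_params(der: bytes) -> dict:
    """Decode PBKDF2-params; ValueError when keyLength is absent or DER is bad."""
    tag, body, end = der_read(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("PBKDF2-params must be exactly one SEQUENCE")
    tag, salt, pos = der_read(body, 0)
    if tag != TAG_OCTET_STRING:
        raise ValueError("only the 'specified' salt form is handled here")
    tag, value, pos = der_read(body, pos)
    if tag != TAG_INTEGER:
        raise ValueError("iterationCount must be an INTEGER")
    iterations = int.from_bytes(value, "big")
    key_length = None
    if pos < len(body):                       # keyLength is OPTIONAL in RFC 8018
        tag, value, nxt = der_read(body, pos)
        if tag == TAG_INTEGER:
            key_length, pos = int.from_bytes(value, "big"), nxt
    prf = "sha1"                              # RFC 8018 DEFAULT algid-hmacWithSHA1
    if pos < len(body):
        tag, alg_id, pos = der_read(body, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("prf must be an AlgorithmIdentifier")
        tag, oid, _ = der_read(alg_id, 0)
        if tag != TAG_OID or oid not in PRF_OIDS:
            raise ValueError("unsupported PRF")
        prf = PRF_OIDS[oid]
    if pos != len(body):
        raise ValueError("trailing data inside PBKDF2-params")
    if key_length is None:
        raise ValueError("PBKDF2-params omit keyLength; MUST NOT be accepted")
    if iterations < 1 or key_length < 1:
        raise ValueError("iterationCount and keyLength must be at least 1")
    return {"salt": salt, "iterations": iterations,
            "keyLength": key_length, "prf": prf}


def accepts(der: bytes) -> bool:
    """True when the encoding parses and satisfies the keyLength rule."""
    try:
        parse_pbkdf2_params(der)
        return True
    except ValueError:
        return False


# Constructed samples: one complete encoding and one that omits keyLength.
SALT = bytes(range(8))
HMAC_SHA256 = bytes.fromhex("2a864886f70d0209")
GOOD = encode_pbkdf2_params(SALT, 2048, 32, HMAC_SHA256)
NO_KEYLEN = encode_pbkdf2_params(SALT, 2048, None, HMAC_SHA256)

if __name__ == "__main__":
    print("complete:", accepts(GOOD), parse_pbkdf2_params(GOOD))
    print("without keyLength:", accepts(NO_KEYLEN))
```
]]></sourcecode>
      <t>Running accepts() over the two constructed encodings returns True for
      the complete one and False for the one without keyLength. The same
      reader also rejects trailing octets after the outer SEQUENCE and
      truncated length fields, the two places where hand-written DER parsing
      most often goes wrong; size policy for the key (the 20-octet lower
      bound recommended in the Security Considerations) is left to the caller.</t>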
    </section>
    <section numbered="true" toc="default">
      <name>Password Encoding</name>
      <t>As documented in <xref target="RFC7292" sectionFormat="of"
      section="B.1"/>, the handling of password encoding in the underlying
      standards is underspecified. However, just as with
      PBES1 and PBES2 when used in the context of
      PKCS #12 objects, all passwords used with PBMAC1 <bcp14>MUST</bcp14> be
      created from BMPStrings with a NULL terminator.
      </t>
    </section>
    <section numbered="true" toc="default">
      <name>Deprecated Algorithms</name>

<!--[rfced] Please confirm that "practical" is the correct word choice here
(we do not see this word in RFC 6194). Also, we see "SHA-1" and
"HMAC-SHA-1" in RFC 6194, but this sentence uses "SHA-1 HMACs". Is this
okay?  Last, may we update as follows to include a semicolon to improve
readability?

Original:
   While attacks against SHA-1 HMACs are not considered practical
   [RFC6194] to limit the number of algorithms needed for
   interoperatbility, implementations of this specification SHOULD NOT
   use PBKDF2 with the SHA-1 HMAC. Additionally

Perhaps:
   Attacks against SHA-1 HMACs are not considered practical
   [RFC6194]; to limit the number of algorithms needed for
   interoperability, implementations of this specification SHOULD NOT
   use PBKDF2 with the SHA-1 HMAC.
-->

      <t>While attacks against SHA-1 HMACs are not considered practical
            <xref target="RFC6194" format="default"/> to limit the number of algorithms needed
            for interoperability, implementations of this specification
            <bcp14>SHOULD NOT</bcp14> use PBKDF2 with the SHA-1 HMAC. In addition,
            implementations <bcp14>MUST NOT</bcp14> use any other message digest functions
            with an output of 160 bits or less.</t>
    </section>

    <!-- Possibly a 'Contributors' section ... -->

    <section anchor="IANA" numbered="true" toc="default">
      <name>IANA Considerations</name>
      <t>IANA has registered the following object identifier in the
         "SMI Security for S/MIME Module Identifier (1.2.840.113549.1.9.16.0)"
         registry. See <xref target="asn1-module"/> for the ASN.1 module.</t>

<table anchor="iana-table">
  <name></name>
  <thead>
    <tr>
      <th>Decimal</th>
      <th>Description</th>
      <th>Reference</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>76</td>
      <td>id-pkcs12-pbmac1-2023</td>
      <td>RFC 9579</td>
    </tr>
  </tbody>
</table>

    </section>
    <section anchor="Security" numbered="true" toc="default">
      <name>Security Considerations</name>
      <t>Except for the use of different key derivation functions, this document
        doesn't change how the integrity protection on PKCS #12 objects is
        computed; therefore, all the original security considerations from
        <xref target="RFC7292" format="default"/> apply.
      </t>
      <t>Use of PBMAC1 and PBKDF2 is unchanged from <xref target="RFC8018"
      format="default"/>; therefore, all the original security considerations from
      <xref target="RFC8018" format="default"/> apply.
      </t>
      </t>
      <t>The KDFs generally don't have a lower limit for the generated
      key size, allowing the specification of very small key sizes (of 1 octet), which
      can facilitate brute-force attacks on the HMAC.
      Since the KDF parameters are not cryptographically protected and
      HMACs accept arbitrary key sizes,
      implementations <bcp14>MAY</bcp14> refuse to process KDF parameters that specify small
      key output sizes or weak parameters. It's <bcp14>RECOMMENDED</bcp14> to reject any KDF
      parameters that specify key lengths less than 20 octets.
      </t>
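      <t>The following Python program is an added example, not code from this
      document or from any PKCS #12 implementation. It ties together the rules
      stated earlier: the PBMAC1 calculation over authSafe with macSalt and
      iterations ignored (Embedding PBMAC1 in PKCS #12), the
      BMPString-with-NULL-terminator password encoding (Password Encoding),
      refusal of digests whose output is 160 bits or less (Deprecated
      Algorithms), and rejection of derived keys shorter than 20 octets (this
      section). The MacData and PBMAC1-params dicts stand in for the decoded
      ASN.1 structures; the authSafe bytes, salt and iteration count are
      constructed values, and the password "1234" is the one the test vectors
      use.</t>
<sourcecode type="python"><![CDATA[
```python
"""PBMAC1 integrity protection for a PKCS #12 authSafe, as amended by this
document, together with the parameter policy it describes. Added
illustration, not code from RFC 9579 or from any PKCS #12 library; the dict
shapes stand in for decoded ASN.1 and all sample values are constructed."""
import hashlib
import hmac

# HMAC output sizes (octets) of the digests this example is willing to use.
# SHA-1 is absent on purpose: a MAC digest of 160 bits or less is forbidden,
# and PBKDF2 with the SHA-1 HMAC should not be used.
HMAC_SIZES = {"sha224": 28, "sha256": 32, "sha384": 48, "sha512": 64}
MIN_KEY_LENGTH = 20  # octets; derived keys below this are rejected


def encode_password(password: str) -> bytes:
    """PKCS #12 password encoding: BMPString (UTF-16BE) plus a NULL terminator."""
    return password.encode("utf-16-be") + b"\x00\x00"


def check_pbmac1_params(params: dict) -> list:
    """Enforce the MUST-level rules and report SHOULD-level deviations.

    Assumed shape of decoded PBMAC1-params (constructed for this example):
      {"kdf": {"salt": bytes, "iterations": int, "keyLength": int, "prf": str},
       "mac": str}
    Raises ValueError for anything that must be rejected; returns warnings
    for anything the document only recommends.
    """
    kdf, mac = params["kdf"], params["mac"]
    if mac not in HMAC_SIZES:
        raise ValueError("MAC digest unknown or output of 160 bits or less")
    if kdf["prf"] not in HMAC_SIZES:
        raise ValueError("PBKDF2 PRF unknown or SHA-1; not accepted here")
    if kdf["iterations"] < 1:
        raise ValueError("iterationCount must be positive")
    if kdf["keyLength"] < MIN_KEY_LENGTH:
        raise ValueError("derived key shorter than 20 octets; rejected")
    warnings = []
    if kdf["keyLength"] != HMAC_SIZES[mac]:
        warnings.append("keyLength differs from HMAC output size (SHOULD match)")
    return warnings


def pbmac1(params: dict, password: str, data: bytes) -> bytes:
    """PBMAC1 as in RFC 8018: PBKDF2 derives the key, HMAC covers the data."""
    kdf = params["kdf"]
    key = hashlib.pbkdf2_hmac(kdf["prf"], encode_password(password),
                              kdf["salt"], kdf["iterations"], kdf["keyLength"])
    return hmac.new(key, data, params["mac"]).digest()


def make_mac_data(params: dict, password: str, auth_safe: bytes) -> dict:
    """MacData whose DigestInfo algorithm is id-PBMAC1. macSalt is kept
    non-empty and iterations positive for legacy readers, but neither takes
    part in the computation."""
    return {"algorithm": "id-PBMAC1", "parameters": params,
            "digest": pbmac1(params, password, auth_safe),
            "macSalt": b"\x00" * 8, "iterations": 1}


def verify_mac_data(mac_data: dict, password: str, auth_safe: bytes) -> bool:
    """Check integrity protection; macSalt and iterations are ignored."""
    if mac_data["algorithm"] != "id-PBMAC1":
        raise ValueError("legacy PKCS #12 MAC is outside this example")
    check_pbmac1_params(mac_data["parameters"])
    expected = pbmac1(mac_data["parameters"], password, auth_safe)
    return hmac.compare_digest(expected, mac_data["digest"])


# Constructed input: a stand-in for the DER-encoded authSafe, and
# PBKDF2-HMAC-SHA256 with a 32-octet key feeding an HMAC-SHA256 MAC.
AUTH_SAFE = b"constructed stand-in for the DER-encoded authSafe ContentInfo"
PARAMS_SHA256 = {"kdf": {"salt": bytes(range(16)), "iterations": 2048,
                         "keyLength": 32, "prf": "sha256"},
                 "mac": "sha256"}


def demo() -> dict:
    """A valid file, a tampered file, a wrong password, and MacData whose
    macSalt and iterations differ (which must make no difference)."""
    good = make_mac_data(PARAMS_SHA256, "1234", AUTH_SAFE)
    other_salt = dict(good, macSalt=b"\xff" * 8, iterations=999)
    return {
        "valid": verify_mac_data(good, "1234", AUTH_SAFE),
        "tampered": verify_mac_data(good, "1234", AUTH_SAFE + b"x"),
        "wrong_password": verify_mac_data(good, "4321", AUTH_SAFE),
        "macsalt_ignored": verify_mac_data(other_salt, "1234", AUTH_SAFE),
    }


if __name__ == "__main__":
    print(demo())
```
]]></sourcecode>
      <t>The two legacy fields are carried in MacData but never reach the
      computation, which is what lets an older reader that only ignores MAC
      failures still decrypt the key material. The policy checks run before
      any key derivation, so parameters that would produce a 1-octet key or
      rely on a 160-bit digest are refused without spending PBKDF2 work on
      them.</t>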
    </section>
  </middle>

  <!--  *****BACK MATTER ***** -->

  <back>
    <!-- References split into informative and normative -->

    <references>
      <name>References</name>
      <references>
        <name>Normative References</name>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2104.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6194.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7292.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8018.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>

        <reference anchor="x680" target="https://www.itu.int/rec/T-REC-X.680">
          <front>
            <title>Information technology - Abstract Syntax
                 Notation One (ASN.1):  Specification of
                 basic notation</title>
            <author>
              <organization>ITU-T
              </organization>
            </author>
            <date month="February" year="2021"/>
          </front>
          <seriesInfo name="ITU-T Recommendation" value="X.680"/>
          <seriesInfo name="ISO/IEC" value="8824-1:2021"/>
	</reference>

        <reference anchor="x681" target="https://www.itu.int/rec/T-REC-X.681">
          <front>
            <title>Information technology - Abstract Syntax
                 Notation One (ASN.1): Information object
                 specification</title>
            <author>
              <organization>ITU-T
              </organization>
            </author>
            <date month="February" year="2021"/>
          </front>
          <seriesInfo name="ITU-T Recommendation" value="X.681"/>
          <seriesInfo name="ISO/IEC" value="8824-2:2021"/>
        </reference>

        <reference anchor="x682" target="https://www.itu.int/rec/T-REC-X.682">
          <front>
            <title>Information technology - Abstract Syntax
                 Notation One (ASN.1): Constraint specification</title>
            <author>
              <organization>ITU-T
              </organization>
            </author>
            <date month="February" year="2021"/>
          </front>
          <seriesInfo name="ITU-T Recommendation" value="X.682"/>
          <seriesInfo name="ISO/IEC" value="8824-3:2021"/>
        </reference>

        <reference anchor="x683" target="https://www.itu.int/rec/T-REC-X.683">
          <front>
            <title>Information technology - Abstract Syntax Notation One
        (ASN.1): Parameterization of ASN.1 specifications</title>
            <author>
              <organization>ITU-T
              </organization>
            </author>
            <date month="February" year="2021"/>
          </front>
          <seriesInfo name="ITU-T Recommendation" value="X.683"/>
          <seriesInfo name="ISO/IEC" value="8824-4:2021"/>
        </reference>

        <reference anchor="x690" target="https://www.itu.int/rec/T-REC-X.690">
          <front>
            <title>Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER),
	  Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)</title>
            <author>
              <organization>ITU-T
              </organization>
            </author>
            <date month="February" year="2021"/>
          </front>
          <seriesInfo name="ITU-T Recommendation" value="X.690"/>
          <seriesInfo name="ISO/IEC" value="8825-1:2021"/>
        </reference>

        <reference anchor="SHA2"
                 target="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf">
          <front>
            <title>Secure Hash Standard (SHS)</title>
            <author>
              <organization>National Institute of Standards and Technology (NIST)
              </organization>
            </author>
            <date month="August" year="2015"/>
          </front>
	  <seriesInfo name="FIPS PUB" value="180-4"/>
	  <seriesInfo name="DOI" value="10.6028/NIST.FIPS.180-4"/>
        </reference>
      </references>

      <references>
        <name>Informative References</name>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7914.xml"/>

        <reference anchor="SHA3"
                 target="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf">
          <front>
            <title>SHA-3 Standard: Permutation-Based Hash and Extendable-Output
              Functions</title>
            <author>
              <organization>National Institute of Standards and Technology (NIST)
              </organization>
            </author>
            <date month="August" year="2015"/>
          </front>
	  <seriesInfo name="FIPS PUB" value="202"/>
	  <seriesInfo name="DOI" value="10.6028/NIST.FIPS.202"/>
        </reference>
      </references>
    </references>

    <section anchor="test-vectors" numbered="true" toc="default">
      <name>Test Vectors</name>
      <t>All test vectors use "1234" as the password for both encryption
        and integrity protection.</t>
      <section numbered="true" toc="default">
        <name>Valid PKCS #12 File with SHA-256 HMAC and PRF</name>
        <t>The following base64-encoded PKCS #12 file <bcp14>MUST</bcp14> be readable by
        implementations following this RFC.
        </t>

<sourcecode type="test-vectors"><![CDATA[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
]]></sourcecode>
      </section>
      <section numbered="true" toc="default">
        <name>Valid PKCS #12 File with SHA-256 HMAC and SHA-512 PRF</name>
        <t>The following base64-encoded PKCS #12 file <bcp14>SHOULD</bcp14> be readable by
          implementations following this RFC.
        </t>
<sourcecode type="test-vectors"><![CDATA[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
]]></sourcecode>
      </section>
      <section numbered="true" toc="default">
        <name>Valid PKCS #12 File with SHA-512 HMAC and PRF</name>
        <t>The following base64-encoded PKCS #12 file <bcp14>SHOULD</bcp14> be readable by
          implementations following this RFC.
        </t>
<sourcecode type="test-vectors"><![CDATA[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
]]></sourcecode>
      </section>
      <section numbered="true" toc="default">
        <name>Invalid PKCS #12 File with Incorrect Iteration Count</name>
        <t>The following base64-encoded PKCS #12 file <bcp14>MUST NOT</bcp14> be readable
          by an implementation following this RFC when it is verifying
          integrity protection.
        </t>
<sourcecode type="test-vectors"><![CDATA[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
]]></sourcecode>
      </section>
      <section numbered="true" toc="default">
        <name>Invalid PKCS #12 File with Incorrect Salt</name>
        <t>The following base64-encoded PKCS #12 file <bcp14>MUST NOT</bcp14> be readable
          by an implementation following this RFC when it is verifying
          integrity protection.
        </t>
<sourcecode type="test-vectors"><![CDATA[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
]]></sourcecode>
      </section>
      <section numbered="true" toc="default">
        <name>Invalid PKCS #12 File with Missing Key Length</name>
        <t>The following base64-encoded PKCS #12 file <bcp14>MUST NOT</bcp14> be readable
          by an implementation following this RFC when it is verifying
          integrity protection.
        </t>
<sourcecode type="test-vectors"><![CDATA[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
]]></sourcecode>
      </section>
    </section>
    <section anchor="asn1-module" numbered="true" toc="default">
      <name>ASN.1 Module</name>
      <t>This appendix documents ASN.1 <xref target="x680"
      format="default"/> <xref target="x681" format="default"/> <xref
      target="x682" format="default"/> <xref target="x683"
      format="default"/> <xref target="x690" format="default"/> types, values,
      and object sets for this specification.  It does so by providing an
      ASN.1 module called PKCS12-PBMAC1-2023.</t>

<!--[rfced] We have a few question about the text below:

a) We believe that "Appendix D" here should be updated to "Appendix C". Please
confirm.

b) Is "PKCS-12" correct? We do not see "PKCS-12" in this document or in
RFC 8018.

c) Will readers understand "by replacing the PBKDF2-PRFs class found therein"?

Original:
   Combine this module with the PKCS-12 ASN.1 module found in Appendix D
   of <xref target="RFC8018"/> [RFC8018] to add SHA-2 based HMACs by replacing the PBKDF2-PRFs
   class found therein.

Perhaps:
   This module can be combined with the ASN.1 module found in
   Appendix C of [RFC8018] to add SHA-2-based HMACs by replacing the
   PBKDF2-PRFs class in this module with those in [RFC8018].

Or:
   To add SHA-2-based HMACs, this module can be combined with the ASN.1
   module found in Appendix C of [RFC8018] by replacing the
   PBKDF2-PRFs class in [RFC8018] with those in this module.
-->

<!-- [rfced] Please review these two sentences (one from Section 2 and the
other from Appendix B), and let us know if any updates needed. We
ask because Section 2 says "to incorporate additional MAC algorithms"
and Appendix B says "to add SHA-2 based HMACs". Also, would it be helpful
to add "See Appendix B" to the text in Section 2?

Section 2:
   We have included an ASN.1 module [x680] [x681][x682][x683] [x690]
   that can be combined with the ASN.1 module in [RFC8018] to
   incorporate additional MAC algorithms.

Appendix B:
   Combine this module with the PKCS-12 ASN.1 module found in Appendix D
   of [RFC8018] to add SHA-2 based HMACs by replacing the PBKDF2-PRFs
   class found therein.
-->

<t>Combine this module with the PKCS-12 ASN.1 module found in <xref
      target="RFC8018" sectionFormat="of" section="D"/> to add SHA-2-based
      HMACs by replacing the PBKDF2-PRFs class found therein.</t>
<sourcecode type="asn.1"><![CDATA[
PKCS12-PBMAC1-2023
  { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
    smime(16) id-mod(0) id-pkcs12-pbmac1-2023(76) }

DEFINITIONS EXPLICIT TAGS ::=
BEGIN

IMPORTS

AlgorithmIdentifier, ALGORITHM-IDENTIFIER, rsadsi
  FROM PKCS5v2-1 -- From [RFC8018]
   { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-5(5)
     modules(16) pkcs5v2-1(2) }
;

-- object identifier arcs

pkcs OBJECT IDENTIFIER ::= { rsadsi 1 }

pkcs-5 OBJECT IDENTIFIER ::= { pkcs 5 }

digestAlgorithm OBJECT IDENTIFIER ::= { rsadsi 2 }

-- HMAC object identifiers

id-hmacWithSHA1 OBJECT IDENTIFIER ::= { digestAlgorithm 7 }

id-hmacWithSHA224 OBJECT IDENTIFIER ::= { digestAlgorithm 8 }

id-hmacWithSHA256 OBJECT IDENTIFIER ::= { digestAlgorithm 9 }

id-hmacWithSHA384 OBJECT IDENTIFIER ::= { digestAlgorithm 10 }

id-hmacWithSHA512 OBJECT IDENTIFIER ::= { digestAlgorithm 11 }

id-hmacWithSHA512-224 OBJECT IDENTIFIER ::= { digestAlgorithm 12 }

id-hmacWithSHA512-256 OBJECT IDENTIFIER ::= { digestAlgorithm 13 }

-- PBKDF2-PRF algorithm identifiers

PBKDF2-PRFs ALGORITHM-IDENTIFIER ::= {
  { NULL IDENTIFIED BY id-hmacWithSHA1 }       |
  { NULL IDENTIFIED BY id-hmacWithSHA224 }     |
  { NULL IDENTIFIED BY id-hmacWithSHA256 }     |
  { NULL IDENTIFIED BY id-hmacWithSHA384 }     |
  { NULL IDENTIFIED BY id-hmacWithSHA512 }     |
  { NULL IDENTIFIED BY id-hmacWithSHA512-224 } |
  { NULL IDENTIFIED BY id-hmacWithSHA512-256 },
  ...
  }

-- HMAC algorithm identifiers

algid-hmacWithSHA1 AlgorithmIdentifier {{PBKDF2-PRFs}} ::=
  { algorithm id-hmacWithSHA1, parameters NULL : NULL }

algid-hmacWithSHA224 AlgorithmIdentifier {{PBKDF2-PRFs}} ::=
  { algorithm id-hmacWithSHA224, parameters NULL : NULL }

algid-hmacWithSHA256 AlgorithmIdentifier {{PBKDF2-PRFs}} ::=
  { algorithm id-hmacWithSHA256, parameters NULL : NULL }

algid-hmacWithSHA384 AlgorithmIdentifier {{PBKDF2-PRFs}} ::=
  { algorithm id-hmacWithSHA384, parameters NULL : NULL }

algid-hmacWithSHA512 AlgorithmIdentifier {{PBKDF2-PRFs}} ::=
  { algorithm id-hmacWithSHA512, parameters NULL : NULL }

algid-hmacWithSHA512-224 AlgorithmIdentifier {{PBKDF2-PRFs}} ::=
  { algorithm id-hmacWithSHA512-224, parameters NULL : NULL }

algid-hmacWithSHA512-256 AlgorithmIdentifier {{PBKDF2-PRFs}} ::=
  { algorithm id-hmacWithSHA512-256, parameters NULL : NULL }

-- PBMAC1-params

PBMAC1-params ::=  SEQUENCE {
  keyDerivationFunc AlgorithmIdentifier {{PBMAC1-KDFs}},
  messageAuthScheme AlgorithmIdentifier {{PBMAC1-MACs}} }

PBMAC1-KDFs ALGORITHM-IDENTIFIER ::= {
  { PBKDF2-params IDENTIFIED BY id-PBKDF2},
  ...
}

PBMAC1-MACs ALGORITHM-IDENTIFIER ::= { ... }

id-PBKDF2 OBJECT IDENTIFIER ::= { pkcs-5 12 }

PBKDF2-params ::= SEQUENCE {
  salt CHOICE {
    specified OCTET STRING,
    otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}}
  },
  iterationCount INTEGER (1..MAX),
  keyLength INTEGER (1..MAX) OPTIONAL,
  prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT algid-hmacWithSHA1
}

PBKDF2-SaltSources ALGORITHM-IDENTIFIER ::= { ... }

END
      </artwork>
]]></sourcecode>
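<t>As an added example, not part of RFC 9579 or the module it imports: the Python below DER-encodes a PBMAC1-params value exactly as the module above lays it out (a PBKDF2 keyDerivationFunc using the salt.specified form, an HMAC messageAuthScheme, NULL parameters on both), honouring the DER rule that the DEFAULT prf (algid-hmacWithSHA1) is omitted from the encoding, and then computes and checks the PBMAC1 tag that such parameters describe. The password, salt and data are constructed sample values, and every helper name is the example's own.</t>
<sourcecode type="python"><![CDATA[
```python
# Added example, not part of RFC 9579 or the PKCS5v2-1 module: DER-encode a
# PBMAC1-params value as laid out by the module above, then compute and verify
# the PBMAC1 tag it describes (PBKDF2-derived key, HMAC over the data) using
# only the standard library. All sample inputs are constructed.
import hashlib
import hmac

# OID arcs from the module: digestAlgorithm = 1.2.840.113549.2, pkcs-5 = ...1.5
OID_HMAC = {"sha1": "1.2.840.113549.2.7", "sha224": "1.2.840.113549.2.8",
            "sha256": "1.2.840.113549.2.9", "sha384": "1.2.840.113549.2.10",
            "sha512": "1.2.840.113549.2.11"}
OID_PBKDF2 = "1.2.840.113549.1.5.12"  # id-PBKDF2 ::= { pkcs-5 12 }

def _tlv(tag, body):
    """DER tag-length-value; long-form length when body exceeds 127 bytes."""
    if len(body) > 127:
        n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 + len(n)]) + n + body
    return bytes([tag, len(body)]) + body

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base-128 digits, high bit set on all but the last
        chunk = [arc % 128]
        arc //= 128
        while arc:
            chunk.append(0x80 + arc % 128)
            arc //= 128
        body += bytes(reversed(chunk))
    return _tlv(0x06, bytes(body))

def _int(n):  # positive INTEGER; a spare zero byte keeps the sign bit clear
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _alg_id(oid):  # AlgorithmIdentifier with parameters NULL, as in the module
    return _tlv(0x30, _oid(oid) + b"\x05\x00")

def pbmac1_params(salt, iterations, key_len, prf="sha256", mac="sha256"):
    """PBMAC1-params whose keyDerivationFunc is PBKDF2 (salt.specified form)."""
    kdf = _tlv(0x04, salt) + _int(iterations) + _int(key_len)
    if prf != "sha1":  # DER forbids encoding the DEFAULT (algid-hmacWithSHA1)
        kdf += _alg_id(OID_HMAC[prf])
    kdf_alg = _tlv(0x30, _oid(OID_PBKDF2) + _tlv(0x30, kdf))
    return _tlv(0x30, kdf_alg + _alg_id(OID_HMAC[mac]))

def pbmac1_tag(password, salt, iterations, key_len, prf, mac, data):
    key = hashlib.pbkdf2_hmac(prf, password, salt, iterations, key_len)
    return hmac.new(key, data, mac).digest()

def pbmac1_verify(password, salt, iterations, key_len, prf, mac, data, tag):
    expected = pbmac1_tag(password, salt, iterations, key_len, prf, mac, data)
    return hmac.compare_digest(expected, tag)  # constant-time comparison
```
]]></sourcecode>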
    </section>
  </back>

<!--[rfced] We have the following questions about the terminology used in this
document.

a) We see the following terms in the document:

Original:
  SHA-1 HMAC
  SHA-256 HMAC
  SHA-512 HMAC

  SHA-512 PRF
  SHA-256 HMAC and PRF
  SHA-256 HMAC and SHA-512 PRF
  SHA-512 HMAC and PRF

We don't see this particular phrasing in published RFCs. Are these okay as is,
or are any updates needed?

Here are some examples of what we see in published RFCs. Note that the form
with hyphens (e.g., HMAC-SHA-256) appears in RFCs 6194, 7914, and 8018 (all
cited in this document).

  HMAC-SHA-1
  HMAC-SHA-2
  HMAC-SHA-256

  HMAC with SHA-1
  HMAC with SHA-256
  HMAC with SHA-512

  HMAC SHA-1
  HMAC SHA-256
  HMAC SHA-512

  PRF with SHA-256

b) We updated instances of "SHA-2 based HMAC" to "SHA-2-based HMAC" (hyphen
before "based"). Should these be further updated per the question above?

c) We note inconsistencies in the terms listed below. We chose the form on the
right. Please let us know any objections.

PKCS#12 vs. PKCS #12
  Note: "PKCS #12" is used in RFCs 7292 and 8018 (and other published RFCs).

scrypt KDF vs. scrypt PBKDF
  Note: "scrypt PBKDF" is used in RFC 7914.
-->

<!--[rfced] FYI - We have added expansions for abbreviations upon first use
per Section 3.6 of RFC 7322 ("RFC Style Guide"). Please review each
expansion in the document carefully to ensure correctness.

Message Authentication Code (MAC)
Personal Information Exchange (PFX)
-->

<!--[rfced] We have updated <artwork> to <sourcecode type="test-vectors">
and <sourcecode type="asn.1"> in Appendices A and B, respectively. Please
review and confirm that the "type" attribute of these sourcecode elements has
been set correctly.

The current list of preferred values for "type" is available at
https://www.rfc-editor.org/materials/sourcecode-types.txt. If the current
list does not contain an applicable type, feel free to suggest additions
for consideration. Note that it is also acceptable to leave the "type"
attribute not set.
-->

<!--[rfced] Please review the "Inclusive Language" portion of the online
Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language>
and let us know if any changes are needed.

Note that our script did not flag any words in particular, but this should
still be reviewed as a best practice.
-->

</rfc>