fix(pkcs12): pre-submission cleanups for RC2-CBC PR

MarkAtwood · MarkAtwood · commit bce7eafedd75 · 2026-04-10T19:41:13.000-07:00
- add #[deprecated] alias for renamed PKCS_12_PBEWITH_SHAAND40_BIT_RC2_CBC
- clarify Zeroizing spare-capacity behavior in decrypt.rs comment
- add non-BMP password rejection tests for both RC2 decrypt methods
- remove redundant rc2 dev-dependency (covered by optional main dep)
diff --git a/pkcs12/Cargo.toml b/pkcs12/Cargo.toml
@@ -37,7 +37,6 @@ cipher = "0.5"
 sha1 = "0.11.0"
 sha2 = "0.11"
 whirlpool = "0.11"
-rc2 = "0.9.0"
 
 [features]
 default = ["pem"]
diff --git a/pkcs12/src/decrypt.rs b/pkcs12/src/decrypt.rs
@@ -195,7 +195,10 @@ fn decrypt_rc2(
     // plaintext *length* from decrypt_padded (dropping the borrow on buf),
     // then truncate buf to that length and return it directly.  This avoids
     // a second allocation and memcpy compared to calling plaintext.to_vec().
-    // The Zeroizing drop still zeroes the full buffer capacity on exit.
+    // `Zeroizing` calls `Vec::zeroize()` on drop; since zeroize v1.6+
+    // zeroes spare capacity in addition to [0..len], the PKCS#7 padding
+    // bytes at [pt_len..] are zeroed on drop even though they are not
+    // included in the returned slice.
     let mut buf = Zeroizing::new(ciphertext.to_vec());
     let pt_len = decryptor
         .decrypt_padded::<Pkcs7>(&mut buf)
diff --git a/pkcs12/src/lib.rs b/pkcs12/src/lib.rs
@@ -72,6 +72,17 @@ pub const PKCS_12_PBE_WITH_SHAAND128_BIT_RC2_CBC: ObjectIdentifier =
 pub const PKCS_12_PBE_WITH_SHAAND40_BIT_RC2_CBC: ObjectIdentifier =
     ObjectIdentifier::new_unwrap("1.2.840.113549.1.12.1.6");
 
+/// Deprecated: the previous name of [`PKCS_12_PBE_WITH_SHAAND40_BIT_RC2_CBC`].
+///
+/// The original constant name was missing an underscore between `PBE` and
+/// `WITH`.  Renamed in 0.2.0; this alias exists for backward compatibility.
+#[deprecated(
+    since = "0.2.0",
+    note = "renamed to PKCS_12_PBE_WITH_SHAAND40_BIT_RC2_CBC"
+)]
+pub const PKCS_12_PBEWITH_SHAAND40_BIT_RC2_CBC: ObjectIdentifier =
+    PKCS_12_PBE_WITH_SHAAND40_BIT_RC2_CBC;
+
 // bag types
 /// `pkcs-12 keyBag` Object Identifier (OID).
 pub const PKCS_12_KEY_BAG_OID: ObjectIdentifier =
diff --git a/pkcs12/tests/decrypt_rc2.rs b/pkcs12/tests/decrypt_rc2.rs
@@ -168,6 +168,34 @@ fn decrypt_rc2_40_iter2048() {
     assert!(!pki.private_key.as_bytes().is_empty());
 }
 
+// ── non-BMP password rejection ────────────────────────────────────────────────
+
+/// Password containing a non-BMP character (U+1F525 FIRE, above U+FFFF) must
+/// return `Err` from both decrypt methods.
+///
+/// RFC 7292 §B.1 requires the password to be encoded as BMP (UTF-16BE without
+/// surrogate pairs).  Code points above U+FFFF are not representable in BMP;
+/// `BmpString::from_utf8` rejects them, so both decrypt methods must return
+/// `Err` before any KDF work is done.
+#[test]
+fn decrypt_rc2_128_non_bmp_password_returns_err() {
+    let epki = find_shrouded_key(include_bytes!("data/test-rc2-128-iter2048.p12"));
+    assert!(
+        epki.decrypt_rc2_128_cbc("🔥").is_err(),
+        "decrypt_rc2_128_cbc must reject a non-BMP password"
+    );
+}
+
+/// RC2-40 variant of the non-BMP password rejection test.
+#[test]
+fn decrypt_rc2_40_non_bmp_password_returns_err() {
+    let epki = find_shrouded_key(include_bytes!("data/test-rc2-40-iter2048.p12"));
+    assert!(
+        epki.decrypt_rc2_40_cbc("🔥").is_err(),
+        "decrypt_rc2_40_cbc must reject a non-BMP password"
+    );
+}
+
 // ── RC2-40 error-path tests ────────────────────────────────────────────────────
 
 /// Wrong password for RC2-40.
