Re: Parsing and generating CBOR certificates?
On Thursday, 21 January 2021 13:05:21 CET, David von Oheimb wrote:
> I'd welcome support for CBOR(-encoded) certificates since they can save a lot
> of space for both the data itself and the code handling it, which may be
> vital for IoT scenarios, for instance.
> It looks like the standardization of their definition got pretty far already.
>
> Although it is certainly possible to convert between DER-encoded ASN.1 (or at
> least its subset needed for X.509 certs) and CBOR, this is not strictly
> needed since there is a definition of natively signed CBOR certs.
> Thus all the ASN.1 fuzz, which is bulky and error-prone to implement and use,
> can be avoided then.
>
> https://tools.ietf.org/html/draft-mattsson-cose-cbor-cert-compress writes:
> The use of natively signed CBOR certificates removes the need for ASN.1
> encoding, which is a rich source of security vulnerabilities.

That's a huge and rather crucial difference, as X.509 certificate signatures
are specified over byte strings that are the DER encoding of the
tbsCertificate structure. You can send that certificate however you want,
including by translating it into an XML variant of ASN.1, but for
verification you still need to turn that XML into DER so that you can verify
that the signature that the CA created is correct.

If the signature is expected to be made over a CBOR serialisation of
tbsCertificate, then that's a completely different certificate, and it's the
CA that needs to produce it; it's not something that openssl could do
(convert from DER to CBOR).

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
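The point Hubert makes above (the signature covers the exact DER bytes of tbsCertificate, so a CBOR transport encoding has to be turned back into byte-identical DER before verification, and a signature over CBOR bytes is a different certificate altogether) can be shown with a few lines of Python. The following is an added example and is not code from the thread, from OpenSSL or from the draft: the DER and CBOR encoders/decoders are hand-written toy subsets (SEQUENCE/INTEGER/UTF8String and array/uint/text string), the four-field "tbsCertificate" is constructed, and a SHA-256 digest of the signed input stands in for the CA's real signature.

```python
"""Why a DER X.509 certificate cannot be "converted" into a natively signed
CBOR one: the CA's signature covers the DER bytes of tbsCertificate, so any
other transport encoding must be re-encoded to identical DER before checking.
Toy DER/CBOR subsets and a digest-as-signature stand-in (all assumptions)."""
import hashlib

# ---- minimal DER: SEQUENCE (0x30), INTEGER (0x02), UTF8String (0x0c) ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(v):
    if v < 0:
        raise ValueError("demo handles non-negative INTEGERs only")
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")  # keeps a leading 0x00 if high bit set
    return b"\x02" + der_len(len(b)) + b

def der_utf8(s):
    b = s.encode()
    return b"\x0c" + der_len(len(b)) + b

def der_seq(items):
    body = b"".join(items)
    return b"\x30" + der_len(len(body)) + body

def tree_to_der(node):
    if isinstance(node, list):
        return der_seq([tree_to_der(i) for i in node])
    if isinstance(node, int):
        return der_int(node)
    if isinstance(node, str):
        return der_utf8(node)
    raise TypeError(type(node))

def der_read(buf, pos=0):
    """One TLV at pos -> (tag, value, next_pos); rejects non-minimal lengths (DER rule)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad length header")
        lb = buf[pos:pos + n]
        length = int.from_bytes(lb, "big")
        pos += n
        if lb[0] == 0 or length < 0x80:
            raise ValueError("non-minimal length (not DER)")
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:end], end

def der_decode(buf, pos=0):
    """Decode one element -> (python tree, next_pos): SEQUENCE->list, INTEGER->int, UTF8String->str."""
    tag, v, end = der_read(buf, pos)
    if tag == 0x30:
        items, p = [], 0
        while p < len(v):
            node, p = der_decode(v, p)
            items.append(node)
        return items, end
    if tag == 0x02:
        if len(v) > 1 and ((v[0] == 0 and v[1] < 0x80) or (v[0] == 0xFF and v[1] >= 0x80)):
            raise ValueError("non-minimal INTEGER (not DER)")
        return int.from_bytes(v, "big", signed=True), end
    if tag == 0x0C:
        return v.decode(), end
    raise ValueError(f"unsupported tag 0x{tag:02x}")

# ---- minimal CBOR: unsigned int (major 0), text string (major 3), array (major 4) ----
def _cbor_head(major, n):
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
    raise ValueError("too large")

def cbor_encode(node):
    if isinstance(node, list):
        return _cbor_head(4, len(node)) + b"".join(cbor_encode(i) for i in node)
    if isinstance(node, int):
        return _cbor_head(0, node)
    b = node.encode()
    return _cbor_head(3, len(b)) + b

def cbor_decode(buf, pos=0):
    major, ai = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if ai < 24:
        n = ai
    elif ai <= 27:
        size = 1 << (ai - 24)
        n = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    else:
        raise ValueError("unsupported additional info")
    if major == 0:
        return n, pos
    if major == 3:
        return buf[pos:pos + n].decode(), pos + n
    if major == 4:
        items = []
        for _ in range(n):
            node, pos = cbor_decode(buf, pos)
            items.append(node)
        return items, pos
    raise ValueError("unsupported major type")

# Constructed toy tbsCertificate: [version, serialNumber, issuer, subject]
TBS = [2, 4660, "CN=Example CA", "CN=device-0001"]

def signed_input(tbs_bytes):
    """Stand-in for the CA signature: what is signed is a function of these exact bytes."""
    return hashlib.sha256(tbs_bytes).hexdigest()

def demo():
    tbs_der = tree_to_der(TBS)
    sig = signed_input(tbs_der)                      # "signature" the CA issued over DER
    tree, _ = der_decode(tbs_der)
    tbs_cbor = cbor_encode(tree)                     # same content, sent as CBOR
    naive_ok = signed_input(tbs_cbor) == sig         # verifying over CBOR bytes: fails
    tree2, _ = cbor_decode(tbs_cbor)
    tbs_der2 = tree_to_der(tree2)                    # re-derive DER before verifying
    reencode_ok = tbs_der2 == tbs_der and signed_input(tbs_der2) == sig
    return {"der_len": len(tbs_der), "cbor_len": len(tbs_cbor),
            "naive_ok": naive_ok, "reencode_ok": reencode_ok}

if __name__ == "__main__":
    print(demo())
```

Run as a script it reports the DER and CBOR sizes (CBOR is shorter even for this tiny structure), that the signature does not check out over the CBOR bytes, and that it does once the structure is re-encoded to DER. A certificate whose signature is made over the CBOR bytes would need the CA to sign those bytes in the first place; no re-encoding on the relying party's side can produce it.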
Re: Parsing and generating CBOR certificates?
> I'd welcome support for CBOR(-encoded) certificates since they can save a lot
> of space for both the data itself and the code handling it, which may be
> vital for IoT scenarios, for instance.
> It looks like the standardization of their definition got pretty far already.

Exactly! And there's been a bunch of publications describing/defining CBOR
encoding for IoT certificates, such as
http://kth.diva-portal.org/smash/get/diva2:1153958/FULLTEXT01.pdf

> Although it is certainly possible to convert between DER-encoded ASN.1 (or at
> least its subset needed for X.509 certs) and CBOR, this is not strictly
> needed since there is a definition of natively signed CBOR certs.
> Thus all the ASN.1 fuzz, which is bulky and error-prone to implement and use,
> can be avoided then.

Yes. My primary goal is to reduce the overhead on the wire – but simplifying
the processing code would be welcome as well.

> It may be also worth noting in this context that due to its sheer size the
> OpenSSL code itself is not suited for constrained systems.
> Yet even then it would make sense if OpenSSL supported CBOR certs because
> they could be used by TLS peers on constrained systems.

Yes.

> Moreover, when using only natively signed CBOR certs it should be possible
> (though likely hard to achieve with the current strongly ASN.1 entangled
> libcrypto code) to build OpenSSL without any ASN.1 support, which should
> reduce code size drastically.

Something I don't urgently need, but would welcome regardless.

> I suggest opening a feature request at
> https://github.com/openssl/openssl/issues

Done: https://github.com/openssl/openssl/issues/13925

Thanks!

On 21.01.21 02:07, Blumenthal, Uri - 0553 - MITLL wrote:
> On 1/20/21, 19:42, "Benjamin Kaduk" wrote:
>> And again, where do you believe such a conversion is specified?
>
> What do you mean "specified"? There's an ASN.1 "specification" of the
> certificate format, which theoretically can be encoded into whatever - DER,
> PER, OER, etc. One such tool (https://github.com/mouse07410/asn1c.git that I
> use) generates from ASN.1 file codecs for many encoding formats, and is able
> to convert between them.
>
> Unfortunately, there's no ASN.1 -> CBOR codec generator, AFAIK, which is why
> I'm asking here.
>
>> The IETF internet-draft I reference is a way to do so, but it is (to repeat)
>> very much a work in progress.
>
> Understood. Do you know if there's any code behind it? Or just the "theory"?
>
> Thanks!
>
> On Thu, Jan 21, 2021 at 12:35:24AM +, Blumenthal, Uri - 0553 - MITLL wrote:
>> I meant not "CBOR protocol" (which, in all likelihood, doesn't and
>> shouldn't exist) but CBOR encoding of X.509 certificates (which, hopefully,
>> does exist).
>>
>> At least, I'm looking for a tool that would convert between these two
>> encodings (DER and CBOR) for specific objects (X.509-conformant
>> certificates).
>>
>> Thanks
>>
>> Regards,
>> Uri
>>
>>> On Jan 20, 2021, at 19:26, Kaduk, Ben wrote:
>>>
>>> No. OpenSSL does not include any CBOR protocol support.
>>> I'm also not sure what you mean by "CBOR-encoded certificate"; I don't
>>> know of any such thing other than
>>> https://datatracker.ietf.org/doc/draft-mattsson-cose-cbor-cert-compress/
>>> which is very much still a work in progress.
>>>
>>> -Ben
>>>
>>> From: Blumenthal, Uri - 0553 - MITLL
>>> Sent: Wednesday, January 20, 2021 4:22 PM
>>> To: openssl-users
>>> Subject: Parsing and generating CBOR certificates?
>>>
>>> I need to work with CBOR-encoded certificates. Is there any way to use
>>> OpenSSL to parse and/or generate certs in CBOR encoding?
>>>
>>> Thanks
>>>
>>> Regards,
>>> Uri
Re: Parsing and generating CBOR certificates?
Uri:
>> Unfortunately, there's no ASN.1 -> CBOR codec generator, AFAIK, which is why
>> I'm asking here.

Nope, and if there were, it would not generate the same result as the
compression routines that Ben referenced.

Russ
Re: Parsing and generating CBOR certificates?
I'd welcome support for CBOR(-encoded) certificates since they can save a lot
of space for both the data itself and the code handling it, which may be
vital for IoT scenarios, for instance.
It looks like the standardization of their definition got pretty far already.

Although it is certainly possible to convert between DER-encoded ASN.1 (or at
least its subset needed for X.509 certs) and CBOR, this is not strictly
needed since there is a definition of natively signed CBOR certs.
Thus all the ASN.1 fuzz, which is bulky and error-prone to implement and use,
can be avoided then.

https://tools.ietf.org/html/draft-mattsson-cose-cbor-cert-compress writes:
The use of natively signed CBOR certificates removes the need for ASN.1
encoding, which is a rich source of security vulnerabilities.

It may be also worth noting in this context that due to its sheer size the
OpenSSL code itself is not suited for constrained systems.
Yet even then it would make sense if OpenSSL supported CBOR certs because
they could be used by TLS peers on constrained systems.

Moreover, when using only natively signed CBOR certs it should be possible
(though likely hard to achieve with the current strongly ASN.1 entangled
libcrypto code) to build OpenSSL without any ASN.1 support, which should
reduce code size drastically.

I suggest opening a feature request at
https://github.com/openssl/openssl/issues

Regards,
David

On 21.01.21 02:07, Blumenthal, Uri - 0553 - MITLL wrote:
> On 1/20/21, 19:42, "Benjamin Kaduk" wrote:
>> And again, where do you believe such a conversion is specified?
>
> What do you mean "specified"? There's an ASN.1 "specification" of the
> certificate format, which theoretically can be encoded into whatever - DER,
> PER, OER, etc. One such tool (https://github.com/mouse07410/asn1c.git that I
> use) generates from ASN.1 file codecs for many encoding formats, and is able
> to convert between them.
>
> Unfortunately, there's no ASN.1 -> CBOR codec generator, AFAIK, which is why
> I'm asking here.
>
>> The IETF internet-draft I reference is a way to do so, but it is (to
>> repeat) very much a work in progress.
>
> Understood. Do you know if there's any code behind it? Or just the "theory"?
>
> Thanks!
>
> On Thu, Jan 21, 2021 at 12:35:24AM +, Blumenthal, Uri - 0553 - MITLL wrote:
>> I meant not "CBOR protocol" (which, in all likelihood, doesn't and
>> shouldn't exist) but CBOR encoding of X.509 certificates (which, hopefully,
>> does exist).
>>
>> At least, I'm looking for a tool that would convert between these two
>> encodings (DER and CBOR) for specific objects (X.509-conformant
>> certificates).
>>
>> Thanks
>>
>> Regards,
>> Uri
>>
>>> On Jan 20, 2021, at 19:26, Kaduk, Ben wrote:
>>>
>>> No. OpenSSL does not include any CBOR protocol support.
>>> I'm also not sure what you mean by "CBOR-encoded certificate"; I don't
>>> know of any such thing other than
>>> https://datatracker.ietf.org/doc/draft-mattsson-cose-cbor-cert-compress/
>>> which is very much still a work in progress.
>>>
>>> -Ben
>>>
>>> From: Blumenthal, Uri - 0553 - MITLL
>>> Sent: Wednesday, January 20, 2021 4:22 PM
>>> To: openssl-users
>>> Subject: Parsing and generating CBOR certificates?
>>>
>>> I need to work with CBOR-encoded certificates. Is there any way to use
>>> OpenSSL to parse and/or generate certs in CBOR encoding?
>>>
>>> Thanks
>>>
>>> Regards,
>>> Uri
Re: Parsing and generating CBOR certificates?
On 1/20/21, 19:42, "Benjamin Kaduk" wrote:
> And again, where do you believe such a conversion is specified?

What do you mean "specified"? There's an ASN.1 "specification" of the
certificate format, which theoretically can be encoded into whatever - DER,
PER, OER, etc. One such tool (https://github.com/mouse07410/asn1c.git that I
use) generates from ASN.1 file codecs for many encoding formats, and is able
to convert between them.

Unfortunately, there's no ASN.1 -> CBOR codec generator, AFAIK, which is why
I'm asking here.

> The IETF internet-draft I reference is a way to do so, but it is (to repeat)
> very much a work in progress.

Understood. Do you know if there's any code behind it? Or just the "theory"?

Thanks!

On Thu, Jan 21, 2021 at 12:35:24AM +, Blumenthal, Uri - 0553 - MITLL wrote:
> I meant not "CBOR protocol" (which, in all likelihood, doesn't and shouldn't
> exist) but CBOR encoding of X.509 certificates (which, hopefully, does
> exist).
>
> At least, I'm looking for a tool that would convert between these two
> encodings (DER and CBOR) for specific objects (X.509-conformant
> certificates).
>
> Thanks
>
> Regards,
> Uri
>
>> On Jan 20, 2021, at 19:26, Kaduk, Ben wrote:
>>
>> No. OpenSSL does not include any CBOR protocol support.
>> I'm also not sure what you mean by "CBOR-encoded certificate"; I don't
>> know of any such thing other than
>> https://datatracker.ietf.org/doc/draft-mattsson-cose-cbor-cert-compress/
>> which is very much still a work in progress.
>>
>> -Ben
>>
>> From: Blumenthal, Uri - 0553 - MITLL
>> Sent: Wednesday, January 20, 2021 4:22 PM
>> To: openssl-users
>> Subject: Parsing and generating CBOR certificates?
>>
>> I need to work with CBOR-encoded certificates. Is there any way to use
>> OpenSSL to parse and/or generate certs in CBOR encoding?
>>
>> Thanks
>>
>> Regards,
>> Uri
Re: Parsing and generating CBOR certificates?
And again, where do you believe such a conversion is specified?
The IETF internet-draft I reference is a way to do so, but it is (to repeat)
very much a work in progress.

-Ben

On Thu, Jan 21, 2021 at 12:35:24AM +, Blumenthal, Uri - 0553 - MITLL wrote:
> I meant not "CBOR protocol" (which, in all likelihood, doesn't and shouldn't
> exist) but CBOR encoding of X.509 certificates (which, hopefully, does
> exist).
>
> At least, I'm looking for a tool that would convert between these two
> encodings (DER and CBOR) for specific objects (X.509-conformant
> certificates).
>
> Thanks
>
> Regards,
> Uri
>
>> On Jan 20, 2021, at 19:26, Kaduk, Ben wrote:
>>
>> No. OpenSSL does not include any CBOR protocol support.
>> I'm also not sure what you mean by "CBOR-encoded certificate"; I don't
>> know of any such thing other than
>> https://datatracker.ietf.org/doc/draft-mattsson-cose-cbor-cert-compress/
>> which is very much still a work in progress.
>>
>> -Ben
>>
>> From: Blumenthal, Uri - 0553 - MITLL
>> Sent: Wednesday, January 20, 2021 4:22 PM
>> To: openssl-users
>> Subject: Parsing and generating CBOR certificates?
>>
>> I need to work with CBOR-encoded certificates. Is there any way to use
>> OpenSSL to parse and/or generate certs in CBOR encoding?
>>
>> Thanks
>>
>> Regards,
>> Uri
Re: Parsing and generating CBOR certificates?
I meant not "CBOR protocol" (which, in all likelihood, doesn't and shouldn't
exist) but CBOR encoding of X.509 certificates (which, hopefully, does
exist).

At least, I'm looking for a tool that would convert between these two
encodings (DER and CBOR) for specific objects (X.509-conformant
certificates).

Thanks

Regards,
Uri

> On Jan 20, 2021, at 19:26, Kaduk, Ben wrote:
>
> No. OpenSSL does not include any CBOR protocol support.
> I'm also not sure what you mean by "CBOR-encoded certificate"; I don't
> know of any such thing other than
> https://datatracker.ietf.org/doc/draft-mattsson-cose-cbor-cert-compress/
> which is very much still a work in progress.
>
> -Ben
>
> From: Blumenthal, Uri - 0553 - MITLL
> Sent: Wednesday, January 20, 2021 4:22 PM
> To: openssl-users
> Subject: Parsing and generating CBOR certificates?
>
> I need to work with CBOR-encoded certificates. Is there any way to use
> OpenSSL to parse and/or generate certs in CBOR encoding?
>
> Thanks
>
> Regards,
> Uri
Re: Parsing and generating CBOR certificates?
No. OpenSSL does not include any CBOR protocol support.
I'm also not sure what you mean by "CBOR-encoded certificate"; I don't
know of any such thing other than
https://datatracker.ietf.org/doc/draft-mattsson-cose-cbor-cert-compress/
which is very much still a work in progress.

-Ben

From: Blumenthal, Uri - 0553 - MITLL
Sent: Wednesday, January 20, 2021 4:22 PM
To: openssl-users
Subject: Parsing and generating CBOR certificates?

I need to work with CBOR-encoded certificates. Is there any way to use
OpenSSL to parse and/or generate certs in CBOR encoding?

Thanks

Regards,
Uri
Parsing and generating CBOR certificates?
I need to work with CBOR-encoded certificates. Is there any way to use
OpenSSL to parse and/or generate certs in CBOR encoding?

Thanks

Regards,
Uri