Hi Göran, In case it’s useful: there’s more X.509 examples including one IDevID in our draft: https://datatracker.ietf.org/doc/html/draft-ietf-anima-constrained-voucher#appendix-C.2 (For the IDevID, the “NotAfter” field wasn’t set to the max value because I couldn’t easily get OpenSSL to do this. In C509 this should become the ‘null’ value actually.)
It’s not a real device example, but a best-effort approximation of the 802.1AR standard. Esko From: COSE <[email protected]> On Behalf Of Göran Selander Sent: Tuesday, November 7, 2023 14:34 To: Robert Moskowitz <[email protected]>; [email protected] Subject: Re: [COSE] 802.1AR example Thanks, Bob! I wasn’t clear in the meeting what we have and what we may be missing. In section A.2 of C509 (https://datatracker.ietf.org/doc/html/draft-ietf-cose-cbor-encoded-cert-07#name-example-ieee-8021ar-profile) we are referring to section A.2 / C.2 in RFC 9148, which has similar certificates to the once you just sent. Very similar indeed, they are also made with your script 😊. The open issue was whether we should go with these or try to find deployed IDevID certificates from some device. Let’s continue the discussion offlist! Göran From: COSE <[email protected]<mailto:[email protected]>> on behalf of Robert Moskowitz <[email protected]<mailto:[email protected]>> Date: Tuesday, 7 November 2023 at 13:55 To: [email protected]<mailto:[email protected]> <[email protected]<mailto:[email protected]>> Subject: Re: [COSE] 802.1AR example On 11/7/23 07:41, Robert Moskowitz wrote: > I just checke my draft: > > draft-moskowitz-ec-pki/draft-moskowitz-ec-pki > > And there are no actual examples. So I looked in my files where I did > the testing for writing this and here is a 1AR DER: > > -----BEGIN CERTIFICATE----- > MIICYzCCAgmgAwIBAgIIUQ3O0GPrmkYwCgYIKoZIzj0EAwIwWDELMAkGA1UEBhMC > VVMxCzAJBgNVBAgMAk1JMREwDwYDVQQHDAhPYWsgUGFyazEXMBUGA1UECgwOSFRU > IENvbnN1bHRpbmcxEDAOBgNVBAMMB1Jvb3QgQ0EwIBcNMTcwODE4MTg0MTExWhgP > OTk5OTEyMzEyMzU5NTlaMDwxFzAVBgNVBAoMDkhUVCBDb25zdWx0aW5nMRAwDgYD > VQQLDAdEZXZpY2VzMQ8wDQYDVQQFEwZXdDEyMzQwWTATBgcqhkjOPQIBBggqhkjO > PQMBBwNCAASDND5LR1ti1BF1Cie7sbvYtPxKA55xDVr6SbUPtfkQlux/3G7ld1f7 > E6QstR43jNftY2r3Fewa9h+5NVcAkhSZo4HWMIHTMAkGA1UdEwQCMAAwgYkGA1Ud > IwSBgTB/gBQm/YWlGql/tNedOcaEzHx40Ur/gqFcpFowWDELMAkGA1UEBhMCVVMx > CzAJBgNVBAgMAk1JMREwDwYDVQQHDAhPYWsgUGFyazEXMBUGA1UECgwOSFRUIENv > bnN1bHRpbmcxEDAOBgNVBAMMB1Jvb3QgQ0GCCQDyYdUCUKbOqjAOBgNVHQ8BAf8E > BAMCBaAwKgYDVR0RBCMwIaAfBggrBgEFBQcIBKATMBEGCSsGAQQBtDsKAQQEAQID > BDAKBggqhkjOPQQDAgNIADBFAiEAz/lrMNjZO+aaGi+sdsmHwSQWJjaEiBnCyJq5 > 7jiZb3ACIGvMYqqrtgnDPOM/tDQ9UAm2zEzNmrLmGC+6xJDLxqTG > -----END CERTIFICATE----- > > > See what you get when you cbor it! openssl x509 -noout -text -in /home/rgm/data/ca/8021ARintermediate/certs/Wt1234.cert.pem Certificate: Data: Version: 3 (0x2) Serial Number: 5840551686194305606 (0x510dced063eb9a46) Signature Algorithm: ecdsa-with-SHA256 Issuer: C = US, ST = MI, L = Oak Park, O = HTT Consulting, CN = Root CA Validity Not Before: Aug 18 18:41:11 2017 GMT Not After : Dec 31 23:59:59 9999 GMT Subject: O = HTT Consulting, OU = Devices, serialNumber = Wt1234 Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:83:34:3e:4b:47:5b:62:d4:11:75:0a:27:bb:b1: bb:d8:b4:fc:4a:03:9e:71:0d:5a:fa:49:b5:0f:b5: f9:10:96:ec:7f:dc:6e:e5:77:57:fb:13:a4:2c:b5: 1e:37:8c:d7:ed:63:6a:f7:15:ec:1a:f6:1f:b9:35: 57:00:92:14:99 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Authority Key Identifier: keyid:26:FD:85:A5:1A:A9:7F:B4:D7:9D:39:C6:84:CC:7C:78:D1:4A:FF:82 DirName:/C=US/ST=MI/L=Oak Park/O=HTT Consulting/CN=Root CA serial:F2:61:D5:02:50:A6:CE:AA X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Subject Alternative Name: othername: 1.3.6.1.5.5.7.8.4::<unsupported> Signature Algorithm: ecdsa-with-SHA256 Signature Value: 30:45:02:21:00:cf:f9:6b:30:d8:d9:3b:e6:9a:1a:2f:ac:76: c9:87:c1:24:16:26:36:84:88:19:c2:c8:9a:b9:ee:38:99:6f: 70:02:20:6b:cc:62:aa:ab:b6:09:c3:3c:e3:3f:b4:34:3d:50: 09:b6:cc:4c:cd:9a:b2:e6:18:2f:ba:c4:90:cb:c6:a4:c6 openssl asn1parse -i -in /home/rgm/data/ca/8021ARintermediate/certs/Wt1234.cert.pem 0:d=0 hl=4 l= 611 cons: SEQUENCE 4:d=1 hl=4 l= 521 cons: SEQUENCE 8:d=2 hl=2 l= 3 cons: cont [ 0 ] 10:d=3 hl=2 l= 1 prim: INTEGER :02 13:d=2 hl=2 l= 8 prim: INTEGER :510DCED063EB9A46 23:d=2 hl=2 l= 10 cons: SEQUENCE 25:d=3 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256 35:d=2 hl=2 l= 88 cons: SEQUENCE 37:d=3 hl=2 l= 11 cons: SET 39:d=4 hl=2 l= 9 cons: SEQUENCE 41:d=5 hl=2 l= 3 prim: OBJECT :countryName 46:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US 50:d=3 hl=2 l= 11 cons: SET 52:d=4 hl=2 l= 9 cons: SEQUENCE 54:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName 59:d=5 hl=2 l= 2 prim: UTF8STRING :MI 63:d=3 hl=2 l= 17 cons: SET 65:d=4 hl=2 l= 15 cons: SEQUENCE 67:d=5 hl=2 l= 3 prim: OBJECT :localityName 72:d=5 hl=2 l= 8 prim: UTF8STRING :Oak Park 82:d=3 hl=2 l= 23 cons: SET 84:d=4 hl=2 l= 21 cons: SEQUENCE 86:d=5 hl=2 l= 3 prim: OBJECT :organizationName 91:d=5 hl=2 l= 14 prim: UTF8STRING :HTT Consulting 107:d=3 hl=2 l= 16 cons: SET 109:d=4 hl=2 l= 14 cons: SEQUENCE 111:d=5 hl=2 l= 3 prim: OBJECT :commonName 116:d=5 hl=2 l= 7 prim: UTF8STRING :Root CA 125:d=2 hl=2 l= 32 cons: SEQUENCE 127:d=3 hl=2 l= 13 prim: UTCTIME :170818184111Z 142:d=3 hl=2 l= 15 prim: GENERALIZEDTIME :99991231235959Z 159:d=2 hl=2 l= 60 cons: SEQUENCE 161:d=3 hl=2 l= 23 cons: SET 163:d=4 hl=2 l= 21 cons: SEQUENCE 165:d=5 hl=2 l= 3 prim: OBJECT :organizationName 170:d=5 hl=2 l= 14 prim: UTF8STRING :HTT Consulting 186:d=3 hl=2 l= 16 cons: SET 188:d=4 hl=2 l= 14 cons: SEQUENCE 190:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName 195:d=5 hl=2 l= 7 prim: UTF8STRING :Devices 204:d=3 hl=2 l= 15 cons: SET 206:d=4 hl=2 l= 13 cons: SEQUENCE 208:d=5 hl=2 l= 3 prim: OBJECT :serialNumber 213:d=5 hl=2 l= 6 prim: PRINTABLESTRING :Wt1234 221:d=2 hl=2 l= 89 cons: SEQUENCE 223:d=3 hl=2 l= 19 cons: SEQUENCE 225:d=4 hl=2 l= 7 prim: OBJECT :id-ecPublicKey 234:d=4 hl=2 l= 8 prim: OBJECT :prime256v1 244:d=3 hl=2 l= 66 prim: BIT STRING 312:d=2 hl=3 l= 214 cons: cont [ 3 ] 315:d=3 hl=3 l= 211 cons: SEQUENCE 318:d=4 hl=2 l= 9 cons: SEQUENCE 320:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints 325:d=5 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:3000 329:d=4 hl=3 l= 137 cons: SEQUENCE 332:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier 337:d=5 hl=3 l= 129 prim: OCTET STRING [HEX DUMP]:307F801426FD85A51AA97FB4D79D39C684CC7C78D14AFF82A15CA45A3058310B3009060355040613025553310B300906035504080C024D493111300F06035504070C084F616B205061726B31173015060355040A0C0E48545420436F6E73756C74696E673110300E06035504030C07526F6F74204341820900F261D50250A6CEAA 469:d=4 hl=2 l= 14 cons: SEQUENCE 471:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage 476:d=5 hl=2 l= 1 prim: BOOLEAN :255 479:d=5 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0 485:d=4 hl=2 l= 42 cons: SEQUENCE 487:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name 492:d=5 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:3021A01F06082B06010505070804A013301106092B06010401B43B0A01040401020304 529:d=1 hl=2 l= 10 cons: SEQUENCE 531:d=2 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256 541:d=1 hl=2 l= 72 prim: BIT STRING openssl asn1parse -i -strparse 492 -in /home/rgm/data/ca/8021ARintermediate/certs/Wt1234.cert.pem 0:d=0 hl=2 l= 33 cons: SEQUENCE 2:d=1 hl=2 l= 31 cons: cont [ 0 ] 4:d=2 hl=2 l= 8 prim: OBJECT :1.3.6.1.5.5.7.8.4 14:d=2 hl=2 l= 19 cons: cont [ 0 ] 16:d=3 hl=2 l= 17 cons: SEQUENCE 18:d=4 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.6715.10.1 29:d=4 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:01020304 Bob _______________________________________________ COSE mailing list [email protected]<mailto:[email protected]> https://www.ietf.org/mailman/listinfo/cose
_______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
