On 11/7/23 09:13, Esko Dijk wrote:
Hi Göran,
In case it’s useful: there’s more X.509 examples including one IDevID
in our draft:
https://datatracker.ietf.org/doc/html/draft-ietf-anima-constrained-voucher#appendix-C.2
(For the IDevID, the “NotAfter” field wasn’t set to the max value
because I couldn’t easily get OpenSSL to do this. In C509 this should
become the ‘null’ value actually.)
It is not too hard. Just hard enough. I got it working. After a month
of conversations back in '18 on the open-ssl list.
It’s not a real device example, but a best-effort approximation of the
802.1AR standard.
Esko
*From:*COSE <[email protected]> *On Behalf Of *Göran Selander
*Sent:* Tuesday, November 7, 2023 14:34
*To:* Robert Moskowitz <[email protected]>; [email protected]
*Subject:* Re: [COSE] 802.1AR example
Thanks, Bob!
I wasn’t clear in the meeting what we have and what we may be missing.
In section A.2 of C509
(https://datatracker.ietf.org/doc/html/draft-ietf-cose-cbor-encoded-cert-07#name-example-ieee-8021ar-profile)
we are referring to section A.2 / C.2 in RFC 9148, which has similar
certificates to the once you just sent. Very similar indeed, they are
also made with your script 😊.
The open issue was whether we should go with these or try to find
deployed IDevID certificates from some device.
Let’s continue the discussion offlist!
Göran
*From: *COSE <[email protected]> on behalf of Robert Moskowitz
<[email protected]>
*Date: *Tuesday, 7 November 2023 at 13:55
*To: *[email protected] <[email protected]>
*Subject: *Re: [COSE] 802.1AR example
On 11/7/23 07:41, Robert Moskowitz wrote:
> I just checke my draft:
>
> draft-moskowitz-ec-pki/draft-moskowitz-ec-pki
>
> And there are no actual examples. So I looked in my files where I did
> the testing for writing this and here is a 1AR DER:
>
> -----BEGIN CERTIFICATE-----
> MIICYzCCAgmgAwIBAgIIUQ3O0GPrmkYwCgYIKoZIzj0EAwIwWDELMAkGA1UEBhMC
> VVMxCzAJBgNVBAgMAk1JMREwDwYDVQQHDAhPYWsgUGFyazEXMBUGA1UECgwOSFRU
> IENvbnN1bHRpbmcxEDAOBgNVBAMMB1Jvb3QgQ0EwIBcNMTcwODE4MTg0MTExWhgP
> OTk5OTEyMzEyMzU5NTlaMDwxFzAVBgNVBAoMDkhUVCBDb25zdWx0aW5nMRAwDgYD
> VQQLDAdEZXZpY2VzMQ8wDQYDVQQFEwZXdDEyMzQwWTATBgcqhkjOPQIBBggqhkjO
> PQMBBwNCAASDND5LR1ti1BF1Cie7sbvYtPxKA55xDVr6SbUPtfkQlux/3G7ld1f7
> E6QstR43jNftY2r3Fewa9h+5NVcAkhSZo4HWMIHTMAkGA1UdEwQCMAAwgYkGA1Ud
> IwSBgTB/gBQm/YWlGql/tNedOcaEzHx40Ur/gqFcpFowWDELMAkGA1UEBhMCVVMx
> CzAJBgNVBAgMAk1JMREwDwYDVQQHDAhPYWsgUGFyazEXMBUGA1UECgwOSFRUIENv
> bnN1bHRpbmcxEDAOBgNVBAMMB1Jvb3QgQ0GCCQDyYdUCUKbOqjAOBgNVHQ8BAf8E
> BAMCBaAwKgYDVR0RBCMwIaAfBggrBgEFBQcIBKATMBEGCSsGAQQBtDsKAQQEAQID
> BDAKBggqhkjOPQQDAgNIADBFAiEAz/lrMNjZO+aaGi+sdsmHwSQWJjaEiBnCyJq5
> 7jiZb3ACIGvMYqqrtgnDPOM/tDQ9UAm2zEzNmrLmGC+6xJDLxqTG
> -----END CERTIFICATE-----
>
>
> See what you get when you cbor it!
openssl x509 -noout -text -in
/home/rgm/data/ca/8021ARintermediate/certs/Wt1234.cert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5840551686194305606 (0x510dced063eb9a46)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, ST = MI, L = Oak Park, O = HTT Consulting, CN =
Root CA
Validity
Not Before: Aug 18 18:41:11 2017 GMT
Not After : Dec 31 23:59:59 9999 GMT
Subject: O = HTT Consulting, OU = Devices, serialNumber = Wt1234
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:83:34:3e:4b:47:5b:62:d4:11:75:0a:27:bb:b1:
bb:d8:b4:fc:4a:03:9e:71:0d:5a:fa:49:b5:0f:b5:
f9:10:96:ec:7f:dc:6e:e5:77:57:fb:13:a4:2c:b5:
1e:37:8c:d7:ed:63:6a:f7:15:ec:1a:f6:1f:b9:35:
57:00:92:14:99
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Authority Key Identifier:
keyid:26:FD:85:A5:1A:A9:7F:B4:D7:9D:39:C6:84:CC:7C:78:D1:4A:FF:82
DirName:/C=US/ST=MI/L=Oak Park/O=HTT
Consulting/CN=Root CA
serial:F2:61:D5:02:50:A6:CE:AA
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
othername: 1.3.6.1.5.5.7.8.4::<unsupported>
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:45:02:21:00:cf:f9:6b:30:d8:d9:3b:e6:9a:1a:2f:ac:76:
c9:87:c1:24:16:26:36:84:88:19:c2:c8:9a:b9:ee:38:99:6f:
70:02:20:6b:cc:62:aa:ab:b6:09:c3:3c:e3:3f:b4:34:3d:50:
09:b6:cc:4c:cd:9a:b2:e6:18:2f:ba:c4:90:cb:c6:a4:c6
openssl asn1parse -i -in
/home/rgm/data/ca/8021ARintermediate/certs/Wt1234.cert.pem
0:d=0 hl=4 l= 611 cons: SEQUENCE
4:d=1 hl=4 l= 521 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 8 prim: INTEGER :510DCED063EB9A46
23:d=2 hl=2 l= 10 cons: SEQUENCE
25:d=3 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256
35:d=2 hl=2 l= 88 cons: SEQUENCE
37:d=3 hl=2 l= 11 cons: SET
39:d=4 hl=2 l= 9 cons: SEQUENCE
41:d=5 hl=2 l= 3 prim: OBJECT :countryName
46:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US
50:d=3 hl=2 l= 11 cons: SET
52:d=4 hl=2 l= 9 cons: SEQUENCE
54:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
59:d=5 hl=2 l= 2 prim: UTF8STRING :MI
63:d=3 hl=2 l= 17 cons: SET
65:d=4 hl=2 l= 15 cons: SEQUENCE
67:d=5 hl=2 l= 3 prim: OBJECT :localityName
72:d=5 hl=2 l= 8 prim: UTF8STRING :Oak Park
82:d=3 hl=2 l= 23 cons: SET
84:d=4 hl=2 l= 21 cons: SEQUENCE
86:d=5 hl=2 l= 3 prim: OBJECT :organizationName
91:d=5 hl=2 l= 14 prim: UTF8STRING :HTT Consulting
107:d=3 hl=2 l= 16 cons: SET
109:d=4 hl=2 l= 14 cons: SEQUENCE
111:d=5 hl=2 l= 3 prim: OBJECT :commonName
116:d=5 hl=2 l= 7 prim: UTF8STRING :Root CA
125:d=2 hl=2 l= 32 cons: SEQUENCE
127:d=3 hl=2 l= 13 prim: UTCTIME :170818184111Z
142:d=3 hl=2 l= 15 prim: GENERALIZEDTIME :99991231235959Z
159:d=2 hl=2 l= 60 cons: SEQUENCE
161:d=3 hl=2 l= 23 cons: SET
163:d=4 hl=2 l= 21 cons: SEQUENCE
165:d=5 hl=2 l= 3 prim: OBJECT :organizationName
170:d=5 hl=2 l= 14 prim: UTF8STRING :HTT Consulting
186:d=3 hl=2 l= 16 cons: SET
188:d=4 hl=2 l= 14 cons: SEQUENCE
190:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
195:d=5 hl=2 l= 7 prim: UTF8STRING :Devices
204:d=3 hl=2 l= 15 cons: SET
206:d=4 hl=2 l= 13 cons: SEQUENCE
208:d=5 hl=2 l= 3 prim: OBJECT :serialNumber
213:d=5 hl=2 l= 6 prim: PRINTABLESTRING :Wt1234
221:d=2 hl=2 l= 89 cons: SEQUENCE
223:d=3 hl=2 l= 19 cons: SEQUENCE
225:d=4 hl=2 l= 7 prim: OBJECT :id-ecPublicKey
234:d=4 hl=2 l= 8 prim: OBJECT :prime256v1
244:d=3 hl=2 l= 66 prim: BIT STRING
312:d=2 hl=3 l= 214 cons: cont [ 3 ]
315:d=3 hl=3 l= 211 cons: SEQUENCE
318:d=4 hl=2 l= 9 cons: SEQUENCE
320:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Basic
Constraints
325:d=5 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:3000
329:d=4 hl=3 l= 137 cons: SEQUENCE
332:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority
Key Identifier
337:d=5 hl=3 l= 129 prim: OCTET STRING [HEX
DUMP]:307F801426FD85A51AA97FB4D79D39C684CC7C78D14AFF82A15CA45A3058310B3009060355040613025553310B300906035504080C024D493111300F06035504070C084F616B205061726B31173015060355040A0C0E48545420436F6E73756C74696E673110300E06035504030C07526F6F74204341820900F261D50250A6CEAA
469:d=4 hl=2 l= 14 cons: SEQUENCE
471:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
476:d=5 hl=2 l= 1 prim: BOOLEAN :255
479:d=5 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0
485:d=4 hl=2 l= 42 cons: SEQUENCE
487:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject
Alternative Name
492:d=5 hl=2 l= 35 prim: OCTET STRING [HEX
DUMP]:3021A01F06082B06010505070804A013301106092B06010401B43B0A01040401020304
529:d=1 hl=2 l= 10 cons: SEQUENCE
531:d=2 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256
541:d=1 hl=2 l= 72 prim: BIT STRING
openssl asn1parse -i -strparse 492 -in
/home/rgm/data/ca/8021ARintermediate/certs/Wt1234.cert.pem
0:d=0 hl=2 l= 33 cons: SEQUENCE
2:d=1 hl=2 l= 31 cons: cont [ 0 ]
4:d=2 hl=2 l= 8 prim: OBJECT :1.3.6.1.5.5.7.8.4
14:d=2 hl=2 l= 19 cons: cont [ 0 ]
16:d=3 hl=2 l= 17 cons: SEQUENCE
18:d=4 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.6715.10.1
29:d=4 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:01020304
Bob
_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
<https://www.ietf.org/mailman/listinfo/cose>
_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
