Parsing and generating CBOR certificates?


Parsing and generating CBOR certificates?

Blumenthal, Uri - 0553 - MITLL
I need to work with CBOR-encoded certificates. Is there any way to use OpenSSL to parse and/or generate certs in CBOR encoding?

Thanks

Regards,
Uri


Re: Parsing and generating CBOR certificates?

OpenSSL - User mailing list
No.  OpenSSL does not include any CBOR protocol support.
I'm also not sure what you mean by "CBOR-encoded certificate"; I don't
know of any such thing other than
https://datatracker.ietf.org/doc/draft-mattsson-cose-cbor-cert-compress/
which is very much still a work in progress.

-Ben


Re: Parsing and generating CBOR certificates?

Blumenthal, Uri - 0553 - MITLL
I meant not "CBOR protocol" (which, in all likelihood, doesn't and shouldn't exist) but CBOR encoding of X.509 certificates (which, hopefully, does exist).

At least, I'm looking for a tool that would convert between these two encodings (DER and CBOR) for specific objects (X.509-conformant certificates).

Thanks

Regards,
Uri


Re: Parsing and generating CBOR certificates?

OpenSSL - User mailing list
And again, where do you believe such a conversion is specified?
The IETF internet-draft I reference is a way to do so, but it is (to repeat)
very much a work in progress.

-Ben


Re: Parsing and generating CBOR certificates?

Blumenthal, Uri - 0553 - MITLL
On 1/20/21, 19:42, "Benjamin Kaduk" <[hidden email]> wrote:
>    And again, where do you believe such a conversion is specified?

What do you mean "specified"? There's an ASN.1 "specification" of the certificate format, which theoretically can be encoded into whatever - DER, PER, OER, etc. One such tool (https://github.com/mouse07410/asn1c.git, which I use) generates codecs for many encoding formats from an ASN.1 file, and is able to convert between them.

Unfortunately, there's no ASN.1 -> CBOR codec generator, AFAIK, which is why I'm asking here.

>   The IETF internet-draft I reference is a way to do so, but it is (to repeat)
>   very much a work in progress.

Understood. Do you know if there's any code behind it? Or just the "theory"?

Thanks!


Re: Parsing and generating CBOR certificates?

David von Oheimb-2

I'd welcome support for CBOR(-encoded) certificates since they can save a lot of space
for both the data itself and the code handling it, which may be vital for IoT scenarios, for instance.
It looks like the standardization of their definition got pretty far already.

Although it is certainly possible to convert between DER-encoded ASN.1 (or at least its subset needed for X.509 certs) and CBOR,
this is not strictly needed since there is a definition of natively signed CBOR certs.
Thus all the ASN.1 fuzz, which is bulky and error-prone to implement and use, can be avoided then.

https://tools.ietf.org/html/draft-mattsson-cose-cbor-cert-compress writes:

   The use of natively signed CBOR certificates removes the need for
   ASN.1 encoding, which is a rich source of security vulnerabilities.

It may be also worth noting in this context that due to its sheer size the OpenSSL code itself is not suited for constrained systems.
Yet even then it would make sense if OpenSSL supported CBOR certs because they could be used by TLS peers on constrained systems.
Moreover, when using only natively signed CBOR certs it should be possible
(though likely hard to achieve with the current strongly ASN.1 entangled libcrypto code)
to build OpenSSL without any ASN.1 support, which should reduce code size drastically.

I suggest opening a feature request at https://github.com/openssl/openssl/issues

Regards,
    David


Re: Parsing and generating CBOR certificates?

Russ Housley
In reply to this post by Blumenthal, Uri - 0553 - MITLL
Uri:

> Unfortunately, there's no ASN.1 -> CBOR codec generator, AFAIK, which is why I'm asking here.

Nope, and if there were, it would not generate the same result as the compression routines that Ben referenced.

Russ



Re: Parsing and generating CBOR certificates?

Blumenthal, Uri - 0553 - MITLL
In reply to this post by David von Oheimb-2
> I'd welcome support for CBOR(-encoded) certificates since they can save a lot of space
> for both the data itself and the code handling it, which may be vital for IoT scenarios, for instance.
> It looks like the standardization of their definition got pretty far already.

Exactly! And there’s been a bunch of publications describing/defining CBOR encoding for IoT certificates, such as
http://kth.diva-portal.org/smash/get/diva2:1153958/FULLTEXT01.pdf

> Although it is certainly possible to convert between DER-encoded ASN.1 (or at least its subset needed for X.509 certs) and CBOR,
> this is not strictly needed since there is a definition of natively signed CBOR certs.
> Thus all the ASN.1 fuzz, which is bulky and error-prone to implement and use, can be avoided then.

Yes. My primary goal is to reduce the overhead on the wire – but simplifying the processing code would be welcome as well.

> It may be also worth noting in this context that due to it sheer size the OpenSSL code itself is not suited for constrained systems.
> Yet even then it would make sense if OpenSSL supported CBOR certs because they could be used by TLS peers on constrained systems.

Yes.

> Moreover, when using only natively signed CBOR certs it should be possible
> (though likely hard to achieve with the current strongly ASN.1 entangled libcrypto code)
> to build OpenSSL without any ASN.1 support, which should reduce code size drastically.

Something I don't urgently need, but would welcome regardless.

> I suggest opening a feature request at https://github.com/openssl/openssl/issues

Done: https://github.com/openssl/openssl/issues/13925

Thanks!



Re: Parsing and generating CBOR certificates?

Hubert Kario
In reply to this post by David von Oheimb-2
On Thursday, 21 January 2021 13:05:21 CET, David von Oheimb wrote:

> I'd welcome support for CBOR(-encoded) certificates since they can save
> a lot of space
> for both the data itself and the code handling it, which may be vital
> for IoT scenarios, for instance.
> It looks like the standardization of their definition got pretty far
> already.
>
> Although it is certainly possible to convert between DER-encoded ASN.1
> (or at least its subset needed for X.509 certs) and CBOR,
> this is not strictly needed since there is a definition of natively
> signed CBOR certs.
> Thus all the ASN.1 fuzz, which is bulky and error-prone to implement and
> use, can be avoided then.
>
> https://tools.ietf.org/html/draft-mattsson-cose-cbor-cert-compress writes:
>
>    The use of natively signed CBOR certificates removes the need for
>    ASN.1 encoding, which is a rich source of security vulnerabilities.

that's a huge and rather crucial difference

as X.509 certificate signatures are specified over byte strings that are the DER
encoding of the tbsCertificate structure

you can send that certificate however you want, including by translating it into
XML variant of ASN.1

but for verification you still need to turn that XML into DER so that you
can verify that the signature that the CA created is correct

if the signature is expected to be made over CBOR serialising of tbsCertificate,
then that's a completely different certificate and it's the CA that needs
to produce it, it's not something that openssl could do (convert from DER to
CBOR)

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
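To make Hubert's point concrete, here is an added example (not code from the thread, from OpenSSL, or from the draft): the signature in an X.509 certificate covers the exact DER octets of tbsCertificate, so any other carrier of the same content, CBOR included, only verifies once those octets are re-emitted byte for byte. The toy certificate is constructed inline with the RFC 5280 field layout, and its signatureValue is a plain SHA-256 digest standing in for the CA's signature over that digest.

```python
import hashlib

def der_tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, offset just past it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: 0x8n then n big-endian length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_len(n):
    """DER length octets: short form below 128, else the shortest long form."""
    if n < 128:
        return bytes([n])
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(octets)]) + octets

def der_encode(tag, value):
    return bytes([tag]) + der_len(len(value)) + value

def split_certificate(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Returns the raw tbsCertificate TLV (exactly the octets the issuer signed), alg, sig."""
    tag, body, _ = der_tlv(cert_der)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _, tbs_end = der_tlv(body)
    _, alg, alg_end = der_tlv(body, tbs_end)
    _, sig, _ = der_tlv(body, alg_end)
    return body[:tbs_end], alg, sig

def digest_matches(tbs_octets, sig_value):
    """Stand-in for verification: the toy signatureValue is SHA-256 over the tbs
    octets (a real CA signs that digest); sig_value[0] is the unused-bits octet."""
    return hashlib.sha256(tbs_octets).digest() == sig_value[1:]

# Constructed toy tbsCertificate: [0] version 2, serial 0x1234, sha256WithRSAEncryption AlgorithmIdentifier.
ALG_ID = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
TBS_DER = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02"))
                     + der_encode(0x02, b"\x12\x34") + ALG_ID)
SIG_VALUE = b"\x00" + hashlib.sha256(TBS_DER).digest()       # toy "signature"
CERT_DER = der_encode(0x30, TBS_DER + ALG_ID + der_encode(0x03, SIG_VALUE))

def check(cert_der):
    """Digest checks: original octets, non-DER re-encoding (non-minimal length), fresh DER."""
    tbs_raw, _, sig = split_certificate(cert_der)
    _, tbs_val, _ = der_tlv(tbs_raw)
    ber = b"\x30\x82" + len(tbs_val).to_bytes(2, "big") + tbs_val   # legal BER, not DER
    return (digest_matches(tbs_raw, sig), digest_matches(ber, sig),
            digest_matches(der_encode(0x30, tbs_val), sig))
```

`check(CERT_DER)` returns `(True, False, True)`: the content-preserving but non-DER re-encoding fails, and only a fresh, canonical DER emission of tbsCertificate reproduces the signed octets.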