Parsing and generating CBOR certificates?

David von Oheimb dev at
Thu Jan 21 12:05:21 UTC 2021

I'd welcome support for CBOR(-encoded) certificates since they can save
a lot of space
for both the data itself and the code handling it, which may be vital
for IoT scenarios, for instance.
It looks like the standardization of their definition got pretty far

Although it is certainly possible to convert between DER-encoded ASN.1
(or at least its subset needed for X.509 certs) and CBOR,
this is not strictly needed since there is a definition of natively
signed CBOR certs.
Thus all the ASN.1 fuzz, which is bulky and error-prone to implement and
use, can be avoided then. writes:

   The use of natively signed CBOR certificates removes the need for
   ASN.1 encoding, which is a rich source of security vulnerabilities.

It may be also worth noting in this context that due to it sheer size
the OpenSSL code itself is not suited for constrained systems.
Yet even then it would make sense if OpenSSL supported CBOR certs
because they could be used by TLS peers on constrained systems.
Moreover, when using only natively signed CBOR certs it should be possible
(though likely hard to achieve with the current strongly ASN.1 entangled
libcrypto code)
to build OpenSSL without any ASN.1 support, which should reduce code
size drastically.

I suggest opening a feature request at


On 21.01.21 02:07, Blumenthal, Uri - 0553 - MITLL wrote:
> On 1/20/21, 19:42, "Benjamin Kaduk" <bkaduk at> wrote:
>>    And again, where do you believe such a conversion is specified?
> What do you mean "specified"? There's an ASN.1 "specification" of the certificate format, which theoretically can be encoded into whatever - DER, PER, OER, etc. One such tool ( that I use) generates from ASN.1 file codecs for many encoding formats, and is able to convert between them.
> Unfortunately, there's no ASN.1 -> CBOR codec generator, AFAIK, which is why I'm asking here.
>>   The IETF internet-draft I reference is a way to do so, but it is (to repeat)
>>   very much a work in progress.
> Understood. Do you know if there's any code behind it? Or just the "theory"?
> Thanks!
> On Thu, Jan 21, 2021 at 12:35:24AM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
>> I meant not "CBOR protocol" (which,  in all likelihood, doesn't and shouldn't exist) but CBOR encoding of X.509 certificates (which, hopefully, does exists).
>> At least, I'm looking for a tool that would convert between these two encodings (DER and CBOR) for specific objects (X.509-conformant certificates).
>> Thanks
>> Regards,
>> Uri
>>> On Jan 20, 2021, at 19:26, Kaduk, Ben <bkaduk at> wrote:
>>> No.  OpenSSL does not include any CBOR protocol support.
>>> I'm also not sure what you mean by "CBOR-encoded certificate"; I don't
>>> know of any such thing other than
>>> which is very much still a work in progress.
>>> -Ben
>>> ________________________________________
>>> From: Blumenthal, Uri - 0553 - MITLL <uri at>
>>> Sent: Wednesday, January 20, 2021 4:22 PM
>>> To: openssl-users
>>> Subject: Parsing and generating CBOR certificates?
>>> I need to work with CBOR-encoded certificates. Is there any way to use OpenSSL to parse and/or generate certs in CBOR encoding?
>>> Thanks
>>> Regards,
>>> Uri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list