Parsing and generating CBOR certificates?
Blumenthal, Uri - 0553 - MITLL
uri at ll.mit.edu
Thu Jan 21 21:31:21 UTC 2021
> I'd welcome support for CBOR(-encoded) certificates since they can save a lot of space
> for both the data itself and the code handling it, which may be vital for IoT scenarios, for instance.
> It looks like the standardization of their definition got pretty far already.
Exactly! And there’s been a bunch of publications, describing/defining CBOR encoding for IoT certificates, such as
> Although it is certainly possible to convert between DER-encoded ASN.1 (or at least its subset needed for X.509 certs) and CBOR,
> this is not strictly needed since there is a definition of natively signed CBOR certs.
> Thus all the ASN.1 fuzz, which is bulky and error-prone to implement and use, can be avoided then.
Yes. My primary goal is to reduce the overhead on the wire – but simplifying the processing code would be welcome as well.
> It may be also worth noting in this context that due to its sheer size the OpenSSL code itself is not suited for constrained systems.
> Yet even then it would make sense if OpenSSL supported CBOR certs because they could be used by TLS peers on constrained systems.
> Moreover, when using only natively signed CBOR certs it should be possible
> (though likely hard to achieve with the current strongly ASN.1 entangled libcrypto code)
> to build OpenSSL without any ASN.1 support, which should reduce code size drastically.
Something I don't urgently need, but would welcome regardless.
> I suggest opening a feature request at https://github.com/openssl/openssl/issues
On 21.01.21 02:07, Blumenthal, Uri - 0553 - MITLL wrote:
On 1/20/21, 19:42, "Benjamin Kaduk" <bkaduk at akamai.com> wrote:
And again, where do you believe such a conversion is specified?
What do you mean "specified"? There's an ASN.1 "specification" of the certificate format, which theoretically can be encoded into whatever - DER, PER, OER, etc. One such tool (https://github.com/mouse07410/asn1c.git that I use) generates from ASN.1 file codecs for many encoding formats, and is able to convert between them.
Unfortunately, there's no ASN.1 -> CBOR codec generator, AFAIK, which is why I'm asking here.
The IETF internet-draft I reference is a way to do so, but it is (to repeat)
very much a work in progress.
Understood. Do you know if there's any code behind it? Or just the "theory"?
On Thu, Jan 21, 2021 at 12:35:24AM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
I meant not "CBOR protocol" (which, in all likelihood, doesn't and shouldn't exist) but CBOR encoding of X.509 certificates (which, hopefully, does exist).
At least, I'm looking for a tool that would convert between these two encodings (DER and CBOR) for specific objects (X.509-conformant certificates).
On Jan 20, 2021, at 19:26, Kaduk, Ben <bkaduk at akamai.com> wrote:
No. OpenSSL does not include any CBOR protocol support.
I'm also not sure what you mean by "CBOR-encoded certificate"; I don't
know of any such thing other than
which is very much still a work in progress.
From: Blumenthal, Uri - 0553 - MITLL <uri at ll.mit.edu>
Sent: Wednesday, January 20, 2021 4:22 PM
Subject: Parsing and generating CBOR certificates?
I need to work with CBOR-encoded certificates. Is there any way to use OpenSSL to parse and/or generate certs in CBOR encoding?