Parsing and generating CBOR certificates?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Thu Jan 21 21:31:21 UTC 2021


> I'd welcome support for CBOR(-encoded) certificates since they can save a lot of space
> for both the data itself and the code handling it, which may be vital for IoT scenarios, for instance.
> It looks like the standardization of their definition got pretty far already.

Exactly! And there’s been a bunch of publications, describing/defining CBOR encoding for IoT certificates, such as 
http://kth.diva-portal.org/smash/get/diva2:1153958/FULLTEXT01.pdf 
 
> Although it is certainly possible to convert between DER-encoded ASN.1 (or at least its subset needed for X.509 certs) and CBOR,
> this is not strictly needed since there is a definition of natively signed CBOR certs.
> Thus all the ASN.1 fuzz, which is bulky and error-prone to implement and use, can be avoided then.

Yes. My primary goal is to reduce the overhead on the wire – but simplifying the processing code would be welcome as well.

> It may be also worth noting in this context that due to its sheer size the OpenSSL code itself is not suited for constrained systems.
> Yet even then it would make sense if OpenSSL supported CBOR certs because they could be used by TLS peers on constrained systems.

Yes.

> Moreover, when using only natively signed CBOR certs it should be possible 
> (though likely hard to achieve with the current strongly ASN.1 entangled libcrypto code)
> to build OpenSSL without any ASN.1 support, which should reduce code size drastically.

Something I don't urgently need, but would welcome regardless.

> I suggest opening a feature request at https://github.com/openssl/openssl/issues

Done: https://github.com/openssl/openssl/issues/13925 

Thanks!


On 21.01.21 02:07, Blumenthal, Uri - 0553 - MITLL wrote:
On 1/20/21, 19:42, "Benjamin Kaduk" mailto:bkaduk at akamai.com wrote:
   And again, where do you believe such a conversion is specified?
What do you mean "specified"? There's an ASN.1 "specification" of the certificate format, which theoretically can be encoded into whatever - DER, PER, OER, etc. One such tool (https://github.com/mouse07410/asn1c.git that I use) generates from ASN.1 file codecs for many encoding formats, and is able to convert between them.

Unfortunately, there's no ASN.1 -> CBOR codec generator, AFAIK, which is why I'm asking here.

  The IETF internet-draft I reference is a way to do so, but it is (to repeat)
  very much a work in progress.
Understood. Do you know if there's any code behind it? Or just the "theory"?

Thanks!

On Thu, Jan 21, 2021 at 12:35:24AM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
I meant not "CBOR protocol" (which, in all likelihood, doesn't and shouldn't exist) but CBOR encoding of X.509 certificates (which, hopefully, does exist).

At least, I'm looking for a tool that would convert between these two encodings (DER and CBOR) for specific objects (X.509-conformant certificates).

Thanks

Regards,
Uri

On Jan 20, 2021, at 19:26, Kaduk, Ben mailto:bkaduk at akamai.com wrote:

No.  OpenSSL does not include any CBOR protocol support.
I'm also not sure what you mean by "CBOR-encoded certificate"; I don't
know of any such thing other than
https://datatracker.ietf.org/doc/draft-mattsson-cose-cbor-cert-compress/
which is very much still a work in progress.

-Ben

________________________________________
From: Blumenthal, Uri - 0553 - MITLL mailto:uri at ll.mit.edu
Sent: Wednesday, January 20, 2021 4:22 PM
To: openssl-users
Subject: Parsing and generating CBOR certificates?

I need to work with CBOR-encoded certificates. Is there any way to use OpenSSL to parse and/or generate certs in CBOR encoding?

Thanks

Regards,
Uri