<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>I'd welcome support for CBOR(-encoded) certificates since they
can save a lot of space<br>
for both the data itself and the code handling it, which may be
vital for IoT scenarios, for instance.<br>
It looks like the standardization of their definition got pretty
far already.</p>
<p>Although it is certainly possible to convert between DER-encoded
ASN.1 (or at least its subset needed for X.509 certs) and CBOR,<br>
this is not strictly needed since there is a definition of
natively signed CBOR certs.<br>
Thus all the ASN.1 fuzz, which is bulky and error-prone to
implement and use, can be avoided then.<br>
</p>
<p><a moz-do-not-send="true"
href="https://tools.ietf.org/html/draft-mattsson-cose-cbor-cert-compress">https://tools.ietf.org/html/draft-mattsson-cose-cbor-cert-compress</a>
writes:<br>
</p>
<pre> The use of natively signed CBOR certificates removes the need for
ASN.1 encoding, which is a rich source of security vulnerabilities.
</pre>
<div class="moz-cite-prefix"><br>
It may be also worth noting in this context that due to its sheer
size the OpenSSL code itself is not suited for constrained
systems.<br>
Yet even then it would make sense if OpenSSL supported CBOR certs
because they could be used by TLS peers on constrained systems.<br>
Moreover, when using only natively signed CBOR certs it should be
possible <br>
(though likely hard to achieve with the current strongly ASN.1
entangled libcrypto code)<br>
to build OpenSSL without any ASN.1 support, which should reduce
code size drastically.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">I suggest opening a feature request at
<a moz-do-not-send="true"
href="https://github.com/openssl/openssl/issues">https://github.com/openssl/openssl/issues</a><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Regards,<br>
</div>
<div class="moz-cite-prefix"> David</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 21.01.21 02:07, Blumenthal, Uri -
0553 - MITLL wrote:<br>
</div>
<blockquote type="cite"
cite="mid:50D045AE-043C-44AB-84B5-C37ADE90E5A3@ll.mit.edu">
<pre class="moz-quote-pre" wrap="">On 1/20/21, 19:42, "Benjamin Kaduk" <a class="moz-txt-link-rfc2396E" href="mailto:bkaduk@akamai.com"><bkaduk@akamai.com></a> wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap=""> And again, where do you believe such a conversion is specified?
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
What do you mean "specified"? There's an ASN.1 "specification" of the certificate format, which theoretically can be encoded into whatever - DER, PER, OER, etc. One such tool (<a class="moz-txt-link-freetext" href="https://github.com/mouse07410/asn1c.git">https://github.com/mouse07410/asn1c.git</a> that I use) generates from ASN.1 file codecs for many encoding formats, and is able to convert between them.
Unfortunately, there's no ASN.1 -> CBOR codec generator, AFAIK, which is why I'm asking here.
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap=""> The IETF internet-draft I reference is a way to do so, but it is (to repeat)
very much a work in progress.
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
Understood. Do you know if there's any code behind it? Or just the "theory"?
Thanks!
On Thu, Jan 21, 2021 at 12:35:24AM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
</pre>
<blockquote type="cite" style="font-style: italic; font-size:
large; color: #000033;">
<pre class="moz-quote-pre" wrap="">I meant not "CBOR protocol" (which, in all likelihood, doesn't and shouldn't exist) but CBOR encoding of X.509 certificates (which, hopefully, does exist).
At least, I'm looking for a tool that would convert between these two encodings (DER and CBOR) for specific objects (X.509-conformant certificates).
Thanks
Regards,
Uri
</pre>
<blockquote type="cite" style="font-style: italic; font-size:
large; color: #000033;">
<pre class="moz-quote-pre" wrap="">On Jan 20, 2021, at 19:26, Kaduk, Ben <a class="moz-txt-link-rfc2396E" href="mailto:bkaduk@akamai.com"><bkaduk@akamai.com></a> wrote:
No. OpenSSL does not include any CBOR protocol support.
I'm also not sure what you mean by "CBOR-encoded certificate"; I don't
know of any such thing other than
<a class="moz-txt-link-freetext" href="https://datatracker.ietf.org/doc/draft-mattsson-cose-cbor-cert-compress/">https://datatracker.ietf.org/doc/draft-mattsson-cose-cbor-cert-compress/</a>
which is very much still a work in progress.
-Ben
________________________________________
From: Blumenthal, Uri - 0553 - MITLL <a class="moz-txt-link-rfc2396E" href="mailto:uri@ll.mit.edu"><uri@ll.mit.edu></a>
Sent: Wednesday, January 20, 2021 4:22 PM
To: openssl-users
Subject: Parsing and generating CBOR certificates?
I need to work with CBOR-encoded certificates. Is there any way to use OpenSSL to parse and/or generate certs in CBOR encoding?
Thanks
Regards,
Uri
</pre>
</blockquote>
</blockquote>
</blockquote>
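<p>Added example, not code from this thread or from OpenSSL: a minimal CBOR (RFC 8949) encoder and a bounds-checked decoder for the subset needed here (integers, byte strings, text strings, arrays), beside a minimal DER encoder for the same fields, so the per-field overhead of the two encodings can be compared on one constructed record. The record (a serial number, an issuer name, two validity times as epoch seconds, a raw public key) is made up for the example; it is not a real certificate and does not follow the draft's certificate layout, so the larger savings the draft targets through its profile are not modelled. The decoder checks every claimed length against the bytes actually left in the buffer and rejects indefinite-length items and trailing bytes, which is the strictness a certificate parser needs whether the input is ASN.1 or CBOR.</p>

```python
# Added example (not from the thread or from OpenSSL): CBOR and DER encoders
# for one constructed record, plus a strict, bounds-checked CBOR decoder.


def cbor_head(major, n):
    """Initial bytes of a CBOR item: major type in the top 3 bits, argument
    in the low 5 bits (0-23 inline; 24..27 mean a 1/2/4/8-byte follow-on)."""
    if n < 24:
        return bytes([(major << 5) | n])
    for info, width in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * width):
            return bytes([(major << 5) | info]) + n.to_bytes(width, "big")
    raise ValueError("argument too large for CBOR")


def cbor_encode(value):
    """Encode int, bytes, str and list (the subset the toy record needs)."""
    if isinstance(value, bool):
        raise TypeError("bool is not handled in this subset")
    if isinstance(value, int):
        return cbor_head(0, value) if value >= 0 else cbor_head(1, -1 - value)
    if isinstance(value, bytes):
        return cbor_head(2, len(value)) + value
    if isinstance(value, str):
        utf8 = value.encode("utf-8")
        return cbor_head(3, len(utf8)) + utf8
    if isinstance(value, list):
        return cbor_head(4, len(value)) + b"".join(cbor_encode(v) for v in value)
    raise TypeError("unsupported type %r" % type(value))


def _take(buf, pos, n):
    """Return buf[pos:pos+n] only if those bytes exist; never read past the end."""
    if n > len(buf) - pos:
        raise ValueError("truncated item at offset %d" % pos)
    return buf[pos:pos + n], pos + n


def _decode_at(buf, pos):
    head, pos = _take(buf, pos, 1)
    major, info = head[0] >> 5, head[0] & 0x1F
    if info < 24:
        n = info
    elif 24 <= info <= 27:
        raw, pos = _take(buf, pos, 1 << (info - 24))
        n = int.from_bytes(raw, "big")
    else:  # 28-30 reserved, 31 = indefinite length: refused by this strict subset
        raise ValueError("unsupported additional information %d" % info)
    if major == 0:
        return n, pos
    if major == 1:
        return -1 - n, pos
    if major in (2, 3):
        raw, pos = _take(buf, pos, n)  # claimed length checked before any copy
        # invalid UTF-8 raises UnicodeDecodeError, a subclass of ValueError
        return (bytes(raw) if major == 2 else raw.decode("utf-8")), pos
    if major == 4:
        items = []
        for _ in range(n):  # an absurd item count fails at the first missing item
            item, pos = _decode_at(buf, pos)
            items.append(item)
        return items, pos
    raise ValueError("unsupported major type %d" % major)


def cbor_decode(buf):
    """Decode exactly one item; anything left over is an error."""
    value, end = _decode_at(buf, 0)
    if end != len(buf):
        raise ValueError("%d trailing byte(s)" % (len(buf) - end))
    return value


def is_rejected(buf):
    """True if the strict decoder refuses buf (used to probe malformed input)."""
    try:
        cbor_decode(buf)
        return False
    except ValueError:
        return True


def der_tlv(tag, content):
    """DER tag-length-value; short-form length below 128, long form above."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def der_int(value):
    """DER INTEGER for a non-negative value: minimal two's complement."""
    if value < 0:
        raise ValueError("only non-negative integers are encoded here")
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


# Constructed sample record: serial, issuer, notBefore, notAfter, raw public key.
SAMPLE_RECORD = [4660, "Example IoT CA", 1609459200, 1640995200, bytes(range(32))]


def der_encode_record(record):
    serial, issuer, not_before, not_after, pubkey = record
    body = (der_int(serial) + der_tlv(0x0C, issuer.encode("utf-8"))  # UTF8String
            + der_int(not_before) + der_int(not_after)
            + der_tlv(0x04, pubkey))                                  # OCTET STRING
    return der_tlv(0x30, body)                                        # SEQUENCE


def encoded_sizes(record=SAMPLE_RECORD):
    """Bytes on the wire for the same record in each encoding."""
    return {"der": len(der_encode_record(record)), "cbor": len(cbor_encode(record))}


if __name__ == "__main__":
    print(encoded_sizes())                                         # {'der': 68, 'cbor': 63}
    print(cbor_decode(cbor_encode(SAMPLE_RECORD)) == SAMPLE_RECORD)  # True
    print(is_rejected(cbor_encode(SAMPLE_RECORD)[:-1]))            # True (truncated)
```

<p>On this toy record the encoding-level saving is small (68 versus 63 bytes): every field still carries a type and a length in both formats, and CBOR's advantage here is only that its one-byte heads cover small lengths and values without a separate length byte. The parsing side is where the difference the thread cares about shows: the decoder above has one place where lengths are checked against the buffer and no indefinite-length or constructed-string cases to get wrong, which is much less surface than a general BER/DER decoder.</p>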
</body>
</html>