Re: Parsing and generating CBOR certificates?

I'd welcome support for CBOR(-encoded) certificates since they can save a lot of space
for both the data itself and the code handling it, which may be vital for IoT scenarios, for instance.
It looks like the standardization of their definition got pretty far already.

Although it is certainly possible to convert between DER-encoded ASN.1 (or at least its subset needed for X.509 certs) and CBOR,
this is not strictly needed since there is a definition of natively signed CBOR certs.
Thus all the ASN.1 fuzz, which is bulky and error-prone to implement and use, can be avoided then.

https://tools.ietf.org/html/draft-mattsson-cose-cbor-cert-compress writes:

   The use of natively signed CBOR certificates removes the need for
   ASN.1 encoding, which is a rich source of security vulnerabilities.

It may be also worth noting in this context that due to its sheer size the OpenSSL code itself is not suited for constrained systems.
Yet even then it would make sense if OpenSSL supported CBOR certs because they could be used by TLS peers on constrained systems.
Moreover, when using only natively signed CBOR certs it should be possible
(though likely hard to achieve with the current strongly ASN.1 entangled libcrypto code)
to build OpenSSL without any ASN.1 support, which should reduce code size drastically.

I suggest opening a feature request at https://github.com/openssl/openssl/issues

Regards,
    David

On 21.01.21 02:07, Blumenthal, Uri - 0553 - MITLL wrote:
On 1/20/21, 19:42, "Benjamin Kaduk" <bkaduk@xxxxxxxxxx> wrote:
   And again, where do you believe such a conversion is specified?
What do you mean "specified"? There's an ASN.1 "specification" of the certificate format, which theoretically can be encoded into whatever - DER, PER, OER, etc. One such tool (https://github.com/mouse07410/asn1c.git that I use) generates from ASN.1 file codecs for many encoding formats, and is able to convert between them.

Unfortunately, there's no ASN.1 -> CBOR codec generator, AFAIK, which is why I'm asking here.

  The IETF internet-draft I reference is a way to do so, but it is (to repeat)
  very much a work in progress.
Understood. Do you know if there's any code behind it? Or just the "theory"?

Thanks!

On Thu, Jan 21, 2021 at 12:35:24AM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
I meant not "CBOR protocol" (which, in all likelihood, doesn't and shouldn't exist) but CBOR encoding of X.509 certificates (which, hopefully, does exist).

At least, I'm looking for a tool that would convert between these two encodings (DER and CBOR) for specific objects (X.509-conformant certificates).

Thanks

Regards,
Uri

On Jan 20, 2021, at 19:26, Kaduk, Ben <bkaduk@xxxxxxxxxx> wrote:

No.  OpenSSL does not include any CBOR protocol support.
I'm also not sure what you mean by "CBOR-encoded certificate"; I don't
know of any such thing other than
https://datatracker.ietf.org/doc/draft-mattsson-cose-cbor-cert-compress/
which is very much still a work in progress.

-Ben

________________________________________
From: Blumenthal, Uri - 0553 - MITLL <uri@xxxxxxxxxx>
Sent: Wednesday, January 20, 2021 4:22 PM
To: openssl-users
Subject: Parsing and generating CBOR certificates?

I need to work with CBOR-encoded certificates. Is there any way to use OpenSSL to parse and/or generate certs in CBOR encoding?

Thanks

Regards,
Uri

    
