> I'd welcome support for CBOR(-encoded) certificates since they can save a lot of space
> for both the data itself and the code handling it, which may be vital for IoT scenarios, for instance.
> It looks like the standardization of their definition got pretty far already.

Exactly! And there's been a bunch of publications describing/defining CBOR encoding for IoT certificates, such as http://kth.diva-portal.org/smash/get/diva2:1153958/FULLTEXT01.pdf

> Although it is certainly possible to convert between DER-encoded ASN.1 (or at least its subset needed for X.509 certs) and CBOR,
> this is not strictly needed since there is a definition of natively signed CBOR certs.
> Thus all the ASN.1 fuzz, which is bulky and error-prone to implement and use, can be avoided then.

Yes. My primary goal is to reduce the overhead on the wire – but simplifying the processing code would be welcome as well.

> It may be also worth noting in this context that due to its sheer size the OpenSSL code itself is not suited for constrained systems.
> Yet even then it would make sense if OpenSSL supported CBOR certs because they could be used by TLS peers on constrained systems.

Yes.

> Moreover, when using only natively signed CBOR certs it should be possible
> (though likely hard to achieve with the current strongly ASN.1 entangled libcrypto code)
> to build OpenSSL without any ASN.1 support, which should reduce code size drastically.

Something I don't urgently need, but would welcome regardless.

> I suggest opening a feature request at https://github.com/openssl/openssl/issues

Done: https://github.com/openssl/openssl/issues/13925

Thanks!

On 21.01.21 02:07, Blumenthal, Uri - 0553 - MITLL wrote:

On 1/20/21, 19:42, "Benjamin Kaduk" <bkaduk@xxxxxxxxxx> wrote:

> And again, where do you believe such a conversion is specified?

What do you mean "specified"? There's an ASN.1 "specification" of the certificate format, which theoretically can be encoded into whatever - DER, PER, OER, etc.
One such tool (https://github.com/mouse07410/asn1c.git that I use) generates from an ASN.1 file codecs for many encoding formats, and is able to convert between them. Unfortunately, there's no ASN.1 -> CBOR codec generator, AFAIK, which is why I'm asking here.

> The IETF internet-draft I reference is a way to do so, but it is (to repeat) very much a work in progress.

Understood. Do you know if there's any code behind it? Or just the "theory"?

Thanks!

On Thu, Jan 21, 2021 at 12:35:24AM +0000, Blumenthal, Uri - 0553 - MITLL wrote:

I meant not "CBOR protocol" (which, in all likelihood, doesn't and shouldn't exist) but CBOR encoding of X.509 certificates (which, hopefully, does exist).
At least, I'm looking for a tool that would convert between these two encodings (DER and CBOR) for specific objects (X.509-conformant certificates).

Thanks

Regards,
Uri

On Jan 20, 2021, at 19:26, Kaduk, Ben <bkaduk@xxxxxxxxxx> wrote:

No. OpenSSL does not include any CBOR protocol support.
I'm also not sure what you mean by "CBOR-encoded certificate"; I don't know of any such thing other than https://datatracker.ietf.org/doc/draft-mattsson-cose-cbor-cert-compress/ which is very much still a work in progress.

-Ben

________________________________________
From: Blumenthal, Uri - 0553 - MITLL <uri@xxxxxxxxxx>
Sent: Wednesday, January 20, 2021 4:22 PM
To: openssl-users
Subject: Parsing and generating CBOR certificates?

I need to work with CBOR-encoded certificates. Is there any way to use OpenSSL to parse and/or generate certs in CBOR encoding?

Thanks

Regards,
Uri
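A constructed illustration of the on-the-wire saving the thread is about, added here as an example; it is not code from the thread, from OpenSSL, or from the draft linked above, and the record layout, field names and sample values are made up for the comparison rather than taken from any certificate profile. It encodes the same certificate-like record (serial, subject CN, validity window, raw key, raw signature) once with a minimal DER encoder and once with a minimal CBOR encoder (RFC 8949 major types 0, 2, 3 and 4), then reports the sizes, so the framing overhead of each encoding can be seen byte for byte.

```python
import datetime
import struct

# --- Minimal DER encoder (only the subset used below; not a full ASN.1 codec) ---

def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_length(len(value)) + value

def der_integer(n: int) -> bytes:
    """INTEGER for non-negative n: minimal big-endian two's complement, with a
    leading 0x00 when the top bit would otherwise read as a sign bit."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)

def der_octet_string(b: bytes) -> bytes:
    return der_tlv(0x04, b)

def der_utf8_string(s: str) -> bytes:
    return der_tlv(0x0C, s.encode("utf-8"))

def der_generalized_time(t: int) -> bytes:
    """GeneralizedTime 'YYYYMMDDHHMMSSZ' (15 ASCII bytes) from a Unix timestamp."""
    dt = datetime.datetime.fromtimestamp(t, tz=datetime.timezone.utc)
    return der_tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode("ascii"))

def der_sequence(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))

# --- Minimal CBOR encoder (RFC 8949 major types 0, 2, 3, 4) ---

def cbor_head(major: int, n: int) -> bytes:
    """Initial byte plus the shortest argument encoding that fits n."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        try:
            return bytes([(major << 5) | ai]) + struct.pack(fmt, n)
        except struct.error:
            continue  # does not fit this width, try the next
    raise ValueError("argument too large for CBOR head")

def cbor_uint(n: int) -> bytes:
    return cbor_head(0, n)

def cbor_bstr(b: bytes) -> bytes:
    return cbor_head(2, len(b)) + b

def cbor_tstr(s: str) -> bytes:
    data = s.encode("utf-8")
    return cbor_head(3, len(data)) + data

def cbor_array(*items: bytes) -> bytes:
    return cbor_head(4, len(items)) + b"".join(items)

# Constructed sample record: NOT a real certificate and NOT the layout of any
# published CBOR certificate profile; the values are placeholders.
SAMPLE = {
    "serial": 0x123456789ABC,
    "subject_cn": "sensor-0042",
    "not_before": 1609459200,        # 2021-01-01T00:00:00Z
    "not_after": 1640995200,         # 2022-01-01T00:00:00Z
    "public_key": bytes(range(32)),  # placeholder for a 32-byte raw key
    "signature": bytes(range(64)),   # placeholder for a 64-byte raw signature
}

def encode_der(rec: dict) -> bytes:
    """ASN.1-style SEQUENCE with nested validity SEQUENCE and GeneralizedTime."""
    return der_sequence(
        der_integer(rec["serial"]),
        der_utf8_string(rec["subject_cn"]),
        der_sequence(der_generalized_time(rec["not_before"]),
                     der_generalized_time(rec["not_after"])),
        der_octet_string(rec["public_key"]),
        der_octet_string(rec["signature"]),
    )

def encode_cbor(rec: dict) -> bytes:
    """Flat CBOR array; times carried as integer Unix timestamps."""
    return cbor_array(
        cbor_uint(rec["serial"]),
        cbor_tstr(rec["subject_cn"]),
        cbor_uint(rec["not_before"]),
        cbor_uint(rec["not_after"]),
        cbor_bstr(rec["public_key"]),
        cbor_bstr(rec["signature"]),
    )

def compare(rec: dict) -> dict:
    der, cbor = encode_der(rec), encode_cbor(rec)
    return {"der": len(der), "cbor": len(cbor), "saved": len(der) - len(cbor)}

if __name__ == "__main__":
    print(compare(SAMPLE))
```

For this record the DER form is 160 bytes and the CBOR form 132 bytes. The saving comes from two places: lighter framing (one head byte for the array and small integers, no nested SEQUENCE for the validity window, no long-form length once the outer value passes 127 bytes) and a representational choice (integer timestamps instead of 15-character GeneralizedTime strings), which is exactly the kind of decision a compact certificate profile makes. The raw key and signature bytes cost the same in both encodings, so the relative gain is largest on small certificates and on repetitive field structure.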