IETF Logo Mail Archive

Re: [pkix] OID encoding help

Russ Housley <housley@vigilsec.com> Sun, 07 May 2023 15:18 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81232C14CE4C for <pkix@ietfa.amsl.com>; Sun, 7 May 2023 08:18:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.795
X-Spam-Level:
X-Spam-Status: No, score=-1.795 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, TRACKER_ID=0.1, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bRgJjgA-mHX6 for <pkix@ietfa.amsl.com>; Sun, 7 May 2023 08:18:49 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D8B6C14CE42 for <pkix@ietf.org>; Sun, 7 May 2023 08:18:49 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id BDD7315DAAB; Sun, 7 May 2023 11:18:47 -0400 (EDT)
Received: from [192.168.1.161] (unknown [96.241.2.243]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id A188B15DB85; Sun, 7 May 2023 11:18:47 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <678D438C-D3A3-4002-9C12-D10C79272117@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C7821436-A47D-43B7-960D-90FF92F2F14E"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Date: Sun, 07 May 2023 11:18:47 -0400
In-Reply-To: <37ea5bd2-ac9e-4190-0936-5c04b1bffb9c@htt-consult.com>
Cc: IETF PKIX <pkix@ietf.org>
To: Robert Moskowitz <rgm-sec@htt-consult.com>
References: <37ea5bd2-ac9e-4190-0936-5c04b1bffb9c@htt-consult.com>
X-Mailer: Apple Mail (2.3445.104.21)
X-Scanned-By: mailmunge 3.11 on 66.39.134.11
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/DykphSQrKAwwjk_EVHEgTHJfYtI>
Subject: Re: [pkix] OID encoding help
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 May 2023 15:18:51 -0000

I'm nor sure how CERT RR is solving your problem, but that is not your question.

Since you are using pyasn1...

>>> from pyasn1.type import univ
>>> from pyasn1.codec.der.decoder import decode as der_decoder
>>> from pyasn1.codec.der.encoder import encode as der_encoder
>>> import binascii
>>> oid = univ.ObjectIdentifier('1.3.6.1.4.1.6715.2.6.6')
>>> s = der_encoder(oid)
>>> print(binascii.hexlify(s))
060a2b06010401b43b020606
>>> 

Russ


> On May 7, 2023, at 9:02 AM, Robert Moskowitz <rgm-sec@htt-consult.com> wrote:
> 
> I am asking here, as this seems like a place I can at least get directions on where to ask for help.
> 
> Challenge:  write simple python code to create an OID object.
> 
> Background:
> 
> In draft-ietf-drip-registries, there is a 126-byte RATS-styled Endorsement object call the DRIP Broadcast Endorsement (sec B.3). This object is intended to be available publically via DNS.  For testing and perhaps onwards all we are finding is to use the CERT RR and encode this as a private OID object.  For initial work we will use oid = "1.3.6.1.4.1.6715.2.6.6", with the Endorsement as type BIT-STRING.
> 
> So....
> 
> But I cannot google up any advise on how to do this.  Given how fixed this is, it might even be possible to hand-figure this out and just make the object without involking some python asn1 library. But I am just stuck.
> 
> So can anyone pitch in, or at least point me to some advise postings.
> 
> Oh, I am doing this in F38 which has the python3-pyasn1 libary.
> 
> thanks
> 
> Oh course an 'easier' way would be to extent the TLSA RR to support this type of 'certificate'.  We are already using the TLSA RR for the SPKI we get when we make DETs (rfc 9374).  That is easy, as we get the DER with the keypair generation.  But then this would be a change to TLSA and changes like that to existing RR rarely go well.
> 
> Bob
> 
> 
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix

v2.23.0 | Report a Bug | By Email