Re: [lamps] strugling with CSRAttrs
David von Oheimb <it@von-Oheimb.de> Tue, 19 July 2022 18:58 UTC
Return-Path: <it@von-Oheimb.de>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9C04C159488 for <spasm@ietfa.amsl.com>; Tue, 19 Jul 2022 11:58:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.903
X-Spam-Level:
X-Spam-Status: No, score=-6.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5wDyzDPT6Bsv for <spasm@ietfa.amsl.com>; Tue, 19 Jul 2022 11:58:45 -0700 (PDT)
Received: from server8.webgo24.de (server8.webgo24.de [185.30.32.8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 071D2C157B43 for <spasm@ietf.org>; Tue, 19 Jul 2022 11:58:44 -0700 (PDT)
Received: from tpx390-WLAN.fritz.box (dynamic-095-114-078-153.95.114.pool.telefonica.de [95.114.78.153]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by server8.webgo24.de (Postfix) with ESMTPSA id 6D94D4217A4; Tue, 19 Jul 2022 20:58:41 +0200 (CEST)
Message-ID: <ada963a796ca3fafb42a29751020ff4326fd2a1e.camel@von-Oheimb.de>
From: David von Oheimb <it@von-Oheimb.de>
To: Michael Richardson <mcr+ietf@sandelman.ca>, Sean Turner <sean@sn3rd.com>
Cc: LAMPS WG <spasm@ietf.org>
Date: Tue, 19 Jul 2022 20:58:37 +0200
In-Reply-To: <12352.1657505901@localhost>
References: <12352.1657505901@localhost>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-qVnGaZ5qxtHAEtlPxNQK"
User-Agent: Evolution 3.38.3-1
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/MyYcyfJS1u0_sE0Fns2Gm-HaJEA>
Subject: Re: [lamps] strugling with CSRAttrs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2022 18:58:47 -0000
Hi Michael, Sean, et al., on Sun, 2022-07-10 at 22:18 -0400, Michael Richardson wrote: > > Sean, sorry to be asking this with less than 24h to ID cut-off. > I didn't want to post an updated ID until I had example code that > produced > what I *thought* you are suggesting. Moving a SEQ/SET around isn't > that > hard... only now I've confused myself. > > We had: > > CsrAttrs ::= SEQUENCE SIZE (0..MAX) OF AttrOrOID > > AttrOrOID ::= CHOICE (oid OBJECT IDENTIFIER, > attribute Attribute } > > Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE { > extType ATTRIBUTE.&id({IOSet}), > extAttr SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type}) > } Well, this definition is semantically identical to the original one. So better not rename the two fields of the Attribute structure, i.e., we should stick with 'type' and 'values', in particular since there may be attributes that are not X.509 extensions. According to https://datatracker.ietf.org/doc/html/draft-richardson-lamps-rfc7030-csrattrs the only thing that is "changed" is the clarification that the attributes may contain entire X.509 extensions. So BTW I believe we can and should claim that this is bit-on-the wire compatible with RFC 7030. > with the understanding that extAttr could be a SET of Extensions. Better also state that in this case the type/extType field MUST bear the value extensionRequest (1.2.840.113549.1.9.14). > Each Extension is given by: > > Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension The Extensions structure is only needed within certificates (where there is just one extensions field). All needed here is the Extension structure - there are already more than enough of those sequences and sets around ;-) > > Extension ::= SEQUENCE { > extnID OBJECT IDENTIFIER, > critical BOOLEAN DEFAULT FALSE, > extnValue OCTET STRING > -- contains the DER encoding of an ASN.1 value > -- corresponding to the extension type identified > -- by extnID > } > > > 1) I'm not sure why I need a SET of a Sequence, unless your intent was > that > extAttr could be an *Extension* ?? I'm gonna go with yes here, but > I > didn't code that yet. In my view, the set-valued extAttr SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type}) (or better, as in the original definition in 7030): values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type}) is not really needed because multiple attributes can be given anyway using multiple attributes, and each of them may then have a different type. If multiple values are given as a set within a single attribute, all its elements must have the same type. So in practice I suppose that for all attributes the SETs given within each of them usually will have just one value element. > > 2) I think that extnID would be things like subjectAltName, > i.e. OID: 2.5.29.17 Right. > > But, if so, what is extType for this? The (ext)type is needed to provide the information, using "extensionRequest", that an X.509 extension is being given in this attribute. > > ASN1 that I have right now, where I've put subjectAltName in twice: > > obiwan-[projects/pandora/fountain](2.6.6) mcr 10396 %dumpasn1 > tmp/csr_bulb1.der > 0 84: SEQUENCE { > 2 82: SEQUENCE { > 4 3: OBJECT IDENTIFIER subjectAltName (2 5 29 17) <--- WHAT > GOE, uS HERE? Replace this by extensionRequest (1.2.840.113549.1.9.14) > > 9 75: SET { > 11 73: SEQUENCE { <--- SEQUENCE here might be undesired. SEQUENCE here is fine, as demanded by the Extension structure. > 13 3: OBJECT IDENTIFIER subjectAltName (2 5 29 17) > 18 3: [0] { The "[0] {" (and the closing 2}") is likely superfluous/wrong here. > 20 1: BOOLEAN TRUE > : } > 23 61: SEQUENCE { > 25 59: [0] { > 27 57: UTF8String > : > 'rfc8994+fd739fc23c3440112233445500000000+@acp.ex' > : 'ample.com' > : } > : } This encoding of a SAN appears strange to me - which flavor of GeneralName are you aiming at? > : } > : } > : } > : } - David
- [lamps] strugling with CSRAttrs Michael Richardson
- Re: [lamps] strugling with CSRAttrs David von Oheimb
- Re: [lamps] strugling with CSRAttrs Michael Richardson
- Re: [lamps] struggling with CSRAttrs David von Oheimb
- Re: [lamps] struggling with CSRAttrs David von Oheimb
- Re: [lamps] struggling with CSRAttrs Corey Bonnell
- Re: [lamps] struggling with CSRAttrs Russ Housley
- Re: [lamps] struggling with CSRAttrs David von Oheimb
- Re: [lamps] struggling with CSRAttrs Michael Richardson
- Re: [lamps] struggling with CSRAttrs David von Oheimb
- Re: [lamps] struggling with CSRAttrs Corey Bonnell
- [lamps] Fixed the RFC 8994 / ACP Subject Alternat… David von Oheimb
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… Michael Richardson
- Re: [lamps] struggling with CSRAttrs Michael Richardson
- [lamps] examples in lamps-rfc7030-csrattrs Michael Richardson
- Re: [lamps] struggling with CSRAttrs Michael Richardson
- Re: [lamps] examples in lamps-rfc7030-csrattrs Corey Bonnell
- Re: [lamps] struggling with CSRAttrs Michael Richardson
- Re: [lamps] struggling with CSRAttrs Michael Richardson
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… Michael Richardson
- Re: [lamps] struggling with CSRAttrs Russ Housley
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… von Oheimb, David
- [lamps] IANA Considerations text for OID allocati… Michael Richardson
- Re: [lamps] IANA Considerations text for OID allo… Russ Housley
- Re: [lamps] IANA Considerations text for OID allo… Michael Richardson
- Re: [lamps] [EXTERNAL] Re: IANA Considerations te… Mike Ounsworth
- Re: [lamps] IANA Considerations text for OID allo… Tim Hollebeek
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… Esko Dijk
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… Michael Richardson
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… Esko Dijk
- Re: [lamps] examples in lamps-rfc7030-csrattrs Michael Richardson
- Re: [lamps] examples in lamps-rfc7030-csrattrs Corey Bonnell