IETF Logo Mail Archive

Re: [lamps] strugling with CSRAttrs

David von Oheimb <it@von-Oheimb.de> Tue, 19 July 2022 18:58 UTC

Return-Path: <it@von-Oheimb.de>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9C04C159488 for <spasm@ietfa.amsl.com>; Tue, 19 Jul 2022 11:58:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.903
X-Spam-Level:
X-Spam-Status: No, score=-6.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5wDyzDPT6Bsv for <spasm@ietfa.amsl.com>; Tue, 19 Jul 2022 11:58:45 -0700 (PDT)
Received: from server8.webgo24.de (server8.webgo24.de [185.30.32.8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 071D2C157B43 for <spasm@ietf.org>; Tue, 19 Jul 2022 11:58:44 -0700 (PDT)
Received: from tpx390-WLAN.fritz.box (dynamic-095-114-078-153.95.114.pool.telefonica.de [95.114.78.153]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by server8.webgo24.de (Postfix) with ESMTPSA id 6D94D4217A4; Tue, 19 Jul 2022 20:58:41 +0200 (CEST)
Message-ID: <ada963a796ca3fafb42a29751020ff4326fd2a1e.camel@von-Oheimb.de>
From: David von Oheimb <it@von-Oheimb.de>
To: Michael Richardson <mcr+ietf@sandelman.ca>, Sean Turner <sean@sn3rd.com>
Cc: LAMPS WG <spasm@ietf.org>
Date: Tue, 19 Jul 2022 20:58:37 +0200
In-Reply-To: <12352.1657505901@localhost>
References: <12352.1657505901@localhost>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-qVnGaZ5qxtHAEtlPxNQK"
User-Agent: Evolution 3.38.3-1
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/MyYcyfJS1u0_sE0Fns2Gm-HaJEA>
Subject: Re: [lamps] strugling with CSRAttrs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2022 18:58:47 -0000

Hi Michael, Sean, et al.,

on Sun, 2022-07-10 at 22:18 -0400, Michael Richardson wrote:
> 
> Sean, sorry to be asking this with less than 24h to ID cut-off.
> I didn't want to post an updated ID until I had example code that
> produced
> what I *thought* you are suggesting.  Moving a SEQ/SET around isn't
> that
> hard... only now I've confused myself.
> 
> We had:
> 
>    CsrAttrs ::= SEQUENCE SIZE (0..MAX) OF AttrOrOID
> 
>    AttrOrOID ::= CHOICE (oid OBJECT IDENTIFIER,
>                          attribute Attribute }
> 
>    Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE {
>         extType  ATTRIBUTE.&id({IOSet}),
>         extAttr  SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})
>    }

Well, this definition is semantically identical to the original one.
So better not rename the two fields of the Attribute structure, i.e., we
should stick with 'type' and 'values',
in particular since there may be attributes that are not X.509
extensions.

According
to https://datatracker.ietf.org/doc/html/draft-richardson-lamps-rfc7030-csrattrs
the only thing that is "changed" is the clarification that the
attributes may contain entire X.509 extensions.
So BTW I believe we can and should claim that this is bit-on-the wire
compatible with RFC 7030.


> with the understanding that extAttr could be a SET of Extensions.

Better also state that in this case the type/extType field MUST bear the
value extensionRequest (1.2.840.113549.1.9.14).


> Each Extension is given by:
> 
>    Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension

The Extensions structure is only needed within certificates (where there
is just one extensions field).
All needed here is the Extension structure - there are already more than
enough of those sequences and sets around ;-)

> 
>    Extension  ::=  SEQUENCE  {
>         extnID      OBJECT IDENTIFIER,
>         critical    BOOLEAN DEFAULT FALSE,
>         extnValue   OCTET STRING
>                     -- contains the DER encoding of an ASN.1 value
>                     -- corresponding to the extension type identified
>                     -- by extnID
>         }
> 
> 
> 1) I'm not sure why I need a SET of a Sequence, unless your intent was
> that
>    extAttr could be an *Extension* ??  I'm gonna go with yes here, but
> I
>    didn't code that yet.

In my view, the set-valued 

 extAttr SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})
(or better, as in the original definition in 7030):
 values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})

is not really needed because multiple attributes can be given anyway
using multiple attributes, and each of them may then have a different
type.
If multiple values are given as a set within a single attribute, all its
elements must have the same type.
So in practice I suppose that for all attributes the SETs given within
each of them usually will have just one value element.

> 
> 2) I think that extnID would be things like subjectAltName,
>    i.e. OID: 2.5.29.17

Right.

> 
> But, if so, what is extType for this?

The (ext)type is needed to provide the information, using
"extensionRequest", that an X.509 extension is being given in this
attribute.


> 
> ASN1 that I have right now, where I've put subjectAltName in twice:
> 
> obiwan-[projects/pandora/fountain](2.6.6) mcr 10396 %dumpasn1
> tmp/csr_bulb1.der
>   0  84: SEQUENCE {
>   2  82:   SEQUENCE {
>   4   3:     OBJECT IDENTIFIER subjectAltName (2 5 29 17)  <--- WHAT
> GOE, uS HERE?
Replace this by                         extensionRequest
(1.2.840.113549.1.9.14)

> 
>   9  75:     SET {
>  11  73:       SEQUENCE {   <--- SEQUENCE here might be undesired.
SEQUENCE here is fine, as demanded by the Extension structure.

>  13   3:         OBJECT IDENTIFIER subjectAltName (2 5 29 17)
>  18   3:         [0] {
The "[0] {" (and the closing 2}") is likely superfluous/wrong here.

>  20   1:           BOOLEAN TRUE
>        :           }
>  23  61:         SEQUENCE {
>  25  59:           [0] {
>  27  57:             UTF8String
>        :              
> 'rfc8994+fd739fc23c3440112233445500000000+@acp.ex'
>        :               'ample.com'
>        :             }
>        :           }
This encoding of a SAN appears strange to me - which flavor of
GeneralName are you aiming at?

>        :         }
>        :       }
>        :     }
>        :   }

- David

v2.23.0 | Report a Bug | By Email