IETF Logo Mail Archive

Re: [lamps] is the CSRattr ASN.1 broken or not ... Re: New Version Notification for draft-richardson-lamps-rfc7030-csrattrs-02.txt

Sean Turner <sean@sn3rd.com> Tue, 05 April 2022 19:28 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9963A3A1044 for <spasm@ietfa.amsl.com>; Tue, 5 Apr 2022 12:28:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S4leP0_-Vuew for <spasm@ietfa.amsl.com>; Tue, 5 Apr 2022 12:28:20 -0700 (PDT)
Received: from mail-qv1-xf34.google.com (mail-qv1-xf34.google.com [IPv6:2607:f8b0:4864:20::f34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DEB193A1036 for <spasm@ietf.org>; Tue, 5 Apr 2022 12:28:19 -0700 (PDT)
Received: by mail-qv1-xf34.google.com with SMTP id f3so408348qvz.10 for <spasm@ietf.org>; Tue, 05 Apr 2022 12:28:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=nvrDaIKrtrCc+sdWXG404lZZQNNN2fuuGFAtUrjxKmA=; b=meVJp5RAFykkkMg8mox/5iWhT/KdN+V26RX5F4jHgzMo6lPsdVvhMKi0vYSYKqEryk FGtmvnkmTDZpOuGTXULcsE06+j4k1Gj34u8CRILl9SOAoqvusB3hNwr1+oH1Qg0rTBhs qhtyXzZeRHnDWTot8J7Rrno0+eflSjb4Nl2O0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=nvrDaIKrtrCc+sdWXG404lZZQNNN2fuuGFAtUrjxKmA=; b=F7Mq6hvLrfzufpGdM9FW9CYcq9MT2TOkIaz1LFTyPvvwBqmaRZWgrp4y6fNIXvAVKS gwyrTOMokHO8gC5dsLW0Wu6EyCZGuOFxK5fgk4g942KeUeg+puTYwKa0rAjbg9/zMfde /AlvSNxdcbAnGQ6BRAwCCbNW6GdNiaGXOEVfRpxzLJ9Ooa+H1fyFciR5UZf2b7tytqks +ZTO7cfhdFzHcWnHzWOQoJopvhWgHqSwcgOUEnH4UXFIssS5SdgWdsG5SLOrXqvssDt3 kRSNhDlUWCNI4AlvPD1DWcAw7p/k10Z+9Kj+d5u2RXqSYMdpmXuEy/jOsoX56WhBTXKR RYvw==
X-Gm-Message-State: AOAM533RETTtjghUbwJdOSU66eyMOH7+dMzU7a92fb21VJHcIobGPvYx yO7s//FY6LWaalrfjj1qVyTJ1w==
X-Google-Smtp-Source: ABdhPJxt1j3eoz4r5cOV3qk/S9vouE07iNsoSAZF3mvBKOWG3au1IgbFvnV6Su7w1IbVJtXOHKWLzg==
X-Received: by 2002:a05:6214:202a:b0:441:6a41:f710 with SMTP id 10-20020a056214202a00b004416a41f710mr4438778qvf.84.1649186898453; Tue, 05 Apr 2022 12:28:18 -0700 (PDT)
Received: from smtpclient.apple (pool-71-178-177-131.washdc.fios.verizon.net. [71.178.177.131]) by smtp.gmail.com with ESMTPSA id b17-20020a05622a021100b002e1f86db385sm10978394qtx.68.2022.04.05.12.28.17 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 05 Apr 2022 12:28:17 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <A3C15545-8810-482A-A79F-B9350B0CEC51@vigilsec.com>
Date: Tue, 5 Apr 2022 15:28:16 -0400
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, David von Oheimb <David.von.Oheimb@siemens.com>, Dan Harkins <dharkins@lounge.org>, LAMPS WG <spasm@ietf.org>, Owen Friel <ofriel@cisco.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <0230304D-2791-4FEB-8277-39BE046DEE24@sn3rd.com>
References: <164667410940.12091.15394112688281514126@ietfa.amsl.com> <15416.1646681868@localhost> <D095D84D-9633-44BB-AA6F-440B8BC00F68@sn3rd.com> <5cfb6e20b225da072695a4f13088a8065203ca4e.camel@siemens.com> <27441.1649182739@localhost> <A3C15545-8810-482A-A79F-B9350B0CEC51@vigilsec.com>
To: Russ Housley <housley@vigilsec.com>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/QiK-wGwuTCskW0bGvAnzjMyztWY>
Subject: Re: [lamps] is the CSRattr ASN.1 broken or not ... Re: New Version Notification for draft-richardson-lamps-rfc7030-csrattrs-02.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Apr 2022 19:28:25 -0000


> On Apr 5, 2022, at 14:40, Russ Housley <housley@vigilsec.com> wrote:
> 
> 
> 
>> On Apr 5, 2022, at 2:18 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>> 
>> David von Oheimb <David.von.Oheimb@siemens.com> wrote:
>>> As I wrote earlier, the way CSRattrs are defined for EST in RFC
>>> 7030 section 4.5.2:
>> 
>>> CsrAttrs ::= SEQUENCE SIZE (0..MAX) OF AttrOrOID
>> 
>>> AttrOrOID ::= CHOICE (oid OBJECT IDENTIFIER, attribute Attribute }
>> 
>>> Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE {
>>> type ATTRIBUTE.&id({IOSet}),
>>> values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type}) }
>> 
>> Is there another way to express the same concept that would be understandable
>> to more people?
> 
> 
> I do not know whether the OLD ASN.1 syntax is easier to read for some.  This would be:
> 
>    CsrAttrs ::= SEQUENCE SIZE (0..MAX) OF AttrOrOID
> 
>    AttrOrOID ::= CHOICE (oid OBJECT IDENTIFIER, attribute Attribute }
> 
>    Attribute ::= SEQUENCE {
>      type     AttributeType,
>      values    SET SIZE(1..MAX) OF AttributeValue }
> 
>    AttributeType ::= OBJECT IDENTIFIER
> 
>    AttributeValue ::= ANY DEFINED BY AttributeType
> 
> Russ

The problem really comes down to how extensionRequest is encoded. extensionRequest is defined in RFC 2985) as:

   extensionRequest ATTRIBUTE ::= {
           WITH SYNTAX ExtensionRequest
           SINGLE VALUE TRUE
           ID pkcs-9-at-extensionRequest
   }

   ExtensionRequest ::= Extensions

Then Extensions (using old syntax from 5280):

Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension

   Extension  ::=  SEQUENCE  {
        extnID      OBJECT IDENTIFIER,
        critical    BOOLEAN DEFAULT FALSE,
        extnValue   OCTET STRING
                    -- contains the DER encoding of an ASN.1 value
                    -- corresponding to the extension type identified
                    -- by extnID
        }

So, if you’re going to encode that you need a lot more than just an OID, as is in the example:

In the example:

SEQUENCE (4 elem)
… snip
  SEQUENCE (2 elem)
    OBJECT IDENTIFIER 1.2.840.113549.1.9.14 extensionRequest (PKCS #9 via CRMF)
    SET (1 elem)
      OBJECT IDENTIFIER 1.3.6.1.1.1.1.22 (macAddress). <—“values" here
..snip

If macAddress is included as an extension, then it would need to say whether it’s critical or not and we’d need to provide a value. The “values” portion of the SET OF needs to be:
SEQ OF (for Extensions)
  SEQ (for Extension)
   { extrnID=macAddress OID,
    criticality=T/F (CP dependent),
    extnValue=? } 

I just want to double check again that the macAddress attribute is being carried in the certificate as an actual extension and NOT as a naming attribute?

Cheers,
spt

v2.8.7 | Report a Bug | By Email