Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Missing the extensionValue's syntax for several extensions #176

Open
xipki opened this issue Apr 16, 2024 · 7 comments
Open

Missing the extensionValue's syntax for several extensions #176

xipki opened this issue Apr 16, 2024 · 7 comments
Assignees

Comments

@xipki
Copy link
Contributor

xipki commented Apr 16, 2024

Syntax for the following extensions needs to be added:

  • code 36, Biometric Information (RFC 3739)
  • code 37, Precertificate Signing Certificate (RFC 6962)
  • code 38, OCSP No Check (RFC 6960)
  • code 39, Qualified Certificate Statements (RFC 3739)
  • code 40, S/MIME Capabilities (RFC 8551)
  • code 41, TLS Features (RFC 7633)
@highlunder
Copy link
Collaborator

Indeed I see that we haven't specified "raw bytes" as the intended extension value! Our intention as authors is to have raw byte encodings for the extension values, for the recently added extension types. But if someone is proposing a new CDDL encoding, together with representative example X.509 certificates we are open for further discussions.

@xipki
Copy link
Contributor Author

xipki commented Apr 16, 2024

For Precertificate Signing Certificate (code) and OCSP No Check (code 38), I will suggest to use nullfor the extensionValue.

@highlunder highlunder self-assigned this Apr 18, 2024
@xipki
Copy link
Contributor Author

xipki commented Apr 28, 2024

For TLS Feature, the ASN.1 syntax is defined in RFC 7633 as follows:

   id-pe-tlsfeature OBJECT IDENTIFIER ::=  { id-pe 24 }

   Features ::= SEQUENCE OF INTEGER

The feature contains the TLS extension which are between [0, 65535] (see https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-1), and can be encoded in CBOR uint.

Thus I suggest to use following C509 syntax:

  TLSFeatures = [* feature: uint]

@xipki
Copy link
Contributor Author

xipki commented Apr 28, 2024

For the Biometric Information (code 36):

The ASN.1 definition in RFC 3739 is as follows:

      BiometricSyntax ::= SEQUENCE OF BiometricData

      BiometricData ::= SEQUENCE {
          typeOfBiometricData  TypeOfBiometricData,
          hashAlgorithm        AlgorithmIdentifier,
          biometricDataHash    OCTET STRING,
          sourceDataUri        IA5String OPTIONAL }

      TypeOfBiometricData ::= CHOICE {
          predefinedBiometricType    PredefinedBiometricType,
          biometricDataID            OBJECT IDENTIFIER }

      PredefinedBiometricType ::= INTEGER { picture(0),
          handwritten-signature(1)} (picture|handwritten-signature,...)

I suggest to use the following CDDL in C509:

BiometricSyntax = [ * BiometricData ] 
BiometricData = (
 typeOfBiometricData: int / ~oid / pen,
 hashAlgorithm: int / ~oid / pen,
 biometricDataHash: bstr,
 ? sourceDataUri: tstr
)

For the hashAlgorithm, we may define new constants or use the constants defined in RFC 9054 (https://datatracker.ietf.org/doc/rfc9054/).

The int choice of typeOfBiometricData has then two groups:

  • Non-Negative value: the value specified in RFC 3739
      PredefinedBiometricType ::= INTEGER { picture(0),
          handwritten-signature(1)} (picture|handwritten-signature,...)
  • Negative value: mapping from OBJECT IDENTNFIER to an int, managed in the C.509 specification.

@xipki
Copy link
Contributor Author

xipki commented Apr 28, 2024

Suggestion to encode SMIMECapabilities in CBOR:

If all capabilities do not contain parameters or the parameters field is of ASN.1 type INTEGERand its value is in the range [0, 0xFFFFFFFFFFFFFFFF] (64 bit unsigned integer), then the SMIME extension can be CBOR encoded. Below is the syntax:

SMIMECapability = (capabilityID: ~oid/pen, ? parameters : uint)

SMIMECapabilities = [ * SMIMECapability ]

@xipki
Copy link
Contributor Author

xipki commented Apr 28, 2024

Related to the QCStatements, it is quite difficult to define a CBOR syntax.

Here are some examples of QC statements:

I created a new issue #193 to cover the extension QCStatements.

@highlunder
Copy link
Collaborator

For now we keep 38 & 41 as relevant, and wait for a PR/PRs from Lijun

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants