From 89bc690642c0f1c9b312ab28316df9ba950652db Mon Sep 17 00:00:00 2001 From: "mark a. foltz" Date: Wed, 7 Sep 2022 11:25:24 -0700 Subject: [PATCH 1/3] [Open Screen Protocol] Update certificate serial number. This is a WIP patch for Issue #280. --- index.bs | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/index.bs b/index.bs index 1c73be2..1f1d2eb 100644 --- a/index.bs +++ b/index.bs @@ -55,6 +55,7 @@ url: https://tools.ietf.org/html/rfc8122#section-5; type: dfn; spec: RFC8122; te url: https://tools.ietf.org/html/rfc8122#section-5; type: dfn; spec: RFC8122; text: md5 url: https://tools.ietf.org/html/rfc6381#section-3; type: dfn; spec: RFC6381; text: codecs parameter url: https://tools.ietf.org/html/rfc8610#section-3; type: dfn; spec: RFC8610; text: concise data definition language +url: https://datatracker.ietf.org/doc/html/rfc4122#section-4.4; type: dfn; spec: RFC4122; text: version 4 uuid Introduction {#introduction} @@ -375,6 +376,26 @@ The [=agent certificate=] must have the following characteristics: * secp521r1_sha512 * Valid for signing +Let the certificate serial number be the result of the following steps: + +
    +
  1. If the agent has never generated an agent certificate: +
      +
    1. Let the `certificate serial number base` be a 96-bit integer value. +
    2. Assign the upper 40 bits of the [=certificate serial number base=] to the IEEE 802 MAC address of one of the agent's network interfaces, or a pseudorandom number if no interfaces are available.
    3. +
    4. Assign the lower 56 bits of the [=certificate serial number base=] to a pseudorandom number.
    5. +
    6. Let the `certificate serial number counter` be a 32-bit unsigned integer.
    7. +
    8. Assign the [=certificate serial number counter=] to 0.
    9. +
    +
  2. +
  3. Generate an 128-bit value as follows: +
      +
    1. Increment the [=agent serial number counter=] by one.
    2. +
    3. Assign the upper 96 bits to the [=certificate serial number base=].
    4. +
    5. Assign the lower 32 bits to the [=certificate serial number counter=]. +
    +
+ The following X.509 v3 fields are to be set as follows: @@ -389,7 +410,7 @@ The following X.509 v3 fields are to be set as follows: - + @@ -423,8 +444,7 @@ The following X.509 v3 fields are to be set as follows: Mandatory fields not mentioned above should be set according to [[!RFC5280]]. -The value `` above should be substituted with the [=agent fingerprint=] (as -serialized in mDNS TXT). +The value `` above should be substituted with the [=agent serial number=]. Note: The OSP agent may use the implementer or device model name as the value for the `O` key for user interface and debugging purposes. It may use the agent From a2ed6474c30e732a6d8b002bcd400dc08a37f7ec Mon Sep 17 00:00:00 2001 From: "mark a. foltz" Date: Wed, 7 Sep 2022 14:31:11 -0700 Subject: [PATCH 2/3] Simplify algorithm and fix xrefs. --- index.bs | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/index.bs b/index.bs index 1f1d2eb..3a35a06 100644 --- a/index.bs +++ b/index.bs @@ -55,7 +55,6 @@ url: https://tools.ietf.org/html/rfc8122#section-5; type: dfn; spec: RFC8122; te url: https://tools.ietf.org/html/rfc8122#section-5; type: dfn; spec: RFC8122; text: md5 url: https://tools.ietf.org/html/rfc6381#section-3; type: dfn; spec: RFC6381; text: codecs parameter url: https://tools.ietf.org/html/rfc8610#section-3; type: dfn; spec: RFC8610; text: concise data definition language -url: https://datatracker.ietf.org/doc/html/rfc4122#section-4.4; type: dfn; spec: RFC4122; text: version 4 uuid Introduction {#introduction} @@ -381,17 +380,17 @@ Let the certificate serial number be the result of the following step
  1. If the agent has never generated an agent certificate:
      -
    1. Let the `certificate serial number base` be a 96-bit integer value. -
    2. Assign the upper 40 bits of the [=certificate serial number base=] to the IEEE 802 MAC address of one of the agent's network interfaces, or a pseudorandom number if no interfaces are available.
    3. -
    4. Assign the lower 56 bits of the [=certificate serial number base=] to a pseudorandom number.
    5. -
    6. Let the `certificate serial number counter` be a 32-bit unsigned integer.
    7. +
    8. Let the certificate serial number base be a 32-bit + pseudorandom integer value. +
    9. Let the certificate serial number counter be a 32-bit + unsigned integer.
    10. Assign the [=certificate serial number counter=] to 0.
  2. -
  3. Generate an 128-bit value as follows: +
  4. Generate a 64-bit value as follows:
      -
    1. Increment the [=agent serial number counter=] by one.
    2. -
    3. Assign the upper 96 bits to the [=certificate serial number base=].
    4. +
    5. Increment the [=certificate serial number counter=] by one.
    6. +
    7. Assign the upper 32 bits to the [=certificate serial number base=].
    8. Assign the lower 32 bits to the [=certificate serial number counter=].
@@ -444,7 +443,8 @@ The following X.509 v3 fields are to be set as follows: Mandatory fields not mentioned above should be set according to [[!RFC5280]]. -The value `` above should be substituted with the [=agent serial number=]. +The value `` above should be substituted with the [=certificate serial +number=]. Note: The OSP agent may use the implementer or device model name as the value for the `O` key for user interface and debugging purposes. It may use the agent From a90f8df80433dc4fdad9d7c11fb768ef5f6c878b Mon Sep 17 00:00:00 2001 From: "mark a. foltz" Date: Mon, 22 Jan 2024 11:45:33 -0800 Subject: [PATCH 3/3] Address comment --- index.bs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/index.bs b/index.bs index 3ad0fed..e66ded1 100644 --- a/index.bs +++ b/index.bs @@ -385,8 +385,7 @@ Let the certificate serial number be the result of the following step
  • Let the certificate serial number base be a 32-bit pseudorandom integer value.
  • Let the certificate serial number counter be a 32-bit - unsigned integer.
  • -
  • Assign the [=certificate serial number counter=] to 0.
  • + unsigned integer, initially set to 0.
  • Generate a 64-bit value as follows:
  • Serial Number``The [=certificate serial number=].
    Signature Algorithm ID
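Review bot: In PATCH 1/3, hunk `@@ -375,6 +376,26 @@`, the step "Assign the upper 40 bits of the [=certificate serial number base=] to the IEEE 802 MAC address" does not fit the identifier it names: an IEEE 802 MAC address is 48 bits, so either the address is silently truncated or the 40 + 56 = 96 split is wrong. Independently of the arithmetic, copying a hardware address into a value that appears in every certificate the agent presents turns the serial number into a stable tracking identifier, so a fully pseudorandom base (as PATCH 2/3 later adopts) is the better design. Two smaller points in the same hunk: "Increment the [=agent serial number counter=] by one" references a term that is never defined (the term introduced above it is `certificate serial number counter`, so Bikeshed will report a broken xref), and "an 128-bit value" should read "a 128-bit value".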
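Review bot: In PATCH 1/3, hunk `@@ -55,6 +55,7 @@`, the added anchor `url: https://datatracker.ietf.org/doc/html/rfc4122#section-4.4; ... text: version 4 uuid` is not referenced by any text this patch adds; either the serial number algorithm should actually use a version 4 UUID, or the anchor should be dropped (PATCH 2/3 removes it again, which suggests the latter).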
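Review bot: In PATCH 1/3, hunk `@@ -423,8 +444,7 @@`, the new line `+The value `` above should be substituted with the [=agent serial number=].` links to a term the spec does not define; the algorithm above defines the *certificate* serial number, so the xref should be `[=certificate serial number=]` (PATCH 2/3 makes exactly this correction).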
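Review bot: In PATCH 2/3, hunk `@@ -381,17 +380,17 @@`, "a 32-bit pseudorandom integer value" leaves the quality of the generator unspecified; since those 32 bits are the only part of the 64-bit serial number that is not a predictable counter, the text should say whether a cryptographically secure random number generator is required, or state explicitly that unpredictability of the serial number is not a goal and only uniqueness within the issuing agent matters. Two encoding and lifecycle details are also worth a sentence each: RFC 5280 section 4.1.2.2 requires the serial number to be a positive INTEGER, so when the top bit of the base is set the DER encoding must carry a leading zero octet (the 64-bit value should be stated to be interpreted as unsigned); and the hunk does not say what happens when the 32-bit counter wraps, where regenerating the base is the natural rule, since a reused (base, counter) pair would repeat a serial number under the same issuer.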
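Review bot: In PATCH 3/3, hunk `@@ -385,8 +385,7 @@`, folding "initially set to 0" into the definition of the counter is fine, but the surrounding condition "If the agent has never generated an agent certificate" only works if both the base and the counter are kept in persistent storage together: if the counter is lost while the base survives, the next certificate reuses a serial number already issued under the same subject, which RFC 5280 forbids. Suggest adding "The agent must persist the certificate serial number base and counter together across restarts" after these steps. As a presentation point, the rendered list in this revision shows bullet markers where the earlier revisions showed numbered steps; the sub-steps under "Generate a 64-bit value as follows" are sequential (the counter must be incremented before it is assigned to the lower 32 bits), so if the markup was changed to an unordered list it should be restored to an ordered one.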