idnits 2.17.1 draft-ietf-cbor-file-magic-02.txt: -(5): Line appears to be too long, but this could be caused by non-ascii characters in UTF-8 encoding Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == There are 3 instances of lines with non-ascii characters in the document. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (10 July 2021) is 993 days in the past. Is this intentional? Checking references for intended status: Best Current Practice ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-09) exists of draft-ietf-cose-cbor-encoded-cert-01 == Outdated reference: A later version (-25) exists of draft-ietf-rats-eat-10 == Outdated reference: A later version (-24) exists of draft-ietf-sacm-coswid-17 -- Obsolete informational reference (is this intentional?): RFC 8152 (Obsoleted by RFC 9052, RFC 9053) Summary: 0 errors (**), 0 flaws (~~), 5 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 CBOR Working Group M. Richardson 3 Internet-Draft Sandelman Software Works 4 Intended status: Best Current Practice C. Bormann 5 Expires: 11 January 2022 Universität Bremen TZI 6 10 July 2021 8 On storing CBOR encoded items on stable storage 9 draft-ietf-cbor-file-magic-02 11 Abstract 13 This document proposes an on-disk format for CBOR objects that is 14 friendly to common on-disk recognition systems like the Unix file(1) 15 command. 17 This document is being discussed at: https://github.com/cbor-wg/cbor- 18 magic-number 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at https://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on 11 January 2022. 37 Copyright Notice 39 Copyright (c) 2021 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 44 license-info) in effect on the date of publication of this document. 45 Please review these documents carefully, as they describe your rights 46 and restrictions with respect to this document. Code Components 47 extracted from this document must include Simplified BSD License text 48 as described in Section 4.e of the Trust Legal Provisions and are 49 provided without warranty as described in the Simplified BSD License. 51 Table of Contents 53 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 54 2. Requirements for a Magic Number . . . . . . . . . . . . . . . 4 55 3. Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . 4 56 3.1. The CBOR Protocol Specific Tag . . . . . . . . . . . . . 4 57 3.2. CBOR Tag Wrapped . . . . . . . . . . . . . . . . . . . . 5 58 3.3. CBOR Tag Sequence . . . . . . . . . . . . . . . . . . . . 5 59 4. Advice to Protocol Developers . . . . . . . . . . . . . . . . 6 60 4.1. Is the on-wire format new? . . . . . . . . . . . . . . . 7 61 4.2. Can many items be trivially concatenated? . . . . . . . . 7 62 4.3. Are there tags at the start? . . . . . . . . . . . . . . 7 63 5. Security Considerations . . . . . . . . . . . . . . . . . . . 7 64 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 65 6.1. CBOR Sequence Tag . . . . . . . . . . . . . . . . . . . . 8 66 6.2. CBOR Tags for CoAP Content-Format Numbers . . . . . . . . 8 67 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 68 7.1. Normative References . . . . . . . . . . . . . . . . . . 9 69 7.2. Informative References . . . . . . . . . . . . . . . . . 9 70 Appendix A. CBOR Tags for CoAP Content Formats . . . . . . . . . 10 71 A.1. Content-Format Tag Examples . . . . . . . . . . . . . . . 10 72 Appendix B. Example from Openswan . . . . . . . . . . . . . . . 11 73 Appendix C. Changelog . . . . . . . . . . . . . . . . . . . . . 12 74 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 12 75 Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 12 76 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 78 1. Introduction 80 Since very early in computing, operating systems have sought ways to 81 mark which files could be processed by which programs. 83 For instance, the Unix file(1) command, which has existed since 1973 84 [file], has been able to identify many file formats for decades. 85 Many systems (Linux, MacOS, Windows) will select the correct 86 application based upon the file contents, if the system can not 87 determine it by other means: for instance, the classic MacOS 88 maintained a resource fork that includes media type ("MIME type") 89 information and therefore ideally never needs to know anything about 90 the file. Other systems do this by file extensions. 92 While having a media type associated with the file is a better 93 solution in general, when files become disconnected from their type 94 information, such as when attempting to do forensics on a damaged 95 system, then being able to identify a file type can become very 96 important. 98 It is noted that in the media type registration, that a magic number 99 is asked for, if available, as is a file extension. 101 A challenge for the file(1) program is often that it can be confused 102 by the encoding vs the content. For instance, an Android "apk" used 103 to transfer and store an application may be identified as a ZIP file. 104 Both OpenOffice or MSOffice files are ZIP files of XML files. 105 (Unless OpenOffice files are flat (fodp) files, in which case they 106 may appear to be generic XML files.) 108 As CBOR becomes a more and more common encoding for a wide variety of 109 artifacts, identifying them as just "CBOR" is probably not 110 sufficient. This document provides a way to encode a magic number 111 into the beginning of a CBOR format file. Two options are presented: 112 typically a CBOR Protocol author will specify one. 114 A CBOR Protocol is a specification which uses CBOR as its encoding. 115 Examples of CBOR Protocols currently under development include CoSWID 116 [I-D.ietf-sacm-coswid], and EAT [I-D.ietf-rats-eat]. COSE itself 117 [RFC8152] is considered infrastructure, however the encoding of 118 public keys in CBOR as described in [I-D.ietf-cose-cbor-encoded-cert] 119 would be an identified CBOR Protocol. 121 A major inspiration for this document is observing the mess in ASN.1 122 based systems where most files are PEM encoded, identified by the 123 extension "pem", confusing public keys, private keys, certificate 124 requests and S/MIME content. 126 These proposals are invasive to how CBOR protocols are written to 127 disk, but in both cases, the proposed envelope does not require that 128 the tag be transferred on the wire. 130 In addition to the on-disk identification aspects, there are some 131 protocols which may benefit from having such a magic number on the 132 wire if they presently using a different (legacy) encoding scheme. 133 The presence of the identifiable magic sequence signals that CBOR is 134 being used or a legacy scheme. 136 2. Requirements for a Magic Number 138 A magic number is ideally a unique fingerprint, present in the first 139 4 or 8 bytes of the file, which does not change when the contents 140 change, and does not depend upon the length of the file. 142 Less ideal solutions have a pattern that needs to be matched, but in 143 which some bytes need to be ignored. While the Unix file(1) command 144 can be told to ignore bytes, this can lead to ambiguities. 146 3. Protocol 148 There are two variations of this practice. Both use CBOR Tags in a 149 way that results in a deterministic first 8 to 12 bytes. 151 3.1. The CBOR Protocol Specific Tag 153 CBOR Protocol designers should obtain a tag for each major type of 154 object that they might store on disk. As there are more than 4 155 billion available 4-byte tags, there should be little issue in 156 allocating a few to each available CBOR Protocol. 158 The policy is First Come First Served, so all that is required is an 159 email to IANA, having filled in the small template provided in 160 Section 9.2 of [RFC8949]. 162 This tag should be allocated by the author of the CBOR Protocol, and 163 to be in the four-byte range, it should be at least 0x01000000 164 (decimal 16777216) in value. 166 The use of a sequence of four US-ASCII codes which are mnemonic to 167 the protocol is encouraged, but not required. 169 For CBOR byte strings that happen to contain a representation that is 170 described by a CoAP Content-Format Number (Section 12.3 of [RFC7252], 171 Subregistry Content-Formats of [IANA.core-parameters]), a tag number 172 has been allocated in Section 6.2 (see Appendix A for details and 173 examples). 175 3.2. CBOR Tag Wrapped 177 This proposal starts with the Self-described CBOR tag, 55799, as 178 described in Section 3.4.6 of [RFC8949]. 180 A second CBOR Tag is then allocated to describe the specific Protocol 181 involved, as described above. 183 This proposal wraps the CBOR value as tags usually do. Applications 184 that need to send the CBOR value across a constrained link may wish 185 to remove the two tags if the use is implicitly understood. This is 186 a decision of the CBOR Protocol specification. 188 3.3. CBOR Tag Sequence 190 This proposal makes use of CBOR Sequences as described in [RFC8742]. 192 This proposal consists of two tags and a constant string for a total 193 of 12 bytes. 195 1. The file shall start with the Self-described CBOR Sequence tag, 196 55800. 198 2. The file shall continue with a CBOR tag, from the First Come 199 First Served space, which uniquely identifies the CBOR Protocol. 200 The use of a four-byte tag is encouraged. 202 3. The three byte CBOR byte string containing 0x42_4F_52. When 203 encoded it shows up as "CBOR" 205 The first part identifies the file as being CBOR, and does so with 206 all the desirable properties explained in Section 3.4.6 of [RFC8949]. 207 Specifically, it does not seem to conflict with any known file types, 208 and it is not valid Unicode in any Unicode encoding. 210 The second part identifies which CBOR Protocol is used, as described 211 above. 213 The third part is a constant value 0x43_42_4f_52, "CBOR". That is, 214 the CBOR encoded data item for the three byte sequence 0x42_4f_52 215 ("BOR"). This is the data item that is tagged. 217 The actual CBOR Protocol value then follows as the next data item(s) 218 in the CBOR sequence, without a need for any further specific tag. 219 The use of a CBOR Sequence allows the application to trivially remove 220 the first item with the two tags. 222 This means that should a file be reviewed by a human (directly in an 223 editor, or in a hexdump display), it will include the string "CBOR" 224 prominently. This value is also included simply because the two tags 225 need to tag something. 227 4. Advice to Protocol Developers 229 This document introduces a choice between a CBOR Sequence and a 230 wrapped CBOR Tag. Which should a protocol designer use? 232 In this discussion, one assumes that there is an object stored in a 233 file, perhaps specified by a system operator in a configuration file. 235 For example: a private key used in COSE operations, a public key/ 236 certificate in C509 or CBOR format, a recorded sensor reading stored 237 for later transmission, or a COVID vaccination certificate that needs 238 to be displayed in QRcode form. 240 Both the CBOR Tag Sequence and the wrapped tag can be trivially 241 removed by an application before sending the CBOR content out on the 242 wire. 244 The CBOR Tag Sequence is a little bit easier to remove as in most 245 cases, CBOR parsers will return it as a unit, and then return the 246 actual CBOR item, which could be anything at all, and could include 247 CBOR tags that _do_ need to be sent on wire. 249 On the other hand, having the CBOR Tag Sequence in the file requires 250 that all programs that expect to examine that file are able to skip 251 what appears to be an empty CBOR item. Programs which might not 252 expect the CBOR Tag Sequence, but which would operate without a 253 problem would include any program that expects to process CBOR 254 Sequences from the file. 256 As an example of where there was a problem with previous security 257 systems, "PEM" format certificate files grew to be able to contain 258 multiple certificates by simple concatenation. The PKCS1 format 259 could also contain a private key object followed by a one or more 260 certificate objects: but only when in PEM format. But, when in 261 binary DER format, concatenation of certificates was not compatible 262 with most programs. 264 The use of CBOR Tag Wrapped format is easier to retrofit to an 265 existing format with existing and unchangeable on-disk format. This 266 new sequence of tags are expected to be trivially ignored by an 267 existing program when reading CBOR from disk. But, a naive program 268 might also then transmit them across the network. Removing the CBOR 269 Tag Wrapped format requires knowledge of the two tags involved. 271 Other tags present might be needed. For a representation matching a 272 specific media-type that is carried in a CBOR byte string, the byte 273 string head will already have to be removed for use as such a 274 representation, so it should be easy to remove the enclosing tag 275 heads as well. This is of particular interest with the pre-defined 276 tags provided by Appendix A for media-types with CoAP Content-Format 277 numbers. 279 Here are some considerations: 281 4.1. Is the on-wire format new? 283 If the on-wire format is new, then it could be specified with the 284 CBOR Tag Wrapped format if the extra eight bytes are not a problem. 285 The disk format is then identical to the on-wire format. 287 If the eight bytes are a problem (and they usually are if CBOR is 288 being considered), then the CBOR Tag Sequence format should be 289 adopted for on-disk storage. 291 4.2. Can many items be trivially concatenated? 293 If the programs that read the contents of the file already expect to 294 process all of the items in the file (not just the first), then the 295 CBOR Tag Sequence format may be easily retrofitted. 297 The program involved may throw errors or warnings on the CBOR Tag 298 Sequence if they have not yet been updated, but this may not be a 299 problem. If it is, then consideration should be given to CBOR Tag 300 Wrapped. 302 If only one item is ever expected in the file, the the use of CBOR 303 Tag Sequence may present an implementation hurdle to programs that 304 previously just read a single value and used it. 306 4.3. Are there tags at the start? 308 If the Protocol expects to use other tags values at the top-level, 309 then it may be easier to explain if the CBOR Tag Sequence format is 310 used. 312 5. Security Considerations 314 This document provides a way to identify CBOR Protocol objects. 315 Clearly identifying CBOR contents on disk may have a variety of 316 impacts. 318 The most obvious is that it may allow malware to identify interesting 319 objects on disk, and then corrupt them. 321 6. IANA Considerations 323 Section 6.1 documents the allocation that was done for a CBOR tag to 324 be used in a CBOR sequence to identify the sequence. Section 6.2 325 allocates a CBOR tag for each actual or potential CoAP Content-Format 326 number. 328 6.1. CBOR Sequence Tag 330 IANA has allocated tag 55800 as the CBOR Sequence tag. This tag is 331 from the First Come/First Served area. 333 The value has been picked to have properties similar to the 55799 tag 334 (Section 3.4.6 of [RFC8949]). 336 The hexadecimal representation is: 0xd9_d9_f8. 338 This is not valid UTF-8: the first 0xd9 puts the value into the 339 three-byte value of UTF-8, but the 0xd9 as the second value is not a 340 valid second byte for UTF-8. 342 This is not valid UTF-16: the byte sequence 0xd9d9 (in either endian 343 order) puts this value into the UTF-16 high-half zone, which would 344 signal that this a 32-bit Unicode value. However, the following 345 16-bit big-endian value 0xf8.. is not a valid second sequence 346 according to [RFC2781]. On a little-endian system, it would be 347 necessary to examine the fourth byte to determine if it is valid. 348 That next byte is determined by the subsequent encoding, and 349 Section 3.4.6 of [RFC8949] has already determined that no valid CBOR 350 encodings result in a valid UTF-16. 352 Data Item: 353 byte string 355 Semantics: 356 indicates that the file contains CBOR Sequences 358 6.2. CBOR Tags for CoAP Content-Format Numbers 360 IANA is requested to allocate the tag numbers 1668546560 (0x63740000) 361 to 1668612095 (0x6374FFFF) as follows: 363 Data Item: 364 byte string 366 Semantics: 367 for each tag number NNNN, the representation of content-format 368 (RFC7252) NNNN-1668546560 370 Reference: 371 RFCthis 373 (More details in Appendix A.) 375 7. References 377 7.1. Normative References 379 [RFC8742] Bormann, C., "Concise Binary Object Representation (CBOR) 380 Sequences", RFC 8742, DOI 10.17487/RFC8742, February 2020, 381 . 383 [RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object 384 Representation (CBOR)", STD 94, RFC 8949, 385 DOI 10.17487/RFC8949, December 2020, 386 . 388 7.2. Informative References 390 [file] Wikipedia, "file (command)", 20 January 2021, 391 . 393 [I-D.ietf-cose-cbor-encoded-cert] 394 Raza, S., Höglund, J., Selander, G., Mattsson, J. P., and 395 M. Furuhed, "CBOR Encoded X.509 Certificates (C509 396 Certificates)", Work in Progress, Internet-Draft, draft- 397 ietf-cose-cbor-encoded-cert-01, 25 May 2021, 398 . 401 [I-D.ietf-rats-eat] 402 Mandyam, G., Lundblade, L., Ballesteros, M., and J. 403 O'Donoghue, "The Entity Attestation Token (EAT)", Work in 404 Progress, Internet-Draft, draft-ietf-rats-eat-10, 7 June 405 2021, . 408 [I-D.ietf-sacm-coswid] 409 Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., and D. 410 Waltermire, "Concise Software Identification Tags", Work 411 in Progress, Internet-Draft, draft-ietf-sacm-coswid-17, 22 412 February 2021, . 415 [IANA.core-parameters] 416 IANA, "Constrained RESTful Environments (CoRE) 417 Parameters", 418 . 420 [RFC2781] Hoffman, P. and F. Yergeau, "UTF-16, an encoding of ISO 421 10646", RFC 2781, DOI 10.17487/RFC2781, February 2000, 422 . 424 [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained 425 Application Protocol (CoAP)", RFC 7252, 426 DOI 10.17487/RFC7252, June 2014, 427 . 429 [RFC8152] Schaad, J., "CBOR Object Signing and Encryption (COSE)", 430 RFC 8152, DOI 10.17487/RFC8152, July 2017, 431 . 433 Appendix A. CBOR Tags for CoAP Content Formats 435 Often, there is a need to identify a media type (or content type, 436 i.e., media type optionally used with parameters) that describes a 437 byte string in a CBOR data item. 439 Section 5.10.3 of [RFC7252] defines the concept of a Content-Format, 440 which is a short 16-bit unsigned integer that identifies a specific 441 content type (media type plus optionally parameters), optionally 442 together with a content encoding. 444 This specification allocates CBOR tag numbers 1668546560 (0x63740000) 445 to 1668612095 (0x6374FFFF) for the tagging of representations of 446 specific content formats. The tag content tagged with tag number 447 NNNN (in above range) is a byte string that is to be interpreted as a 448 representation of the content format NNNN-1668546560. 450 A.1. Content-Format Tag Examples 452 Subregistry Content-Formats of [IANA.core-parameters] defines content 453 formats that can be used as examples: 455 * Content-Format 432 stands for media type application/td+json (no 456 parameters). The corresponding tag number is 1668546992 (i.e., 457 1668546560+432). 459 So the following CDDL snippet can be used to identify application/ 460 td+json representations: 462 td-json = #6.1668546992(bstr) 463 Note that a byte string is used as the type of the tag content, 464 because a media type representation in general can be any byte 465 string. 467 * Content-Format 11050 stands for media type application/json in 468 deflate encoding. 470 The corresponding tag number is 1668557610 (i.e., 471 1668546560+11050). 473 So the following CDDL snippet can be used to identify application/ 474 json representations compressed in deflate encoding: 476 json-deflate = #6.1668557610(bstr) 478 The byte string is appropriate here as the type for the tag 479 content, because the compressed form is an instance of a general 480 byte string. 482 Appendix B. Example from Openswan 484 The Openswan IPsec project has a daemon ("pluto"), and two control 485 programs ("addconn", and "whack"). They communicate via a Unix- 486 domain socket, over which a C-structure containing pointers to 487 strings is serialized using a bespoke mechanism. This is normally 488 not a problem as the structure is compiled by the same compiler; but 489 when there are upgrades it is possible for the daemon and the control 490 programs to get out of sync by the bespoke serialization. As a 491 result, there are extra compensations to deal with shutting the 492 daemon down. During testing it is sometimes the case that upgrades 493 are backed out. 495 In addition, when doing unit testing, the easiest way to load policy 496 is to use the normal policy reading process, but that is not normally 497 loaded in the daemon. Instead the IPC that is normally sent across 498 the wire is compiled/serialized and placed in a file. The above 499 magic number is included in the file, and also on the IPC in order to 500 distinguish the "shutdown" command CBOR operation. 502 In order to reduce the problems due to serialization, the 503 serialization is being changed to CBOR. Additionally, this change 504 allows the IPC to be described by CDDL, and for any language that 505 encode to CBOR can be used. 507 IANA has allocated the tag 1330664270, or 0x4f_50_53_4e for this 508 purpose. As a result, each file and each IPC is prefixed with: 510 In diagnostic notation: 512 55800(1330664270(h'424F52')) 514 Or in hex: 516 00000000 d9 d9 f8 da 4f 50 53 4e 43 42 4f 52 |....OPSNCBOR| 518 Appendix C. Changelog 520 Acknowledgements 522 The CBOR WG brainstormed this protocol on January 20, 2021. 524 Contributors 526 Josef 'Jeff' Sipek 528 Email: jeffpc@josefsipek.net 530 Authors' Addresses 532 Michael Richardson 533 Sandelman Software Works 535 Email: mcr+ietf@sandelman.ca 537 Carsten Bormann 538 Universität Bremen TZI 539 Germany 541 Email: cabo@tzi.org