idnits 2.17.1 draft-ietf-cbor-file-magic-04.txt: -(5): Line appears to be too long, but this could be caused by non-ascii characters in UTF-8 encoding Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == There are 3 instances of lines with non-ascii characters in the document. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (4 September 2021) is 962 days in the past. Is this intentional? Checking references for intended status: Best Current Practice ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-09) exists of draft-ietf-cose-cbor-encoded-cert-02 == Outdated reference: A later version (-25) exists of draft-ietf-rats-eat-10 == Outdated reference: A later version (-24) exists of draft-ietf-sacm-coswid-18 -- Obsolete informational reference (is this intentional?): RFC 8152 (Obsoleted by RFC 9052, RFC 9053) Summary: 0 errors (**), 0 flaws (~~), 5 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 CBOR Working Group M. Richardson 3 Internet-Draft Sandelman Software Works 4 Intended status: Best Current Practice C. Bormann 5 Expires: 8 March 2022 Universität Bremen TZI 6 4 September 2021 8 On storing CBOR encoded items on stable storage 9 draft-ietf-cbor-file-magic-04 11 Abstract 13 This document proposes an on-disk format for CBOR objects that is 14 friendly to common on-disk recognition systems like the Unix file(1) 15 command. 17 This document is being discussed at: https://github.com/cbor-wg/cbor- 18 magic-number 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at https://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on 8 March 2022. 37 Copyright Notice 39 Copyright (c) 2021 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 44 license-info) in effect on the date of publication of this document. 45 Please review these documents carefully, as they describe your rights 46 and restrictions with respect to this document. Code Components 47 extracted from this document must include Simplified BSD License text 48 as described in Section 4.e of the Trust Legal Provisions and are 49 provided without warranty as described in the Simplified BSD License. 51 Table of Contents 53 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 54 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 55 2. Requirements for a Magic Number . . . . . . . . . . . . . . . 4 56 3. Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . 4 57 3.1. The CBOR Protocol Specific Tag . . . . . . . . . . . . . 4 58 3.2. CBOR Tag Wrapped . . . . . . . . . . . . . . . . . . . . 5 59 3.3. CBOR Tag Sequence . . . . . . . . . . . . . . . . . . . . 5 60 4. Advice to Protocol Developers . . . . . . . . . . . . . . . . 6 61 4.1. Is the on-wire format new? . . . . . . . . . . . . . . . 7 62 4.2. Can many items be trivially concatenated? . . . . . . . . 7 63 4.3. Are there tags at the start? . . . . . . . . . . . . . . 8 64 5. Security Considerations . . . . . . . . . . . . . . . . . . . 8 65 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 66 6.1. CBOR Sequence Tag . . . . . . . . . . . . . . . . . . . . 8 67 6.2. CBOR Tags for CoAP Content-Format Numbers . . . . . . . . 9 68 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 69 7.1. Normative References . . . . . . . . . . . . . . . . . . 9 70 7.2. Informative References . . . . . . . . . . . . . . . . . 9 71 Appendix A. CBOR Tags for CoAP Content Formats . . . . . . . . . 10 72 A.1. Content-Format Tag Examples . . . . . . . . . . . . . . . 11 73 Appendix B. Example from Openswan . . . . . . . . . . . . . . . 11 74 Appendix C. Changelog . . . . . . . . . . . . . . . . . . . . . 12 75 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 12 76 Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 12 77 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 79 1. Introduction 81 Since very early in computing, operating systems have sought ways to 82 mark which files could be processed by which programs. 84 For instance, the Unix file(1) command, which has existed since 1973 85 [file], has been able to identify many file formats for decades based 86 upon the contents of the file. 88 Many systems (Linux, MacOS, Windows) will select the correct 89 application based upon the file contents, if the system can not 90 determine it by other means. For instance, the classic MacOS 91 maintained a resource fork that includes media type ("MIME type") 92 information and therefore ideally never needs to know anything about 93 the file. 95 But, many other systems do this by file extensions. Many common web 96 servers derive the MIME-type information from file extensions. 98 While having a media type associated with the file is a better 99 solution in general, when files become disconnected from their type 100 information, such as when attempting to do forensics on a damaged 101 system, then being able to identify a file type can become very 102 important. 104 It is noted that in the media type registration, that a magic number 105 is asked for, if available, as is a file extension. 107 A challenge for the file(1) program is often that it can be confused 108 by the encoding vs the content. For instance, an Android "apk" used 109 to transfer and store an application may be identified as a ZIP file. 110 Additionaly, both OpenOffice or MSOffice files are ZIP files of XML 111 files. 113 As CBOR becomes a more and more common encoding for a wide variety of 114 artifacts, identifying them as just "CBOR" is probably not 115 sufficient. This document provides a way to encode a magic number 116 into the beginning of a CBOR format file. Two possible methods are 117 presented: a CBOR Protocol author will specify one. (A CBOR Protocol 118 is a specification which uses CBOR as its encoding) 120 Examples of CBOR Protocols currently under development include CoSWID 121 [I-D.ietf-sacm-coswid], and EAT [I-D.ietf-rats-eat]. COSE itself 122 [RFC8152] is considered infrastructure, however the encoding of 123 public keys in CBOR as described in [I-D.ietf-cose-cbor-encoded-cert] 124 would be an identified CBOR Protocol as well. 126 A major inspiration for this document is observing the mess in ASN.1 127 based systems where most files are PEM encoded, identified by the 128 extension "pem", confusing public keys, private keys, certificate 129 requests and S/MIME content. 131 While these proposals are invasive to how CBOR Protocols are stored 132 in files, but in both cases, the proposed envelope does not require 133 that the tag be transferred on the wire. 135 In addition to the on-disk identification aspects, there are some 136 protocols which may benefit from having such a magic number on the 137 wire if they are presently using a different (legacy) encoding 138 scheme. The presence of the identifiable magic sequence signals that 139 CBOR is being used vs a legacy scheme. 141 1.1. Terminology 143 The term "diagnostic notation" refers to the human-readable notation 144 for CBOR data items defined in Section 8 of [RFC8949] and Appendix G 145 of [RFC8610]. 147 The term CDDL (Concise Data Definition Language) refers to the 148 language defined in [RFC8610]. 150 2. Requirements for a Magic Number 152 A magic number is ideally a unique fingerprint, present in the first 153 4 or 8 bytes of the file, which does not change when the contents 154 change, and does not depend upon the length of the file. 156 Less ideal solutions have a pattern that needs to be matched, but in 157 which some bytes need to be ignored. While the Unix file(1) command 158 can be told to ignore bytes, this can lead to ambiguities. 160 3. Protocol 162 There are two methods presented. Which one is to be used is up to 163 the CBOR Protocol author to determined. Both use CBOR Tags in a way 164 that results in a deterministic first 8 to 12 bytes. 166 3.1. The CBOR Protocol Specific Tag 168 CBOR Protocol designers are to obtain a CBOR tag for each major type 169 of object that they might store on disk. As there are more than 4 170 billion available 4-byte tags, there should be little issue in 171 allocating a few to each available CBOR Protocol. 173 The IANA policy for 4-byte CBOR Tags is First Come First Served, so 174 all that is required is an email to IANA, having filled in the small 175 template provided in Section 9.2 of [RFC8949]. 177 This tag is to be allocated by the author of the CBOR Protocol. It 178 is to be in the four-byte range, and it is to be at least 0x01000000 179 (decimal 16777216) in value so that there are no leading zeros. 181 The use of a sequence of four US-ASCII codes which are mnemonic to 182 the protocol is encouraged, but not required. 184 For CBOR byte strings that happen to contain a representation that is 185 described by a CoAP Content-Format Number (Section 12.3 of [RFC7252], 186 Subregistry Content-Formats of [IANA.core-parameters]), a tag number 187 has already been allocated in Section 6.2 (see Appendix A for details 188 and examples). 190 3.2. CBOR Tag Wrapped 192 The CBOR Tag Wrapped method starts with the Self-described CBOR tag, 193 55799, as described in Section 3.4.6 of [RFC8949]. 195 A second CBOR Tag is then allocated to describe the specific Protocol 196 involved, as described above. 198 This proposal wraps the CBOR value as tags usually do. Applications 199 that need to send the CBOR value across a constrained link may wish 200 to remove the two tags if the use is implicitly understood. 202 Whether or not to remove the tag is a decision made by the CBOR 203 Protocol specification. 205 3.3. CBOR Tag Sequence 207 The CBOR Taq Sequence method makes use of CBOR Sequences as described 208 in [RFC8742]. 210 This method consists of two tags and a constant string for a total of 211 12 bytes. 213 1. The file shall start with the Self-described CBOR Sequence tag, 214 55800. 216 2. The file shall continue with a CBOR tag, from the First Come 217 First Served space, which uniquely identifies the CBOR Protocol. 218 The use of a four-byte tag is encouraged. 220 3. The three byte CBOR byte string containing 0x42_4F_52. 222 The first part identifies the file as being a CBOR Sequence, and does 223 so with all the desirable properties explained in Section 3.4.6 of 224 [RFC8949]. Specifically, it does not seem to conflict with any known 225 file types, and it is not valid Unicode in any Unicode encoding. 227 The second part identifies which CBOR Protocol is used, as described 228 above. 230 The third part is represented as a constant byte sequence 231 0x43_42_4f_52, the ASCII characters "CBOR", which is the CBOR encoded 232 data item for the three byte sequence 0x42_4f_52 ('BOR' in diagnostic 233 notation). This is the data item that is being tagged. 235 The actual CBOR Protocol value then follows as the next data item(s) 236 in the CBOR sequence, without a need for any further specific tag. 237 The use of a CBOR Sequence allows the application to trivially remove 238 the first item with the two tags. 240 Should this file be reviewed by a human (directly in an editor, or in 241 a hexdump display), it will include the ASCII characters "CBOR" 242 prominently. This value is also included simply because the two tags 243 need to tag something. 245 4. Advice to Protocol Developers 247 This document introduces a choice between a CBOR Sequence and a 248 wrapped CBOR Tag. Which should a protocol designer use? 250 In this discussion, one assumes that there is an object stored in a 251 file, perhaps specified by a system operator in a configuration file. 253 For example: a private key used in COSE operations, a public key/ 254 certificate in C509 or CBOR format, a recorded sensor reading stored 255 for later transmission, or a COVID vaccination certificate that needs 256 to be displayed in QRcode form. 258 Both the CBOR Tag Sequence and the wrapped tag can be trivially 259 removed by an application before sending the CBOR content out on the 260 wire. 262 The CBOR Tag Sequence is a little bit easier to remove as in most 263 cases, CBOR parsers will return it as a unit, and then return the 264 actual CBOR item, which could be anything at all, and could include 265 CBOR tags that _do_ need to be sent on wire. 267 On the other hand, having the CBOR Tag Sequence in the file requires 268 that all programs that expect to examine that file are able to skip 269 what appears to be an empty CBOR item. Programs which might not 270 expect the CBOR Tag Sequence, but which would operate without a 271 problem would include any program that expects to process CBOR 272 Sequences from the file. 274 As an example of where there was a problem with previous security 275 systems, "PEM" format certificate files grew to be able to contain 276 multiple certificates by simple concatenation. The PKCS1 format 277 could also contain a private key object followed by a one or more 278 certificate objects: but only when in PEM format. Perversely, when 279 in binary DER format (which like CBOR is self-limiting), 280 concatenation of certificates was not compatible with most programs 281 as they did not expect to read more than one item in the file. 283 The use of CBOR Tag Wrapped format is easier to retrofit to an 284 existing format with existing and unchangeable on-disk format. This 285 new sequence of tags are expected to be trivially ignored by an 286 existing program when reading CBOR from disk, even if the program 287 only supports decoding a single data item (and not a CBOR sequence). 288 But, a naive program might also then transmit the additional tags 289 across the network. Removing the CBOR Tag Wrapped format requires 290 knowledge of the two tags involved. Other tags present might be 291 needed. 293 For a representation matching a specific media-type that is carried 294 in a CBOR byte string, the byte string head will already have to be 295 removed for use as such a representation, so it should be easy to 296 remove the enclosing tag heads as well. This is of particular 297 interest with the pre-defined tags provided by Appendix A for media- 298 types with CoAP Content-Format numbers. 300 Here are some considerations in the form of survey questions: 302 4.1. Is the on-wire format new? 304 If the on-wire format is new, then it could be specified with the 305 CBOR Tag Wrapped format if the extra eight bytes are not a problem. 306 The disk format is then identical to the on-wire format. 308 If the eight bytes are a problem (and they usually are if CBOR is 309 being considered), then the CBOR Tag Sequence format should be 310 adopted for on-disk storage. 312 4.2. Can many items be trivially concatenated? 314 If the programs that read the contents of the file already expect to 315 process all of the items in the file (not just the first), then the 316 CBOR Tag Sequence format may be easily retrofitted. 318 The program involved may throw errors or warnings on the CBOR Tag 319 Sequence if they have not yet been updated, but this may not be a 320 problem. If it is, then consideration should be given to CBOR Tag 321 Wrapped. 323 If only one item is ever expected in the file, the the use of CBOR 324 Tag Sequence may present an implementation hurdle to programs that 325 previously just read a single value and used it. 327 4.3. Are there tags at the start? 329 If the Protocol expects to use other tags values at the top-level, 330 then it may be easier to explain if the CBOR Tag Sequence format is 331 used. 333 5. Security Considerations 335 This document provides a way to identify CBOR Protocol objects. 336 Clearly identifying CBOR contents on disk may have a variety of 337 impacts. 339 The most obvious is that it may allow malware to identify interesting 340 objects on disk, and then corrupt them. 342 6. IANA Considerations 344 Section 6.1 documents the allocation that was done for a CBOR tag to 345 be used in a CBOR sequence to identify the sequence (an example for 346 using this tag is found in Appendix B). Section 6.2 allocates a CBOR 347 tag for each actual or potential CoAP Content-Format number (examples 348 are in Appendix A). 350 6.1. CBOR Sequence Tag 352 IANA has allocated tag 55800 as the CBOR Sequence tag. This tag is 353 from the First Come/First Served area. 355 The value has been picked to have properties similar to the 55799 tag 356 (Section 3.4.6 of [RFC8949]). 358 The hexadecimal representation is: 0xd9_d9_f8. 360 This is not valid UTF-8: the first 0xd9 puts the value into the 361 three-byte value of UTF-8, but the 0xd9 as the second value is not a 362 valid second byte for UTF-8. 364 This is not valid UTF-16: the byte sequence 0xd9d9 (in either endian 365 order) puts this value into the UTF-16 high-half zone, which would 366 signal that this a 32-bit Unicode value. However, the following 367 16-bit big-endian value 0xf8.. is not a valid second sequence 368 according to [RFC2781]. On a little-endian system, it would be 369 necessary to examine the fourth byte to determine if it is valid. 370 That next byte is determined by the subsequent encoding, and 371 Section 3.4.6 of [RFC8949] has already determined that no valid CBOR 372 encodings result in a valid UTF-16. 374 Data Item: 376 byte string 378 Semantics: 379 indicates that the file contains CBOR Sequences 381 6.2. CBOR Tags for CoAP Content-Format Numbers 383 IANA is requested to allocate the tag numbers 1668546560 (0x63740000) 384 to 1668612095 (0x6374FFFF) as follows: 386 Data Item: 387 byte string 389 Semantics: 390 for each tag number NNNN, the representation of content-format 391 (RFC7252) NNNN-1668546560 393 Reference: 394 RFCthis 396 7. References 398 7.1. Normative References 400 [RFC8742] Bormann, C., "Concise Binary Object Representation (CBOR) 401 Sequences", RFC 8742, DOI 10.17487/RFC8742, February 2020, 402 . 404 [RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object 405 Representation (CBOR)", STD 94, RFC 8949, 406 DOI 10.17487/RFC8949, December 2020, 407 . 409 7.2. Informative References 411 [file] Wikipedia, "file (command)", 20 January 2021, 412 . 414 [I-D.ietf-cose-cbor-encoded-cert] 415 Mattsson, J. P., Selander, G., Raza, S., Höglund, J., and 416 M. Furuhed, "CBOR Encoded X.509 Certificates (C509 417 Certificates)", Work in Progress, Internet-Draft, draft- 418 ietf-cose-cbor-encoded-cert-02, 12 July 2021, 419 . 422 [I-D.ietf-rats-eat] 423 Mandyam, G., Lundblade, L., Ballesteros, M., and J. 424 O'Donoghue, "The Entity Attestation Token (EAT)", Work in 425 Progress, Internet-Draft, draft-ietf-rats-eat-10, 7 June 426 2021, . 429 [I-D.ietf-sacm-coswid] 430 Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., and D. 431 Waltermire, "Concise Software Identification Tags", Work 432 in Progress, Internet-Draft, draft-ietf-sacm-coswid-18, 12 433 July 2021, . 436 [IANA.core-parameters] 437 IANA, "Constrained RESTful Environments (CoRE) 438 Parameters", 439 . 441 [RFC2781] Hoffman, P. and F. Yergeau, "UTF-16, an encoding of ISO 442 10646", RFC 2781, DOI 10.17487/RFC2781, February 2000, 443 . 445 [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained 446 Application Protocol (CoAP)", RFC 7252, 447 DOI 10.17487/RFC7252, June 2014, 448 . 450 [RFC8152] Schaad, J., "CBOR Object Signing and Encryption (COSE)", 451 RFC 8152, DOI 10.17487/RFC8152, July 2017, 452 . 454 [RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data 455 Definition Language (CDDL): A Notational Convention to 456 Express Concise Binary Object Representation (CBOR) and 457 JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, 458 June 2019, . 460 Appendix A. CBOR Tags for CoAP Content Formats 462 Often, there is a need to identify a media type (or content type, 463 i.e., media type optionally used with parameters) that describes a 464 byte string in a CBOR data item. 466 Section 5.10.3 of [RFC7252] defines the concept of a Content-Format, 467 which is a short 16-bit unsigned integer that identifies a specific 468 content type (media type plus optionally parameters), optionally 469 together with a content encoding. 471 This specification allocates CBOR tag numbers 1668546560 (0x63740000) 472 to 1668612095 (0x6374FFFF) for the tagging of representations of 473 specific content formats. The tag content tagged with tag number 474 NNNNNNNN (in above range) is a byte string that is to be interpreted 475 as a representation of the content format NNNNNNNN-1668546560. 477 A.1. Content-Format Tag Examples 479 Subregistry Content-Formats of [IANA.core-parameters] defines content 480 formats that can be used as examples: 482 * Content-Format 432 stands for media type application/td+json (no 483 parameters). The corresponding tag number is 1668546992 (i.e., 484 1668546560+432). 486 So the following CDDL snippet can be used to identify application/ 487 td+json representations: 489 td-json = #6.1668546992(bstr) 491 Note that a byte string is used as the type of the tag content, 492 because a media type representation in general can be any byte 493 string. 495 * Content-Format 11050 stands for media type application/json in 496 deflate encoding. 498 The corresponding tag number is 1668557610 (i.e., 499 1668546560+11050). 501 So the following CDDL snippet can be used to identify application/ 502 json representations compressed in deflate encoding: 504 json-deflate = #6.1668557610(bstr) 506 The byte string is appropriate here as the type for the tag 507 content, because the compressed form is an instance of a general 508 byte string. 510 Appendix B. Example from Openswan 512 The Openswan IPsec project has a daemon ("pluto"), and two control 513 programs ("addconn", and "whack"). They communicate via a Unix- 514 domain socket, over which a C-structure containing pointers to 515 strings is serialized using a bespoke mechanism. This is normally 516 not a problem as the structure is compiled by the same compiler; but 517 when there are upgrades it is possible for the daemon and the control 518 programs to get out of sync by the bespoke serialization. As a 519 result, there are extra compensations to deal with shutting the 520 daemon down. During testing it is sometimes the case that upgrades 521 are backed out. 523 In addition, when doing unit testing, the easiest way to load policy 524 is to use the normal policy reading process, but that is not normally 525 loaded in the daemon. Instead the IPC that is normally sent across 526 the wire is compiled/serialized and placed in a file. The above 527 magic number is included in the file, and also on the IPC in order to 528 distinguish the "shutdown" command CBOR operation. 530 In order to reduce the problems due to serialization, the 531 serialization is being changed to CBOR. Additionally, this change 532 allows the IPC to be described by CDDL, and for any language that 533 encode to CBOR can be used. 535 IANA has allocated the tag 1330664270, or 0x4f_50_53_4e for this 536 purpose. As a result, each file and each IPC is prefixed a CBOR TAG 537 Sequence. 539 In diagnostic notation: 541 55800(1330664270(h'424F52')) 543 Or in hex: 545 00000000 d9 d9 f8 da 4f 50 53 4e 43 42 4f 52 |....OPSNCBOR| 547 Appendix C. Changelog 549 Acknowledgements 551 The CBOR WG brainstormed this protocol on January 20, 2021 via a 552 number of productive email exchanges on the mailing list. 554 Contributors 556 Josef 'Jeff' Sipek 558 Email: jeffpc@josefsipek.net 560 Authors' Addresses 562 Michael Richardson 563 Sandelman Software Works 565 Email: mcr+ietf@sandelman.ca 566 Carsten Bormann 567 Universität Bremen TZI 568 Germany 570 Email: cabo@tzi.org