
Found 4 records.

Status: Reported (4)

RFC5878, "Transport Layer Security (TLS) Authorization Extensions", May 2010

Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec

Errata ID: 3512

Status: Reported
Type: Technical

Reported By: Ben Laurie
Date Reported: 2013-03-08

Section 3 says:

struct {
  SupplementalDataType supplemental_data_type;
  select(SupplementalDataType) {
    case authz_data: AuthorizationData;
  }
} SupplementalData;

It should say:

struct {
  SupplementalDataType supp_data_type;
  uint16 supp_data_length;
  select(SupplementalDataType) {
    case authz_data: AuthorizationData;
  }
} SupplementalDataEntry;

supp_data_length This field is the length (in bytes) of the data 
selected by SupplementalDataType.

Errata ID: 3513

Status: Reported
Type: Technical

Reported By: Ben Laurie
Date Reported: 2013-03-08

Section 3.3 says:

struct{
  AuthorizationDataEntry authz_data_list<1..2^16-1>;
} AuthorizationData;

It should say:

struct{
  AuthorizationDataEntry authz_data_list[supp_data_length];
} AuthorizationData;


Errata ID: 3514

Status: Reported
Type: Technical

Reported By: Ben Laurie
Date Reported: 2013-03-08

Section 3.3 says:

17 # Handshake.msg_type == supplemental_data(23)
00 00 11 # Handshake.length = 17
00 00 0e # length of SupplementalData.supp_data = 14
40 02 # SupplementalDataEntry.supp_data_type = 16386
00 0a # SupplementalDataEntry.supp_data_length = 10
00 08 # length of AuthorizationData.authz_data_list = 8
01 # authz_format = saml_assertion(1)
00 05 # length of SAMLAssertion
aa aa aa aa aa # SAML assertion (fictitious: "aa aa aa aa aa")

It should say:

17 # Handshake.msg_type == supplemental_data(23)
00 00 0f # Handshake.length = 15
00 00 0d # length of SupplementalData.supp_data = 13
40 02 # SupplementalDataEntry.supp_data_type = 16386
00 0a # SupplementalDataEntry.supp_data_length = 8
01 # authz_format = saml_assertion(1)
00 05 # length of SAMLAssertion
aa aa aa aa aa # SAML assertion (fictitious: "aa aa aa aa aa")

Errata ID: 3515

Status: Reported
Type: Technical

Reported By: Ben Laurie
Date Reported: 2013-03-08

Section 3.3 says:

struct {
  AuthzDataFormat authz_format;
  select (AuthzDataFormat) {
    case x509_attr_cert: X509AttrCert;
    case saml_assertion: SAMLAssertion;
    case x509_attr_cert_url: URLandHash;
    case saml_assertion_url: URLandHash;
  }
} AuthorizationDataEntry;

enum {
  x509_attr_cert(0), saml_assertion(1), x509_attr_cert_url(2),
  saml_assertion_url(3), (255)
} AuthzDataFormat;

opaque X509AttrCert<1..2^16-1>;

opaque SAMLAssertion<1..2^16-1>;

struct {
  opaque url<1..2^16-1>;
  HashAlgorithm hash_alg;
  select (hash_alg) {
    case md5: MD5Hash;
    case sha1: SHA1Hash;
    case sha224: SHA224Hash;
    case sha256: SHA256Hash;
    case sha384: SHA384Hash;
    case sha512: SHA512Hash;
  } hash;
} URLandHash;

It should say:

struct {
  AuthzDataFormat authz_format;
  uint16 authz_data_length;
  select (AuthzDataFormat) {
    case x509_attr_cert: X509AttrCert;
    case saml_assertion: SAMLAssertion;
    case x509_attr_cert_url: URLandHash;
    case saml_assertion_url: URLandHash;
  }
} AuthorizationDataEntry;

authz_data_length This field is the length (in bytes) of the data selected by AuthzDataFormat.

enum {
  x509_attr_cert(0), saml_assertion(1), x509_attr_cert_url(2),
  saml_assertion_url(3), (255)
} AuthzDataFormat;

opaque X509AttrCert[authz_data_length];

opaque SAMLAssertion[authz_data_length];

struct {
  opaque url<1..2^16-1>;
  HashAlgorithm hash_alg;
  select (hash_alg) {
    case md5: MD5Hash;
    case sha1: SHA1Hash;
    case sha224: SHA224Hash;
    case sha256: SHA256Hash;
    case sha384: SHA384Hash;
    case sha512: SHA512Hash;
  } hash;
} URLandHash;

Example: similarly to the example on p. 7, authorization data consisting of an X509 attribute cert
and a SAML assertion URL is encoded as

17 # Handshake.msg_type == supplemental_data(23)
00 00 38 # Handshake.length = 56
00 00 53 # length of SupplementalData.supp_data = 53
40 02 # SupplementalDataEntry.supp_data_type = 16386
00 31 # SupplementalDataEntry.supp_data_length = 49
00 # authz_format = x509_attr_cert(0)
00 05 # authz_data_length = 5
aa aa aa aa aa # X509AttrCert fictitious: "aa aa aa aa aa"
01 # authz_format = saml_assertion_url(3)
00 26 # authz_data_length = 38
00 03 # length of URLAndHash url
bb bb bb # url fictitious: "bb bb bb"
04 # hash_alg = sha256(4)
00 01 02 03 # sha256 hash: "00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d
04 05 06 07 # 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f"
08 09 0a 0b #
0c 0d 0e 0f #
10 11 12 13 #
14 15 16 17 #
18 19 1a 1b #
1c 1d 1e 1f #

Notes:

Proposed change: Allow opaque parsing of AuthorizationData entries. As AuthorizationData
may be intended for use by applications rather than the handshake itself, it is desirable that TLS
servers and clients be able to parse this data without being aware of its structure.

