RFC Errata
RFC 5878, "Transport Layer Security (TLS) Authorization Extensions", May 2010
Note: This RFC has been updated by RFC 8447, RFC 8996
Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec
Errata ID: 3515
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Ben Laurie
Date Reported: 2013-03-08
Section 3.3 says:
   struct {
     AuthzDataFormat authz_format;
     select (AuthzDataFormat) {
       case x509_attr_cert: X509AttrCert;
       case saml_assertion: SAMLAssertion;
       case x509_attr_cert_url: URLandHash;
       case saml_assertion_url: URLandHash;
     }
   } AuthorizationDataEntry;

   enum {
     x509_attr_cert(0), saml_assertion(1), x509_attr_cert_url(2),
     saml_assertion_url(3), (255)
   } AuthzDataFormat;

   opaque X509AttrCert<1..2^16-1>;
   opaque SAMLAssertion<1..2^16-1>;

   struct {
     opaque url<1..2^16-1>;
     HashAlgorithm hash_alg;
     select (hash_alg) {
       case md5: MD5Hash;
       case sha1: SHA1Hash;
       case sha224: SHA224Hash;
       case sha256: SHA256Hash;
       case sha384: SHA384Hash;
       case sha512: SHA512Hash;
     } hash;
   } URLandHash;
It should say:
   struct {
     AuthzDataFormat authz_format;
     uint16 authz_data_length;
     select (AuthzDataFormat) {
       case x509_attr_cert: X509AttrCert;
       case saml_assertion: SAMLAssertion;
       case x509_attr_cert_url: URLandHash;
       case saml_assertion_url: URLandHash;
     }
   } AuthorizationDataEntry;

   authz_data_length
     This field is the length (in bytes) of the data selected by
     AuthzDataFormat.

   enum {
     x509_attr_cert(0), saml_assertion(1), x509_attr_cert_url(2),
     saml_assertion_url(3), (255)
   } AuthzDataFormat;

   opaque X509AttrCert[authz_data_length];
   opaque SAMLAssertion[authz_data_length];

   struct {
     opaque url<1..2^16-1>;
     HashAlgorithm hash_alg;
     select (hash_alg) {
       case md5: MD5Hash;
       case sha1: SHA1Hash;
       case sha224: SHA224Hash;
       case sha256: SHA256Hash;
       case sha384: SHA384Hash;
       case sha512: SHA512Hash;
     } hash;
   } URLandHash;

Example: similarly to the example on p. 7, authorization data consisting of
an X509 attribute cert and a SAML assertion URL is encoded as

   17             # Handshake.msg_type == supplemental_data(23)
   00 00 38       # Handshake.length = 56
   00 00 53       # length of SupplementalData.supp_data = 53
   40 02          # SupplementalDataEntry.supp_data_type = 16386
   00 31          # SupplementalDataEntry.supp_data_length = 49
   00             # authz_format = x509_attr_cert(0)
   00 05          # authz_data_length = 5
   aa aa aa aa aa # X509AttrCert fictitious: "aa aa aa aa aa"
   01             # authz_format = saml_assertion_url(3)
   00 26          # authz_data_length = 38
   00 03          # length of URLAndHash url
   bb bb bb       # url fictitious: "bb bb bb"
   04             # hash_alg = sha256(4)
   00 01 02 03    # sha256 hash: "00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d
   04 05 06 07    #   0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f"
   08 09 0a 0b    #
   0c 0d 0e 0f    #
   10 11 12 13    #
   14 15 16 17    #
   18 19 1a 1b    #
   1c 1d 1e 1f    #
Notes:
Proposed change: Allow opaque parsing of AuthorizationData entries. As AuthorizationData
may be intended for use by applications rather than the handshake itself, it is desirable that TLS
servers and clients be able to parse this data without being aware of its structure.
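A parser for the proposed encoding, added here as an example that is not part of the errata or of RFC 5878: it splits AuthorizationData into entries using only authz_data_length, so an entry whose format it does not understand (the hypothetical value 0x7f in the constructed sample) is carried opaquely, while decoding the URLandHash body shows why the inner structure alone is not enough to find an entry's end. The sample bytes, the 0x7f format value and the digest sizes keyed on TLS 1.2 HashAlgorithm values are this example's own assumptions.

```python
import struct
from typing import List, Tuple

# Digest sizes for TLS 1.2 HashAlgorithm values md5(1)..sha512(6); URLandHash
# carries a fixed-size hash, so a reader must know hash_alg to find its end.
HASH_LEN = {1: 16, 2: 20, 3: 28, 4: 32, 5: 48, 6: 64}

class ParseError(ValueError):
    pass

def parse_authorization_data(buf: bytes) -> List[Tuple[int, bytes]]:
    """Split AuthorizationData into (authz_format, authz_data) pairs using the
    errata's uint16 authz_data_length, without looking inside the data."""
    entries, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 3:
            raise ParseError("truncated AuthorizationDataEntry header")
        fmt, length = buf[pos], struct.unpack_from("!H", buf, pos + 1)[0]
        pos += 3
        if length > len(buf) - pos:  # bounds check before slicing
            raise ParseError("authz_data_length exceeds remaining bytes")
        entries.append((fmt, buf[pos:pos + length]))
        pos += length
    return entries

def parse_url_and_hash(data: bytes) -> Tuple[bytes, int, bytes]:
    """Decode a URLandHash body: url<1..2^16-1>, hash_alg, fixed-size hash."""
    if len(data) < 2:
        raise ParseError("truncated url length")
    url_len = struct.unpack_from("!H", data)[0]
    if url_len == 0 or 2 + url_len + 1 > len(data):
        raise ParseError("bad url length")
    url, hash_alg, digest = data[2:2 + url_len], data[2 + url_len], data[3 + url_len:]
    if len(digest) != HASH_LEN.get(hash_alg):
        raise ParseError("unknown hash_alg or hash length mismatch")
    return url, hash_alg, digest

def is_well_formed(buf: bytes) -> bool:
    try:
        parse_authorization_data(buf)
        return True
    except ParseError:
        return False

# Constructed sample (not the errata's bytes): the reporter's two entries, i.e.
# x509_attr_cert(0) with five 0xaa bytes and saml_assertion_url(3) carrying url
# "bb bb bb", sha256(4) and digest 00..1f, then a hypothetical format 0x7f.
SAMPLE = (bytes([0x00, 0x00, 0x05]) + b"\xaa" * 5
          + bytes([0x03, 0x00, 0x26, 0x00, 0x03]) + b"\xbb" * 3 + b"\x04" + bytes(range(32))
          + bytes([0x7f, 0x00, 0x04]) + b"\xcc" * 4)
```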