From: Andreas S. <and...@ca...> - 2016-01-14 10:30:05
Interesting. But how does this approach address the issue of a canonical format for the signature input? If you use different JSON encoders generating valid, but different JSON textual presentations (e.g. different white-space), then signature validation will fail. I would have expected that white-space is eliminated during canonicalization, but don't see that in the code sample. It's the same issue as in XML Signatures and the transformation in a canonical XML format before hashing.

Andreas

On 01/14/2016 10:41 AM, Anders Rundgren wrote:
> The samples below should be comparable with respect to securing the integrity of the payload and the signature parameters, but they obviously differ a lot in the way they get the work done.
>
> JCS was developed to match information-rich, multi-signature schemes like
> https://www.w3.org/Payments/IG/wiki/Main_Page/ProposalsQ42015/SCAI#The_SCAI_line
> and similar. JCS has recently been upgraded to match ECMAScript revision 6.
>
>
> JSON Cleartext Signature (JCS): https://cyberphone.github.io/openkeystore/resources/docs/jcs.html#ECMAScript_Compatibility_Mode
>
> var signedObject = {
>   // The data
>   statement: "Hello signed world!",
>   otherProperties: [2000, true],
>   // The signature
>   signature: {
>     algorithm: "ES256",
>     publicKey: {
>       type: "EC",
>       curve: "P-256",
>       x: "vlYxD4dtFJOp1_8_QUcieWCW-4KrLMmFL2rpkY1bQDs",
>       y: "fxEF70yJenP3SPHM9hv-EnvhG6nXr3_S-fDqoj-F6yM"
>     },
>     value: "2H__TkcV28QpGWPkyVbR1CW0I8L4xARrVGL0LjOeHJLOPozdzRqCTyYfmAippJXqdzgNAonnFPVCSI5A6novMQ"
>   }
> };
>
>
> JSON Web Signature (JWS): https://tools.ietf.org/rfc/rfc7515.txt
>
> var signedObject = {
>   "payload": "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ",
>   "protected": "eyJhbGciOiJFUzI1NiJ9",
>   "signature": "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q"
> };
>
>
>
> Anders

--
---------
CardContact Software & System Consulting
Andreas Schwier
Schülerweg 38
32429 Minden, Germany
Phone +49 571 56149
---------
http://www.cardcontact.de
http://www.tscons.de
http://www.openscdp.org
http://www.smartcard-hsm.com