From: Anders R. <and...@gm...> - 2016-01-14 11:24:02
On 2016-01-14 11:29, Andreas Schwier wrote:
> Interesting.

Hi Andreas,

> But how does this approach address the issue of a canonical format for
> the signature input?

The described approach does not depend on a canonical JSON representation
but on a normalized ditto, which is what ECMAScript (using the specified
constraints) does automatically.

> If you use different JSON encoders generating valid, but different JSON
> textual presentations (e.g. different white-space), then signature
> validation will fail. I would have expected that white-space is
> eliminated during canonicalization, but don't see that in the code sample.

White-space is ignored by ECMAScript, which means that other systems MUST
also do that in order to utilize this scheme.

Relying on the number algorithms featured in
https://developers.google.com/v8/
may appear slightly "hacky", but OTOH there are already tons of systems out
there building on this platform, including
https://nodejs.org/en/
so it is about as "standard" as you can get.

> It's the same issue as in XML Signatures and the transformation in a
> canonical XML format before hashing.

I believe there is a 1 to 25 difference in complexity.

Anders

>
> Andreas
>
> On 01/14/2016 10:41 AM, Anders Rundgren wrote:
>> The samples below should be comparable with respect to securing the
>> integrity of the payload and the signature parameters, but they obviously
>> differ a lot in the way they get the work done.
>>
>> JCS was developed to match information-rich, multi-signature schemes like
>> https://www.w3.org/Payments/IG/wiki/Main_Page/ProposalsQ42015/SCAI#The_SCAI_line
>> and similar. JCS has recently been upgraded to match ECMAScript revision 6.
>>
>>
>> JSON Cleartext Signature (JCS):
>> https://cyberphone.github.io/openkeystore/resources/docs/jcs.html#ECMAScript_Compatibility_Mode
>>
>> var signedObject = {
>>   // The data
>>   statement: "Hello signed world!",
>>   otherProperties: [2000, true],
>>   // The signature
>>   signature: {
>>     algorithm: "ES256",
>>     publicKey: {
>>       type: "EC",
>>       curve: "P-256",
>>       x: "vlYxD4dtFJOp1_8_QUcieWCW-4KrLMmFL2rpkY1bQDs",
>>       y: "fxEF70yJenP3SPHM9hv-EnvhG6nXr3_S-fDqoj-F6yM"
>>     },
>>     value: "2H__TkcV28QpGWPkyVbR1CW0I8L4xARrVGL0LjOeHJLOPozdzRqCTyYfmAippJXqdzgNAonnFPVCSI5A6novMQ"
>>   }
>> };
>>
>>
>> JSON Web Signature (JWS): https://tools.ietf.org/rfc/rfc7515.txt
>>
>> var signedObject = {
>>   "payload": "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ",
>>   "protected": "eyJhbGciOiJFUzI1NiJ9",
>>   "signature": "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q"
>> };
>>
>>
>>
>> Anders
>>
>> _______________________________________________
>> Opensc-devel mailing list
>> Ope...@li...
>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>>
>
>