Canonicalised JSON format produces invalid JSON #246
Comments
|
Related to #223 |
toby-jn
added a commit
to toby-jn/go-tuf
that referenced
this issue
Mar 29, 2022
toby-jn
added a commit
to toby-jn/go-tuf
that referenced
this issue
Apr 13, 2022
toby-jn
added a commit
to toby-jn/go-tuf
that referenced
this issue
Apr 13, 2022
asraa
pushed a commit
that referenced
this issue
Apr 14, 2022
* fix JSON canonicalisation (see #246)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The go-tuf library appears to mis-use JSON canonicalisation when serialising metadata.
The JSON canonicalisation format (specified here: https://wiki.laptop.org/go/Canonical_JSON) does not escape of control sequences in string values, however the JSON standard (https://www.ecma-international.org/wp-content/uploads/ECMA-404_2nd_edition_december_2017.pdf) requires that all control characters (defined as U+0000 to U+001F) MUST be escaped in strings.
As a result new line characters in strings are not escaped and this produces invalid JSON and go-tuf will fail to marshal metadata containing these sequences. This is particularly problematic for RSA and ECDSA keys where the specification states they are encoded in PEM format, which will inevitably contain newline characters.
I believe the cause of the error is that go-tuf does not just use canonicalisation to calculate the message digest, and also uses it to serialise the metadata for output.
The text was updated successfully, but these errors were encountered: