Giving up on XML DSig => JSON from Anders Rundgren on 2013-08-26 (public-xmlsec-comments@w3.org from August 2013)

From: Anders Rundgren <anders.rundgren@telia.com>
Date: Mon, 26 Aug 2013 10:55:37 +0200
To: public-xmlsec-comments@w3.org
Message-ID: <521B1809.3090608@telia.com>
Since Google doesn't support XSD or XML DSig in Android I began looking at other alternatives.
There were none :-(   Therefore I created a 2000-line system that writes and reads JSON from Java.
In addition, I adopted a scaled-down version of XML DSig's enveloped-signatures.

The concept of enveloped signatures have been slammed by the JOSE WG due to a belief that canonicalization issues will be hard.
FWIW, I just wrote the entire thing in just a week and I didn't find any problems all.

https://code.google.com/p/openkeystore/source/browse/#svn%2Flibrary%2Ftrunk%2Fsrc%2Forg%2Fwebpki%2Fjson

It seems that I will be able to replace 200,000 lines of Apache code with about 2,000 lines of custom code.

  {
    "MyLittleSignature":
      {
        "Version": "http://example.com/signature",
        "Now": "2013-08-25T20:31:23+02:00",
        "HRT":
          {
            "RTl": "67",
            "YT":
              {
                "HTL": "656756#",
                "INTEGER": -689,
                "Fantastic": false
              },
            "er": "33"
          },
        "ARR": [],
        "BARR":
          [{
             "HTL": "656756#",
             "INTEGER": -689,
             "Fantastic": true
           },
           {
             "HTL": "656756#",
             "INTEGER": -689,
             "Fantastic": false
           }],
        "ID": "ihqQONXvN5_LnmdAG7YU",
        "STRINGS": ["One","Two","Three"],
        "Intra": 78,
        "EnvelopedSignature":
          {
            "SignatureInfo":
              {
                "Algorithm": "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
                "Reference":
                  {
                    "Name": "ID",
                    "Value": "ihqQONXvN5_LnmdAG7YU"
                  },
                "KeyInfo":
                  {
                    "PublicKey":
                      {
                        "EC":
                          {
                            "NamedCurve": "http://xmlns.webpki.org/sks/algorithm#ec.p256",
                            "X": "lNxNvAUEE8t7DSQBft93LVSXxKCiVjhbWWfyg023FCk",
                            "Y": "LmTlQxXB3LgZrNLmhOfMaCnDizczC/RfQ6Kx8iNwfFA"
                          }
                      }
                  }
              },
            "SignatureValue": "MEUCIEhZtArhp8O7d1n7SRWRQcs3qePGBCrnKY8x2O3o+nvPAiEA0On5hez2EHmEwJIm/UK7GxqZeWWcaFzK9OVAhygAWVk"
          }
      }
  }

Why bother with this you may wonder?  Well I can't imagine converting the previous cool stuff to something yucky like JOSE's JWS:

{
"message": "eyJ0eXAiOibGciOiJIUzI1NiJ9.LmNvbS9pc19yb290Ijp0cnVlfQ.2K27uhbUJU1p1r_wW1gFWFOEjXk"
}

Canonicalization (=removal of whitespace):

"MyLittleSignature":{"Version":"http://example.com/signature","Now":"2013-08-25T20:31:23+02:00","HRT":{"RTl":"67","YT":{"HTL":"656756#","INTEGER":-689,"Fantastic":false},"er":"33"},"ARR":[],"BARR":[{"HTL":"656756#","INTEGER":-689,"Fantastic":true},{"HTL":"656756#","INTEGER":-689,"Fantastic":false}],"ID":"ihqQONXvN5_LnmdAG7YU","STRINGS":["One","Two","Three"],"Intra":78,"EnvelopedSignature":{"SignatureInfo":{"Algorithm":"http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256","Reference":{"Name":"ID","Value":"ihqQONXvN5_LnmdAG7YU"},"KeyInfo":{"PublicKey":{"EC":{"NamedCurve":"http://xmlns.webpki.org/sks/algorithm#ec.p256","X":"lNxNvAUEE8t7DSQBft93LVSXxKCiVjhbWWfyg023FCk"," Y":"LmTlQxXB3LgZrNLmhOfMaCnDizczC/RfQ6Kx8iNwfFA"}}}}

Cheers,
Anders
Received on Monday, 26 August 2013 08:56:13 UTC