- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Wed, 03 Dec 2014 06:21:24 +0100
- To: Manu Sporny <msporny@digitalbazaar.com>, "David I. Lehn" <dil@lehn.org>
- CC: Richard Barnes <rlb@ipv.sx>, W3C Credentials Community Group <public-credentials@w3.org>
Hi Manu,

Other people out on a limb...
http://stackoverflow.com/questions/8931967/is-there-a-deterministic-equivalent-of-json-stringify

The problem you found doesn't really have anything to do with JSON parsers but how (apparently most) JavaScript engines store and sort dictionary data internally.

It does mean that you may have to supply your own parser occasionally. For browsers there are several including one of my own design which does a lot of things you may want like verifying that you haven't read a specific property which probably means that either the sender supplied something it shouldn't or you got a bug in your decoder.

But anyway, thank you for finding the problem!

Anders

On 2014-12-03 02:53, Manu Sporny wrote:
> On 12/02/2014 03:53 PM, Anders Rundgren wrote:
>> On https://mobilepki.org/jcs you can test my take on the JSON clear
>> text signature concept, JCS.
>
> I got the JCS algorithm to fail in 5 minutes :), read on to find out how:
>
> Try this out:
>
> JSON.stringify({"foo":"bar", "3": "three", "2":"two", "1": "one"});
>
> You get this in Chromium 34, Firefox Nightly, and IE 11:
>
> {"1":"one","2":"two","3":"three","foo":"bar"}
>
> and this in Python2, Python3 (if you do it the right way and use
> OrderedDict):
>
> >>> json.dumps(json.JSONDecoder(object_pairs_hook=collections.OrderedDict).decode("""{"foo":"bar", "3": "three", "2":"two", "1": "one"}"""))
>
> {"foo": "bar", "3": "three", "2": "two", "1": "one"}
>
>> Only a bad programmer would design a parser so it would output data
>> in a different order than it was supplied in
>
> Your claim that input order is preserved in browser implementations is
> false. :)
>
> Thus, any JSON Cleartext Signature that contains a number as a key will
> fail to be created/verified between at least those programming
> environments. I didn't check other programming environments like PHP5,
> which I expect would be a horror show and only further underscore the issue.
>
> -- manu
>
Received on Wednesday, 3 December 2014 05:22:00 UTC
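
The ordering mismatch discussed in this thread, as an added example that is not code from either poster or from JCS: it re-serializes the object from Manu's test in a JavaScript engine, then applies a sorted-key serializer in the spirit of the linked Stack Overflow question. The names `roundTrip`, `orderPreserved` and `canonicalize` are hypothetical, and sorting keys is an assumption about one workable fix, not how JCS is specified.

```javascript
// Constructed input: the object from the thread, in the order the sender wrote it
// (the order the Python OrderedDict round trip keeps).
const senderText = '{"foo":"bar","3":"three","2":"two","1":"one"}';

// What a receiver gets when it parses and re-serializes in a JavaScript engine.
// Integer-like keys are moved to the front in ascending numeric order; other
// string keys keep insertion order.
function roundTrip(text) {
  return JSON.stringify(JSON.parse(text));
}

// A signature scheme that relies on "output order == input order" only works
// if this returns true for every message it will ever carry.
function orderPreserved(text) {
  return roundTrip(text) === text;
}

// Deterministic serializer for values produced by JSON.parse: keys are sorted
// by UTF-16 code unit at every nesting level, so the byte string to be signed
// no longer depends on how the engine stores properties.
function canonicalize(value) {
  if (value === null || typeof value !== 'object') {
    return JSON.stringify(value);
  }
  if (Array.isArray(value)) {
    return '[' + value.map(canonicalize).join(',') + ']';
  }
  const members = Object.keys(value).sort().map(
    (key) => JSON.stringify(key) + ':' + canonicalize(value[key])
  );
  return '{' + members.join(',') + '}';
}

// The bytes differ after a plain round trip, so a signature over senderText
// would not verify against the re-serialized form.
console.log(senderText);
console.log(roundTrip(senderText));
console.log('order preserved:', orderPreserved(senderText));

// Both sides agree once they sign and verify the canonical form instead.
const signerView = canonicalize(JSON.parse(senderText));
const verifierView = canonicalize(JSON.parse(roundTrip(senderText)));
console.log('canonical forms match:', signerView === verifierView);
```

A message with only non-numeric keys passes `orderPreserved`, which is why the problem stays hidden until a key such as `"3"` appears.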