On-line Demo/Test of JSON Clear Text Signatures

https://mobilepki.org/jcs/home

Enjoy!

Canonicalization

Precondition: Valid JSON data as described on http://www.json.org has been received.

Restriction: The only permitted (and required) escape sequences are \\ and \" because JSON supplied as a part of a web-page must anyway be escaped according to web-rules, while JSON supplied through HTTP etc. only needs to be parsable.

Another reason for this somewhat radical step is that the JSON world appears to be severely divided on escape sequences in general:
http://stackoverflow.com/questions/6011012/making-json-not-escape-forward-slashes.

The canonicalization steps are as follows:
- Whitespace is removed which in practical terms means removal of all characters outside of quoted strings having a value <= ASCII space
- Properties are sorted in lexical UNICODE order using their unescaped form.  Zero-length properties are not allowed
- The JSON object associated with the Signature is recreated using the actual textual data.  Rationale: Numbers are ambiguously defined in JSON which means that encoding and decoding most likely will differ among JSON implementations.  There is another, more subtle issue as well.  If a sender for example assigns a large number such as 0.99999999999999999999 to a JSON property there is a possibility that a receiver due to limitations in arithmetic precision rather interprets it as 1.0.  To cope with these potential problems, a compliant parser must preserve the original textual representation internally in order to perform proper canonicalization

Anders

Received on Saturday, 7 September 2013 11:08:11 UTC
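
The canonicalization steps listed in the message above, as an added Python example; it is not code from the original post or from the JCS implementation. It assumes the input has already passed a JSON validator (the post's precondition), that nested objects are sorted recursively, and that "lexical UNICODE order" means code point order; the function names and the sample are constructed for illustration.

```python
import re

# Constructed sample: unsorted names, whitespace, and the number from the post.
SAMPLE = r'{ "b": 0.99999999999999999999, "a": [1.0, 1e2, true], "c\"x": {"z": null, "y": "a b"} }'

# One token after optional whitespace (any character <= ASCII space). Strings
# may hold only the escapes \\ and \"; numbers stay text, never floats.
_TOKEN = re.compile(
    r'[\x00- ]*("(?:[^"\\]|\\["\\])*"'
    r'|-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?|true|false|null|[{}\[\]:,]|\Z)')

def _tokens(text):
    pos = 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad token or forbidden escape at offset {pos}")
        pos = m.end()
        if m.group(1):
            yield m.group(1)

def _value(toks):
    tok = toks.pop()
    if tok == "{":
        members = []
        while toks[-1] != "}":
            name, colon = toks.pop(), toks.pop()
            if len(name) < 3 or name[0] != '"' or colon != ":":
                raise ValueError(f"bad or zero-length property name: {name}")
            key = re.sub(r'\\(.)', r'\1', name[1:-1])
            members.append((key, name + ":" + _value(toks)))
            if toks[-1] == ",":
                toks.pop()
        toks.pop()
        # Sort on the unescaped names; assumption: code point order.
        members.sort(key=lambda m: m[0])
        return "{" + ",".join(text for _, text in members) + "}"
    if tok == "[":
        items = []
        while toks[-1] != "]":
            items.append(_value(toks))
            if toks[-1] == ",":
                toks.pop()
        toks.pop()
        return "[" + ",".join(items) + "]"
    return tok

def canonicalize(text):
    # Assumes text already passed a JSON validator (the post's precondition).
    return _value(list(_tokens(text))[::-1])
```

For comparison, round-tripping the same number through Python's `json.loads` and `json.dumps` emits `1.0`, which is the mismatch the third step is meant to prevent.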