- From: Johan Verrept via GitHub <sysbot+gh@w3.org>
- Date: Tue, 12 Sep 2017 08:14:31 +0000
- To: public-webauthn@w3.org
@selfissued Validating canonical CBOR and handling non-canonical CBOR are of a different order altogether. For example, when comparing map keys in canonical CBOR, I can rely on them being a single, fixed length string (ie, use strncmp straight form the input buffer). Validating that the tag is fixed length is essentially free because I have to parse the tag and check the length anyway. If I have to handle normal CBOR, I would have to extract the string into a separate buffer because they are allowed to be indefinite length strings with multiple parts. (key "alg" can be 63616C67, 7F62616C6167FF, 7F6161616C6167FF,... ). Although it would be 15 minutes of fun to write a strncmp routine that can handle indefinite length CBOR strings straight from the input buffer, the complexity is not desirable. As for testing, if you want to test for normal cbor, you would need to test every field in both fixed and indefinite length versions, preferably with a few different segmentations. -- GitHub Notification of comment by jovasco Please view or discuss this issue at https://github.com/w3c/webauthn/issues/455#issuecomment-328777074 using your GitHub account
Received on Tuesday, 12 September 2017 08:14:24 UTC