[jose] How to "extend" signatures?
Martin Boßlet <martin.bosslet@gmail.com> Tue, 30 July 2013 00:14 UTC
Return-Path: <martin.bosslet@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80C5421F9B6A for <jose@ietfa.amsl.com>; Mon, 29 Jul 2013 17:14:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.3
X-Spam-Level:
X-Spam-Status: No, score=-2.3 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k0IXbH5R+qL6 for <jose@ietfa.amsl.com>; Mon, 29 Jul 2013 17:14:12 -0700 (PDT)
Received: from mail-wi0-x233.google.com (mail-wi0-x233.google.com [IPv6:2a00:1450:400c:c05::233]) by ietfa.amsl.com (Postfix) with ESMTP id 6D5E821F935A for <jose@ietf.org>; Mon, 29 Jul 2013 17:14:12 -0700 (PDT)
Received: by mail-wi0-f179.google.com with SMTP id hr7so2021277wib.6 for <jose@ietf.org>; Mon, 29 Jul 2013 17:14:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=c8kOxs09/RkD9QcjjGh85tvTI/okcDFBJHfNcckdhaM=; b=Fh6Kd4Ja4CH9zW9/JXmsbNdFk5ett0Z5KesmDtY3GfEksa+tz6wN/usXVR4j0kdGUM yzJyEuEkSwKTNkpbQFx0IM0APp89SfWAthrfXxcQMm1y2mJT6ItWyipd+ywDQAnEOi29 6fvW1/Yz10/DYgVdwUi+IA1P+nyjK28/cVD81Ri4ap3OAQffna17I+fpyBnSMAhqDwL9 5XUpZSITNk2eld62vlO3UoDqjQt3MA0mgLLLgMlXyFHnJOl73QodndsZVy2B3/SjDaO+ glDcdy2w9Ia+I+wVthyTIqL/zkPaEdxxvh4nMjnO8XfRWEvdRq1dSIiLFPdRL2S8D7vZ ciog==
MIME-Version: 1.0
X-Received: by 10.194.178.138 with SMTP id cy10mr44695182wjc.61.1375143250245; Mon, 29 Jul 2013 17:14:10 -0700 (PDT)
Received: by 10.216.178.66 with HTTP; Mon, 29 Jul 2013 17:14:10 -0700 (PDT)
Date: Tue, 30 Jul 2013 02:14:10 +0200
Message-ID: <CAFfYYxLx-hqTHV7YF7mKrMGyEGBARTnoKO=GW4WF5Vo0qLY1WA@mail.gmail.com>
From: Martin Boßlet <martin.bosslet@gmail.com>
To: jose@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: [jose] How to "extend" signatures?
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jul 2013 00:18:03 -0000
Hi, is it correct that there is no explicit canonicalization step needed in order to get from a JSON object to a "JSON Text Object" that constitutes the final "JWS payload"? The examples only talk about the UTF-8 representation of JSON objects, but this is not canonical IIRC? I'm asking because this would make "extending" signatures like it is practiced in the CAdES or XAdES standards [e.g. 1] much harder. There, you typically need to reserialize parts of / the entire payload in order to compute digests that will be used in "extension fields". While those extension fields could certainly be embedded in the non-integrity-protected header part of the JWS JSON Serialization format, I'm not sure how to reserialize a JSON object parsed from a signed JSON Text Object in order to reliably produce the same JSON Text object again. This is not a problem with ASN.1 or XML because ASN.1 DER (unlike BER) encoding is canonical by default, and the XML is canonicalized before any digests are computed. In order to serialize a JWS again after having parsed its contents, does this mean I will always have to drag the original JWS encoding along? Or did I overlook something, and there is some canonicalization procedure that would ensure that I arrive at the same encoding again when reserializing a parsed JSON object? Thanks a lot in advance, Martin Boßlet [1] http://www.etsi.org/deliver/etsi_ts%5C101900_101999%5C101903%5C01.04.02_60%5Cts_101903v010402p.pdf
- [jose] How to "extend" signatures? Martin Boßlet