IETF Logo Mail Archive

[Json] A Crypto-compliant JSON Implementation

Anders Rundgren <anders.rundgren.net@gmail.com> Wed, 07 October 2015 06:16 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: json@ietfa.amsl.com
Delivered-To: json@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 412681A92E7 for <json@ietfa.amsl.com>; Tue, 6 Oct 2015 23:16:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vNBqbstPrOzZ for <json@ietfa.amsl.com>; Tue, 6 Oct 2015 23:16:35 -0700 (PDT)
Received: from mail-wi0-x236.google.com (mail-wi0-x236.google.com [IPv6:2a00:1450:400c:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 657841ACDE7 for <json@ietf.org>; Tue, 6 Oct 2015 23:16:35 -0700 (PDT)
Received: by wicfx3 with SMTP id fx3so12546257wic.0 for <json@ietf.org>; Tue, 06 Oct 2015 23:16:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=to:from:subject:message-id:date:user-agent:mime-version :content-type:content-transfer-encoding; bh=PX4MynJJNncuf/f1VWM8qm6LTwcfDcMCCXTCAMocdSI=; b=At4egBsj4uObQQOEU2FwJkU9ygFVbZnj5rQ44a14WVbWENnPu0IOWQtUjm7x9VsQ6D xmf7Dlxwq2BqnqqTPd0bTRgo+VSD8kEcOPzctji0powv2Xj5End8z+iFT80Yg4EBck9J njeMBpKMsxcoC7ZbLiYv3tCKVNgPpw6gdd5FOSOK46SGsVmt3F47SSe+PP/gc181Jwl6 d44YuKh7J6hdPaA9iZgmcckgt98Sq7Hdh7wMJqsXyl6ZbNjHXYFhjRE9XDsyBJJq0r0c +1mX7++Qdabo0pzEMEQUZVcR6BimGhIVWeUVdsCjg0IK3myYJRLpj5jJ5oBLyLfXMfyP tWew==
X-Received: by 10.180.102.195 with SMTP id fq3mr22042964wib.7.1444198594019; Tue, 06 Oct 2015 23:16:34 -0700 (PDT)
Received: from [192.168.1.79] (148.198.130.77.rev.sfr.net. [77.130.198.148]) by smtp.googlemail.com with ESMTPSA id i10sm36900170wjz.41.2015.10.06.23.16.32 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 06 Oct 2015 23:16:32 -0700 (PDT)
To: json@ietf.org
From: Anders Rundgren <anders.rundgren.net@gmail.com>
Message-ID: <5614B8B9.2050405@gmail.com>
Date: Wed, 07 Oct 2015 08:16:25 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/json/wfyXZ6mzDwQqVMUw-UT_-L1fhQU>
Subject: [Json] A Crypto-compliant JSON Implementation
X-BeenThere: json@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "JavaScript Object Notation \(JSON\) WG mailing list" <json.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/json>, <mailto:json-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/json/>
List-Post: <mailto:json@ietf.org>
List-Help: <mailto:json-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/json>, <mailto:json-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Oct 2015 06:16:37 -0000

A Crypto-compliant JSON Implementation
==================================

Although maybe not a topic for the IETF, I would anyway like (for those who don't follow the JOSE list) to describe a JSON implementation which enables "Signed JSON".

Didn't the JOSE WG just finished that?  No, the JOSE WG have rather created a set of JSON-flavored and URL-friendly cryptographic containers where the actual data has no relation to JSON ; the data is Base64URL-encoded to be neutral to the content.

Anyway, for me working payment systems and similar where signed JSON messages are wrapped by other signed JSON messages like "Russian dolls", Base64 simply wasn't an option:
http://xmlns.webpki.org/webpay/v1/webpay-card-payment-messages.html#p11

How much did I have to "violate" the JSON specification to accomplish this?  Not a single bit.
What I did was simply parsing properties using LinkedHashMap (to maintain a predictive order) plus a minute fix for numbers keeping the original textual representation in the background for serialization.

This also has the benefit that properties are serialized in the same order as they were created which is a feature often requested by the JSON community at large which isn't too surprising since XML elements, EDI, ASN.1, and plain-text always had this quality.

Anders
https://mobilepki.org/jcs

v2.23.0 | Report a Bug | By Email