Request - JavaScript Compatible Number Canonicalization
Anders Rundgren
anders.rundgren.net at gmail.com
Sat Aug 5 05:42:45 UTC 2017
This may not sound like a security related issue but it actually is...
Although entirely uncoordinated, there are several "standards" in the workings based on creating JSON-based clear text alternatives to IETF's JWS signature scheme (which encodes data in Base64Url).
All of these schemes share a common and quite intricate interoperability issue, namely serialization of the JSON "Number" type.
Fortunately, ECMA who defines JavaScript have defined a strict format which is already implemented in Node.js (V8), Chrome, Firefox, and Safari.
I would therefore propose that the Double object (Number are always stored as double) is augmented with an additional method like toJsonNotation().
I'm currently relying on code that was featured in a previous version of JDK (Rhino):
https://github.com/cyberphone/openkeystore/blob/master/library/src/org/webpki/json/JSONObjectWriter.java#L188
Newer versions of JDK use another JS engine which produces non-compliant strings :-(
WDYT?
Anders
https://cyberphone.github.io/doc/security/jsonsignatures.html
More information about the security-dev
mailing list