Signed JavaScript/JSON

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Signed JavaScript/JSON

Anders Rundgren-2
The samples below should be comparable with respect to securing the integrity of the payload and the signature parameters, but they obviously differ a lot in the way they get the work done.

JCS was developed to match information-rich, multi-signature schemes like
https://www.w3.org/Payments/IG/wiki/Main_Page/ProposalsQ42015/SCAI#The_SCAI_line
and similar.  JCS has recently been upgraded to match ECMAScript revision 6.


JSON Cleartext Signature (JCS): https://cyberphone.github.io/openkeystore/resources/docs/jcs.html#ECMAScript_Compatibility_Mode

var signedObject = {
      // The data
      statement: "Hello signed world!",
      otherProperties: [2000, true],
      // The signature
      signature: {
          algorithm: "ES256",
          publicKey: {
              type: "EC",
              curve: "P-256",
              x: "vlYxD4dtFJOp1_8_QUcieWCW-4KrLMmFL2rpkY1bQDs",
              y: "fxEF70yJenP3SPHM9hv-EnvhG6nXr3_S-fDqoj-F6yM"
          },
          value: "2H__TkcV28QpGWPkyVbR1CW0I8L4xARrVGL0LjOeHJLOPozdzRqCTyYfmAippJXqdzgNAonnFPVCSI5A6novMQ"
      }
};


JSON Web Signature (JWS): https://tools.ietf.org/rfc/rfc7515.txt

var signedObject = {
      "payload": "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ",
      "protected": "eyJhbGciOiJFUzI1NiJ9",
      "signature": "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8IS lSApmWQxfKTUJqPP3-Kg6NU1Q"
};



Anders

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Signed JavaScript/JSON

Andreas Schwier (ML)
Interesting.

But how does this approach address the issue of a canonical format for
the signature input ?

If you use different JSON encoders generating valid, but different JSON
textual presentations (e.g. different white-space), then signature
validation will fail. I would have expected that white-space is
eliminated during canonicalization, but don't see that in the code sample.

It's the same issue as in XML Signatures and the transformation in a
canonical XML format before hashing.

Andreas

On 01/14/2016 10:41 AM, Anders Rundgren wrote:

> The samples below should be comparable with respect to securing the integrity of the payload and the signature parameters, but they obviously differ a lot in the way they get the work done.
>
> JCS was developed to match information-rich, multi-signature schemes like
> https://www.w3.org/Payments/IG/wiki/Main_Page/ProposalsQ42015/SCAI#The_SCAI_line
> and similar.  JCS has recently been upgraded to match ECMAScript revision 6.
>
>
> JSON Cleartext Signature (JCS): https://cyberphone.github.io/openkeystore/resources/docs/jcs.html#ECMAScript_Compatibility_Mode
>
> var signedObject = {
>       // The data
>       statement: "Hello signed world!",
>       otherProperties: [2000, true],
>       // The signature
>       signature: {
>           algorithm: "ES256",
>           publicKey: {
>               type: "EC",
>               curve: "P-256",
>               x: "vlYxD4dtFJOp1_8_QUcieWCW-4KrLMmFL2rpkY1bQDs",
>               y: "fxEF70yJenP3SPHM9hv-EnvhG6nXr3_S-fDqoj-F6yM"
>           },
>           value: "2H__TkcV28QpGWPkyVbR1CW0I8L4xARrVGL0LjOeHJLOPozdzRqCTyYfmAippJXqdzgNAonnFPVCSI5A6novMQ"
>       }
> };
>
>
> JSON Web Signature (JWS): https://tools.ietf.org/rfc/rfc7515.txt
>
> var signedObject = {
>       "payload": "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ",
>       "protected": "eyJhbGciOiJFUzI1NiJ9",
>       "signature": "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8IS lSApmWQxfKTUJqPP3-Kg6NU1Q"
> };
>
>
>
> Anders
>
> ------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
> _______________________________________________
> Opensc-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>


--

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Sch├╝lerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org
                 http://www.smartcard-hsm.com


------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Signed JavaScript/JSON

Anders Rundgren-2
On 2016-01-14 11:29, Andreas Schwier wrote:
> Interesting.

Hi Andreas,

> But how does this approach address the issue of a canonical format for
> the signature input ?

The described approach does not depend on a canonical JSON representation but
on a normalized ditto which is what ECMAScript (using the specified constraints)
does automatically.


> If you use different JSON encoders generating valid, but different JSON
> textual presentations (e.g. different white-space), then signature
> validation will fail. I would have expected that white-space is
> eliminated during canonicalization, but don't see that in the code sample.

White-space is ignored by ECMAScript which means that other systems MUST
also do that in order to utilize this scheme.

Relying on the number algorithms featured in
https://developers.google.com/v8/ may appear slightly "hacky" but OTOH
there are already tons of systems out there building on this platform
including https://nodejs.org/en/ so it is about as "standard" you can get.


> It's the same issue as in XML Signatures and the transformation in a
> canonical XML format before hashing.

I believe there is 1 to 25 difference in complexity.

Anders

>
> Andreas
>
> On 01/14/2016 10:41 AM, Anders Rundgren wrote:
>> The samples below should be comparable with respect to securing the integrity of the payload and the signature parameters, but they obviously differ a lot in the way they get the work done.
>>
>> JCS was developed to match information-rich, multi-signature schemes like
>> https://www.w3.org/Payments/IG/wiki/Main_Page/ProposalsQ42015/SCAI#The_SCAI_line
>> and similar.  JCS has recently been upgraded to match ECMAScript revision 6.
>>
>>
>> JSON Cleartext Signature (JCS): https://cyberphone.github.io/openkeystore/resources/docs/jcs.html#ECMAScript_Compatibility_Mode
>>
>> var signedObject = {
>>        // The data
>>        statement: "Hello signed world!",
>>        otherProperties: [2000, true],
>>        // The signature
>>        signature: {
>>            algorithm: "ES256",
>>            publicKey: {
>>                type: "EC",
>>                curve: "P-256",
>>                x: "vlYxD4dtFJOp1_8_QUcieWCW-4KrLMmFL2rpkY1bQDs",
>>                y: "fxEF70yJenP3SPHM9hv-EnvhG6nXr3_S-fDqoj-F6yM"
>>            },
>>            value: "2H__TkcV28QpGWPkyVbR1CW0I8L4xARrVGL0LjOeHJLOPozdzRqCTyYfmAippJXqdzgNAonnFPVCSI5A6novMQ"
>>        }
>> };
>>
>>
>> JSON Web Signature (JWS): https://tools.ietf.org/rfc/rfc7515.txt
>>
>> var signedObject = {
>>        "payload": "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ",
>>        "protected": "eyJhbGciOiJFUzI1NiJ9",
>>        "signature": "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8IS lSApmWQxfKTUJqPP3-Kg6NU1Q"
>> };
>>
>>
>>
>> Anders
>>
>> ------------------------------------------------------------------------------
>> Site24x7 APM Insight: Get Deep Visibility into Application Performance
>> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
>> Monitor end-to-end web transactions and take corrective actions now
>> Troubleshoot faster and improve end-user experience. Signup Now!
>> http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
>> _______________________________________________
>> Opensc-devel mailing list
>> [hidden email]
>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>>
>
>


------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel