Closed
Why do we need it?
When dealing with data that is signed you want to avoid concatenation attacks, e.g.

```js
value = "Hello" + "Max" // attacker controls the second part
sign(value)

// if you now only have `He` instead of `Hello`, an attacker could use this to forge a signature
value = "He" + "lloMax" // attacker controls the second part
sign(value)
```

The best practice is to canonicalize data so this can't happen, e.g.

```js
const value = canonicalize({ greeting: "Hello", name: "Max" });
sign(value)
```
Why is JSON.stringify not good enough? Because the order of keys in objects might not be the same depending on how you create the object. canonicalize ensures that an object with the identical structure will result in the same string output.
RFC: https://datatracker.ietf.org/doc/html/rfc8259
Implementation
There are a handful of implementations out there. I wonder if it makes sense to inline it to reduce dependencies. Happy to work with an existing one for now if you find one that works with an ESM setup.
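As an added example (not code from the issue author or from this project), the following is a minimal JCS-style canonicalizer in the spirit of RFC 8785: keys sorted by UTF-16 code units, no whitespace, strings and numbers serialized via `JSON.stringify`. The function names `canonicalize`, `naiveMessage`, `canonicalMessage`, `concatenationCollision` and `keyOrderIndependent` are assumptions for this example. It demonstrates both points from the description: the naive concatenation of `"Hello" + "Max"` and `"He" + "lloMax"` yields identical signing input, while the canonical form keeps the field boundaries; and two objects built with different key insertion order stringify differently with `JSON.stringify` but canonicalize identically.

```javascript
// Added example: minimal RFC 8785 (JCS)-style canonicalization.
// Assumption: inputs are plain JSON values (objects, arrays, strings, finite
// numbers, booleans, null). NaN/Infinity become "null" via JSON.stringify,
// and undefined-valued properties are dropped, matching JSON.stringify.
function canonicalize(value) {
  if (value === null || typeof value !== 'object') {
    // Primitives: JSON.stringify gives the JCS string escaping and ES number form.
    return JSON.stringify(value);
  }
  if (Array.isArray(value)) {
    // Arrays keep their order; only object keys are sorted.
    return '[' + value.map(canonicalize).join(',') + ']';
  }
  // Default sort compares strings by UTF-16 code units, as JCS requires.
  const keys = Object.keys(value)
    .filter((k) => value[k] !== undefined)
    .sort();
  return (
    '{' +
    keys.map((k) => JSON.stringify(k) + ':' + canonicalize(value[k])).join(',') +
    '}'
  );
}

// Naive signing input: plain concatenation, no field boundaries.
function naiveMessage(greeting, name) {
  return greeting + name;
}

// Canonical signing input: field names and boundaries are explicit.
function canonicalMessage(greeting, name) {
  return canonicalize({ greeting, name });
}

// Shows the concatenation ambiguity from the issue: the two (greeting, name)
// pairs collide under concatenation but not under canonicalization.
function concatenationCollision() {
  return {
    naiveCollide: naiveMessage('Hello', 'Max') === naiveMessage('He', 'lloMax'),
    canonicalCollide: canonicalMessage('Hello', 'Max') === canonicalMessage('He', 'lloMax'),
  };
}

// Shows why JSON.stringify alone is not enough: key insertion order leaks into
// its output, whereas canonicalize yields the same string for both objects.
function keyOrderIndependent() {
  const a = { greeting: 'Hello', name: 'Max' };
  const b = { name: 'Max' };
  b.greeting = 'Hello'; // same structure, different insertion order
  return {
    stringifyEqual: JSON.stringify(a) === JSON.stringify(b),
    canonicalEqual: canonicalize(a) === canonicalize(b),
  };
}

// Usage:
console.log(canonicalMessage('Hello', 'Max')); // {"greeting":"Hello","name":"Max"}
console.log(concatenationCollision()); // { naiveCollide: true, canonicalCollide: false }
console.log(keyOrderIndependent()); // { stringifyEqual: false, canonicalEqual: true }
```

Whatever `sign()` is used, it should be applied to the UTF-8 bytes of the canonical string, and the verifier must re-canonicalize the received object rather than trusting the sender's string. Note that the example omits the full JCS number-formatting rules for edge cases such as `-0` and large exponents; a production implementation should follow RFC 8785 exactly.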