Skip to content

Commit

Permalink
fix JSON canonicalisation (see theupdateframework#246)
Browse files Browse the repository at this point in the history
toby-jn committed Apr 13, 2022

Unverified

This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
1 parent 5b81b7e commit d92cf6a
Showing 3 changed files with 26 additions and 21 deletions.
16 changes: 2 additions & 14 deletions repo.go
Original file line number Diff line number Diff line change
@@ -11,7 +11,6 @@ import (
"strings"
"time"

"github.com/secure-systems-lab/go-securesystemslib/cjson"
"github.com/theupdateframework/go-tuf/data"
"github.com/theupdateframework/go-tuf/internal/roles"
"github.com/theupdateframework/go-tuf/internal/signer"
@@ -485,21 +484,10 @@ func (r *Repo) RevokeKeyWithExpires(keyRole, id string, expires time.Time) error
}

func (r *Repo) jsonMarshal(v interface{}) ([]byte, error) {
b, err := cjson.EncodeCanonical(v)
if err != nil {
return []byte{}, err
}

if r.prefix == "" && r.indent == "" {
return b, nil
return json.Marshal(v)
}

var out bytes.Buffer
if err := json.Indent(&out, b, r.prefix, r.indent); err != nil {
return []byte{}, err
}

return out.Bytes(), nil
return json.MarshalIndent(v, r.prefix, r.indent)
}

func (r *Repo) setTopLevelMeta(roleFilename string, meta interface{}) error {
20 changes: 15 additions & 5 deletions repo_test.go
Original file line number Diff line number Diff line change
@@ -1692,7 +1692,9 @@ func (rs *RepoSuite) TestAddOrUpdateSignatures(c *C) {
// generate signatures externally and append
rootMeta, err := r.SignedMeta("root.json")
c.Assert(err, IsNil)
rootSig, err := rootKey.SignMessage(rootMeta.Signed)
rootCanonical, err := cjson.EncodeCanonical(rootMeta.Signed)
c.Assert(err, IsNil)
rootSig, err := rootKey.SignMessage(rootCanonical)
c.Assert(err, IsNil)
for _, id := range rootKey.PublicData().IDs() {
c.Assert(r.AddOrUpdateSignature("root.json", data.Signature{
@@ -1704,7 +1706,9 @@ func (rs *RepoSuite) TestAddOrUpdateSignatures(c *C) {
c.Assert(r.AddTarget("foo.txt", nil), IsNil)
targetsMeta, err := r.SignedMeta("targets.json")
c.Assert(err, IsNil)
targetsSig, err := targetsKey.SignMessage(targetsMeta.Signed)
targetsCanonical, err := cjson.EncodeCanonical(targetsMeta.Signed)
c.Assert(err, IsNil)
targetsSig, err := targetsKey.SignMessage(targetsCanonical)
c.Assert(err, IsNil)
for _, id := range targetsKey.PublicData().IDs() {
r.AddOrUpdateSignature("targets.json", data.Signature{
@@ -1716,7 +1720,9 @@ func (rs *RepoSuite) TestAddOrUpdateSignatures(c *C) {
c.Assert(r.Snapshot(), IsNil)
snapshotMeta, err := r.SignedMeta("snapshot.json")
c.Assert(err, IsNil)
snapshotSig, err := snapshotKey.SignMessage(snapshotMeta.Signed)
snapshotCanonical, err := cjson.EncodeCanonical(snapshotMeta.Signed)
c.Assert(err, IsNil)
snapshotSig, err := snapshotKey.SignMessage(snapshotCanonical)
c.Assert(err, IsNil)
for _, id := range snapshotKey.PublicData().IDs() {
r.AddOrUpdateSignature("snapshot.json", data.Signature{
@@ -1727,7 +1733,9 @@ func (rs *RepoSuite) TestAddOrUpdateSignatures(c *C) {
c.Assert(r.Timestamp(), IsNil)
timestampMeta, err := r.SignedMeta("timestamp.json")
c.Assert(err, IsNil)
timestampSig, err := timestampKey.SignMessage(timestampMeta.Signed)
timestampCanonical, err := cjson.EncodeCanonical(timestampMeta.Signed)
c.Assert(err, IsNil)
timestampSig, err := timestampKey.SignMessage(timestampCanonical)
c.Assert(err, IsNil)
for _, id := range timestampKey.PublicData().IDs() {
r.AddOrUpdateSignature("timestamp.json", data.Signature{
@@ -1769,7 +1777,9 @@ func (rs *RepoSuite) TestBadAddOrUpdateSignatures(c *C) {
// add a signature with a bad role
rootMeta, err := r.SignedMeta("root.json")
c.Assert(err, IsNil)
rootSig, err := rootKey.Sign(rand.Reader, rootMeta.Signed, crypto.Hash(0))
rootCanonical, err := cjson.EncodeCanonical(rootMeta.Signed)
c.Assert(err, IsNil)
rootSig, err := rootKey.Sign(rand.Reader, rootCanonical, crypto.Hash(0))
c.Assert(err, IsNil)
for _, id := range rootKey.PublicData().IDs() {
c.Assert(r.AddOrUpdateSignature("invalid_root.json", data.Signature{
11 changes: 9 additions & 2 deletions sign/sign.go
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
package sign

import (
"encoding/json"

"github.com/secure-systems-lab/go-securesystemslib/cjson"
"github.com/theupdateframework/go-tuf/data"
"github.com/theupdateframework/go-tuf/pkg/keys"
@@ -22,7 +24,12 @@ func Sign(s *data.Signed, k keys.Signer) error {
}
}

sig, err := k.SignMessage(s.Signed)
canonical, err := cjson.EncodeCanonical(s.Signed)
if err != nil {
return err
}

sig, err := k.SignMessage(canonical)
if err != nil {
return err
}
@@ -39,7 +46,7 @@ func Sign(s *data.Signed, k keys.Signer) error {
}

func Marshal(v interface{}, keys ...keys.Signer) (*data.Signed, error) {
b, err := cjson.EncodeCanonical(v)
b, err := json.Marshal(v)
if err != nil {
return nil, err
}

0 comments on commit d92cf6a

Please sign in to comment.