Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Determine if CBOR map key sort order setting should be updated because RFC 9052 obsoleted RFC 8152 #110

Closed
fxamacker opened this issue Oct 9, 2022 · 4 comments · Fixed by #113
Closed

Determine if CBOR map key sort order setting should be updated because RFC 9052 obsoleted RFC 8152 #110

fxamacker opened this issue Oct 9, 2022 · 4 comments · Fixed by #113
Assignees
@qmuntal @thomas-fossati @yogeshbdeshpande @shizhMSFT @roywill

Comments

@fxamacker
Copy link
Contributor

fxamacker commented Oct 9, 2022
edited
Loading

I used cbor.SortCanonical setting in mozilla-services/go-cose before RFC 8949 (CBOR) and RFC 9052 (COSE) were published. More recently,

  • RFC 8949 (CBOR) obsoleted RFC 7049 (CBOR).
  • RFC 9052 (COSE) obsoleted RFC 8152 (COSE).

RFC 8152 required Canonical encoding from RFC 7049, which uses length-first sort order for map keys.

RFC 9052 specifies, "The new encoding restrictions are aligned with the Core Deterministic Encoding Requirement" from RFC 8949. Additionally, the narrowed down requirements in RFC 9052 doesn't mention the old length-first sort order.

RFC 8949 specifies Core Deterministic Encoding Requirements with a newer sort order for map keys (bytewise lexicographic order of deterministic encoding).

RFC 8949 refers to the length-first-ordered version of "Canonical CBOR" specified in RFC 7049 as "Old Canonical CBOR".

Given this, go-cose can:

  • Use the newer sort order defined in RFC 8949 (CBOR) for Core Deterministic Encoding Requirements, or
  • Continue using length-first sort order from obsoleted RFC 7049, or
  • Maybe not sort map keys (for faster encoding speed at the cost of deterministic encoding).

For example, go-cose can specify cbor.SortCoreDeterministic here for map keys:

go-cose/cbor.go

Lines 30 to 33 in ac30917

encOpts := cbor.EncOptions{
Sort: cbor.SortCanonical, // sort map keys
IndefLength: cbor.IndefLengthForbidden, // no streaming
}

Just wanted to provide some context (not a recommendation to choose a specific sort).
@qmuntal
Copy link
Contributor

qmuntal commented Oct 10, 2022

Thanks for the heads up @fxamacker. I don't recall having discussed this topic with the go-cose team, we should take a conscious decision before cutting a new release.

@cabo
Copy link

cabo commented Oct 10, 2022

COSE does not rely on deterministic (was: canonical) encoding for maps. So moving to RFC 8949's deterministic encoding should not make a difference. Or not deterministically encoding, for that matter. You do need to keep to deterministic encoding for length encoding, but any reasonable CBOR library does that already.

@fxamacker
Copy link
Contributor Author

I agree with Carsten about COSE requirements for encoding maps. 👍

There are 3 choices and a tradeoff as mentioned in the issue. Since deterministic encoding can simplify testing, fuzzing, and troubleshooting, it would be helpful to know if the cost of sorting map keys, etc. outweighs those benefits for go-cose.

@yogeshbdeshpande
Copy link
Contributor

@qmuntal: @shizhMSFT We agreed to change the Encode Option to cbor.SortCoreDeterministic
@qmuntal to modify and test the change!

@qmuntal qmuntal mentioned this issue Nov 4, 2022
Merged
@yogeshbdeshpande yogeshbdeshpande mentioned this issue Nov 4, 2022
Closed
4 tasks
@shizhMSFT shizhMSFT mentioned this issue Nov 4, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@qmuntal qmuntal

@thomas-fossati thomas-fossati

@yogeshbdeshpande yogeshbdeshpande

@shizhMSFT shizhMSFT

@roywill roywill

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Use cbor.SortCoreDeterministic for CBOR encoding qmuntal/go-cose
7 participants
@cabo @qmuntal @thomas-fossati @yogeshbdeshpande @shizhMSFT @fxamacker @roywill