mozilla-services / go-cose

go library for CBOR Object Signing and Encryption (COSE)
Mozilla Public License 2.0

Replace ugorji/go with fxamacker/cbor to improve security #64

Closed by fxamacker 4 years ago

fxamacker commented 4 years ago

Replaced ugorji/go with fxamacker/cbor without changing go-cose API.

Also, this PR improves performance and memory usage for encoding and decoding SignMessage.

Using ugorji/go library:

BenchmarkDecodeCOSE-2         6362 ns/op        3843 B/op         62 allocs/op
BenchmarkEncodeCOSE-2         4717 ns/op        4816 B/op         57 allocs/op

Using fxamacker/cbor/v2 library:

BenchmarkDecodeCOSE-2         4319 ns/op        2328 B/op         39 allocs/op
BenchmarkEncodeCOSE-2         3480 ns/op        2275 B/op         26 allocs/op

Benchmarks use RFC 8152 Appendix C.1.1 data.

Closes #62

x448 commented 4 years ago

Why are you using an unreleased version of fxamacker/cbor? Was it fuzz tested?

I know the answer but how would anyone else know unless you tell them?

fxamacker commented 4 years ago

@x448 I needed to add features to fxamacker/cbor to make changes to go-cose smaller. Each commit was fuzz-tested using 1500+ corpus files.

Fuzzing duration for a new release is much longer. Fuzzing for release 2.2 was 300+ hours. I'm waiting for additional features to make a 2.3 release worth the fuzzing overhead.

fxamacker commented 4 years ago

@g-k I'm not sure why CI checks appear to be stuck.

Please let me know if you need any changes. Thanks!

g-k commented 4 years ago

Awesome! I'll take a look tomorrow.