Closed naveensrinivasan closed 2 years ago
Are there better alternatives? https://github.com/gibson042/canonicaljson-go also doesn't seem active
Right: to me, a project doesn't necessarily need to be active to remain secure. Having said that, it does look like go-tuf and go-in-toto may need to maintain their own canonicalization library in go-securesystemslib @adityasaky @lukpueh
> Right: to me, a project doesn't necessarily need to be active to remain secure.
The project doesn't get updates on its dependencies, which is a red flag. How does the project handle zero-days when the project isn't active and there is no one to respond or take care of them?
Hmm, I just looked at what in-toto-golang uses, and it looks like @lukpueh ported encode_canonical from python-sslib here: https://github.com/in-toto/in-toto-golang/blob/master/in_toto/canonicaljson.go. I propose creating a go-sslib/cjson package and moving this there. I also found https://github.com/in-toto/in-toto-golang/pull/47 where re-using this in other implementations was discussed.
> Hmm, I just looked at what in-toto-golang uses, and it looks like @lukpueh ported encode_canonical from python-sslib here: https://github.com/in-toto/in-toto-golang/blob/master/in_toto/canonicaljson.go. I propose creating a go-sslib/cjson package and moving this there. I also found in-toto/in-toto-golang#47 where re-using this in other implementations was discussed.
Naveen, this seems like the best course of action. Perhaps you can help us with this?
Sorry, I don't have the bandwidth. One recommendation: I would recommend fuzzing that package especially.
> Sorry, I don't have the bandwidth. One recommendation: I would recommend fuzzing that package especially.
While fuzzing is important, I think it would take about the same effort to correctly set it up as to move to our own canonicalization code.
This project is archived and hasn't been updated in the last 9 years. This is a risk.
JSON parsing and marshaling is hard and could have potential issues. https://github.com/theupdateframework/go-tuf/blob/52193a283c302acaeb39bf8045292815abc568c6/sign/sign.go#L4
https://github.com/tent/canonical-json-go
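As an added example, not code from go-tuf, in-toto-golang, securesystemslib or tent/canonical-json-go, the block below implements the OLPC canonical JSON rules that TUF and in-toto sign over (the behaviour the ported encode_canonical provides) together with the round-trip property a fuzz target would check, which is the fuzzing the thread recommends for that package. The function names (`Decode`, `EncodeCanonical`, `CheckCanonical`, `quote`, `wrap`) and the sample inputs are mine; rejecting non-integer numbers instead of rounding them is a choice made here so that two signers can never produce different bytes for the same document.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Decode parses JSON into the generic tree the encoder expects, keeping numbers
// as json.Number so "1.0" or "1e3" are not silently turned into float64.
func Decode(data []byte) (interface{}, error) {
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.UseNumber()
	var v interface{}
	if err := dec.Decode(&v); err != nil {
		return nil, err
	}
	return v, nil
}

// EncodeCanonical renders a decoded value as OLPC canonical JSON, the form TUF
// and in-toto sign over: keys sorted bytewise, no whitespace, only '"' and '\'
// escaped in strings, integers only (non-integer numbers are rejected here).
func EncodeCanonical(v interface{}) ([]byte, error) {
	switch t := v.(type) {
	case nil, bool:
		return json.Marshal(t) // "null", "true" or "false"
	case string:
		return quote(t), nil
	case json.Number:
		if _, err := strconv.ParseInt(string(t), 10, 64); err != nil {
			return nil, fmt.Errorf("canonical JSON: non-integer number %q", t)
		}
		return []byte(t), nil
	case []interface{}:
		parts := make([][]byte, 0, len(t))
		for _, e := range t {
			p, err := EncodeCanonical(e)
			if err != nil {
				return nil, err
			}
			parts = append(parts, p)
		}
		return wrap('[', parts, ']'), nil
	case map[string]interface{}:
		keys := make([]string, 0, len(t))
		for k := range t {
			keys = append(keys, k)
		}
		sort.Strings(keys) // bytewise order, as the format requires
		parts := make([][]byte, 0, len(t))
		for _, k := range keys {
			p, err := EncodeCanonical(t[k])
			if err != nil {
				return nil, err
			}
			parts = append(parts, append(append(quote(k), ':'), p...))
		}
		return wrap('{', parts, '}'), nil
	}
	return nil, fmt.Errorf("canonical JSON: unsupported type %T", v)
}

func wrap(open byte, parts [][]byte, cl byte) []byte {
	return append(append([]byte{open}, bytes.Join(parts, []byte(","))...), cl)
}

// quote applies the canonical string rule: escape only '"' and '\'. Control
// characters pass through raw, so the output is not always valid JSON for a
// strict parser such as encoding/json (CheckCanonical surfaces this).
var escaper = strings.NewReplacer(`\`, `\\`, `"`, `\"`)
func quote(s string) []byte { return []byte(`"` + escaper.Replace(s) + `"`) }

// CheckCanonical is the property a Go fuzz target would assert on every input:
// if the input parses and canonicalizes, the canonical bytes must re-parse to
// the same tree and be a fixed point of the encoder.
func CheckCanonical(data []byte) error {
	v, err := Decode(data)
	if err != nil {
		return nil // not JSON at all: uninteresting input
	}
	first, err := EncodeCanonical(v)
	if err != nil {
		return nil // rejected by design, e.g. a non-integer number
	}
	v2, err := Decode(first)
	if err != nil {
		return fmt.Errorf("canonical output does not re-parse: %v", err)
	}
	if second, err := EncodeCanonical(v2); err != nil || !bytes.Equal(first, second) {
		return fmt.Errorf("not a fixed point: %q vs %q (%v)", first, second, err)
	}
	return nil
}

func main() {
	// Constructed sample: unsorted keys and stray whitespace, then the control-character case.
	v, _ := Decode([]byte(` {"signed" : {"version": 2, "_type": "root"}, "signatures": []} `))
	out, _ := EncodeCanonical(v)
	fmt.Println(string(out), CheckCanonical([]byte(`"line1\nline2"`)))
}
```

`CheckCanonical` returns an error for the input `"line1\nline2"`: the canonical string rule copies the raw newline through, and encoding/json refuses raw control characters inside string literals, so the canonical bytes no longer parse. That is a property of the format rather than a bug in this encoder, but it is exactly the kind of case a fuzzer turns up and that any code re-parsing canonical bytes produced by another library has to decide how to handle. A real target would wrap the check as `func FuzzCanonical(f *testing.F)` and call `f.Fuzz(func(t *testing.T, data []byte) { if err := CheckCanonical(data); err != nil { t.Fatal(err) } })`, seeding the corpus with real root/targets metadata.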