Skip to content

Fix base64 format for JSON #37

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
kentakayama wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Fix base64 format for JSON #37

kentakayama wants to merge 5 commits into from
+289 −16

Conversation

@kentakayama
Copy link
Contributor

@kentakayama kentakayama commented Nov 21, 2025

EAT basically uses base64-url-text without '=' padding, except for the nonce-type.
However, Go's encoding/json package encodes binary data using standard base64 with padding by default.

This PR resolves that mismatch by ensuring base64url encoding without padding is used where required.

As part of this change, the swid.HashEntry has been replaced with Digest.
The former encodes a hash like [swid.Sha256, h'0000...'] as a string "sha256;AA...=".
In contrast, the new Digest type encodes it as an array [1,"AA..."] where "AA..." is base64url-encoded without padding.

This aligns with the following specifications:

binary-data = JC< base64-url-text, bstr>
base64-url-text = tstr .regexp "[A-Za-z0-9_-]+"

ueid-type = JC<base64-url-text .size (10..44) , bstr .size (7..33)>
hardware-model-type = JC<base64-url-text .size (4..44),
                         bytes .size (1..32)>
$$Claims-Set-Claims //=  (boot-seed-label => binary-data)

bytes-b64u = text .b64u bytes
bytes8 = bytes .size 8
bytes8-b64u = text .b64u bytes8

digest = [
  alg: (int / text)
  val: digest-value-type
]

digest-value-type = eat.JC<bytes-b64u, bytes>

@kentakayama
Copy link
Contributor Author

kentakayama commented Dec 2, 2025

This PR should be ready for review. @thomas-fossati , could you please take a look when you have time?

@kentakayama kentakayama mentioned this pull request Dec 2, 2025
Open
thomas-fossati
thomas-fossati reviewed Dec 3, 2025
View reviewed changes
measured_component_test.go
}

func TestMeasuredComponent_MarshalJSON_OK(t *testing.T) {
data := []byte(`{"id":["Foo",["1.3.4","multipartnumeric"]],"measurement":[1,"3q2-796tvu_erb7v3q2-796tvu_erb7v3q2-796tvu8"]}`)
Copy link
Contributor

@thomas-fossati thomas-fossati Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One quick check: AFAIR, there is no special encoding for coswid.$version-scheme in the JSON serialisation. I.e., instead of ”multipartnumeric" it should be 1, no?

Copy link
Contributor Author

@kentakayama kentakayama Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Exactly.
RFC 9393 states that CoSWID does not define any specific encoding or decoding rules for JSON.
https://datatracker.ietf.org/doc/html/rfc9393#name-the-concise-swid-tag-map

The string "multipartnumeric" comes from the veraison/swid implementation specification:
https://github.com/veraison/swid/blob/main/versionscheme.go#L40-L56

Copy link
Contributor

@thomas-fossati thomas-fossati Dec 3, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, thanks for double checking. We will need to fix it in veraison/swid then.

(EDIT: raised veraison/swid#47)

@thomas-fossati thomas-fossati mentioned this pull request Dec 3, 2025
Open
thomas-fossati
thomas-fossati approved these changes Dec 3, 2025
View reviewed changes
Copy link
Contributor

@thomas-fossati thomas-fossati left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks @kentakayama !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thomas-fossati thomas-fossati thomas-fossati approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kentakayama @thomas-fossati