This repository was archived by the owner on May 13, 2022. It is now read-only.

Lack of normalization step creates invalid signatures #10

@martinq

The LR-PGP.1.0 specification calls for normalization of JSON prior to the bencode step. LRJavaLib skips this step, so native booleans are converted into integers by bencode. This creates a different bencoded string than the canonical LRSignature module. For example:

// with normalization
d3:TOSd14:submission_TOS45:http://www.learningregistry.org/tos/cc0/v0-5/e6:active4:true8:doc_type13:resource_data11:doc_version6:0.49.0 ...

// without normalization
d3:TOSd14:submission_TOS45:http://www.learningregistry.org/tos/cc0/v0-5/e6:activei1e8:doc_type13:resource_data11:doc_version6:0.49.0 ...

Note how the required "active" property encodes to "4:true" when normalized to the string literal "true" but is encoded as "i1e" when left as a primitive boolean. This cascades later on, and since the Learning Registry server software appears to accept documents with invalid signatures, no indication is given to a developer that the signature is incorrect.
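The mismatch described in this issue can be reproduced with a short script. This is an added example, not code from LRJavaLib or the LRSignature module: the minimal bencoder, the `normalize` and `native_booleans` helpers, the sample document and the use of SHA-256 to show the downstream effect are all assumptions, and only the boolean rule the issue mentions is implemented.

```python
import hashlib

# Constructed sample: the four fields visible in the issue's bencoded strings.
DOC = {
    "TOS": {"submission_TOS": "http://www.learningregistry.org/tos/cc0/v0-5/"},
    "active": True,
    "doc_type": "resource_data",
    "doc_version": "0.49.0",
}

def bencode(value):
    """Minimal bencoder; like the encoder in the issue, booleans come out as integers."""
    if isinstance(value, int):  # bool is a subclass of int, so True -> i1e
        return b"i%de" % int(value)
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return b"%d:%s" % (len(raw), raw)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):  # bencode requires keys sorted as raw byte strings
        pairs = sorted(value.items(), key=lambda kv: kv[0].encode("utf-8"))
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in pairs) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")

def normalize(value):
    """Replace native booleans with the string literals "true"/"false", recursively."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, dict):
        return {k: normalize(v) for k, v in value.items()}
    if isinstance(value, list):
        return [normalize(v) for v in value]
    return value

def native_booleans(value, path=""):
    """Paths of values that bencode differently when normalization is skipped."""
    if isinstance(value, bool):
        return [path]
    if isinstance(value, dict):
        return [p for k, v in value.items()
                for p in native_booleans(v, f"{path}.{k}" if path else k)]
    if isinstance(value, list):
        return [p for i, v in enumerate(value) for p in native_booleans(v, f"{path}[{i}]")]
    return []

if __name__ == "__main__":
    for label, doc in (("normalized", normalize(DOC)), ("raw", DOC)):
        data = bencode(doc)
        print(label, data.decode(), hashlib.sha256(data).hexdigest())  # digest: assumption
    print("fields needing normalization:", native_booleans(DOC))
```

A pre-signing check that rejects any document for which `native_booleans` returns a non-empty list surfaces the problem on the client, since the issue notes the server gives no indication.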
