mozilla-releng/balrog

use canonical json form for signed responses

Currently, we don't have any guarantees that our JSON responses will be bit-for-bit the same for the same request. This means that any time the response format changes, we'll have to generate additional, possibly unnecessary, signatures (because we use the hashed, dumped-to-a-string, json as our cache key).

Something like https://github.com/Kinto/kinto-signer/blob/master/kinto_signer/canonicaljson.py or https://pypi.org/project/canonicaljson/.

Thanks to glasserc for the idea and pointers.

(Imported from https://bugzilla.mozilla.org/show_bug.cgi?id=1590609)

Kindly assign this task to me.

Hi, please feel free to work on the issue and open a PR when you feel it is ready.

Could I have more info about this issue? @bhearsum @gabrielBusta
Could you provide the file(s) where the changes should be made?

This issue boils down to the fact that the JSON responses we return are not deterministic: it is possible that we may return exactly the same data but in a different order for different requests.

Fixing it requires ensuring the response object is built deterministically, probably by using one of the linked libraries.

Reopening because the fix in #3035 had to be reverted in #3058.

Changing json.dumps to canonicaljson.encode_canonical_json changed a text string to a byte string, which when passed to make_hash returns a bogus hash, and thus causes us to end up with a bogus signature.
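
Added example, not part of the thread or of Balrog's code: a standard-library sketch of the two behaviours discussed above, a cache key that changes with key order and a digest that goes wrong when canonical bytes are coerced to text. `digest` is a hypothetical stand-in for `make_hash` (whose implementation is not shown on this page), SHA-384 and the `str()` coercion are assumptions, and `canonical_bytes` approximates canonical JSON rather than using the `canonicaljson` package.

```python
import hashlib
import json


def canonical_bytes(obj):
    """Deterministic UTF-8 encoding: sorted keys, no insignificant whitespace.

    A stdlib approximation of canonical JSON, not the canonicaljson package.
    """
    return json.dumps(
        obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False, allow_nan=False
    ).encode("utf-8")


def digest(payload):
    """Hypothetical stand-in for a cache-key hash; accepts bytes only."""
    if not isinstance(payload, bytes):
        raise TypeError("hash input must be bytes, got %s" % type(payload).__name__)
    return hashlib.sha384(payload).hexdigest()


def naive_key(obj):
    # Insertion-order dependent: the same data can give a different key.
    return digest(json.dumps(obj).encode("utf-8"))


def canonical_key(obj):
    return digest(canonical_bytes(obj))


def stringified_key(obj):
    # Failure mode: bytes coerced with str() hash the repr "b'...'" instead of the JSON text.
    return digest(str(canonical_bytes(obj)).encode("utf-8"))


# Constructed sample responses: identical data, different key order.
RESP_A = {"schema_version": 1, "updates": [{"type": "minor", "url": "https://example.invalid/a"}]}
RESP_B = {"updates": [{"url": "https://example.invalid/a", "type": "minor"}], "schema_version": 1}

if __name__ == "__main__":
    print("naive keys equal:    ", naive_key(RESP_A) == naive_key(RESP_B))
    print("canonical keys equal:", canonical_key(RESP_A) == canonical_key(RESP_B))
    print("str(bytes) matches:  ", stringified_key(RESP_A) == canonical_key(RESP_A))
```

Rejecting non-bytes input in the hash function turns a silent type change at the encoder into an immediate error instead of a wrong signature.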