Since Google doesn't support XSD or XML DSig in Android I began looking at other alternatives. There were none :-( Therefore I created a 2000-line system that writes and reads JSON from Java. In addition, I adopted a scaled-down version of XML DSig's enveloped-signatures.
The concept of enveloped signatures have been slammed by the JOSE WG due to a belief that canonicalization issues will be hard. FWIW, I just wrote the entire thing in just a week and I didn't find any problems all. https://code.google.com/p/openkeystore/source/browse/#svn%2Flibrary%2Ftrunk%2Fsrc%2Forg%2Fwebpki%2Fjson It seems that I will be able to replace 200,000 lines of Apache code with about 2,000 lines of custom code. { "MyLittleSignature": { "Version": "http://example.com/signature";, "Now": "2013-08-25T20:31:23+02:00", "HRT": { "RTl": "67", "YT": { "HTL": "656756#", "INTEGER": -689, "Fantastic": false }, "er": "33" }, "ARR": [], "BARR": [{ "HTL": "656756#", "INTEGER": -689, "Fantastic": true }, { "HTL": "656756#", "INTEGER": -689, "Fantastic": false }], "ID": "ihqQONXvN5_LnmdAG7YU", "STRINGS": ["One","Two","Three"], "Intra": 78, "EnvelopedSignature": { "SignatureInfo": { "Algorithm": "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256";, "Reference": { "Name": "ID", "Value": "ihqQONXvN5_LnmdAG7YU" }, "KeyInfo": { "PublicKey": { "EC": { "NamedCurve": "http://xmlns.webpki.org/sks/algorithm#ec.p256";, "X": "lNxNvAUEE8t7DSQBft93LVSXxKCiVjhbWWfyg023FCk", "Y": "LmTlQxXB3LgZrNLmhOfMaCnDizczC/RfQ6Kx8iNwfFA" } } } }, "SignatureValue": "MEUCIEhZtArhp8O7d1n7SRWRQcs3qePGBCrnKY8x2O3o+nvPAiEA0On5hez2EHmEwJIm/UK7GxqZeWWcaFzK9OVAhygAWVk" } } } Why bother with this you may wonder? Well I can't imagine converting the previous cool stuff to something yucky like JOSE's JWS: { "message": "eyJ0eXAiOibGciOiJIUzI1NiJ9.LmNvbS9pc19yb290Ijp0cnVlfQ.2K27uhbUJU1p1r_wW1gFWFOEjXk" } Canonicalization (=removal of whitespace): "MyLittleSignature":{"Version":"http://example.com/signature","Now":"2013-08-25T20:31:23+02:00","HRT":{"RTl":"67","YT":{"HTL":"656756#","INTEGER":-689,"Fantastic":false},"er":"33"},"ARR":[],"BARR":[{"HTL":"656756#","INTEGER":-689,"Fantastic":true},{"HTL":"656756#","INTEGER":-689,"Fantastic":false}],"ID":"ihqQONXvN5_LnmdAG7YU","STRINGS":["One","Two","Three"],"Intra":78,"EnvelopedSignature":{"SignatureInfo":{"Algorithm":"http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256","Reference":{"Name":"ID","Value":"ihqQONXvN5_LnmdAG7YU"},"KeyInfo":{"PublicKey":{"EC":{"NamedCurve":"http://xmlns.webpki.org/sks/algorithm#ec.p256","X":"lNxNvAUEE8t7DSQBft93LVSXxKCiVjhbWWfyg023FCk","; Y":"LmTlQxXB3LgZrNLmhOfMaCnDizczC/RfQ6Kx8iNwfFA"}}}} Cheers, Anders -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to android-security-discuss+unsubscr...@googlegroups.com. To post to this group, send email to android-security-discuss@googlegroups.com. Visit this group at http://groups.google.com/group/android-security-discuss. For more options, visit https://groups.google.com/groups/opt_out.
