Hi Fabio, ok, thanks for the details. That sheds some ligh indeed.
Maybe doing it as a two-step process like what I sketched below could work better. It makes you independent of any implementation details, although of course at the cost of having two levels of serialization.
You could however also go some alternative road and implement a custom "layered" transport. Just as an example, have a look at the TFramedTransport. The idea here is that the transport adds its own data to the stream. In the case of TFramedTransport this is simply a preceding int32 that holds the total byte length of the message. One could easily imagine a custom transport that covers your use case: to add some integrity data to the byte stream and validate the signature on read. Since this would happen after the writer wrote and before the reader reads, both signature and validation operates on plain bytes and therefore also entirely independent of any implementation surprises.
Have fun, JensG Am 10.05.2023 um 08:53 schrieb Fabio Ronca:
Hi Jens first of all, thanks for your reply. The idea is the following: Let's suppose to have the following RPC struct EmployInfo { 1: string name, 2: string surname, 3: i32 age, 4: i64 hireDate } oneway void registerEmploy { 1: i32 Id, 2: EmployInfo employInfo, 3: string integrityTag } the sender before calling the registerEmploy function computes the integrityTag. The integrity tag is computed as secretFunc(message_str) where the message_str is obtained as: message_str = String.valueOf(Id)+serializer.toString(employInfo) where serializer is defined as: Tserializer serializer = new TSerializer(new TSimpleJSONProtocol.Factory()) The receiver before elaborating the requestId and employInfo data shall check the integrity re-computing the integrity tag using the same secretFunc(message_str) used by the sender. The receiver needs also to compute the message_str. It applies the same mechanism used by the sender. In case the integrity tag matches we can assume that the data are ok. I want to leverage on TJSONProtocol to convert the structured data in JSON string. But I have some doubts that this solution is portable across the different programming languages. I have scenario where sender and receiver use different programming languages Best Regards Il giorno mar 9 mag 2023 alle ore 21:18 Jens Geyer <jensge...@hotmail.com> ha scritto:Hi Fabio, > Is it correct to assume that the JSON string resulting from conversion > is always the same (assuming to have the same input data) across > different programming languages? in theory ... probably, depends. I can think of cases where the resulting data might be different, including the compatibility case where we have a new version of embedded data with default values or the like. So I would not really bet on it. But what puzzles me most is this. As I understand it, the idea is - Alice serializes data to JSON - Alice stores the data into some envelope and puts an SHA-256 along with it, say: struct Envelope { 1 : string data // Thrift JSON data 2 : binary check // SHA-256 hash on data } - Bob reads the data and validates the checksum - Bob deserializes data from JSON (or whatever else the format is) Questions: -> Why could Bob need to write the exact same data again? -> And if that is really necessary, why can't Bob just calculate the SHA-256 again? I probably overlook something here ... Have fun, JensG Am 09.05.2023 um 10:22 schrieb Fabio Ronca:Hi there, I have a question about the Tserializer and the TJSONProtocol offered by Thrift. I'm using Thrift to implement a RPC between applications written in different programming languages. I need to add new functionality in my solution implementing an integrity check on the data exchanged between client and server. The idea is to compute an integrity on the data (defined in the IDL Thrift) exchanged between sender and clients. The integrity tag will be computed by the sender and re-compute by the receiver. To ensure the integrity the tag computed by the receiver shall match with the one received from the sender. For structured data types, I want to leverage on the Tserializer based on TJSONProtocol to obtain a JSON string (representing the data to protect) to provide as input to the algorithm for integrity calculation. Is it correct to assume that the JSON string resulting from conversion is always the same (assuming to have the same input data) across different programming languages? I mean, can I assume that the behaviour of TSerializer (based on TJSONProtocol) is the same across the different implementations of Thrift libraries available for the different programming languages? Thanks in advance Best Regards
