This repository was archived by the owner on May 13, 2022. It is now read-only.

Lack of normalization step creates invalid signatures #10

@martinq

The LR-PGP.1.0 specification calls for normalization of JSON prior to the bencode step. LRJavaLib skips this step, so native booleans are converted into integers by bencode. This creates a different bencoded string than the canonical LRSignature module. For example:

```
// with normalization
d3:TOSd14:submission_TOS45:http://www.learningregistry.org/tos/cc0/v0-5/e6:active4:true8:doc_type13:resource_data11:doc_version6:0.49.0 ...

// without normalization
d3:TOSd14:submission_TOS45:http://www.learningregistry.org/tos/cc0/v0-5/e6:activei1e8:doc_type13:resource_data11:doc_version6:0.49.0 ...
```

Note how the required "active" property encodes to "4:true" when normalized to the string literal "true" but is encoded as "i1e" when left as a primitive boolean. This cascades later on, and since the Learning Registry server software appears to accept documents with invalid signatures, no indication is given to a developer that the signature is incorrect.
