@@ -33,13 +33,16 @@ The signature format is a JSON message of the following form:
3333 "payload" : " <Base64(SERIALIZED_BODY)>"
3434 "payloadType" : " <PAYLOAD_TYPE>"
3535 "signatures" : [{
36- … ,
36+ "keyid" : " <KEYID> "
3737 "sig" : " <Base64(Sign(PAE(UTF8(PAYLOAD_TYPE), SERIALIZED_BODY)))>"
38- }, … ]
38+ }]
3939}
4040```
4141
42- where:
42+ Empty fields may be omitted. [ Multiple signatures] ( #multiple-signatures ) are
43+ allowed.
44+
45+ Parameters:
4346
4447* SERIALIZED_BODY is the byte sequence to be signed.
4548
@@ -55,6 +58,11 @@ where:
5558 - https://theupdateframework.com/Root/v1.0.5
5659 - etc...
5760
61+ * KEYID is an optional, unauthenticated hint indicating what key was used to
62+ sign the message. It ** must not** be used for security decisions.
63+
64+ Functions:
65+
5866* PAE() is the
5967 [ PASETO Pre-Authentication Encoding] ( https://github.com/paragonie/paseto/blob/master/docs/01-Protocol-Versions/Common.md#authentication-padding ) ,
6068 where parameters ` type ` and ` body ` are byte sequences:
@@ -88,6 +96,7 @@ To sign:
8896 SERIALIZED_BODY.
8997- Sign PAE(UTF8(PAYLOAD_TYPE), SERIALIZED_BODY), base64-encode the result, and
9098 store it in `sig`.
99+ - Optionally, compute a KEYID and store it in `keyid`.
91100- Base64-encode SERIALIZED_BODY and store it in `payload`.
92101- Store PAYLOAD_TYPE in `payloadType`.
93102
@@ -116,9 +125,9 @@ valid while avoiding the verifier from having to use [Canonical JSON].
116125 "payload": "<Base64(CanonicalJson(BODY))>",
117126 "payloadType": "<URI>/backwards-compatible-json",
118127 "signatures" : [{
119- … ,
120- "sig" : "<Base64(Sign(CanonicalJson(BODY)))>"
121- }, … ]
128+ "keyid": "<KEYID>" ,
129+ "sig": "<Base64(Sign(CanonicalJson(BODY)))>"
130+ }]
122131}
123132```
124133
@@ -129,6 +138,7 @@ To sign:
129138- BODY ** must** be an object type (` {...} ` ).
130139- Serialize BODY as [ Canonical JSON] ; call this SERIALIZED_BODY.
131140- Sign SERIALIZED_BODY, base64-encode the result, and store it in ` sig ` .
141+ - Optionally, compute a KEYID and store it in ` keyid ` .
132142- Base64-encode SERIALIZED_BODY and store it in ` payload ` .
133143- Store ` "<URI>/backwards-compatible-json" ` in ` payloadType ` .
134144
@@ -152,6 +162,25 @@ This scheme is safe from rollback attacks because the first byte of
152162SERIALIZED_BODY must be 0x7b (` { ` ) in backwards compatibility mode and 0x02 in
153163regular mode.
154164
165+ ### Multiple signatures
166+
167+ A file may have more than one signature, which is equivalent to separate files
168+ with individual signatures.
169+
170+ ``` json
171+ {
172+ "payload" : " <Base64(SERIALIZED_BODY)>"
173+ "payloadType" : " <PAYLOAD_TYPE>"
174+ "signatures" : [{
175+ "keyid" : " <KEYID_1>"
176+ "sig" : " <SIG_1>"
177+ }, {
178+ "keyid" : " <KEYID_2>"
179+ "sig" : " <SIG_2>"
180+ }]
181+ }
182+ ```
183+
155184### Optional changes to wrapper
156185
157186The standard wrapper is JSON with an explicit ` payloadType ` . Optionally,
@@ -286,9 +315,9 @@ over the [Canonical JSON] serialization of BODY.
286315{
287316 "signed" : <BODY>,
288317 "signatures" : [{
289- … ,
318+ "keyid" : " <KEYID> "
290319 "sig" : " <Hex(Sign(CanonicalJson(BODY)))>"
291- }, … ]
320+ }]
292321}
293322```
294323
@@ -307,11 +336,13 @@ To convert an existing signature to the new format:
307336- ` new.payload = base64encode(CanonicalJson(orig.signed)) `
308337- ` new.payloadType = "<URI>/backwards-compatible-json" `
309338- ` new.signatures[*].sig = base64encode(hexdecode(orig.signatures[*].sig)) `
339+ - ` new.signatures[*].keyid = orig.signatures[*].keyid `
310340
311341To convert a backwards compatible signature to the old format:
312342
313343- ` old.signed = jsonparse(base64decode(new.payload)) `
314344- ` old.signatures[*].sig = hexencode(base64decode(new.signatures[*].sig)) `
345+ - ` old.signatures[*].keyid = new.signatures[*].keyid `
315346
316347## Testing
317348
0 commit comments