
Support JSON Canonicalization Scheme to support cryptographic signing scenarios #2013

@butler54


Issue description / feature objectives

In investigating the opportunity for using signing in the OSCAL release process, one of the issues is verifiability. For verifiability, binary-exact outputs need to be repeatable, ideally across systems and implementations.

E.g. given an OSCAL JSON object, there are potentially different ways it can be represented, even as JSON.**

The JSON Canonicalization Scheme (JCS, RFC 8785) is a method to get a repeatable output for a given functional JSON object.

  1. Introduce RFC 8785-formatted JSON (aka JCS) as a supported output type.
  2. Introduce flags throughout the CLI commands to support this.
  3. Introduce a command to allow object canonicalisation.

** Note: YAML does not have an approved normalisation standard (see here), so we have excluded it for now.

Caveats / Assumptions

  • YAML is out of scope
  • XML is out of scope
  • The jcs library is out of scope
  • This is purely canonicalisation. It will not examine other aspects of the build process which are required to get reproducible builds; however, it addresses a core concern.

Completion Criteria
