refactor: Add explicit canonicalization tests for signing pipeline #15

@rampyg

Description

Summary

Enhance the signing/verification pipeline with explicit canonicalization tests and documentation to ensure deterministic signature verification.

Current State

The current implementation already uses canonical JSON:

json.dumps(claims, sort_keys=True, separators=(',', ':'))

This is correct and secure. However, we can add defense-in-depth.

Proposed Enhancement

  1. Add unit tests proving canonicalization is deterministic
  2. Document the 'Frozen Payload' pattern in code comments
  3. Consider explicit Base64 encoding step for additional clarity

Why This Matters

  • Ensures future refactors don't break deterministic serialization
  • Documents the security-critical serialization behavior
  • Provides test coverage for edge cases (unicode, floats, etc.)

Not a Critical Fix

The current implementation is secure. This is a hardening/documentation task.

References

  • RFC 8785 (JSON Canonicalization Scheme)
  • JWS RFC 7515
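The tests this issue proposes, written out as an added example that is not the project's code: the issue's `json.dumps(claims, sort_keys=True, separators=(',', ':'))` call, made explicit on `ensure_ascii` and `allow_nan`, a frozen-payload signer and verifier, and determinism checks for key order, unicode, floats and NaN. It assumes an HMAC-SHA256 tag over the canonical bytes with a demo key, and base64url as the explicit encoding step from item 3; `legacy_sign` is a constructed stand-in for a producer that signs correctly but does not canonicalize, used to show why the verifier must check the bytes it received rather than re-serialize.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical key for this example only; a real pipeline supplies its own key material.
_DEMO_KEY = b"example-key-not-for-production"


def canonicalize(claims: dict) -> bytes:
    """The issue's sort_keys + compact-separators call, made explicit on two points:
    ensure_ascii=False emits non-ASCII as UTF-8 rather than \\uXXXX escapes (as RFC 8785
    does); allow_nan=False makes NaN/Infinity, which are not JSON, raise instead of
    being serialized silently. sort_keys applies recursively to nested objects."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False, allow_nan=False).encode("utf-8")


def b64url(data: bytes) -> str:
    """Explicit base64url step, unpadded as in RFC 7515."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict, key: bytes = _DEMO_KEY) -> str:
    """Frozen payload: the exact bytes that were MACed are the bytes that travel."""
    payload = canonicalize(claims)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64url(payload)}.{b64url(tag)}"


def verify(token: str, key: bytes = _DEMO_KEY) -> dict:
    """Check the MAC over the received bytes, then parse those same bytes."""
    try:
        payload_b64, tag_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    payload = b64url_decode(payload_b64)
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(tag_b64)):
        raise ValueError("bad signature")
    return json.loads(payload)


def verify_by_reserializing(token: str, key: bytes = _DEMO_KEY) -> dict:
    """Anti-pattern the frozen-payload rule guards against: parse, re-canonicalize,
    and MAC the re-serialized bytes. Works only while every producer serializes
    byte-for-byte the way this verifier does."""
    payload_b64, tag_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    expected = hmac.new(key, canonicalize(claims), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(tag_b64)):
        raise ValueError("bad signature")
    return claims


def legacy_sign(claims: dict, key: bytes = _DEMO_KEY) -> str:
    """Constructed stand-in for an older or foreign producer: json.dumps defaults
    (insertion order, ', ' and ': ' separators), otherwise a valid signer."""
    payload = json.dumps(claims).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64url(payload)}.{b64url(tag)}"


# Determinism checks of the kind the issue asks for.

def key_order_is_irrelevant() -> bool:
    a = {"sub": "alice", "iat": 1700000000, "ctx": {"z": 1, "a": [{"y": 2, "x": 1}]}}
    b = {"ctx": {"a": [{"x": 1, "y": 2}], "z": 1}, "iat": 1700000000, "sub": "alice"}
    return canonicalize(a) == canonicalize(b)


def rejects_nan() -> bool:
    try:
        canonicalize({"x": float("nan")})
    except ValueError:
        return True
    return False


def accepts(verifier, token: str) -> bool:
    try:
        verifier(token)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    claims = {"sub": "alice", "iat": 1700000000, "name": "Zoë", "ratio": 1e-7}
    print(canonicalize(claims).decode())  # {"iat":1700000000,"name":"Zoë","ratio":1e-07,"sub":"alice"}
    legacy = legacy_sign(claims)
    print(accepts(verify, legacy), accepts(verify_by_reserializing, legacy))  # True False
```

Two things the tests pin down that are easy to miss: `1` and `1.0` serialize to different bytes (`1` vs `1.0`), so a producer that casts numeric claims changes the signed payload; and Python renders `1e-7` as `1e-07`, whereas RFC 8785 (which follows ECMAScript number formatting) yields `1e-7`. These tests therefore lock in Python's current behaviour rather than JCS conformance, which is exactly the refactor-safety the issue is after; full JCS interoperability with other languages would need a dedicated canonicalizer.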

Metadata

Labels: documentation (Improvements or additions to documentation), security (Security-related)
