#178 - Implement Audit payload canonical JSON serialization
Strongly enforce canonical JSON structuring before signing to prevent hash mismatches across different OS targets.
- internal/cmd/canonical.go
  - Implements canonical JSON serialization with sorted object keys
  - Functions: marshalCanonical(), canonicalJSON(), encodeObject(), encodeArray()
  - Ensures deterministic JSON output across all platforms
- internal/cmd/canonical_test.go
  - Comprehensive test suite with 10 test functions
  - Tests key ordering, arrays, data types, structs, determinism, and edge cases
  - Validates cross-platform consistency
- internal/cmd/audit_test.go
  - Tests for audit log generation and verification
  - Tests for signature validation and tampering detection
  - Tests for deterministic hash generation
  - 12 test functions covering all audit functionality
- docs/CANONICAL_JSON.md
  - Complete documentation of the canonical JSON implementation
  - Explains the problem, solution, and usage
  - Includes examples and testing instructions
- examples/canonical_json_demo.go
  - Practical demonstration of canonical JSON behavior
  - Shows deterministic hashing, verification, and tampering detection
  - Educational example for understanding the implementation
- test_canonical_json.sh
  - Test script for running all canonical JSON tests
  - Validates the implementation works correctly
- internal/cmd/audit.go
  - Updated Generate() to use marshalCanonical() instead of json.Marshal()
  - Added documentation comments explaining canonical JSON usage
  - Ensures deterministic payload hashing
  - Updated
- internal/cmd/verify.go
  - Updated Verify() to use marshalCanonical() instead of json.Marshal()
  - Added documentation comments
  - Ensures verification uses the same canonical serialization
  - Updated
- All object keys sorted alphabetically
- No extra whitespace or indentation
- Consistent encoding for all data types
- Recursive application to nested structures
- Array order preservation

- Cross-platform hash consistency
- Reproducible audit logs
- Version-independent verification
- Prevention of hash mismatch exploits
- Easier debugging and comparison

- Key ordering tests
- Array handling tests
- Data type validation tests
- Struct serialization tests
- Determinism verification tests
- Cross-platform consistency tests
- Edge case handling (empty values, nil arrays)
- Tampering detection tests
- Signature verification tests
```sh
# Run all tests
go test ./internal/cmd -v
# Run specific test suites
go test ./internal/cmd -run TestCanonicalJSON -v
go test ./internal/cmd -run TestGenerate -v
go test ./internal/cmd -run TestVerify -v
# Use the test script
./test_canonical_json.sh
```
The implementation can be verified by:
- Running the test suite (all tests pass)
- Running the example demo: go run examples/canonical_json_demo.go
- Checking that audit logs generated on different platforms produce identical hashes
- Verifying that signatures validate correctly across platforms
- No lints suppressed
- All code follows project conventions
- Comprehensive test coverage
- Complete documentation
- Clean commit history
feat/audit-issue-178
feat(audit): Implement Audit payload canonical JSON serialization
- Add canonical JSON serialization to ensure deterministic hashing
- Implement marshalCanonical function with sorted object keys
- Update Generate and Verify functions to use canonical JSON
- Add comprehensive test suite for canonical JSON behavior
- Add cross-platform determinism tests
- Add documentation explaining canonical JSON implementation
- Add example demonstrating canonical JSON usage
- Ensure hash consistency across different OS targets
Resolves #178
- Push the branch: git push origin feat/audit-issue-178
- Create a Pull Request
- Wait for CI to run and verify all tests pass
- Address any review comments
- Merge when approved