Stability of Boost::Serialization XML Output
Hi List,
I have to provide digital signatures of serialized C++ objects, I'm planning on using Boost::Serialization for the XML part.
Since XML signatures and XMLDsig in particular are difficult [1] and littered with pitfalls I was wondering if maybe the XML output of Boost::Serialization is stable enough to do a plain byte-oriented PKCSwhatever signature?
To summarize:
- C++ objects are serialized to XML with Boost::Serialization (XML is used since data has to be as human readable as possible).
- Serialized XML has to be digitally signed.
- XMLDsig is complicated [1]
Question:
Does Boost::Serialization with the XML backend produce bytewise the same data every time?
I sincerely hope that I made myself clear.
Andreas
[1] http://www.cs.auckland.ac.nz/~pgut001/pubs/xmlsec.txt
Andreas Neustifter wrote:
> Hi List,
> I have to provide digital signatures of serialized C++ objects, I'm planning on using Boost::Serialization for the XML part.
> Since XML signatures and XMLDsig in particular are difficult [1] and littered with pitfalls I was wondering if maybe the XML output of Boost::Serialization is stable enough to do a plain byte-oriented PKCSwhatever signature?
> To summarize:
> - C++ objects are serialized to XML with Boost::Serialization (XML is used since data has to be as human readable as possible).
> - Serialized XML has to be digitally signed.
> - XMLDsig is complicated [1]
> Question:
> Does Boost::Serialization with the XML backend produce bytewise the same data every time?
This would not and could not be guaranteed across differing library versions and platforms.
I would guess that the best way to handle this would be to incorporate XMLDsig compliance into the xml serialization (xml_?archive) itself. I have no doubt that this is a difficult task - but that's why we make the big bucks.
Robert Ramey
On 13 August 2013 18:11, Robert Ramey
> Andreas Neustifter wrote:
>> To summarize:
>> - C++ objects are serialized to XML with Boost::Serialization (XML is used since data has to be as human readable as possible).
>> - Serialized XML has to be digitally signed.
>> - XMLDsig is complicated [1]
>> Question:
>> Does Boost::Serialization with the XML backend produce bytewise the same data every time?
> This would not and could not be guaranteed across differing library versions and platforms.
I thought so but still: thanks for your answer...
> I would guess that the best way to handle this would be to incorporate XMLDsig compliance into the xml serialization (xml_?archive) itself. I have no doubt that this is a difficult task - but that's why we make the big bucks.
Who is? :)
No honestly: it's out of the scope of my project to implement a complicated thing as XMLDsig into the boost archiver... So I guess I will hack something together and hope it works...
Andreas
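An added example, not from the thread and not Boost code: since byte-identical re-serialization is not guaranteed, a byte-oriented scheme has to sign the archive bytes once, keep those exact bytes with a detached signature, and verify the stored bytes before parsing them. The two archives are constructed samples, and HMAC-SHA256 with a constructed key stands in for the public-key signature so the sketch runs with the standard library only.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample archives for one object, modelled on XML archive output.
# They differ only in the header's version attribute, line endings and
# indentation, the kind of drift a library or platform change can cause.
ARCHIVE_A = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>\n'
    b'<boost_serialization signature="serialization::archive" version="9">\n'
    b'<rec>\n\t<id>42</id>\n\t<name>alice</name>\n</rec>\n'
    b'</boost_serialization>\n'
)
ARCHIVE_B = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>\r\n'
    b'<boost_serialization signature="serialization::archive" version="10">\r\n'
    b'<rec>\r\n  <id>42</id>\r\n  <name>alice</name>\r\n</rec>\r\n'
    b'</boost_serialization>\r\n'
)

KEY = b"constructed-demo-key"  # assumption: stand-in for real signing key material


def sign(data: bytes) -> bytes:
    """Detached tag over the exact bytes; HMAC-SHA256 stands in for a signature."""
    return hmac.new(KEY, data, hashlib.sha256).digest()


def verify(data: bytes, tag: bytes) -> bool:
    """Constant-time check of the tag against the bytes as stored."""
    return hmac.compare_digest(sign(data), tag)


def fields(data: bytes) -> dict:
    """Parse an archive and return its leaf elements as {tag: text}."""
    root = ET.fromstring(data)
    return {el.tag: el.text for el in root.iter() if len(el) == 0}


def load_verified(data: bytes, tag: bytes) -> dict:
    """Verify the stored bytes first and parse only after the check passes."""
    if not verify(data, tag):
        raise ValueError("signature does not match stored bytes")
    return fields(data)
```

Both archives parse to the same fields, yet a tag made over one does not verify the other, so verification must run on the bytes that were signed and never on a fresh serialization of the loaded object.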
participants (2)
- Andreas Neustifter
- Robert Ramey