Merge pull request #521 from HastD/canonical-json

chore: replace olpc-cjson with serde_json_canonicalizer

Author: flavio

Cargo.toml

@@ -22,8 +22,8 @@ cosign = [
     "dep:async-trait",
     "dep:cfg-if",
     "dep:oci-client",
-    "dep:olpc-cjson",
     "dep:regex",
+    "dep:serde_json_canonicalizer",
     "registry",
 ]
 fulcio = [
@@ -49,7 +49,7 @@ native-tls = [
     "reqwest?/native-tls",
 ]
 oauth = ["dep:openidconnect", "dep:reqwest"]
-registry = ["dep:async-trait", "dep:oci-client", "dep:olpc-cjson"]
+registry = ["dep:async-trait", "dep:oci-client", "dep:serde_json_canonicalizer"]
 rekor = ["dep:reqwest"]
 rustls-tls = [
     "oci-client?/rustls-tls",
@@ -127,7 +127,6 @@ hex = { version = "0.4", default-features = false, optional = true, features = [
     "std",
 ] }
 oci-client = { version = "0.15", default-features = false, optional = true }
-olpc-cjson = { version = "0.1", default-features = false, optional = true }
 openidconnect = { version = "4.0", default-features = false, features = [
     "reqwest",
     "reqwest-blocking",

src/cosign/bundle.rs

@@ -15,7 +15,6 @@
 
 use std::{cmp::PartialEq, collections::BTreeMap};
 
-use olpc_cjson::CanonicalFormatter;
 use serde::{Deserialize, Serialize};
 
 use crate::{
@@ -87,9 +86,7 @@ impl Bundle {
         bundle: &Bundle,
         rekor_pub_keys: &BTreeMap<String, CosignVerificationKey>,
     ) -> Result<()> {
-        let mut buf = Vec::new();
-        let mut ser = serde_json::Serializer::with_formatter(&mut buf, CanonicalFormatter::new());
-        bundle.payload.serialize(&mut ser).map_err(|e| {
+        let buf = serde_json_canonicalizer::to_vec(&bundle.payload).map_err(|e| {
             SigstoreError::UnexpectedError(format!(
                 "Cannot create canonical JSON representation of bundle: {e:?}"
             ))

src/registry/oci_caching_client.rs

@@ -20,7 +20,6 @@ use crate::errors::{Result, SigstoreError};
 
 use async_trait::async_trait;
 use cached::proc_macro::cached;
-use olpc_cjson::CanonicalFormatter;
 use serde::Serialize;
 use sha2::{Digest, Sha256};
 use tracing::{debug, error};
@@ -105,12 +104,13 @@ impl<'a> PullSettings<'a> {
     // Because of that the method will return the '0' value when something goes
     // wrong during the serialization operation. This is very unlikely to happen
     pub fn hash(&self) -> String {
-        let mut buf = Vec::new();
-        let mut ser = serde_json::Serializer::with_formatter(&mut buf, CanonicalFormatter::new());
-        if let Err(e) = self.serialize(&mut ser) {
-            error!(err=?e, settings=?self, "Cannot perform canonical serialization");
-            return "0".to_string();
-        }
+        let buf = match serde_json_canonicalizer::to_vec(self) {
+            Ok(vec) => vec,
+            Err(e) => {
+                error!(err=?e, settings=?self, "Cannot perform canonical serialization");
+                return "0".to_string();
+            }
+        };
 
         let mut hasher = Sha256::new();
         hasher.update(&buf);
@@ -196,12 +196,13 @@ impl PullManifestSettings {
     // Because of that the method will return the '0' value when something goes
     // wrong during the serialization operation. This is very unlikely to happen
     pub fn hash(&self) -> String {
-        let mut buf = Vec::new();
-        let mut ser = serde_json::Serializer::with_formatter(&mut buf, CanonicalFormatter::new());
-        if let Err(e) = self.serialize(&mut ser) {
-            error!(err=?e, settings=?self, "Cannot perform canonical serialization");
-            return "0".to_string();
-        }
+        let buf = match serde_json_canonicalizer::to_vec(self) {
+            Ok(vec) => vec,
+            Err(e) => {
+                error!(err=?e, settings=?self, "Cannot perform canonical serialization");
+                return "0".to_string();
+            }
+        };
 
         let mut hasher = Sha256::new();
         hasher.update(&buf);