What does this do? fxamacker/cbor encodes and decodes CBOR, like encoding/json does for JSON.
What is CBOR? CBOR (RFC 7049) is a binary data format inspired by JSON and MessagePack. CBOR is used in IETF Internet Standards such as COSE (RFC 8152) and CWT (RFC 8392 CBOR Web Token). WebAuthn also uses CBOR.
Why was this created when others exist? I needed to use CBOR (in Go) without bloat and without worrying about a tiny malicious CBOR message being able to bring down the entire system.
I found a github project replaced a 1000+ star library with this one because an external security audit found tiny malicious CBOR messages being able to exhaust system resources with the other one.
Why should projects choose this CBOR library? It doesn’t crash and it has well-balanced qualities: small, fast, reliable and easy.
Small and self-contained. It compiles to under 0.5 MB, has no external dependencies, and no code gen. Compiled program size difference vs another library can be as extreme as 8+ MB (see chart.)
Fast (esp. since v1.3). It soley uses safe optimizations. Faster libraries will always exist, but speed is only one factor. Choose this library if you value your time, program size, and system reliability.
Reliable and safe. It prevents crashes on malicious CBOR data by using extensive tests, coverage-guided fuzzing, data validation, and avoiding Go’s
Easy and saves time. It has the same API as Go’s
encoding/json. Existing structs don’t require changes. Go struct tags like
`json:"name,omitempty"`work as expected. Extra struct tags like
toarraymake CBOR, COSE, CWT, and SenML very easy to use.
go get github.com/fxamacker/cbor and use it like Go’s
Example: CBOR Web Token (CWT)
toarray struct tags simplify decoding Signed CWT to an easy-to-use Go struct. These tags make decoding simple:
err := cbor.Unmarshal(b, &v).
Doing your own comparisons is recommended. Use your most common message sizes and data types.
Additional comparisons may be added from time to time (esp. speed comparisons!)
Version 1.x has:
- Stable API – won’t make breaking API changes.
- Stable requirements – will always support Go v1.12.
- Passed fuzzing – v1.3 passed 2+ billion execs in 72+ hours of coverage-guided fuzzing.
- Release v1.2 – add RawMessage type, Marshaler and Unmarshaler interfaces.
- Release v1.3 – faster encoding and decoding.
Release v1.3 – add struct to/from CBOR array (
toarraystruct tag) for more compact data.
Release v1.3 – add struct to/from CBOR map with int keys (
keyasintstruct tag). Simplifies using CBOR and esp. COSE, CWT, SenML, etc.
- Milestone v1.4 – (maybe) Add support for CBOR tags (major type 6.) Please let me know if this feature matters to you!