CBOR is a concise binary alternative to JSON, specified in RFC 7049. This CBOR library is as easy to use as Go’s encoding/json and is a good fit for a wide variety of projects: it is small enough for IoT and reliable enough for WebAuthn (FIDO2) servers, and it avoids crashes and exploits when decoding malicious CBOR data.
go get github.com/fxamacker/cbor and use it like Go’s encoding/json. It supports
fxamacker/cbor is a CBOR library that is:
- Easy – idiomatic API like Go’s encoding/json.
- Small and self-contained – compiles to under 0.5 MB and has no external dependencies.
- Safe and reliable – avoids Go’s unsafe, has >95% coverage, and passes fuzzing each release.
- Standards-compliant – supports CBOR, including canonical CBOR encodings (RFC 7049 and CTAP2) with minor limitations.
Version 1.x has:
- Stable API – won’t make breaking API changes.
- Stable requirements – won’t require Go newer than v1.12.
- Passed fuzzing – no problems detected after 42+ hrs using fxamacker/cbor-fuzz.
Next (v1.3) will improve speed and simplify decoding COSE data (RFC 8152).
Coverage-guided fuzzing uses fxamacker/cbor-fuzz. The default corpus has:
- 2 files related to WebAuthn (FIDO U2F key).
- 17 files with COSE examples (RFC 8152 Appendix B & C).
- 82 files with CBOR examples (RFC 7049 Appendix A).
- 340 files generated by fuzzing for 50 hours with 2 workers on an AMD EPYC 7601 virtual machine.
Unit tests include all RFC 7049 examples, bugs found by fuzzing, 2 maliciously crafted CBOR inputs, etc. Code coverage (97.8% in v1.2) is among the highest for a library of this type.
Changes in v1.2 include:
- Feature: Add RawMessage, Marshaler, and Unmarshaler (commit 1a29187)
- Speed: Improve speed of decoding into structs by +23% (commit 9ff43a1)
- Fix: Return an error when decoding unsupported CBOR negative integers (commit 47055e7)
- Misc: Add benchmarks using COSE and WebAuthn data (commit 22732d7)
- Misc: Add more tests, including malicious CBOR data (credit: oasislabs/oasis-core)
- Misc: Update README.md
This release passed 42 hours of fuzzing with fxamacker/cbor-fuzz v0.7.0.
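As an added example (not fxamacker/cbor’s own code), here is a minimal hardened CBOR decoder that shows the checks behind the claims above: bounding declared lengths and nesting depth so malicious input cannot trigger a huge allocation or unbounded recursion, rejecting integers that are not in shortest form as canonical CBOR (RFC 7049 section 3.9, CTAP2) requires, and returning an error for negative integers that do not fit int64, the case the v1.2 fix above addresses. The decoder, the maxDepth limit and the sample inputs are assumptions constructed here; it handles only integers and arrays.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"math"
)

// Hardened decoder for CBOR integers and arrays (major types 0, 1 and 4).
// Added example, not fxamacker/cbor's own code; maxDepth is an assumed limit.
const maxDepth = 32
var (
	errBadLength    = errors.New("cbor: declared length exceeds remaining input")
	errTooDeep      = errors.New("cbor: nesting exceeds limit")
	errNonCanonical = errors.New("cbor: integer not in shortest form")
	errNegOverflow  = errors.New("cbor: negative integer does not fit int64")
	errUnsupported  = errors.New("cbor: unsupported major type or indefinite length")
)
type decoder struct {
	data []byte
	pos  int
}

// readHead parses the initial byte: a 3-bit major type and a 5-bit argument
// that is inline (0-23) or follows in 1, 2, 4 or 8 big-endian bytes (24-27).
func (d *decoder) readHead() (major byte, arg uint64, err error) {
	if d.pos >= len(d.data) {
		return 0, 0, errBadLength
	}
	major, info := d.data[d.pos]>>5, d.data[d.pos]&0x1f
	d.pos++
	if info < 24 {
		return major, uint64(info), nil
	}
	if info > 27 {
		return 0, 0, errUnsupported // 28-30 are reserved, 31 is indefinite length
	}
	n := 1 << (info - 24)
	if len(d.data)-d.pos < n {
		return 0, 0, errBadLength
	}
	var buf [8]byte // right-align the n argument bytes and read them as one uint64
	copy(buf[8-n:], d.data[d.pos:d.pos+n])
	d.pos += n
	arg = binary.BigEndian.Uint64(buf[:])
	// Canonical CBOR (RFC 7049 section 3.9, CTAP2) requires the shortest form that fits.
	if arg < 24 || (n > 1 && arg>>(4*uint(n)) == 0) {
		return 0, 0, errNonCanonical
	}
	return major, arg, nil
}

// item decodes one data item; depth bounds the recursion so nested arrays cannot exhaust the stack.
func (d *decoder) item(depth int) (interface{}, error) {
	if depth > maxDepth {
		return nil, errTooDeep
	}
	major, arg, err := d.readHead()
	if err != nil {
		return nil, err
	}
	switch major {
	case 0: // unsigned integer
		return arg, nil
	case 1: // negative integer, value -1-arg; above MaxInt64 it does not fit int64
		if arg > math.MaxInt64 {
			return nil, errNegOverflow
		}
		return -1 - int64(arg), nil
	case 4: // array: each element takes at least one byte, so reject counts above the remaining input before allocating
		if arg > uint64(len(d.data)-d.pos) {
			return nil, errBadLength
		}
		arr := make([]interface{}, arg)
		for i := range arr {
			if arr[i], err = d.item(depth + 1); err != nil {
				return nil, err
			}
		}
		return arr, nil
	}
	return nil, errUnsupported // strings, maps, tags, floats and simple values are out of scope here
}

// Decode parses one CBOR data item from b.
func Decode(b []byte) (interface{}, error) {
	return (&decoder{data: b}).item(0)
}

// Constructed inputs: an RFC 7049 Appendix A example, then items of the kind fuzzing surfaces.
var (
	sampleArray     = []byte{0x83, 0x01, 0x02, 0x03}                               // [1, 2, 3]
	hugeArrayHeader = []byte{0x9b, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff} // 2^64-1 items declared, no body
	negIntOverflow  = []byte{0x3b, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff} // -2^64, does not fit int64
	nonCanonical    = []byte{0x18, 0x05}                                           // 5 with a one-byte argument
	deeplyNested    = append(bytes.Repeat([]byte{0x81}, maxDepth+1), 0x00)        // arrays nested past the limit
)
```

Decode(sampleArray) returns []interface{}{uint64(1), uint64(2), uint64(3)}, while each of the malformed inputs returns its specific error without allocating or recursing first: the array count is compared against the bytes left before make is called, and the depth check runs before the header is even read. A real library additionally has to cover strings, maps (including duplicate keys), tags and floats with the same discipline, which is why a fuzzing corpus like the one described above matters.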