Fxamacker/cbor v1.2 - CBOR library that's easy, small, safe and reliable


(Faye Amacker) #1

CBOR is a concise binary alternative to JSON, and is specified in RFC 7049.

This CBOR library is as easy as Go’s encoding/json , and a great fit for a wide variety of projects.

It’s small enough for IoT. And reliable enough for WebAuthn (FIDO2) servers. It avoids crashes and exploits when decoding malicious CBOR data.

Install with go get github.com/fxamacker/cbor and use it like Go’s encoding/json . It supports json:"name" keys!

fxamacker/cbor is a CBOR library that is:

  • Easy – idiomatic API like Go’s encoding/json.
  • Small and self-contained – compiles to under 0.5 MB and has no external dependencies.
  • Safe and reliable – avoids Go’s unsafe, has >95% coverage, and passes fuzzing each release.
  • Standards-compliant – supports CBOR, including canonical CBOR encodings (RFC 7049 and CTAP2) with minor limitations.

Version 1.x has:

  • Stable API – won’t make breaking API changes.
  • Stable requirements – won’t require Go newer than v1.12.
  • Passed fuzzing – no problems detected after 42+ hrs using fxamacker/cbor-fuzz.

Next (v1.3) will improve speed and simplify decoding COSE data (RFC 8152).


Coverage guided fuzzing uses fxamacker/cbor-fuzz. Default corpus has:

Unit tests include all RFC 7049 examples, bugs found by fuzzing, 2 maliciously crafted CBOR data, and etc. Code coverage (97.8% in v1.2) is among the highest for a library of this type.

Changes in v1.2 include:

  • Feature: Add RawMessage, Marshaler, and Unmarshaler (commit 1a29187)
  • Speed: Improve decoding into struct speed by +23% (commit 9ff43a1)
  • Fix: Return error on decoding unsupported CBOR neg int (commit 47055e7)
  • Misc: Add benchmarks using COSE and WebAuthn data (commit 22732d7)
  • Misc: Add more tests, including malicious CBOR data (credit: oasislabs/oasis-core)
  • Misc: Update README.md

This release passed 42 hours of fuzzing with fxamacker/cbor-fuzz v0.7.0.


(Jakob Borg) #2

I’ve used this and was happy to see a well tested high quality implementation! :+1:


(Faye Amacker) #3

Your kind words prompted me to include this in my project’s How to Contribute. :smiley:

When I announced v1.2 on Go Forum, Jakob Borg (calmh) responded with a thumbs up and encouragement. Another project of equal priority needed my time and Jakob’s kind words tipped the scale for me to work on this one (speedups for milestone v1.3.) So words of appreciation or encouragement is nice way to contribute to open source projects.