SIMPLY-2507 (sub-task of SIMPLY-2301 Implement DPLA Audiobooks in Android interface)

Validate signature of Feedbooks audio manifest on each publication open


    • Type: Sub-task
    • Resolution: Done
    • Priority: Medium
    • Fix Version/s: 5.0.8 (Android)
    • Component/s: Android
    • Sprints: SIMPLY S3 January 21 - Feb 4, SIMPLY S4 February 4 - 18, SIMPLY S5 Feb 18 - March 3, SIMPLY S6 March 3 - March 17, SIMPLY S7 March 17 - March 31, SIMPLY S8 March 31 - April 14, SIMPLY S9 April 14 - 28, SIMPLY S10 April 28 - May 12, SIMPLY S11 May 12 - May 26, SIMPLY S12 May 26 - June 9, SIMPLY S13 June 9 - June 23, SIMPLY S14 June 23 - July 7, SIMPLY S15 July 7 - July 21, SIMPLY S16 July 21 - August 4, SIMPLY S17 August 4 - 18, SIMPLY S18 August 18 - Sep 1, SIMPLY S19 September 1 - 15, SIMPLY 22 Oct 14 - Oct 27, SIMPLY S20 September 15 - 29, SIMPLY S21 Sep 29 - Oct 13, SIMPLY S23 Oct 27 - Nov 10, SIMPLY S24 Nov 10 - 24, SIMPLY S25 Nov 24 - Dec 8, SIMPLY Sprint 26 Dec 8 - 22, SIMPLY S0 Dec 22 - Jan 5, SIMPLY S1 January 5 - 19

From the spec:

To confirm the validity of a manifest, a signature is included in every manifest.
User Agents **must** validate the signature of a manifest whenever the publication is opened.
Signature for the audiobook manifest is very similar to Readium LCP and reuses terms defined in the Readium Web Publication Manifest for individual resources in the reading order.
Signature information is contained in `http://www.feedbooks.com/audiobooks/signature` object in `metadata`:

| Key | Semantics | Type | Required? |
| ----- | --------- | -------- | --------- |
| `algorithm` | Identifies the algorithm used to sign the manifest. | URI | Yes |
| `issuer` | Identifies the issuer of the signature. | URI | Yes |
| `value` | Contains the signature. | Base-64 encoded octet sequence | Yes |

To calculate the validity of this signature, the User Agent **must**:

- ensure that the `issuer` is present in a list of well-known issuers and that its associated certificate is still valid
- use the JSON from the manifest, but remove the `http://www.feedbooks.com/audiobooks/signature` section from it
- follow the [guidelines from the Readium LCP specification regarding JSON canonicalization](https://readium.org/lcp-specs/lcp.html#53-canonical-form-of-the-license-document)
- validate the signature according to the `algorithm` specified in the manifest

*Example 3: Signature Object*

```json
"http://www.feedbooks.com/audiobooks/signature": {
 "algorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
 "issuer": "https://www.cantookaudio.com",
 "value": "eKLux/4TtJc6VH6RTOi5lBMh9mT1j2y1z50OruWZgy8QjyPMjDV+aVZWUt7OUTinUHQfWNPBB6DxixgTZ07TQsix4uScL2dJZRQTjUKKHv3he7oJdOkcxjWDh51Q6U2KbDfC2MReG/+Qa4meoI5BN0Q8FKIEFMDZJ2KQTSRj13ZETaD0Nwz+8d6IN7csQGFJHvW/bBJthty+eZNzIr+VE0Kf02OS4yX+wvsExfRabvHlfimT1uUTWc89CgPAuM+Y7vdtjb+B3YFr7ibXATk6lQJkXzKol9ms6vkNwnvxzXwsQ+p1ZjejH1LOYADvedl/ItPrBGkhmq7bbUz91jUd+w=="
}
```

We need to get the "list of well-known issuers" and the corresponding list of certificates. It's not clear to me whether this list is static or dynamically generated.
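As an added example that is not code from SimplyE or from the spec, the four validation steps quoted above in Go: a verifier that checks the issuer against a known list, strips the signature object, canonicalizes and verifies RSA-SHA256, plus a constructed issuer-side signer so the round trip can be exercised. Assumptions: the well-known issuer list is a map from issuer URI to the public key of its pinned certificate (the certificate validity check this ticket asks about is left out), and json.Marshal's sorted-key, whitespace-free output stands in for the exact LCP canonical form.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

const sigKey, rsaSHA256 = "http://www.feedbooks.com/audiobooks/signature", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
// canonical stands in for the LCP canonical form: json.Marshal on a map emits
// sorted keys and no whitespace. Assumption: LCP's escaping rules are not reproduced.
func canonical(doc map[string]any) []byte { b, _ := json.Marshal(doc); return b }

// VerifyManifest performs the spec's steps: well-known issuer, strip the signature object,
// canonicalize, verify. issuers maps issuer URI to the pinned certificate's public key (assumed).
func VerifyManifest(manifest []byte, issuers map[string]*rsa.PublicKey) error {
	var doc map[string]any
	if err := json.Unmarshal(manifest, &doc); err != nil {
		return err
	}
	meta, _ := doc["metadata"].(map[string]any)
	sig, _ := meta[sigKey].(map[string]any) // reads on a nil map yield zero values
	if alg, _ := sig["algorithm"].(string); alg != rsaSHA256 {
		return fmt.Errorf("missing or unsupported algorithm %q", alg)
	}
	issuer, _ := sig["issuer"].(string)
	pub, ok := issuers[issuer]
	if !ok {
		return fmt.Errorf("issuer %q is not well-known", issuer)
	}
	raw, err := base64.StdEncoding.DecodeString(fmt.Sprint(sig["value"]))
	if err != nil {
		return err
	}
	delete(meta, sigKey) // the signature covers the manifest without itself
	digest := sha256.Sum256(canonical(doc))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw)
}

// SignManifest is the issuer side, constructed here only so the round trip can be run.
func SignManifest(doc map[string]any, issuer string, key *rsa.PrivateKey) []byte {
	digest := sha256.Sum256(canonical(doc))
	s, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	doc["metadata"].(map[string]any)[sigKey] = map[string]any{
		"algorithm": rsaSHA256, "issuer": issuer, "value": base64.StdEncoding.EncodeToString(s)}
	return canonical(doc)
}
```

A manifest whose issuer is absent from the list, whose algorithm is unexpected, or whose content was altered after signing is rejected before any audio resource is opened.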

People: Ray Lee; Leonard Richardson (Inactive)