RFC 8949 | CBOR | November 2020 |
Bormann & Hoffman | Standards Track | [Page] |
The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack.¶
This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format.¶
This is an Internet Standards Track document.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8949.¶
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
There are hundreds of standardized formats for binary representation of structured data (also known as binary serialization formats). Of those, some are for specific domains of information, while others are generalized for arbitrary data. In the IETF, probably the best-known formats in the latter category are ASN.1's BER and DER [ASN.1].¶
The format defined here follows some specific design goals that are not well met by current formats. The underlying data model is an extended version of the JSON data model [RFC8259]. It is important to note that this is not a proposal that the grammar in RFC 8259 be extended in general, since doing so would cause a significant backwards incompatibility with already deployed JSON documents. Instead, this document simply defines its own data model that starts from JSON.¶
Appendix E lists some existing binary formats and discusses how well they do or do not fit the design objectives of the Concise Binary Object Representation (CBOR).¶
This document obsoletes [RFC7049], providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format.¶
The objectives of CBOR, roughly in decreasing order of importance, are:¶
The representation must be able to unambiguously encode most common data formats used in Internet standards.¶
The code for an encoder or decoder must be able to be compact in order to support systems with very limited memory, processor power, and instruction sets.¶
Data must be able to be decoded without a schema description.¶
The serialization must be reasonably compact, but data compactness is secondary to code compactness for the encoder and decoder.¶
The format must be applicable to both constrained nodes and high-volume applications.¶
The format must support all JSON data types for conversion to and from JSON.¶
The format must be extensible, and the extended data must be decodable by earlier decoders.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The term "byte" is used in its now-customary sense as a synonym for "octet". All multi-byte values are encoded in network byte order (that is, most significant byte first, also known as "big-endian").¶
This specification makes use of the following terminology:¶
Terms and concepts for floating-point values such as Infinity, NaN (not a number), negative zero, and subnormal are defined in [IEEE754].¶
Where bit arithmetic or data types are explained, this document uses the notation familiar from the programming language C [C], except that ".." denotes a range that includes both ends given, and superscript notation denotes exponentiation. For example, 2 to the power of 64 is notated: 264. In the plain-text version of this specification, superscript notation is not available and therefore is rendered by a surrogate notation. That notation is not optimized for this RFC; it is unfortunately ambiguous with C's exclusive-or (which is only used in the appendices, which in turn do not use exponentiation) and requires circumspection from the reader of the plain-text version.¶
Examples and pseudocode assume that signed integers use two's complement representation and that right shifts of signed integers perform sign extension; these assumptions are also specified in Sections 6.8.1 (basic.fundamental) and 7.6.7 (expr.shift) of the 2020 version of C++ (currently available as a final draft, [Cplusplus20]).¶
Similar to the "0x" notation for hexadecimal numbers, numbers in binary notation are prefixed with "0b". Underscores can be added to a number solely for readability, so 0b00100001 (0x21) might be written 0b001_00001 to emphasize the desired interpretation of the bits in the byte; in this case, it is split into three bits and five bits. Encoded CBOR data items are sometimes given in the "0x" or "0b" notation; these values are first interpreted as numbers as in C and are then interpreted as byte strings in network byte order, including any leading zero bytes expressed in the notation.¶
Words may be italicized for emphasis; in the plain text
form of this specification, this is indicated by surrounding words
with underscore characters. Verbatim text (e.g., names from a
programming language) may be set in monospace
type; in plain
text, this is approximated somewhat ambiguously by surrounding the
text in double quotes (which also retain their usual meaning).¶
CBOR is explicit about its generic data model, which defines the set of all data items that can be represented in CBOR. Its basic generic data model is extensible by the registration of "simple values" and tags. Applications can then create a subset of the resulting extended generic data model to build their specific data models.¶
Within environments that can represent the data items in the generic data model, generic CBOR encoders and decoders can be implemented (which usually involves defining additional implementation data types for those data items that do not already have a natural representation in the environment). The ability to provide generic encoders and decoders is an explicit design goal of CBOR; however, many applications will provide their own application-specific encoders and/or decoders.¶
In the basic (unextended) generic data model defined in Section 3, a data item is one of the following:¶
Note that integer and floating-point values are distinct in this model, even if they have the same numeric value.¶
Also note that serialization variants are not visible at the generic data model level. This deliberate absence of visibility includes the number of bytes of the encoded floating-point value. It also includes the choice of encoding for an "argument" (see Section 3) such as the encoding for an integer, the encoding for the length of a text or byte string, the encoding for the number of elements in an array or pairs in a map, or the encoding for a tag number.¶
This basic generic data model has been extended in this document by the registration of a number of simple values and tag numbers, such as:¶
false
, true
, null
, and undefined
(simple values identified by 20..23, Section 3.3)¶
Additional elements of the extended generic data model can be (and have been) defined via the IANA registries created for CBOR. Even if such an extension is unknown to a generic encoder or decoder, data items using that extension can be passed to or from the application by representing them at the application interface within the basic generic data model, i.e., as generic simple values or generic tags.¶
In other words, the basic generic data model is stable as defined in this document, while the extended generic data model expands by the registration of new simple values or tag numbers, but never shrinks.¶
While there is a strong expectation that generic encoders and decoders
can represent false
, true
, and null
(undefined
is intentionally
omitted) in the form appropriate for their programming environment,
the implementation of the data model extensions created by tags is truly
optional and a matter of implementation quality.¶
The specific data model for a CBOR-based protocol usually takes a subset of the extended generic data model and assigns application semantics to the data items within this subset and its components. When documenting such specific data models and specifying the types of data items, it is preferable to identify the types by their generic data model names ("negative integer", "array") instead of referring to aspects of their CBOR representation ("major type 1", "major type 4").¶
Specific data models can also specify value equivalency (including
values of different types) for the purposes of map keys and encoder freedom. For
example, in the generic data model, a valid map MAY have both 0
and
0.0
as keys, and an encoder MUST NOT encode 0.0
as an integer
(major type 0, Section 3.1). However, if a specific data model
declares that floating-point and integer representations of integral
values are equivalent, using both map keys 0
and 0.0
in a single
map would be considered
duplicates, even while encoded as different major types, and so invalid; and an encoder could encode integral-valued
floats as integers or vice versa, perhaps to save encoded bytes.¶
A CBOR data item (Section 2) is encoded to or decoded from a byte string carrying a well-formed encoded data item as described in this section. The encoding is summarized in Table 7 in Appendix B, indexed by the initial byte. An encoder MUST produce only well-formed encoded data items. A decoder MUST NOT return a decoded data item when it encounters input that is not a well-formed encoded CBOR data item (this does not detract from the usefulness of diagnostic and recovery tools that might make available some information from a damaged encoded CBOR data item).¶
The initial byte of each encoded data item contains both information about the major type (the high-order 3 bits, described in Section 3.1) and additional information (the low-order 5 bits). With a few exceptions, the additional information's value describes how to load an unsigned integer "argument":¶
The initial byte and any additional bytes consumed to construct the argument are collectively referred to as the head of the data item.¶
The meaning of this argument depends on the major type. For example, in major type 0, the argument is the value of the data item itself (and in major type 1, the value of the data item is computed from the argument); in major type 2 and 3, it gives the length of the string data in bytes that follow; and in major types 4 and 5, it is used to determine the number of data items enclosed.¶
If the encoded sequence of bytes ends before the end of a data item, that item is not well-formed. If the encoded sequence of bytes still has bytes remaining after the outermost encoded item is decoded, that encoding is not a single well-formed CBOR item. Depending on the application, the decoder may either treat the encoding as not well-formed or just identify the start of the remaining bytes to the application.¶
A CBOR decoder implementation can be based on a jump table with all 256 defined values for the initial byte (Table 7). A decoder in a constrained implementation can instead use the structure of the initial byte and following bytes for more compact code (see Appendix C for a rough impression of how this could look).¶
The following lists the major types and the additional information and other bytes associated with the type.¶
These eight major types lead to a simple table showing which of the 256 possible values for the initial byte of a data item are used (Table 7).¶
In major types 6 and 7, many of the possible values are reserved for future specification. See Section 9 for more information on these values.¶
Table 1 summarizes the major types defined by CBOR, ignoring Section 3.2 for now. The number N in this table stands for the argument.¶
Major Type | Meaning | Content |
---|---|---|
0 | unsigned integer N | - |
1 | negative integer -1-N | - |
2 | byte string | N bytes |
3 | text string | N bytes (UTF-8 text) |
4 | array | N data items (elements) |
5 | map | 2N data items (key/value pairs) |
6 | tag of number N | 1 data item |
7 | simple/float | - |
Four CBOR items (arrays, maps, byte strings, and text strings) can be encoded with an indefinite length using additional information value 31. This is useful if the encoding of the item needs to begin before the number of items inside the array or map, or the total length of the string, is known. (The ability to start sending a data item before all of it is known is often referred to as "streaming" within that data item.)¶
Indefinite-length arrays and maps are dealt with differently than indefinite-length strings (byte strings and text strings).¶
The "break" stop code is encoded with major type 7 and additional information value 31 (0b111_11111). It is not itself a data item: it is just a syntactic feature to close an indefinite-length item.¶
If the "break" stop code appears where a data item is expected, other than directly inside an indefinite-length string, array, or map -- for example, directly inside a definite-length array or map -- the enclosing item is not well-formed.¶
Indefinite-length arrays and maps are represented using their major type with the additional information value of 31, followed by an arbitrary-length sequence of zero or more items for an array or key/value pairs for a map, followed by the "break" stop code (Section 3.2.1). In other words, indefinite-length arrays and maps look identical to other arrays and maps except for beginning with the additional information value of 31 and ending with the "break" stop code.¶
If the "break" stop code appears after a key in a map, in place of that key's value, the map is not well-formed.¶
There is no restriction against nesting indefinite-length array or map items. A "break" only terminates a single item, so nested indefinite-length items need exactly as many "break" stop codes as there are type bytes starting an indefinite-length item.¶
For example, assume an encoder wants to represent the abstract array [1, [2, 3], [4, 5]]. The definite-length encoding would be 0x8301820203820405:¶
83 -- Array of length 3 01 -- 1 82 -- Array of length 2 02 -- 2 03 -- 3 82 -- Array of length 2 04 -- 4 05 -- 5¶
Indefinite-length encoding could be applied independently to each of the three arrays encoded in this data item, as required, leading to representations such as:¶
0x9f018202039f0405ffff 9F -- Start indefinite-length array 01 -- 1 82 -- Array of length 2 02 -- 2 03 -- 3 9F -- Start indefinite-length array 04 -- 4 05 -- 5 FF -- "break" (inner array) FF -- "break" (outer array)¶
0x9f01820203820405ff 9F -- Start indefinite-length array 01 -- 1 82 -- Array of length 2 02 -- 2 03 -- 3 82 -- Array of length 2 04 -- 4 05 -- 5 FF -- "break"¶
0x83018202039f0405ff 83 -- Array of length 3 01 -- 1 82 -- Array of length 2 02 -- 2 03 -- 3 9F -- Start indefinite-length array 04 -- 4 05 -- 5 FF -- "break"¶
0x83019f0203ff820405 83 -- Array of length 3 01 -- 1 9F -- Start indefinite-length array 02 -- 2 03 -- 3 FF -- "break" 82 -- Array of length 2 04 -- 4 05 -- 5¶
An example of an indefinite-length map (that happens to have two key/value pairs) might be:¶
0xbf6346756ef563416d7421ff BF -- Start indefinite-length map 63 -- First key, UTF-8 string length 3 46756e -- "Fun" F5 -- First value, true 63 -- Second key, UTF-8 string length 3 416d74 -- "Amt" 21 -- Second value, -2 FF -- "break"¶
Indefinite-length strings are represented by a byte containing the major type for byte string or text string with an additional information value of 31, followed by a series of zero or more strings of the specified type ("chunks") that have definite lengths, and finished by the "break" stop code (Section 3.2.1). The data item represented by the indefinite-length string is the concatenation of the chunks. If no chunks are present, the data item is an empty string of the specified type. Zero-length chunks, while not particularly useful, are permitted.¶
If any item between the indefinite-length string indicator (0b010_11111 or 0b011_11111) and the "break" stop code is not a definite-length string item of the same major type, the string is not well-formed.¶
The design does not allow nesting indefinite-length strings as chunks into indefinite-length strings. If it were allowed, it would require decoder implementations to keep a stack, or at least a count, of nesting levels. It is unnecessary on the encoder side because the inner indefinite-length string would consist of chunks, and these could instead be put directly into the outer indefinite-length string.¶
If any definite-length text string inside an indefinite-length text string is invalid, the indefinite-length text string is invalid. Note that this implies that the UTF-8 bytes of a single Unicode code point (scalar value) cannot be spread between chunks: a new chunk of a text string can only be started at a code point boundary.¶
For example, assume an encoded data item consisting of the bytes:¶
0b010_11111 0b010_00100 0xaabbccdd 0b010_00011 0xeeff99 0b111_11111 5F -- Start indefinite-length byte string 44 -- Byte string of length 4 aabbccdd -- Bytes content 43 -- Byte string of length 3 eeff99 -- Bytes content FF -- "break"¶
After decoding, this results in a single byte string with seven bytes: 0xaabbccddeeff99.¶
Table 2 summarizes the major types defined by CBOR as used for indefinite-length encoding (with additional information set to 31).¶
Major Type | Meaning | Enclosed up to "break" Stop Code |
---|---|---|
0 | (not well-formed) | - |
1 | (not well-formed) | - |
2 | byte string | definite-length byte strings |
3 | text string | definite-length text strings |
4 | array | data items (elements) |
5 | map | data items (key/value pairs) |
6 | (not well-formed) | - |
7 | "break" stop code | - |
Major type 7 is for two types of data: floating-point numbers and "simple values" that do not need any content. Each value of the 5-bit additional information in the initial byte has its own separate meaning, as defined in Table 3. Like the major types for integers, items of this major type do not carry content data; all the information is in the initial bytes (the head).¶
5-Bit Value | Semantics |
---|---|
0..23 | Simple value (value 0..23) |
24 | Simple value (value 32..255 in following byte) |
25 | IEEE 754 Half-Precision Float (16 bits follow) |
26 | IEEE 754 Single-Precision Float (32 bits follow) |
27 | IEEE 754 Double-Precision Float (64 bits follow) |
28-30 | Reserved, not well-formed in the present document |
31 | "break" stop code for indefinite-length items (Section 3.2.1) |
As with all other major types, the 5-bit value 24 signifies a single-byte extension: it is followed by an additional byte to represent the simple value. (To minimize confusion, only the values 32 to 255 are used.) This maintains the structure of the initial bytes: as for the other major types, the length of these always depends on the additional information in the first byte. Table 4 lists the numeric values assigned and available for simple values.¶
Value | Semantics |
---|---|
0..19 | (unassigned) |
20 | false |
21 | true |
22 | null |
23 | undefined |
24..31 | (reserved) |
32..255 | (unassigned) |
An encoder MUST NOT issue two-byte sequences that
start with 0xf8 (major type 7, additional information 24) and continue
with a byte less than 0x20 (32 decimal). Such sequences are not
well-formed. (This implies that an encoder cannot encode false
, true
,
null
, or undefined
in two-byte sequences and that only the one-byte
variants of these are well-formed; more generally speaking, each
simple value only has a single representation variant).¶
The 5-bit values of 25, 26, and 27 are for 16-bit, 32-bit, and 64-bit IEEE 754 binary floating-point values [IEEE754]. These floating-point values are encoded in the additional bytes of the appropriate size. (See Appendix D for some information about 16-bit floating-point numbers.)¶
For some values at the data model level, CBOR provides multiple serializations. For many applications, it is desirable that an encoder always chooses a preferred serialization (preferred encoding); however, the present specification does not put the burden of enforcing this preference on either the encoder or decoder.¶
Some constrained decoders may be limited in their ability to decode non-preferred serializations: for example, if only integers below 1_000_000_000 (one billion) are expected in an application, the decoder may leave out the code that would be needed to decode 64-bit arguments in integers. An encoder that always uses preferred serialization ("preferred encoder") interoperates with this decoder for the numbers that can occur in this application. Generally speaking, a preferred encoder is more universally interoperable (and also less wasteful) than one that, say, always uses 64-bit integers.¶
Similarly, a constrained encoder may be limited in the variety of representation variants it supports such that it does not emit preferred serializations ("variant encoder"). For instance, a constrained encoder could be designed to always use the 32-bit variant for an integer that it encodes even if a short representation is available (assuming that there is no application need for integers that can only be represented with the 64-bit variant). A decoder that does not rely on receiving only preferred serializations ("variation-tolerant decoder") can therefore be said to be more universally interoperable (it might very well optimize for the case of receiving preferred serializations, though). Full implementations of CBOR decoders are by definition variation tolerant; the distinction is only relevant if a constrained implementation of a CBOR decoder meets a variant encoder.¶
The preferred serialization always uses the shortest form of representing the argument (Section 3); it also uses the shortest floating-point encoding that preserves the value being encoded.¶
The preferred serialization for a floating-point value is the shortest floating-point encoding that preserves its value, e.g., 0xf94580 for the number 5.5, and 0xfa45ad9c00 for the number 5555.5. For NaN values, a shorter encoding is preferred if zero-padding the shorter significand towards the right reconstitutes the original NaN value (for many applications, the single NaN encoding 0xf97e00 will suffice).¶
Definite-length encoding is preferred whenever the length is known at the time the serialization of the item starts.¶
Some protocols may want encoders to only emit CBOR in a particular deterministic format; those protocols might also have the decoders check that their input is in that deterministic format. Those protocols are free to define what they mean by a "deterministic format" and what encoders and decoders are expected to do. This section defines a set of restrictions that can serve as the base of such a deterministic format.¶
A CBOR encoding satisfies the "core deterministic encoding requirements" if it satisfies the following restrictions:¶
Preferred serialization MUST be used. In particular, this means that arguments (see Section 3) for integers, lengths in major types 2 through 5, and tags MUST be as short as possible, for instance:¶
Floating-point values also MUST use the shortest form that preserves the value, e.g., 1.5 is encoded as 0xf93e00 (binary16) and 1000000.5 as 0xfa49742408 (binary32). (One implementation of this is to have all floats start as a 64-bit float, then do a test conversion to a 32-bit float; if the result is the same numeric value, use the shorter form and repeat the process with a test conversion to a 16-bit float. This also works to select 16-bit float for positive and negative Infinity as well.)¶
The keys in every map MUST be sorted in the bytewise lexicographic order of their deterministic encodings. For example, the following keys are sorted correctly:¶
CBOR tags present additional considerations for deterministic encoding. If a CBOR-based protocol were to provide the same semantics for the presence and absence of a specific tag (e.g., by allowing both tag 1 data items and raw numbers in a date/time position, treating the latter as if they were tagged), the deterministic format would not allow the presence of the tag, based on the "shortest form" principle. For example, a protocol might give encoders the choice of representing a URL as either a text string or, using Section 3.4.5.3, tag number 32 containing a text string. This protocol's deterministic encoding needs either to require that the tag is present or to require that it is absent, not allow either one.¶
In a protocol that does require tags in certain places to obtain specific semantics, the tag needs to appear in the deterministic format as well. Deterministic encoding considerations also apply to the content of tags.¶
If a protocol includes a field that can express integers with an absolute value of 264 or larger using tag numbers 2 or 3 (Section 3.4.3), the protocol's deterministic encoding needs to specify whether smaller integers are also expressed using these tags or using major types 0 and 1. Preferred serialization uses the latter choice, which is therefore recommended.¶
Protocols that include floating-point values, whether represented using basic floating-point values (Section 3.3) or using tags (or both), may need to define extra requirements on their deterministic encodings, such as:¶
If a protocol includes a field that can express floating-point values, with a specific data model that declares integer and floating-point values to be interchangeable, the protocol's deterministic encoding needs to specify whether, for example, the integer 1.0 is encoded as 0x01 (unsigned integer), 0xf93c00 (binary16), 0xfa3f800000 (binary32), or 0xfb3ff0000000000000 (binary64). Example rules for this are:¶
Rule 1 straddles the boundaries between integers and floating-point values, and Rule 3 does not use preferred serialization, so Rule 2 may be a good choice in many cases.¶
The core deterministic encoding requirements (Section 4.2.1) sort map keys in a different order from the one suggested by Section 3.9 of [RFC7049] (called "Canonical CBOR" there). Protocols that need to be compatible with the order specified in [RFC7049] can instead be specified in terms of this specification's "length-first core deterministic encoding requirements":¶
A CBOR encoding satisfies the "length-first core deterministic encoding requirements" if it satisfies the core deterministic encoding requirements except that the keys in every map MUST be sorted such that:¶
For example, under the length-first core deterministic encoding requirements, the following keys are sorted correctly:¶
Data formats such as CBOR are often used in environments where there is no format negotiation. A specific design goal of CBOR is to not need any included or assumed schema: a decoder can take a CBOR item and decode it with no other knowledge.¶
Of course, in real-world implementations, the encoder and the decoder will have a shared view of what should be in a CBOR data item. For example, an agreed-to format might be "the item is an array whose first value is a UTF-8 string, second value is an integer, and subsequent values are zero or more floating-point numbers" or "the item is a map that has byte strings for keys and contains a pair whose key is 0xab01".¶
CBOR-based protocols MUST specify how their decoders handle invalid and other unexpected data. CBOR-based protocols MAY specify that they treat arbitrary valid data as unexpected. Encoders for CBOR-based protocols MUST produce only valid items, that is, the protocol cannot be designed to make use of invalid items. An encoder can be capable of encoding as many or as few types of values as is required by the protocol in which it is used; a decoder can be capable of understanding as many or as few types of values as is required by the protocols in which it is used. This lack of restrictions allows CBOR to be used in extremely constrained environments.¶
The rest of this section discusses some considerations in creating CBOR-based protocols. With few exceptions, it is advisory only and explicitly excludes any language from BCP 14 [RFC2119] [RFC8174] other than words that could be interpreted as "MAY" in the sense of BCP 14. The exceptions aim at facilitating interoperability of CBOR-based protocols while making use of a wide variety of both generic and application-specific encoders and decoders.¶
In a streaming application, a data stream may be composed of a sequence of CBOR data items concatenated back-to-back. In such an environment, the decoder immediately begins decoding a new data item if data is found after the end of a previous data item.¶
Not all of the bytes making up a data item may be immediately available to the decoder; some decoders will buffer additional data until a complete data item can be presented to the application. Other decoders can present partial information about a top-level data item to an application, such as the nested data items that could already be decoded, or even parts of a byte string that hasn't completely arrived yet. Such an application also MUST have a matching streaming security mechanism, where the desired protection is available for incremental data presented to the application.¶
Note that some applications and protocols will not want to use indefinite-length encoding. Using indefinite-length encoding allows an encoder to not need to marshal all the data for counting, but it requires a decoder to allocate increasing amounts of memory while waiting for the end of the item. This might be fine for some applications but not others.¶
A generic CBOR decoder can decode all well-formed encoded CBOR data items and present the data items to an application. See Appendix C. (The diagnostic notation, Section 8, may be used to present well-formed CBOR values to humans.)¶
Generic CBOR encoders provide an application interface that allows the application to specify any well-formed value to be encoded as a CBOR data item, including simple values and tags unknown to the encoder.¶
Even though CBOR attempts to minimize these cases, not all well-formed
CBOR data is valid: for example, the encoded text string 0x62c0ae
does not contain valid UTF-8 (because [RFC3629] requires always using the shortest
form) and so is not a valid CBOR item.
Also, specific tags may
make semantic constraints that may be violated, for instance, by a bignum tag
enclosing another tag or by an instance of tag number 0 containing a byte
string or containing a text string with contents that do not match the
date-time
production of [RFC3339]. There is
no requirement that generic encoders and decoders make unnatural
choices for their application interface to enable the processing of
invalid data. Generic encoders and decoders are expected to forward
simple values and tags even if their specific codepoints are not
registered at the time the encoder/decoder is written
(Section 5.4).¶
A well-formed but invalid CBOR data item (Section 1.2) presents a problem with interpreting the data encoded in it in the CBOR data model. A CBOR-based protocol could be specified in several layers, in which the lower layers don't process the semantics of some of the CBOR data they forward. These layers can't notice any validity errors in data they don't process and MUST forward that data as-is. The first layer that does process the semantics of an invalid CBOR item MUST pick one of two choices:¶
A CBOR-based protocol MUST specify which of these options its decoders take for each kind of invalid item they might encounter.¶
Such problems might occur at the basic validity level of CBOR or in the context of tags (tag validity).¶
Two kinds of validity errors can occur in the basic generic data model:¶
Two additional kinds of validity errors are introduced by adding tags to the basic generic data model:¶
A decoder with validity checking will expend the effort to reliably detect data items with validity errors. For example, such a decoder needs to have an API that reports an error (and does not return data) for a CBOR data item that contains any of the validity errors listed in the previous subsection.¶
The set of tags defined in the "Concise Binary Object Representation (CBOR) Tags" registry (Section 9.2), as well as the set of simple values defined in the "Concise Binary Object Representation (CBOR) Simple Values" registry (Section 9.1), can grow at any time beyond the set understood by a generic decoder. A validity-checking decoder can do one of two things when it encounters such a case that it does not recognize:¶
The latter approach, which is also appropriate for decoders that do not support validity checking, provides forward compatibility with newly registered tags and simple values without the requirement to update the encoder at the same time as the calling application. (For this, the decoder's API needs the ability to mark unknown items so that the calling application can handle them in a manner appropriate for the program.)¶
Since some of the processing needed for validity checking may have an appreciable cost (in particular with duplicate detection for maps), support of validity checking is not a requirement placed on all CBOR decoders.¶
Some encoders will rely on their applications to provide input data in such a way that valid CBOR results from the encoder. A generic encoder may also want to provide a validity-checking mode where it reliably limits its output to valid CBOR, independent of whether or not its application is indeed providing API-conformant data.¶
CBOR-based protocols should take into account that different language environments pose different restrictions on the range and precision of numbers that are representable. For example, the basic JavaScript number system treats all numbers as floating-point values, which may result in the silent loss of precision in decoding integers with more than 53 significant bits. Another example is that, since CBOR keeps the sign bit for its integer representation in the major type, it has one bit more for signed numbers of a certain length (e.g., -264..264-1 for 1+8-byte integers) than the typical platform signed integer representation of the same length (-263..263-1 for 8-byte int64_t). A protocol that uses numbers should define its expectations on the handling of nontrivial numbers in decoders and receiving applications.¶
A CBOR-based protocol that includes floating-point numbers can restrict which of the three formats (half-precision, single-precision, and double-precision) are to be supported. For an integer-only application, a protocol may want to completely exclude the use of floating-point values.¶
A CBOR-based protocol designed for compactness may want to exclude specific integer encodings that are longer than necessary for the application, such as to save the need to implement 64-bit integers. There is an expectation that encoders will use the most compact integer representation that can represent a given value. However, a compact application that does not require deterministic encoding should accept values that use a longer-than-needed encoding (such as encoding "0" as 0b000_11001 followed by two bytes of 0x00) as long as the application can decode an integer of the given size. Similar considerations apply to floating-point values; decoding both preferred serializations and longer-than-needed ones is recommended.¶
CBOR-based protocols for constrained applications that provide a choice between representing a specific number as an integer and as a decimal fraction or bigfloat (such as when the exponent is small and nonnegative) might express a quality-of-implementation expectation that the integer representation is used directly.¶
The encoding and decoding applications need to agree on what types of keys are going to be used in maps. In applications that need to interwork with JSON-based applications, conversion is simplified by limiting keys to text strings only; otherwise, there has to be a specified mapping from the other CBOR types to text strings, and this often leads to implementation errors. In applications where keys are numeric in nature, and numeric ordering of keys is important to the application, directly using the numbers for the keys is useful.¶
If multiple types of keys are to be used, consideration should be given to how these types would be represented in the specific programming environments that are to be used. For example, in JavaScript Maps [ECMA262], a key of integer 1 cannot be distinguished from a key of floating-point 1.0. This means that, if integer keys are used, the protocol needs to avoid the use of floating-point keys the values of which happen to be integer numbers in the same map.¶
Decoders that deliver data items nested within a CBOR data item immediately on decoding them ("streaming decoders") often do not keep the state that is necessary to ascertain uniqueness of a key in a map. Similarly, an encoder that can start encoding data items before the enclosing data item is completely available ("streaming encoder") may want to reduce its overhead significantly by relying on its data source to maintain uniqueness.¶
A CBOR-based protocol MUST define what to do when a receiving application sees multiple identical keys in a map. The resulting rule in the protocol MUST respect the CBOR data model: it cannot prescribe a specific handling of the entries with the identical keys, except that it might have a rule that having identical keys in a map indicates a malformed map and that the decoder has to stop with an error. When processing maps that exhibit entries with duplicate keys, a generic decoder might do one of the following:¶
Generic decoders need to document which of these three approaches they implement.¶
The CBOR data model for maps does not allow ascribing semantics to the order of the key/value pairs in the map representation. Thus, a CBOR-based protocol MUST NOT specify that changing the key/value pair order in a map changes the semantics, except to specify that some orders are disallowed, for example, where they would not meet the requirements of a deterministic encoding (Section 4.2). (Any secondary effects of map ordering such as on timing, cache usage, and other potential side channels are not considered part of the semantics but may be enough reason on their own for a protocol to require a deterministic encoding format.)¶
Applications for constrained devices should consider using small integers as keys if they have maps with a small number of frequently used keys; for instance, a set of 24 or fewer keys can be encoded in a single byte as unsigned integers, up to 48 if negative integers are also used. Less frequently occurring keys can then use integers with longer encodings.¶
The specific data model that applies to a CBOR data item is used to determine whether keys occurring in maps are duplicates or distinct.¶
At the generic data model level, numerically equivalent integer and floating-point values are distinct from each other, as they are from the various big numbers (Tags 2 to 5). Similarly, text strings are distinct from byte strings, even if composed of the same bytes. A tagged value is distinct from an untagged value or from a value tagged with a different tag number.¶
Within each of these groups, numeric values are distinct unless they are numerically equal (specifically, -0.0 is equal to 0.0); for the purpose of map key equivalence, NaN values are equivalent if they have the same significand after zero-extending both significands at the right to 64 bits.¶
Both byte strings and text strings are compared byte by byte, arrays are compared element by element, and are equal if they have the same number of bytes/elements and the same values at the same positions. Two maps are equal if they have the same set of pairs regardless of their order; pairs are equal if both the key and value are equal.¶
Tagged values are equal if both the tag number and the tag content are equal. (Note that a generic decoder that provides processing for a specific tag may not be able to distinguish some semantically equivalent values, e.g., if leading zeroes occur in the content of tag 2 or tag 3 (Section 3.4.3).) Simple values are equal if they simply have the same value. Nothing else is equal in the generic data model; a simple value 2 is not equivalent to an integer 2, and an array is never equivalent to a map.¶
As discussed in Section 2.2, specific data models can make values equivalent for the purpose of comparing map keys that are distinct in the generic data model. Note that this implies that a generic decoder may deliver a decoded map to an application that needs to be checked for duplicate map keys by that application (alternatively, the decoder may provide a programming interface to perform this service for the application). Specific data models are not able to distinguish values for map keys that are equal for this purpose at the generic data model level.¶
In some CBOR-based protocols, the simple value (Section 3.3) of
undefined
might be used by an encoder as a substitute for a data item
with an encoding problem, in order to allow the rest of the enclosing
data items to be encoded without harm.¶
This section gives non-normative advice about converting between CBOR and JSON. Implementations of converters MAY use whichever advice here they want.¶
It is worth noting that a JSON text is a sequence of characters, not an encoded sequence of bytes, while a CBOR data item consists of bytes, not characters.¶
Most of the types in CBOR have direct analogs in JSON. However, some do not, and someone implementing a CBOR-to-JSON converter has to consider what to do in those cases. The following non-normative advice deals with these by converting them to a single substitute value, such as a JSON null.¶
A CBOR-to-JSON converter may want to keep to the JSON profile I-JSON [RFC7493], to maximize interoperability and increase confidence that the JSON output can be processed with predictable results. For example, this has implications on the range of integers that can be represented reliably, as well as on the top-level items that may be supported by older JSON implementations.¶
All JSON values, once decoded, directly map into one or more CBOR values. As with any kind of CBOR generation, decisions have to be made with respect to number representation. In a suggested conversion:¶
CBOR has been designed to generally provide a more compact encoding than JSON. One implementation strategy that might come to mind is to perform a JSON-to-CBOR encoding in place in a single buffer. This strategy would need to carefully consider a number of pathological cases, such as that some strings represented with no or very few escapes and longer (or much longer) than 255 bytes may expand when encoded as UTF-8 strings in CBOR. Similarly, a few of the binary floating-point representations might cause expansion from some short decimal representations (1.1, 1e9) in JSON. This may be hard to get right, and any ensuing vulnerabilities may be exploited by an attacker.¶
Successful protocols evolve over time. New ideas appear, implementation platforms improve, related protocols are developed and evolve, and new requirements from applications and protocols are added. Facilitating protocol evolution is therefore an important design consideration for any protocol development.¶
For protocols that will use CBOR, CBOR provides some useful mechanisms to facilitate their evolution. Best practices for this are well known, particularly from JSON format development of JSON-based protocols. Therefore, such best practices are outside the scope of this specification.¶
However, facilitating the evolution of CBOR itself is very well within its scope. CBOR is designed to both provide a stable basis for development of CBOR-based protocols and to be able to evolve. Since a successful protocol may live for decades, CBOR needs to be designed for decades of use and evolution. This section provides some guidance for the evolution of CBOR. It is necessarily more subjective than other parts of this document. It is also necessarily incomplete, lest it turn into a textbook on protocol development.¶
In a protocol design, opportunities for evolution are often included in the form of extension points. For example, there may be a codepoint space that is not fully allocated from the outset, and the protocol is designed to tolerate and embrace implementations that start using more codepoints than initially allocated.¶
Sizing the codepoint space may be difficult because the range required may be hard to predict. Protocol designs should attempt to make the codepoint space large enough so that it can slowly be filled over the intended lifetime of the protocol.¶
CBOR has three major extension points:¶
The human mind is sometimes drawn to filling in little perceived gaps to make something neat. We expect the remaining gaps in the codepoint space for the additional information values to be an attractor for new ideas, just because they are there.¶
The present specification does not manage the additional information codepoint space by an IANA registry. Instead, allocations out of this space can only be done by updating this specification.¶
For an additional information value of n >= 24, the size of the additional data typically is 2n-24 bytes. Therefore, additional information values 28 and 29 should be viewed as candidates for 128-bit and 256-bit quantities, in case a need arises to add them to the protocol. Additional information value 30 is then the only additional information value available for general allocation, and there should be a very good reason for allocating it before assigning it through an update of the present specification.¶
CBOR is a binary interchange format. To facilitate documentation and debugging, and in particular to facilitate communication between entities cooperating in debugging, this section defines a simple human-readable diagnostic notation. All actual interchange always happens in the binary format.¶
Note that this truly is a diagnostic format; it is not meant to be parsed. Therefore, no formal definition (as in ABNF) is given in this document. (Implementers looking for a text-based format for representing CBOR data items in configuration files may also want to consider YAML [YAML].)¶
The diagnostic notation is loosely based on JSON as it is defined in RFC 8259, extending it where needed.¶
The notation borrows the JSON syntax for numbers (integer and floating-point), True (>true<), False (>false<), Null (>null<), UTF-8 strings, arrays, and maps (maps are called objects in JSON; the diagnostic notation extends JSON here by allowing any data item in the key position). Undefined is written >undefined< as in JavaScript. The non-finite floating-point numbers Infinity, -Infinity, and NaN are written exactly as in this sentence (this is also a way they can be written in JavaScript, although JSON does not allow them). A tag is written as an integer number for the tag number, followed by the tag content in parentheses; for instance, a date in the format specified by RFC 3339 (ISO 8601) could be notated as:¶
0("2013-03-21T20:04:00Z")¶
or the equivalent relative time as the following:¶
1(1363896240)¶
Byte strings are notated in one of the base encodings, without padding, enclosed in single quotes, prefixed by >h< for base16, >b32< for base32, >h32< for base32hex, >b64< for base64 or base64url (the actual encodings do not overlap, so the string remains unambiguous). For example, the byte string 0x12345678 could be written h'12345678', b32'CI2FM6A', or b64'EjRWeA'.¶
Unassigned simple values are given as "simple()" with the appropriate integer in the parentheses. For example, "simple(42)" indicates major type 7, value 42.¶
A number of useful extensions to the diagnostic notation defined here are provided in Appendix G of [RFC8610], "Extended Diagnostic Notation" (EDN). Similarly, this notation could be extended in a separate document to provide documentation for NaN payloads, which are not covered in this document.¶
Sometimes it is useful to indicate in the diagnostic notation which of several alternative representations were actually used; for example, a data item written >1.5< by a diagnostic decoder might have been encoded as a half-, single-, or double-precision float.¶
The convention for encoding indicators is that anything starting with
an underscore and all following characters that are alphanumeric or
underscore is an encoding indicator, and can be ignored by anyone not
interested in this information. For example, _
or _3
.
Encoding indicators are always
optional.¶
A single underscore can be written after the opening brace of a map or the opening bracket of an array to indicate that the data item was represented in indefinite-length format. For example, [_ 1, 2] contains an indicator that an indefinite-length representation was used to represent the data item [1, 2].¶
An underscore followed by a decimal digit n indicates that the preceding item (or, for arrays and maps, the item starting with the preceding bracket or brace) was encoded with an additional information value of 24+n. For example, 1.5_1 is a half-precision floating-point number, while 1.5_3 is encoded as double precision. This encoding indicator is not shown in Appendix A. (Note that the encoding indicator "_" is thus an abbreviation of the full form "_7", which is not used.)¶
The detailed chunk structure of byte and text strings of indefinite length can be notated in the form (_ h'0123', h'4567') and (_ "foo", "bar"). However, for an indefinite-length string with no chunks inside, (_ ) would be ambiguous as to whether a byte string (0x5fff) or a text string (0x7fff) is meant and is therefore not used. The basic forms ''_ and ""_ can be used instead and are reserved for the case of no chunks only -- not as short forms for the (permitted, but not really useful) encodings with only empty chunks, which need to be notated as (_ ''), (_ ""), etc., to preserve the chunk structure.¶
IANA has created two registries for new CBOR values. The registries are separate, that is, not under an umbrella registry, and follow the rules in [RFC8126]. IANA has also assigned a new media type, an associated CoAP Content-Format entry, and a structured syntax suffix.¶
IANA has created the "Concise Binary Object Representation (CBOR) Simple Values" registry at [IANA.cbor-simple-values]. The initial values are shown in Table 4.¶
New entries in the range 0 to 19 are assigned by Standards Action [RFC8126]. It is suggested that IANA allocate values starting with the number 16 in order to reserve the lower numbers for contiguous blocks (if any).¶
New entries in the range 32 to 255 are assigned by Specification Required.¶
The Internet media type [RFC6838] ("MIME type") for a single encoded CBOR data item is "application/cbor" as defined in the "Media Types" registry [IANA.media-types]:¶
The CoAP Content-Format for CBOR has been registered in the "CoAP Content-Formats" subregistry within the "Constrained RESTful Environments (CoRE) Parameters" registry [IANA.core-parameters]:¶
The structured syntax suffix [RFC6838] for media types based on a single encoded CBOR data item is +cbor, which IANA has registered in the "Structured Syntax Suffixes" registry [IANA.structured-suffix]:¶
The syntax and semantics of fragment identifiers specified for +cbor SHOULD be as specified for "application/cbor". (At publication of RFC 8949, there is no fragment identification syntax defined for "application/cbor".)¶
The syntax and semantics for fragment identifiers for a specific "xxx/yyy+cbor" SHOULD be processed as follows:¶
A network-facing application can exhibit vulnerabilities in its processing logic for incoming data. Complex parsers are well known as a likely source of such vulnerabilities, such as the ability to remotely crash a node, or even remotely execute arbitrary code on it. CBOR attempts to narrow the opportunities for introducing such vulnerabilities by reducing parser complexity, by giving the entire range of encodable values a meaning where possible.¶
Because CBOR decoders are often used as a first step in processing unvalidated input, they need to be fully prepared for all types of hostile input that may be designed to corrupt, overrun, or achieve control of the system decoding the CBOR data item. A CBOR decoder needs to assume that all input may be hostile even if it has been checked by a firewall, has come over a secure channel such as TLS, is encrypted or signed, or has come from some other source that is presumed trusted.¶
Section 4.1 gives examples of limitations in interoperability when using a constrained CBOR decoder with input from a CBOR encoder that uses a non-preferred serialization. When a single data item is consumed both by such a constrained decoder and a full decoder, it can lead to security issues that can be exploited by an attacker who can inject or manipulate content.¶
As discussed throughout this document, there are many values that can be considered "equivalent" in some circumstances and "not equivalent" in others. As just one example, the numeric value for the number "one" might be expressed as an integer or a bignum. A system interpreting CBOR input might accept either form for the number "one", or might reject one (or both) forms. Such acceptance or rejection can have security implications in the program that is using the interpreted input.¶
Hostile input may be constructed to overrun buffers, to overflow or underflow integer arithmetic, or to cause other decoding disruption. CBOR data items might have lengths or sizes that are intentionally extremely large or too short. Resource exhaustion attacks might attempt to lure a decoder into allocating very big data items (strings, arrays, maps, or even arbitrary precision numbers) or exhaust the stack depth by setting up deeply nested items. Decoders need to have appropriate resource management to mitigate these attacks. (Items for which very large sizes are given can also attempt to exploit integer overflow vulnerabilities.)¶
A CBOR decoder, by definition, only accepts well-formed CBOR; this is the first step to its robustness. Input that is not well-formed CBOR causes no further processing from the point where the lack of well-formedness was detected. If possible, any data decoded up to this point should have no impact on the application using the CBOR decoder.¶
In addition to ascertaining well-formedness, a CBOR decoder might also perform validity checks on the CBOR data. Alternatively, it can leave those checks to the application using the decoder. This choice needs to be clearly documented in the decoder. Beyond the validity at the CBOR level, an application also needs to ascertain that the input is in alignment with the application protocol that is serialized in CBOR.¶
The input check itself may consume resources. This is usually linear in the size of the input, which means that an attacker has to spend resources that are commensurate to the resources spent by the defender on input validation. However, an attacker might be able to craft inputs that will take longer for a target decoder to process than for the attacker to produce. Processing for arbitrary-precision numbers may exceed linear effort. Also, some hash-table implementations that are used by decoders to build in-memory representations of maps can be attacked to spend quadratic effort, unless a secret key (see Section 7 of [SIPHASH_LNCS], also [SIPHASH_OPEN]) or some other mitigation is employed. Such superlinear efforts can be exploited by an attacker to exhaust resources at or before the input validator; they therefore need to be avoided in a CBOR decoder implementation. Note that tag number definitions and their implementations can add security considerations of this kind; this should then be discussed in the security considerations of the tag number definition.¶
CBOR encoders do not receive input directly from the network and are thus not directly attackable in the same way as CBOR decoders. However, CBOR encoders often have an API that takes input from another level in the implementation and can be attacked through that API. The design and implementation of that API should assume the behavior of its caller may be based on hostile input or on coding mistakes. It should check inputs for buffer overruns, overflow and underflow of integer arithmetic, and other such errors that are aimed to disrupt the encoder.¶
Protocols should be defined in such a way that potential multiple interpretations are reliably reduced to a single interpretation. For example, an attacker could make use of invalid input such as duplicate keys in maps, or exploit different precision in processing numbers to make one application base its decisions on a different interpretation than the one that will be used by a second application. To facilitate consistent interpretation, encoder and decoder implementations should provide a validity-checking mode of operation (Section 5.4). Note, however, that a generic decoder cannot know about all requirements that an application poses on its input data; it is therefore not relieving the application from performing its own input checking. Also, since the set of defined tag numbers evolves, the application may employ a tag number that is not yet supported for validity checking by the generic decoder it uses. Generic decoders therefore need to document which tag numbers they support and what validity checking they provide for those tag numbers as well as for basic CBOR (UTF-8 checking, duplicate map key checking).¶
Section 3.4.3 notes that using the non-preferred choice of a bignum representation instead of a basic integer for encoding a number is not intended to have application semantics, but it can have such semantics if an application receiving CBOR data is using a decoder in the basic generic data model. This disparity causes a security issue if the two sets of semantics differ. Thus, applications using CBOR need to specify the data model that they are using for each use of CBOR data.¶
It is common to convert CBOR data to other formats. In many cases, CBOR has more expressive types than other formats; this is particularly true for the common conversion to JSON. The loss of type information can cause security issues for the systems that are processing the less-expressive data.¶
Section 6.2 describes a possibly common usage scenario of converting between CBOR and JSON that could allow an attack if the attacker knows that the application is performing the conversion.¶
Security considerations for the use of base16 and base64 from [RFC4648], and the use of UTF-8 from [RFC3629], are relevant to CBOR as well.¶
The following table provides some CBOR-encoded values in hexadecimal (right column), together with diagnostic notation for these values (left column). Note that the string "\u00fc" is one form of diagnostic notation for a UTF-8 string containing the single Unicode character U+00FC (LATIN SMALL LETTER U WITH DIAERESIS, "ü"). Similarly, "\u6c34" is a UTF-8 string in diagnostic notation with a single character U+6C34 (CJK UNIFIED IDEOGRAPH-6C34, "水"), often representing "water", and "\ud800\udd51" is a UTF-8 string in diagnostic notation with a single character U+10151 (GREEK ACROPHONIC ATTIC FIFTY STATERS, "𐅑"). (Note that all these single-character strings could also be represented in native UTF-8 in diagnostic notation, just not if an ASCII-only specification is required.) In the diagnostic notation provided for bignums, their intended numeric value is shown as a decimal number (such as 18446744073709551616) instead of a tagged byte string (such as 2(h'010000000000000000')).¶
Diagnostic | Encoded |
---|---|
0 | 0x00 |
1 | 0x01 |
10 | 0x0a |
23 | 0x17 |
24 | 0x1818 |
25 | 0x1819 |
100 | 0x1864 |
1000 | 0x1903e8 |
1000000 | 0x1a000f4240 |
1000000000000 | 0x1b000000e8d4a51000 |
18446744073709551615 | 0x1bffffffffffffffff |
18446744073709551616 | 0xc249010000000000000000 |
-18446744073709551616 | 0x3bffffffffffffffff |
-18446744073709551617 | 0xc349010000000000000000 |
-1 | 0x20 |
-10 | 0x29 |
-100 | 0x3863 |
-1000 | 0x3903e7 |
0.0 | 0xf90000 |
-0.0 | 0xf98000 |
1.0 | 0xf93c00 |
1.1 | 0xfb3ff199999999999a |
1.5 | 0xf93e00 |
65504.0 | 0xf97bff |
100000.0 | 0xfa47c35000 |
3.4028234663852886e+38 | 0xfa7f7fffff |
1.0e+300 | 0xfb7e37e43c8800759c |
5.960464477539063e-8 | 0xf90001 |
0.00006103515625 | 0xf90400 |
-4.0 | 0xf9c400 |
-4.1 | 0xfbc010666666666666 |
Infinity | 0xf97c00 |
NaN | 0xf97e00 |
-Infinity | 0xf9fc00 |
Infinity | 0xfa7f800000 |
NaN | 0xfa7fc00000 |
-Infinity | 0xfaff800000 |
Infinity | 0xfb7ff0000000000000 |
NaN | 0xfb7ff8000000000000 |
-Infinity | 0xfbfff0000000000000 |
false | 0xf4 |
true | 0xf5 |
null | 0xf6 |
undefined | 0xf7 |
simple(16) | 0xf0 |
simple(255) | 0xf8ff |
0("2013-03-21T20:04:00Z") | 0xc074323031332d30332d32315432303a 30343a30305a |
1(1363896240) | 0xc11a514b67b0 |
1(1363896240.5) | 0xc1fb41d452d9ec200000 |
23(h'01020304') | 0xd74401020304 |
24(h'6449455446') | 0xd818456449455446 |
32("http://www.example.com") | 0xd82076687474703a2f2f7777772e6578 616d706c652e636f6d |
h'' | 0x40 |
h'01020304' | 0x4401020304 |
"" | 0x60 |
"a" | 0x6161 |
"IETF" | 0x6449455446 |
"\"\\" | 0x62225c |
"\u00fc" | 0x62c3bc |
"\u6c34" | 0x63e6b0b4 |
"\ud800\udd51" | 0x64f0908591 |
[] | 0x80 |
[1, 2, 3] | 0x83010203 |
[1, [2, 3], [4, 5]] | 0x8301820203820405 |
[1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25] | 0x98190102030405060708090a0b0c0d0e 0f101112131415161718181819 |
{} | 0xa0 |
{1: 2, 3: 4} | 0xa201020304 |
{"a": 1, "b": [2, 3]} | 0xa26161016162820203 |
["a", {"b": "c"}] | 0x826161a161626163 |
{"a": "A", "b": "B", "c": "C", "d": "D", "e": "E"} | 0xa5616161416162614261636143616461 4461656145 |
(_ h'0102', h'030405') | 0x5f42010243030405ff |
(_ "strea", "ming") | 0x7f657374726561646d696e67ff |
[_ ] | 0x9fff |
[_ 1, [2, 3], [_ 4, 5]] | 0x9f018202039f0405ffff |
[_ 1, [2, 3], [4, 5]] | 0x9f01820203820405ff |
[1, [2, 3], [_ 4, 5]] | 0x83018202039f0405ff |
[1, [_ 2, 3], [4, 5]] | 0x83019f0203ff820405 |
[_ 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25] | 0x9f0102030405060708090a0b0c0d0e0f 101112131415161718181819ff |
{_ "a": 1, "b": [_ 2, 3]} | 0xbf61610161629f0203ffff |
["a", {_ "b": "c"}] | 0x826161bf61626163ff |
{_ "Fun": true, "Amt": -2} | 0xbf6346756ef563416d7421ff |
For brevity, this jump table does not show initial bytes that are reserved for future extension. It also only shows a selection of the initial bytes that can be used for optional features. (All unsigned integers are in network byte order.)¶
Byte | Structure/Semantics |
---|---|
0x00..0x17 | unsigned integer 0x00..0x17 (0..23) |
0x18 | unsigned integer (one-byte uint8_t follows) |
0x19 | unsigned integer (two-byte uint16_t follows) |
0x1a | unsigned integer (four-byte uint32_t follows) |
0x1b | unsigned integer (eight-byte uint64_t follows) |
0x20..0x37 | negative integer -1-0x00..-1-0x17 (-1..-24) |
0x38 | negative integer -1-n (one-byte uint8_t for n follows) |
0x39 | negative integer -1-n (two-byte uint16_t for n follows) |
0x3a | negative integer -1-n (four-byte uint32_t for n follows) |
0x3b | negative integer -1-n (eight-byte uint64_t for n follows) |
0x40..0x57 | byte string (0x00..0x17 bytes follow) |
0x58 | byte string (one-byte uint8_t for n, and then n bytes follow) |
0x59 | byte string (two-byte uint16_t for n, and then n bytes follow) |
0x5a | byte string (four-byte uint32_t for n, and then n bytes follow) |
0x5b | byte string (eight-byte uint64_t for n, and then n bytes follow) |
0x5f | byte string, byte strings follow, terminated by "break" |
0x60..0x77 | UTF-8 string (0x00..0x17 bytes follow) |
0x78 | UTF-8 string (one-byte uint8_t for n, and then n bytes follow) |
0x79 | UTF-8 string (two-byte uint16_t for n, and then n bytes follow) |
0x7a | UTF-8 string (four-byte uint32_t for n, and then n bytes follow) |
0x7b | UTF-8 string (eight-byte uint64_t for n, and then n bytes follow) |
0x7f | UTF-8 string, UTF-8 strings follow, terminated by "break" |
0x80..0x97 | array (0x00..0x17 data items follow) |
0x98 | array (one-byte uint8_t for n, and then n data items follow) |
0x99 | array (two-byte uint16_t for n, and then n data items follow) |
0x9a | array (four-byte uint32_t for n, and then n data items follow) |
0x9b | array (eight-byte uint64_t for n, and then n data items follow) |
0x9f | array, data items follow, terminated by "break" |
0xa0..0xb7 | map (0x00..0x17 pairs of data items follow) |
0xb8 | map (one-byte uint8_t for n, and then n pairs of data items follow) |
0xb9 | map (two-byte uint16_t for n, and then n pairs of data items follow) |
0xba | map (four-byte uint32_t for n, and then n pairs of data items follow) |
0xbb | map (eight-byte uint64_t for n, and then n pairs of data items follow) |
0xbf | map, pairs of data items follow, terminated by "break" |
0xc0 | text-based date/time (data item follows; see Section 3.4.1) |
0xc1 | epoch-based date/time (data item follows; see Section 3.4.2) |
0xc2 | unsigned bignum (data item "byte string" follows) |
0xc3 | negative bignum (data item "byte string" follows) |
0xc4 | decimal Fraction (data item "array" follows; see Section 3.4.4) |
0xc5 | bigfloat (data item "array" follows; see Section 3.4.4) |
0xc6..0xd4 | (tag) |
0xd5..0xd7 | expected conversion (data item follows; see Section 3.4.5.2) |
0xd8..0xdb | (more tags; 1/2/4/8 bytes of tag number and then a data item follow) |
0xe0..0xf3 | (simple value) |
0xf4 | false |
0xf5 | true |
0xf6 | null |
0xf7 | undefined |
0xf8 | (simple value, one byte follows) |
0xf9 | half-precision float (two-byte IEEE 754) |
0xfa | single-precision float (four-byte IEEE 754) |
0xfb | double-precision float (eight-byte IEEE 754) |
0xff | "break" stop code |
The well-formedness of a CBOR item can be checked by the pseudocode in Figure 1. The data is well-formed if and only if:¶
The pseudocode has the following prerequisites:¶
Note that well_formed
returns the major type for well-formed
definite-length items, but 99 for an indefinite-length item (or -1 for
a "break" stop code, only if breakable
is set). This is used in
well_formed_indefinite
to ascertain that indefinite-length strings
only contain definite-length strings as chunks.¶
Note that the remaining complexity of a complete CBOR decoder is about presenting data that has been decoded to the application in an appropriate form.¶
Major types 0 and 1 are designed in such a way that they can be encoded in C from a signed integer without actually doing an if-then-else for positive/negative (Figure 2). This uses the fact that (-1-n), the transformation for major type 1, is the same as ~n (bitwise complement) in C unsigned arithmetic; ~n can then be expressed as (-1)^n for the negative case, while 0^n leaves n unchanged for nonnegative. The sign of a number can be converted to -1 for negative and 0 for nonnegative (0 or positive) by arithmetic-shifting the number by one bit less than the bit length of the number (for example, by 63 for 64-bit numbers).¶
See Section 1.2 for some specific assumptions about the profile of the C language used in these pieces of code.¶
As half-precision floating-point numbers were only added to IEEE 754 in 2008 [IEEE754], today's programming platforms often still only have limited support for them. It is very easy to include at least decoding support for them even without such support. An example of a small decoder for half-precision floating-point numbers in the C language is shown in Figure 3. A similar program for Python is in Figure 4; this code assumes that the 2-byte value has already been decoded as an (unsigned short) integer in network byte order (as would be done by the pseudocode in Appendix C).¶
The proposal for CBOR follows a history of binary formats that is as long as the history of computers themselves. Different formats have had different objectives. In most cases, the objectives of the format were never stated, although they can sometimes be implied by the context where the format was first used. Some formats were meant to be universally usable, although history has proven that no binary format meets the needs of all protocols and applications.¶
CBOR differs from many of these formats due to it starting with a set of objectives and attempting to meet just those. This section compares a few of the dozens of formats with CBOR's objectives in order to help the reader decide if they want to use CBOR or a different format for a particular protocol or application.¶
Note that the discussion here is not meant to be a criticism of any format: to the best of our knowledge, no format before CBOR was meant to cover CBOR's objectives in the priority we have assigned them. A brief recap of the objectives from Section 1.1 is:¶
A discussion of CBOR and other formats with respect to a different set of design objectives is provided in Section 5 and Appendix C of [RFC8618].¶
[ASN.1] has many serializations. In the IETF, DER and BER are the most common. The serialized output is not particularly compact for many items, and the code needed to decode numeric items can be complex on a constrained device.¶
Few (if any) IETF protocols have adopted one of the several variants of Packed Encoding Rules (PER). There could be many reasons for this, but one that is commonly stated is that PER makes use of the schema even for parsing the surface structure of the data item, requiring significant tool support. There are different versions of the ASN.1 schema language in use, which has also hampered adoption.¶
[MessagePack] is a concise, widely implemented counted binary serialization format, similar in many properties to CBOR, although somewhat less regular. While the data model can be used to represent JSON data, MessagePack has also been used in many remote procedure call (RPC) applications and for long-term storage of data.¶
MessagePack has been essentially stable since it was first published around 2011; it has not yet had a transition. The evolution of MessagePack is impeded by an imperative to maintain complete backwards compatibility with existing stored data, while only few bytecodes are still available for extension. Repeated requests over the years from the MessagePack user community to separate out binary and text strings in the encoding recently have led to an extension proposal that would leave MessagePack's "raw" data ambiguous between its usages for binary and text data. The extension mechanism for MessagePack remains unclear.¶
[BSON] is a data format that was developed for the storage of JSON-like maps (JSON objects) in the MongoDB database. Its major distinguishing feature is the capability for in-place update, which prevents a compact representation. BSON uses a counted representation except for map keys, which are null-byte terminated. While BSON can be used for the representation of JSON-like objects on the wire, its specification is dominated by the requirements of the database application and has become somewhat baroque. The status of how BSON extensions will be implemented remains unclear.¶
Message Services Data Transmission (MSDTP) is a very early example of a compact message format; it is described in [RFC0713], written in 1976. It is included here for its historical value, not because it was ever widely used.¶
While CBOR's design objective of code compactness for encoders and decoders is a higher priority than its objective of conciseness on the wire, many people focus on the wire size. Table 8 shows some encoding examples for the simple nested array [1, [2, 3]]; where some form of indefinite-length encoding is supported by the encoding, [_ 1, [2, 3]] (indefinite length on the outer array) is also shown.¶
Format | [1, [2, 3]] | [_ 1, [2, 3]] |
---|---|---|
RFC 713 | c2 05 81 c2 02 82 83 | |
ASN.1 BER | 30 0b 02 01 01 30 06 02 01 02 02 01 03 | 30 80 02 01 01 30 06 02 01 02 02 01 03 00 00 |
MessagePack | 92 01 92 02 03 | |
BSON | 22 00 00 00 10 30 00 01 00 00 00 04 31 00 13 00 00 00 10 30 00 02 00 00 00 10 31 00 03 00 00 00 00 00 | |
CBOR | 82 01 82 02 03 | 9f 01 82 02 03 ff |
There are three basic kinds of well-formedness errors that can occur in decoding a CBOR data item:¶
In Appendix C, errors of the first kind are addressed in the first paragraph and bullet list (requiring "no bytes are left"), and errors of the second kind are addressed in the second paragraph/bullet list (failing "if n bytes are no longer available"). Errors of the third kind are identified in the pseudocode by specific instances of calling fail(), in order:¶
This subsection shows a few examples for CBOR data items that are not well-formed. Each example is a sequence of bytes, each shown in hexadecimal; multiple examples in a list are separated by commas.¶
Examples for well-formedness error kind 1 (too much data) can easily be formed by adding data to a well-formed encoded CBOR data item.¶
Similarly, examples for well-formedness error kind 2 (too little data) can be formed by truncating a well-formed encoded CBOR data item. In test suites, it may be beneficial to specifically test with incomplete data items that would require large amounts of addition to be completed (for instance by starting the encoding of a string of a very large size).¶
A premature end of the input can occur in a head or within the enclosed data, which may be bare strings or enclosed data items that are either counted or should have been ended by a "break" stop code.¶
A few examples for the five subkinds of well-formedness error kind 3 (syntax error) are shown below.¶
As discussed in the introduction, this document formally obsoletes RFC 7049 while keeping full compatibility with the interchange format from RFC 7049. This document provides editorial improvements, added detail, and fixed errata. This document does not create a new version of the format.¶
The two verified errata on RFC 7049, [Err3764] and [Err3770], concerned two encoding examples in the text that have been corrected (Section 3.4.3: "29" -> "49", Section 5.5: "0b000_11101" -> "0b000_11001"). Also, RFC 7049 contained an example using the numeric value 24 for a simple value [Err5917], which is not well-formed; this example has been removed. Errata report 5763 [Err5763] pointed to an error in the wording of the definition of tags; this was resolved during a rewrite of Section 3.4. Errata report 5434 [Err5434] pointed out that the Universal Binary JSON (UBJSON) example in Appendix E no longer complied with the version of UBJSON current at the time of the errata report submission. It turned out that the UBJSON specification had completely changed since 2013; this example therefore was removed. Other errata reports [Err4409] [Err4963] [Err4964] complained that the map key sorting rules for canonical encoding were onerous; these led to a reconsideration of the canonical encoding suggestions and replacement by the deterministic encoding suggestions (described below). An editorial suggestion in errata report 4294 [Err4294] was also implemented (improved symmetry by adding "Second value" to a comment to the last example in Section 3.2.2).¶
Other clerical changes include:¶
The IANA considerations were generally updated (clerical changes, e.g., now pointing to the CBOR Working Group as the author of the specification). References to the respective IANA registries were added to the informative references.¶
In the "Concise Binary Object Representation (CBOR) Tags" registry [IANA.cbor-tags], tags in the space from 256 to 32767 (lower half of "1+2") are no longer assigned by First Come First Served; this range is now Specification Required.¶
While revising the document, beyond the addressing of the errata reports, the working group drew upon nearly seven years of experience with CBOR in a diverse set of applications. This led to a number of editorial changes, including adding tables for illustration, but also emphasizing some aspects and de-emphasizing others.¶
A significant addition is Section 2, which discusses the CBOR data model and its small variations involved in the processing of CBOR. The introduction of terms for those variations (basic generic, extended generic, specific) enables more concise language in other places of the document and also helps to clarify expectations of implementations and of the extensibility features of the format.¶
As a format derived from the JSON ecosystem, RFC 7049 was influenced by the JSON number system that was in turn inherited from JavaScript at the time. JSON does not provide distinct integers and floating-point values (and the latter are decimal in the format). CBOR provides binary representations of numbers, which do differ between integers and floating-point values. Experience from implementation and use suggested that the separation between these two number domains should be more clearly drawn in the document; language that suggested an integer could seamlessly stand in for a floating-point value was removed. Also, a suggestion (based on I-JSON [RFC7493]) was added for handling these types when converting JSON to CBOR, and the use of a specific rounding mechanism has been recommended.¶
For a single value in the data model, CBOR often provides multiple encoding options. A new section (Section 4) introduces the term "preferred serialization" (Section 4.1) and defines it for various kinds of data items. On the basis of this terminology, the section then discusses how a CBOR-based protocol can define "deterministic encoding" (Section 4.2), which avoids terms "canonical" and "canonicalization" from RFC 7049. The suggestion of "Core Deterministic Encoding Requirements" (Section 4.2.1) enables generic support for such protocol-defined encoding requirements. This document further eases the implementation of deterministic encoding by simplifying the map ordering suggested in RFC 7049 to a simple lexicographic ordering of encoded keys. A description of the older suggestion is kept as an alternative, now termed "length-first map key ordering" (Section 4.2.3).¶
The terminology for well-formed and valid data was sharpened and more stringently used, avoiding less well-defined alternative terms such as "syntax error", "decoding error", and "strict mode" outside of examples. Also, a third level of requirements that an application has on its input data beyond CBOR-level validity is now explicitly called out. Well-formed (processable at all), valid (checked by a validity-checking generic decoder), and expected input (as checked by the application) are treated as a hierarchy of layers of acceptability.¶
The handling of non-well-formed simple values was clarified in text and pseudocode. Appendix F was added to discuss well-formedness errors and provide examples for them. The pseudocode was updated to be more portable, and some portability considerations were added.¶
The discussion of validity has been sharpened in two areas. Map validity (handling of duplicate keys) was clarified, and the domain of applicability of certain implementation choices explained. Also, while streamlining the terminology for tags, tag numbers, and tag content, discussion was added on tag validity, and the restrictions were clarified on tag content, in general and specifically for tag 1.¶
An implementation note (and note for future tag definitions) was added to Section 3.4 about defining tags with semantics that depend on serialization order.¶
Tag 35 is not defined by this document; the registration based on the definition in RFC 7049 remains in place.¶
Terminology was introduced in Section 3 for "argument" and "head", simplifying further discussion.¶
The security considerations (Section 10) were mostly rewritten and significantly expanded; in multiple other places, the document is now more explicit that a decoder cannot simply condone well-formedness errors.¶
CBOR was inspired by MessagePack. MessagePack was developed and promoted by Sadayuki Furuhashi ("frsyuki"). This reference to MessagePack is solely for attribution; CBOR is not intended as a version of, or replacement for, MessagePack, as it has different design goals and requirements.¶
The need for functionality beyond the original MessagePack specification became obvious to many people at about the same time around the year 2012. BinaryPack is a minor derivation of MessagePack that was developed by Eric Zhang for the binaryjs project. A similar, but different, extension was made by Tim Caswell for his msgpack-js and msgpack-js-browser projects. Many people have contributed to the discussion about extending MessagePack to separate text string representation from byte string representation.¶
The encoding of the additional information in CBOR was inspired by the encoding of length information designed by Klaus Hartke for CoAP.¶
This document also incorporates suggestions made by many people, notably Dan Frost, James Manger, Jeffrey Yasskin, Joe Hildebrand, Keith Moore, Laurence Lundblade, Matthew Lepinski, Michael Richardson, Nico Williams, Peter Occil, Phillip Hallam-Baker, Ray Polk, Stuart Cheshire, Tim Bray, Tony Finch, Tony Hansen, and Yaron Sheffer. Benjamin Kaduk provided an extensive review during IESG processing. Éric Vyncke, Erik Kline, Robert Wilton, and Roman Danyliw provided further IESG comments, which included an IoT directorate review by Eve Schooler.¶