[ANN] CBOR Library - Small, safe, and easy CBOR encoding and decoding (for WebAuthn, etc.) in Go


Faye Amacker

Sep 9, 2019, 12:59:49 AM
to golang-nuts
Hello,

fxamacker/cbor is my first open source project, after working exclusively on closed source.

It is MIT licensed and designed to be:
  • Easy -- idiomatic Go API (like encoding/json).
  • Safe and reliable -- no unsafe pkg, test coverage at ~90%, fuzz tested, and uses RFC 7049 test vectors.
  • Standards-compliant -- supports RFC 7049 and canonical CBOR encodings (both RFC 7049 and CTAP2).
  • Small and self-contained -- pkg compiles to under 0.5 MB with no external dependencies.
This library balances compiled size, safety (no unsafe pkg) and speed (benchmarks).

Program size comparison (linux_amd64, Go 1.12) doing the same CBOR encoding and decoding:
  • 2.7 MB program using fxamacker/cbor
  • 11.9 MB program using ugorji/go
Library size comparison (linux_amd64, Go 1.12):
  • 0.45 MB pkg -- fxamacker/cbor
  • 2.9 MB pkg -- ugorji/go without code generation (go install --tags "notfastpath")
  • 5.7 MB pkg -- ugorji/go with code generation (default)
I'm using this library in a new WebAuthn library which I hope to announce later.

Any suggestions or feedback would be appreciated.

Thanks,

Faye

Faye Amacker

Sep 9, 2019, 3:17:23 PM
to golang-nuts
Answers to some questions received today:

Is the API stable?
There's no plan to change the API -- but I wanted to leave room to improve the API based on initial feedback.

The API will always be backwards compatible unless the major version number changes. 

Is this production ready?
Current version passed fuzzing for 9+ hours on linux_amd64 without problems using RFC 7049 test vectors as seeds. It appears ready for production use on linux_amd64.

Why is version number only 0.3?
I was tempted to release 0.3 as 1.0.  I'll promote version 0.3 to 1.0 this month, unless API changes are requested by the Go community.  I'm using semantic versioning, so I didn't want to risk a 2.0 release right after announcing 1.0.

I've updated the README to include this info.