1XS(3)                 User Contributed Perl Documentation                XS(3)
2
3
4

NAME

6       CBOR::XS - Concise Binary Object Representation (CBOR, RFC7049)
7

SYNOPSIS

9        use CBOR::XS;
10
11        $binary_cbor_data = encode_cbor $perl_value;
12        $perl_value       = decode_cbor $binary_cbor_data;
13
14        # OO-interface
15
16        $coder = CBOR::XS->new;
17        $binary_cbor_data = $coder->encode ($perl_value);
18        $perl_value       = $coder->decode ($binary_cbor_data);
19
20        # prefix decoding
21
22        my $many_cbor_strings = ...;
23        while (length $many_cbor_strings) {
24           my ($data, $length) = $cbor->decode_prefix ($many_cbor_strings);
25           # data was decoded
26           substr $many_cbor_strings, 0, $length, ""; # remove decoded cbor string
27        }
28

DESCRIPTION

30       This module converts Perl data structures to the Concise Binary Object
31       Representation (CBOR) and vice versa. CBOR is a fast binary
32       serialisation format that aims to use an (almost) superset of the JSON
33       data model, i.e.  when you can represent something useful in JSON, you
34       should be able to represent it in CBOR.
35
36       In short, CBOR is a faster and quite compact binary alternative to
37       JSON, with the added ability of supporting serialisation of Perl
38       objects. (JSON often compresses better than CBOR though, so if you plan
39       to compress the data later and speed is less important you might want
40       to compare both formats first).
41
42       The primary goal of this module is to be correct and the secondary goal
43       is to be fast. To reach the latter goal it was written in C.
44
45       To give you a general idea about speed, with texts in the megabyte
46       range, "CBOR::XS" usually encodes roughly twice as fast as Storable or
47       JSON::XS and decodes about 15%-30% faster than those. The shorter the
48       data, the worse Storable performs in comparison.
49
50       Regarding compactness, "CBOR::XS"-encoded data structures are usually
51       about 20% smaller than the same data encoded as (compact) JSON or
52       Storable.
53
54       In addition to the core CBOR data format, this module implements a
55       number of extensions, to support cyclic and shared data structures (see
56       "allow_sharing" and "allow_cycles"), string deduplication (see
57       "pack_strings") and scalar references (always enabled).
58
59       See MAPPING, below, on how CBOR::XS maps perl values to CBOR values and
60       vice versa.
61

FUNCTIONAL INTERFACE

63       The following convenience methods are provided by this module. They are
64       exported by default:
65
66       $cbor_data = encode_cbor $perl_scalar
67           Converts the given Perl data structure to CBOR representation.
68           Croaks on error.
69
70       $perl_scalar = decode_cbor $cbor_data
71           The opposite of "encode_cbor": expects a valid CBOR string to
72           parse, returning the resulting perl scalar. Croaks on error.
73

OBJECT-ORIENTED INTERFACE

75       The object oriented interface lets you configure your own encoding or
76       decoding style, within the limits of supported formats.
77
78       $cbor = new CBOR::XS
79           Creates a new CBOR::XS object that can be used to de/encode CBOR
80           strings. All boolean flags described below are by default disabled.
81
82           The mutators for flags all return the CBOR object again and thus
83           calls can be chained:
84
85              my $cbor = CBOR::XS->new->encode ({a => [1,2]});
86
87       $cbor = new_safe CBOR::XS
88           Create a new, safe/secure CBOR::XS object. This is similar to
89           "new", but configures the coder object to be safe to use with
90           untrusted data. Currently, this is equivalent to:
91
92              my $cbor = CBOR::XS
93                 ->new
94                 ->forbid_objects
95                 ->filter (\&CBOR::XS::safe_filter)
96                 ->max_size (1e8);
97
98           But is more future proof (it is better to crash because of a change
99           than to be exploited in other ways).
100
101       $cbor = $cbor->max_depth ([$maximum_nesting_depth])
102       $max_depth = $cbor->get_max_depth
103           Sets the maximum nesting level (default 512) accepted while
104           encoding or decoding. If a higher nesting level is detected in CBOR
105           data or a Perl data structure, then the encoder and decoder will
106           stop and croak at that point.
107
108           Nesting level is defined by number of hash- or arrayrefs that the
109           encoder needs to traverse to reach a given point or the number of
110           "{" or "[" characters without their matching closing parenthesis
111           crossed to reach a given character in a string.
112
113           Setting the maximum depth to one disallows any nesting, so that
114           ensures that the object is only a single hash/object or array.
115
116           If no argument is given, the highest possible setting will be used,
117           which is rarely useful.
118
119           Note that nesting is implemented by recursion in C. The default
120           value has been chosen to be as large as typical operating systems
121           allow without crashing.
122
123           See "SECURITY CONSIDERATIONS", below, for more info on why this is
124           useful.
125
126       $cbor = $cbor->max_size ([$maximum_string_size])
127       $max_size = $cbor->get_max_size
128           Set the maximum length a CBOR string may have (in bytes) where
129           decoding is being attempted. The default is 0, meaning no limit.
130           When "decode" is called on a string that is longer then this many
131           bytes, it will not attempt to decode the string but throw an
132           exception. This setting has no effect on "encode" (yet).
133
134           If no argument is given, the limit check will be deactivated (same
135           as when 0 is specified).
136
137           See "SECURITY CONSIDERATIONS", below, for more info on why this is
138           useful.
139
140       $cbor = $cbor->allow_unknown ([$enable])
141       $enabled = $cbor->get_allow_unknown
142           If $enable is true (or missing), then "encode" will not throw an
143           exception when it encounters values it cannot represent in CBOR
144           (for example, filehandles) but instead will encode a CBOR "error"
145           value.
146
147           If $enable is false (the default), then "encode" will throw an
148           exception when it encounters anything it cannot encode as CBOR.
149
150           This option does not affect "decode" in any way, and it is
151           recommended to leave it off unless you know your communications
152           partner.
153
154       $cbor = $cbor->allow_sharing ([$enable])
155       $enabled = $cbor->get_allow_sharing
156           If $enable is true (or missing), then "encode" will not double-
157           encode values that have been referenced before (e.g. when the same
158           object, such as an array, is referenced multiple times), but
159           instead will emit a reference to the earlier value.
160
161           This means that such values will only be encoded once, and will not
162           result in a deep cloning of the value on decode, in decoders
163           supporting the value sharing extension. This also makes it possible
164           to encode cyclic data structures (which need "allow_cycles" to be
165           enabled to be decoded by this module).
166
167           It is recommended to leave it off unless you know your
168           communication partner supports the value sharing extensions to CBOR
169           (<http://cbor.schmorp.de/value-sharing>), as without decoder
170           support, the resulting data structure might be unusable.
171
172           Detecting shared values incurs a runtime overhead when values are
173           encoded that have a reference counter large than one, and might
174           unnecessarily increase the encoded size, as potentially shared
175           values are encoded as shareable whether or not they are actually
176           shared.
177
178           At the moment, only targets of references can be shared (e.g.
179           scalars, arrays or hashes pointed to by a reference). Weirder
180           constructs, such as an array with multiple "copies" of the same
181           string, which are hard but not impossible to create in Perl, are
182           not supported (this is the same as with Storable).
183
184           If $enable is false (the default), then "encode" will encode shared
185           data structures repeatedly, unsharing them in the process. Cyclic
186           data structures cannot be encoded in this mode.
187
188           This option does not affect "decode" in any way - shared values and
189           references will always be decoded properly if present.
190
191       $cbor = $cbor->allow_cycles ([$enable])
192       $enabled = $cbor->get_allow_cycles
193           If $enable is true (or missing), then "decode" will happily decode
194           self-referential (cyclic) data structures. By default these will
195           not be decoded, as they need manual cleanup to avoid memory leaks,
196           so code that isn't prepared for this will not leak memory.
197
198           If $enable is false (the default), then "decode" will throw an
199           error when it encounters a self-referential/cyclic data structure.
200
201           FUTURE DIRECTION: the motivation behind this option is to avoid
202           real cycles - future versions of this module might chose to decode
203           cyclic data structures using weak references when this option is
204           off, instead of throwing an error.
205
206           This option does not affect "encode" in any way - shared values and
207           references will always be encoded properly if present.
208
209       $cbor = $cbor->forbid_objects ([$enable])
210       $enabled = $cbor->get_forbid_objects
211           Disables the use of the object serialiser protocol.
212
213           If $enable is true (or missing), then "encode" will will throw an
214           exception when it encounters perl objects that would be encoded
215           using the perl-object tag (26). When "decode" encounters such tags,
216           it will fall back to the general filter/tagged logic as if this
217           were an unknown tag (by default resulting in a "CBOR::XC::Tagged"
218           object).
219
220           If $enable is false (the default), then "encode" will use the
221           Types::Serialiser object serialisation protocol to serialise
222           objects into perl-object tags, and "decode" will do the same to
223           decode such tags.
224
225           See "SECURITY CONSIDERATIONS", below, for more info on why
226           forbidding this protocol can be useful.
227
228       $cbor = $cbor->pack_strings ([$enable])
229       $enabled = $cbor->get_pack_strings
230           If $enable is true (or missing), then "encode" will try not to
231           encode the same string twice, but will instead encode a reference
232           to the string instead. Depending on your data format, this can save
233           a lot of space, but also results in a very large runtime overhead
234           (expect encoding times to be 2-4 times as high as without).
235
236           It is recommended to leave it off unless you know your
237           communications partner supports the stringref extension to CBOR
238           (<http://cbor.schmorp.de/stringref>), as without decoder support,
239           the resulting data structure might not be usable.
240
241           If $enable is false (the default), then "encode" will encode
242           strings the standard CBOR way.
243
244           This option does not affect "decode" in any way - string references
245           will always be decoded properly if present.
246
247       $cbor = $cbor->text_keys ([$enable])
248       $enabled = $cbor->get_text_keys
249           If $enabled is true (or missing), then "encode" will encode all
250           perl hash keys as CBOR text strings/UTF-8 string, upgrading them as
251           needed.
252
253           If $enable is false (the default), then "encode" will encode hash
254           keys normally - upgraded perl strings (strings internally encoded
255           as UTF-8) as CBOR text strings, and downgraded perl strings as CBOR
256           byte strings.
257
258           This option does not affect "decode" in any way.
259
260           This option is useful for interoperability with CBOR decoders that
261           don't treat byte strings as a form of text. It is especially useful
262           as Perl gives very little control over hash keys.
263
264           Enabling this option can be slow, as all downgraded hash keys that
265           are encoded need to be scanned and converted to UTF-8.
266
267       $cbor = $cbor->text_strings ([$enable])
268       $enabled = $cbor->get_text_strings
269           This option works similar to "text_keys", above, but works on all
270           strings (including hash keys), so "text_keys" has no further effect
271           after enabling "text_strings".
272
273           If $enabled is true (or missing), then "encode" will encode all
274           perl strings as CBOR text strings/UTF-8 strings, upgrading them as
275           needed.
276
277           If $enable is false (the default), then "encode" will encode
278           strings normally (but see "text_keys") - upgraded perl strings
279           (strings internally encoded as UTF-8) as CBOR text strings, and
280           downgraded perl strings as CBOR byte strings.
281
282           This option does not affect "decode" in any way.
283
284           This option has similar advantages and disadvantages as
285           "text_keys". In addition, this option effectively removes the
286           ability to automatically encode byte strings, which might break
287           some "FREEZE" and "TO_CBOR" methods that rely on this.
288
289           A workaround is to use explicit type casts, which are unaffected by
290           this option.
291
292       $cbor = $cbor->validate_utf8 ([$enable])
293       $enabled = $cbor->get_validate_utf8
294           If $enable is true (or missing), then "decode" will validate that
295           elements (text strings) containing UTF-8 data in fact contain valid
296           UTF-8 data (instead of blindly accepting it). This validation
297           obviously takes extra time during decoding.
298
299           The concept of "valid UTF-8" used is perl's concept, which is a
300           superset of the official UTF-8.
301
302           If $enable is false (the default), then "decode" will blindly
303           accept UTF-8 data, marking them as valid UTF-8 in the resulting
304           data structure regardless of whether that's true or not.
305
306           Perl isn't too happy about corrupted UTF-8 in strings, but should
307           generally not crash or do similarly evil things. Extensions might
308           be not so forgiving, so it's recommended to turn on this setting if
309           you receive untrusted CBOR.
310
311           This option does not affect "encode" in any way - strings that are
312           supposedly valid UTF-8 will simply be dumped into the resulting
313           CBOR string without checking whether that is, in fact, true or not.
314
315       $cbor = $cbor->filter ([$cb->($tag, $value)])
316       $cb_or_undef = $cbor->get_filter
317           Sets or replaces the tagged value decoding filter (when $cb is
318           specified) or clears the filter (if no argument or "undef" is
319           provided).
320
321           The filter callback is called only during decoding, when a non-
322           enforced tagged value has been decoded (see "TAG HANDLING AND
323           EXTENSIONS" for a list of enforced tags). For specific tags, it's
324           often better to provide a default converter using the
325           %CBOR::XS::FILTER hash (see below).
326
327           The first argument is the numerical tag, the second is the
328           (decoded) value that has been tagged.
329
330           The filter function should return either exactly one value, which
331           will replace the tagged value in the decoded data structure, or no
332           values, which will result in default handling, which currently
333           means the decoder creates a "CBOR::XS::Tagged" object to hold the
334           tag and the value.
335
336           When the filter is cleared (the default state), the default filter
337           function, "CBOR::XS::default_filter", is used. This function simply
338           looks up the tag in the %CBOR::XS::FILTER hash. If an entry exists
339           it must be a code reference that is called with tag and value, and
340           is responsible for decoding the value. If no entry exists, it
341           returns no values. "CBOR::XS" provides a number of default filter
342           functions already, the the %CBOR::XS::FILTER hash can be freely
343           extended with more.
344
345           "CBOR::XS" additionally provides an alternative filter function
346           that is supposed to be safe to use with untrusted data (which the
347           default filter might not), called "CBOR::XS::safe_filter", which
348           works the same as the "default_filter" but uses the
349           %CBOR::XS::SAFE_FILTER variable instead. It is prepopulated with
350           the tag decoding functions that are deemed safe (basically the same
351           as %CBOR::XS::FILTER without all the bignum tags), and can be
352           extended by user code as wlel, although, obviously, one should be
353           very careful about adding decoding functions here, since the
354           expectation is that they are safe to use on untrusted data, after
355           all.
356
357           Example: decode all tags not handled internally into
358           "CBOR::XS::Tagged" objects, with no other special handling (useful
359           when working with potentially "unsafe" CBOR data).
360
361              CBOR::XS->new->filter (sub { })->decode ($cbor_data);
362
363           Example: provide a global filter for tag 1347375694, converting the
364           value into some string form.
365
366              $CBOR::XS::FILTER{1347375694} = sub {
367                 my ($tag, $value);
368
369                 "tag 1347375694 value $value"
370              };
371
372           Example: provide your own filter function that looks up tags in
373           your own hash:
374
375              my %my_filter = (
376                 998347484 => sub {
377                    my ($tag, $value);
378
379                    "tag 998347484 value $value"
380                 };
381              );
382
383              my $coder = CBOR::XS->new->filter (sub {
384                 &{ $my_filter{$_[0]} or return }
385              });
386
387           Example: use the safe filter function (see "SECURITY
388           CONSIDERATIONS" for more considerations on security).
389
390              CBOR::XS->new->filter (\&CBOR::XS::safe_filter)->decode ($cbor_data);
391
392       $cbor_data = $cbor->encode ($perl_scalar)
393           Converts the given Perl data structure (a scalar value) to its CBOR
394           representation.
395
396       $perl_scalar = $cbor->decode ($cbor_data)
397           The opposite of "encode": expects CBOR data and tries to parse it,
398           returning the resulting simple scalar or reference. Croaks on
399           error.
400
401       ($perl_scalar, $octets) = $cbor->decode_prefix ($cbor_data)
402           This works like the "decode" method, but instead of raising an
403           exception when there is trailing garbage after the CBOR string, it
404           will silently stop parsing there and return the number of
405           characters consumed so far.
406
407           This is useful if your CBOR texts are not delimited by an outer
408           protocol and you need to know where the first CBOR string ends amd
409           the next one starts - CBOR strings are self-delimited, so it is
410           possible to concatenate CBOR strings without any delimiters or size
411           fields and recover their data.
412
413              CBOR::XS->new->decode_prefix ("......")
414              => ("...", 3)
415
416   INCREMENTAL PARSING
417       In some cases, there is the need for incremental parsing of JSON texts.
418       While this module always has to keep both CBOR text and resulting Perl
419       data structure in memory at one time, it does allow you to parse a CBOR
420       stream incrementally, using a similar to using "decode_prefix" to see
421       if a full CBOR object is available, but is much more efficient.
422
423       It basically works by parsing as much of a CBOR string as possible - if
424       the CBOR data is not complete yet, the pasrer will remember where it
425       was, to be able to restart when more data has been accumulated. Once
426       enough data is available to either decode a complete CBOR value or
427       raise an error, a real decode will be attempted.
428
429       A typical use case would be a network protocol that consists of sending
430       and receiving CBOR-encoded messages. The solution that works with CBOR
431       and about anything else is by prepending a length to every CBOR value,
432       so the receiver knows how many octets to read. More compact (and
433       slightly slower) would be to just send CBOR values back-to-back, as
434       "CBOR::XS" knows where a CBOR value ends, and doesn't need an explicit
435       length.
436
437       The following methods help with this:
438
439       @decoded = $cbor->incr_parse ($buffer)
440           This method attempts to decode exactly one CBOR value from the
441           beginning of the given $buffer. The value is removed from the
442           $buffer on success. When $buffer doesn't contain a complete value
443           yet, it returns nothing. Finally, when the $buffer doesn't start
444           with something that could ever be a valid CBOR value, it raises an
445           exception, just as "decode" would. In the latter case the decoder
446           state is undefined and must be reset before being able to parse
447           further.
448
449           This method modifies the $buffer in place. When no CBOR value can
450           be decoded, the decoder stores the current string offset. On the
451           next call, continues decoding at the place where it stopped before.
452           For this to make sense, the $buffer must begin with the same octets
453           as on previous unsuccessful calls.
454
455           You can call this method in scalar context, in which case it either
456           returns a decoded value or "undef". This makes it impossible to
457           distinguish between CBOR null values (which decode to "undef") and
458           an unsuccessful decode, which is often acceptable.
459
460       @decoded = $cbor->incr_parse_multiple ($buffer)
461           Same as "incr_parse", but attempts to decode as many CBOR values as
462           possible in one go, instead of at most one. Calls to "incr_parse"
463           and "incr_parse_multiple" can be interleaved.
464
465       $cbor->incr_reset
466           Resets the incremental decoder. This throws away any saved state,
467           so that subsequent calls to "incr_parse" or "incr_parse_multiple"
468           start to parse a new CBOR value from the beginning of the $buffer
469           again.
470
471           This method can be called at any time, but it must be called if you
472           want to change your $buffer or there was a decoding error and you
473           want to reuse the $cbor object for future incremental parsings.
474

MAPPING

476       This section describes how CBOR::XS maps Perl values to CBOR values and
477       vice versa. These mappings are designed to "do the right thing" in most
478       circumstances automatically, preserving round-tripping characteristics
479       (what you put in comes out as something equivalent).
480
481       For the more enlightened: note that in the following descriptions,
482       lowercase perl refers to the Perl interpreter, while uppercase Perl
483       refers to the abstract Perl language itself.
484
485   CBOR -> PERL
486       integers
487           CBOR integers become (numeric) perl scalars. On perls without 64
488           bit support, 64 bit integers will be truncated or otherwise
489           corrupted.
490
491       byte strings
492           Byte strings will become octet strings in Perl (the Byte values
493           0..255 will simply become characters of the same value in Perl).
494
495       UTF-8 strings
496           UTF-8 strings in CBOR will be decoded, i.e. the UTF-8 octets will
497           be decoded into proper Unicode code points. At the moment, the
498           validity of the UTF-8 octets will not be validated - corrupt input
499           will result in corrupted Perl strings.
500
501       arrays, maps
502           CBOR arrays and CBOR maps will be converted into references to a
503           Perl array or hash, respectively. The keys of the map will be
504           stringified during this process.
505
506       null
507           CBOR null becomes "undef" in Perl.
508
509       true, false, undefined
510           These CBOR values become "Types:Serialiser::true",
511           "Types:Serialiser::false" and "Types::Serialiser::error",
512           respectively. They are overloaded to act almost exactly like the
513           numbers 1 and 0 (for true and false) or to throw an exception on
514           access (for error). See the Types::Serialiser manpage for details.
515
516       tagged values
517           Tagged items consists of a numeric tag and another CBOR value.
518
519           See "TAG HANDLING AND EXTENSIONS" and the description of "->filter"
520           for details on which tags are handled how.
521
522       anything else
523           Anything else (e.g. unsupported simple values) will raise a
524           decoding error.
525
526   PERL -> CBOR
527       The mapping from Perl to CBOR is slightly more difficult, as Perl is a
528       typeless language. That means this module can only guess which CBOR
529       type is meant by a perl value.
530
531       hash references
532           Perl hash references become CBOR maps. As there is no inherent
533           ordering in hash keys (or CBOR maps), they will usually be encoded
534           in a pseudo-random order. This order can be different each time a
535           hash is encoded.
536
537           Currently, tied hashes will use the indefinite-length format, while
538           normal hashes will use the fixed-length format.
539
540       array references
541           Perl array references become fixed-length CBOR arrays.
542
543       other references
544           Other unblessed references will be represented using the
545           indirection tag extension (tag value 22098,
546           <http://cbor.schmorp.de/indirection>). CBOR decoders are guaranteed
547           to be able to decode these values somehow, by either "doing the
548           right thing", decoding into a generic tagged object, simply
549           ignoring the tag, or something else.
550
551       CBOR::XS::Tagged objects
552           Objects of this type must be arrays consisting of a single "[tag,
553           value]" pair. The (numerical) tag will be encoded as a CBOR tag,
554           the value will be encoded as appropriate for the value. You must
555           use "CBOR::XS::tag" to create such objects.
556
557       Types::Serialiser::true, Types::Serialiser::false,
558       Types::Serialiser::error
559           These special values become CBOR true, CBOR false and CBOR
560           undefined values, respectively. You can also use "\1", "\0" and
561           "\undef" directly if you want.
562
563       other blessed objects
564           Other blessed objects are serialised via "TO_CBOR" or "FREEZE". See
565           "TAG HANDLING AND EXTENSIONS" for specific classes handled by this
566           module, and "OBJECT SERIALISATION" for generic object
567           serialisation.
568
569       simple scalars
570           Simple Perl scalars (any scalar that is not a reference) are the
571           most difficult objects to encode: CBOR::XS will encode undefined
572           scalars as CBOR null values, scalars that have last been used in a
573           string context before encoding as CBOR strings, and anything else
574           as number value:
575
576              # dump as number
577              encode_cbor [2]                      # yields [2]
578              encode_cbor [-3.0e17]                # yields [-3e+17]
579              my $value = 5; encode_cbor [$value]  # yields [5]
580
581              # used as string, so dump as string (either byte or text)
582              print $value;
583              encode_cbor [$value]                 # yields ["5"]
584
585              # undef becomes null
586              encode_cbor [undef]                  # yields [null]
587
588           You can force the type to be a CBOR string by stringifying it:
589
590              my $x = 3.1; # some variable containing a number
591              "$x";        # stringified
592              $x .= "";    # another, more awkward way to stringify
593              print $x;    # perl does it for you, too, quite often
594
595           You can force whether a string is encoded as byte or text string by
596           using "utf8::upgrade" and "utf8::downgrade" (if "text_strings" is
597           disabled).
598
599             utf8::upgrade $x;   # encode $x as text string
600             utf8::downgrade $x; # encode $x as byte string
601
602           More options are available, see "TYPE CASTS", below, and the
603           "text_keys" and "text_strings" options.
604
605           Perl doesn't define what operations up- and downgrade strings, so
606           if the difference between byte and text is important, you should
607           up- or downgrade your string as late as possible before encoding.
608           You can also force the use of CBOR text strings by using
609           "text_keys" or "text_strings".
610
611           You can force the type to be a CBOR number by numifying it:
612
613              my $x = "3"; # some variable containing a string
614              $x += 0;     # numify it, ensuring it will be dumped as a number
615              $x *= 1;     # same thing, the choice is yours.
616
617           You can not currently force the type in other, less obscure, ways.
618           Tell me if you need this capability (but don't forget to explain
619           why it's needed :).
620
621           Perl values that seem to be integers generally use the shortest
622           possible representation. Floating-point values will use either the
623           IEEE single format if possible without loss of precision, otherwise
624           the IEEE double format will be used. Perls that use formats other
625           than IEEE double to represent numerical values are supported, but
626           might suffer loss of precision.
627
628   TYPE CASTS
629       EXPERIMENTAL: As an experimental extension, "CBOR::XS" allows you to
630       force specific cbor types to be used when encoding. That allows you to
631       encode types not normally accessible (e.g. half floats) as well as
632       force string types even when "text_strings" is in effect.
633
634       Type forcing is done by calling a special "cast" function which keeps a
635       copy of the value and returns a new value that can be handed over to
636       any CBOR encoder function.
637
638       The following casts are currently available (all of which are unary
639       operators):
640
641       CBOR::XS::as_int $value
642           Forces the value to be encoded as some form of (basic, not bignum)
643           integer type.
644
645       CBOR::XS::as_text $value
646           Forces the value to be encoded as (UTF-8) text values.
647
648       CBOR::XS::as_bytes $value
649           Forces the value to be encoded as a (binary) string value.
650
651           Example: encode a perl string as binary even though "text_strings"
652           is in effect.
653
654              CBOR::XS->new->text_strings->encode ([4, "text", CBOR::XS::bytes "bytevalue"]);
655
656       CBOR::XS::as_bool $value
657           Converts a Perl boolean (which can be any kind of scalar) into a
658           CBOR boolean. Strictly the same, but shorter to write, than:
659
660              $value ? Types::Serialiser::true : Types::Serialiser::false
661
662       CBOR::XS::as_float16 $value
663           Forces half-float (IEEE 754 binary16) encoding of the given value.
664
665       CBOR::XS::as_float32 $value
666           Forces single-float (IEEE 754 binary32) encoding of the given
667           value.
668
669       CBOR::XS::as_float64 $value
670           Forces double-float (IEEE 754 binary64) encoding of the given
671           value.
672
673       CBOR::XS::as_cbor $cbor_text
674           Not a type cast per-se, this type cast forces the argument to eb
675           encoded as-is. This can be used to embed pre-encoded CBOR data.
676
677           Note that no checking on the validity of the $cbor_text is done -
678           it's the callers responsibility to correctly encode values.
679
680       CBOR::XS::as_map [key => value...]
681           Treat the array reference as key value pairs and output a CBOR map.
682           This allows you to generate CBOR maps with arbitrary key types (or,
683           if you don't care about semantics, duplicate keys or prairs in a
684           custom order), which is otherwise hard to do with Perl.
685
686           The single argument must be an array reference with an even number
687           of elements.
688
689           Example: encode a CBOR map with a string and an integer as keys.
690
691              encode_cbor CBOR::XS::as_map [string => "value", 5 => "value"]
692
693   OBJECT SERIALISATION
694       This module implements both a CBOR-specific and the generic
695       Types::Serialier object serialisation protocol. The following
696       subsections explain both methods.
697
698       ENCODING
699
700       This module knows two way to serialise a Perl object: The CBOR-specific
701       way, and the generic way.
702
703       Whenever the encoder encounters a Perl object that it cannot serialise
704       directly (most of them), it will first look up the "TO_CBOR" method on
705       it.
706
707       If it has a "TO_CBOR" method, it will call it with the object as only
708       argument, and expects exactly one return value, which it will then
709       substitute and encode it in the place of the object.
710
711       Otherwise, it will look up the "FREEZE" method. If it exists, it will
712       call it with the object as first argument, and the constant string
713       "CBOR" as the second argument, to distinguish it from other
714       serialisers.
715
716       The "FREEZE" method can return any number of values (i.e. zero or
717       more). These will be encoded as CBOR perl object, together with the
718       classname.
719
720       These methods MUST NOT change the data structure that is being
721       serialised. Failure to comply to this can result in memory corruption -
722       and worse.
723
724       If an object supports neither "TO_CBOR" nor "FREEZE", encoding will
725       fail with an error.
726
727       DECODING
728
729       Objects encoded via "TO_CBOR" cannot (normally) be automatically
730       decoded, but objects encoded via "FREEZE" can be decoded using the
731       following protocol:
732
733       When an encoded CBOR perl object is encountered by the decoder, it will
734       look up the "THAW" method, by using the stored classname, and will fail
735       if the method cannot be found.
736
737       After the lookup it will call the "THAW" method with the stored
738       classname as first argument, the constant string "CBOR" as second
739       argument, and all values returned by "FREEZE" as remaining arguments.
740
741       EXAMPLES
742
743       Here is an example "TO_CBOR" method:
744
745          sub My::Object::TO_CBOR {
746             my ($obj) = @_;
747
748             ["this is a serialised My::Object object", $obj->{id}]
749          }
750
751       When a "My::Object" is encoded to CBOR, it will instead encode a simple
752       array with two members: a string, and the "object id". Decoding this
753       CBOR string will yield a normal perl array reference in place of the
754       object.
755
756       A more useful and practical example would be a serialisation method for
757       the URI module. CBOR has a custom tag value for URIs, namely 32:
758
759         sub URI::TO_CBOR {
760            my ($self) = @_;
761            my $uri = "$self"; # stringify uri
762            utf8::upgrade $uri; # make sure it will be encoded as UTF-8 string
763            CBOR::XS::tag 32, "$_[0]"
764         }
765
766       This will encode URIs as a UTF-8 string with tag 32, which indicates an
767       URI.
768
769       Decoding such an URI will not (currently) give you an URI object, but
770       instead a CBOR::XS::Tagged object with tag number 32 and the string -
771       exactly what was returned by "TO_CBOR".
772
773       To serialise an object so it can automatically be deserialised, you
774       need to use "FREEZE" and "THAW". To take the URI module as example,
775       this would be a possible implementation:
776
777          sub URI::FREEZE {
778             my ($self, $serialiser) = @_;
779             "$self" # encode url string
780          }
781
782          sub URI::THAW {
783             my ($class, $serialiser, $uri) = @_;
784             $class->new ($uri)
785          }
786
787       Unlike "TO_CBOR", multiple values can be returned by "FREEZE". For
788       example, a "FREEZE" method that returns "type", "id" and "variant"
789       values would cause an invocation of "THAW" with 5 arguments:
790
791          sub My::Object::FREEZE {
792             my ($self, $serialiser) = @_;
793
794             ($self->{type}, $self->{id}, $self->{variant})
795          }
796
797          sub My::Object::THAW {
798             my ($class, $serialiser, $type, $id, $variant) = @_;
799
800             $class-<new (type => $type, id => $id, variant => $variant)
801          }
802

MAGIC HEADER

804       There is no way to distinguish CBOR from other formats
805       programmatically. To make it easier to distinguish CBOR from other
806       formats, the CBOR specification has a special "magic string" that can
807       be prepended to any CBOR string without changing its meaning.
808
809       This string is available as $CBOR::XS::MAGIC. This module does not
810       prepend this string to the CBOR data it generates, but it will ignore
811       it if present, so users can prepend this string as a "file type"
812       indicator as required.
813

THE CBOR::XS::Tagged CLASS

815       CBOR has the concept of tagged values - any CBOR value can be tagged
816       with a numeric 64 bit number, which are centrally administered.
817
818       "CBOR::XS" handles a few tags internally when en- or decoding. You can
819       also create tags yourself by encoding "CBOR::XS::Tagged" objects, and
820       the decoder will create "CBOR::XS::Tagged" objects itself when it hits
821       an unknown tag.
822
823       These objects are simply blessed array references - the first member of
824       the array being the numerical tag, the second being the value.
825
826       You can interact with "CBOR::XS::Tagged" objects in the following ways:
827
828       $tagged = CBOR::XS::tag $tag, $value
829           This function(!) creates a new "CBOR::XS::Tagged" object using the
830           given $tag (0..2**64-1) to tag the given $value (which can be any
831           Perl value that can be encoded in CBOR, including serialisable Perl
832           objects and "CBOR::XS::Tagged" objects).
833
834       $tagged->[0]
835       $tagged->[0] = $new_tag
836       $tag = $tagged->tag
837       $new_tag = $tagged->tag ($new_tag)
838           Access/mutate the tag.
839
840       $tagged->[1]
841       $tagged->[1] = $new_value
842       $value = $tagged->value
843       $new_value = $tagged->value ($new_value)
844           Access/mutate the tagged value.
845
846   EXAMPLES
847       Here are some examples of "CBOR::XS::Tagged" uses to tag objects.
848
849       You can look up CBOR tag value and emanings in the IANA registry at
850       <http://www.iana.org/assignments/cbor-tags/cbor-tags.xhtml>.
851
852       Prepend a magic header ($CBOR::XS::MAGIC):
853
854          my $cbor = encode_cbor CBOR::XS::tag 55799, $value;
855          # same as:
856          my $cbor = $CBOR::XS::MAGIC . encode_cbor $value;
857
858       Serialise some URIs and a regex in an array:
859
860          my $cbor = encode_cbor [
861             (CBOR::XS::tag 32, "http://www.nethype.de/"),
862             (CBOR::XS::tag 32, "http://software.schmorp.de/"),
863             (CBOR::XS::tag 35, "^[Pp][Ee][Rr][lL]\$"),
864          ];
865
866       Wrap CBOR data in CBOR:
867
868          my $cbor_cbor = encode_cbor
869             CBOR::XS::tag 24,
870                encode_cbor [1, 2, 3];
871

TAG HANDLING AND EXTENSIONS

873       This section describes how this module handles specific tagged values
874       and extensions. If a tag is not mentioned here and no additional
875       filters are provided for it, then the default handling applies
876       (creating a CBOR::XS::Tagged object on decoding, and only encoding the
877       tag when explicitly requested).
878
879       Tags not handled specifically are currently converted into a
880       CBOR::XS::Tagged object, which is simply a blessed array reference
881       consisting of the numeric tag value followed by the (decoded) CBOR
882       value.
883
884       Future versions of this module reserve the right to special case
885       additional tags (such as base64url).
886
887   ENFORCED TAGS
888       These tags are always handled when decoding, and their handling cannot
889       be overridden by the user.
890
891       26 (perl-object, <http://cbor.schmorp.de/perl-object>)
892           These tags are automatically created (and decoded) for serialisable
893           objects using the "FREEZE/THAW" methods (the Types::Serialier
894           object serialisation protocol). See "OBJECT SERIALISATION" for
895           details.
896
897       28, 29 (shareable, sharedref, <http://cbor.schmorp.de/value-sharing>)
898           These tags are automatically decoded when encountered (and they do
899           not result in a cyclic data structure, see "allow_cycles"),
900           resulting in shared values in the decoded object. They are only
901           encoded, however, when "allow_sharing" is enabled.
902
903           Not all shared values can be successfully decoded: values that
904           reference themselves will currently decode as "undef" (this is not
905           the same as a reference pointing to itself, which will be
906           represented as a value that contains an indirect reference to
907           itself - these will be decoded properly).
908
909           Note that considerably more shared value data structures can be
910           decoded than will be encoded - currently, only values pointed to by
911           references will be shared, others will not. While non-reference
912           shared values can be generated in Perl with some effort, they were
913           considered too unimportant to be supported in the encoder. The
914           decoder, however, will decode these values as shared values.
915
916       256, 25 (stringref-namespace, stringref,
917       <http://cbor.schmorp.de/stringref>)
918           These tags are automatically decoded when encountered. They are
919           only encoded, however, when "pack_strings" is enabled.
920
921       22098 (indirection, <http://cbor.schmorp.de/indirection>)
922           This tag is automatically generated when a reference are
923           encountered (with the exception of hash and array references). It
924           is converted to a reference when decoding.
925
926       55799 (self-describe CBOR, RFC 7049)
927           This value is not generated on encoding (unless explicitly
928           requested by the user), and is simply ignored when decoding.
929
930   NON-ENFORCED TAGS
931       These tags have default filters provided when decoding. Their handling
932       can be overridden by changing the %CBOR::XS::FILTER entry for the tag,
933       or by providing a custom "filter" callback when decoding.
934
935       When they result in decoding into a specific Perl class, the module
936       usually provides a corresponding "TO_CBOR" method as well.
937
938       When any of these need to load additional modules that are not part of
939       the perl core distribution (e.g. URI), it is (currently) up to the user
940       to provide these modules. The decoding usually fails with an exception
941       if the required module cannot be loaded.
942
943       0, 1 (date/time string, seconds since the epoch)
944           These tags are decoded into Time::Piece objects. The corresponding
945           "Time::Piece::TO_CBOR" method always encodes into tag 1 values
946           currently.
947
948           The Time::Piece API is generally surprisingly bad, and fractional
949           seconds are only accidentally kept intact, so watch out. On the
950           plus side, the module comes with perl since 5.10, which has to
951           count for something.
952
953       2, 3 (positive/negative bignum)
954           These tags are decoded into Math::BigInt objects. The corresponding
955           "Math::BigInt::TO_CBOR" method encodes "small" bigints into normal
956           CBOR integers, and others into positive/negative CBOR bignums.
957
958       4, 5, 264, 265 (decimal fraction/bigfloat)
959           Both decimal fractions and bigfloats are decoded into
960           Math::BigFloat objects. The corresponding "Math::BigFloat::TO_CBOR"
961           method always encodes into a decimal fraction (either tag 4 or
962           264).
963
964           NaN and infinities are not encoded properly, as they cannot be
965           represented in CBOR.
966
967           See "BIGNUM SECURITY CONSIDERATIONS" for more info.
968
969       30 (rational numbers)
970           These tags are decoded into Math::BigRat objects. The corresponding
971           "Math::BigRat::TO_CBOR" method encodes rational numbers with
972           denominator 1 via their numerator only, i.e., they become normal
973           integers or "bignums".
974
975           See "BIGNUM SECURITY CONSIDERATIONS" for more info.
976
977       21, 22, 23 (expected later JSON conversion)
978           CBOR::XS is not a CBOR-to-JSON converter, and will simply ignore
979           these tags.
980
981       32 (URI)
982           These objects decode into URI objects. The corresponding
983           "URI::TO_CBOR" method again results in a CBOR URI value.
984

CBOR and JSON

986       CBOR is supposed to implement a superset of the JSON data model, and
987       is, with some coercion, able to represent all JSON texts (something
988       that other "binary JSON" formats such as BSON generally do not
989       support).
990
991       CBOR implements some extra hints and support for JSON interoperability,
992       and the spec offers further guidance for conversion between CBOR and
993       JSON. None of this is currently implemented in CBOR, and the guidelines
994       in the spec do not result in correct round-tripping of data. If JSON
995       interoperability is improved in the future, then the goal will be to
996       ensure that decoded JSON data will round-trip encoding and decoding to
997       CBOR intact.
998

SECURITY CONSIDERATIONS

1000       Tl;dr... if you want to decode or encode CBOR from untrusted sources,
1001       you should start with a coder object created via "new_safe" (which
1002       implements the mitigations explained below):
1003
1004          my $coder = CBOR::XS->new_safe;
1005
1006          my $data = $coder->decode ($cbor_text);
1007          my $cbor = $coder->encode ($data);
1008
1009       Longer version: When you are using CBOR in a protocol, talking to
1010       untrusted potentially hostile creatures requires some thought:
1011
1012       Security of the CBOR decoder itself
1013           First and foremost, your CBOR decoder should be secure, that is,
1014           should not have any buffer overflows or similar bugs that could
1015           potentially be exploited. Obviously, this module should ensure that
1016           and I am trying hard on making that true, but you never know.
1017
1018       CBOR::XS can invoke almost arbitrary callbacks during decoding
1019           CBOR::XS supports object serialisation - decoding CBOR can cause
1020           calls to any "THAW" method in any package that exists in your
1021           process (that is, CBOR::XS will not try to load modules, but any
1022           existing "THAW" method or function can be called, so they all have
1023           to be secure).
1024
1025           Less obviously, it will also invoke "TO_CBOR" and "FREEZE" methods
1026           - even if all your "THAW" methods are secure, encoding data
1027           structures from untrusted sources can invoke those and trigger bugs
1028           in those.
1029
1030           So, if you are not sure about the security of all the modules you
1031           have loaded (you shouldn't), you should disable this part using
1032           "forbid_objects" or using "new_safe".
1033
1034       CBOR can be extended with tags that call library code
1035           CBOR can be extended with tags, and "CBOR::XS" has a registry of
1036           conversion functions for many existing tags that can be extended
1037           via third-party modules (see the "filter" method).
1038
1039           If you don't trust these, you should configure the "safe" filter
1040           function, "CBOR::XS::safe_filter" ("new_safe" does this), which by
1041           default only includes conversion functions that are considered
1042           "safe" by the author (but again, they can be extended by third
1043           party modules).
1044
1045           Depending on your level of paranoia, you can use the "safe" filter:
1046
1047              $cbor->filter (\&CBOR::XS::safe_filter);
1048
1049           ... your own filter...
1050
1051              $cbor->filter (sub { ... do your stuffs here ... });
1052
1053           ... or even no filter at all, disabling all tag decoding:
1054
1055              $cbor->filter (sub { });
1056
1057           This is never a problem for encoding, as the tag mechanism only
1058           exists in CBOR texts.
1059
1060       Resource-starving attacks: object memory usage
1061           You need to avoid resource-starving attacks. That means you should
1062           limit the size of CBOR data you accept, or make sure then when your
1063           resources run out, that's just fine (e.g. by using a separate
1064           process that can crash safely). The size of a CBOR string in octets
1065           is usually a good indication of the size of the resources required
1066           to decode it into a Perl structure. While CBOR::XS can check the
1067           size of the CBOR text (using "max_size" - done by "new_safe"), it
1068           might be too late when you already have it in memory, so you might
1069           want to check the size before you accept the string.
1070
1071           As for encoding, it is possible to construct data structures that
1072           are relatively small but result in large CBOR texts (for example by
1073           having an array full of references to the same big data structure,
1074           which will all be deep-cloned during encoding by default). This is
1075           rarely an actual issue (and the worst case is still just running
1076           out of memory), but you can reduce this risk by using
1077           "allow_sharing".
1078
1079       Resource-starving attacks: stack overflows
1080           CBOR::XS recurses using the C stack when decoding objects and
1081           arrays. The C stack is a limited resource: for instance, on my
1082           amd64 machine with 8MB of stack size I can decode around 180k
1083           nested arrays but only 14k nested CBOR objects (due to perl itself
1084           recursing deeply on croak to free the temporary). If that is
1085           exceeded, the program crashes. To be conservative, the default
1086           nesting limit is set to 512. If your process has a smaller stack,
1087           you should adjust this setting accordingly with the "max_depth"
1088           method.
1089
1090       Resource-starving attacks: CPU en-/decoding complexity
1091           CBOR::XS will use the Math::BigInt, Math::BigFloat and Math::BigRat
1092           libraries to represent encode/decode bignums. These can be very
1093           slow (as in, centuries of CPU time) and can even crash your program
1094           (and are generally not very trustworthy). See the next section on
1095           bignum security for details.
1096
1097       Data breaches: leaking information in error messages
1098           CBOR::XS might leak contents of your Perl data structures in its
1099           error messages, so when you serialise sensitive information you
1100           might want to make sure that exceptions thrown by CBOR::XS will not
1101           end up in front of untrusted eyes.
1102
1103       Something else...
1104           Something else could bomb you, too, that I forgot to think of. In
1105           that case, you get to keep the pieces. I am always open for hints,
1106           though...
1107

BIGNUM SECURITY CONSIDERATIONS

1109       CBOR::XS provides a "TO_CBOR" method for both Math::BigInt and
1110       Math::BigFloat that tries to encode the number in the simplest possible
1111       way, that is, either a CBOR integer, a CBOR bigint/decimal fraction
1112       (tag 4) or an arbitrary-exponent decimal fraction (tag 264). Rational
1113       numbers (Math::BigRat, tag 30) can also contain bignums as members.
1114
1115       CBOR::XS will also understand base-2 bigfloat or arbitrary-exponent
1116       bigfloats (tags 5 and 265), but it will never generate these on its
1117       own.
1118
1119       Using the built-in Math::BigInt::Calc support, encoding and decoding
1120       decimal fractions is generally fast. Decoding bigints can be slow for
1121       very big numbers (tens of thousands of digits, something that could
1122       potentially be caught by limiting the size of CBOR texts), and decoding
1123       bigfloats or arbitrary-exponent bigfloats can be extremely slow
1124       (minutes, decades) for large exponents (roughly 40 bit and longer).
1125
1126       Additionally, Math::BigInt can take advantage of other bignum
1127       libraries, such as Math::GMP, which cannot handle big floats with large
1128       exponents, and might simply abort or crash your program, due to their
1129       code quality.
1130
1131       This can be a concern if you want to parse untrusted CBOR. If it is,
1132       you might want to disable decoding of tag 2 (bigint) and 3 (negative
1133       bigint) types. You should also disable types 5 and 265, as these can be
1134       slow even without bigints.
1135
1136       Disabling bigints will also partially or fully disable types that rely
1137       on them, e.g. rational numbers that use bignums.
1138

CBOR IMPLEMENTATION NOTES

1140       This section contains some random implementation notes. They do not
1141       describe guaranteed behaviour, but merely behaviour as-is implemented
1142       right now.
1143
1144       64 bit integers are only properly decoded when Perl was built with 64
1145       bit support.
1146
1147       Strings and arrays are encoded with a definite length. Hashes as well,
1148       unless they are tied (or otherwise magical).
1149
1150       Only the double data type is supported for NV data types - when Perl
1151       uses long double to represent floating point values, they might not be
1152       encoded properly. Half precision types are accepted, but not encoded.
1153
1154       Strict mode and canonical mode are not implemented.
1155

LIMITATIONS ON PERLS WITHOUT 64-BIT INTEGER SUPPORT

1157       On perls that were built without 64 bit integer support (these are rare
1158       nowadays, even on 32 bit architectures, as all major Perl distributions
1159       are built with 64 bit integer support), support for any kind of 64 bit
1160       value in CBOR is very limited - most likely, these 64 bit values will
1161       be truncated, corrupted, or otherwise not decoded correctly. This also
1162       includes string, float, array and map sizes that are stored as 64 bit
1163       integers.
1164

THREADS

1166       This module is not guaranteed to be thread safe and there are no plans
1167       to change this until Perl gets thread support (as opposed to the
1168       horribly slow so-called "threads" which are simply slow and bloated
1169       process simulations - use fork, it's much faster, cheaper, better).
1170
1171       (It might actually work, but you have been warned).
1172

BUGS

1174       While the goal of this module is to be correct, that unfortunately does
1175       not mean it's bug-free, only that I think its design is bug-free. If
1176       you keep reporting bugs they will be fixed swiftly, though.
1177
1178       Please refrain from using rt.cpan.org or any other bug reporting
1179       service. I put the contact address into my modules for a reason.
1180

SEE ALSO

1182       The JSON and JSON::XS modules that do similar, but human-readable,
1183       serialisation.
1184
1185       The Types::Serialiser module provides the data model for true, false
1186       and error values.
1187

AUTHOR

1189        Marc Lehmann <schmorp@schmorp.de>
1190        http://home.schmorp.de/
1191
1192
1193
1194perl v5.32.1                      2021-01-26                             XS(3)
Impressum