baseXX API strictness
We should think about how strict to make decoders for our baseXX APIs. In some situations, it improves security to only have a single canonical encoding for any particular value. We should see where this is true in our code.
Base16
- case sensitivity (currently case-insensitive)
Base32
- case sensitivity (currently case-insensitive -- also the standard default is uppercase and we use lowercase)
- padding strictness (currently no padding at all, even with odd lengths?)
- trailing bits strictness (in an odd-length decode, there might be leftover bits in the final non-padding character. for a canonical encoding, they should all be zero)
Base64
- padding strictness
- padding
=
characters only at end (currently any padding characters terminate decoding) - correct number of padding characters (currently not checked)
- whitespace? (maybe only if explicitly allowed?) currently we allow any whitespace
- trailing bits strictness (in an odd-length decode, there might be leftover bits in the final non-padding character. for a canonical encoding, they should all be zero)