Skip to content

Generating COSE signatures #65

New issue
New issue
Open
Open
Generating COSE signatures#65
@atyndall

Description

@atyndall
atyndall
opened on Oct 4, 2024

It's ambiguous in the docs that this library doesn't assist you with the generation of COSE signatures, some of the examples imply it might, but it became clear to me after testing that this doesn't seem to be supported?

It would be good to make this clearer, or add the functionality.

To assist any users who come by the Github and have the same issue, here is some sample code I wrote that can successfully generate the COSE signatures.

It's not production ready, but it does work, and proves the core concepts.

class ExampleSigner
  attr_reader :algorithm, :sig_method

  def initialize(algorithm, sig_method)
    @algorithm = COSE::Algorithm.find(algorithm)
    @sig_method = COSE.const_get(sig_method)
  end

  def generate_key
    signer.generate_signing_key.verify_key.serialize
  end

  def sign(unsigned_payload)
    CBOR::Tagged.new(sig_method.tag, [
                       CBOR.encode(protected_header),
                       unprotected_header,
                       unsigned_payload,
                       signature(unsigned_payload)
                     ]).to_cbor
  end

  def verify(signed_payload, verify_key)
    signed_cwt = sig_method.deserialize(signed_payload)
    cose_key = COSE::Key::EC2.from_pkey(signer.class::VerifyKey.deserialize(verify_key).send(:__getobj__))
    signed_cwt.verify(cose_key)
  end

  private

  def signer
    @signer ||= algorithm.send(:signature_algorithm_class).new(**algorithm.send(:signature_algorithm_parameters))
  end

  def protected_header
    { COSE::SecurityMessage::Headers::HEADER_LABEL_ALG => algorithm.id }
  end

  def unprotected_header
    {}
  end

  def external_aad
    nil
  end

  def sig_structure(unsigned_payload)
    CBOR.encode([
                  sig_method::CONTEXT,
                  CBOR.encode(protected_header),
                  external_aad || COSE::SecurityMessage::ZERO_LENGTH_BIN_STRING,
                  unsigned_payload
                ])
  end

  def signature(unsigned_payload)
    signer.sign(sig_structure(unsigned_payload))
  end
end

CWT_ISSUER = 1
CWT_EXPIRATION = 4
CWT_NOT_BEFORE = 5
CWT_ISSUED_AT = 6

# Example CWT payload
unsigned_payload = {CWT_ISSUER=>'my_issuer',
           CWT_EXPIRATION=>1_735_689_599,
           CWT_NOT_BEFORE=>1_704_067_200,
           CWT_ISSUED_AT=>1_727_998_532}

s = ExampleSigner.new('ES256', 'Sign1')
public_key = s.generate_key

signed_payload = s.sign(unsigned_payload)

if s.verify(signed_payload, public_key)
  puts "Verified successfully!"
else
  puts "Verification failed!"
end

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions