Skip to content

Add support for CWT Claims & Type in Protected Headers #183

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
OR13 wants to merge 18 commits into from
+150 −3
Closed

Add support for CWT Claims & Type in Protected Headers #183

Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
bc4610a
add initial test
Jan 26, 2024
25991e9
fix test
Jan 26, 2024
203b417
add basic test for cwt
Jan 26, 2024
adc1599
Update cwt_test.go
yogeshbdeshpande Mar 8, 2024
a379d94
Update cwt_test.go
OR13 Apr 5, 2024
1a0f2e1
Update Readme for latest release (#182)
SteveLasker Jan 26, 2024
c7cee92
add typ and validation
Apr 7, 2024
026b364
add initial test
Jan 26, 2024
a0aff97
fix test
Jan 26, 2024
65cbebc
add basic test for cwt
Jan 26, 2024
9c30e67
Update cwt_test.go
yogeshbdeshpande Mar 8, 2024
51788e9
Update cwt_test.go
OR13 Apr 5, 2024
acc2fef
Update Readme for latest release (#182)
SteveLasker Jan 26, 2024
53cc3cc
add typ and validation
Apr 7, 2024
479710f
Update cwt.go
SteveLasker Jun 21, 2024
c9f2ab1
Update cwt_test.go
SteveLasker Jun 21, 2024
4c57853
Update cwt_test.go
OR13 Jun 21, 2024
1980457
Merge
Jun 21, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ A golang library for the [COSE specification][cose-spec]

## Project Status

**Current Release**: [go-cose v1.0.0][current-release]
**Current Release**: [go-cose v1.1.0][current-release]

The project was *initially* forked from the upstream [mozilla-services/go-cose][mozilla-go-cose] project, however the Veraison and Mozilla maintainers have agreed to retire the mozilla-services/go-cose project and focus on [veraison/go-cose][veraison-go-cose] as the active project.

Expand Down Expand Up @@ -243,4 +243,4 @@ go test -fuzz=FuzzSign1
[mozilla-contributors]: https://github.com/mozilla-services/go-cose/graphs/contributors
[mozilla-go-cose]: http://github.com/mozilla-services/go-cose
[veraison-go-cose]: https://github.com/veraison/go-cose
[current-release]: https://github.com/veraison/go-cose/releases/tag/v1.0.0
[current-release]: https://github.com/veraison/go-cose/releases/tag/v1.1.0
20 changes: 20 additions & 0 deletions cwt.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
package cose

// https://www.iana.org/assignments/cwt/cwt.xhtml
const (
CWTClaimIssuer int64 = 1
CWTClaimSubject int64 = 2
CWTClaimAudience int64 = 3
CWTClaimExpirationTime int64 = 4
CWTClaimNotBefore int64 = 5
CWTClaimIssuedAt int64 = 6
CWTClaimCWTID int64 = 7
CWTClaimConfirmation int64 = 8
CWTClaimScope int64 = 9

// TODO: the rest upon request
Copy link
Contributor Author

@OR13 OR13 Jan 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think it is smart to add the whole registry in the first PR.

Copy link
Contributor

@SteveLasker SteveLasker Mar 8, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Based on the above, it looks like we have the minimal code needed to proceed.

Copy link
Contributor

@yogeshbdeshpande yogeshbdeshpande Mar 8, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should add what is bare minimum required, and then extend it when a new point needs to be registered!

Copy link
Contributor

@thomas-fossati thomas-fossati Jun 21, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[...] and then extend it when a new point needs to be registered!

Sorry, I have probably missed the right conversations, but I am not sure I get what the strategy is. There are 10's of claims already registered. What is the criterion for promoting them from the CWT Claims registry to consts in the cose package?

I think we should explicitly document how to add new claims here.

)

// CWTClaims contains parameters that are to be cryptographically
// protected.
type CWTClaims map[any]any
82 changes: 82 additions & 0 deletions cwt_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
package cose_test

import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"fmt"

"github.com/veraison/go-cose"
)

// This example demonstrates signing and verifying COSE_Sign1 signatures.
func ExampleCWTMessage() {

// create message to be signed
msgToSign := cose.NewSign1Message()
msgToSign.Payload = []byte("hello world")
msgToSign.Headers.Protected.SetAlgorithm(cose.AlgorithmES512)

msgToSign.Headers.Protected.SetType("application/cwt")
claims := make(cose.CWTClaims)
claims[cose.CWTClaimIssuer] = "issuer.example"
claims[cose.CWTClaimSubject] = "subject.example"
msgToSign.Headers.Protected.SetCWTClaims(claims)

msgToSign.Headers.Unprotected[cose.HeaderLabelKeyID] = []byte("1")

// create a signer
privateKey, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
if err != nil {
panic(err)
}
signer, err := cose.NewSigner(cose.AlgorithmES512, privateKey)
if err != nil {
panic(err)
}

// sign message
err = msgToSign.Sign(rand.Reader, nil, signer)
if err != nil {
panic(err)
}
sig, err := msgToSign.MarshalCBOR()
// uncomment to review EDN
// coseSign1Diagnostic, err := cbor.Diagnose(sig)
// fmt.Println(coseSign1Diagnostic)
if err != nil {
panic(err)
}
fmt.Println("message signed")

// create a verifier from a trusted public key
publicKey := privateKey.Public()
verifier, err := cose.NewVerifier(cose.AlgorithmES512, publicKey)
if err != nil {
panic(err)
}

// verify message
var msgToVerify cose.Sign1Message
err = msgToVerify.UnmarshalCBOR(sig)
if err != nil {
panic(err)
}
err = msgToVerify.Verify(nil, verifier)
if err != nil {
panic(err)
}
fmt.Println("message verified")

// tamper the message and verification should fail
msgToVerify.Payload = []byte("foobar")
Copy link
Contributor Author

@OR13 OR13 Jan 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for this test, it might be better to tamper with the protected header.

err = msgToVerify.Verify(nil, verifier)
if err != cose.ErrVerification {
panic(err)
}
fmt.Println("verification error as expected")
// Output:
// message signed
// message verified
// verification error as expected
}
47 changes: 46 additions & 1 deletion headers.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,8 @@ const (
HeaderLabelCounterSignature0 int64 = 9
HeaderLabelCounterSignatureV2 int64 = 11
HeaderLabelCounterSignature0V2 int64 = 12
HeaderLabelCWTClaims int64 = 15
HeaderLabelType int64 = 16
HeaderLabelX5Bag int64 = 32
HeaderLabelX5Chain int64 = 33
HeaderLabelX5T int64 = 34
Expand Down Expand Up @@ -97,11 +99,35 @@ func (h *ProtectedHeader) UnmarshalCBOR(data []byte) error {
return nil
}

// SetAlgorithm sets the algorithm value to the algorithm header.
// SetAlgorithm sets the algorithm value of the protected header.
func (h ProtectedHeader) SetAlgorithm(alg Algorithm) {
h[HeaderLabelAlgorithm] = alg
}

// SetType sets the type of the cose object in the protected header.
func (h ProtectedHeader) SetType(typ any) (any, error) {
if !canTstr(typ) && !canUint(typ) {
return typ, errors.New("header parameter: type: require tstr / uint type")
}
h[HeaderLabelType] = typ
return typ, nil
}

// SetCWTClaims sets the CWT Claims value of the protected header.
func (h ProtectedHeader) SetCWTClaims(claims CWTClaims) (CWTClaims, error) {
iss, hasIss := claims[1]
if hasIss && !canTstr(iss) {
return claims, errors.New("cwt claim: iss: require tstr")
}
sub, hasSub := claims[2]
if hasSub && !canTstr(sub) {
return claims, errors.New("cwt claim: sub: require tstr")
}
// TODO: validate claims, other claims
h[HeaderLabelCWTClaims] = claims
return claims, nil
}

// Algorithm gets the algorithm value from the algorithm header.
func (h ProtectedHeader) Algorithm() (Algorithm, error) {
value, ok := h[HeaderLabelAlgorithm]
Expand Down Expand Up @@ -471,6 +497,25 @@ func validateHeaderParameters(h map[any]any, protected bool) error {
if err := ensureCritical(value, h); err != nil {
return fmt.Errorf("header parameter: crit: %w", err)
}
case HeaderLabelType:
is_tstr := canTstr(value)
if !is_tstr && !canUint(value) {
return errors.New("header parameter: type: require tstr / uint type")
}
if is_tstr {
v := value.(string)
if len(v) == 0 {
return errors.New("header parameter: type: require non-empty string")
}
if v[0] == ' ' || v[len(v)-1] == ' ' {
return errors.New("header parameter: type: require no leading/trailing whitespace")
}
// Basic check that the content type is of form type/subtype.
// We don't check the precise definition though (RFC 6838 Section 4.2).
if strings.Count(v, "/") != 1 {
return errors.New("header parameter: type: require text of form type/subtype")
}
}
case HeaderLabelContentType:
is_tstr := canTstr(value)
if !is_tstr && !canUint(value) {
Expand Down