First mirror commit.
57 files changed
tree: ee29224e85f5aff91b12582ade5e2f6ad9907162
  1. GOIMPORT/
  2. scripts/
  3. testdata/
  4. algorithm.go
  5. algorithm_test.go
  6. bench_test.go
  7. BUILD
  8. cbor.go
  9. cbor_test.go
  10. CODE_OF_CONDUCT.md
  11. conformance_test.go
  12. ecdsa.go
  13. ecdsa_test.go
  14. ed25519.go
  15. ed25519_test.go
  16. errors.go
  17. example_test.go
  18. fuzz_test.go
  19. go.mod
  20. go.sum
  21. headers.go
  22. headers_test.go
  23. LICENSE
  24. README.md
  25. rsa.go
  26. rsa_test.go
  27. sign.go
  28. sign1.go
  29. sign1_test.go
  30. sign_test.go
  31. signer.go
  32. signer_test.go
  33. verifier.go
  34. verifier_test.go
README.md

go-cose


A COSE library for Go.

Installation

go-cose is compatible with modern Go releases in module mode, with Go installed:

go get github.com/veraison/go-cose

will resolve and add the package to the current development module, along with its dependencies.

Alternatively the same can be achieved if you use import in a package:

import "github.com/veraison/go-cose"

and run go get without parameters.

Finally, to use the top-of-trunk version of this repo, use the following command:

go get github.com/veraison/go-cose@main

Usage

import "github.com/veraison/go-cose"

Construct a new COSE_Sign1 message, then sign it using ECDSA w/ SHA-512 and finally marshal it. For example:

// create a signer
privateKey, _ := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
signer, _ := cose.NewSigner(cose.AlgorithmES512, privateKey)

// create message to be signed
msg := cose.NewSign1Message()
msg.Payload = []byte("hello world")
msg.Headers.Protected.SetAlgorithm(cose.AlgorithmES512)

// sign message
_ = msg.Sign(rand.Reader, nil, signer)

// marshal message
data, _ := msg.MarshalCBOR()

Verify a raw COSE_Sign1 message. For example:

// create a verifier from a trusted public key (derived here from the private key)
publicKey := privateKey.Public()
verifier, _ := cose.NewVerifier(cose.AlgorithmES512, publicKey)

// create a sign message from a raw COSE_Sign1 payload
var msg cose.Sign1Message
_ = msg.UnmarshalCBOR(raw)
if err := msg.Verify(nil, verifier); err != nil {
	// the signature did not validate: reject the message
}
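What an ES512 signature such as the one produced above looks like on the wire: RFC 8152 section 8.1 carries ECDSA signatures as fixed-length r || s (2 x 66 bytes for P-521), not ASN.1 DER, so a verifier should reject any other length before parsing. This is an added example using only the Go standard library, not go-cose's own code; signES512 and verifyES512 are hypothetical helpers, and the signed bytes are a constructed stand-in for the COSE Sig_structure.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
	"math/big"
)

// signES512 (hypothetical helper, not go-cose API) signs SHA-512(tbs) and returns r || s.
func signES512(key *ecdsa.PrivateKey, tbs []byte) ([]byte, error) {
	digest := sha512.Sum512(tbs)
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	n := (key.Curve.Params().BitSize + 7) / 8 // 66 bytes for P-521
	sig := make([]byte, 2*n)
	r.FillBytes(sig[:n]) // big-endian, left-padded with zeros
	s.FillBytes(sig[n:])
	return sig, nil
}

// verifyES512 (hypothetical helper) enforces the exact length before splitting r and s.
func verifyES512(pub *ecdsa.PublicKey, tbs, sig []byte) error {
	n := (pub.Curve.Params().BitSize + 7) / 8
	if len(sig) != 2*n {
		return fmt.Errorf("signature is %d bytes, want %d", len(sig), 2*n)
	}
	r := new(big.Int).SetBytes(sig[:n])
	s := new(big.Int).SetBytes(sig[n:])
	digest := sha512.Sum512(tbs)
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return fmt.Errorf("signature verification failed")
	}
	return nil
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tbs := []byte("constructed Sig_structure bytes") // constructed sample input
	sig, err := signES512(key, tbs)
	fmt.Println(len(sig), err, verifyES512(&key.PublicKey, tbs, sig))
}
```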

Features

Signing and Verifying Objects

go-cose supports two different signature structures:

  • COSE_Sign1
  • COSE_Sign

Warning: The COSE_Sign API is currently EXPERIMENTAL and may be changed or removed in a later release. In addition, the amount of functional and security testing it has received so far is significantly lower than the COSE_Sign1 API.

Built-in Algorithms

go-cose has built-in support for the following algorithms:

  • PS{256,384,512}: RSASSA-PSS w/ SHA as defined in RFC 8230.
  • ES{256,384,512}: ECDSA w/ SHA as defined in RFC 8152.
  • Ed25519: PureEdDSA as defined in RFC 8152.

Custom Algorithms

The supported algorithms can be extended at runtime by using cose.RegisterAlgorithm.

API docs

Conformance Tests

go-cose runs the GlueCOSE test suite on every local go test execution. These are also executed on every CI job.

Fuzz Tests

go-cose implements several fuzz tests using Go's native fuzzing.

Fuzzing requires Go 1.18 or higher, and can be executed as follows:

go test -fuzz=FuzzSign1