COSESign

COSESign refers to the signing structures defined in the CBOR Object Signing and Encryption (COSE) framework, originally specified in RFC 8152 and now maintained in RFC 9052 (structures and process) and RFC 9053 (algorithms). It provides a standardized way to apply digital signatures to data carried in a CBOR envelope (the payload itself may be any byte string, not necessarily CBOR), giving authenticity and integrity assurances without encryption.

There are two principal forms: COSE_Sign and COSE_Sign1. COSE_Sign supports multiple signatures on a single payload, while COSE_Sign1 is a single-signature variant designed for simplicity and compactness. Both forms use a CBOR array representation with a protected header, an unprotected header, the payload, and one or more signatures. In COSE_Sign, the top-level structure is a four-element array [protected, unprotected, payload, signatures], where signatures is an array of per-signature triplets [protected_i, unprotected_i, signature_i], each signer carrying its own protected and unprotected headers. In COSE_Sign1, the message is a four-element array [protected, unprotected, payload, signature] carrying a single signature.

The protected header contains fields that are integrity-protected (for example, the algorithm and key identifiers), encoded as a bstr containing a serialized CBOR map; an empty protected header is encoded as a zero-length bstr rather than an empty map.

The unprotected header holds optional, non-integrity-protected parameters; anything placed there can be altered in transit without invalidating the signature, so it must not be relied on for security decisions. The payload is the data to be signed and may be nil to indicate a detached payload, in which case the recipient must obtain the payload through another channel and supply it at verification time.

Signatures are produced over a defined Sig_structure, a CBOR array that binds a context string ("Signature" for COSE_Sign, "Signature1" for COSE_Sign1), the protected headers (the body's protected header and, for COSE_Sign, the signer's own protected header), externally supplied additional authenticated data (if any; otherwise an empty bstr), and the payload into a canonical input for the cryptographic operation. Because the unprotected header is not part of this structure, the signature says nothing about its contents. Verification re-computes this structure from the received message and checks the signature against the corresponding public key or certificate; the verifier should take the algorithm from the authenticated (protected) header and confirm that it is one the key is intended for, rather than letting the message choose the algorithm freely.
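As an added example that is not code from the original page or from any COSE library, the following Go program builds, encodes, and verifies a COSE_Sign1 message with EdDSA using only the standard library. It contains a minimal CBOR encoder written for this illustration, constructs Sig_structure exactly as described above, and shows three things the text describes: a change to the unprotected header leaves the signature valid, an attempt to rewrite the protected alg is refused before any cryptography runs, and a detached payload must be supplied by the recipient to verify. The function names (Sign1Create, Sign1Verify, DemoKeys, the cbor* helpers), the key identifier "key-1", the sample payload and the fixed seed used to derive the demo key pair are all assumptions of this example. COSE_Sign would differ only in the "Signature" context string, the extra sign_protected field in Sig_structure, and one signature triplet per signer.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Minimal CBOR encoder (RFC 8949) covering only the types COSE_Sign1 needs.
// cborHead writes a major type and its argument in shortest (deterministic) form.
func cborHead(major byte, n uint64) []byte {
	switch {
	case n < 24:
		return []byte{major<<5 | byte(n)}
	case n <= 0xff:
		return []byte{major<<5 | 24, byte(n)}
	case n <= 0xffff:
		return []byte{major<<5 | 25, byte(n >> 8), byte(n)}
	default: // 32-bit lengths are enough for this example
		return []byte{major<<5 | 26, byte(n >> 24), byte(n >> 16), byte(n >> 8), byte(n)}
	}
}

func cborInt(i int64) []byte {
	if i < 0 {
		return cborHead(1, uint64(-1-i)) // major type 1 carries -1-n
	}
	return cborHead(0, uint64(i))
}
func cborBytes(b []byte) []byte { return append(cborHead(2, uint64(len(b))), b...) }
func cborText(s string) []byte  { return append(cborHead(3, uint64(len(s))), s...) }

// cborArray and cborMap take already-encoded items (map: key, value, key, value, ...).
func cborArray(items ...[]byte) []byte { return bytes.Join(append([][]byte{cborHead(4, uint64(len(items)))}, items...), nil) }
func cborMap(kv ...[]byte) []byte      { return bytes.Join(append([][]byte{cborHead(5, uint64(len(kv)/2))}, kv...), nil) }

var cborNil = []byte{0xf6}

const (
	hdrAlg   int64 = 1  // header label "alg"
	hdrKid   int64 = 4  // header label "kid"
	algEdDSA int64 = -8 // COSE Algorithms registry value for EdDSA
)

// Sign1 mirrors COSE_Sign1 = [protected, unprotected, payload, signature].
type Sign1 struct {
	Protected   []byte // encoded header map; sent as a bstr and covered by the signature
	Unprotected []byte // encoded header map; NOT covered by the signature
	Payload     []byte // nil means detached: the recipient obtains it separately
	Signature   []byte
}

// sigStructure builds Sig_structure = ["Signature1", body_protected, external_aad, payload].
func sigStructure(protected, externalAAD, payload []byte) []byte {
	return cborArray(cborText("Signature1"), cborBytes(protected), cborBytes(externalAAD), cborBytes(payload))
}

// Sign1Create signs payload (plus optional external AAD) with Ed25519 under {alg: EdDSA}.
func Sign1Create(priv ed25519.PrivateKey, kid, payload, externalAAD []byte) Sign1 {
	m := Sign1{Protected: cborMap(cborInt(hdrAlg), cborInt(algEdDSA)), Unprotected: cborMap(cborInt(hdrKid), cborBytes(kid)), Payload: payload}
	m.Signature = ed25519.Sign(priv, sigStructure(m.Protected, externalAAD, payload))
	return m
}

// Encode serializes the message as the four-element CBOR array; a detached payload is sent as nil.
func (m Sign1) Encode() []byte {
	payload := cborNil
	if m.Payload != nil {
		payload = cborBytes(m.Payload)
	}
	return cborArray(cborBytes(m.Protected), m.Unprotected, payload, cborBytes(m.Signature))
}

// Sign1Verify recomputes Sig_structure and checks the signature. It first insists the protected
// header is exactly {alg: EdDSA}: the verifier, not the message, chooses the algorithm for this key
// (a production decoder would parse the map instead of comparing bytes).
func Sign1Verify(pub ed25519.PublicKey, m Sign1, externalAAD, detachedPayload []byte) error {
	if !bytes.Equal(m.Protected, cborMap(cborInt(hdrAlg), cborInt(algEdDSA))) {
		return errors.New("protected header does not declare EdDSA; refusing to verify")
	}
	payload := m.Payload
	if payload == nil { // detached: caller must supply the payload obtained out of band
		if detachedPayload == nil {
			return errors.New("payload is detached and none was supplied")
		}
		payload = detachedPayload
	}
	if !ed25519.Verify(pub, sigStructure(m.Protected, externalAAD, payload), m.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// DemoKeys derives a fixed Ed25519 key pair from a constructed seed (example use only).
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := DemoKeys()
	m := Sign1Create(priv, []byte("key-1"), []byte("constructed payload"), nil)
	fmt.Printf("COSE_Sign1: %x\nas sent: %v\n", m.Encode(), Sign1Verify(pub, m, nil, nil))
	m.Unprotected = cborMap(cborInt(hdrKid), cborBytes([]byte("other"))) // not signed, still verifies
	fmt.Println("unprotected header altered:", Sign1Verify(pub, m, nil, nil))
	m.Protected = cborMap(cborInt(hdrAlg), cborInt(-7)) // attacker rewrites alg to ES256
	fmt.Println("protected header altered:", Sign1Verify(pub, m, nil, nil))
}
```

The encoded message begins 84 43 a1 01 27: a four-element array whose first item is a 3-byte bstr holding the map {1: -8}. The alg check in Sign1Verify runs before the signature check on purpose: a verifier that trusts the message's alg field with a key meant for a different algorithm is the classic algorithm-confusion mistake, and here the protected header cannot be swapped unnoticed because the signature is computed over it.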

Supported algorithms come from the IANA COSE Algorithms registry and include the RSA (RSASSA-PSS, added by RFC 8230), ECDSA (ES256, ES384, ES512), and EdDSA families. COSE_Sign is commonly used when multiple entities must co-sign a message, while COSE_Sign1 suits single-signer scenarios, such as compact tokens (for example CBOR Web Tokens) in constrained environments.