Payload as a file:
curl -L 'https://playground-cose-eastus-api.azurewebsites.net/signature/create' -X POST \ --form payloadfile='@./my/payload/file.txt' \ -o signature.cose
Payload as a hex value:
curl -L 'https://playground-cose-eastus-api.azurewebsites.net/signature/create' -X POST \ --form payloadhex='d2845828a301260446666f6f...17219018758186469643a77' \ -o signature.cose
Payload as plain text:
curl -L 'https://playground-cose-eastus-api.azurewebsites.net/signature/create' -X POST \ --form payload='{"foo":"bar"}' \ --form headerkey='3' \ --form headerval='application/json' \ -o signature.cose
Adding multiple headers:
curl -L 'https://playground-cose-eastus-api.azurewebsites.net/signature/create' -X POST \ --form payloadfile='@./my/payload/file' \ --form headerkey='3' \ --form headerval='some/type' \ --form headerkey='15.1' \ --form headerval='did:x509:0:sha256:WE4P5dd8DnLHSkyHaIjhp4udlkF9LqoKwCvu9gl38jk::subject:C:US:ST:California:O:My%20Organisation' \ --form headerkey='33[0]' \ --form headerval='base64Cert' \ --form headerkey='33[1]' \ --form headerval='anotherBase64Cert' \ -o signature.cose
Using a file:
curl -L 'https://playground-cose-eastus-api.azurewebsites.net/signature/verify' -X POST \ --form signaturefile='@./my/signature/file.cose'
Using a hex value:
curl -L 'https://playground-cose-eastus-api.azurewebsites.net/signature/verify' -X POST \ --form signaturehex='d2845828a301260446666f6f...17219018758186469643a77'
Verification supports COSE_Sign1 signing envelopes with did:web or did:x509 issuers. Issuers are expected to be within CWT header. In case of did:web server will attempt to download did document from the issuer, will search for the public key in it and will use it for verification. In case of did:x509 verification will verify x5c chain, will compare CA cert thumbprint with the one in the issuer string and will verify additional signing cert policies (only subject policy is supported here).
Using a file:
curl -L 'https://playground-cose-eastus-api.azurewebsites.net/receipt/create' -X POST \ --form signaturefile='@./my/signature/file.cose' --form receipttype='embedded'
Using a hex value:
curl -L 'https://playground-cose-eastus-api.azurewebsites.net/receipt/create' -X POST \ --form signaturehex='d2845828a301260446666f6f...17219018758186469643a77' --form receipttype='embedded'
This implementation produces a full countersignature - COSE_Countersignature. It contains a signature over the details of the submitted COSE_Sign1 parts (CounterSignatureV2). Please refer to RFC9338 for more details on countersignatures. In case when countersignature gets embedded into the original signature, then unprotected header "11" will be used.
Using a file:
curl -L 'https://playground-cose-eastus-api.azurewebsites.net/receipt/verify' -X POST \ --form signaturefile='@./my/signature/file.cose' --form receiptfile='@./my/signature/receipt.cbor'
Using a hex value:
curl -L 'https://playground-cose-eastus-api.azurewebsites.net/receipt/verify' -X POST \ --form signaturehex='d2845828a301260446666f6f...17219018758186469643a77' --form receipthex='d2845828a301260446666f6f...17219018758186469643a77'
For the verification it is necessary to have both the receipt and the original signature. The receipt might be embedded into the original signature or be a separate file. If receipt is embedded it is expected to be in the unprotected header "11".
This is a playground for COSE signatures and countersignatures. It is implemented in Go and is opensource.
I needed this playground to quickly create signatures when developing tools that rely on them. It is not perfect but is fairly easy to use and is extensible.
To preview signature use the following websites