COSE signatures

Signatures

Create new

Use the file if you have it, or
If you do not have a file but know the file representation in HEX then use this field
If you do not have the file to upload but just its text content then use this field.
A did:web issuer is the location where the .well-known/did.json file is hosted. A did:x509 issuer includes the X.509 certificate chain, and the issuer string contains the CA thumbprint and details about the signing certificate.
Header Value
Header keys are usually ints (see IANA). Use dot notation to create maps and brackets for arrays (with limitations). To add more, use the API instead. Default COSE protected headers: 15: [ 1: did:web:playground-cose-eastus-api.azurewebsites.net, 2: demo ], 1: ES256, 3: text/plain, 4: #keyid
Create with cURL

Payload as a file:

curl -L 'https://playground-cose-eastus-api.azurewebsites.net/signature/create' -X POST \
                  --form payloadfile='@./my/payload/file.txt' \
                  -o signature.cose

Payload as a hex value:

curl -L 'https://playground-cose-eastus-api.azurewebsites.net/signature/create' -X POST \
                  --form payloadhex='d2845828a301260446666f6f...17219018758186469643a77' \
                  -o signature.cose

Payload as plain text:

curl -L 'https://playground-cose-eastus-api.azurewebsites.net/signature/create' -X POST \
                  --form payload='{"foo":"bar"}' \
                  --form headerkey='3' \
                  --form headerval='application/json' \
                  -o signature.cose

Adding multiple headers:

curl -L 'https://playground-cose-eastus-api.azurewebsites.net/signature/create' -X POST \
                  --form payloadfile='@./my/payload/file' \
                  --form headerkey='3' \
                  --form headerval='some/type' \
                  --form headerkey='15.1' \
                  --form headerval='did:x509:0:sha256:WE4P5dd8DnLHSkyHaIjhp4udlkF9LqoKwCvu9gl38jk::subject:C:US:ST:California:O:My%20Organisation' \
                  --form headerkey='33[0]' \
                  --form headerval='base64Cert' \
                  --form headerkey='33[1]' \
                  --form headerval='anotherBase64Cert' \
                  -o signature.cose

Verify

Attach the cose file if you have it, or
If you do not have a file but know the signature representation in HEX then use this field
Verify with cURL

Using a file:

curl -L 'https://playground-cose-eastus-api.azurewebsites.net/signature/verify' -X POST \
                  --form signaturefile='@./my/signature/file.cose'

Using a hex value:

curl -L 'https://playground-cose-eastus-api.azurewebsites.net/signature/verify' -X POST \
                  --form signaturehex='d2845828a301260446666f6f...17219018758186469643a77'

Verification supports COSE_Sign1 signing envelopes with did:web or did:x509 issuers. The issuer is expected to be in the CWT header. For did:web, the server attempts to download the DID document from the issuer, searches it for the public key, and uses that key for verification. For did:x509, verification checks the x5c chain, compares the CA certificate thumbprint with the one in the issuer string, and verifies additional signing certificate policies (only the subject policy is supported here).
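The did:x509 issuer checks described above (thumbprint pinning and the subject policy), as an added example in Go; it is not the playground's own code. It assumes the x5c chain has already been validated, that the thumbprint is the unpadded base64url SHA-256 of a CA certificate's DER bytes, and that the caller passes the signing certificate's subject as a map; CheckIssuer and Thumbprint are hypothetical names.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// Thumbprint: unpadded base64url SHA-256 of a DER certificate (assumed encoding).
func Thumbprint(der []byte) string {
	sum := sha256.Sum256(der)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// CheckIssuer parses did:x509:0:sha256:<thumbprint>::subject:<key>:<value>:... and checks
// it against the chain's CA certificates (DER) and the signing certificate's subject fields.
func CheckIssuer(did string, caDER [][]byte, leaf map[string]string) error {
	parts := strings.Split(did, "::")
	head := strings.Split(parts[0], ":")
	if len(parts) != 2 || len(head) != 5 || strings.Join(head[:4], ":") != "did:x509:0:sha256" {
		return fmt.Errorf("not a did:x509 v0 sha256 issuer with one policy")
	}
	pinned := false
	for _, der := range caDER {
		pinned = pinned || Thumbprint(der) == head[4]
	}
	if !pinned {
		return fmt.Errorf("no CA certificate matches thumbprint %s", head[4])
	}
	f := strings.Split(parts[1], ":")
	if f[0] != "subject" || len(f) < 3 || len(f)%2 == 0 {
		return fmt.Errorf("unsupported or malformed policy %q", parts[1])
	}
	for i := 1; i < len(f); i += 2 {
		want, err := url.PathUnescape(f[i+1]) // values are percent-encoded
		if err != nil || leaf[f[i]] != want {
			return fmt.Errorf("subject field %s does not match", f[i])
		}
	}
	return nil
}

func main() {
	ca := []byte("constructed stand-in for CA certificate DER")
	did := "did:x509:0:sha256:" + Thumbprint(ca) + "::subject:C:US:O:My%20Organisation"
	fmt.Println(CheckIssuer(did, [][]byte{ca}, map[string]string{"C": "US", "O": "My Organisation"}))
}
```

Every field named in the issuer string must match the signing certificate exactly; fields the certificate carries but the issuer does not name are ignored.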


Countersignatures aka transparent statements aka receipts

Countersign

Attach the cose file if you have it, or
If you do not have a file but know the signature representation in HEX then use this field
Specify how you want the receipt to be issued. The embedded option suits cases where you want to keep the signature and countersignature in one file.
Countersign with cURL

Using a file:

curl -L 'https://playground-cose-eastus-api.azurewebsites.net/receipt/create' -X POST \
                  --form signaturefile='@./my/signature/file.cose' \
                  --form receipttype='embedded'

Using a hex value:

curl -L 'https://playground-cose-eastus-api.azurewebsites.net/receipt/create' -X POST \
                  --form signaturehex='d2845828a301260446666f6f...17219018758186469643a77' \
                  --form receipttype='embedded'

This implementation produces a full countersignature, COSE_Countersignature. It contains a signature over the details of the submitted COSE_Sign1 parts (CounterSignatureV2). Please refer to RFC 9338 for more details on countersignatures. When the countersignature is embedded into the original signature, unprotected header "11" is used.

Verify countersignature

Attach the cose file if you have it, or
If you do not have a file but know the signature representation in HEX then use this field
Attach the receipt file if you have it, or
If you do not have a file but know the representation in HEX then use this field
Verify with cURL

Using a file:

curl -L 'https://playground-cose-eastus-api.azurewebsites.net/receipt/verify' -X POST \
                  --form signaturefile='@./my/signature/file.cose' \
                  --form receiptfile='@./my/signature/receipt.cbor'

Using a hex value:

curl -L 'https://playground-cose-eastus-api.azurewebsites.net/receipt/verify' -X POST \
                  --form signaturehex='d2845828a301260446666f6f...17219018758186469643a77' \
                  --form receipthex='d2845828a301260446666f6f...17219018758186469643a77'

Verification requires both the receipt and the original signature. The receipt may be embedded into the original signature or be a separate file. If the receipt is embedded, it is expected to be in the unprotected header "11".


About

This is a playground for COSE signatures and countersignatures. It is implemented in Go and is open source.

I needed this playground to quickly create signatures when developing tools that rely on them. It is not perfect but is fairly easy to use and is extensible.

To preview signature use the following websites