Add --payload-location option for IndirectSignature

CoseIndirectSignature.Tests/IndirectSignatureFactoryTests.cs

@@ -440,4 +440,66 @@ public void TestCreateIndirectSignatureAlreadyProvided()
         IndirectSignature.TryGetPayloadHashAlgorithm(out CoseHashAlgorithm? algo).Should().BeTrue();
         algo!.Should().Be(CoseHashAlgorithm.SHA256);
     }
+
+    [Test]
+    public async Task TestCreateIndirectSignatureAsyncWithPayloadLocation()
+    {
+        ICoseSigningKeyProvider coseSigningKeyProvider = TestUtils.SetupMockSigningKeyProvider();
+        using IndirectSignatureFactory factory = new();
+        byte[] randomBytes = new byte[50];
+        new Random().NextBytes(randomBytes);
+        string testPayloadLocation = "https://example.com/payload/test.bin";
+
+        using MemoryStream memStream = new(randomBytes);
+        CoseSign1Message indirectSignature = await factory.CreateIndirectSignatureAsync(
+            memStream,
+            coseSigningKeyProvider,
+            "application/test.payload",
+            IndirectSignatureFactory.IndirectSignatureVersion.CoseHashEnvelope,
+            payloadLocation: testPayloadLocation);
+
+        // Verify it's an indirect signature
+        indirectSignature.IsIndirectSignature().Should().BeTrue();
+        indirectSignature.SignatureMatches(randomBytes).Should().BeTrue();
+
+        // Verify PayloadLocation header is set correctly
+        indirectSignature.TryGetPayloadLocation(out string? actualLocation).Should().BeTrue();
+        actualLocation.Should().Be(testPayloadLocation);
+
+        // Verify other headers are also correct
+        indirectSignature.TryGetPreImageContentType(out string? payloadType).Should().Be(true);
+        payloadType!.Should().Be("application/test.payload");
+        indirectSignature.TryGetPayloadHashAlgorithm(out CoseHashAlgorithm? algo).Should().BeTrue();
+        algo!.Should().Be(CoseHashAlgorithm.SHA256);
+    }
+
+    [Test]
+    public async Task TestCreateIndirectSignatureAsyncWithoutPayloadLocation()
+    {
+        ICoseSigningKeyProvider coseSigningKeyProvider = TestUtils.SetupMockSigningKeyProvider();
+        using IndirectSignatureFactory factory = new();
+        byte[] randomBytes = new byte[50];
+        new Random().NextBytes(randomBytes);
+
+        using MemoryStream memStream = new(randomBytes);
+        CoseSign1Message indirectSignature = await factory.CreateIndirectSignatureAsync(
+            memStream,
+            coseSigningKeyProvider,
+            "application/test.payload",
+            IndirectSignatureFactory.IndirectSignatureVersion.CoseHashEnvelope);
+
+        // Verify it's an indirect signature
+        indirectSignature.IsIndirectSignature().Should().BeTrue();
+        indirectSignature.SignatureMatches(randomBytes).Should().BeTrue();
+
+        // Verify PayloadLocation header is NOT set
+        indirectSignature.TryGetPayloadLocation(out string? actualLocation).Should().BeFalse();
+        actualLocation.Should().BeNull();
+
+        // Verify other headers are correct
+        indirectSignature.TryGetPreImageContentType(out string? payloadType).Should().Be(true);
+        payloadType!.Should().Be("application/test.payload");
+        indirectSignature.TryGetPayloadHashAlgorithm(out CoseHashAlgorithm? algo).Should().BeTrue();
+        algo!.Should().Be(CoseHashAlgorithm.SHA256);
+    }
 }

CoseIndirectSignature/IndirectSignatureFactory.CoseHashEnvelope.cs

@@ -19,6 +19,7 @@ public sealed partial class IndirectSignatureFactory
     /// <param name="bytePayload">If streamPayload is null then this must be specified and must not be null and will use the Byte API's on the CoseSign1MesssageFactory</param>
     /// <param name="payloadHashed">True if the payload represents the raw hash</param>
     /// <param name="headerExtender">Optional header extender to add custom headers to the COSE message.</param>
+    /// <param name="payloadLocation">Optional URI indicating where the payload can be retrieved from.</param>
     /// <returns>Either a CoseSign1Message or a ReadOnlyMemory{byte} representing the CoseSign1Message object.</returns>
     /// <exception cref="ArgumentNullException">The contentType parameter was empty or null</exception>
     /// <exception cref="ArgumentNullException">Either streamPayload or bytePayload must be specified, but not both at the same time, or both cannot be null</exception>
@@ -30,7 +31,8 @@ private object CreateIndirectSignatureWithChecksInternalCoseHashEnvelopeFormat(
         Stream? streamPayload = null,
         ReadOnlyMemory<byte>? bytePayload = null,
         bool payloadHashed = false,
-        ICoseHeaderExtender? headerExtender = null)
+        ICoseHeaderExtender? headerExtender = null,
+        string? payloadLocation = null)
     {
         ReadOnlyMemory<byte> hash;
         HashAlgorithmName algoName = InternalHashAlgorithmName;
@@ -57,8 +59,8 @@ private object CreateIndirectSignatureWithChecksInternalCoseHashEnvelopeFormat(
         }
 
         ICoseHeaderExtender effectiveHeaderExtender = headerExtender == null ?
-            new CoseHashEnvelopeHeaderExtender(algoName, contentType, null) :
-            new CoseSign1.Headers.ChainedCoseHeaderExtender(new[] { headerExtender, new CoseHashEnvelopeHeaderExtender(algoName, contentType, null) });
+            new CoseHashEnvelopeHeaderExtender(algoName, contentType, payloadLocation) :
+            new CoseSign1.Headers.ChainedCoseHeaderExtender(new[] { headerExtender, new CoseHashEnvelopeHeaderExtender(algoName, contentType, payloadLocation) });
 
         return returnBytes
                ? InternalMessageFactory.CreateCoseSign1MessageBytes(
@@ -84,7 +86,8 @@ private async Task<object> CreateIndirectSignatureWithChecksInternalCoseHashEnve
         ReadOnlyMemory<byte>? bytePayload = null,
         bool payloadHashed = false,
         ICoseHeaderExtender? headerExtender = null,
-        CancellationToken cancellationToken = default)
+        CancellationToken cancellationToken = default,
+        string? payloadLocation = null)
     {
         // Check for cancellation before starting expensive hash computation
         cancellationToken.ThrowIfCancellationRequested();
@@ -117,8 +120,8 @@ private async Task<object> CreateIndirectSignatureWithChecksInternalCoseHashEnve
         }
 
         ICoseHeaderExtender effectiveHeaderExtender = headerExtender == null ?
-            new CoseHashEnvelopeHeaderExtender(algoName, contentType, null) :
-            new CoseSign1.Headers.ChainedCoseHeaderExtender(new[] { headerExtender, new CoseHashEnvelopeHeaderExtender(algoName, contentType, null) });
+            new CoseHashEnvelopeHeaderExtender(algoName, contentType, payloadLocation) :
+            new CoseSign1.Headers.ChainedCoseHeaderExtender(new[] { headerExtender, new CoseHashEnvelopeHeaderExtender(algoName, contentType, payloadLocation) });
 
         return returnBytes
                ? await InternalMessageFactory.CreateCoseSign1MessageBytesAsync(

CoseIndirectSignature/IndirectSignatureFactory.Stream.cs

@@ -185,6 +185,7 @@ public CoseSign1Message CreateIndirectSignatureFromHash(
     /// <param name="signatureVersion">The <see cref="IndirectSignatureVersion"/> this factory should create.</param>
     /// <param name="coseHeaderExtender">Optional header extender to add custom headers to the COSE message.</param>
     /// <param name="cancellationToken">Cancellation token to cancel the operation.</param>
+    /// <param name="payloadLocation">Optional URI indicating where the payload can be retrieved from. Only applicable for CoseHashEnvelope format.</param>
     /// <returns>A Task which can be awaited which will return a CoseSign1Message which can be used as a Indirect signature validation of the payload.</returns>
     /// <exception cref="ArgumentNullException">The contentType parameter was empty or null</exception>
     public async Task<CoseSign1Message> CreateIndirectSignatureAsync(
@@ -193,15 +194,17 @@ public async Task<CoseSign1Message> CreateIndirectSignatureAsync(
         string contentType,
         IndirectSignatureVersion signatureVersion,
         ICoseHeaderExtender? coseHeaderExtender = null,
-        CancellationToken cancellationToken = default) =>
+        CancellationToken cancellationToken = default,
+        string? payloadLocation = null) =>
             (CoseSign1Message)await CreateIndirectSignatureWithChecksInternalAsync(
                 returnBytes: false,
                 signingKeyProvider: signingKeyProvider,
                 contentType: contentType,
                 streamPayload: payload,
                 signatureVersion: signatureVersion,
                 headerExtender: coseHeaderExtender,
-                cancellationToken: cancellationToken).ConfigureAwait(false);
+                cancellationToken: cancellationToken,
+                payloadLocation: payloadLocation).ConfigureAwait(false);
 
     /// <summary>
     /// Creates a Indirect signature of the payload given a hash of the payload returned as a <see cref="CoseSign1Message"/> following the rules in this class description.

CoseIndirectSignature/IndirectSignatureFactory.cs

@@ -109,6 +109,7 @@ private CoseHashAlgorithm GetCoseHashAlgorithmFromHashAlgorithm(HashAlgorithm al
     /// <param name="payloadHashed">True if the payload represents the raw hash</param>
     /// <param name="signatureVersion">The <see cref="IndirectSignatureVersion"/> this factory should create.</param>
     /// <param name="headerExtender">An optional <see cref="ICoseHeaderExtender"/> to extend the protected headers of the CoseSign1Message.</param>
+    /// <param name="payloadLocation">Optional URI indicating where the payload can be retrieved from. Only applicable for CoseHashEnvelope format.</param>
     /// <returns>Either a CoseSign1Message or a ReadOnlyMemory{byte} representing the CoseSign1Message object.</returns>
     /// <exception cref="ArgumentNullException">The contentType parameter was empty or null</exception>
     /// <exception cref="ArgumentNullException">Either streamPayload or bytePayload must be specified, but not both at the same time, or both cannot be null</exception>
@@ -121,7 +122,8 @@ private object CreateIndirectSignatureWithChecksInternal(
         Stream? streamPayload = null,
         ReadOnlyMemory<byte>? bytePayload = null,
         bool payloadHashed = false,
-        ICoseHeaderExtender? headerExtender = null)
+        ICoseHeaderExtender? headerExtender = null,
+        string? payloadLocation = null)
     {
         if (string.IsNullOrWhiteSpace(contentType))
         {
@@ -166,7 +168,8 @@ private object CreateIndirectSignatureWithChecksInternal(
                             streamPayload,
                             bytePayload,
                             payloadHashed,
-                            headerExtender);
+                            headerExtender,
+                            payloadLocation);
             default:
                 throw new ArgumentOutOfRangeException(nameof(signatureVersion), "Unknown signature version");
         }
@@ -184,6 +187,7 @@ private object CreateIndirectSignatureWithChecksInternal(
     /// <param name="signatureVersion">The <see cref="IndirectSignatureVersion"/> this factory should create.</param>
     /// <param name="headerExtender">An optional <see cref="ICoseHeaderExtender"/> to extend the protected headers of the CoseSign1Message.</param>
     /// <param name="cancellationToken">The token to monitor for cancellation requests.</param>
+    /// <param name="payloadLocation">Optional URI indicating where the payload can be retrieved from. Only applicable for CoseHashEnvelope format.</param>
     /// <returns>Either a CoseSign1Message or a ReadOnlyMemory{byte} representing the CoseSign1Message object.</returns>
     /// <exception cref="ArgumentNullException">The contentType parameter was empty or null</exception>
     /// <exception cref="ArgumentNullException">Either streamPayload or bytePayload must be specified, but not both at the same time, or both cannot be null</exception>
@@ -197,7 +201,8 @@ private async Task<object> CreateIndirectSignatureWithChecksInternalAsync(
         ReadOnlyMemory<byte>? bytePayload = null,
         bool payloadHashed = false,
         ICoseHeaderExtender? headerExtender = null,
-        CancellationToken cancellationToken = default)
+        CancellationToken cancellationToken = default,
+        string? payloadLocation = null)
     {
         if (string.IsNullOrWhiteSpace(contentType))
         {
@@ -245,7 +250,8 @@ private async Task<object> CreateIndirectSignatureWithChecksInternalAsync(
                             bytePayload,
                             payloadHashed,
                             headerExtender,
-                            cancellationToken).ConfigureAwait(false);
+                            cancellationToken,
+                            payloadLocation).ConfigureAwait(false);
             default:
                 throw new ArgumentOutOfRangeException(nameof(signatureVersion), "Unknown signature version");
         }

CoseSignTool.IndirectSignature.Plugin.Tests/IndirectSignCommandTests.cs

@@ -1019,5 +1019,99 @@
         // Assert
         Assert.AreEqual(PluginExitCode.InvalidArgumentValue, result);
     }
+
+    [TestMethod]
+    public void IndirectSignCommand_Options_ShouldContainPayloadLocationOption()
+    {
+        // Arrange
+        IndirectSignCommand command = new IndirectSignCommand();
+
+        // Act
+        IDictionary<string, string> options = command.Options;
+
+        // Assert
+        Assert.IsTrue(options.ContainsKey("payload-location"), "Options should contain payload-location");
+        Assert.IsTrue(options["payload-location"].Contains("URI"), "payload-location description should mention URI");
+    }
+
+    [TestMethod]
+    public async Task IndirectSignCommand_Execute_WithPayloadLocation_ShouldIncludePayloadLocationHeader()
+    {
+        // Arrange
+        IndirectSignCommand command = new IndirectSignCommand();
+        string signaturePath = TestSignaturePath + "_payload_location";
+        string testPayloadLocation = "https://example.com/payload/test.bin";
+        IConfiguration configuration = CreateConfiguration(new Dictionary<string, string?>
+        {
+            ["payload"] = TestPayloadPath,
+            ["signature"] = signaturePath,
+            ["pfx"] = TestCertificatePath,
+            ["payload-location"] = testPayloadLocation
+        });
+
+        try
+        {
+            // Act
+            PluginExitCode result = await command.ExecuteAsync(configuration);
+
+            // Assert
+            Assert.AreEqual(PluginExitCode.Success, result);
+            Assert.IsTrue(File.Exists(signaturePath));
+
+            // Verify the signature contains the PayloadLocation header (label 260 per RFC 9054)
+            byte[] signatureBytes = File.ReadAllBytes(signaturePath);
+            CoseSign1Message message = CoseMessage.DecodeSign1(signatureBytes);
+            Assert.IsNotNull(message);
+            Assert.IsTrue(message.IsIndirectSignature());
+
+            // PayloadLocation is COSE header label 260
+            bool hasPayloadLocation = message.ProtectedHeaders.TryGetValue(new CoseHeaderLabel(260), out CoseHeaderValue payloadLocationValue);
+            Assert.IsTrue(hasPayloadLocation, "Signature should contain PayloadLocation header (label 260)");
+            string? actualLocation = payloadLocationValue.GetValueAsString();
+            Assert.AreEqual(testPayloadLocation, actualLocation, "PayloadLocation header value should match the specified URI");
+        }
+        finally
+        {
+            SafeDeleteFile(signaturePath);
+        }
+    }
+
+    [TestMethod]
+    public async Task IndirectSignCommand_Execute_WithoutPayloadLocation_ShouldNotIncludePayloadLocationHeader()
+    {
+        // Arrange
+        IndirectSignCommand command = new IndirectSignCommand();
+        string signaturePath = TestSignaturePath + "_no_payload_location";
+        IConfiguration configuration = CreateConfiguration(new Dictionary<string, string?>
+        {
+            ["payload"] = TestPayloadPath,
+            ["signature"] = signaturePath,
+            ["pfx"] = TestCertificatePath
+        });
+
+        try
+        {
+            // Act
+            PluginExitCode result = await command.ExecuteAsync(configuration);
+
+            // Assert
+            Assert.AreEqual(PluginExitCode.Success, result);
+            Assert.IsTrue(File.Exists(signaturePath));
+
+            // Verify the signature does NOT contain the PayloadLocation header (label 260)
+            byte[] signatureBytes = File.ReadAllBytes(signaturePath);
+            CoseSign1Message message = CoseMessage.DecodeSign1(signatureBytes);
+            Assert.IsNotNull(message);
+            Assert.IsTrue(message.IsIndirectSignature());
+
+            // PayloadLocation is COSE header label 260
+            bool hasPayloadLocation = message.ProtectedHeaders.TryGetValue(new CoseHeaderLabel(260), out _);
+            Assert.IsFalse(hasPayloadLocation, "Signature should NOT contain PayloadLocation header when not specified");
+        }
+        finally
+        {
+            SafeDeleteFile(signaturePath);
+        }
+    }
 }
 

CoseSignTool.IndirectSignature.Plugin/IndirectSignCommand.cs

@@ -38,6 +38,9 @@ public override IDictionary<string, string> Options
             options["cwt-subject"] = "The CWT subject (sub) claim. Defaults to 'UnknownIntent'";
             options["cwt-audience"] = "The CWT audience (aud) claim (optional)";
 
+            // Add payload location option for CoseHashEnvelope format
+            options["payload-location"] = "A URI indicating where the payload can be retrieved from (optional, CoseHashEnvelope format only)";
+
             return options;
         }
     }
@@ -150,6 +153,13 @@ public override async Task<PluginExitCode> ExecuteAsync(IConfiguration configura
                 Logger.LogVerbose($"Custom CWT claims count: {cwtClaims.Count}");
             }
 
+            // Parse payload location for CoseHashEnvelope format
+            string? payloadLocation = GetOptionalValue(configuration, "payload-location");
+            if (!string.IsNullOrEmpty(payloadLocation))
+            {
+                Logger.LogVerbose($"Payload location: {payloadLocation}");
+            }
+
             // Create the indirect signature
             using CancellationTokenSource combinedCts = CreateTimeoutCancellationToken(timeoutSeconds, cancellationToken);
             Logger.LogVerbose($"Creating indirect signature with hash algorithm: {hashAlgorithm.Name}, version: {signatureVersion}");
@@ -167,6 +177,7 @@ public override async Task<PluginExitCode> ExecuteAsync(IConfiguration configura
                 cwtSubject,
                 cwtAudience,
                 cwtClaims,
+                payloadLocation,
                 Logger,
                 combinedCts.Token);
 
@@ -210,6 +221,7 @@ public override async Task<PluginExitCode> ExecuteAsync(IConfiguration configura
     /// <param name="cwtSubject">Optional CWT subject claim.</param>
     /// <param name="cwtAudience">Optional CWT audience claim.</param>
     /// <param name="cwtClaims">Optional custom CWT claims as label:value pairs.</param>
+    /// <param name="payloadLocation">Optional URI indicating where the payload can be retrieved from.</param>
     /// <param name="logger">Logger for diagnostic output.</param>
     /// <param name="cancellationToken">Cancellation token with timeout.</param>
     /// <returns>Tuple containing the exit code and optional result object for JSON output.</returns>
@@ -227,6 +239,7 @@ public override async Task<PluginExitCode> ExecuteAsync(IConfiguration configura
         string? cwtSubject,
         string? cwtAudience,
         List<string>? cwtClaims,
+        string? payloadLocation,
         IPluginLogger logger,
         CancellationToken cancellationToken)
     {
@@ -318,7 +331,8 @@ public override async Task<PluginExitCode> ExecuteAsync(IConfiguration configura
                 contentType: contentType,
                 signatureVersion: signatureVersion,
                 coseHeaderExtender: headerExtender,
-                cancellationToken: cancellationToken);
+                cancellationToken: cancellationToken,
+                payloadLocation: payloadLocation);
 
             // Encode and write signature to file
             byte[] signatureBytes = indirectSignature.Encode();