fix 543: improve COSE_Key spec language and add COSE_Key examples #732
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2443,7 +2443,7 @@ object=] for a given credential. It has the following format: | |
| <tr> | ||
| <td><dfn>credentialIdLength</dfn></td> | ||
| <td>2</td> | ||
| <td>Byte length <strong>L</strong> of Credential ID</td> | ||
| </tr> | ||
| <tr> | ||
| <td><dfn>credentialId</dfn></td> | ||
|
|
@@ -2454,7 +2454,8 @@ object=] for a given credential. It has the following format: | |
| <td><dfn>credentialPublicKey</dfn></td> | ||
| <td>variable</td> | ||
| <td> | ||
| The [=credential public key=] encoded in COSE_Key format, | ||
| as defined in Section 7 of [[RFC8152]], using the [=CTAP canonical CBOR encoding form=]. | ||
| The COSE_Key-encoded [=credential public key=] MUST contain the optional "alg" parameter and MUST NOT | ||
| contain any other optional parameters. The "alg" parameter MUST contain a {{COSEAlgorithmIdentifier}} value. | ||
| The encoded [=credential public key=] MUST also contain any additional required parameters stipulated by the | ||
|
|
@@ -2467,6 +2468,79 @@ object=] for a given credential. It has the following format: | |
| NOTE: The names in the Name column in the above table are only for reference within this document, and are not present in the | ||
| actual representation of the [=attested credential data=]. | ||
|
|
||
| #### Examples of `credentialPublicKey` Values encoded in COSE_Key format #### {#sctn-encoded-credPubKey-examples} | ||
|
|
||
| This section provides examples of COSE_Key-encoded Eliptic Curve and RSA public keys for the ES256, PS256, and RS256 | ||
| signature algorithms. These examples adhere to the rules defined above for the [=credentialPublicKey=] value, and are presented in [[CDDL]] for clarity. | ||
|
|
||
| [[RFC8152]] [Section 7](https://tools.ietf.org/html/rfc8152#section-7) defines the general framework for all | ||
| COSE_Key-encoded keys. | ||
| Specific key types for specific algorithms are defined in other sections of [[RFC8152]] as well as in other specifications, | ||
| as noted below. | ||
|
|
||
| Below is an example of a COSE_Key-encoded Eliptic Curve public key in EC2 format (see [[RFC8152]] | ||
| [Section 13.1](https://tools.ietf.org/html/rfc8152#section-13.1)), on the P-256 curve, to be used with the ES256 signature | ||
| algorithm (ECDSA w/ SHA-256, see [[RFC8152]] [Section 8.1](https://tools.ietf.org/html/rfc8152#section-8.1)): | ||
|
|
||
| <pre class="example" highlight="json"> | ||
| { | ||
| 1: 2, ; kty: EC2 key type | ||
| 3:-7, ; alg: ES256 signature algorithm | ||
| -1: 1, ; crv: P-256 curve | ||
| -2: x, ; x-coordinate as byte string 32 bytes in length | ||
| e.g., in hex: 65eda5a12577c2bae829437fe338701a10aaa375e1bb5b5de108de439c08551d | ||
| -3: y ; y-coordinate as byte string 32 bytes in length | ||
| e.g., in hex: 1e52ed75701163f7f9e40ddf9f341b3dc9ba860af7e0ca7ca7e9eecd0084d19c | ||
| } | ||
| </pre> | ||
|
|
||
| Below is the above Eliptic Curve public key encoded in the [=CTAP canonical CBOR encoding form=], whitespace and line breaks | ||
| are included here for clarity and to match the [[CDDL]] presentation above: | ||
|
|
||
| <pre class="example" highlight="json"> | ||
| A5 | ||
| 01 02 | ||
|
|
||
| 03 26 | ||
|
|
||
| 20 01 | ||
|
|
||
| 21 58 20 65eda5a12577c2bae829437fe338701a10aaa375e1bb5b5de108de439c08551d | ||
|
|
||
| 22 58 20 1e52ed75701163f7f9e40ddf9f341b3dc9ba860af7e0ca7ca7e9eecd0084d19c | ||
| </pre> | ||
|
|
||
|
|
||
| Below is an example of a COSE_Key-encoded 2048-bit RSA public key (see [[RFC8230]] [Section 4](https://tools.ietf.org/html/rfc8230#section-4)) | ||
| to be used with the RSASSA-PSS w/ SHA-256 signature algorithm | ||
| (see [[RFC8230]] [Section 2](https://tools.ietf.org/html/rfc8230#section-2)): | ||
|
|
||
| <pre class="example" highlight="json"> | ||
| { | ||
| 1: 3, ; kty: RSA key type | ||
| 3:-37, ; alg: RS256 | ||
| -1: n, ; n: RSA modulus n byte string 257 bytes in length | ||
|
There was a problem hiding this comment. Should this value (and below) be a 256 byte value? (There's no zero padding to avoid negative numbers in COSE.) There was a problem hiding this comment. thx hm. I dunno, you guys tell me. Here's how I generated the example RSA key pair, and openssl sez the modulus is 257 bytes: is there any zero-padding in the above modulus value? Ah, is the leading There was a problem hiding this comment. 2048 bits / 8 = 256, so we would expect a 256-byte value. ASN.1 DER requires that an INTEGER with the most-significant bit set be padded with a leading zero to avoid it appearing to be negative. Since the leading byte is 0xdb, that will have happened in this case. In fact, it'll happen for all RSA keys since the MSB is required to be 1 (otherwise it would be a 2047-bit key). COSE, however, doesn't have this leading padding byte. That is made explicit here:
There was a problem hiding this comment. Ok, thx, so is openssl just not displaying a leading zero padding byte? ( I think yes ) There was a problem hiding this comment. Correct, as it's not considered part of the value. If you base64-decode the public key and look for the modulus in a hex dump, it should be preceded by 0282010100. |
||
| e.g., in hex (middle bytes elided for brevity): DB5F651550...6DC6548ACC3 | ||
| -2: e ; e: RSA public exponent e byte string 3 bytes in length | ||
| e.g., in hex: 010001 | ||
| } | ||
| </pre> | ||
|
|
||
| Below is an example of a COSE_Key-encoded 2048-bit RSA public key (see [[RFC8230]] | ||
|
There was a problem hiding this comment. (Could also just say that it's the same key because it's also RSA. Your call.) |
||
| [Section 4](https://tools.ietf.org/html/rfc8230#section-4)) | ||
| to be used with the RSASSA-PKCS1-v1_5 w/ SHA-256 signature algorithm (see [[#sctn-cose-alg-reg]]): | ||
|
|
||
| <pre class="example" highlight="json"> | ||
| { | ||
| 1: 3, ; kty: RSA key type | ||
| 3:-257, ; alg: RS256 | ||
|
There was a problem hiding this comment. Is algorithm -257 defined for COSE? I don't see it in the IANA registry. (In fact, I don't see PKCS #1 v1.5 at all.) There was a problem hiding this comment. It's registered in WebAuthn, actually: https://w3c.github.io/webauthn/#sctn-cose-alg-reg There was a problem hiding this comment. Once we reach CR, I plan to submit the registration request to IANA. |
||
| -1: n, ; n: RSA modulus n byte string 257 bytes in length | ||
|
There was a problem hiding this comment. I think one extra space is needed after the colon here and below. (And then the continued comment lines would need an extra space too.) |
||
| e.g., in hex (middle bytes elided for brevity): DB5F651550...6DC6548ACC3 | ||
| -2: e ; e: RSA public exponent e byte string 3 bytes in length | ||
| e.g., in hex: 010001 | ||
| } | ||
| </pre> | ||
|
There was a problem hiding this comment. One example: {1: 3, 3: -257, -1: h'ea9fbf0b9766e8e7412f86adeab7af8e11dd01308c1b71ac7c037f98a796b98f54253cf8b83f72b656340895608752af185e560695da06a77a655760ab28df3d44bfa417fe28978bfe34f1c93ad44508f4e6c56a4840f09aaf89481faa22098b41bb49082faad0ba94ffb529cd95cec0a56f3eebee9ff0f9cd95b22c48ef4854ce0f719cb06e76ba746e4129fbcfcb3f80b44bb2edd3908f468991a5249a1b8d9234316f245b1289f95d778a461733543612e3705c5ec2b78a9674305ca9fa464c3e95b0b67f058ff0cc6a84b0890551c413f1557a2a198c6d2629ade0f16ef9aec06ae89162f15a98ae49ce8b0ce8e07bafe1bd3b728bd1fc18f07e87a425f1', -2: h'010001'} |
||
|
|
||
|
|
||
| ### Attestation Statement Formats ### {#attestation-formats} | ||
|
|
||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: PS256, rather than RS256, I believe.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, fixed, thx.