Tiny COSE

A very incomplete COSE library for use with other tiny-* libraries.

What's inside

This implementation provides (incomplete):

• Deserializing public and private key objects into JavaScript CryptoKeys
• Serializing JavaScript private and public CryptoKeys into public and private COSE key objects
• Deserializing and serializing symmetric CryptoKeys into COSE key objects

This implementation omits:

• Signing data with private keys
• Verifying data with public keys
• MACing data with symmetric keys
• Verifying MACd data with symmetric keys
• Direct Encryption of data with symmetric keys
• Direct Decryption of data with symmetric keys
• Encrypting data with asymmetric keys with ephemeral-static / static-static key agreement
• Decrypting data with asymmetric keys with ephemeral-static / static-static key agreement
• Key agreement with key wrapping
• Key transport
• ECDH
• Key Derivation Functions

This implementation does not support:

• RSA keys with multiple primes
• Elliptic Curve keys with compressed points
• CryptoKeys for symmetric encryption with AES
• RSAES-OAEP
• Private keys without public components
• ES512 / Curve P-521, see Deno Issue P-521 curves in WebCrypto

Over time, this list may change.

Warning

COSE cryptography is, in general, unsafe for most to dabble with. Please consult a cryptographer when you are inventing something new with cryptographic constructs.

Standards References

• RFC9052 - CBOR Object Signing and Encryption (COSE): Structures and Process
• RFC9053 - CBOR Object Signing and Encryption (COSE): Initial Algorithms
• RFC9054 - CBOR Object Signing and Encryption (COSE): Hash Algorithms
• RFC8230 - Using RSA Algorithms with CBOR Object Signing and Encryption (COSE) Messages
• RFC8812 - CBOR Object Signing and Encryption (COSE) and JSON Object Signing and Encryption (JOSE) Registrations for Web Authentication (WebAuthn) Algorithms