web-auth / cose-lib
CBOR Object Signing and Encryption (COSE) For PHP
Installs: 4 197 255
Dependents: 20
Suggesters: 0
Security: 0
Stars: 18
Watchers: 1
Forks: 8
Open Issues: 0
pkg:composer/web-auth/cose-lib
Requires
- php: >=8.1
- ext-json: *
- ext-openssl: *
- brick/math: ^0.9|^0.10|^0.11|^0.12|^0.13
- spomky-labs/pki-framework: ^1.0
Requires (Dev)
- deptrac/deptrac: ^3.0
- ekino/phpstan-banned-code: ^1.0|^2.0|^3.0
- infection/infection: ^0.29
- php-parallel-lint/php-parallel-lint: ^1.3
- phpstan/extension-installer: ^1.3
- phpstan/phpstan: ^1.7|^2.0
- phpstan/phpstan-deprecation-rules: ^1.0|^2.0
- phpstan/phpstan-phpunit: ^1.1|^2.0
- phpstan/phpstan-strict-rules: ^1.0|^2.0
- phpunit/phpunit: ^10.1|^11.0|^12.0
- rector/rector: ^2.0
- symfony/phpunit-bridge: ^6.4|^7.0
- symplify/easy-coding-standard: ^12.0
Suggests
- ext-bcmath: For better performance, please install either GMP (recommended) or BCMath extension
- ext-gmp: For better performance, please install either GMP (recommended) or BCMath extension
This package is auto-updated.
Last update: 2025-11-13 15:03:30 UTC
README
CBOR Object Signing and Encryption (COSE) for PHP is a comprehensive library that provides full support for COSE operations including signing, encryption, and MAC (Message Authentication Code) operations.
This library implements:
Features
✅ Complete COSE Tag Support
- COSE_Sign1 (tag 18) - Single signature
- COSE_Sign (tag 98) - Multiple signatures
- COSE_Encrypt0 (tag 16) - Single recipient encryption
- COSE_Encrypt (tag 96) - Multiple recipients encryption
- COSE_Mac0 (tag 17) - MAC without recipients
- COSE_Mac (tag 97) - MAC with recipients
✅ Cryptographic Algorithms
- Signatures: ECDSA (ES256, ES384, ES512, ES256K), EdDSA (Ed25519, Ed448), RSA (RS256/384/512, PS256/384/512)
- MAC: HMAC with SHA-256/384/512
- Compatible with WebAuthn, FIDO2, and digital COVID certificates
✅ Modern PHP
- PHP 8.1+ with strict types
- Full type safety and PHPStan compliance
- Comprehensive test coverage
Installation
Install the library with Composer:
composer require web-auth/cose-lib
For COSE tag support (Sign, Encrypt, Mac operations), also install:
composer require spomky-labs/cbor-php
Quick Start
Verifying a COSE_Sign1 Signature
```php
use CBOR\Decoder;
use CBOR\OtherObject\OtherObjectManager;
use CBOR\StringStream;
use CBOR\Tag\TagManager;
use Cose\Signature\CoseSign1Tag;
use Cose\Signature\Signature1;

// Setup decoder with COSE tag support
$tagManager = TagManager::create()->add(CoseSign1Tag::class);
$decoder = Decoder::create($tagManager, OtherObjectManager::create());

// Decode COSE_Sign1 message ($encodedData holds the CBOR-encoded bytes you received)
$stream = new StringStream($encodedData);
$coseSign1 = $decoder->decode($stream);

// Extract components
$protectedHeader = $coseSign1->getProtectedHeader();
$payload = $coseSign1->getPayload();
$signature = $coseSign1->getSignature();

// Create signature structure for verification
$sigStructure = Signature1::create($protectedHeader, $payload);

// Verify (example with OpenSSL)
// $derSignature is the signature re-encoded as ASN.1/DER, which OpenSSL expects for
// ECDSA; $publicKey is the signer's public key. Neither is defined in this snippet.
// openssl_verify() returns 1 (valid), 0 (invalid), -1 or false (error), so compare
// strictly with 1: a bare truthiness check would accept -1.
$isValid = openssl_verify(
    (string) $sigStructure,
    $derSignature,
    $publicKey,
    'sha256'
) === 1;
```
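The snippet above hands `$derSignature` to `openssl_verify()` without showing where it comes from: COSE carries an ECDSA signature as fixed-width R || S (RFC 9053), while OpenSSL expects an ASN.1/DER SEQUENCE. The following added example, which is not code from the library or its author, shows that conversion for ES256/ES384 together with a strict check of the return value; all function names are hypothetical and the signed bytes are a constructed stand-in for the Sig_structure.

```php
<?php
declare(strict_types=1);
// Added example; all function names are hypothetical, not cose-lib API.

function derInteger(string $bytes): string
{
    $bytes = ltrim($bytes, "\x00");
    if ($bytes === '' || (ord($bytes[0]) & 0x80) !== 0) {
        $bytes = "\x00" . $bytes; // leading zero keeps the INTEGER non-negative
    }
    return "\x02" . chr(strlen($bytes)) . $bytes;
}

// COSE ECDSA signature (fixed-width R || S) -> DER SEQUENCE for OpenSSL.
// Limited to ES256/ES384 (part length <= 48) so short-form DER lengths suffice.
function coseEcdsaToDer(string $raw, int $partLength): string
{
    if ($partLength > 48 || strlen($raw) !== 2 * $partLength) {
        throw new InvalidArgumentException('Unsupported or malformed ECDSA signature');
    }
    $body = derInteger(substr($raw, 0, $partLength)) . derInteger(substr($raw, $partLength));
    return "\x30" . chr(strlen($body)) . $body;
}

// Only the integer 1 is success; 0 is a bad signature, -1 or false an error.
function verifyEs256(string $toBeSigned, string $rawSignature, string $publicKeyPem): bool
{
    $der = coseEcdsaToDer($rawSignature, 32);
    return openssl_verify($toBeSigned, $der, $publicKeyPem, OPENSSL_ALGO_SHA256) === 1;
}

// Demo helper: OpenSSL DER signature (P-256) -> R || S as carried in a COSE message.
function derToCoseEcdsa(string $der, int $partLength): string
{
    $offset = 2; // skip the two-byte SEQUENCE header
    $raw = '';
    for ($i = 0; $i < 2; $i++) {
        $len = ord($der[$offset + 1]);
        $int = ltrim(substr($der, $offset + 2, $len), "\x00");
        $raw .= str_pad($int, $partLength, "\x00", STR_PAD_LEFT);
        $offset += 2 + $len;
    }
    return $raw;
}

$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1']);
$pem = openssl_pkey_get_details($key)['key'];
$tbs = 'constructed Sig_structure bytes'; // stands in for (string) $sigStructure
openssl_sign($tbs, $der, $key, OPENSSL_ALGO_SHA256);
$raw = derToCoseEcdsa($der, 32);
var_dump(verifyEs256($tbs, $raw, $pem), verifyEs256($tbs . 'x', $raw, $pem));
```

The first call verifies the signature over the original bytes; the second reuses the same signature over modified bytes, which is the case a truthiness check on `openssl_verify()` must never let through.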
Creating a COSE_Sign1 Message
```php
use CBOR\ByteStringObject;
use CBOR\MapItem;
use CBOR\MapObject;
use CBOR\NegativeIntegerObject;
use CBOR\UnsignedIntegerObject;
use Cose\Signature\CoseSign1Tag;

// Define headers
$protectedHeader = MapObject::create([
    MapItem::create(
        UnsignedIntegerObject::create(1), // alg
        NegativeIntegerObject::create(-7) // ES256
    ),
]);

$unprotectedHeader = MapObject::create([
    MapItem::create(
        UnsignedIntegerObject::create(4), // kid
        ByteStringObject::create('my-key-id')
    ),
]);

// Create COSE_Sign1
// $signatureBytes is the signature value, computed beforehand (not shown here)
$coseSign1 = CoseSign1Tag::create(
    $protectedHeader,
    $unprotectedHeader,
    ByteStringObject::create('Message to sign'),
    ByteStringObject::create($signatureBytes)
);

// Encode to CBOR
$encoded = (string) $coseSign1;
```
Documentation
- Usage Guide - Complete documentation with examples
- RFC 9052 - COSE Structures
- RFC 9053 - COSE Algorithms
Use Cases
This library is perfect for:
- 🏥 Digital Health Certificates - COVID-19 vaccination passes (EU Digital COVID Certificate)
- 🔐 WebAuthn/FIDO2 - Authenticator attestation and assertion signatures
- 📱 IoT Security - Secure messaging for constrained devices
- 🌐 Web PKI - CBOR-based certificate chains
- 📄 Document Signing - Compact digital signatures
Supported Algorithms
Signature Algorithms
| Algorithm | Identifier | Description |
|---|---|---|
| ES256 | -7 | ECDSA with SHA-256 |
| ES384 | -35 | ECDSA with SHA-384 |
| ES512 | -36 | ECDSA with SHA-512 |
| ES256K | -47 | ECDSA with secp256k1 |
| EdDSA | -8 | EdDSA |
| Ed25519 | - | EdDSA with Curve25519 |
| RS256 | -257 | RSASSA-PKCS1-v1_5 with SHA-256 |
| RS384 | -258 | RSASSA-PKCS1-v1_5 with SHA-384 |
| RS512 | -259 | RSASSA-PKCS1-v1_5 with SHA-512 |
| PS256 | -37 | RSASSA-PSS with SHA-256 |
| PS384 | -38 | RSASSA-PSS with SHA-384 |
| PS512 | -39 | RSASSA-PSS with SHA-512 |
MAC Algorithms
| Algorithm | Identifier | Description |
|---|---|---|
| HS256 | 5 | HMAC with SHA-256 |
| HS384 | 6 | HMAC with SHA-384 |
| HS512 | 7 | HMAC with SHA-512 |
| HS256/64 | 4 | HMAC with SHA-256 truncated to 64 bits |
Testing
Run the test suite with:
composer test
Or using Castor:
castor phpunit
The library includes comprehensive tests including:
- Unit tests for all COSE tag types
- Integration tests with real cryptographic operations
- COVID-19 certificate verification examples
- Test fixtures with actual certificates
Requirements
- PHP 8.1 or higher
- ext-json
- ext-openssl
- brick/math
- spomky-labs/pki-framework
- spomky-labs/cbor-php (for COSE tag support)
Contributing
Contributions are welcome! Please see CONTRIBUTING.md for details.
For security vulnerabilities, please email security [at] spomky-labs.com instead of using the issue tracker.
Support
I bring solutions to your problems and answer your questions.
If you really love this project and the work I have done, or if you want me to prioritize your issues, you can support me:
License
This software is released under the MIT License.
Credits
Maintained by Florent Morselli and contributors.
Made with ❤️ for the PHP community