Cose Lib Laravel Package

web-auth/cose-lib

PHP 8.1+ COSE (RFC 9052/9053) library: sign, encrypt, and MAC with full tag support (Sign1/Sign, Encrypt0/Encrypt, Mac0/Mac). Supports ECDSA, EdDSA, RSA, and HMAC. Compatible with WebAuthn/FIDO2.


Technical Evaluation

Architecture Fit

  • Strong alignment with modern security standards: The package implements RFC 9052 (COSE Structures) and RFC 9053 (COSE Algorithms), making it ideal for applications requiring CBOR-based cryptographic operations (e.g., WebAuthn, FIDO2, digital health certificates).
  • Modular design: Supports six COSE tags (Sign1, Sign, Encrypt0, Encrypt, Mac0, Mac), allowing granular adoption based on use case.
  • PHP 8.1+ compatibility: Leverages strict types, PHPStan compliance, and comprehensive test coverage, ensuring robustness in modern PHP stacks.
  • Interoperability: Works seamlessly with spomky-labs/cbor-php (required for COSE tag support) and integrates with OpenSSL for cryptographic operations.

Integration Feasibility

  • Low friction for PHP ecosystems: Composer-based installation with clear dependencies (spomky-labs/cbor-php, brick/math, spomky-labs/pki-framework).
  • CBOR/COSE expertise not required: The library abstracts CBOR encoding/decoding and COSE tag handling, reducing implementation complexity.
  • Algorithm flexibility: Supports ECDSA, EdDSA, RSA, and HMAC variants, accommodating diverse cryptographic needs (e.g., ES256 for WebAuthn, Ed25519 for IoT).
  • Use-case specificity: Pre-optimized for digital health certificates (EU DCC), WebAuthn/FIDO2, and IoT security, but adaptable to custom scenarios.

Technical Risk

Risk Area | Mitigation Strategy
CBOR/COSE complexity | Library provides high-level abstractions (e.g., CoseSign1Tag::create()), reducing manual CBOR handling.
Cryptographic bugs | Comprehensive test suite (including COVID-19 certificate verification) and PHPStan compliance minimize edge-case failures.
Algorithm misconfiguration | Explicit algorithm identifiers (e.g., -7 for ES256) enforce correct usage.
Dependency bloat | Core functionality is lightweight; spomky-labs/cbor-php is the only mandatory external dependency.
Performance overhead | Optimized for PHP 8.1+ with strict types; benchmarking recommended for high-throughput systems.

Key Questions for TPM

  1. Use Case Priority:
    • Is the primary need signing (COSE_Sign1/Sign), encryption (COSE_Encrypt), or MAC (COSE_Mac)?
    • Example: WebAuthn → Focus on COSE_Sign1 + ES256; IoT → Prioritize COSE_Encrypt0 + Ed25519.
  2. Key Management:
    • How will key IDs (kid) and public/private keys be stored/retrieved? (e.g., database, AWS KMS, hardware tokens).
    • Does the system require JWK/JWKS support for key interchange?
  3. Interoperability:
    • Must the COSE output interoperate with non-PHP systems (e.g., JavaScript, Rust)? If so, validate CBOR encoding against reference implementations.
  4. Compliance:
    • Are there regulatory requirements (e.g., FIPS 140-2, HIPAA) that mandate specific algorithms (e.g., Ed25519 over RSA)?
  5. Error Handling:
    • How should signature verification failures or malformed COSE messages be surfaced? (e.g., custom exceptions, HTTP 403).
  6. Scaling:
    • For high-volume signing/encryption, will asynchronous processing (e.g., queues) be needed to avoid blocking I/O-bound cryptographic ops?
  7. Migration Path:
    • If replacing JWS/JWE, what data format conversions (e.g., JSON ↔ CBOR) are required?
    • Are there legacy systems that need to coexist with COSE?

Integration Approach

Stack Fit

Component | Compatibility Notes
PHP 8.1+ | Required; leverages strict types and modern PHP features.
Laravel | Seamless integration via Composer; can be used in controllers, commands, or queues.
Symfony | Works with Symfony’s security component for authentication flows (e.g., WebAuthn).
API Platform | Can replace JWT with COSE_Sign1 for compact, CBOR-based signatures.
Queues (Redis/DB) | Cryptographic operations can be offloaded to workers to avoid request latency.
Databases | CBOR-encoded COSE messages can be stored in binary fields (e.g., PostgreSQL bytea).
Frontend (JS) | Use @peculiar/webcrypto or cose-js for client-side interoperability.
Cloud (AWS/GCP) | Integrates with KMS for key management and IAM roles for cryptographic ops.

Migration Path

  1. Pilot Phase:
    • Start with COSE_Sign1 for digital signatures (e.g., API responses, document signing).
    • Replace JWS with COSE_Sign1 in a non-critical endpoint to validate performance.
  2. Incremental Adoption:
    • Phase 1: Signatures → Migrate authentication tokens or audit logs to COSE.
    • Phase 2: Encryption → Secure PII or IoT messages with COSE_Encrypt0.
    • Phase 3: MAC → Add data integrity checks for internal APIs.
  3. Dependency Updates:
    • Ensure spomky-labs/cbor-php and brick/math are pinned to stable versions in composer.json.
    • Monitor for breaking changes in PHP 8.2+ (e.g., cryptography extensions).
  4. Tooling:
    • Use PHPStan to enforce type safety in COSE operations.
    • Integrate Pest/PhpUnit tests for signature verification and encryption/decryption cycles.

Compatibility

  • CBOR/COSE Standards: Fully compliant with RFC 9052/9053; no vendor lock-in.
  • Algorithm Overlap:
    • ES256 (COSE) ↔ RS256 (JWT): Can coexist if both are supported.
    • Ed25519 (COSE) ↔ EdDSA (WebAuthn): Native compatibility.
  • Key Formats:
    • Supports raw keys, PEM, and JWK (via spomky-labs/pki-framework).
    • No PKCS#12 support; use OpenSSL for conversion if needed.

Sequencing

  1. Setup:
    • Install dependencies:
      composer require web-auth/cose-lib spomky-labs/cbor-php
      
    • Configure autoloading in composer.json (the Cose\\ mapping is redundant, since Composer already registers the package's own PSR-4 autoloader on install, and can be omitted):
      "autoload": {
        "psr-4": {
          "App\\": "src/",
          "Cose\\": "vendor/web-auth/cose-lib/src"
        }
      }
      
  2. Key Infrastructure:
    • Implement key storage (e.g., database table for kid ↔ key pairs).
    • Example:
      // Pseudocode for key retrieval; KeyRepository is a placeholder for your own storage layer
      // Note: COSE addresses kid by the integer header label 4 (RFC 9052 §3.1); the string 'kid' here is illustrative
      $publicKey = KeyRepository::getByKid($coseSign1->getUnprotectedHeader()->get('kid'));
      
  3. Core Integration:
    • Signing:
      $coseSign1 = CoseSign1Tag::create(
          $protectedHeader,
          $unprotectedHeader,
          ByteStringObject::create($payload),
          ByteStringObject::create($signature)
      );
      
    • Verification:
      // Signature1 is the Sig_structure of RFC 9052 §4.4: ["Signature1", body_protected, external_aad, payload]
      // openssl_verify() expects a DER-encoded ECDSA signature; COSE carries ES256 signatures as raw r||s (RFC 9053 §2.1), so convert before verifying
      // Check that the protected alg header matches the algorithm of the key selected by kid before trusting the result
      // Return value is 1 (valid), 0 (invalid) or false (error): compare with === 1, never treat as a plain boolean
      $isValid = openssl_verify(
          (string) Signature1::create($protectedHeader, $payload),
          $derSignature,
          $publicKey,
          'sha256'
      );
      
  4. Edge Cases:
    • Handle malformed COSE messages with try-catch:
      // CborException and logError() are placeholders for the decoder's exception type and your logging layer
      try {
          $coseSign1 = $decoder->decode($stream);
      } catch (CborException $e) {
          logError("Invalid COSE message"); // log the failure; do not echo decoder internals to the client
          return false;
      }
      
  5. Monitoring:
    • Log signature failures and algorithm usage for auditing.
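As an added example (not cose-lib's or the page's own code), the following PHP does by hand what the library's CoseSign1Tag and Signature1 abstractions hide: it builds the COSE_Sign1 Sig_structure from RFC 9052, signs it with ES256 through OpenSSL, and converts between OpenSSL's DER signature and the raw r||s form COSE carries. The P-256 key and JSON payload are constructed for the demo; a real deployment would load the key by its kid.

```php
<?php
declare(strict_types=1);
// Added example, not cose-lib code: hand-built COSE_Sign1 signing input (RFC 9052 §4.4)
// and ES256 signature handling via OpenSSL. Key and payload below are constructed for the demo.
// Minimal CBOR encoder for the types Sig_structure needs (lengths below 256 bytes).
function cborHead(int $major, int $len): string {
    return $len < 24 ? chr(($major << 5) | $len) : chr(($major << 5) | 24) . chr($len);
}
function cborBytes(string $s): string { return cborHead(2, strlen($s)) . $s; }
function cborText(string $s): string { return cborHead(3, strlen($s)) . $s; }
function cborArray(array $items): string { return cborHead(4, count($items)) . implode('', $items); }

// Sig_structure = ["Signature1", body_protected, external_aad, payload]; body_protected is the
// serialized protected header map wrapped in a byte string.
function sigStructure(string $protected, string $payload, string $aad = ''): string {
    return cborArray([cborText('Signature1'), cborBytes($protected), cborBytes($aad), cborBytes($payload)]);
}

// OpenSSL returns ECDSA signatures as DER SEQUENCE{INTEGER r, INTEGER s}; COSE ES256 carries
// r||s as two fixed 32-byte big-endian values (RFC 9053 §2.1). Convert in both directions.
function derToRaw(string $der, int $size = 32): string {
    $pos = 2; $raw = '';                      // skip SEQUENCE tag and one-byte length
    for ($i = 0; $i < 2; $i++) {
        $len = ord($der[$pos + 1]);           // INTEGER tag at $pos, length at $pos + 1
        $int = ltrim(substr($der, $pos + 2, $len), "\x00"); // drop DER sign padding
        $raw .= str_pad($int, $size, "\x00", STR_PAD_LEFT);
        $pos += 2 + $len;
    }
    return $raw;
}
function rawToDer(string $raw): string {
    $int = function (string $v): string {
        $v = ltrim($v, "\x00");
        if ($v === '' || (ord($v[0]) & 0x80)) $v = "\x00" . $v; // keep INTEGER positive
        return "\x02" . chr(strlen($v)) . $v;
    };
    $body = $int(substr($raw, 0, 32)) . $int(substr($raw, 32));
    return "\x30" . chr(strlen($body)) . $body;
}

// Demo: protected header {1: -7} (alg = ES256) and a throwaway P-256 key.
$protected = "\xa1\x01\x26";
$payload = '{"sub":"user-123"}';
$key = openssl_pkey_new(['curve_name' => 'prime256v1', 'private_key_type' => OPENSSL_KEYTYPE_EC]);
openssl_sign(sigStructure($protected, $payload), $der, $key, 'sha256');
$coseSignature = derToRaw($der);              // value for the COSE_Sign1 signature field
$publicPem = openssl_pkey_get_details($key)['key'];
$result = openssl_verify(sigStructure($protected, $payload), rawToDer($coseSignature), $publicPem, 'sha256');
echo $result === 1 ? "signature valid\n" : "signature INVALID or error\n"; // 1 = valid, 0 = invalid, false = error
```

The external_aad slot stays empty here, as it does for WebAuthn; if a deployment binds additional data into the signature, both signer and verifier must supply the identical bytes.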