Handle "new-style" COSE envelop and validate transparent receipts by micromaomao · Pull Request #38 · microsoft/cosesign1go

micromaomao · 2026-05-11T14:15:04Z

Prepare for validating transparant fragments.

> sign1util print -in ~/cplat-0.2.14-dev.202603261649/package/LinuxBootFiles/transparent_reference_info.cose
checkCoseSign1 passed
CCF receipt 0 from esrp-cts-db.confidential-ledger.azure.com validation passed
iss: did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.2
feed: ContainerPlat-AMD-UVM
cty: application/json
pubkey: MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAxTSM4xP4oW53VIo0Q0rnOk99dFCjkrEoDr0Euwb9KHvMHGk30wkA62B5ey0MHtL6zwNCiLdJxatExQrm0xC8bv3q5fbBjGZ0yZGIMlTKrbI7zHz/ZF2pm0ojqSWlV2fcaEgM4UuyK4waxZPXm/Z37oGVdHSOJH0wNn1VqLIcfO6mhxq+rqUaKwNNjLIkmMyClTQKmRIAeB9bSd/TJlsHfaOCbodXKIjyiqqSZsBf5GFQDMKS+j3CzEPFIMg6eK0nADEEtygnq2wU0tT/yOL6F/nCRAExYulJ97rq/X2J1IERKQSTIuGQ7eCIL0j0rVLDoi9rq+Lf4vYUCayeKDnHmjJ6DmwPeXdQmoZftSvWLkFXdzkhT3ue8O5IIM8z0VkoVH2mgWeqsHuhdyJCuyELk4A33+Yo+OD+JLTNMeGLas7g8mKAbK6HnPf47v90ofh7BVytqpuugKvjei+UU46tgmj2jvbZuyj5j83V/Jha9yfyJquv0mA0G3LhDB4W8hrZAgMBAAE=
pubcert: MIIGazCCBFOgAwIBAgITMwAAAE+CVvVEUdIgyAAAAAAATzANBgkqhkiG9w0BAQwFADBVMQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgU0NEIFByb2R1Y3RzIFJTQSBDQTAeFw0yNTA1MTUxODU3MDNaFw0yNjA1MTUxODU3MDNaMGwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xFjAUBgNVBAMTDUNvbnRhaW5lclBsYXQwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDFNIzjE/ihbndUijRDSuc6T310UKOSsSgOvQS7Bv0oe8wcaTfTCQDrYHl7LQwe0vrPA0KIt0nFq0TFCubTELxu/erl9sGMZnTJkYgyVMqtsjvMfP9kXambSiOpJaVXZ9xoSAzhS7IrjBrFk9eb9nfugZV0dI4kfTA2fVWoshx87qaHGr6upRorA02MsiSYzIKVNAqZEgB4H1tJ39MmWwd9o4Juh1coiPKKqpJmwF/kYVAMwpL6PcLMQ8UgyDp4rScAMQS3KCerbBTS1P/I4voX+cJEATFi6Un3uur9fYnUgREpBJMi4ZDt4IgvSPStUsOiL2ur4t/i9hQJrJ4oOceaMnoObA95d1Cahl+1K9YuQVd3OSFPe57w7kggzzPRWShUfaaBZ6qwe6F3IkK7IQuTgDff5ij44P4ktM0x4YtqzuDyYoBsroec9/ju/3Sh+HsFXK2qm66Aq+N6L5RTjq2CaPaO9tm7KPmPzdX8mFr3J/Imq6/SYDQbcuEMHhbyGtkCAwEAAaOCAZswggGXMA4GA1UdDwEB/wQEAwIHgDAjBgNVHSUEHDAaBgsrBgEEAYI3TDsBAQYLKwYBBAGCN0w7AQIwHQYDVR0OBBYEFKEPDqVK/oBtc4H6FxKDddVcgjfGMEUGA1UdEQQ+MDykOjA4MR4wHAYDVQQLExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xFjAUBgNVBAUTDTQ3Mjk3Mis1MDQ4NjcwHwYDVR0jBBgwFoAUVc1NhW7NSjXDjj9yAbqqmBmXS6cwXgYDVR0fBFcwVTBToFGgT4ZNaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jcmwvTWljcm9zb2Z0JTIwU0NEJTIwUHJvZHVjdHMlMjBSU0ElMjBDQS5jcmwwawYIKwYBBQUHAQEEXzBdMFsGCCsGAQUFBzAChk9odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY3Jvc29mdCUyMFNDRCUyMFByb2R1Y3RzJTIwUlNBJTIwQ0EuY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEMBQADggIBAIFlKzk+6/SVwScu6Am5rcBiJpjxrvGPG9BKhS4Vl3zVMw/oxhMahHpL3VB4n+HjibYakHISn76jbYIeE9rwRlfhCazzY3J1wHd0Cqx+22+Vp8JGfpXGYN606yy+6Oycvdt5+lHX5OKA82XDKGkMVr3JuVH1NLXuMy4HbJgoDt9o1YDrQUsuLIiyxKIo6jtdzWL+X54EQ47aUtQ23LX1YxXRzj1UdO7y0hCmwj8qIol0OXQQP2UkwxPhRrCg983BWtrzKPHZIM0S8MU9EKpklWvLnrOp55bmJenUGPakmbLJXke18A38wba+TJy0icxumAQ0qhaIxqO3XAeI8PGc5cRM8fyiTbcr0ioSh3He0Xrtf61AwQB1r2rsmPDQiV3f209qGzaOmlEoPtZVaZrx3bR2pvtITNlSmGwTRU9rONukctvVn8ymUL7zLohMTWHYwNHbV6pWY9j7MlHDz1SY6rncpg7asjdnjYAOI2D8832Jrxbn5d3hwaoEz6t7hsDPUeKgXROe5+UcP8JCkSaB1UtpfZ0eyE/6ebqXZ1UcxPEVyHq1SyM+SK3YqglHFxzJZCle/rIaw6AzolCqcuy0NF1EP3FcSAzZtjOenctMvDr/oh8RNfIyG96kCJDncJ/a6hYiV0usAoL+N93ikzUhq2ZekShUPgyGf6EFg1PH3iih
all protected headers:
  1: PS384
  3: "application/json"
  15: {1: "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6.1.4.1.311.76.59.1.2", 2: "ContainerPlat-AMD-UVM", 6: 2026-03-26 17:01:36 +0000 UTC, "svn": 104}
  33: ...
  34: ...
all unprotected headers:
  394: ...
payload:
{
  "x-ms-sevsnpvm-launchmeasurement": "dc3f5a934489232a9b1818f12a0a88d2324ced00f8ab370f40451a76b7880bc3e211849a0739642d3d6c3b2b4bfb9866"
}

receipt 0:
  protected headers:
    ccf.v1: {"txid": "685.17237"}
    1: ES384
    4: "da7694f16def5a056ca96afb21e89a9450e4cc875e2de351da76d99544a3e849"
    395: 2
    15: {6: 1774544498, 1: "esrp-cts-db.confidential-ledger.azure.com", 2: "scitt.ccf.signature.v1"}
  unprotected headers:
    396:
      -1: inclusion proof
  payload: ""

Todo:

Needs to actually check that receipt matches the data
Mayve we should keep the existing output of sign1util print, and only prints the headers and receipts if --print-headers / --print-receipts flags are provided?

Copilot

Pull request overview

This PR extends the COSE_Sign1 unpack/validation path to understand “new-style” envelopes using CWT claim maps and to parse/validate COSE receipts (CCF profile), and updates sign1util to display headers/receipts and validate receipts by fetching issuer JWKS.

Changes:

Add COSE/CWT/receipt-related constants and extend UnpackAndValidateCOSE1CertChain to expose protected/unprotected headers and parse attached receipts.
Implement receipt validation (structure checks + Merkle root recomputation for CCF inclusion proofs + COSE_Sign1 signature verification).
Update sign1util to fetch JWKS, validate receipts, print headers/receipts, and add a global --log-level flag.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 8 comments.

File	Description
pkg/cosesign1/constants.go	Introduces numeric constants for COSE header labels, receipt profile identifiers, and CWT claim keys.
pkg/cosesign1/check.go	Adds receipt parsing/validation and “new-style” CWT claim extraction, and exposes headers/receipts on the unpacked object.
cmd/sign1util/main.go	Adds JWKS fetching + receipt validation and expands verbose printing (headers + receipts) plus global log-level configuration.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

+// Validate validates the COSE Receipt's structure and signature.  See
+// https://www.ietf.org/archive/id/draft-ietf-cose-merkle-tree-proofs-18.html
+// for details about COSE Receipts.
+//
+// It checks that:
+//   - the protected header carries a vds (label 395),
+//   - the payload is detached,
+//   - the unprotected `vdp` header (label 396) contains at least one
+//     inclusion proof (key -1) encoded as a byte string,
+//   - the Merkle root recomputed from each inclusion proof verifies the
+//     receipt's COSE_Sign1 signature, using the public key in `keys` indexed by
+//     r.Kid.
+func (r ParsedCOSEReceipt) Validate(keys map[string]crypto.PublicKey) error {


KenGordon

Maybe break the key fetch out of main.

Copilot

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("reading %s: %w", url, err)
+	}
+	var set jwkSet
+	if err := json.Unmarshal(body, &set); err != nil {
+		return nil, fmt.Errorf("parsing %s: %w", url, err)
+	}


micromaomao · 2026-05-12T23:50:51Z

need to check that receipt actually matches the data

micromaomao added 5 commits April 27, 2026 14:23

Print RAW cose headers and transparent receipts

342cec0

Give names to constants and define more constants

a18e3df

Add CCF receipt validation

6e06f37

Add --log-level flag to sign1util

60a70d9

Receipt validation API/code refactor

c231af7

micromaomao requested a review from KenGordon May 11, 2026 14:15

micromaomao self-assigned this May 11, 2026

micromaomao requested a review from Copilot May 11, 2026 14:15

Copilot started reviewing on behalf of micromaomao May 11, 2026 14:16 View session

Copilot AI reviewed May 11, 2026

View reviewed changes

KenGordon previously approved these changes May 11, 2026

View reviewed changes

micromaomao added 4 commits May 11, 2026 15:07

Fix issues from Copilot review

e5b1225

main.go: tweak output

6373384

Move key fetching code from main.go to a separate file

33ae576

sign1util: receipt verification: Print out CCF certificate

ca16f8e

micromaomao dismissed KenGordon’s stale review via ca16f8e May 12, 2026 22:44

micromaomao requested a review from Copilot May 12, 2026 22:44

Copilot started reviewing on behalf of micromaomao May 12, 2026 22:45 View session

github-advanced-security AI found potential problems May 12, 2026

View reviewed changes

Comment thread cmd/sign1util/ccf_keyfetch.go Dismissed

Copilot AI reviewed May 12, 2026

View reviewed changes

Address review

bbc6ab0

micromaomao marked this pull request as draft May 12, 2026 23:50

micromaomao force-pushed the transparant-fragments branch from 1e2b04c to e5006b1 Compare May 13, 2026 00:11

micromaomao added 2 commits May 13, 2026 00:14

Add unit tests for new parsing code and transparent receipt validation

885b8fc

Add unit test for maliciously grafted receipt

4fa4ccf

micromaomao force-pushed the transparant-fragments branch from e5006b1 to 4fa4ccf Compare May 13, 2026 00:15

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Handle "new-style" COSE envelop and validate transparent receipts#38

Handle "new-style" COSE envelop and validate transparent receipts#38
micromaomao wants to merge 12 commits into
mainfrom
transparant-fragments

micromaomao commented May 11, 2026 •

edited

Loading

Uh oh!

Copilot AI left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

KenGordon left a comment

Uh oh!

Uh oh!

Copilot AI left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

micromaomao commented May 12, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

micromaomao commented May 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

KenGordon left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

micromaomao commented May 12, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

micromaomao commented May 11, 2026 •

edited

Loading