Gitly


1 // Real-world conformance: drives CBOR-Web-Token (RFC 8392) and COSE
2 // (RFC 8152) sample structures. These are the canonical CBOR payloads
3 // used by IoT auth, OAuth 2.0 PoP, and EAT (RFC 9711). They exercise
4 // canonical encoding, signed/MAC/COSE_Sign1 structures, and standard
5 // claim-set integer keys.
6 module main
7 
8 import encoding.cbor
9 import encoding.hex
10 
11 fn h_(s string) []u8 {
12     return hex.decode(s) or { panic('bad hex ${s}') }
13 }
14 
15 fn b_eq(a []u8, b []u8) bool {
16     if a.len != b.len {
17         return false
18     }
19     for i in 0 .. a.len {
20         if a[i] != b[i] {
21             return false
22         }
23     }
24     return true
25 }
26 
27 // --------------------------------------------------------------------
28 // RFC 8392 §A.1 — Example CWT Claims Set
29 //
30 //   {
31 //     1: "coap://as.example.com",  // iss
32 //     2: "erikw",                   // sub
33 //     3: "coap://light.example.com",// aud
34 //     4: 1444064944,                // exp
35 //     5: 1443944944,                // nbf
36 //     6: 1443944944,                // iat
37 //     7: h'0b71'                    // cti
38 //   }
39 const a1_claims_hex = 'a70175636f61703a2f2f61732e6578616d706c652e636f6d02656572696b77' +
40     '037818636f61703a2f2f6c696768742e6578616d706c652e636f6d041a5612ae' +
41     'b0051a5610d9f0061a5610d9f007420b71'
42 
43 fn test_rfc8392_a1_cwt_claims_set() {
44     v := cbor.decode[cbor.Value](h_(a1_claims_hex), cbor.DecodeOpts{}) or {
45         panic('decode CWT claims: ${err}')
46     }
47     if v !is cbor.Map {
48         assert false, 'CWT claim set must decode to a Map'
49         return
50     }
51     m := v as cbor.Map
52     assert m.pairs.len == 7
53 
54     // Helper: find pair by integer key.
55     mut by_key := map[u64]cbor.Value{}
56     for pair in m.pairs {
57         key := pair.key
58         if key !is cbor.IntNum {
59             assert false, 'CWT claim key must be an integer (got ${key.type_name()})'
60             return
61         }
62         k := key as cbor.IntNum
63         assert !k.negative
64         by_key[k.magnitude] = pair.value
65     }
66 
67     // iss / sub / aud / exp / nbf / iat / cti
68     iss := by_key[1] or {
69         assert false, 'missing iss'
70         return
71     }
72     assert (iss as cbor.Text).value == 'coap://as.example.com'
73     sub := by_key[2] or {
74         assert false, 'missing sub'
75         return
76     }
77     assert (sub as cbor.Text).value == 'erikw'
78     aud := by_key[3] or {
79         assert false, 'missing aud'
80         return
81     }
82     assert (aud as cbor.Text).value == 'coap://light.example.com'
83     exp := by_key[4] or {
84         assert false, 'missing exp'
85         return
86     }
87     exp_int := exp as cbor.IntNum
88     assert !exp_int.negative && exp_int.magnitude == 1444064944
89     nbf := by_key[5] or {
90         assert false, 'missing nbf'
91         return
92     }
93     nbf_int := nbf as cbor.IntNum
94     assert !nbf_int.negative && nbf_int.magnitude == 1443944944
95     iat := by_key[6] or {
96         assert false, 'missing iat'
97         return
98     }
99     iat_int := iat as cbor.IntNum
100     assert !iat_int.negative && iat_int.magnitude == 1443944944
101     cti := by_key[7] or {
102         assert false, 'missing cti'
103         return
104     }
105     cti_bs := cti as cbor.Bytes
106     assert b_eq(cti_bs.data, [u8(0x0b), 0x71])
107 
108     // Re-encode through the Value tree: must be byte-identical (RFC 8392
109     // claim sets are already in canonical form per §7).
110     out := cbor.encode_value(v, cbor.EncodeOpts{})!
111     assert b_eq(out, h_(a1_claims_hex)), 'CWT round-trip mismatch'
112 }
113 
114 // --------------------------------------------------------------------
115 // RFC 8392 §A.3 — COSE_Mac0-tagged CWT (tag 17 = CBOR_Tag_COSE_Mac0)
116 // The outer is `61(...)` = tag 61 (CWT) wrapping a COSE_Mac0 (tag 17).
117 // We don't validate the MAC — only the CBOR structure parses cleanly,
118 // the protected header is a bstr, the claim payload is a bstr containing
119 // the §A.1 claims, and the tag is correctly identified.
120 // Tag 61 (CWT) → tag 17 (COSE_Mac0) → [protected={1:5}, {}, payload, mac_tag]
121 // Constructed from §A.1 claims + §A.3 example MAC.
122 const a3_mac_hex = 'd83d' + // CWT tag
123  'd1' + // COSE_Mac0 tag
124  '84' + // array(4)
125  '43a10105' + // bstr(3): {1:5} (HMAC 256/64)
126  'a0' + // {}
127  '5850' + a1_claims_hex + // bstr(80): claims
128  '48093101ef6d789200' // bstr(8): MAC
129 
130 fn test_rfc8392_a3_cose_mac0_cwt() {
131     v := cbor.decode[cbor.Value](h_(a3_mac_hex), cbor.DecodeOpts{}) or {
132         panic('decode CWT-Mac0: ${err}')
133     }
134     // Outer is tag 61 (CWT).
135     if v !is cbor.Tag {
136         assert false, 'expected tag 61'
137         return
138     }
139     cwt_tag := v as cbor.Tag
140     assert cwt_tag.number == 61, 'outer tag = ${cwt_tag.number}, want 61'
141 
142     // Inner is tag 17 (COSE_Mac0).
143     inner := cwt_tag.content()
144     if inner !is cbor.Tag {
145         assert false, 'expected tag 17 inside CWT'
146         return
147     }
148     mac0 := inner as cbor.Tag
149     assert mac0.number == 17, 'inner tag = ${mac0.number}, want 17'
150 
151     // COSE_Mac0 = [protected, unprotected, payload, tag]
152     body := mac0.content()
153     if body !is cbor.Array {
154         assert false, 'COSE_Mac0 must be array'
155         return
156     }
157     arr := body as cbor.Array
158     assert arr.elements.len == 4, 'COSE_Mac0 must have 4 elements, got ${arr.elements.len}'
159 
160     // protected is a bstr wrapping a CBOR-encoded map.
161     protected_bs := arr.elements[0] as cbor.Bytes
162     protected_map := cbor.decode[cbor.Value](protected_bs.data, cbor.DecodeOpts{}) or {
163         panic('decode protected header: ${err}')
164     }
165     assert protected_map is cbor.Map
166 
167     // unprotected is an empty map.
168     assert arr.elements[1] is cbor.Map
169     assert (arr.elements[1] as cbor.Map).pairs.len == 0
170 
171     // payload is a bstr that decodes to the §A.1 claims set.
172     payload_bs := arr.elements[2] as cbor.Bytes
173     claims := cbor.decode[cbor.Value](payload_bs.data, cbor.DecodeOpts{}) or {
174         panic('decode payload: ${err}')
175     }
176     assert claims is cbor.Map
177     claims_map := claims as cbor.Map
178     assert claims_map.pairs.len == 7, 'expected 7 claims, got ${claims_map.pairs.len}'
179 
180     // Round-trip: re-encode the entire structure and compare bytes.
181     out := cbor.encode_value(v, cbor.EncodeOpts{})!
182     assert b_eq(out, h_(a3_mac_hex)), 'CWT-Mac0 round-trip mismatch'
183 }
184 
185 // --------------------------------------------------------------------
186 // RFC 8152 §C.2.1 — COSE_Sign1 single-signer ECDSA example
187 // 18([h'a201260300', {}, h'546869732069732074686520636f6e74656e742e',
188 //     h'6520bbaf2081d7e0ed0f95f76eb0733d667005f7467cec4b87b9381a6ba1ed' +
189 //       'e8e00df29f32a37230f39a842a54821fdd223092819d7728efb9d3a0080b75'])
190 //
191 // The fully-encoded form is published in the working group test
192 // vectors. We encode it from its components to validate that the
193 // pieces round-trip — that's the meaningful interop check (the actual
194 // signature isn't verified).
195 fn test_cose_sign1_structure() {
196     mut p := cbor.new_packer(cbor.EncodeOpts{})
197     p.pack_tag(18) // COSE_Sign1
198     p.pack_array_header(4)
199     // protected (bstr containing {1: -7})  −7 = ECDSA w/ SHA-256
200     p.pack_bytes(h_('a10126'))
201     // unprotected (empty map)
202     p.pack_map_header(0)
203     // payload
204     p.pack_bytes('This is the content.'.bytes())
205     // signature (truncated example)
206     p.pack_bytes(h_('8eb33e4ca31d1c465ab05aac34cc6b23d58fef5c083106c4d25a91aef0b0117e2af9a291aa32e14ab834dc56ed2a223444547e01f11d3b0916e5a4c345cacb36'))
207 
208     out := p.bytes()
209 
210     // Decode back and validate the COSE_Sign1 shape.
211     v := cbor.decode[cbor.Value](out, cbor.DecodeOpts{}) or { panic('decode Sign1: ${err}') }
212     tag := v as cbor.Tag
213     assert tag.number == 18, 'tag = ${tag.number}, want 18 (COSE_Sign1)'
214 
215     body := tag.content() as cbor.Array
216     assert body.elements.len == 4
217 
218     protected := body.elements[0] as cbor.Bytes
219     hdr := cbor.decode[cbor.Value](protected.data, cbor.DecodeOpts{}) or {
220         panic('decode protected: ${err}')
221     }
222     hdr_map := hdr as cbor.Map
223     assert hdr_map.pairs.len == 1
224     // alg label = 1, value = -7
225     alg_key := hdr_map.pairs[0].key as cbor.IntNum
226     assert !alg_key.negative && alg_key.magnitude == 1
227     alg_val := hdr_map.pairs[0].value as cbor.IntNum
228     assert alg_val.negative && alg_val.magnitude == 6 // -7 = -1 - 6
229 
230     payload := body.elements[2] as cbor.Bytes
231     assert payload.data.bytestr() == 'This is the content.'
232 
233     // Roundtrip the whole thing through Value tree.
234     rt := cbor.encode_value(v, cbor.EncodeOpts{})!
235     assert b_eq(rt, out), 'COSE_Sign1 round-trip mismatch'
236 }
237 
238 // --------------------------------------------------------------------
239 // RFC 8152 §3 — Sig_structure used as Signature Input
240 // Sig_structure = [context, body_protected, external_aad, payload]
241 // This covers canonical encoding requirements (§4.4): when computing
242 // the to-be-signed bytes, the structure MUST be deterministically encoded.
243 fn test_sig_structure_canonical() {
244     mut p := cbor.new_packer(cbor.EncodeOpts{ canonical: true })
245     p.pack_array_header(4)
246     p.pack_text('Signature1')
247     p.pack_bytes(h_('a10126'))
248     p.pack_bytes([]u8{}) // external_aad
249     p.pack_bytes('payload bytes'.bytes())
250     encoded := p.bytes()
251 
252     // Re-encode in canonical mode through the Value tree must be identical.
253     v := cbor.decode[cbor.Value](encoded, cbor.DecodeOpts{}) or { panic(err) }
254     mut p2 := cbor.new_packer(cbor.EncodeOpts{ canonical: true })
255     p2.pack_value(v)!
256     rt := p2.bytes()
257     assert b_eq(rt, encoded), 'Sig_structure canonical round-trip differs'
258 }
259

1	// Real-world conformance: drives CBOR-Web-Token (RFC 8392) and COSE
2	// (RFC 8152) sample structures. These are the canonical CBOR payloads
3	// used by IoT auth, OAuth 2.0 PoP, and EAT (RFC 9711). They exercise
4	// canonical encoding, signed/MAC/COSE_Sign1 structures, and standard
5	// claim-set integer keys.
6	module main
7
8	import encoding.cbor
9	import encoding.hex
10
11	fn h_(s string) []u8 {
12	return hex.decode(s) or { panic('bad hex ${s}') }
13	}
14
15	fn b_eq(a []u8, b []u8) bool {
16	if a.len != b.len {
17	return false
18	}
19	for i in 0 .. a.len {
20	if a[i] != b[i] {
21	return false
22	}
23	}
24	return true
25	}
26
27	// --------------------------------------------------------------------
28	// RFC 8392 §A.1 — Example CWT Claims Set
29	//
30	// {
31	// 1: "coap://as.example.com", // iss
32	// 2: "erikw", // sub
33	// 3: "coap://light.example.com",// aud
34	// 4: 1444064944, // exp
35	// 5: 1443944944, // nbf
36	// 6: 1443944944, // iat
37	// 7: h'0b71' // cti
38	// }
39	const a1_claims_hex = 'a70175636f61703a2f2f61732e6578616d706c652e636f6d02656572696b77' +
40	'037818636f61703a2f2f6c696768742e6578616d706c652e636f6d041a5612ae' +
41	'b0051a5610d9f0061a5610d9f007420b71'
42
43	fn test_rfc8392_a1_cwt_claims_set() {
44	v := cbor.decode[cbor.Value](h_(a1_claims_hex), cbor.DecodeOpts{}) or {
45	panic('decode CWT claims: ${err}')
46	}
47	if v !is cbor.Map {
48	assert false, 'CWT claim set must decode to a Map'
49	return
50	}
51	m := v as cbor.Map
52	assert m.pairs.len == 7
53
54	// Helper: find pair by integer key.
55	mut by_key := map[u64]cbor.Value{}
56	for pair in m.pairs {
57	key := pair.key
58	if key !is cbor.IntNum {
59	assert false, 'CWT claim key must be an integer (got ${key.type_name()})'
60	return
61	}
62	k := key as cbor.IntNum
63	assert !k.negative
64	by_key[k.magnitude] = pair.value
65	}
66
67	// iss / sub / aud / exp / nbf / iat / cti
68	iss := by_key[1] or {
69	assert false, 'missing iss'
70	return
71	}
72	assert (iss as cbor.Text).value == 'coap://as.example.com'
73	sub := by_key[2] or {
74	assert false, 'missing sub'
75	return
76	}
77	assert (sub as cbor.Text).value == 'erikw'
78	aud := by_key[3] or {
79	assert false, 'missing aud'
80	return
81	}
82	assert (aud as cbor.Text).value == 'coap://light.example.com'
83	exp := by_key[4] or {
84	assert false, 'missing exp'
85	return
86	}
87	exp_int := exp as cbor.IntNum
88	assert !exp_int.negative && exp_int.magnitude == 1444064944
89	nbf := by_key[5] or {
90	assert false, 'missing nbf'
91	return
92	}
93	nbf_int := nbf as cbor.IntNum
94	assert !nbf_int.negative && nbf_int.magnitude == 1443944944
95	iat := by_key[6] or {
96	assert false, 'missing iat'
97	return
98	}
99	iat_int := iat as cbor.IntNum
100	assert !iat_int.negative && iat_int.magnitude == 1443944944
101	cti := by_key[7] or {
102	assert false, 'missing cti'
103	return
104	}
105	cti_bs := cti as cbor.Bytes
106	assert b_eq(cti_bs.data, [u8(0x0b), 0x71])
107
108	// Re-encode through the Value tree: must be byte-identical (RFC 8392
109	// claim sets are already in canonical form per §7).
110	out := cbor.encode_value(v, cbor.EncodeOpts{})!
111	assert b_eq(out, h_(a1_claims_hex)), 'CWT round-trip mismatch'
112	}
113
114	// --------------------------------------------------------------------
115	// RFC 8392 §A.3 — COSE_Mac0-tagged CWT (tag 17 = CBOR_Tag_COSE_Mac0)
116	// The outer is `61(...)` = tag 61 (CWT) wrapping a COSE_Mac0 (tag 17).
117	// We don't validate the MAC — only the CBOR structure parses cleanly,
118	// the protected header is a bstr, the claim payload is a bstr containing
119	// the §A.1 claims, and the tag is correctly identified.
120	// Tag 61 (CWT) → tag 17 (COSE_Mac0) → [protected={1:5}, {}, payload, mac_tag]
121	// Constructed from §A.1 claims + §A.3 example MAC.
122	const a3_mac_hex = 'd83d' + // CWT tag
123	'd1' + // COSE_Mac0 tag
124	'84' + // array(4)
125	'43a10105' + // bstr(3): {1:5} (HMAC 256/64)
126	'a0' + // {}
127	'5850' + a1_claims_hex + // bstr(80): claims
128	'48093101ef6d789200' // bstr(8): MAC
129
130	fn test_rfc8392_a3_cose_mac0_cwt() {
131	v := cbor.decode[cbor.Value](h_(a3_mac_hex), cbor.DecodeOpts{}) or {
132	panic('decode CWT-Mac0: ${err}')
133	}
134	// Outer is tag 61 (CWT).
135	if v !is cbor.Tag {
136	assert false, 'expected tag 61'
137	return
138	}
139	cwt_tag := v as cbor.Tag
140	assert cwt_tag.number == 61, 'outer tag = ${cwt_tag.number}, want 61'
141
142	// Inner is tag 17 (COSE_Mac0).
143	inner := cwt_tag.content()
144	if inner !is cbor.Tag {
145	assert false, 'expected tag 17 inside CWT'
146	return
147	}
148	mac0 := inner as cbor.Tag
149	assert mac0.number == 17, 'inner tag = ${mac0.number}, want 17'
150
151	// COSE_Mac0 = [protected, unprotected, payload, tag]
152	body := mac0.content()
153	if body !is cbor.Array {
154	assert false, 'COSE_Mac0 must be array'
155	return
156	}
157	arr := body as cbor.Array
158	assert arr.elements.len == 4, 'COSE_Mac0 must have 4 elements, got ${arr.elements.len}'
159
160	// protected is a bstr wrapping a CBOR-encoded map.
161	protected_bs := arr.elements[0] as cbor.Bytes
162	protected_map := cbor.decode[cbor.Value](protected_bs.data, cbor.DecodeOpts{}) or {
163	panic('decode protected header: ${err}')
164	}
165	assert protected_map is cbor.Map
166
167	// unprotected is an empty map.
168	assert arr.elements[1] is cbor.Map
169	assert (arr.elements[1] as cbor.Map).pairs.len == 0
170
171	// payload is a bstr that decodes to the §A.1 claims set.
172	payload_bs := arr.elements[2] as cbor.Bytes
173	claims := cbor.decode[cbor.Value](payload_bs.data, cbor.DecodeOpts{}) or {
174	panic('decode payload: ${err}')
175	}
176	assert claims is cbor.Map
177	claims_map := claims as cbor.Map
178	assert claims_map.pairs.len == 7, 'expected 7 claims, got ${claims_map.pairs.len}'
179
180	// Round-trip: re-encode the entire structure and compare bytes.
181	out := cbor.encode_value(v, cbor.EncodeOpts{})!
182	assert b_eq(out, h_(a3_mac_hex)), 'CWT-Mac0 round-trip mismatch'
183	}
184
185	// --------------------------------------------------------------------
186	// RFC 8152 §C.2.1 — COSE_Sign1 single-signer ECDSA example
187	// 18([h'a201260300', {}, h'546869732069732074686520636f6e74656e742e',
188	// h'6520bbaf2081d7e0ed0f95f76eb0733d667005f7467cec4b87b9381a6ba1ed' +
189	// 'e8e00df29f32a37230f39a842a54821fdd223092819d7728efb9d3a0080b75'])
190	//
191	// The fully-encoded form is published in the working group test
192	// vectors. We encode it from its components to validate that the
193	// pieces round-trip — that's the meaningful interop check (the actual
194	// signature isn't verified).
195	fn test_cose_sign1_structure() {
196	mut p := cbor.new_packer(cbor.EncodeOpts{})
197	p.pack_tag(18) // COSE_Sign1
198	p.pack_array_header(4)
199	// protected (bstr containing {1: -7}) −7 = ECDSA w/ SHA-256
200	p.pack_bytes(h_('a10126'))
201	// unprotected (empty map)
202	p.pack_map_header(0)
203	// payload
204	p.pack_bytes('This is the content.'.bytes())
205	// signature (truncated example)
206	p.pack_bytes(h_('8eb33e4ca31d1c465ab05aac34cc6b23d58fef5c083106c4d25a91aef0b0117e2af9a291aa32e14ab834dc56ed2a223444547e01f11d3b0916e5a4c345cacb36'))
207
208	out := p.bytes()
209
210	// Decode back and validate the COSE_Sign1 shape.
211	v := cbor.decode[cbor.Value](out, cbor.DecodeOpts{}) or { panic('decode Sign1: ${err}') }
212	tag := v as cbor.Tag
213	assert tag.number == 18, 'tag = ${tag.number}, want 18 (COSE_Sign1)'
214
215	body := tag.content() as cbor.Array
216	assert body.elements.len == 4
217
218	protected := body.elements[0] as cbor.Bytes
219	hdr := cbor.decode[cbor.Value](protected.data, cbor.DecodeOpts{}) or {
220	panic('decode protected: ${err}')
221	}
222	hdr_map := hdr as cbor.Map
223	assert hdr_map.pairs.len == 1
224	// alg label = 1, value = -7
225	alg_key := hdr_map.pairs[0].key as cbor.IntNum
226	assert !alg_key.negative && alg_key.magnitude == 1
227	alg_val := hdr_map.pairs[0].value as cbor.IntNum
228	assert alg_val.negative && alg_val.magnitude == 6 // -7 = -1 - 6
229
230	payload := body.elements[2] as cbor.Bytes
231	assert payload.data.bytestr() == 'This is the content.'
232
233	// Roundtrip the whole thing through Value tree.
234	rt := cbor.encode_value(v, cbor.EncodeOpts{})!
235	assert b_eq(rt, out), 'COSE_Sign1 round-trip mismatch'
236	}
237
238	// --------------------------------------------------------------------
239	// RFC 8152 §3 — Sig_structure used as Signature Input
240	// Sig_structure = [context, body_protected, external_aad, payload]
241	// This covers canonical encoding requirements (§4.4): when computing
242	// the to-be-signed bytes, the structure MUST be deterministically encoded.
243	fn test_sig_structure_canonical() {
244	mut p := cbor.new_packer(cbor.EncodeOpts{ canonical: true })
245	p.pack_array_header(4)
246	p.pack_text('Signature1')
247	p.pack_bytes(h_('a10126'))
248	p.pack_bytes([]u8{}) // external_aad
249	p.pack_bytes('payload bytes'.bytes())
250	encoded := p.bytes()
251
252	// Re-encode in canonical mode through the Value tree must be identical.
253	v := cbor.decode[cbor.Value](encoded, cbor.DecodeOpts{}) or { panic(err) }
254	mut p2 := cbor.new_packer(cbor.EncodeOpts{ canonical: true })
255	p2.pack_value(v)!
256	rt := p2.bytes()
257	assert b_eq(rt, encoded), 'Sig_structure canonical round-trip differs'
258	}
259