PHPackages web-auth/cose-lib - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Security](/categories/security) 4. / 5. web-auth/cose-lib ActiveLibrary[Security](/categories/security) web-auth/cose-lib ================= CBOR Object Signing and Encryption (COSE) For PHP 4.5.0(4mo ago)185.7M—5.6%10[1 issues](https://github.com/web-auth/cose-lib/issues)[1 PRs](https://github.com/web-auth/cose-lib/pulls)17MITPHPPHP >=8.1CI passing Since Jan 29Pushed 2w ago1 watchersCompare [ Source](https://github.com/web-auth/cose-lib)[ Packagist](https://packagist.org/packages/web-auth/cose-lib)[ Docs](https://github.com/web-auth)[ GitHub Sponsors](https://github.com/Spomky)[ Patreon](https://www.patreon.com/FlorentMorselli)[ RSS](/packages/web-auth-cose-lib/feed)WikiDiscussions 4.6.x Synced 1mo ago READMEChangelog (10)Dependencies (3)Versions (102)Used By (17) COSE Library for PHP ==================== [](#cose-library-for-php) [![CI](https://github.com/web-auth/cose-lib/actions/workflows/ci.yml/badge.svg)](https://github.com/web-auth/cose-lib/actions/workflows/ci.yml)[![Latest Stable Version](https://camo.githubusercontent.com/10354283c3404c82e5fc58c634349e53ef899116bd6212bf2f033512f59054bc/68747470733a2f2f706f7365722e707567782e6f72672f7765622d617574682f636f73652d6c69622f76)](https://packagist.org/packages/web-auth/cose-lib)[![Total Downloads](https://camo.githubusercontent.com/437a0d8649ad9704e5324c80975ac5098998cbfaba0d3d004470d003ae2235f6/68747470733a2f2f706f7365722e707567782e6f72672f7765622d617574682f636f73652d6c69622f646f776e6c6f616473)](https://packagist.org/packages/web-auth/cose-lib)[![License](https://camo.githubusercontent.com/4d84c026a930d741eafbc6ad16814c6f742958f1d43789d9c083dde787f2c9f8/68747470733a2f2f706f7365722e707567782e6f72672f7765622d617574682f636f73652d6c69622f6c6963656e7365)](https://packagist.org/packages/web-auth/cose-lib) **CBOR Object Signing and Encryption (COSE) for PHP** is a comprehensive library that provides full support for COSE operations including signing, encryption, and MAC (Message Authentication Code) operations. This library implements: - **[RFC 9052](https://datatracker.ietf.org/doc/html/rfc9052)** - COSE: Structures and Process - **[RFC 9053](https://datatracker.ietf.org/doc/html/rfc9053)** - COSE: Initial Algorithms Features -------- [](#features) ✅ **Complete COSE Tag Support** - COSE\_Sign1 (tag 18) - Single signature - COSE\_Sign (tag 98) - Multiple signatures - COSE\_Encrypt0 (tag 16) - Single recipient encryption - COSE\_Encrypt (tag 96) - Multiple recipients encryption - COSE\_Mac0 (tag 17) - MAC without recipients - COSE\_Mac (tag 97) - MAC with recipients ✅ **Cryptographic Algorithms** - **Signatures**: ECDSA (ES256, ES384, ES512, ES256K), EdDSA (Ed25519, Ed448), RSA (RS256/384/512, PS256/384/512) - **MAC**: HMAC with SHA-256/384/512 - Compatible with WebAuthn, FIDO2, and digital COVID certificates ✅ **Modern PHP** - PHP 8.1+ with strict types - Full type safety and PHPStan compliance - Comprehensive test coverage Installation ------------ [](#installation) Install the library with Composer: ``` composer require web-auth/cose-lib ``` For COSE tag support (Sign, Encrypt, Mac operations), also install: ``` composer require spomky-labs/cbor-php ``` Quick Start ----------- [](#quick-start) ### Verifying a COSE\_Sign1 Signature [](#verifying-a-cose_sign1-signature) ``` use CBOR\Decoder; use CBOR\OtherObject\OtherObjectManager; use CBOR\StringStream; use CBOR\Tag\TagManager; use Cose\Signature\CoseSign1Tag; use Cose\Signature\Signature1; // Setup decoder with COSE tag support $tagManager = TagManager::create()->add(CoseSign1Tag::class); $decoder = Decoder::create($tagManager, OtherObjectManager::create()); // Decode COSE_Sign1 message $stream = new StringStream($encodedData); $coseSign1 = $decoder->decode($stream); // Extract components $protectedHeader = $coseSign1->getProtectedHeader(); $payload = $coseSign1->getPayload(); $signature = $coseSign1->getSignature(); // Create signature structure for verification $sigStructure = Signature1::create($protectedHeader, $payload); // Verify (example with OpenSSL) $isValid = openssl_verify( (string) $sigStructure, $derSignature, $publicKey, 'sha256' ); ``` ### Creating a COSE\_Sign1 Message [](#creating-a-cose_sign1-message) ``` use CBOR\ByteStringObject; use CBOR\MapItem; use CBOR\MapObject; use CBOR\NegativeIntegerObject; use CBOR\UnsignedIntegerObject; use Cose\Signature\CoseSign1Tag; // Define headers $protectedHeader = MapObject::create([ MapItem::create( UnsignedIntegerObject::create(1), // alg NegativeIntegerObject::create(-7) // ES256 ), ]); $unprotectedHeader = MapObject::create([ MapItem::create( UnsignedIntegerObject::create(4), // kid ByteStringObject::create('my-key-id') ), ]); // Create COSE_Sign1 $coseSign1 = CoseSign1Tag::create( $protectedHeader, $unprotectedHeader, ByteStringObject::create('Message to sign'), ByteStringObject::create($signatureBytes) ); // Encode to CBOR $encoded = (string) $coseSign1; ``` Documentation ------------- [](#documentation) - **[Usage Guide](doc/Usage.md)** - Complete documentation with examples - **[RFC 9052](https://datatracker.ietf.org/doc/html/rfc9052)** - COSE Structures - **[RFC 9053](https://datatracker.ietf.org/doc/html/rfc9053)** - COSE Algorithms Use Cases --------- [](#use-cases) This library is perfect for: - 🏥 **Digital Health Certificates** - COVID-19 vaccination passes (EU Digital COVID Certificate) - 🔐 **WebAuthn/FIDO2** - Authenticator attestation and assertion signatures - 📱 **IoT Security** - Secure messaging for constrained devices - 🌐 **Web PKI** - CBOR-based certificate chains - 📄 **Document Signing** - Compact digital signatures Supported Algorithms -------------------- [](#supported-algorithms) ### Signature Algorithms [](#signature-algorithms) AlgorithmIdentifierDescriptionES256-7ECDSA with SHA-256ES384-35ECDSA with SHA-384ES512-36ECDSA with SHA-512ES256K-47ECDSA with secp256k1EdDSA-8EdDSAEd25519-EdDSA with Curve25519RS256-257RSASSA-PKCS1-v1\_5 with SHA-256RS384-258RSASSA-PKCS1-v1\_5 with SHA-384RS512-259RSASSA-PKCS1-v1\_5 with SHA-512PS256-37RSASSA-PSS with SHA-256PS384-38RSASSA-PSS with SHA-384PS512-39RSASSA-PSS with SHA-512### MAC Algorithms [](#mac-algorithms) AlgorithmIdentifierDescriptionHS2565HMAC with SHA-256HS3846HMAC with SHA-384HS5127HMAC with SHA-512HS256/644HMAC with SHA-256 truncated to 64 bitsTesting ------- [](#testing) Run the test suite with: ``` composer test ``` Or using Castor: ``` castor phpunit ``` The library includes comprehensive tests including: - Unit tests for all COSE tag types - Integration tests with real cryptographic operations - COVID-19 certificate verification examples - Test fixtures with actual certificates Requirements ------------ [](#requirements) - PHP 8.1 or higher - ext-json - ext-openssl - brick/math - spomky-labs/pki-framework - spomky-labs/cbor-php (for COSE tag support) Contributing ------------ [](#contributing) Contributions are welcome! Please see [CONTRIBUTING.md](doc/Contributing.md) for details. For security vulnerabilities, please email **security \[at\] spomky-labs.com** instead of using the issue tracker. Support ------- [](#support) I bring solutions to your problems and answer your questions. If you really love this project and the work I have done, or if you want me to prioritize your issues, you can support me: - [Become a sponsor on GitHub](https://github.com/sponsors/Spomky) - [Become a Patreon](https://www.patreon.com/FlorentMorselli) License ------- [](#license) This software is released under the [MIT License](LICENSE). Credits ------- [](#credits) Maintained by [Florent Morselli](https://github.com/Spomky) and [contributors](https://github.com/web-auth/cose-lib/contributors). --- Made with ❤️ for the PHP community ### Health Score 68 — FairBetter than 100% of packages Maintenance86 Actively maintained with recent releases Popularity55 Moderate usage in the ecosystem Community28 Small or concentrated contributor base Maturity85 Battle-tested with a long release history Bus Factor1 Top contributor holds 64.4% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~27 days Recently: every ~48 days Total 95 Last Release 85d ago Major Versions v1.2.x-dev → v2.0.02019-05-05 v2.2.x-dev → v3.0.02020-01-02 v3.3.11 → v4.0.02022-04-02 PHP version history (4 changes)v1.0.1PHP ^7.1 v2.0.0PHP ^7.2 v3.3.0PHP >=7.2 v4.0.0PHP >=8.1 ### Community Maintainers ![](https://www.gravatar.com/avatar/ccc6c59de7d9ddc53219653bc58f1e082ef83d96632d233eedc0b7097cf80ea3?d=identicon)[Spomky](/maintainers/Spomky) --- Top Contributors [![Spomky](https://avatars.githubusercontent.com/u/1091072?v=4)](https://github.com/Spomky "Spomky (125 commits)")[![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4)](https://github.com/dependabot[bot] "dependabot[bot] (57 commits)")[![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?v=4)](https://github.com/github-actions[bot] "github-actions[bot] (6 commits)")[![szepeviktor](https://avatars.githubusercontent.com/u/952007?v=4)](https://github.com/szepeviktor "szepeviktor (3 commits)")[![kronthto](https://avatars.githubusercontent.com/u/17156142?v=4)](https://github.com/kronthto "kronthto (1 commits)")[![fnpen](https://avatars.githubusercontent.com/u/31767378?v=4)](https://github.com/fnpen "fnpen (1 commits)")[![TimWolla](https://avatars.githubusercontent.com/u/209270?v=4)](https://github.com/TimWolla "TimWolla (1 commits)") --- Tags cosecose-keyCOSERFC8152 ### Embed Badge ![Health badge](/badges/web-auth-cose-lib/health.svg) ``` [![Health](https://phpackages.com/badges/web-auth-cose-lib/health.svg)](https://phpackages.com/packages/web-auth-cose-lib) ``` ### Alternatives [defuse/php-encryption Secure PHP Encryption Library 3.9k162.4M214](/packages/defuse-php-encryption)[mews/purifier Laravel 5/6/7/8/9/10 HtmlPurifier Package 2.0k16.7M113](/packages/mews-purifier)[robrichards/xmlseclibs A PHP library for XML Security 41478.1M118](/packages/robrichards-xmlseclibs)[bjeavons/zxcvbn-php Realistic password strength estimation PHP library based on Zxcvbn JS 87117.5M63](/packages/bjeavons-zxcvbn-php)[illuminate/encryption The Illuminate Encryption package. 9229.7M280](/packages/illuminate-encryption)[paragonie/hidden-string Encapsulate strings in an object to hide them from stack traces 7410.6M39](/packages/paragonie-hidden-string) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)