Closed becarpenter closed 1 year ago
I have used COSE with detached payloads by manipulating the CBOR array between the COSE encoding and CBOR encoding layers. An example of this is the removal (after signing) and replacement (before verification) of the message_dec[2] item in test_sign1_ecdsa.py.
I don't know if this is the one-true-way to make this happen but it does the right thing. Because COSE is more of a framework than a specific protocol, it seems like most uses of the library will need to do similar item- or field-specific manipulation to line things up correctly with the use.
Thanks @BrianSipos, I had almost figured that out for myself. It seems a bit expensive because of additional cbor.loads() and dumps() but it will serve my purpose.
The API of pycose could be extended to support this directly. For example, when signing, there could be an optional detached: Optional[bool]=False keyword argument, and when verifying, there could be an optional payload: Optional[bytes]=None.
@TimothyClaeys What do you think?
I'm probably missing something but I don't see how to sign or verify with detached content, which RFC 8152 allows. (Reason: we are wondering whether to add COSE signing to GRASP, RFC 8990, and I'd like to prototype it.)