COSE messages can be read, validated, created, and encrypted

[jozkee]

Minimum viable product (MVP)

• [x] #62872
• [x] #32121
  • Proceed adding the code normally as any other new project.
  • Namespace will be System.Security.Cryptography.Cose
  • APIs will be annotated with [RequiresPreviewFeatures], allowing the APIs to be introduced for early adopters before the API Review is conducted
  • Scenarios that need support:
    • Tag/Untagged (Assume COSE_Sign1 in untagged case).
    • Embedded/detached content
    • Get early API feedback from @blowdart and early adopters

Checkpoint MVP+1 (aligned with .NET 7 Preview 4)

• [x] Address open PR TODO feedback from MVP
• [x] Improve API consistency with CborReader regarding ReadOnlySpan, ReadOnlyMemory, and byte[]
  • Improving the scenarios of moving between Cose and Cbor APIs, avoiding conversions between ROS/ROM and byte[]
• [x] Overloads that accept data types other than byte[], Span such as Stream for detached content
  • This introduces async requirements

Checkpoint MVP+2 (.NET 7 prev 6/7)

• [x] Support Critical Headers
• [x] Ability to modify unprotected headers and re-encode the signed message (useful for counter-sign scenarios).
• [x] #62599
• [x] API review and removal of RequiresPreviewFeature.

Checkpoint MVP+3 (.NET 8)

• [ ] #32123
• [ ] Support Counter signatures
• [ ] X509 extensions for chain building and timestamp handling, once unblocked by RFC ratification
  • Extension methods for handling headers and certs
  • Verify a COSE signature using an embedded x509 chain
  • Handle timestamps

Collaboration with the GluCOSE project

In parallel with the engineering efforts above, we will also be collaborating with the GluCOSE project to ensure .NET is represented as a first-tier implementation of COSE standards.

• [ ] Contribute to the GluCOSE test suite definition, with the all applicable tests implemented
• [ ] Consider support for MAC

[ghost]

Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones, @krwq See info in area-owners.md if you want to be subscribed.

Issue Details

---

### Minimum viable product (MVP) : 0. [ ] Add support for ns2.0 to System.Formats.CBOR. 1. [ ] https://github.com/dotnet/runtime/issues/32121. - Proceed adding the code normally as any other new project. - Namespace will be System.Security.Cryptography.Cose. - Scenarios that need support: - Tag/Untagged (Assume COSE_Sign1 in untagged case). - Embedded/detached content. 2. [ ] We need an sponsor for adding the feature without going through API review (@bartonjs nominated @jeffhandley as sponsor). 3. [ ] Show API to @blowdart for UX validation. 4. [ ] Add write support of COSE_Sign1. ### Additional scope after MVP: 5. [ ] https://github.com/dotnet/runtime/issues/62599 6. [ ] https://github.com/dotnet/runtime/issues/32123

Author:	Jozkee
Assignees:	Jozkee
Labels:	`Epic`, `area-System.Security`
Milestone:	7.0.0