In April and May 2022, NCC Group Cryptography Services engaged in a security and cryptography assessment reviewing Microsoft’s contributions to the go-cose library, a Go library implementing signing and verification for CBOR Object Signing and Encryption (COSE), as specified in RFC 8152. This library focuses on a minimal feature set to enable the signing and verification of COSE messages using a single signer, also known as “sign1”. The purpose of this assessment was to identify cryptographic vulnerabilities and application-level security issues that could adversely affect the security of the go-cose library.
The Public Report for this review may be downloaded below: