A.6. Example Nested CWT
A.6. Example Nested CWT
This section shows a Nested CWT, signed and then encrypted, with a single recipient and a full CWT Claims Set.
The signature is generated using the private ECDSA key from Appendix A.2.3, and it can be validated using the public ECDSA parts from Appendix A.2.3. The encryption is done with AES-CCM mode using the 128-bit symmetric key from Appendix A.2.1 with a 64-bit tag and 13-byte nonce, i.e., COSE AES-CCM-16-64-128. The content type is set to CWT to indicate that there are multiple layers of COSE protection before finding the CWT Claims Set. The decrypted ciphertext will be a COSE_sign1 structure. In this example, it is the same one as in Appendix A.3, i.e., a Signed CWT Claims Set. Note that there is no limitation to the number of layers; this is an example with two layers. Line breaks are for display purposes only.
d08343a1010aa2044c53796d6d6574726963313238054d4a0694c0e69ee6b595
6655c7b258b7f6b0914f993de822cc47e5e57a188d7960b528a747446fe12f0e
7de05650dec74724366763f167a29c002dfd15b34d8993391cf49bc91127f545
dba8703d66f5b7f1ae91237503d371e6333df9708d78c4fb8a8386c8ff09dc49
af768b23179deab78d96490a66d5724fb33900c60799d9872fac6da3bdb89043
d67c2a05414ce331b5b8f1ed8ff7138f45905db2c4d5bc8045ab372bff142631
610a7e0f677b7e9b0bc73adefdcee16d9d5d284c616abeab5d8c291ce0
Figure 16: Signed and Encrypted CWT as Hex String
16(
[
/ protected / << {
/ alg / 1: 10 / AES-CCM-16-64-128 /
} >>,
/ unprotected / {
/ kid / 4: h'53796d6d6574726963313238' / 'Symmetric128' /,
/ iv / 5: h'4a0694c0e69ee6b5956655c7b2'
},
/ ciphertext / h'f6b0914f993de822cc47e5e57a188d7960b528a7474
46fe12f0e7de05650dec74724366763f167a29c002d
fd15b34d8993391cf49bc91127f545dba8703d66f5b
7f1ae91237503d371e6333df9708d78c4fb8a8386c8
ff09dc49af768b23179deab78d96490a66d5724fb33
900c60799d9872fac6da3bdb89043d67c2a05414ce3
31b5b8f1ed8ff7138f45905db2c4d5bc8045ab372bf
f142631610a7e0f677b7e9b0bc73adefdcee16d9d5d
284c616abeab5d8c291ce0'
]
)
Figure 17: Signed and Encrypted CWT in CBOR Diagnostic Notation