311 cbor tag (#316)

* remove cose_sign1 tag from examples

* add text requiring support for untagged CWT form

* tweak language around CBOR tag

* further update to language

* further tweak

* Update draft-ietf-oauth-status-list.md

* Update draft-ietf-oauth-status-list.md

---------

Co-authored-by: Tobias Looker <[email protected]>
Co-authored-by: Paul Bastian <[email protected]>

Author: 3 people

draft-ietf-oauth-status-list.md

@@ -445,7 +445,7 @@ The following is a non-normative example of a Status List Token in JWT format:
 
 ## Status List Token in CWT Format {#status-list-token-cwt}
 
-The Status List Token MUST be encoded as a "CBOR Web Token (CWT)" according to {{RFC8392}}.
+The Status List Token MUST be encoded as a "CBOR Web Token (CWT)" according to {{RFC8392}}. The Status List Token MUST not be tagged with the tags defined in section 6 of {{RFC8392}} or in section 2 of {{RFC9052}}.
 
 The following content applies to the protected header of the CWT:
 
@@ -463,11 +463,11 @@ The following additional rules apply:
 
 1. The CWT MAY contain other claims.
 
-2. The CWT MUST be secured using a cryptographic signature or MAC algorithm. Relying Parties MUST reject CWTs with an invalid signature.
+1. The CWT MUST be secured using a cryptographic signature or MAC algorithm. Relying Parties MUST reject CWTs with an invalid signature.
 
-3. Relying Parties MUST reject CWTs that are not valid in all other respects per "CBOR Web Token (CWT)" {{RFC8392}}.
+1. Relying Parties MUST reject CWTs that are not valid in all other respects per "CBOR Web Token (CWT)" {{RFC8392}}.
 
-4. Application of additional restrictions and policies are at the discretion of the Relying Party.
+1. Application of additional restrictions and policies are at the discretion of the Relying Party.
 
 The following is a non-normative example of a Status List Token in CWT format in Hex:
 
@@ -1968,6 +1968,7 @@ CBOR encoding:
 
 -14
 
+* remove cose_sign1 tag from statuslist in cwt form examples
 * slightly restructure/clarify referenced token cose section
 * Add ASN.1 module
 

src/requirements.txt

@@ -2,6 +2,6 @@
 git+https://github.com/wbond/oscrypto.git@1547f535001ba568b239b8797465536759c742a3
 # Normal dependencies
 jwcrypto==1.5.6
-cbor2==5.6.2
-cwt==2.7.4
+cbor2==5.7.1
+cwt==3.2.0
 py_markdown_table==1.3.0

src/status_token.py

@@ -1,8 +1,8 @@
 import json
-from datetime import datetime, timedelta
+from datetime import UTC, datetime, timedelta
 from typing import Dict
 
-from cbor2 import dumps
+from cbor2 import CBORTag, dumps
 from cwt import COSE, COSEHeaders, COSEKey, CWTClaims
 from jwcrypto import jwk, jwt
 
@@ -77,7 +77,7 @@ def get(self, pos: int) -> int:
 
     def buildJWT(
         self,
-        iat: datetime = datetime.utcnow(),
+        iat: datetime = datetime.now(UTC),
         exp: datetime | None = None,
         ttl: timedelta | None = None,
         optional_claims: Dict | None = None,
@@ -115,7 +115,7 @@ def buildJWT(
 
     def buildCWT(
         self,
-        iat: datetime = datetime.utcnow(),
+        iat: datetime = datetime.now(UTC),
         exp: datetime | None = None,
         ttl: timedelta | None = None,
         optional_claims: Dict | None = None,
@@ -158,10 +158,12 @@ def buildCWT(
         # The sender side:
         sender = COSE.new()
         encoded = sender.encode(
-            dumps(claims),
-            key,
+            payload=dumps(claims),
+            key=key,
             protected=protected_header,
             unprotected=unprotected_header,
         )
 
+        # removes cose_sign1 tag (only 1 byte long for tag 18)
+        encoded = encoded[1:]
         return encoded