wolfSSL releases a new product: wolfCOSE, a zero-alloc embedded C COSE stack

Recorded: May 30, 2026, 10:02 p.m.

GitHub - wolfSSL/wolfCOSE: A fast, portable, and lightweight COSE + CBOR implementation for embedded systems. Supports PQC, FIPS 140-3, DO-178, and MISRA C. Powered by wolfSSL. · GitHub

wolfCOSE
wolfCOSE is a lightweight C library implementing CBOR (RFC 8949) and COSE (RFC 9052/9053) using wolfSSL as the crypto backend.
Main Features

Complete RFC 9052 message set: all six COSE message types, including multi-signer COSE_Sign and multi-recipient COSE_Encrypt / COSE_Mac
Post-quantum signing: ML-DSA (Dilithium) at all three security levels
40 algorithms across signing, encryption, MAC, and key distribution
Zero dynamic allocation: all operations use caller-provided buffers
Tiny footprint: 7.5 KB .text minimal build (Sign1+ECC), 25.6 KB full (40 algorithms), zero .data/.bss
Full COSE lifecycle in ~<1KB RAM (excluding wolfCrypt internals)
Path to FIPS 140-3 via wolfCrypt FIPS Certificate #4718 (sole crypto dependency)

Supported Algorithms
Signing: ES256, ES384, ES512, EdDSA (Ed25519/Ed448), PS256/384/512, ML-DSA-44/65/87
Encryption: AES-GCM (128/192/256), ChaCha20-Poly1305, AES-CCM variants
MAC: HMAC-SHA256/384/512, AES-MAC
Key Distribution: Direct, AES Key Wrap, ECDH-ES+HKDF
COSE Message Types (RFC 9052)
wolfCOSE implements all RFC 9052 messages, in both single-actor and multi-actor variants:

| Message | RFC 9052 | API | Purpose |
|---|---|---|---|
| COSE_Sign1 | Sec. 4.2 | wc_CoseSign1_Sign / wc_CoseSign1_Verify | Single-signer signature |
| COSE_Sign | Sec. 4.1 | wc_CoseSign_Sign / wc_CoseSign_Verify | Multi-signer (independent signatures over the same payload) |
| COSE_Encrypt0 | Sec. 5.2 | wc_CoseEncrypt0_Encrypt / wc_CoseEncrypt0_Decrypt | Single-recipient AEAD |
| COSE_Encrypt | Sec. 5.1 | wc_CoseEncrypt_Encrypt / wc_CoseEncrypt_Decrypt | Multi-recipient (one ciphertext, many recipients via Direct / AES-KW / ECDH-ES) |
| COSE_Mac0 | Sec. 6.2 | wc_CoseMac0_Create / wc_CoseMac0_Verify | Single-recipient MAC |
| COSE_Mac | Sec. 6.1 | wc_CoseMac_Create / wc_CoseMac_Verify | Multi-recipient MAC (shared MAC key, distributed to recipients) |
| COSE_Key / COSE_KeySet | Sec. 7 | wc_CoseKey_Encode / wc_CoseKey_Decode | Key serialization for all key types |
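
For COSE_Sign1, the bytes that get signed are the Sig_structure of RFC 9052 Sec. 4.4, and the "caller-provided buffers" feature means it has to be serialized with explicit bounds checks. The following is an added example, not wolfCOSE's code or API: the names cbor_out, put_head, put_str and cose_sig1_tbs are hypothetical, lengths are limited to 16 bits, and the sample input is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical bounded writer (not a wolfCOSE type): the caller owns buf. */
typedef struct { uint8_t *buf; size_t cap, len; int err; } cbor_out;

/* CBOR head: major type plus length argument (RFC 8949 Sec. 3). */
static void put_head(cbor_out *o, uint8_t major, size_t n)
{
    uint8_t h[3]; size_t hl;
    if (n > 0xFFFFu) { o->err = 1; return; } /* example limit: 16-bit lengths */
    if (n < 24u) { h[0] = (uint8_t)((major << 5) | n); hl = 1; }
    else if (n <= 0xFFu) { h[0] = (uint8_t)((major << 5) | 24u); h[1] = (uint8_t)n; hl = 2; }
    else { h[0] = (uint8_t)((major << 5) | 25u); h[1] = (uint8_t)(n >> 8); h[2] = (uint8_t)n; hl = 3; }
    if (o->err || o->cap - o->len < hl) { o->err = 1; return; } /* never write past cap */
    memcpy(o->buf + o->len, h, hl);
    o->len += hl;
}

/* Byte string (major 2) or text string (major 3), bounds-checked. */
static void put_str(cbor_out *o, uint8_t major, const void *p, size_t n)
{
    put_head(o, major, n);
    if (o->err || o->cap - o->len < n) { o->err = 1; return; }
    if (n != 0u) { memcpy(o->buf + o->len, p, n); }
    o->len += n;
}

/* ["Signature1", protected, external_aad, payload]; returns 0 if out is too small. */
size_t cose_sig1_tbs(uint8_t *out, size_t cap, const uint8_t *prot, size_t protLen,
                     const uint8_t *aad, size_t aadLen, const uint8_t *pl, size_t plLen)
{
    cbor_out o = { out, cap, 0, 0 };
    put_head(&o, 4, 4);               /* array of 4 items */
    put_str(&o, 3, "Signature1", 10); /* context string for COSE_Sign1 */
    put_str(&o, 2, prot, protLen);    /* serialized protected header */
    put_str(&o, 2, aad, aadLen);      /* external_aad, may be empty */
    put_str(&o, 2, pl, plLen);        /* payload */
    return o.err ? 0 : o.len;
}

int main(void)
{
    const uint8_t prot[] = { 0xA1, 0x01, 0x26 }; /* constructed: {1: -7}, alg = ES256 */
    uint8_t tbs[32];                             /* caller-provided, no heap */
    size_t n = cose_sig1_tbs(tbs, sizeof tbs, prot, sizeof prot, NULL, 0, (const uint8_t *)"hi", 2);
    return (n == 20u) ? 0 : 1;
}
```

A return value of 0 signals that the buffer was too small, so a caller never signs or verifies over a truncated structure.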

Prerequisites (wolfSSL)
wolfCOSE requires wolfSSL as its crypto backend. Minimum supported version: v5.8.0-stable (first release with the public wc_ForceZero symbol alongside the FIPS 204 final ML-DSA and context-aware wc_dilithium_*_ctx_msg APIs). Older 5.x releases can technically be supported but require source-level changes; contact wolfSSL for commercial support.
Choose a build configuration based on the algorithms you need.
Minimal Build (ECC + AES-GCM)
This gives you COSE Sign1 (ES256/384/512) and Encrypt0 (AES-GCM):
```sh
cd wolfssl
./autogen.sh
./configure --enable-ecc --enable-aesgcm \
    --enable-sha384 --enable-sha512 --enable-keygen
make && sudo make install
sudo ldconfig
```
Algorithms enabled: ES256, ES384, ES512, AES-GCM-128/192/256
Minimal Build (Post-Quantum / ML-DSA only)
For pure post-quantum signing with ML-DSA-44/65/87:
```sh
cd wolfssl
./autogen.sh
./configure --enable-cryptonly --enable-dilithium
make && sudo make install
sudo ldconfig
```
Algorithms enabled: ML-DSA-44, ML-DSA-65, ML-DSA-87
(SHAKE-128/256 are pulled in automatically by --enable-dilithium.)
Full Build (All Algorithms)
```sh
cd wolfssl
./autogen.sh
./configure --enable-ecc --enable-ed25519 --enable-ed448 \
    --enable-curve25519 --enable-aesgcm --enable-aesccm \
    --enable-sha384 --enable-sha512 --enable-keygen \
    --enable-rsapss --enable-chacha --enable-poly1305 \
    --enable-dilithium --enable-hkdf --enable-aeskeywrap
make && sudo make install
sudo ldconfig
```
Build
```sh
# Core library (libwolfcose.a)
make

# Run unit tests
make test

# Build and run CLI tool round-trip tests (all algorithms)
make tool-test

# Run lifecycle demo (11 algorithms)
make demo
```
Build Targets

| Target | Description |
|---|---|
| make all | Build libwolfcose.a (core library only) |
| make shared | Build libwolfcose.so |
| make test | Build + run CBOR and COSE unit tests |
| make tool | Build CLI tool (tools/wolfcose_tool) |
| make tool-test | Round-trip self-test for all 17 algorithms |
| make demo | Build + run lifecycle demo (11 algorithms) |
| make clean | Remove all build artifacts |

Quick Start
Examples
See examples/ for complete working code:

sign1_demo.c, encrypt0_demo.c, mac0_demo.c: algorithm demos
lifecycle_demo.c: full edge-to-cloud workflow
comprehensive/: algorithm matrix tests
scenarios/: firmware signing, attestation, fleet config

CI / Testing
Runs on every push and PR:

Build + Test: Ubuntu, macOS, GCC 10-14, Clang 14-18
Comprehensive Tests: ~240 algorithm combination tests
Static Analysis: cppcheck, Clang analyzer, GCC -fanalyzer
MISRA C 2012: cppcheck --addon=misra checking all wolfCOSE code paths
MISRA C 2023: strict GCC warnings and clang-tidy (bugprone-*, cert-*, clang-analyzer-*, misc-*)
Coverity Scan: nightly defect analysis
Advanced Internal Static Analysis: Fenrir wolfssl advanced static analysis tools
Code Coverage: 99.3% for wolfcose.c, 100% for wolfcose_cbor.c

```sh
make coverage                # Run tests with gcov
make coverage-force-failure  # Include crypto failure path testing
```

Documentation
Full documentation is available in the Wiki:

Getting Started: Build instructions and first steps
Message Types: All six RFC 9052 messages (Sign1, Sign, Encrypt0, Encrypt, Mac0, Mac) with code samples
Algorithms: Complete list of 40 supported algorithms with COSE IDs
API Reference: Function signatures, data structures, error codes
Macros: Compile-time configuration options
Testing: Test infrastructure, coverage, and failure injection
MISRA Compliance: MISRA C:2012 and C:2023 compliance status and deviation rationale
Project Structure: Source file layout

Blogs
Blogs and updates can be found here:
wolfCOSE Blogs
License
wolfCOSE is free software licensed under the GPLv3.
Copyright (C) 2026 wolfSSL Inc.
Support

Note: While wolfCOSE is currently maintained by wolfSSL developers, it is not yet classified as an officially supported product. It was designed from the ground up to meet the same quality standards as the rest of the wolfSSL suite, with future adoption in mind. We are eager to transition this to a fully supported product as demand grows; if your organization requires official support, has specific feature requirements, or you just have general questions or need guidance with the product, please reach out.

For commercial licensing, professional support contracts, or to discuss moving wolfCOSE into your production environment, contact wolfSSL.

wolfCOSE is a lightweight C library designed for embedded systems that provides an implementation of the CBOR standard (RFC 8949) coupled with the COSE messaging protocol (RFC 9052/9053), utilizing wolfSSL as its underlying cryptographic backend. The core philosophy of wolfCOSE is to deliver high-security cryptographic functionality in a portable and minimal footprint suitable for constrained environments, supporting stringent security requirements such as FIPS 140-3, DO-178, and MISRA C compliance. The library achieves this goal through a design principle emphasizing zero dynamic allocation for all operations, ensuring efficiency and predictability.

The implementation encompasses the complete set of COSE message types defined in RFC 9052, covering both single-actor and multi-actor scenarios. This includes functions for single-signer signatures (COSE_Sign1), multi-signer signatures (COSE_Sign), single-recipient authenticated encryption (COSE_Encrypt0), multi-recipient encryption methods leveraging direct, AES Key Wrap, or ECDH-ES key distribution (COSE_Encrypt), single-recipient message authentication codes (COSE_Mac0), and multi-recipient MAC functionality (COSE_Mac). Furthermore, it provides mechanisms for key serialization and encoding through COSE_Key and COSE_KeySet.

Cryptographically, wolfCOSE supports a broad spectrum of algorithms across signing, encryption, MAC, and key distribution. This includes established schemes like ES256, ES384, ES512, EdDSA, PS256/384/512, and AEAD modes such as AES-GCM and ChaCha20-Poly1305, alongside post-quantum capabilities via ML-DSA (Dilithium) at various security levels. The library is engineered to support forty distinct algorithms in total.

The library's reliance on wolfSSL dictates a specific prerequisite: the minimum supported version is v5.8.0-stable, particularly noting the introduction of context-aware APIs for Post-Quantum cryptography within wolfSSL. The build process is configurable based on required features. A minimal build focuses on ECC and AES-GCM operations, supporting COSE Sign1 and Encrypt0. A post-quantum focused build allows for the implementation of ML-DSA algorithms, while a full build enables all supported algorithms.

The project provides a comprehensive set of build targets, including specific configurations for the core library, shared libraries, unit tests, and command-line tools. These targets facilitate the execution of round-trip tests across all supported algorithms and a full lifecycle demonstration. The testing methodology is highly rigorous, incorporating continuous integration processes that enforce static analysis using tools like cppcheck and Clang analyzer, adherence to MISRA C standards across all code paths (C:2012 and C:2023), and advanced defect analysis through tools like Coverity Scan. This systematic approach ensures high code coverage, evidenced by results up to 100% for the core code modules.

Ultimately, the wolfCOSE implementation is positioned as a fast, portable, and lightweight solution for cryptographic operations in embedded systems, balancing advanced security features—including post-quantum cryptography and FIPS 140-3 considerations—with the constraints of resource-limited hardware. wolfCOSE is provided under the GPLv3 license, and while currently developed by wolfSSL, the project aims for future adoption within the broader wolfSSL ecosystem.