Lack of deterministically encoded headers

[kentakayama]

Some applications require encoded cose binaries to be deterministically encoded.
As the protected header is fed into Sig_structure, Enc_structure and MAC_structure, reordering it may result authentication failure.
It is better to support deterministic encoding on protected and unprotected headers.

Background

Section 4.2.1 of RFC 8949 defines core deterministic encoding.

Since python 3.7+, the dictionaries are ordered by default, for example,

>>> d = {1: 1, 4: 4, 2: 2}
{1: 1, 4: 4, 2: 2}
>>> d[3] = 3
{1: 1, 4: 4, 2: 2, 3: 3}

Current python-cwt behavior

This leads python-cwt generated headers like

import cbor2
from cwt import COSE, COSEKey

sign_key = COSEKey.from_jwk({
    "kty": "EC",
    "alg": "ES256",
    "crv": "P-256",
    "x": "usWxHK2PmfnHKwXPS54m0kTcGJ90UiglWiGahtagnv8",
    "y": "IBOL-C3BttVivg-lSreASjpkttcsz-1rb7btKLv8EX4",
    "d": "V8kgd2ZBRuh2dgyVINBUqpPDr7BOMGcF22CQMIUHtNM",
})

ctx = COSE.new(alg_auto_inclusion=True)
encoded = ctx.encode_and_sign(
    payload=b'a',
    key=sign_key,
    protected={"kid": "11"},
)
bstr_encoded_p = cbor2.loads(encoded).value[0]
encoded_p = cbor2.loads(bstr_encoded_p)
print(encoded_p)

displays {4: b'11', 1: -7}, which is not deterministically encoded (keys are not sorted in the bytewise lexicographic order).