KeyToCose()
Converts a cryptographic key to COSE (CBOR Object Signing and Encryption) format — the key representation used by WebAuthn/passkeys and other CBOR-based protocols. Useful for generating test authenticator responses or interoperating with systems that expect COSE keys.
Accepts a key pair struct, PEM string, or Java key object. Supports EC (P-256, P-384, P-521) and Ed25519 keys.
Requires Extension: Crypto Extension
KeyToCose( key=any );
Returns: Struct
| Argument | Description |
|---|---|
|
key
any,
required
|
edit
Key to convert: PublicKey, PrivateKey, PEM string, or key pair struct from GenerateKeyPair() |
Usage Notes
editInput types: Accepts a key pair struct (from GenerateKeyPair()), a PEM string, or a Java key object. If you pass a key pair with both public and private keys, the COSE output includes the private key material in key -4.
Struct keys: The returned struct uses string keys like "1", "-1", "-2" because CFML struct keys are always strings. CborEncode() converts these back to CBOR integer keys when encoding to wire format.
Supported key types: EC (P-256, P-384, P-521) and Ed25519. RSA keys are not supported in COSE format.
Primary use case: Generating test authenticator data for WebAuthn integration tests, or interoperating with systems that use COSE keys (CWT tokens, COSE_Sign1 messages).
Examples
edit// Convert an EC key pair to COSE (includes private key material)
keyPair = GenerateKeyPair( "P-256" );
cose = KeyToCose( keyPair );
// cose["1"] == 2 (kty: EC), cose["3"] == -7 (alg: ES256)
// cose["-1"] == 1 (crv: P-256), cose["-2"] and cose["-3"] are binary coords
// cose["-4"] is the private key (binary)
// Convert just the public key (no private material)
cose = KeyToCose( keyPair.public );
// Same as above but without cose["-4"]
// Ed25519 keys
edKp = GenerateKeyPair( "Ed25519" );
cose = KeyToCose( edKp );
// cose["1"] == 1 (kty: OKP), cose["3"] == -8 (alg: EdDSA)
// cose["-1"] == 6 (crv: Ed25519), cose["-2"] is the x coordinate
// Encode the COSE struct to CBOR binary (for sending over the wire)
cborBytes = CborEncode( cose );
// Useful for testing: generate a fake authenticator response
cose = KeyToCose( keyPair );
coseBytes = CborEncode( cose );
// Use coseBytes as the credential public key in test authenticator data
// Roundtrip: KeyToCose then CoseToKey gets you back a working key
keys = CoseToKey( cose );
sig = GenerateSignature( "test", keyPair.private );
isValid = VerifySignature( "test", sig, keys.public ); // true
See also
- Cryptography
- CborEncode()
- CoseToKey()
- GenerateKeyPair()
- KeyToJwk()
- Search Issue Tracker open_in_new
- Search Lucee Test Cases open_in_new (good for further, detailed examples)