Verify location of alg and crit header parameters #94

Open
letmaik opened this issue Nov 6, 2022 · 0 comments
Labels
bug Something isn't working cose attributes Issue related to COSE attributes

Collaborator

letmaik commented Nov 6, 2022

COSE requires that alg must be authenticated (external_aad or protected header) and crit must be in the protected header. pycose reads both parameters from the unprotected header if missing in the protected header.

```python
def verify_signature(self, *args, **kwargs) -> bool:
    """
    Verifies the signature of a received COSE message.
    :returns: True for a valid signature or False for an invalid signature
    """
    alg = self.get_attr(headers.Algorithm)
    self._key_verification(alg, VerifyOp)
    return alg.verify(key=self.key, data=self._sig_structure, signature=self.signature)
```

```python
def get_attr(self, attribute: Type[CoseHeaderAttribute], default: Any = None) -> Optional[Any]:
    """
    Fetches an header attribute from the COSE header buckets.
    :param attribute: A header parameter to fetch from the buckets.
    :param default: A default return value in case the attribute was not found
    :raise CoseException: When the same attribute is found in both the protected and unprotected header.
    :returns: If found returns a header attribute else 'None' or the default value
    """
    p_attr = self._phdr.get(attribute, default)
    u_attr = self._uhdr.get(attribute, default)
    if p_attr is not None and u_attr is not None:
        raise CoseException("MALFORMED: different values for the same header parameters in the header buckets")
    if p_attr is not None:
        return p_attr
    else:
        return u_attr
```

The get_attr method should be extended to check whether a parameter is required to be in the protected bucket. This requires another field in the attribute class.

@letmaik letmaik added bug Something isn't working cose attributes Issue related to COSE attributes labels Nov 6, 2022
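A sketch of the check the issue proposes, added here as an illustration and not pycose code: the `HeaderParam` class, its `placement` field, and the `externally_authenticated` argument (the caller's declaration that a parameter is covered by external_aad) are hypothetical names, and plain dicts stand in for the two header buckets.

```python
from dataclasses import dataclass
from typing import Any, FrozenSet, Mapping


class CoseException(Exception):
    """Local stand-in so the example runs without pycose installed."""


@dataclass(frozen=True)
class HeaderParam:
    """Hypothetical attribute model; `placement` is the extra field."""
    label: int
    name: str
    placement: str = "any"  # "any" | "authenticated" | "protected"


ALG = HeaderParam(1, "alg", placement="authenticated")
CRIT = HeaderParam(2, "crit", placement="protected")
KID = HeaderParam(4, "kid")


def get_attr(phdr: Mapping[HeaderParam, Any],
             uhdr: Mapping[HeaderParam, Any],
             attribute: HeaderParam,
             default: Any = None,
             externally_authenticated: FrozenSet[HeaderParam] = frozenset()) -> Any:
    """Fetch a parameter, refusing unprotected values where placement forbids them."""
    p_attr = phdr.get(attribute)
    u_attr = uhdr.get(attribute)
    if p_attr is not None and u_attr is not None:
        raise CoseException(f"MALFORMED: {attribute.name} present in both header buckets")
    if p_attr is not None:
        return p_attr
    if u_attr is None:
        # The default is applied only when neither bucket carries the parameter.
        return default
    # From here on the value comes from the unprotected bucket only.
    if attribute.placement == "protected":
        raise CoseException(f"{attribute.name} must be in the protected header")
    if (attribute.placement == "authenticated"
            and attribute not in externally_authenticated):
        raise CoseException(f"{attribute.name} is not authenticated (unprotected header only)")
    return u_attr
```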