Per the COSE spec, "When present, this parameter MUST be placed in the protected header bucket."
Currently, messages with HeaderLabelCritical in UnprotectedHeaders are marshaled and unmarshaled without error. The implementation should validate that the value is found only in the Protected headers.
- From Trail of Bits audit report
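One way to express the validation the finding asks for, as an added example that is not go-cose's own code. `validateCrit`, `lookup` and the error values are hypothetical names, the headers are modeled as plain `map[any]any`, and the sample headers are constructed. It goes slightly beyond the finding by also enforcing the spec's rule that the crit array has at least one value.

```go
package main

import (
	"errors"
	"fmt"
)

// labelCritical is the COSE "crit" label (2); go-cose names it HeaderLabelCritical.
const labelCritical int64 = 2

var (
	errCritUnprotected = errors.New("crit header parameter in unprotected bucket")
	errCritEmpty       = errors.New("crit header parameter must be a non-empty array")
)

// lookup finds an integer label whether it was stored as int or int64,
// since a map[any]any treats the two key types as distinct keys.
func lookup(h map[any]any, label int64) (any, bool) {
	if v, ok := h[label]; ok {
		return v, true
	}
	v, ok := h[int(label)]
	return v, ok
}

// validateCrit is a hypothetical helper meant to run on both marshal and unmarshal.
func validateCrit(protected, unprotected map[any]any) error {
	// crit is only meaningful when integrity protected; reject it anywhere else.
	if _, ok := lookup(unprotected, labelCritical); ok {
		return errCritUnprotected
	}
	// If present in the protected bucket, it must be an array with at least one label.
	if v, ok := lookup(protected, labelCritical); ok {
		if labels, isArr := v.([]any); !isArr || len(labels) == 0 {
			return errCritEmpty
		}
	}
	return nil
}

func main() {
	// Constructed sample headers: alg (label 1) = ES256 (-7), crit lists label 42.
	good := map[any]any{int64(1): int64(-7), labelCritical: []any{int64(42)}, int64(42): "x"}
	bad := map[any]any{int(2): []any{int64(42)}} // crit smuggled in as an int key
	fmt.Println(validateCrit(good, map[any]any{}))
	fmt.Println(validateCrit(map[any]any{int64(1): int64(-7)}, bad))
}
```

Checking both key types matters because a decoder or caller may store label 2 as `int` rather than `int64`, and a lookup on only one type would miss it.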