Fix P-521 ECDSA verification and add curve coverage tests (#1956)

* Fix P-521 curve name typo and signature length check in ECDSA verifier

hashForCurve matched "P-512" instead of "P-521", making the P-521 path
unreachable. verifyECDSASignature used hash length (64 for SHA-512) to
determine signature component size, but P-521 COSE signatures use 66-byte
components (ceil(521/8)). Derive component size from the curve order instead.

Add verify_test.go with sign/verify roundtrips for all four NIST curves,
rejection tests (wrong key, wrong payload, tampered sig, wrong length,
DER format), and an explicit test proving P-521 key size != hash size.

* Add COSE Sign1 verification tests against RFC 8152 / cose-wg vectors

Verify the ECDSA signature pipeline (CBOR parse, Sig_structure build,
verifyECDSASignature) against official test vectors from the COSE Working
Group Examples repository (normative suite for RFC 9052/9053):

- ES256: RFC 8152 Appendix C.2.1 (sign-pass-03)
- ES384: ecdsa-sig-02
- ES512: ecdsa-sig-03 (exercises the P-521 fix from previous commit)
- Tampered payload: sign-fail-02
- Modified protected header: sign-fail-06
- Wrong key: valid ES256 vector verified with P-384 key

* Address review: reuse curveKeySize in test, use ecdsa.SignASN1 for DER test

Author: nadahalli

pkg/teeattestation/nitro/verify.go

@@ -220,14 +220,27 @@ func parseCertificateChain(doc *attestationDocument) (*x509.Certificate, *x509.C
 	return leafCert, intermediates, nil
 }
 
+// curveKeySize returns the byte length of one ECDSA signature component
+// (r or s) for the given curve: ceil(bitSize / 8). This is the correct
+// size per RFC 9053 section 2.1, and differs from the hash length for P-521
+// (key component = 66 bytes, hash = 64 bytes).
+func curveKeySize(publicKey *ecdsa.PublicKey) int {
+	return (publicKey.Curve.Params().BitSize + 7) / 8
+}
+
 func verifyECDSASignature(publicKey *ecdsa.PublicKey, sigStructure, signature []byte) bool {
+	keySize := curveKeySize(publicKey)
+	if len(signature) != 2*keySize {
+		return false
+	}
+
 	hash, ok := hashForCurve(publicKey, sigStructure)
-	if !ok || len(signature) != 2*len(hash) {
+	if !ok {
 		return false
 	}
 
-	r := new(big.Int).SetBytes(signature[:len(hash)])
-	s := new(big.Int).SetBytes(signature[len(hash):])
+	r := new(big.Int).SetBytes(signature[:keySize])
+	s := new(big.Int).SetBytes(signature[keySize:])
 	return ecdsa.Verify(publicKey, hash, r, s)
 }
 
@@ -242,7 +255,7 @@ func hashForCurve(publicKey *ecdsa.PublicKey, sigStructure []byte) ([]byte, bool
 	case "P-384":
 		sum := sha512.Sum384(sigStructure)
 		return sum[:], true
-	case "P-512":
+	case "P-521":
 		sum := sha512.Sum512(sigStructure)
 		return sum[:], true
 	default: