
Commit db4eb31

committed
Merge branch 'main' of https://github.com/IdentityPython/pyMDOC-CBOR into dev
2 parents b1a0f94 + 367d0f1 commit db4eb31


4 files changed

+25
-5
lines changed


README.md

Lines changed: 21 additions & 0 deletions
@@ -189,6 +189,27 @@ mdoc.disclosure_map
189189
>> ... dictionary containing all the disclosed attributes ...
190190
````
191191

192+
### Verify with Certificate Chain and Element Hashes
193+
194+
For production use, verify both the X.509 certificate chain and element hashes:
195+
196+
````python
197+
# skip in doc examples (requires your_ca_cert.pem and device_response_bytes)
198+
from pymdoccbor.mdoc.verifier import MdocCbor
199+
from cryptography import x509
200+
from cryptography.hazmat.backends import default_backend
201+
202+
# Load trusted root certificates
203+
with open('your_ca_cert.pem', 'rb') as f:
204+
iaca_cert = x509.load_pem_x509_certificate(f.read(), default_backend())
205+
206+
mdoc = MdocCbor()
207+
mdoc.loads(device_response_bytes)
208+
is_valid = mdoc.verify(trusted_root_certs=[iaca_cert], verify_hashes=True)
209+
````
210+
211+
For complete documentation on certificate chain verification and hash verification, see [docs/CERTIFICATE-CHAIN-VERIFICATION.md](docs/CERTIFICATE-CHAIN-VERIFICATION.md).
212+
192213
### Verify the Mobile Security Object
193214

194215
````

pymdoccbor/mso/verifier.py

Lines changed: 2 additions & 3 deletions
@@ -1,5 +1,7 @@
11
# Aligns with https://github.com/eu-digital-identity-wallet/pyMDOC-CBOR
2+
import hashlib
23
import logging
4+
from datetime import datetime, timezone
35
from typing import Union
46

57
import cbor2
@@ -163,7 +165,6 @@ def attest_public_key(self, trusted_root_certs: list = None):
163165
raise ValueError("DS certificate not signed by any trusted root")
164166

165167
# Verify certificate validity dates
166-
from datetime import datetime, timezone
167168
now = datetime.now(timezone.utc)
168169

169170
if ds_cert.not_valid_before_utc > now:
@@ -228,8 +229,6 @@ def verify_element_hashes(self, namespaces: dict) -> dict:
228229
Returns:
229230
dict: Results with 'valid' (bool), 'total' (int), 'verified' (int), 'failed' (list)
230231
"""
231-
import hashlib
232-
233232
mso_data = self.payload_as_dict
234233
value_digests = mso_data.get('valueDigests', {})
235234

pymdoccbor/tests/test_09_errors_field.py

Lines changed: 2 additions & 2 deletions
@@ -5,6 +5,8 @@
55
an 'errors' field describing which elements were not available.
66
"""
77

8+
import cbor2
9+
810
from pymdoccbor.mdoc.issuer import MdocCborIssuer
911
from pymdoccbor.mdoc.verifier import MobileDocument
1012
from pymdoccbor.tests.cert_data import CERT_DATA
@@ -103,7 +105,6 @@ def test_mobile_document_dump_with_errors():
103105
assert isinstance(dump, bytes)
104106

105107
# Decode and verify errors field is present
106-
import cbor2
107108
decoded = cbor2.loads(dump)
108109
# The dump is wrapped in a CBORTag, so we need to access .value
109110
if hasattr(decoded, 'value'):
@@ -138,7 +139,6 @@ def test_mobile_document_dump_without_errors():
138139
assert isinstance(dump, bytes)
139140

140141
# Decode and verify errors field is NOT present
141-
import cbor2
142142
decoded = cbor2.loads(dump)
143143
if hasattr(decoded, 'value'):
144144
decoded = decoded.value
