├── .github └── workflows │ ├── python-app.yml │ └── python-publish.yml ├── .gitignore ├── LICENSE ├── README.md ├── docs ├── CREATE-MSO.md ├── DIAGN-VALIDATE.md ├── MSO.md └── NOTES_ON_KEYS.md ├── examples └── it_data_model.py ├── linting.sh ├── pymdoccbor ├── __init__.py ├── exceptions.py ├── mdoc │ ├── __init__.py │ ├── exceptions.py │ ├── issuer.py │ ├── issuersigned.py │ └── verifier.py ├── mso │ ├── __init__.py │ ├── issuer.py │ └── verifier.py ├── settings.py ├── tests │ ├── __init__.py │ ├── certs │ │ ├── README.md │ │ ├── fake-cert.cnf │ │ ├── fake-cert.pem │ │ ├── fake-private-key.pem │ │ └── fake-request.csr │ ├── micov_data.py │ ├── pid_data.py │ ├── pkey.py │ ├── test_01_mdoc_parser.py │ ├── test_02_mdoc_issuer.py │ ├── test_03_mdoc_issuer.py │ ├── test_04_issuer_signed.py │ ├── test_05_mdoc_verifier.py │ ├── test_06_mso_issuer.py │ ├── test_07_mso_verifier.py │ └── test_08_mdoc_cbor.py ├── tools.py └── x509.py ├── requirements-dev.txt └── setup.py /.github/workflows/python-app.yml: -------------------------------------------------------------------------------- 1 | # This workflow will install Python dependencies, run tests and lint with a single version of Python 2 | # For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions 3 | 4 | name: pymdoccbor 5 | 6 | on: 7 | push: 8 | branches: [ "*" ] 9 | pull_request: 10 | branches: [ "*" ] 11 | 12 | jobs: 13 | build: 14 | 15 | runs-on: ubuntu-22.04 16 | 17 | strategy: 18 | fail-fast: false 19 | matrix: 20 | python-version: 21 | - '3.10' 22 | - "3.11" 23 | - "3.12" 24 | 25 | steps: 26 | - uses: actions/checkout@v2 27 | - name: Set up Python ${{ matrix.python-version }} 28 | uses: actions/setup-python@v2 29 | with: 30 | python-version: ${{ matrix.python-version }} 31 | - name: Install system package 32 | run: | 33 | sudo apt update 34 | sudo apt install python3-dev libssl-dev libffi-dev make automake gcc g++ 35 | - name: Install dependencies 36 | run: | 37 | python -m pip install --upgrade pip 38 | if [ -f requirements-dev.txt ]; then pip install -r requirements-dev.txt; fi 39 | if [ -f requirements.txt ]; then pip install -r requirements.txt; fi 40 | if [ -f requirements-customizations.txt ]; then pip install -r requirements-customizations.txt; fi 41 | python -m pip install -U setuptools 42 | python -m pip install -e . 43 | - name: Lint with flake8 44 | run: | 45 | # stop the build if there are Python syntax errors or undefined names 46 | flake8 pymdoccbor --count --select=E9,F63,F7,F82 --show-source --statistics 47 | # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide 48 | flake8 pymdoccbor --count --exit-zero --statistics --max-line-length 160 49 | - name: Tests 50 | run: | 51 | pytest --cov 52 | - name: Bandit Security Scan 53 | run: | 54 | bandit -r -x pymdoccbor/test* pymdoccbor/* 55 | -------------------------------------------------------------------------------- /.github/workflows/python-publish.yml: -------------------------------------------------------------------------------- 1 | # This workflow will upload a Python Package to PyPI when a release is created 2 | # For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-package-registries 3 | 4 | # This workflow uses actions that are not certified by GitHub. 5 | # They are provided by a third-party and are governed by 6 | # separate terms of service, privacy policy, and support 7 | # documentation. 8 | 9 | name: Upload Python Package 10 | 11 | on: 12 | release: 13 | types: [published] 14 | 15 | permissions: 16 | contents: read 17 | 18 | jobs: 19 | release-build: 20 | runs-on: ubuntu-latest 21 | 22 | steps: 23 | - uses: actions/checkout@v4 24 | 25 | - uses: actions/setup-python@v5 26 | with: 27 | python-version: "3.x" 28 | 29 | - name: Build release distributions 30 | run: | 31 | # NOTE: put your own distribution build steps here. 32 | python -m pip install build 33 | python -m build 34 | 35 | - name: Upload distributions 36 | uses: actions/upload-artifact@v4 37 | with: 38 | name: release-dists 39 | path: dist/ 40 | 41 | pypi-publish: 42 | runs-on: ubuntu-latest 43 | needs: 44 | - release-build 45 | permissions: 46 | # IMPORTANT: this permission is mandatory for trusted publishing 47 | id-token: write 48 | 49 | # Dedicated environments with protections for publishing are strongly recommended. 50 | # For more information, see: https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules 51 | environment: 52 | name: pypi 53 | # OPTIONAL: uncomment and update to include your PyPI project URL in the deployment status: 54 | # url: https://pypi.org/p/YOURPROJECT 55 | # 56 | # ALTERNATIVE: if your GitHub Release name is the PyPI project version string 57 | # ALTERNATIVE: exactly, uncomment the following line instead: 58 | # url: https://pypi.org/project/pymdoccbor/${{ github.event.release.name }} 59 | url: https://pypi.org/project/pymdoccbor 60 | 61 | steps: 62 | - name: Retrieve release distributions 63 | uses: actions/download-artifact@v4 64 | with: 65 | name: release-dists 66 | path: dist/ 67 | 68 | - name: Publish release distributions to PyPI 69 | uses: pypa/gh-action-pypi-publish@release/v1 70 | with: 71 | packages-dir: dist/ 72 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | share/python-wheels/ 24 | *.egg-info/ 25 | .installed.cfg 26 | *.egg 27 | MANIFEST 28 | 29 | # PyInstaller 30 | # Usually these files are written by a python script from a template 31 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 32 | *.manifest 33 | *.spec 34 | 35 | # Installer logs 36 | pip-log.txt 37 | pip-delete-this-directory.txt 38 | 39 | # Unit test / coverage reports 40 | htmlcov/ 41 | .tox/ 42 | .nox/ 43 | .coverage 44 | .coverage.* 45 | .cache 46 | nosetests.xml 47 | coverage.xml 48 | *.cover 49 | *.py,cover 50 | .hypothesis/ 51 | .pytest_cache/ 52 | cover/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | .pybuilder/ 76 | target/ 77 | 78 | # Jupyter Notebook 79 | .ipynb_checkpoints 80 | 81 | # IPython 82 | profile_default/ 83 | ipython_config.py 84 | 85 | # pyenv 86 | # For a library or package, you might want to ignore these files since the code is 87 | # intended to run in multiple environments; otherwise, check them in: 88 | # .python-version 89 | 90 | # pipenv 91 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 92 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 93 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 94 | # install all needed dependencies. 95 | #Pipfile.lock 96 | 97 | # poetry 98 | # Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. 99 | # This is especially recommended for binary packages to ensure reproducibility, and is more 100 | # commonly ignored for libraries. 101 | # https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control 102 | #poetry.lock 103 | 104 | # pdm 105 | # Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control. 106 | #pdm.lock 107 | # pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it 108 | # in version control. 109 | # https://pdm.fming.dev/#use-with-ide 110 | .pdm.toml 111 | 112 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm 113 | __pypackages__/ 114 | 115 | # Celery stuff 116 | celerybeat-schedule 117 | celerybeat.pid 118 | 119 | # SageMath parsed files 120 | *.sage.py 121 | 122 | # Environments 123 | .env 124 | .venv 125 | env/ 126 | venv/ 127 | ENV/ 128 | env.bak/ 129 | venv.bak/ 130 | 131 | # Spyder project settings 132 | .spyderproject 133 | .spyproject 134 | 135 | # Rope project settings 136 | .ropeproject 137 | 138 | # mkdocs documentation 139 | /site 140 | 141 | # mypy 142 | .mypy_cache/ 143 | .dmypy.json 144 | dmypy.json 145 | 146 | # Pyre type checker 147 | .pyre/ 148 | 149 | # pytype static type analyzer 150 | .pytype/ 151 | 152 | # Cython debug symbols 153 | cython_debug/ 154 | 155 | # PyCharm 156 | # JetBrains specific template is maintained in a separate JetBrains.gitignore that can 157 | # be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore 158 | # and can be added to the global gitignore or merged into this file. For a more nuclear 159 | # option (not recommended) you can uncomment the following to ignore the entire idea folder. 160 | #.idea/ 161 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # pyMDOC-CBOR 2 | 3 | Python parser and writer for EUDI Wallet MDOC CBOR for credential Type 1 and also or mDL use cases. 4 | 5 | > This project is an experimental proposal born for educational purposes. Please do not consider it as usable before the release 0.6.0. 6 | 7 | ## Specifications and Resources 8 | 9 | - [ISO 18013-5 - ISO-compliant driving licence — Mobile driving licence (mDL) application](https://www.iso.org/standard/69084.html) 10 | - [RFC 8949 - Concise Binary Object Representation (CBOR)](https://datatracker.ietf.org/doc/html/rfc8949) 11 | - [RFC 9052 - CBOR Object Signing and Encryption (COSE): Structures and Process](https://www.rfc-editor.org/rfc/rfc9052.html) 12 | - deprecates [RFC 8152 - CBOR Object Signing and Encryption (COSE)](https://datatracker.ietf.org/doc/html/rfc8152) 13 | - [IANA Registry - Concise Binary Object Representation (CBOR) Tags](https://www.iana.org/assignments/cbor-tags/cbor-tags.xhtml) 14 | 15 | COSE label 33 (x5chain) in MSO: 16 | 17 | - [RFC 9360 CBOR Object Signing and Encryption (COSE) - Header Parameters for Carrying and Referencing X.509 Certificates](https://www.rfc-editor.org/rfc/rfc9360.html) 18 | 19 | ## Scope 20 | 21 | pyMDOC-CBOR is a 22 | [cbor2](https://github.com/agronholm/cbor2) 23 | and 24 | [pycose](https://github.com/TimothyClaeys/pycose) 25 | wrapper that parses, creates and validates MDOC CBOR encoded binaries 26 | according to ISO 18013-5. 27 | 28 | ## Setup 29 | 30 | ```` 31 | pip install pymdoccbor 32 | ```` 33 | 34 | or 35 | 36 | ```` 37 | pip install git+https://github.com/peppelinux/pyMDOC-CBOR.git 38 | ```` 39 | 40 | ## Usage 41 | 42 | ### Issue an MDOC CBOR signed with HSM key 43 | 44 | ```` 45 | PID_DATA = { 46 | "eu.europa.ec.eudiw.pid.1": { 47 | "family_name": "Raffaello", 48 | "given_name": "Mascetti", 49 | "birth_date": "1922-03-13" 50 | } 51 | } 52 | 53 | mdoci = MdocCborIssuer( 54 | alg = 'ES256', 55 | kid = "demo-kid", 56 | hsm=True, 57 | key_label="p256-1", 58 | user_pin="1234", 59 | lib_path="/etc/utimaco/libcs2_pkcs11.so", 60 | slot_id=3 61 | ) 62 | 63 | mdoc = mdoci.new( 64 | doctype="eu.europa.ec.eudiw.pid.1", 65 | data=PID_DATA, 66 | # cert_path="app/keys/IACAmDLRoot01.der" # DS certificate 67 | ) 68 | 69 | ```` 70 | 71 | ### Issue an MDOC CBOR 72 | 73 | `MdocCborIssuer` must be initialized with a private key. 74 | The method `.new()` gets the user attributes, devicekeyinfo and doctype. 75 | 76 | ```` 77 | import os 78 | 79 | from pymdoccbor.mdoc.issuer import MdocCborIssuer 80 | 81 | PKEY = { 82 | 'KTY': 'EC2', 83 | 'CURVE': 'P_256', 84 | 'ALG': 'ES256', 85 | 'D': os.urandom(32), 86 | 'KID': b"demo-kid" 87 | } 88 | 89 | PID_DATA = { 90 | "eu.europa.ec.eudiw.pid.1": { 91 | "family_name": "Raffaello", 92 | "given_name": "Mascetti", 93 | "birth_date": "1922-03-13", 94 | "birth_place": "Rome", 95 | "birth_country": "IT" 96 | } 97 | } 98 | 99 | mdoci = MdocCborIssuer( 100 | private_key=PKEY, 101 | alg = "ES256" 102 | ) 103 | 104 | mdoc = mdoci.new( 105 | doctype="eu.europa.ec.eudiw.pid.1", 106 | data=PID_DATA, 107 | devicekeyinfo=PKEY, 108 | validity = {"issuance_date": "2025-01-17", "expiry_date": "2025-11-13" }, 109 | # cert_path="/path/" 110 | ) 111 | 112 | mdoc 113 | >> returns a python dictionay 114 | 115 | mdoc.dump() 116 | >> returns mdoc MSO bytes 117 | 118 | mdoci.dump() 119 | >> returns mdoc bytes 120 | 121 | mdoci.dumps() 122 | >> returns AF Binary mdoc string representation 123 | ```` 124 | 125 | ### Issue an MSO alone 126 | 127 | MsoIssuer is a class that handles private keys, data processing, digests and signature operations. 128 | 129 | The `disclosure_map` is used in the Mdoc `nameSpaces` object for issuance and presentations, 130 | it's carried in the mdoc but outside of the MSO, even if it is produced by `MsoIssuer`. 131 | that's why `MsoIssuer.sign()` returns a pure MSO, while `disclosure_map` 132 | is an attribute of the `MsoIssuer` instance. 133 | 134 | ```` 135 | import os 136 | from pymdoccbor.mso.issuer import MsoIssuer 137 | 138 | msoi = MsoIssuer( 139 | data = { 140 | "eu.europa.ec.eudiw.pid.1": { 141 | "family_name": "Raffaello", 142 | "given_name": "Mascetti", 143 | "birth_date": "1922-03-13" 144 | } 145 | }, 146 | private_key = { 147 | 'KTY': 'EC2', 148 | 'CURVE': 'P_256', 149 | 'ALG': 'ES256', 150 | 'D': os.urandom(32), 151 | 'KID': b"demo-kid" 152 | } 153 | ) 154 | 155 | mso = msoi.sign() 156 | ```` 157 | 158 | API usage: 159 | 160 | - `msoi.data`, user attributes to be encoded 161 | - `msoi.private_key`, COSEKey 162 | - `msoi.public_key`, COSEKey without `d` (for EC2Key) 163 | - `msoi.selfsigned_x509cert`, using the private and the public keys returns a self-signed x509 certificate 164 | - `msoi.hash_map`, digests that will be signed in the MSO 165 | - `msoi.disclosure_map`, disclosure objects grouped by namespaces 166 | - `msoi.sign`, signs the MSO and returns it 167 | 168 | ### [Presentation] Parse a binary MDocCBOR 169 | 170 | ```` 171 | from pymdoccbor.mdoc.verifier import MdocCbor 172 | ISSUED_MDOC="a36776657273696f6e63312e3069646f63756d656e747381a367646f6354797065756f72672e69736f2e31383031332e352e312e6d444c6c6973737565725369676e6564a26a6e616d65537061636573a1716f72672e69736f2e31383031332e352e3186d8185863a4686469676573744944006672616e646f6d58208798645b20ea200e19ffabac92624bee6aec63aceedecfb1b80077d22bfc20e971656c656d656e744964656e7469666965726b66616d696c795f6e616d656c656c656d656e7456616c756563446f65d818586ca4686469676573744944036672616e646f6d5820b23f627e8999c706df0c0a4ed98ad74af988af619b4bb078b89058553f44615d71656c656d656e744964656e7469666965726a69737375655f646174656c656c656d656e7456616c7565d903ec6a323031392d31302d3230d818586da4686469676573744944046672616e646f6d5820c7ffa307e5de921e67ba5878094787e8807ac8e7b5b3932d2ce80f00f3e9abaf71656c656d656e744964656e7469666965726b6578706972795f646174656c656c656d656e7456616c7565d903ec6a323032342d31302d3230d818586da4686469676573744944076672616e646f6d582026052a42e5880557a806c1459af3fb7eb505d3781566329d0b604b845b5f9e6871656c656d656e744964656e7469666965726f646f63756d656e745f6e756d6265726c656c656d656e7456616c756569313233343536373839d818590471a4686469676573744944086672616e646f6d5820d094dad764a2eb9deb5210e9d899643efbd1d069cc311d3295516ca0b024412d71656c656d656e744964656e74696669657268706f7274726169746c656c656d656e7456616c7565590412ffd8ffe000104a46494600010101009000900000ffdb004300130d0e110e0c13110f11151413171d301f1d1a1a1d3a2a2c2330453d4947443d43414c566d5d4c51685241435f82606871757b7c7b4a5c869085778f6d787b76ffdb0043011415151d191d381f1f38764f434f7676767676767676767676767676767676767676767676767676767676767676767676767676767676767676767676767676ffc00011080018006403012200021101031101ffc4001b00000301000301000000000000000000000005060401020307ffc400321000010303030205020309000000000000010203040005110612211331141551617122410781a1163542527391b2c1f1ffc4001501010100000000000000000000000000000001ffc4001a110101010003010000000000000000000000014111213161ffda000c03010002110311003f00a5bbde22da2329c7d692bc7d0d03f52cfb0ff75e7a7ef3e7709723a1d0dae146ddfbb3c039ce07ad2bd47a7e32dbb8dd1d52d6ef4b284f64a480067dfb51f87ffb95ff00eb9ff14d215de66af089ce44b7dbde9cb6890a2838eddf18078f7add62d411ef4db9b10a65d6b95a147381ea0d495b933275fe6bba75c114104a8ba410413e983dff004f5af5d34b4b4cde632d0bf1fd1592bdd91c6411f3934c2fa6af6b54975d106dcf4a65ae56e856001ebc03c7ce29dd9eef1ef10fc447dc9da76ad2aee93537a1ba7e4f70dd8eff0057c6dffb5e1a19854a83758e54528750946ec6704850cd037bceb08b6d7d2cc76d3317fc7b5cc04fb6707269c5c6e0c5b60ae549242123b0e493f602a075559e359970d98db89525456b51c951c8afa13ea8e98e3c596836783d5c63f5a61a99fdb7290875db4be88ab384bbbbbfc7183fdeaa633e8951db7da396dc48524fb1a8bd611a5aa2a2432f30ab420a7a6d3240c718cf031fa9ef4c9ad550205aa02951df4a1d6c8421b015b769db8c9229837ea2be8b1b0d39d0eba9c51484efdb8c0efd8d258daf3c449699f2edbd4584e7af9c64e3f96b9beb28d4ac40931e6478c8e76a24a825449501d867d2b1dcdebae99b9c752ae4ecd6dde4a179c1c1e460938f9149ef655e515c03919a289cb3dca278fb7bf177f4faa829dd8ce3f2ac9a7ecde490971fafd7dce15eed9b71c018c64fa514514b24e8e4f8c5c9b75c1e82579dc1233dfec08238f6add62d391acc1c5256a79e706d52d431c7a0145140b9fd149eb3a60dc5e88cbbc2da092411e9dc71f39a7766b447b344e847dcac9dcb5abba8d145061d43a6fcf1e65cf15d0e90231d3dd9cfe62995c6dcc5ca12a2c904a15f71dd27d451453e09d1a21450961cbb3ea8a956433b781f1ce33dfed54f0e2b50a2b71d84ed6db18028a28175f74fc6bda105c529a791c25c4f3c7a11f71586268f4a66b726e33de9ea6f1b52b181c760724e47b514520a5a28a283ffd9d81858ffa4686469676573744944096672616e646f6d58204599f81beaa2b20bd0ffcc9aa03a6f985befab3f6beaffa41e6354cdb2ab2ce471656c656d656e744964656e7469666965727264726976696e675f70726976696c656765736c656c656d656e7456616c756582a37576656869636c655f63617465676f72795f636f646561416a69737375655f64617465d903ec6a323031382d30382d30396b6578706972795f64617465d903ec6a323032342d31302d3230a37576656869636c655f63617465676f72795f636f646561426a69737375655f64617465d903ec6a323031372d30322d32336b6578706972795f64617465d903ec6a323032342d31302d32306a697373756572417574688443a10126a118215901d2308201ce30820174a003020102021401ec51916031e6898e8fc7864af5e6d5f86602b6300a06082a8648ce3d04030230233114301206035504030c0b75746f7069612069616361310b3009060355040613025553301e170d3230313030313030303030305a170d3231313030313030303030305a30213112301006035504030c0975746f706961206473310b30090603550406130255533059301306072a8648ce3d020106082a8648ce3d03010703420004ace7ab7340e5d9648c5a72a9a6f56745c7aad436a03a43efea77b5fa7b88f0197d57d8983e1b37d3a539f4d588365e38cbbf5b94d68c547b5bc8731dcd2f146ba38187308184301e0603551d120417301581136578616d706c65406578616d706c652e636f6d301c0603551d1f041530133011a00fa00d820b6578616d706c652e636f6d301d0603551d0e0416041414e29017a6c35621ffc7a686b7b72db06cd12351300e0603551d0f0101ff04040302078030150603551d250101ff040b3009060728818c5d050102300a06082a8648ce3d0403020348003045022100bac6f93a8bacf0fc9aeac1c89a5c9293af2076942e9e972882a113640330702702207b7b73c0444371a4c94c9c888ddfe553ffde84ca492fd64dfbf02ad46a31cbc85903a2d81859039da66776657273696f6e63312e306f646967657374416c676f726974686d675348412d3235366c76616c756544696765737473a2716f72672e69736f2e31383031332e352e31ad00582075167333b47b6c2bfb86eccc1f438cf57af055371ac55e1e359e20f254adcebf01582067e539d6139ebd131aef441b445645dd831b2b375b390ca5ef6279b205ed45710258203394372ddb78053f36d5d869780e61eda313d44a392092ad8e0527a2fbfe55ae0358202e35ad3c4e514bb67b1a9db51ce74e4cb9b7146e41ac52dac9ce86b8613db555045820ea5c3304bb7c4a8dcb51c4c13b65264f845541341342093cca786e058fac2d59055820fae487f68b7a0e87a749774e56e9e1dc3a8ec7b77e490d21f0e1d3475661aa1d0658207d83e507ae77db815de4d803b88555d0511d894c897439f5774056416a1c7533075820f0549a145f1cf75cbeeffa881d4857dd438d627cf32174b1731c4c38e12ca936085820b68c8afcb2aaf7c581411d2877def155be2eb121a42bc9ba5b7312377e068f660958200b3587d1dd0c2a07a35bfb120d99a0abfb5df56865bb7fa15cc8b56a66df6e0c0a5820c98a170cf36e11abb724e98a75a5343dfa2b6ed3df2ecfbb8ef2ee55dd41c8810b5820b57dd036782f7b14c6a30faaaae6ccd5054ce88bdfa51a016ba75eda1edea9480c5820651f8736b18480fe252a03224ea087b5d10ca5485146c67c74ac4ec3112d4c3a746f72672e69736f2e31383031332e352e312e5553a4005820d80b83d25173c484c5640610ff1a31c949c1d934bf4cf7f18d5223b15dd4f21c0158204d80e1e2e4fb246d97895427ce7000bb59bb24c8cd003ecf94bf35bbd2917e340258208b331f3b685bca372e85351a25c9484ab7afcdf0d2233105511f778d98c2f544035820c343af1bd1690715439161aba73702c474abf992b20c9fb55c36a336ebe01a876d6465766963654b6579496e666fa1696465766963654b6579a40102200121582096313d6c63e24e3372742bfdb1a33ba2c897dcd68ab8c753e4fbd48dca6b7f9a2258201fb3269edd418857de1b39a4e4a44b92fa484caa722c228288f01d0c03a2c3d667646f6354797065756f72672e69736f2e31383031332e352e312e6d444c6c76616c6964697479496e666fa3667369676e6564c074323032302d31302d30315431333a33303a30325a6976616c696446726f6dc074323032302d31302d30315431333a33303a30325a6a76616c6964556e74696cc074323032312d31302d30315431333a33303a30325a5840cff12c17d4739aba806035a9cb2b34ae8a830cef4f329289f9a3ebd302dd6b99c584068257569397b92ba9aa5128554eb05d1273dafea313da4aff6b01a5fb3f6c6465766963655369676e6564a26a6e616d65537061636573d81841a06a64657669636541757468a1696465766963654d61638443a10105a0f65820200d73ded787c64652dc8ee743ea83a5260d5a3283fddc919b7b9cfb486addb26673746174757300" 173 | mdoc = MdocCbor() 174 | mdoc.loads(ISSUED_MDOC) 175 | mdoc.verify() 176 | >> True 177 | 178 | mdoc 179 | >> pymdoccbor.mdoc.verifier.MdocCbor [1 valid documents] 180 | 181 | mdoc.documents 182 | >> [pymdoccbor.mdoc.verifier.MobileDocument [valid]] 183 | 184 | mdoc.disclosure_map 185 | >> ... dictionary containing all the disclosed attributes ... 186 | ```` 187 | 188 | ### Verify the Mobile Security Object 189 | 190 | ```` 191 | from pymdoccbor.mso.verifier import MsoVerifier 192 | 193 | import binascii 194 | import cbor2 195 | 196 | ISSUED_MDOC="a36776657273696f6e63312e3069646f63756d656e747381a367646f6354797065756f72672e69736f2e31383031332e352e312e6d444c6c6973737565725369676e6564a26a6e616d65537061636573a1716f72672e69736f2e31383031332e352e3186d8185863a4686469676573744944006672616e646f6d58208798645b20ea200e19ffabac92624bee6aec63aceedecfb1b80077d22bfc20e971656c656d656e744964656e7469666965726b66616d696c795f6e616d656c656c656d656e7456616c756563446f65d818586ca4686469676573744944036672616e646f6d5820b23f627e8999c706df0c0a4ed98ad74af988af619b4bb078b89058553f44615d71656c656d656e744964656e7469666965726a69737375655f646174656c656c656d656e7456616c7565d903ec6a323031392d31302d3230d818586da4686469676573744944046672616e646f6d5820c7ffa307e5de921e67ba5878094787e8807ac8e7b5b3932d2ce80f00f3e9abaf71656c656d656e744964656e7469666965726b6578706972795f646174656c656c656d656e7456616c7565d903ec6a323032342d31302d3230d818586da4686469676573744944076672616e646f6d582026052a42e5880557a806c1459af3fb7eb505d3781566329d0b604b845b5f9e6871656c656d656e744964656e7469666965726f646f63756d656e745f6e756d6265726c656c656d656e7456616c756569313233343536373839d818590471a4686469676573744944086672616e646f6d5820d094dad764a2eb9deb5210e9d899643efbd1d069cc311d3295516ca0b024412d71656c656d656e744964656e74696669657268706f7274726169746c656c656d656e7456616c7565590412ffd8ffe000104a46494600010101009000900000ffdb004300130d0e110e0c13110f11151413171d301f1d1a1a1d3a2a2c2330453d4947443d43414c566d5d4c51685241435f82606871757b7c7b4a5c869085778f6d787b76ffdb0043011415151d191d381f1f38764f434f7676767676767676767676767676767676767676767676767676767676767676767676767676767676767676767676767676ffc00011080018006403012200021101031101ffc4001b00000301000301000000000000000000000005060401020307ffc400321000010303030205020309000000000000010203040005110612211331141551617122410781a1163542527391b2c1f1ffc4001501010100000000000000000000000000000001ffc4001a110101010003010000000000000000000000014111213161ffda000c03010002110311003f00a5bbde22da2329c7d692bc7d0d03f52cfb0ff75e7a7ef3e7709723a1d0dae146ddfbb3c039ce07ad2bd47a7e32dbb8dd1d52d6ef4b284f64a480067dfb51f87ffb95ff00eb9ff14d215de66af089ce44b7dbde9cb6890a2838eddf18078f7add62d411ef4db9b10a65d6b95a147381ea0d495b933275fe6bba75c114104a8ba410413e983dff004f5af5d34b4b4cde632d0bf1fd1592bdd91c6411f3934c2fa6af6b54975d106dcf4a65ae56e856001ebc03c7ce29dd9eef1ef10fc447dc9da76ad2aee93537a1ba7e4f70dd8eff0057c6dffb5e1a19854a83758e54528750946ec6704850cd037bceb08b6d7d2cc76d3317fc7b5cc04fb6707269c5c6e0c5b60ae549242123b0e493f602a075559e359970d98db89525456b51c951c8afa13ea8e98e3c596836783d5c63f5a61a99fdb7290875db4be88ab384bbbbbfc7183fdeaa633e8951db7da396dc48524fb1a8bd611a5aa2a2432f30ab420a7a6d3240c718cf031fa9ef4c9ad550205aa02951df4a1d6c8421b015b769db8c9229837ea2be8b1b0d39d0eba9c51484efdb8c0efd8d258daf3c449699f2edbd4584e7af9c64e3f96b9beb28d4ac40931e6478c8e76a24a825449501d867d2b1dcdebae99b9c752ae4ecd6dde4a179c1c1e460938f9149ef655e515c03919a289cb3dca278fb7bf177f4faa829dd8ce3f2ac9a7ecde490971fafd7dce15eed9b71c018c64fa514514b24e8e4f8c5c9b75c1e82579dc1233dfec08238f6add62d391acc1c5256a79e706d52d431c7a0145140b9fd149eb3a60dc5e88cbbc2da092411e9dc71f39a7766b447b344e847dcac9dcb5abba8d145061d43a6fcf1e65cf15d0e90231d3dd9cfe62995c6dcc5ca12a2c904a15f71dd27d451453e09d1a21450961cbb3ea8a956433b781f1ce33dfed54f0e2b50a2b71d84ed6db18028a28175f74fc6bda105c529a791c25c4f3c7a11f71586268f4a66b726e33de9ea6f1b52b181c760724e47b514520a5a28a283ffd9d81858ffa4686469676573744944096672616e646f6d58204599f81beaa2b20bd0ffcc9aa03a6f985befab3f6beaffa41e6354cdb2ab2ce471656c656d656e744964656e7469666965727264726976696e675f70726976696c656765736c656c656d656e7456616c756582a37576656869636c655f63617465676f72795f636f646561416a69737375655f64617465d903ec6a323031382d30382d30396b6578706972795f64617465d903ec6a323032342d31302d3230a37576656869636c655f63617465676f72795f636f646561426a69737375655f64617465d903ec6a323031372d30322d32336b6578706972795f64617465d903ec6a323032342d31302d32306a697373756572417574688443a10126a118215901d2308201ce30820174a003020102021401ec51916031e6898e8fc7864af5e6d5f86602b6300a06082a8648ce3d04030230233114301206035504030c0b75746f7069612069616361310b3009060355040613025553301e170d3230313030313030303030305a170d3231313030313030303030305a30213112301006035504030c0975746f706961206473310b30090603550406130255533059301306072a8648ce3d020106082a8648ce3d03010703420004ace7ab7340e5d9648c5a72a9a6f56745c7aad436a03a43efea77b5fa7b88f0197d57d8983e1b37d3a539f4d588365e38cbbf5b94d68c547b5bc8731dcd2f146ba38187308184301e0603551d120417301581136578616d706c65406578616d706c652e636f6d301c0603551d1f041530133011a00fa00d820b6578616d706c652e636f6d301d0603551d0e0416041414e29017a6c35621ffc7a686b7b72db06cd12351300e0603551d0f0101ff04040302078030150603551d250101ff040b3009060728818c5d050102300a06082a8648ce3d0403020348003045022100bac6f93a8bacf0fc9aeac1c89a5c9293af2076942e9e972882a113640330702702207b7b73c0444371a4c94c9c888ddfe553ffde84ca492fd64dfbf02ad46a31cbc85903a2d81859039da66776657273696f6e63312e306f646967657374416c676f726974686d675348412d3235366c76616c756544696765737473a2716f72672e69736f2e31383031332e352e31ad00582075167333b47b6c2bfb86eccc1f438cf57af055371ac55e1e359e20f254adcebf01582067e539d6139ebd131aef441b445645dd831b2b375b390ca5ef6279b205ed45710258203394372ddb78053f36d5d869780e61eda313d44a392092ad8e0527a2fbfe55ae0358202e35ad3c4e514bb67b1a9db51ce74e4cb9b7146e41ac52dac9ce86b8613db555045820ea5c3304bb7c4a8dcb51c4c13b65264f845541341342093cca786e058fac2d59055820fae487f68b7a0e87a749774e56e9e1dc3a8ec7b77e490d21f0e1d3475661aa1d0658207d83e507ae77db815de4d803b88555d0511d894c897439f5774056416a1c7533075820f0549a145f1cf75cbeeffa881d4857dd438d627cf32174b1731c4c38e12ca936085820b68c8afcb2aaf7c581411d2877def155be2eb121a42bc9ba5b7312377e068f660958200b3587d1dd0c2a07a35bfb120d99a0abfb5df56865bb7fa15cc8b56a66df6e0c0a5820c98a170cf36e11abb724e98a75a5343dfa2b6ed3df2ecfbb8ef2ee55dd41c8810b5820b57dd036782f7b14c6a30faaaae6ccd5054ce88bdfa51a016ba75eda1edea9480c5820651f8736b18480fe252a03224ea087b5d10ca5485146c67c74ac4ec3112d4c3a746f72672e69736f2e31383031332e352e312e5553a4005820d80b83d25173c484c5640610ff1a31c949c1d934bf4cf7f18d5223b15dd4f21c0158204d80e1e2e4fb246d97895427ce7000bb59bb24c8cd003ecf94bf35bbd2917e340258208b331f3b685bca372e85351a25c9484ab7afcdf0d2233105511f778d98c2f544035820c343af1bd1690715439161aba73702c474abf992b20c9fb55c36a336ebe01a876d6465766963654b6579496e666fa1696465766963654b6579a40102200121582096313d6c63e24e3372742bfdb1a33ba2c897dcd68ab8c753e4fbd48dca6b7f9a2258201fb3269edd418857de1b39a4e4a44b92fa484caa722c228288f01d0c03a2c3d667646f6354797065756f72672e69736f2e31383031332e352e312e6d444c6c76616c6964697479496e666fa3667369676e6564c074323032302d31302d30315431333a33303a30325a6976616c696446726f6dc074323032302d31302d30315431333a33303a30325a6a76616c6964556e74696cc074323032312d31302d30315431333a33303a30325a5840cff12c17d4739aba806035a9cb2b34ae8a830cef4f329289f9a3ebd302dd6b99c584068257569397b92ba9aa5128554eb05d1273dafea313da4aff6b01a5fb3f6c6465766963655369676e6564a26a6e616d65537061636573d81841a06a64657669636541757468a1696465766963654d61638443a10105a0f65820200d73ded787c64652dc8ee743ea83a5260d5a3283fddc919b7b9cfb486addb26673746174757300" 197 | BIN_ISSUED_MDOC = binascii.unhexlify(ISSUED_MDOC) 198 | 199 | mdoc = cbor2.loads(BIN_ISSUED_MDOC) 200 | msop = MsoVerifier(mdoc['documents'][0]['issuerSigned']['issuerAuth']) 201 | msop.verify_signature() 202 | ```` 203 | 204 | API usage: 205 | 206 | - `msop.payload_as_dict`: returns the MSO as Python dictionary. 207 | - `msop.payload_as_raw`: returns the MSO as bytes in its original format. 208 | - `msop.payload_as_cbor`: returns the MSO as CBOR encoded object. 209 | - `msop.object`: returns a pycose COSE_Sign1 object. 210 | - `msop.raw_public_keys`: returns the list of the public keys from the unprotected COSE header 211 | - `msop.public_key`: returns `cryptography.hazmat` key. 212 | - `msop.x509_certificates`: returns a list of `cryptography.x509` certificate objects 213 | 214 | ## Tests 215 | 216 | ```` 217 | coverage erase 218 | pytest --cov-report term-missing --cov-report term:skip-covered --cov 219 | ```` 220 | 221 | ## Other examples 222 | 223 | Quick preview in bash using AF binary 224 | 225 | ```` 226 | # D.4.1.2 mdoc response 227 | export ISSUED_MDOC="a36776657273696f6e63312e3069646f63756d656e747381a367646f6354797065756f72672e69736f2e31383031332e352e312e6d444c6c6973737565725369676e6564a26a6e616d65537061636573a1716f72672e69736f2e31383031332e352e3186d8185863a4686469676573744944006672616e646f6d58208798645b20ea200e19ffabac92624bee6aec63aceedecfb1b80077d22bfc20e971656c656d656e744964656e7469666965726b66616d696c795f6e616d656c656c656d656e7456616c756563446f65d818586ca4686469676573744944036672616e646f6d5820b23f627e8999c706df0c0a4ed98ad74af988af619b4bb078b89058553f44615d71656c656d656e744964656e7469666965726a69737375655f646174656c656c656d656e7456616c7565d903ec6a323031392d31302d3230d818586da4686469676573744944046672616e646f6d5820c7ffa307e5de921e67ba5878094787e8807ac8e7b5b3932d2ce80f00f3e9abaf71656c656d656e744964656e7469666965726b6578706972795f646174656c656c656d656e7456616c7565d903ec6a323032342d31302d3230d818586da4686469676573744944076672616e646f6d582026052a42e5880557a806c1459af3fb7eb505d3781566329d0b604b845b5f9e6871656c656d656e744964656e7469666965726f646f63756d656e745f6e756d6265726c656c656d656e7456616c756569313233343536373839d818590471a4686469676573744944086672616e646f6d5820d094dad764a2eb9deb5210e9d899643efbd1d069cc311d3295516ca0b024412d71656c656d656e744964656e74696669657268706f7274726169746c656c656d656e7456616c7565590412ffd8ffe000104a46494600010101009000900000ffdb004300130d0e110e0c13110f11151413171d301f1d1a1a1d3a2a2c2330453d4947443d43414c566d5d4c51685241435f82606871757b7c7b4a5c869085778f6d787b76ffdb0043011415151d191d381f1f38764f434f7676767676767676767676767676767676767676767676767676767676767676767676767676767676767676767676767676ffc00011080018006403012200021101031101ffc4001b00000301000301000000000000000000000005060401020307ffc400321000010303030205020309000000000000010203040005110612211331141551617122410781a1163542527391b2c1f1ffc4001501010100000000000000000000000000000001ffc4001a110101010003010000000000000000000000014111213161ffda000c03010002110311003f00a5bbde22da2329c7d692bc7d0d03f52cfb0ff75e7a7ef3e7709723a1d0dae146ddfbb3c039ce07ad2bd47a7e32dbb8dd1d52d6ef4b284f64a480067dfb51f87ffb95ff00eb9ff14d215de66af089ce44b7dbde9cb6890a2838eddf18078f7add62d411ef4db9b10a65d6b95a147381ea0d495b933275fe6bba75c114104a8ba410413e983dff004f5af5d34b4b4cde632d0bf1fd1592bdd91c6411f3934c2fa6af6b54975d106dcf4a65ae56e856001ebc03c7ce29dd9eef1ef10fc447dc9da76ad2aee93537a1ba7e4f70dd8eff0057c6dffb5e1a19854a83758e54528750946ec6704850cd037bceb08b6d7d2cc76d3317fc7b5cc04fb6707269c5c6e0c5b60ae549242123b0e493f602a075559e359970d98db89525456b51c951c8afa13ea8e98e3c596836783d5c63f5a61a99fdb7290875db4be88ab384bbbbbfc7183fdeaa633e8951db7da396dc48524fb1a8bd611a5aa2a2432f30ab420a7a6d3240c718cf031fa9ef4c9ad550205aa02951df4a1d6c8421b015b769db8c9229837ea2be8b1b0d39d0eba9c51484efdb8c0efd8d258daf3c449699f2edbd4584e7af9c64e3f96b9beb28d4ac40931e6478c8e76a24a825449501d867d2b1dcdebae99b9c752ae4ecd6dde4a179c1c1e460938f9149ef655e515c03919a289cb3dca278fb7bf177f4faa829dd8ce3f2ac9a7ecde490971fafd7dce15eed9b71c018c64fa514514b24e8e4f8c5c9b75c1e82579dc1233dfec08238f6add62d391acc1c5256a79e706d52d431c7a0145140b9fd149eb3a60dc5e88cbbc2da092411e9dc71f39a7766b447b344e847dcac9dcb5abba8d145061d43a6fcf1e65cf15d0e90231d3dd9cfe62995c6dcc5ca12a2c904a15f71dd27d451453e09d1a21450961cbb3ea8a956433b781f1ce33dfed54f0e2b50a2b71d84ed6db18028a28175f74fc6bda105c529a791c25c4f3c7a11f71586268f4a66b726e33de9ea6f1b52b181c760724e47b514520a5a28a283ffd9d81858ffa4686469676573744944096672616e646f6d58204599f81beaa2b20bd0ffcc9aa03a6f985befab3f6beaffa41e6354cdb2ab2ce471656c656d656e744964656e7469666965727264726976696e675f70726976696c656765736c656c656d656e7456616c756582a37576656869636c655f63617465676f72795f636f646561416a69737375655f64617465d903ec6a323031382d30382d30396b6578706972795f64617465d903ec6a323032342d31302d3230a37576656869636c655f63617465676f72795f636f646561426a69737375655f64617465d903ec6a323031372d30322d32336b6578706972795f64617465d903ec6a323032342d31302d32306a697373756572417574688443a10126a118215901d2308201ce30820174a003020102021401ec51916031e6898e8fc7864af5e6d5f86602b6300a06082a8648ce3d04030230233114301206035504030c0b75746f7069612069616361310b3009060355040613025553301e170d3230313030313030303030305a170d3231313030313030303030305a30213112301006035504030c0975746f706961206473310b30090603550406130255533059301306072a8648ce3d020106082a8648ce3d03010703420004ace7ab7340e5d9648c5a72a9a6f56745c7aad436a03a43efea77b5fa7b88f0197d57d8983e1b37d3a539f4d588365e38cbbf5b94d68c547b5bc8731dcd2f146ba38187308184301e0603551d120417301581136578616d706c65406578616d706c652e636f6d301c0603551d1f041530133011a00fa00d820b6578616d706c652e636f6d301d0603551d0e0416041414e29017a6c35621ffc7a686b7b72db06cd12351300e0603551d0f0101ff04040302078030150603551d250101ff040b3009060728818c5d050102300a06082a8648ce3d0403020348003045022100bac6f93a8bacf0fc9aeac1c89a5c9293af2076942e9e972882a113640330702702207b7b73c0444371a4c94c9c888ddfe553ffde84ca492fd64dfbf02ad46a31cbc85903a2d81859039da66776657273696f6e63312e306f646967657374416c676f726974686d675348412d3235366c76616c756544696765737473a2716f72672e69736f2e31383031332e352e31ad00582075167333b47b6c2bfb86eccc1f438cf57af055371ac55e1e359e20f254adcebf01582067e539d6139ebd131aef441b445645dd831b2b375b390ca5ef6279b205ed45710258203394372ddb78053f36d5d869780e61eda313d44a392092ad8e0527a2fbfe55ae0358202e35ad3c4e514bb67b1a9db51ce74e4cb9b7146e41ac52dac9ce86b8613db555045820ea5c3304bb7c4a8dcb51c4c13b65264f845541341342093cca786e058fac2d59055820fae487f68b7a0e87a749774e56e9e1dc3a8ec7b77e490d21f0e1d3475661aa1d0658207d83e507ae77db815de4d803b88555d0511d894c897439f5774056416a1c7533075820f0549a145f1cf75cbeeffa881d4857dd438d627cf32174b1731c4c38e12ca936085820b68c8afcb2aaf7c581411d2877def155be2eb121a42bc9ba5b7312377e068f660958200b3587d1dd0c2a07a35bfb120d99a0abfb5df56865bb7fa15cc8b56a66df6e0c0a5820c98a170cf36e11abb724e98a75a5343dfa2b6ed3df2ecfbb8ef2ee55dd41c8810b5820b57dd036782f7b14c6a30faaaae6ccd5054ce88bdfa51a016ba75eda1edea9480c5820651f8736b18480fe252a03224ea087b5d10ca5485146c67c74ac4ec3112d4c3a746f72672e69736f2e31383031332e352e312e5553a4005820d80b83d25173c484c5640610ff1a31c949c1d934bf4cf7f18d5223b15dd4f21c0158204d80e1e2e4fb246d97895427ce7000bb59bb24c8cd003ecf94bf35bbd2917e340258208b331f3b685bca372e85351a25c9484ab7afcdf0d2233105511f778d98c2f544035820c343af1bd1690715439161aba73702c474abf992b20c9fb55c36a336ebe01a876d6465766963654b6579496e666fa1696465766963654b6579a40102200121582096313d6c63e24e3372742bfdb1a33ba2c897dcd68ab8c753e4fbd48dca6b7f9a2258201fb3269edd418857de1b39a4e4a44b92fa484caa722c228288f01d0c03a2c3d667646f6354797065756f72672e69736f2e31383031332e352e312e6d444c6c76616c6964697479496e666fa3667369676e6564c074323032302d31302d30315431333a33303a30325a6976616c696446726f6dc074323032302d31302d30315431333a33303a30325a6a76616c6964556e74696cc074323032312d31302d30315431333a33303a30325a5840cff12c17d4739aba806035a9cb2b34ae8a830cef4f329289f9a3ebd302dd6b99c584068257569397b92ba9aa5128554eb05d1273dafea313da4aff6b01a5fb3f6c6465766963655369676e6564a26a6e616d65537061636573d81841a06a64657669636541757468a1696465766963654d61638443a10105a0f65820200d73ded787c64652dc8ee743ea83a5260d5a3283fddc919b7b9cfb486addb26673746174757300" 228 | 229 | echo $ISSUED_MDOC | xxd -r -ps | python3 -m cbor2.tool --pretty 230 | ```` 231 | 232 | ### using cbor-diag 233 | 234 | Install cbor-diag 235 | 236 | ```` 237 | pip install cbor-diag 238 | ```` 239 | 240 | Print a cbor diagnostic representation 241 | 242 | ```` 243 | from cbor_diag import * 244 | 245 | encoded = bytes.fromhex(ISSUED_MDOC) 246 | print(cbor2diag(encoded)) 247 | ```` 248 | 249 | Other examples at [cbor official documentation](https://github.com/agronholm/cbor2). 250 | 251 | ## References 252 | 253 | #### CBOR Diagnostic representation 254 | 255 | - [CBOR-DIAG-PY](https://github.com/chrysn/cbor-diag-py) 256 | - [Authlete's CBOR diagnostic tools](https://nextdev-api.authlete.net/api/cbor) 257 | - [Auth0 CBOR diagnostic tool](https://www.mdl.me/) 258 | 259 | #### X.509 certificates and chains 260 | 261 | - [Python Certvalidator](https://github.com/wbond/certvalidator/blob/master/docs/usage.md) 262 | 263 | ## Authors and contributors 264 | 265 | - Giuseppe De Marco 266 | - Pasquale De Rose 267 | -------------------------------------------------------------------------------- /docs/CREATE-MSO.md: -------------------------------------------------------------------------------- 1 | ```` 2 | cbor2.loads(cbor2.loads(ia[2]).value) 3 | 4 | import datetime 5 | 6 | payload = {'version': '1.0', 7 | 'digestAlgorithm': 'SHA-256', 8 | 'valueDigests': {'org.iso.18013.5.1': {0: b'u\x16s3\xb4{l+\xfb\x86\xec\xcc\x1fC\x8c\xf5z\xf0U7\x1a\xc5^\x1e5\x9e \xf2T\xad\xce\xbf', 9 | 1: b'g\xe59\xd6\x13\x9e\xbd\x13\x1a\xefD\x1bDVE\xdd\x83\x1b+7[9\x0c\xa5\xefby\xb2\x05\xedEq', 10 | 2: b"3\x947-\xdbx\x05?6\xd5\xd8ix\x0ea\xed\xa3\x13\xd4J9 \x92\xad\x8e\x05'\xa2\xfb\xfeU\xae", 11 | 3: b'.5\xad\xcf\x94\xbf5\xbb\xd2\x91~4", 23 | 2: b'\x8b3\x1f;h[\xca7.\x855\x1a%\xc9HJ\xb7\xaf\xcd\xf0\xd2#1\x05Q\x1fw\x8d\x98\xc2\xf5D', 24 | 3: b'\xc3C\xaf\x1b\xd1i\x07\x15C\x91a\xab\xa77\x02\xc4t\xab\xf9\x92\xb2\x0c\x9f\xb5\\6\xa36\xeb\xe0\x1a\x87'}}, 25 | 'deviceKeyInfo': {'deviceKey': {1: 2, 26 | -1: 1, 27 | -2: b'\x961=lc\xe2N3rt+\xfd\xb1\xa3;\xa2\xc8\x97\xdc\xd6\x8a\xb8\xc7S\xe4\xfb\xd4\x8d\xcak\x7f\x9a', 28 | -3: b'\x1f\xb3&\x9e\xddA\x88W\xde\x1b9\xa4\xe4\xa4K\x92\xfaHL\xaar,"\x82\x88\xf0\x1d\x0c\x03\xa2\xc3\xd6'}}, 29 | 'docType': 'org.iso.18013.5.1.mDL', 30 | 'validityInfo': {'signed': datetime.datetime(2020, 10, 1, 13, 30, 2, tzinfo=datetime.timezone.utc), 31 | 'validFrom': datetime.datetime(2020, 10, 1, 13, 30, 2, tzinfo=datetime.timezone.utc), 32 | 'validUntil': datetime.datetime(2021, 10, 1, 13, 30, 2, tzinfo=datetime.timezone.utc)} 33 | } 34 | 35 | 36 | from binascii import unhexlify, hexlify 37 | from pycose.messages import Sign1Message 38 | from pycose.keys import CoseKey 39 | from pycose.headers import Algorithm, KID 40 | from pycose.algorithms import EdDSA 41 | from pycose.keys.curves import Ed25519 42 | from pycose.keys.keyparam import KpKty, OKPKpD, OKPKpX, KpKeyOps, OKPKpCurve 43 | from pycose.keys.keytype import KtyOKP 44 | from pycose.keys.keyops import SignOp, VerifyOp 45 | 46 | # create a key 47 | 48 | import os 49 | from pycose.keys import EC2Key, CoseKey 50 | 51 | cose_key = EC2Key(crv='P_256', d=os.urandom(128), optional_params={'ALG': 'ES256'}) 52 | 53 | # OR 54 | 55 | key_attribute_dict = { 56 | 'KTY': 'EC2', 57 | 'CURVE': 'P_256', 58 | 'ALG': 'ES256', 59 | 'D': os.urandom(32), 60 | 'KID': b"demo-kid" 61 | } 62 | 63 | cose_key = CoseKey.from_dict(key_attribute_dict) 64 | msg = Sign1Message( 65 | phdr = {Algorithm: cose_key.alg, KID: cose_key.kid}, 66 | payload = cbor2.dumps(payload) 67 | ) 68 | msg.key = cose_key 69 | 70 | # the encode() function performs the signing automatically 71 | encoded = msg.encode() 72 | 73 | # DECODE 74 | 75 | decoded = Sign1Message.decode(encoded) 76 | decoded.key = cose_key 77 | decoded.verify_signature() 78 | 79 | ```` 80 | -------------------------------------------------------------------------------- /docs/DIAGN-VALIDATE.md: -------------------------------------------------------------------------------- 1 | # NOTES 2 | 3 | #### Document structure 4 | 5 | ```` 6 | { 7 | 'version': '1.0', 8 | 'documents': Array of $doc, 9 | 'status': 0 10 | } 11 | ```` 12 | 13 | Where a single `$doc` it something like as follow. 14 | 15 | ```` 16 | { 17 | 'docType': 'org.iso.18013.5.1.mDL' 18 | 'issuerSigned': { 19 | 'nameSpaces' 20 | 'org.iso.18013.5.1' -> Arrays of digests 21 | [ 22 | Tag( 23 | 24, 24 | b'\xa4hdigestID\x00frandomX \x87\x98d[ \xea \x0e\x19\xff\xab\xac\x92bK\xeej\xecc\xac\xee\xde\xcf\xb1\xb8\x00w\xd2+\xfc \xe9qelementIdentifierkfamily_namelelementValuecDoe' 25 | ), -> {'digestID': 0, 'random': b'\x87\x98d[ \xea \x0e\x19\xff\xab\xac\x92bK\xeej\xecc\xac\xee\xde\xcf\xb1\xb8\x00w\xd2+\xfc \xe9', 'elementIdentifier': 'family_name', 'elementValue': 'Doe'} 26 | ... 27 | ] 28 | 'issuerAuth': -> TAG 18 Contains the mobile security object (MSO) for issuer data authentication, an Array of the elements below 29 | cbor({1: -7}) # Protected Header, find -7 here https://datatracker.ietf.org/doc/html/rfc8152 -> ES256 SHA-256 30 | {33: cbor tag( -17)} # Unprotected header -> the x5chain element has the temporary identifer 33 registered in the IANA registry. 31 | Tag(24, cbor(payload) -> It's a MobileSecurityObjectBytes 32 | { 33 | 'version': '1.0', 34 | 'digestAlgorithm': 'SHA-256', 35 | 'valueDigests': { 36 | 'org.iso.18013.5.1': { 37 | 0: b'u\x16s3\xb4{l+\xfb\x86\xec\xcc\x1fC\x8c\xf5z\xf0U7\x1a\xc5^\x1e5\x9e \xf2T\xad\xce\xbf', 38 | 1: b'g\xe59\xd6\x13\x9e\xbd\x13\x1a\xefD\x1bDVE\xdd\x83\x1b+7[9\x0c\xa5\xefby\xb2\x05\xedEq', 39 | 2: b"3\x947-\xdbx\x05?6\xd5\xd8ix\x0ea\xed\xa3\x13\xd4J9 \x92\xad\x8e\x05'\xa2\xfb\xfeU\xae", 40 | 3: b'.5\xad\xcf\x94\xbf5\xbb\xd2\x91~4", 53 | 2: b'\x8b3\x1f;h[\xca7.\x855\x1a%\xc9HJ\xb7\xaf\xcd\xf0\xd2#1\x05Q\x1fw\x8d\x98\xc2\xf5D', 54 | 3: b'\xc3C\xaf\x1b\xd1i\x07\x15C\x91a\xab\xa77\x02\xc4t\xab\xf9\x92\xb2\x0c\x9f\xb5\\6\xa36\xeb\xe0\x1a\x87' 55 | } 56 | }, 57 | 'deviceKeyInfo': { 58 | 'deviceKey': { 59 | 1: 2, 60 | -1: 1, 61 | -2: b'\x961=lc\xe2N3rt+\xfd\xb1\xa3;\xa2\xc8\x97\xdc\xd6\x8a\xb8\xc7S\xe4\xfb\xd4\x8d\xcak\x7f\x9a', 62 | -3: b'\x1f\xb3&\x9e\xddA\x88W\xde\x1b9\xa4\xe4\xa4K\x92\xfaHL\xaar,"\x82\x88\xf0\x1d\x0c\x03\xa2\xc3\xd6'} 63 | }, 64 | 'docType': 'org.iso.18013.5.1.mDL', 65 | 'validityInfo': { 66 | 'signed': Tag(0, '2020-10-01T13:30:02Z'), 67 | 'validFrom': Tag(0, '2020-10-01T13:30:02Z'), 68 | 'validUntil': Tag(0, '2021-10-01T13:30:02Z') 69 | } 70 | } 71 | ), 72 | Signature? 73 | } 74 | 'deviceSigned' 75 | {'nameSpaces': Tag(24, b'\xa0'), 76 | 'deviceAuth': { 77 | 'deviceMac': [ 78 | b'\xa1\x01\x05', 79 | {}, 80 | None, 81 | b' \rs\xde\xd7\x87\xc6FR\xdc\x8e\xe7C\xea\x83\xa5&\rZ2\x83\xfd\xdc\x91\x9b{\x9c\xfbHj\xdd\xb2' 82 | ] 83 | } 84 | } 85 | ```` 86 | 87 | Here a diagnostic representation 88 | 89 | ```` 90 | import binascii 91 | import cbor_diag 92 | 93 | BIN_ISSUED_MDOC = binascii.unhexlify(ISSUED_MDOC) 94 | print(cbor_diag.cbor2diag(BIN_ISSUED_MDOC)) 95 | 96 | { 97 | "version": "1.0", 98 | "documents": [ 99 | { 100 | "docType": "org.iso.18013.5.1.mDL", 101 | "issuerSigned": { 102 | "nameSpaces": { 103 | "org.iso.18013.5.1": [ 104 | 24_0(<<{ 105 | "digestID": 0, 106 | "random": h'8798645b20ea200e19ffabac92624bee6aec63aceedecfb1b80077d22bfc20e9', 107 | "elementIdentifier": "family_name", 108 | "elementValue": "Doe", 109 | }>>), 110 | 24_0(<<{ 111 | "digestID": 3, 112 | "random": h'b23f627e8999c706df0c0a4ed98ad74af988af619b4bb078b89058553f44615d', 113 | "elementIdentifier": "issue_date", 114 | "elementValue": 1004_1("2019-10-20"), 115 | }>>), 116 | 24_0(<<{ 117 | "digestID": 4, 118 | "random": h'c7ffa307e5de921e67ba5878094787e8807ac8e7b5b3932d2ce80f00f3e9abaf', 119 | "elementIdentifier": "expiry_date", 120 | "elementValue": 1004_1("2024-10-20"), 121 | }>>), 122 | 24_0(<<{ 123 | "digestID": 7, 124 | "random": h'26052a42e5880557a806c1459af3fb7eb505d3781566329d0b604b845b5f9e68', 125 | "elementIdentifier": "document_number", 126 | "elementValue": "123456789", 127 | }>>), 128 | 24_0(<<{ 129 | "digestID": 8, 130 | "random": h'd094dad764a2eb9deb5210e9d899643efbd1d069cc311d3295516ca0b024412d', 131 | "elementIdentifier": "portrait", 132 | "elementValue": h'ffd8ffe000104a46494600010101009000900000ffdb004300130d0e110e0c13110f11151413171d301f1d1a1a1d3a2a2c2330453d4947443d43414c566d5d4c51685241435f82606871757b7c7b4a5c869085778f6d787b76ffdb0043011415151d191d381f1f38764f434f7676767676767676767676767676767676767676767676767676767676767676767676767676767676767676767676767676ffc00011080018006403012200021101031101ffc4001b00000301000301000000000000000000000005060401020307ffc400321000010303030205020309000000000000010203040005110612211331141551617122410781a1163542527391b2c1f1ffc4001501010100000000000000000000000000000001ffc4001a110101010003010000000000000000000000014111213161ffda000c03010002110311003f00a5bbde22da2329c7d692bc7d0d03f52cfb0ff75e7a7ef3e7709723a1d0dae146ddfbb3c039ce07ad2bd47a7e32dbb8dd1d52d6ef4b284f64a480067dfb51f87ffb95ff00eb9ff14d215de66af089ce44b7dbde9cb6890a2838eddf18078f7add62d411ef4db9b10a65d6b95a147381ea0d495b933275fe6bba75c114104a8ba410413e983dff004f5af5d34b4b4cde632d0bf1fd1592bdd91c6411f3934c2fa6af6b54975d106dcf4a65ae56e856001ebc03c7ce29dd9eef1ef10fc447dc9da76ad2aee93537a1ba7e4f70dd8eff0057c6dffb5e1a19854a83758e54528750946ec6704850cd037bceb08b6d7d2cc76d3317fc7b5cc04fb6707269c5c6e0c5b60ae549242123b0e493f602a075559e359970d98db89525456b51c951c8afa13ea8e98e3c596836783d5c63f5a61a99fdb7290875db4be88ab384bbbbbfc7183fdeaa633e8951db7da396dc48524fb1a8bd611a5aa2a2432f30ab420a7a6d3240c718cf031fa9ef4c9ad550205aa02951df4a1d6c8421b015b769db8c9229837ea2be8b1b0d39d0eba9c51484efdb8c0efd8d258daf3c449699f2edbd4584e7af9c64e3f96b9beb28d4ac40931e6478c8e76a24a825449501d867d2b1dcdebae99b9c752ae4ecd6dde4a179c1c1e460938f9149ef655e515c03919a289cb3dca278fb7bf177f4faa829dd8ce3f2ac9a7ecde490971fafd7dce15eed9b71c018c64fa514514b24e8e4f8c5c9b75c1e82579dc1233dfec08238f6add62d391acc1c5256a79e706d52d431c7a0145140b9fd149eb3a60dc5e88cbbc2da092411e9dc71f39a7766b447b344e847dcac9dcb5abba8d145061d43a6fcf1e65cf15d0e90231d3dd9cfe62995c6dcc5ca12a2c904a15f71dd27d451453e09d1a21450961cbb3ea8a956433b781f1ce33dfed54f0e2b50a2b71d84ed6db18028a28175f74fc6bda105c529a791c25c4f3c7a11f71586268f4a66b726e33de9ea6f1b52b181c760724e47b514520a5a28a283ffd9', 133 | }>>), 134 | 24_0(<<{ 135 | "digestID": 9, 136 | "random": h'4599f81beaa2b20bd0ffcc9aa03a6f985befab3f6beaffa41e6354cdb2ab2ce4', 137 | "elementIdentifier": "driving_privileges", 138 | "elementValue": [ 139 | { 140 | "vehicle_category_code": "A", 141 | "issue_date": 1004_1("2018-08-09"), 142 | "expiry_date": 1004_1("2024-10-20"), 143 | }, 144 | { 145 | "vehicle_category_code": "B", 146 | "issue_date": 1004_1("2017-02-23"), 147 | "expiry_date": 1004_1("2024-10-20"), 148 | }, 149 | ], 150 | }>>), 151 | ], 152 | }, 153 | "issuerAuth": [ 154 | h'a10126', 155 | { 156 | 33_0: h'308201ce30820174a003020102021401ec51916031e6898e8fc7864af5e6d5f86602b6300a06082a8648ce3d04030230233114301206035504030c0b75746f7069612069616361310b3009060355040613025553301e170d3230313030313030303030305a170d3231313030313030303030305a30213112301006035504030c0975746f706961206473310b30090603550406130255533059301306072a8648ce3d020106082a8648ce3d03010703420004ace7ab7340e5d9648c5a72a9a6f56745c7aad436a03a43efea77b5fa7b88f0197d57d8983e1b37d3a539f4d588365e38cbbf5b94d68c547b5bc8731dcd2f146ba38187308184301e0603551d120417301581136578616d706c65406578616d706c652e636f6d301c0603551d1f041530133011a00fa00d820b6578616d706c652e636f6d301d0603551d0e0416041414e29017a6c35621ffc7a686b7b72db06cd12351300e0603551d0f0101ff04040302078030150603551d250101ff040b3009060728818c5d050102300a06082a8648ce3d0403020348003045022100bac6f93a8bacf0fc9aeac1c89a5c9293af2076942e9e972882a113640330702702207b7b73c0444371a4c94c9c888ddfe553ffde84ca492fd64dfbf02ad46a31cbc8', 157 | }, 158 | h'd81859039da66776657273696f6e63312e306f646967657374416c676f726974686d675348412d3235366c76616c756544696765737473a2716f72672e69736f2e31383031332e352e31ad00582075167333b47b6c2bfb86eccc1f438cf57af055371ac55e1e359e20f254adcebf01582067e539d6139ebd131aef441b445645dd831b2b375b390ca5ef6279b205ed45710258203394372ddb78053f36d5d869780e61eda313d44a392092ad8e0527a2fbfe55ae0358202e35ad3c4e514bb67b1a9db51ce74e4cb9b7146e41ac52dac9ce86b8613db555045820ea5c3304bb7c4a8dcb51c4c13b65264f845541341342093cca786e058fac2d59055820fae487f68b7a0e87a749774e56e9e1dc3a8ec7b77e490d21f0e1d3475661aa1d0658207d83e507ae77db815de4d803b88555d0511d894c897439f5774056416a1c7533075820f0549a145f1cf75cbeeffa881d4857dd438d627cf32174b1731c4c38e12ca936085820b68c8afcb2aaf7c581411d2877def155be2eb121a42bc9ba5b7312377e068f660958200b3587d1dd0c2a07a35bfb120d99a0abfb5df56865bb7fa15cc8b56a66df6e0c0a5820c98a170cf36e11abb724e98a75a5343dfa2b6ed3df2ecfbb8ef2ee55dd41c8810b5820b57dd036782f7b14c6a30faaaae6ccd5054ce88bdfa51a016ba75eda1edea9480c5820651f8736b18480fe252a03224ea087b5d10ca5485146c67c74ac4ec3112d4c3a746f72672e69736f2e31383031332e352e312e5553a4005820d80b83d25173c484c5640610ff1a31c949c1d934bf4cf7f18d5223b15dd4f21c0158204d80e1e2e4fb246d97895427ce7000bb59bb24c8cd003ecf94bf35bbd2917e340258208b331f3b685bca372e85351a25c9484ab7afcdf0d2233105511f778d98c2f544035820c343af1bd1690715439161aba73702c474abf992b20c9fb55c36a336ebe01a876d6465766963654b6579496e666fa1696465766963654b6579a40102200121582096313d6c63e24e3372742bfdb1a33ba2c897dcd68ab8c753e4fbd48dca6b7f9a2258201fb3269edd418857de1b39a4e4a44b92fa484caa722c228288f01d0c03a2c3d667646f6354797065756f72672e69736f2e31383031332e352e312e6d444c6c76616c6964697479496e666fa3667369676e6564c074323032302d31302d30315431333a33303a30325a6976616c696446726f6dc074323032302d31302d30315431333a33303a30325a6a76616c6964556e74696cc074323032312d31302d30315431333a33303a30325a', 159 | h'cff12c17d4739aba806035a9cb2b34ae8a830cef4f329289f9a3ebd302dd6b99c584068257569397b92ba9aa5128554eb05d1273dafea313da4aff6b01a5fb3f', 160 | ], 161 | }, 162 | "deviceSigned": { 163 | "nameSpaces": 24_0(<<{}>>), 164 | "deviceAuth": { 165 | "deviceMac": [ 166 | h'a10105', 167 | {}, 168 | null, 169 | h'200d73ded787c64652dc8ee743ea83a5260d5a3283fddc919b7b9cfb486addb2', 170 | ], 171 | }, 172 | }, 173 | }, 174 | ], 175 | "status": 0, 176 | } 177 | 178 | ```` 179 | 180 | #### `issuerAuth` with TAG 33 181 | 182 | The `x5chain` element has the temporary identifer 33 registered in the IANA registry. 183 | 184 | Please note: ISO 18013-5 uses draft not standards yet, like: 185 | 186 | - draft-ietf-cbor-date-tag-01 -> became an RFC here: https://www.rfc-editor.org/rfc/rfc8943.html 187 | - draft-ietf-cose-x509-08 188 | 189 | 190 | #### 9.3 Validation and inspection procedures 191 | 192 | 1. Validate the certificate included in the MSO header according to Clause 9.3.3. 193 | 2. Verify the digital signature of the IssuerAuth structure (see Clause 9.1.2.4) using the 194 | working_public_key, working_public_key_parameters, and working_public_key_algorithm from 195 | the certificate validation procedure of step 1. 196 | 3. Calculate the digest value for every IssuerSignedItem returned in the DeviceResponse 197 | structure according to Clause 9.1.2.5 and verify that these calculated digests equal the 198 | corresponding digest values in the MSO. 199 | 4. Verify that the DocType in the MSO matches the relevant DocType in the Documents structure. 200 | 5. Validate the elements in the ValidityInfo structure, i.e. verify that 201 | - the 'signed' date is within the validity period of the certificate in the MSO header; 202 | - the current timestamp shall be equal or later than the ‘validFrom’ element; 203 | - the 'validUntil' element shall be equal or later than the current timestamp 204 | 205 | #### Validation example 206 | 207 | > The X509 Certificates MUST be validated alone, expiration, revocation, using python cryptography x509. 208 | In the example below the certificate is invalid since it is expired 209 | 210 | ```` 211 | import binascii 212 | import cbor2 213 | 214 | from pycose.keys import EC2Key, CoseKey 215 | from pycose.messages import Sign1Message 216 | 217 | 218 | BIN_ISSUED_MDOC = binascii.unhexlify(ISSUED_MDOC) 219 | do = cbor2.loads(BIN_ISSUED_MDOC) 220 | 221 | # do 222 | # {'version': '1.0', 'documents': ..., 'status': 0} 223 | 224 | # here the mDocs 225 | do['documents'] 226 | 227 | # do['documents'][0].keys() 228 | # dict_keys(['docType', 'issuerSigned', 'deviceSigned'] 229 | 230 | # {'docType': 'org.iso.18013.5.1.mDL', 'issuerSigned': {'nameSpaces': {'org.iso.18013.5.1': [ ...], }, 'issuerAuth': ...} 231 | 232 | # do['documents'][0]['issuerSigned']['nameSpaces']['org.iso.18013.5.1'][1] 233 | # CBORTag(24, b'\xa4hdigestID\x03frandomX \xb2?b~\x89\x99\xc7\x06\xdf\x0c\nN\xd9\x8a\xd7J\xf9\x88\xafa\x9bK\xb0x\xb8\x90XU?Da]qelementIdentifierjissue_datelelementValue\xd9\x03\xecj2019-10-20 234 | 235 | # here the MSO of the first document 236 | ia = do['documents'][0]['issuerSigned']['issuerAuth'] 237 | 238 | key = CoseKey.from_dict(cbor2.loads(cbor2.loads(ia[2]).value)['deviceKeyInfo']['deviceKey']) 239 | 240 | # TAG 18 identifies the COSE_Sign1 objects 241 | 242 | # TAG18 = b'\xd2' 243 | # decoded = Sign1Message.decode(TAG18 + b'\x84C\xa1\x01&' + BIN_ISSUED_MDOC.split(b'\x84C\xa1\x01&')[1].split(b'ldeviceSigned')[0]) 244 | 245 | # OR BETTER 246 | decoded = Sign1Message.decode(cbor2.dumps(cbor2.CBORTag(18, value=ia))) 247 | # decoded.key = key 248 | # decoded.verify_signature() 249 | 250 | # x509 certificate chain is here 251 | decoded.uhdr 252 | 253 | # Validate the X509 certificate chain -> its's not a chain but a single certificate in this example, then this won't work 254 | from certvalidator import CertificateValidator 255 | cert_validator = CertificateValidator(list(decoded.uhdr.values())[0]) 256 | cert_validator.validate_usage({'digital_signature'}) 257 | 258 | # get the public key after having validated the chain 259 | import cryptography 260 | der_certificate = cryptography.x509.load_der_x509_certificate(list(decoded.uhdr.values())[0]) 261 | 262 | # 263 | _key = der_certificates.public_key() 264 | 265 | # PEM format 266 | # der_certificates.public_bytes(encoding=cryptography.hazmat.primitives.serialization.Encoding.PEM) 267 | 268 | # using CWT for kwy (unfortunately it doesn't support cbor Tag24) 269 | # import cwt 270 | # from cwt import Claims, COSEKey 271 | # public_key = COSEKey.from_pem(pem, kid="issuer-01") 272 | # 273 | 274 | COSEKEY_HAZMAT_CRV_MAP = { 275 | "secp256r1": "P_256" 276 | } 277 | 278 | 279 | # since _key.curve.name == secp256r1 280 | key = EC2Key(crv=COSEKEY_HAZMAT_CRV_MAP[_key.curve.name], x=_key.public_numbers().x.to_bytes(32, 'big')) 281 | 282 | decoded.key = key 283 | decoded.verify_signature() 284 | ```` 285 | 286 | 287 | -------------------------------------------------------------------------------- /docs/MSO.md: -------------------------------------------------------------------------------- 1 | # Mobile Security Object 2 | 3 | The MSO is encapsulated and signed by the untagged COSE_Sign1 structure 4 | as defined in RFC 8152 and identified as “IssuerAuth” in 8.2.1.1.2.2. 5 | Within the COSE_Sign1 structure, the ‘payload’ shall be the 6 | ‘MobileSecurityObject’ structure. The ‘external_aad’ field used in 7 | the ‘Sig_structure’ shall be a bytestring of size zero. 8 | 9 | 10 | The MSO has the following CDDL structure: 11 | 12 | ```` 13 | MobileSecurityObject = { 14 | "digestAlgorithm" : tstr, ; Message digest algorithm used "valueDigests" : ValueDigests, ; Array of digests of all data elements "deviceKey" : DeviceKey, 15 | "docType" : tstr, ; DocType as used in Documents "validityInfo" : ValidityInfo 16 | } 17 | DeviceKey = COSE_Key ; Device key in COSE_Key as defined in RFC 8152 18 | ValueDigests = { 19 | "nameSpaces" : NameSpacesDigests 20 | } 21 | NameSpacesDigests = { 22 | + NameSpace => DigestIDs 23 | } 24 | DigestIDs = { 25 | + DigestID => Digest 26 | } 27 | ValidityInfo = { 28 | "signed" : tdate, 29 | "validFrom" : tdate, 30 | "validUntil" : tdate, 31 | ? "expectedUpdate" : tdate 32 | } 33 | ```` 34 | 35 | 36 | The ‘digestAlgorithm’ and ‘valueDigests’ are the digest algorithm identifier 37 | and the digests of the data elements. 38 | 39 | 40 | The ‘deviceKey’ is the public key pair used for authentication. 41 | The ‘deviceKey’ element is encoded as an untagged COSE_Key 42 | element as specified in RFC 8152. 43 | 44 | 45 | The ‘ValidityInfo’ structure contains information related to 46 | the validity of the MSO and its signature. 47 | 48 | 49 | The “alg” element (RFC 8152) shall be included as an element in the 50 | protected header. Other elements should not be present in the protected header. 51 | 52 | 53 | The DS certificate shall be included as a ‘x5chain’ element as described 54 | in “draft-ietf-cose-x509-04”. It shall be included as an 55 | unprotected header element. 56 | 57 | 58 | The input for the digest function is the binary data of the IssuerSignedItem. 59 | Each IssuerSignedItem also contains a random value. 60 | This value shall be different for each IssuerSignedItem and 61 | shall have a minimum length of 16 bytes. 62 | 63 | 64 | The mDL private key, which belongs to the mDL public key stored in 65 | the MSO, is used to authenticate the mDL. 66 | It is also used to authenticate the response data contained in the 67 | DeviceSignedItems structure. 68 | 69 | 70 | ## Presenter Authentication 71 | 72 | The mDL authentication key pair consists of a public and a private key 73 | (SDeviceKey.Priv, SDeviceKey. Pub). The public key is accessible 74 | through the DeviceKey element in the MSO. 75 | 76 | 77 | 78 | -------------------------------------------------------------------------------- /docs/NOTES_ON_KEYS.md: -------------------------------------------------------------------------------- 1 | # here some trials to have a publick raw key usable in phdr or uhdr 2 | # but, again, it seems that only x509 works for COSE Sign1 3 | 4 | ``` 5 | ckey = COSEKey.from_bytes(self.private_key.encode()) 6 | pubkey = ckey.key.public_key() 7 | self.public_key = CoseKey( 8 | crv=COSEKEY_HAZMAT_CRV_MAP[pubkey.curve.name], 9 | x=pubkey.public_numbers().x.to_bytes(32, 'big') 10 | ) 11 | 12 | self.public_key = COSEKey( 13 | crv=self.private_key.crv, 14 | x=self.private_key.x, 15 | y=self.private_key.y 16 | ) 17 | ``` 18 | -------------------------------------------------------------------------------- /examples/it_data_model.py: -------------------------------------------------------------------------------- 1 | import cbor2 2 | import os 3 | 4 | from pymdoccbor.mdoc.issuer import MdocCborIssuer 5 | 6 | PKEY = { 7 | 'KTY': 'EC2', 8 | 'CURVE': 'P_256', 9 | 'ALG': 'ES256', 10 | 'D': os.urandom(32), 11 | 'KID': b"demo-kid" 12 | } 13 | 14 | PID_DATA = { 15 | "org.iso.18013.5.1": { 16 | "expiry_date": "2024-02-22", 17 | "issue_date": "2023-11-14", 18 | "issuing_country": "IT", 19 | "issuing_authority": "Gli amici della Salaria", 20 | "family_name": "Rossi", 21 | "given_name": "Mario", 22 | "birth_date": "1956-01-12", 23 | "document_number": "XX1234567", 24 | "portrait": b'\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00\x90\x00\x90\x00\x00\xff\xdb\x00C\x00\x13\r\x0e\x11\x0e\x0c\x13\x11\x0f\x11\x15\x14\x13\x17\x1d0\x1f\x1d\x1a\x1a\x1d:*,#0E=IGD=CALVm]LQhRAC_\x82`hqu{|{J\\\x86\x90\x85w\x8fmx{v\xff\xdb\x00C\x01\x14\x15\x15\x1d\x19\x1d8\x1f\x1f8vOCOvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv\xff\xc0\x00\x11\x08\x00\x18\x00d\x03\x01"\x00\x02\x11\x01\x03\x11\x01\xff\xc4\x00\x1b\x00\x00\x03\x01\x00\x03\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x06\x04\x01\x02\x03\x07\xff\xc4\x002\x10\x00\x01\x03\x03\x03\x02\x05\x02\x03\t\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x00\x05\x11\x06\x12!\x131\x14\x15Qaq"A\x07\x81\xa1\x165BRs\x91\xb2\xc1\xf1\xff\xc4\x00\x15\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xff\xc4\x00\x1a\x11\x01\x01\x01\x00\x03\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01A\x11!1a\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00?\x00\xa5\xbb\xde"\xda#)\xc7\xd6\x92\xbc}\r\x03\xf5,\xfb\x0f\xf7^z~\xf3\xe7p\x97#\xa1\xd0\xda\xe1F\xdd\xfb\xb3\xc09\xce\x07\xad+\xd4z~2\xdb\xb8\xdd\x1dR\xd6\xefK(Od\xa4\x80\x06}\xfbQ\xf8\x7f\xfb\x95\xff\x00\xeb\x9f\xf1M!]\xe6j\xf0\x89\xceD\xb7\xdb\xde\x9c\xb6\x89\n(8\xed\xdf\x18\x07\x8fz\xddb\xd4\x11\xefM\xb9\xb1\ne\xd6\xb9Z\x14s\x81\xea\rI[\x932u\xfek\xbau\xc1\x14\x10J\x8b\xa4\x10A>\x98=\xff\x00OZ\xf5\xd3KKL\xdec-\x0b\xf1\xfd\x15\x92\xbd\xd9\x1cd\x11\xf3\x93L/\xa6\xafkT\x97]\x10m\xcfJe\xaeV\xe8V\x00\x1e\xbc\x03\xc7\xce)\xdd\x9e\xef\x1e\xf1\x0f\xc4G\xdc\x9d\xa7j\xd2\xae\xe957\xa1\xba~Op\xdd\x8e\xff\x00W\xc6\xdf\xfb^\x1a\x19\x85J\x83u\x8eTR\x87P\x94n\xc6pHP\xcd\x03{\xce\xb0\x8bm},\xc7m3\x17\xfc{\\\xc0O\xb6pri\xc5\xc6\xe0\xc5\xb6\n\xe5I$!#\xb0\xe4\x93\xf6\x02\xa0uU\x9e5\x99p\xd9\x8d\xb8\x95%EkQ\xc9Q\xc8\xaf\xa1>\xa8\xe9\x8e\x89Q\xdb}\xa3\x96\xdcHRO\xb1\xa8\xbda\x1aZ\xa2\xa2C/0\xabB\nzm2@\xc7\x18\xcf\x03\x1f\xa9\xefL\x9a\xd5P Z\xa0)Q\xdfJ\x1dl\x84!\xb0\x15\xb7i\xdb\x8c\x92)\x83~\xa2\xbe\x8b\x1b\r9\xd0\xeb\xa9\xc5\x14\x84\xef\xdb\x8c\x0e\xfd\x8d%\x8d\xaf\t\xd1\xa2\x14P\x96\x1c\xbb>\xa8\xa9VC;x\x1f\x1c\xe3=\xfe\xd5O\x0e+P\xa2\xb7\x1d\x84\xedm\xb1\x80(\xa2\x81u\xf7O\xc6\xbd\xa1\x05\xc5)\xa7\x91\xc2\\O dict: 81 | """ 82 | create a new mdoc with signed mso 83 | 84 | :param data: dict: data to be signed 85 | :param doctype: str: document type 86 | :param validity: dict: validity info 87 | :param devicekeyinfo: Union[dict, CoseKey, str]: device key info 88 | :param cert_path: str: path to the certificate 89 | :param revocation: dict: revocation status dict it may include status_list and identifier_list keys 90 | :param status: dict: status dict that includes the status list's uri and the idx following the "https://datatracker.ietf.org/doc/draft-ietf-oauth-status-list" specification 91 | 92 | :return: dict: signed mdoc 93 | """ 94 | if isinstance(devicekeyinfo, dict): 95 | devicekeyinfoCoseKeyObject = CoseKey.from_dict(devicekeyinfo) 96 | devicekeyinfo = { 97 | 1: devicekeyinfoCoseKeyObject.kty.identifier, 98 | -1: devicekeyinfoCoseKeyObject.crv.identifier, 99 | -2: devicekeyinfoCoseKeyObject.x, 100 | -3: devicekeyinfoCoseKeyObject.y, 101 | } 102 | if isinstance(devicekeyinfo, str): 103 | device_key_bytes = base64.urlsafe_b64decode(devicekeyinfo.encode("utf-8")) 104 | public_key:EllipticCurvePublicKey = serialization.load_pem_public_key(device_key_bytes) 105 | curve_name = public_key.curve.name 106 | curve_map = { 107 | "secp256r1": 1, # NIST P-256 108 | "secp384r1": 2, # NIST P-384 109 | "secp521r1": 3, # NIST P-521 110 | "brainpoolP256r1": 8, # Brainpool P-256 111 | "brainpoolP384r1": 9, # Brainpool P-384 112 | "brainpoolP512r1": 10, # Brainpool P-512 113 | # Add more curve mappings as needed 114 | } 115 | curve_identifier = curve_map.get(curve_name) 116 | 117 | # Extract the x and y coordinates from the public key 118 | x = public_key.public_numbers().x.to_bytes( 119 | (public_key.public_numbers().x.bit_length() + 7) 120 | // 8, # Number of bytes needed 121 | "big", # Byte order 122 | ) 123 | 124 | y = public_key.public_numbers().y.to_bytes( 125 | (public_key.public_numbers().y.bit_length() + 7) 126 | // 8, # Number of bytes needed 127 | "big", # Byte order 128 | ) 129 | 130 | devicekeyinfo = { 131 | 1: 2, 132 | -1: curve_identifier, 133 | -2: x, 134 | -3: y, 135 | } 136 | 137 | else: 138 | devicekeyinfo: CoseKey = devicekeyinfo 139 | 140 | if self.hsm: 141 | msoi = MsoIssuer( 142 | data=data, 143 | cert_path=cert_path, 144 | hsm=self.hsm, 145 | key_label=self.key_label, 146 | user_pin=self.user_pin, 147 | lib_path=self.lib_path, 148 | slot_id=self.slot_id, 149 | alg=self.alg, 150 | kid=self.kid, 151 | validity=validity, 152 | revocation=revocation 153 | ) 154 | 155 | else: 156 | msoi = MsoIssuer( 157 | data=data, 158 | private_key=self.private_key, 159 | alg=self.alg, 160 | cert_path=cert_path, 161 | validity=validity, 162 | revocation=revocation 163 | ) 164 | 165 | mso = msoi.sign(doctype=doctype, device_key=devicekeyinfo,valid_from=datetime.now(timezone.utc)) 166 | 167 | mso_cbor = mso.encode( 168 | tag=False, 169 | hsm=self.hsm, 170 | key_label=self.key_label, 171 | user_pin=self.user_pin, 172 | lib_path=self.lib_path, 173 | slot_id=self.slot_id, 174 | ) 175 | 176 | 177 | res = { 178 | "version": self.version, 179 | "documents": [ 180 | { 181 | "docType": doctype, # 'org.iso.18013.5.1.mDL' 182 | "issuerSigned": { 183 | "nameSpaces": { 184 | ns: [v for k, v in dgst.items()] 185 | for ns, dgst in msoi.disclosure_map.items() 186 | }, 187 | "issuerAuth": cbor2.decoder.loads(mso_cbor), 188 | }, 189 | } 190 | ], 191 | "status": self.status, 192 | } 193 | 194 | if status: 195 | if not "status_list" in status: 196 | raise InvalidStatusDescriptor("status_list is required") 197 | 198 | if not "uri" in status["status_list"]: 199 | raise InvalidStatusDescriptor("uri is required") 200 | if not "idx" in status["status_list"]: 201 | raise InvalidStatusDescriptor("idx is required") 202 | 203 | res["status"] = status 204 | 205 | logger.debug(f"MSO diagnostic notation: {cbor2diag(mso_cbor)}") 206 | 207 | self.signed = res 208 | return self.signed 209 | 210 | def dump(self) -> bytes: 211 | """ 212 | Returns the CBOR representation of the signed mdoc 213 | 214 | :return: bytes: CBOR representation of the signed mdoc 215 | """ 216 | return cbor2.dumps(self.signed, canonical=True) 217 | 218 | def dumps(self) -> bytes: 219 | """ 220 | Returns the AF binary representation of the signed mdoc 221 | 222 | :return: bytes: AF binary representation of the signed mdoc 223 | """ 224 | return binascii.hexlify(cbor2.dumps(self.signed, canonical=True)) 225 | -------------------------------------------------------------------------------- /pymdoccbor/mdoc/issuersigned.py: -------------------------------------------------------------------------------- 1 | import cbor2 2 | from typing import Union 3 | 4 | from pymdoccbor.mso.verifier import MsoVerifier 5 | 6 | class IssuerSigned: 7 | """ 8 | nameSpaces provides the definition within which the data elements of 9 | the document are defined. 10 | A document may have multiple nameSpaces. 11 | 12 | IssuerAuth is a COSE_Sign1 ; The payload is the MobileSecurityObject, 13 | see ISO 18013-5 section 9.2.2.4 14 | 15 | issuerAuth is a list of [ 16 | cbor({1: -7}) # Protected Header, find -7 17 | here https://datatracker.ietf.org/doc/html/rfc8152 18 | cbor({33: bytes}) # Unprotected Header containing X509 certificate 19 | cbor({24: bytes}) # Payload -> Mobile Security Object 20 | bytes # Signature 21 | ] 22 | """ 23 | 24 | def __init__(self, nameSpaces: dict, issuerAuth: Union[cbor2.CBORTag, dict, bytes]) -> None: 25 | """ 26 | Initialize the IssuerSigned object 27 | 28 | :param nameSpaces: dict: the nameSpaces of the document 29 | :param issuerAuth: Union[dict, bytes]: the issuerAuth info of the document 30 | """ 31 | 32 | self.namespaces: dict = nameSpaces 33 | 34 | if not issuerAuth: 35 | raise ValueError("issuerAuth must be provided") 36 | 37 | # if isinstance(ia, dict): 38 | self.issuer_auth = MsoVerifier(issuerAuth) 39 | 40 | def dump(self) -> dict: 41 | """ 42 | It returns the issuerSigned as a dict 43 | 44 | :return: dict: the issuerSigned as a dict 45 | """ 46 | 47 | return { 48 | 'nameSpaces': self.namespaces, 49 | 'issuerAuth': self.issuer_auth 50 | } 51 | 52 | def dumps(self) -> bytes: 53 | """ 54 | It returns the issuerSigned as bytes 55 | 56 | :return: dict: the issuerSigned as bytes 57 | """ 58 | 59 | return cbor2.dumps( 60 | { 61 | 'nameSpaces': self.namespaces, 62 | 'issuerAuth': self.issuer_auth.payload_as_cbor 63 | } 64 | ) 65 | -------------------------------------------------------------------------------- /pymdoccbor/mdoc/verifier.py: -------------------------------------------------------------------------------- 1 | import binascii 2 | import cbor2 3 | import logging 4 | 5 | from typing import List 6 | 7 | from pymdoccbor.exceptions import InvalidMdoc 8 | from pymdoccbor.mdoc.issuersigned import IssuerSigned 9 | from pymdoccbor.mdoc.exceptions import NoDocumentTypeProvided, NoSignedDocumentProvided 10 | 11 | logger = logging.getLogger('pymdoccbor') 12 | 13 | 14 | class MobileDocument: 15 | """ 16 | MobileDocument class to handle the Mobile Document 17 | """ 18 | 19 | _states = { 20 | True: "valid", 21 | False: "failed", 22 | } 23 | 24 | def __init__(self, docType: str, issuerSigned: dict, deviceSigned: dict = {}) -> None: 25 | """ 26 | Initialize the MobileDocument object 27 | 28 | :param docType: str: the document type 29 | :param issuerSigned: dict: the issuerSigned info 30 | :param deviceSigned: dict: the deviceSigned info 31 | """ 32 | 33 | if not docType: 34 | raise NoDocumentTypeProvided("You must provide a document type") 35 | 36 | self.doctype: str = docType # eg: 'org.iso.18013.5.1.mDL' 37 | 38 | if not issuerSigned: 39 | raise NoSignedDocumentProvided("You must provide a signed document") 40 | 41 | self.issuersigned: List[IssuerSigned] = IssuerSigned(**issuerSigned) 42 | self.is_valid = False 43 | self.devicesigned: dict = deviceSigned 44 | 45 | def dump(self) -> dict: 46 | """ 47 | It returns the document as a dict 48 | 49 | :return: dict: the document as a dict 50 | """ 51 | return { 52 | 'docType': self.doctype, 53 | 'issuerSigned': self.issuersigned.dump() 54 | } 55 | 56 | def dumps(self) -> bytes: 57 | """ 58 | It returns the AF binary repr as bytes 59 | 60 | :return: bytes: the document as bytes 61 | """ 62 | return binascii.hexlify(self.dump()) 63 | 64 | def dump(self) -> bytes: 65 | """ 66 | It returns the document as bytes 67 | 68 | :return: dict: the document as bytes 69 | """ 70 | return cbor2.dumps( 71 | cbor2.CBORTag( 72 | 24, 73 | value={ 74 | 'docType': self.doctype, 75 | 'issuerSigned': self.issuersigned.dumps() 76 | } 77 | ) 78 | ) 79 | 80 | def verify(self) -> bool: 81 | """ 82 | Verify the document signature 83 | 84 | :return: bool: True if the signature is valid, False otherwise 85 | """ 86 | self.is_valid = self.issuersigned.issuer_auth.verify_signature() 87 | return self.is_valid 88 | 89 | def __repr__(self) -> str: 90 | return f"{self.__module__}.{self.__class__.__name__} [{self._states[self.is_valid]}]" 91 | 92 | 93 | class MdocCbor: 94 | """ 95 | MdocCbor class to handle the Mobile Document 96 | """ 97 | 98 | def __init__(self) -> None: 99 | """ 100 | Initialize the MdocCbor object 101 | """ 102 | self.data_as_bytes: bytes = b"" 103 | self.data_as_cbor_dict: dict = {} 104 | 105 | self.documents: List[MobileDocument] = [] 106 | self.documents_invalid: list = [] 107 | self.disclosure_map: dict = {} 108 | 109 | def loads(self, data: str) -> None: 110 | """ 111 | Load the data from a AF Binary string 112 | 113 | :param data: str: the AF binary string 114 | """ 115 | if isinstance(data, bytes): 116 | data = binascii.hexlify(data) 117 | 118 | self.data_as_bytes = binascii.unhexlify(data) 119 | self.data_as_cbor_dict = cbor2.loads(self.data_as_bytes) 120 | 121 | def dump(self) -> bytes: 122 | """ 123 | Returns the CBOR representation of the mdoc as bytes 124 | """ 125 | return self.data_as_bytes 126 | 127 | def dumps(self) -> bytes: 128 | """ 129 | Returns the AF binary representation of the mdoc as bytes 130 | 131 | :return: bytes: the AF binary representation of the mdoc 132 | """ 133 | return binascii.hexlify(self.data_as_bytes) 134 | 135 | @property 136 | def data_as_string(self) -> str: 137 | return self.dumps().decode() 138 | 139 | def _decode_claims(self, claims: list[dict]) -> dict: 140 | decoded_claims = {} 141 | 142 | for claim in claims: 143 | decoded = cbor2.loads(claim.value) 144 | 145 | if isinstance(decoded['elementValue'], cbor2.CBORTag): 146 | decoded_claims[decoded['elementIdentifier']] = decoded['elementValue'].value 147 | elif isinstance(decoded['elementValue'], list): 148 | claims_list = [] 149 | 150 | for element in decoded['elementValue']: 151 | claims_dict = {} 152 | for key, value in element.items(): 153 | if isinstance(value, cbor2.CBORTag): 154 | claims_dict[key] = value.value 155 | else: 156 | claims_dict[key] = value 157 | claims_list.append(claims_dict) 158 | 159 | decoded_claims[decoded['elementIdentifier']] = claims_list 160 | else: 161 | decoded_claims[decoded['elementIdentifier']] = decoded['elementValue'] 162 | 163 | return decoded_claims 164 | 165 | 166 | def verify(self) -> bool: 167 | """" 168 | Verify signatures of all documents contained in the mdoc 169 | 170 | :return: bool: True if all signatures are valid, False otherwise 171 | """ 172 | 173 | cdict = self.data_as_cbor_dict 174 | 175 | for i in ('version', 'documents'): 176 | if i not in cdict: 177 | raise InvalidMdoc( 178 | f"Mdoc is invalid since it doesn't contain the '{i}' element" 179 | ) 180 | 181 | doc_cnt = 1 182 | for doc in cdict['documents']: 183 | mso = MobileDocument(**doc) 184 | 185 | try: 186 | if mso.verify(): 187 | self.documents.append(mso) 188 | else: 189 | self.documents_invalid.append(mso) 190 | 191 | for namespace, claims in mso.issuersigned.namespaces.items(): 192 | self.disclosure_map[namespace] = self._decode_claims(claims) 193 | 194 | except Exception as e: 195 | logger.error( 196 | f"COSE Sign1 validation failed to the document number #{doc_cnt}. " 197 | f"Then it is appended to self.documents_invalid: {e}" 198 | ) 199 | self.documents_invalid.append(doc) 200 | 201 | doc_cnt += 1 202 | 203 | self.status = cdict.get('status', None) 204 | 205 | return False if self.documents_invalid else True 206 | 207 | def __repr__(self) -> str: 208 | return ( 209 | f"{self.__module__}.{self.__class__.__name__} " 210 | f"[{len(self.documents)} valid documents]" 211 | ) 212 | -------------------------------------------------------------------------------- /pymdoccbor/mso/__init__.py: -------------------------------------------------------------------------------- 1 | __version__ = "0.4.1" 2 | -------------------------------------------------------------------------------- /pymdoccbor/mso/issuer.py: -------------------------------------------------------------------------------- 1 | import cbor2 2 | import datetime 3 | import hashlib 4 | import secrets 5 | import uuid 6 | import logging 7 | 8 | logger = logging.getLogger("pymdoccbor") 9 | 10 | from pycose.headers import Algorithm #, KID 11 | from pycose.keys import CoseKey, EC2Key 12 | from pycose.messages import Sign1Message 13 | 14 | from typing import Union 15 | 16 | from pymdoccbor.exceptions import MsoPrivateKeyRequired 17 | from pymdoccbor import settings 18 | from pymdoccbor.x509 import MsoX509Fabric 19 | from pymdoccbor.tools import shuffle_dict 20 | from cryptography import x509 21 | from cryptography.hazmat.primitives import serialization 22 | from cryptography.x509 import Certificate 23 | 24 | 25 | from cbor_diag import * 26 | 27 | 28 | class MsoIssuer(MsoX509Fabric): 29 | """ 30 | MsoIssuer helper class to create a new mso 31 | """ 32 | 33 | def __init__( 34 | self, 35 | data: dict, 36 | validity: dict, 37 | cert_path: str = None, 38 | key_label: str = None, 39 | user_pin: str = None, 40 | lib_path: str = None, 41 | slot_id: int = None, 42 | kid: str = None, 43 | alg: str = None, 44 | hsm: bool = False, 45 | private_key: Union[dict, CoseKey] = None, 46 | digest_alg: str = settings.PYMDOC_HASHALG, 47 | revocation: dict = None 48 | ) -> None: 49 | """ 50 | Initialize a new MsoIssuer 51 | 52 | :param data: dict: the data to sign 53 | :param validity: validity: the validity info of the mso 54 | :param cert_path: str: the path to the certificate 55 | :param key_label: str: key label 56 | :param user_pin: str: user pin 57 | :param lib_path: str: path to the library cryptographic library 58 | :param slot_id: int: slot id 59 | :param kid: str: key id 60 | :param alg: str: hashig algorithm 61 | :param hsm: bool: hardware security module 62 | :param private_key: Union[dict, CoseKey]: the signing key 63 | :param digest_alg: str: the digest algorithm 64 | :param revocation: dict: revocation status dict to include in the mso, it may include status_list and identifier_list keys 65 | """ 66 | 67 | if not hsm: 68 | if private_key: 69 | if isinstance(private_key, dict): 70 | self.private_key = CoseKey.from_dict(private_key) 71 | if not self.private_key.kid: 72 | self.private_key.kid = str(uuid.uuid4()) 73 | elif isinstance(private_key, CoseKey): 74 | self.private_key = private_key 75 | else: 76 | raise ValueError("private_key must be a dict or CoseKey object") 77 | else: 78 | raise MsoPrivateKeyRequired("MSO Writer requires a valid private key") 79 | 80 | if not validity: 81 | raise ValueError("validity must be present") 82 | 83 | if not alg: 84 | raise ValueError("alg must be present") 85 | 86 | self.data: dict = data 87 | self.hash_map: dict = {} 88 | self.cert_path = cert_path 89 | self.disclosure_map: dict = {} 90 | self.digest_alg: str = digest_alg 91 | self.key_label = key_label 92 | self.user_pin = user_pin 93 | self.lib_path = lib_path 94 | self.slot_id = slot_id 95 | self.hsm = hsm 96 | self.alg = alg 97 | self.kid = kid 98 | self.validity = validity 99 | self.revocation = revocation 100 | 101 | alg_map = {"ES256": "sha256", "ES384": "sha384", "ES512": "sha512"} 102 | 103 | hashfunc = getattr(hashlib, alg_map.get(self.alg)) 104 | 105 | digest_cnt = 0 106 | for ns, values in data.items(): 107 | self.disclosure_map[ns] = {} 108 | self.hash_map[ns] = {} 109 | for k, v in shuffle_dict(values).items(): 110 | _rnd_salt = secrets.token_bytes(settings.DIGEST_SALT_LENGTH) 111 | 112 | _value_cbortag = settings.CBORTAGS_ATTR_MAP.get(k, None) 113 | 114 | if _value_cbortag: 115 | v = cbor2.CBORTag(_value_cbortag, value=v) 116 | 117 | if isinstance(v, dict): 118 | for k2, v2 in v.items(): 119 | _value_cbortag = settings.CBORTAGS_ATTR_MAP.get(k2, None) 120 | if _value_cbortag: 121 | v[k2] = cbor2.CBORTag(_value_cbortag, value=v2) 122 | 123 | if isinstance(v, list) and k != "nationality": 124 | for item in v: 125 | for k2, v2 in item.items(): 126 | _value_cbortag = settings.CBORTAGS_ATTR_MAP.get(k2, None) 127 | if _value_cbortag: 128 | item[k2] = cbor2.CBORTag(_value_cbortag, value=v2) 129 | 130 | self.disclosure_map[ns][digest_cnt] = cbor2.CBORTag( 131 | 24, 132 | value=cbor2.dumps( 133 | { 134 | "digestID": digest_cnt, 135 | "random": _rnd_salt, 136 | "elementIdentifier": k, 137 | "elementValue": v, 138 | }, 139 | canonical=True, 140 | ), 141 | ) 142 | 143 | self.hash_map[ns][digest_cnt] = hashfunc( 144 | cbor2.dumps(self.disclosure_map[ns][digest_cnt], canonical=True) 145 | ).digest() 146 | 147 | digest_cnt += 1 148 | 149 | def format_datetime_repr(self, dt: datetime.datetime) -> str: 150 | """ 151 | Format a datetime object to a string 152 | 153 | :param dt: datetime.datetime: the datetime object 154 | :return: str: the formatted string 155 | """ 156 | return dt.isoformat().split(".")[0] + "Z" 157 | 158 | def sign( 159 | self, 160 | device_key: Union[dict, None] = None, 161 | valid_from: Union[None, datetime.datetime] = None, 162 | doctype: str = None, 163 | ) -> Sign1Message: 164 | """ 165 | Sign a mso and returns it 166 | 167 | :param device_key: Union[dict, None]: the device key 168 | :param valid_from: Union[None, datetime.datetime]: the valid from date 169 | :param doctype: str: the document type 170 | 171 | :return: Sign1Message: the signed mso 172 | """ 173 | 174 | utcnow = datetime.datetime.utcnow() 175 | valid_from = datetime.datetime.strptime( 176 | self.validity["issuance_date"], "%Y-%m-%d" 177 | ) 178 | 179 | if settings.PYMDOC_EXP_DELTA_HOURS: 180 | exp = utcnow + datetime.timedelta(hours=settings.PYMDOC_EXP_DELTA_HOURS) 181 | else: 182 | # five years 183 | exp = datetime.datetime.strptime(self.validity["expiry_date"], "%Y-%m-%d") 184 | # exp = utcnow + datetime.timedelta(hours=(24 * 365) * 5) 185 | 186 | if utcnow > valid_from: 187 | valid_from = utcnow 188 | 189 | alg_map = {"ES256": "SHA-256", "ES384": "SHA-384", "ES512": "SHA-512"} 190 | 191 | payload = { 192 | "docType": doctype or list(self.hash_map)[0], 193 | "version": "1.0", 194 | "validityInfo": { 195 | "signed": cbor2.CBORTag(0, self.format_datetime_repr(utcnow)), 196 | "validFrom": cbor2.CBORTag( 197 | 0, self.format_datetime_repr(valid_from or utcnow) 198 | ), 199 | "validUntil": cbor2.CBORTag(0, self.format_datetime_repr(exp)), 200 | }, 201 | "valueDigests": self.hash_map, 202 | "deviceKeyInfo": { 203 | "deviceKey": device_key, 204 | }, 205 | "digestAlgorithm": alg_map.get(self.alg) 206 | } 207 | if self.revocation is not None: 208 | payload.update({"status": self.revocation}) 209 | 210 | if self.cert_path: 211 | # Try to load the certificate file 212 | with open(self.cert_path, "rb") as file: 213 | certificate = file.read() 214 | _parsed_cert: Union[Certificate, None] = None 215 | try: 216 | _parsed_cert = x509.load_pem_x509_certificate(certificate) 217 | except Exception as e: 218 | logger.error(f"Certificate at {self.cert_path} could not be loaded as PEM, trying DER") 219 | 220 | if not _parsed_cert: 221 | try: 222 | _parsed_cert = x509.load_der_x509_certificate(certificate) 223 | except Exception as e: 224 | _err_msg = f"Certificate at {self.cert_path} could not be loaded as DER" 225 | logger.error(_err_msg) 226 | 227 | if _parsed_cert: 228 | cert = _parsed_cert 229 | else: 230 | raise Exception(f"Certificate at {self.cert_path} failed parse") 231 | _cert = cert.public_bytes(getattr(serialization.Encoding, "DER")) 232 | else: 233 | _cert = self.selfsigned_x509cert() 234 | 235 | if self.hsm: 236 | # print("payload diganostic notation: \n",cbor2diag(cbor2.dumps(cbor2.CBORTag(24, cbor2.dumps(payload))))) 237 | 238 | mso = Sign1Message( 239 | phdr={ 240 | Algorithm: self.alg, 241 | # 33: _cert 242 | }, 243 | # TODO: x509 (cbor2.CBORTag(33)) and federation trust_chain support (cbor2.CBORTag(27?)) here 244 | # 33 means x509chain standing to rfc9360 245 | # in both protected and unprotected for interop purpose .. for now. 246 | uhdr={33: _cert}, 247 | payload=cbor2.dumps( 248 | cbor2.CBORTag(24, cbor2.dumps(payload, canonical=True)), 249 | canonical=True, 250 | ), 251 | ) 252 | 253 | else: 254 | logger.debug("payload diagnostic notation: {cbor2diag(cbor2.dumps(cbor2.CBORTag(24,cbor2.dumps(payload))))}") 255 | 256 | mso = Sign1Message( 257 | phdr={ 258 | Algorithm: self.private_key.alg, 259 | # KID: self.private_key.kid, 260 | # 33: _cert 261 | }, 262 | # TODO: x509 (cbor2.CBORTag(33)) and federation trust_chain support (cbor2.CBORTag(27?)) here 263 | # 33 means x509chain standing to rfc9360 264 | # in both protected and unprotected for interop purpose .. for now. 265 | uhdr={33: _cert}, 266 | payload=cbor2.dumps( 267 | cbor2.CBORTag(24, cbor2.dumps(payload, canonical=True)), 268 | canonical=True, 269 | ), 270 | ) 271 | 272 | mso.key = self.private_key 273 | 274 | return mso 275 | -------------------------------------------------------------------------------- /pymdoccbor/mso/verifier.py: -------------------------------------------------------------------------------- 1 | import cbor2 2 | import cryptography 3 | import logging 4 | 5 | from pycose.keys import CoseKey, EC2Key 6 | from pycose.messages import Sign1Message 7 | 8 | from typing import Union 9 | 10 | from pymdoccbor.exceptions import ( 11 | MsoX509ChainNotFound, 12 | UnsupportedMsoDataFormat 13 | ) 14 | from pymdoccbor import settings 15 | from pymdoccbor.tools import bytes2CoseSign1, cborlist2CoseSign1 16 | 17 | 18 | logger = logging.getLogger("pymdoccbor") 19 | 20 | 21 | class MsoVerifier: 22 | """ 23 | Parameters 24 | data: CBOR TAG 24 25 | 26 | Example: 27 | MsoParser(mdoc['documents'][0]['issuerSigned']['issuerAuth']) 28 | 29 | Note 30 | The signature is contained in an untagged COSE_Sign1 31 | structure as defined in RFC 8152. 32 | """ 33 | 34 | def __init__(self, data: Union[cbor2.CBORTag, bytes, list]) -> None: 35 | """ 36 | Initialize the MsoParser object 37 | 38 | :param data: Union[cbor2.CBORTag, bytes, list]: the data to parse 39 | """ 40 | 41 | self._data = data 42 | 43 | # not used 44 | if isinstance(self._data, bytes): 45 | self.object: Sign1Message = bytes2CoseSign1( 46 | cbor2.dumps(cbor2.CBORTag(18, value=self._data))) 47 | elif isinstance(self._data, list): 48 | self.object: Sign1Message = cborlist2CoseSign1(self._data) 49 | else: 50 | raise UnsupportedMsoDataFormat( 51 | f"MsoParser only supports raw bytes and list, a {type(data)} was provided" 52 | ) 53 | 54 | self.object.key = None 55 | self.public_key: cryptography.hazmat.backends.openssl.ec._EllipticCurvePublicKey = None 56 | self.x509_certificates: list = [] 57 | 58 | @property 59 | def payload_as_cbor(self) -> dict: 60 | """ 61 | It returns the payload as a CBOR TAG 62 | 63 | :return: dict: the payload as a CBOR TAG 24 64 | """ 65 | return cbor2.loads(self.object.payload) 66 | 67 | @property 68 | def payload_as_raw(self): 69 | return self.object.payload 70 | 71 | @property 72 | def payload_as_dict(self): 73 | return cbor2.loads( 74 | cbor2.loads(self.object.payload).value 75 | ) 76 | 77 | @property 78 | def raw_public_keys(self) -> bytes: 79 | """ 80 | it returns the public key extract from x509 certificates 81 | looking to both phdr and uhdr 82 | """ 83 | _mixed_heads = self.object.phdr.items() | self.object.uhdr.items() 84 | for h, v in _mixed_heads: 85 | if h.identifier == 33: 86 | return list(self.object.uhdr.values()) 87 | 88 | raise MsoX509ChainNotFound( 89 | "I can't find any valid X509certs, identified by label number 33, " 90 | "in this MSO." 91 | ) 92 | 93 | def attest_public_key(self): 94 | logger.warning( 95 | "TODO: in next releases. " 96 | "The certificate is to be considered as untrusted, this release " 97 | "doesn't validate x.509 certificate chain. See next releases and " 98 | "python certvalidator or cryptography for that." 99 | ) 100 | 101 | def load_public_key(self) -> None: 102 | """ 103 | Load the public key from the x509 certificate 104 | 105 | :return: None 106 | """ 107 | self.attest_public_key() 108 | 109 | for i in self.raw_public_keys: 110 | self.x509_certificates.append( 111 | cryptography.x509.load_der_x509_certificate(i) 112 | ) 113 | 114 | self.public_key = self.x509_certificates[0].public_key() 115 | 116 | key = EC2Key( 117 | crv=settings.COSEKEY_HAZMAT_CRV_MAP[self.public_key.curve.name], 118 | x=self.public_key.public_numbers().x.to_bytes( 119 | settings.CRV_LEN_MAP[self.public_key.curve.name], 'big' 120 | ), 121 | y=self.public_key.public_numbers().y.to_bytes( settings.CRV_LEN_MAP[self.public_key.curve.name], 'big') 122 | ) 123 | self.object.key = key 124 | 125 | def verify_signature(self) -> bool: 126 | """" 127 | Verify the signature of the MSO 128 | 129 | :return: bool: True if the signature is valid, False otherwise 130 | """ 131 | if not self.object.key: 132 | self.load_public_key() 133 | 134 | return self.object.verify_signature() 135 | -------------------------------------------------------------------------------- /pymdoccbor/settings.py: -------------------------------------------------------------------------------- 1 | import datetime 2 | import os 3 | 4 | from datetime import timezone 5 | 6 | COSEKEY_HAZMAT_CRV_MAP = { 7 | "secp256r1": "P_256", 8 | "secp384r1": "P_384", 9 | "secp521r1": "P_521" 10 | } 11 | 12 | CRV_LEN_MAP = { 13 | "secp256r1": 32, 14 | } 15 | 16 | PYMDOC_HASHALG: str = os.getenv("PYMDOC_HASHALG", "SHA-256") 17 | PYMDOC_EXP_DELTA_HOURS: int = os.getenv("PYMDOC_EXP_DELTA_HOURS", 0) 18 | 19 | HASHALG_MAP = { 20 | "SHA-256": "sha256", 21 | "SHA-512": "sha512", 22 | } 23 | 24 | DIGEST_SALT_LENGTH = 32 25 | 26 | 27 | X509_DER_CERT = os.getenv("X509_DER_CERT", None) 28 | 29 | # OR 30 | 31 | X509_COUNTRY_NAME = os.getenv('X509_COUNTRY_NAME', "US") 32 | X509_STATE_OR_PROVINCE_NAME = os.getenv('X509_STATE_OR_PROVINCE_NAME', "California") 33 | X509_LOCALITY_NAME = os.getenv('X509_LOCALITY_NAME', "San Francisco") 34 | X509_ORGANIZATION_NAME = os.getenv('X509_ORGANIZATION_NAME', "My Company") 35 | X509_COMMON_NAME = os.getenv('X509_COMMON_NAME', "mysite.com") 36 | 37 | X509_NOT_VALID_BEFORE = os.getenv('X509_NOT_VALID_BEFORE', datetime.datetime.now(timezone.utc)) 38 | X509_NOT_VALID_AFTER_DAYS = os.getenv('X509_NOT_VALID_AFTER_DAYS', 10) 39 | X509_NOT_VALID_AFTER = os.getenv( 40 | 'X509_NOT_VALID_AFTER', 41 | datetime.datetime.now(timezone.utc) + datetime.timedelta( 42 | days=X509_NOT_VALID_AFTER_DAYS 43 | ) 44 | ) 45 | 46 | X509_SAN_URL = os.getenv( 47 | "X509_SAN_URL", "https://credential-issuer.example.org" 48 | ) 49 | 50 | CBORTAGS_ATTR_MAP = { 51 | "birth_date": 1004, 52 | "expiry_date": 1004, 53 | "issue_date": 1004, 54 | "issuance_date": 1004, 55 | } 56 | -------------------------------------------------------------------------------- /pymdoccbor/tests/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/IdentityPython/pyMDOC-CBOR/68f001d5df0764e10f23f87a7a302862a980f6d5/pymdoccbor/tests/__init__.py -------------------------------------------------------------------------------- /pymdoccbor/tests/certs/README.md: -------------------------------------------------------------------------------- 1 | ### Procedure to create fake certificate fake-cert.pem 2 | ``` 3 | openssl ecparam -name prime256v1 -genkey -noout -out fake-private-key.pem 4 | openssl x509 -req -in fake-request.csr -out leaf-asl.pem -days 3650 -sha256 5 | openssl x509 -req -in fake-request.csr -key fake-private-key.pem -out fake-cert.pem -days 3650 -sha256 6 | ``` -------------------------------------------------------------------------------- /pymdoccbor/tests/certs/fake-cert.cnf: -------------------------------------------------------------------------------- 1 | [ req ] 2 | distinguished_name = req_distinguished_name 3 | attributes = req_attributes 4 | 5 | # Stop confirmation prompts. All information is contained below. 6 | prompt= no 7 | 8 | 9 | # The extensions to add to a certificate request - see [ v3_req ] 10 | req_extensions = v3_req 11 | 12 | [ req_distinguished_name ] 13 | # Describe the Subject (ie the origanisation). 14 | # The first 6 below could be shortened to: C ST L O OU CN 15 | # The short names are what are shown when the certificate is displayed. 16 | # Eg the details below would be shown as: 17 | # Subject: C=UK, ST=Hertfordshire, L=My Town, O=Some Organisation, OU=Some Department, CN=www.example.com/emailAddress=bofh@example.com 18 | 19 | countryName= BE 20 | stateOrProvinceName= Brussels Region 21 | localityName= Brussels 22 | organizationName= Test 23 | organizationalUnitName= Test-Unit 24 | commonName= Test ASL Issuer 25 | emailAddress= fake@fake.com 26 | 27 | [ req_attributes ] 28 | # None. Could put Challenge Passwords, don't want them, leave empty 29 | 30 | [ v3_req ] 31 | # None. -------------------------------------------------------------------------------- /pymdoccbor/tests/certs/fake-cert.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIICTzCCAfWgAwIBAgIUN+rPlhGdCIIWrQaKxFcdzJGyL0YwCgYIKoZIzj0EAwIw 3 | gZUxCzAJBgNVBAYTAkJFMRgwFgYDVQQIDA9CcnVzc2VscyBSZWdpb24xETAPBgNV 4 | BAcMCEJydXNzZWxzMQ0wCwYDVQQKDARUZXN0MRIwEAYDVQQLDAlUZXN0LVVuaXQx 5 | GDAWBgNVBAMMD1Rlc3QgQVNMIElzc3VlcjEcMBoGCSqGSIb3DQEJARYNZmFrZUBm 6 | YWtlLmNvbTAeFw0yNTAzMTcxMTA3MTZaFw0zNTAzMTUxMTA3MTZaMIGVMQswCQYD 7 | VQQGEwJCRTEYMBYGA1UECAwPQnJ1c3NlbHMgUmVnaW9uMREwDwYDVQQHDAhCcnVz 8 | c2VsczENMAsGA1UECgwEVGVzdDESMBAGA1UECwwJVGVzdC1Vbml0MRgwFgYDVQQD 9 | DA9UZXN0IEFTTCBJc3N1ZXIxHDAaBgkqhkiG9w0BCQEWDWZha2VAZmFrZS5jb20w 10 | WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASgs+CiDRy2Fh1lPA6mtIb/c1fBBIA3 11 | Qz77kpnxsOid5/2bbUFYOI02djof6hsq7lWuCGwdWThDeiUQV1hISCPyoyEwHzAd 12 | BgNVHQ4EFgQU+jJ/exJHH3gawahlcnWTrlxbw3UwCgYIKoZIzj0EAwIDSAAwRQIg 13 | JJ3N2I7VyCFzN8CVktrs6IylXlDiSC+vsjt1POLnrHYCIQDKkU1XOfQiBGFzeLav 14 | vvqxhGIU/iOVlrLM3JOF9pGKCA== 15 | -----END CERTIFICATE----- 16 | -------------------------------------------------------------------------------- /pymdoccbor/tests/certs/fake-private-key.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN EC PRIVATE KEY----- 2 | MHcCAQEEIEWpyV6wCzKqJhcvRWg2olReRXLLcUwyL2IZzKNLiR6koAoGCCqGSM49 3 | AwEHoUQDQgAEoLPgog0cthYdZTwOprSG/3NXwQSAN0M++5KZ8bDonef9m21BWDiN 4 | NnY6H+obKu5VrghsHVk4Q3olEFdYSEgj8g== 5 | -----END EC PRIVATE KEY----- 6 | -------------------------------------------------------------------------------- /pymdoccbor/tests/certs/fake-request.csr: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE REQUEST----- 2 | MIIBUDCB+AIBADCBlTELMAkGA1UEBhMCQkUxGDAWBgNVBAgMD0JydXNzZWxzIFJl 3 | Z2lvbjERMA8GA1UEBwwIQnJ1c3NlbHMxDTALBgNVBAoMBFRlc3QxEjAQBgNVBAsM 4 | CVRlc3QtVW5pdDEYMBYGA1UEAwwPVGVzdCBBU0wgSXNzdWVyMRwwGgYJKoZIhvcN 5 | AQkBFg1mYWtlQGZha2UuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoLPg 6 | og0cthYdZTwOprSG/3NXwQSAN0M++5KZ8bDonef9m21BWDiNNnY6H+obKu5Vrghs 7 | HVk4Q3olEFdYSEgj8qAAMAoGCCqGSM49BAMCA0cAMEQCICtw2VqH3Jg03Ycme7UW 8 | 0aQbBll8eQiBDPLCui+yekAMAiBfLqO9P7mgEWPMoSWfGYBiOVDEVUO8vERTZY1e 9 | HKpaRg== 10 | -----END CERTIFICATE REQUEST----- 11 | -------------------------------------------------------------------------------- /pymdoccbor/tests/micov_data.py: -------------------------------------------------------------------------------- 1 | MICOV_DATA = { 2 | "org.micov.medical.1":{ 3 | "last_name": "Rossi", 4 | "given_name": "Mario", 5 | "birth_date": "1922-03-13", 6 | "PersonId_nic": { 7 | "PersonIdNumber": "1234567890", 8 | "PersonIdType": "nic", 9 | "PersonIdIS": "IT", 10 | }, 11 | "sex": 1, 12 | "VPInfo_COVID-19_1": { 13 | "VaccineProphylaxis": "", 14 | "VaccMedicinalProd": "Moderna", 15 | "VaccMktAuthHolder": "Moderna", 16 | "VaccDoseNumber": "2/2", 17 | "VaccAdmDate": "2021-01-01", 18 | "VaccCountry": "IT", 19 | }, 20 | "CertIssuer": "Italian Ministry of Health", 21 | "CertId": "1234567890", 22 | } 23 | } -------------------------------------------------------------------------------- /pymdoccbor/tests/pid_data.py: -------------------------------------------------------------------------------- 1 | PID_DATA = { 2 | "eu.europa.ec.eudiw.pid.1": { 3 | "family_name": "Raffaello", 4 | "given_name": "Mascetti", 5 | "birth_date": "1922-03-13", 6 | "age_over_18": True, 7 | "age_over_NN": 150, 8 | "age_in_years": 101, 9 | "age_birth_year": 1922, 10 | "unique_id": "random-opaque-value", 11 | "family_name_birth": "Mascetti", 12 | "given_name_birth": "Raffaello", 13 | "birth_place": "Firenze", 14 | "birth_country": "IT", 15 | "birth_state": "Tuscany", 16 | "birth_city": "Firenze", 17 | "resident_address": "via Tal dei tali", 18 | "resident_country": "Italy", 19 | "resident_state": "Tuscany", 20 | "resident_city": "Firenze", 21 | "resident_postal_code": "50100", 22 | "resident_street": "via Tal dei tali", 23 | "resident_house_number": "21", 24 | "gender": 1, 25 | "nationality": "IT", 26 | "portrait": None, 27 | "portrait_capture_date": None, 28 | "issuance_date": "2023-06-07", 29 | "expiry_date": "2027-06-07", 30 | "issuing_authority": "IT", 31 | "document_number": "CA0568IT_example", 32 | "administrative_number": None, 33 | "issuing_country": "IT", 34 | "issuing_jurisdiction": None 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /pymdoccbor/tests/pkey.py: -------------------------------------------------------------------------------- 1 | import os 2 | 3 | PKEY = { 4 | 'KTY': 'EC2', 5 | 'CURVE': 'P_256', 6 | 'ALG': 'ES256', 7 | 'D': b"<\xe5\xbc;\x08\xadF\x1d\xc5\x0czR'T&\xbb\x91\xac\x84\xdc\x9ce\xbf\x0b,\x00\xcb\xdd\xbf\xec\xa2\xa5", 8 | 'KID': b"demo-kid" 9 | } -------------------------------------------------------------------------------- /pymdoccbor/tests/test_01_mdoc_parser.py: -------------------------------------------------------------------------------- 1 | 2 | from pymdoccbor.mdoc.verifier import MdocCbor 3 | from pymdoccbor.tools import pretty_print 4 | 5 | 6 | ISSUED_MDOC = "a36776657273696f6e63312e3069646f63756d656e747381a367646f6354797065756f72672e69736f2e31383031332e352e312e6d444c6c6973737565725369676e6564a26a6e616d65537061636573a1716f72672e69736f2e31383031332e352e3186d8185863a4686469676573744944006672616e646f6d58208798645b20ea200e19ffabac92624bee6aec63aceedecfb1b80077d22bfc20e971656c656d656e744964656e7469666965726b66616d696c795f6e616d656c656c656d656e7456616c756563446f65d818586ca4686469676573744944036672616e646f6d5820b23f627e8999c706df0c0a4ed98ad74af988af619b4bb078b89058553f44615d71656c656d656e744964656e7469666965726a69737375655f646174656c656c656d656e7456616c7565d903ec6a323031392d31302d3230d818586da4686469676573744944046672616e646f6d5820c7ffa307e5de921e67ba5878094787e8807ac8e7b5b3932d2ce80f00f3e9abaf71656c656d656e744964656e7469666965726b6578706972795f646174656c656c656d656e7456616c7565d903ec6a323032342d31302d3230d818586da4686469676573744944076672616e646f6d582026052a42e5880557a806c1459af3fb7eb505d3781566329d0b604b845b5f9e6871656c656d656e744964656e7469666965726f646f63756d656e745f6e756d6265726c656c656d656e7456616c756569313233343536373839d818590471a4686469676573744944086672616e646f6d5820d094dad764a2eb9deb5210e9d899643efbd1d069cc311d3295516ca0b024412d71656c656d656e744964656e74696669657268706f7274726169746c656c656d656e7456616c7565590412ffd8ffe000104a46494600010101009000900000ffdb004300130d0e110e0c13110f11151413171d301f1d1a1a1d3a2a2c2330453d4947443d43414c566d5d4c51685241435f82606871757b7c7b4a5c869085778f6d787b76ffdb0043011415151d191d381f1f38764f434f7676767676767676767676767676767676767676767676767676767676767676767676767676767676767676767676767676ffc00011080018006403012200021101031101ffc4001b00000301000301000000000000000000000005060401020307ffc400321000010303030205020309000000000000010203040005110612211331141551617122410781a1163542527391b2c1f1ffc4001501010100000000000000000000000000000001ffc4001a110101010003010000000000000000000000014111213161ffda000c03010002110311003f00a5bbde22da2329c7d692bc7d0d03f52cfb0ff75e7a7ef3e7709723a1d0dae146ddfbb3c039ce07ad2bd47a7e32dbb8dd1d52d6ef4b284f64a480067dfb51f87ffb95ff00eb9ff14d215de66af089ce44b7dbde9cb6890a2838eddf18078f7add62d411ef4db9b10a65d6b95a147381ea0d495b933275fe6bba75c114104a8ba410413e983dff004f5af5d34b4b4cde632d0bf1fd1592bdd91c6411f3934c2fa6af6b54975d106dcf4a65ae56e856001ebc03c7ce29dd9eef1ef10fc447dc9da76ad2aee93537a1ba7e4f70dd8eff0057c6dffb5e1a19854a83758e54528750946ec6704850cd037bceb08b6d7d2cc76d3317fc7b5cc04fb6707269c5c6e0c5b60ae549242123b0e493f602a075559e359970d98db89525456b51c951c8afa13ea8e98e3c596836783d5c63f5a61a99fdb7290875db4be88ab384bbbbbfc7183fdeaa633e8951db7da396dc48524fb1a8bd611a5aa2a2432f30ab420a7a6d3240c718cf031fa9ef4c9ad550205aa02951df4a1d6c8421b015b769db8c9229837ea2be8b1b0d39d0eba9c51484efdb8c0efd8d258daf3c449699f2edbd4584e7af9c64e3f96b9beb28d4ac40931e6478c8e76a24a825449501d867d2b1dcdebae99b9c752ae4ecd6dde4a179c1c1e460938f9149ef655e515c03919a289cb3dca278fb7bf177f4faa829dd8ce3f2ac9a7ecde490971fafd7dce15eed9b71c018c64fa514514b24e8e4f8c5c9b75c1e82579dc1233dfec08238f6add62d391acc1c5256a79e706d52d431c7a0145140b9fd149eb3a60dc5e88cbbc2da092411e9dc71f39a7766b447b344e847dcac9dcb5abba8d145061d43a6fcf1e65cf15d0e90231d3dd9cfe62995c6dcc5ca12a2c904a15f71dd27d451453e09d1a21450961cbb3ea8a956433b781f1ce33dfed54f0e2b50a2b71d84ed6db18028a28175f74fc6bda105c529a791c25c4f3c7a11f71586268f4a66b726e33de9ea6f1b52b181c760724e47b514520a5a28a283ffd9d81858ffa4686469676573744944096672616e646f6d58204599f81beaa2b20bd0ffcc9aa03a6f985befab3f6beaffa41e6354cdb2ab2ce471656c656d656e744964656e7469666965727264726976696e675f70726976696c656765736c656c656d656e7456616c756582a37576656869636c655f63617465676f72795f636f646561416a69737375655f64617465d903ec6a323031382d30382d30396b6578706972795f64617465d903ec6a323032342d31302d3230a37576656869636c655f63617465676f72795f636f646561426a69737375655f64617465d903ec6a323031372d30322d32336b6578706972795f64617465d903ec6a323032342d31302d32306a697373756572417574688443a10126a118215901d2308201ce30820174a003020102021401ec51916031e6898e8fc7864af5e6d5f86602b6300a06082a8648ce3d04030230233114301206035504030c0b75746f7069612069616361310b3009060355040613025553301e170d3230313030313030303030305a170d3231313030313030303030305a30213112301006035504030c0975746f706961206473310b30090603550406130255533059301306072a8648ce3d020106082a8648ce3d03010703420004ace7ab7340e5d9648c5a72a9a6f56745c7aad436a03a43efea77b5fa7b88f0197d57d8983e1b37d3a539f4d588365e38cbbf5b94d68c547b5bc8731dcd2f146ba38187308184301e0603551d120417301581136578616d706c65406578616d706c652e636f6d301c0603551d1f041530133011a00fa00d820b6578616d706c652e636f6d301d0603551d0e0416041414e29017a6c35621ffc7a686b7b72db06cd12351300e0603551d0f0101ff04040302078030150603551d250101ff040b3009060728818c5d050102300a06082a8648ce3d0403020348003045022100bac6f93a8bacf0fc9aeac1c89a5c9293af2076942e9e972882a113640330702702207b7b73c0444371a4c94c9c888ddfe553ffde84ca492fd64dfbf02ad46a31cbc85903a2d81859039da66776657273696f6e63312e306f646967657374416c676f726974686d675348412d3235366c76616c756544696765737473a2716f72672e69736f2e31383031332e352e31ad00582075167333b47b6c2bfb86eccc1f438cf57af055371ac55e1e359e20f254adcebf01582067e539d6139ebd131aef441b445645dd831b2b375b390ca5ef6279b205ed45710258203394372ddb78053f36d5d869780e61eda313d44a392092ad8e0527a2fbfe55ae0358202e35ad3c4e514bb67b1a9db51ce74e4cb9b7146e41ac52dac9ce86b8613db555045820ea5c3304bb7c4a8dcb51c4c13b65264f845541341342093cca786e058fac2d59055820fae487f68b7a0e87a749774e56e9e1dc3a8ec7b77e490d21f0e1d3475661aa1d0658207d83e507ae77db815de4d803b88555d0511d894c897439f5774056416a1c7533075820f0549a145f1cf75cbeeffa881d4857dd438d627cf32174b1731c4c38e12ca936085820b68c8afcb2aaf7c581411d2877def155be2eb121a42bc9ba5b7312377e068f660958200b3587d1dd0c2a07a35bfb120d99a0abfb5df56865bb7fa15cc8b56a66df6e0c0a5820c98a170cf36e11abb724e98a75a5343dfa2b6ed3df2ecfbb8ef2ee55dd41c8810b5820b57dd036782f7b14c6a30faaaae6ccd5054ce88bdfa51a016ba75eda1edea9480c5820651f8736b18480fe252a03224ea087b5d10ca5485146c67c74ac4ec3112d4c3a746f72672e69736f2e31383031332e352e312e5553a4005820d80b83d25173c484c5640610ff1a31c949c1d934bf4cf7f18d5223b15dd4f21c0158204d80e1e2e4fb246d97895427ce7000bb59bb24c8cd003ecf94bf35bbd2917e340258208b331f3b685bca372e85351a25c9484ab7afcdf0d2233105511f778d98c2f544035820c343af1bd1690715439161aba73702c474abf992b20c9fb55c36a336ebe01a876d6465766963654b6579496e666fa1696465766963654b6579a40102200121582096313d6c63e24e3372742bfdb1a33ba2c897dcd68ab8c753e4fbd48dca6b7f9a2258201fb3269edd418857de1b39a4e4a44b92fa484caa722c228288f01d0c03a2c3d667646f6354797065756f72672e69736f2e31383031332e352e312e6d444c6c76616c6964697479496e666fa3667369676e6564c074323032302d31302d30315431333a33303a30325a6976616c696446726f6dc074323032302d31302d30315431333a33303a30325a6a76616c6964556e74696cc074323032312d31302d30315431333a33303a30325a5840cff12c17d4739aba806035a9cb2b34ae8a830cef4f329289f9a3ebd302dd6b99c584068257569397b92ba9aa5128554eb05d1273dafea313da4aff6b01a5fb3f6c6465766963655369676e6564a26a6e616d65537061636573d81841a06a64657669636541757468a1696465766963654d61638443a10105a0f65820200d73ded787c64652dc8ee743ea83a5260d5a3283fddc919b7b9cfb486addb26673746174757300" 7 | 8 | 9 | def test_parse_mdoc_af_binary(): 10 | mdoc = MdocCbor() 11 | mdoc.loads(ISSUED_MDOC) 12 | mdoc.verify() 13 | 14 | for i in mdoc.documents: 15 | assert i.is_valid 16 | 17 | assert len(mdoc.documents) == 1 18 | 19 | # testing format outputs 20 | assert type(mdoc.data_as_string) == str 21 | assert type(mdoc.data_as_bytes) == bytes 22 | assert type(mdoc.data_as_cbor_dict) == dict 23 | 24 | # testing from export re-import 25 | mdoc2 = MdocCbor() 26 | mdoc2.loads(mdoc.data_as_bytes) 27 | mdoc2.verify() 28 | 29 | for i in mdoc.documents: 30 | assert i.is_valid 31 | 32 | assert len(mdoc.documents) == 1 33 | 34 | # test repr 35 | mdoc.__repr__() 36 | 37 | 38 | def test_parse_mdoc_break(): 39 | 40 | signature_bytes = "cff12c17d4739aba806035a9cb2b34ae8a830cef4f329289f9a3ebd302dd6b99c584068257569397b92ba9aa5128554eb05d1273dafea313da4aff6b01a5fb3f" 41 | fault_signature_bytes = "aff12c17d4739aba806035a9eb2b34aefa830cef4f329289e9a3ebd302dd6b99f584068257569397b92ca9aa5128554eb05d2273dafea313da4aff6b01a5fb3e" 42 | _breaked_mso = ISSUED_MDOC.replace(signature_bytes, fault_signature_bytes) 43 | 44 | mdoc_break = MdocCbor() 45 | mdoc_break.loads(_breaked_mso) 46 | 47 | assert mdoc_break.verify() is False 48 | assert mdoc_break.documents_invalid[0].is_valid is False 49 | 50 | 51 | def test_pretty_print(): 52 | mdoc = MdocCbor() 53 | mdoc.loads(ISSUED_MDOC) 54 | pretty_print(mdoc.data_as_string) 55 | -------------------------------------------------------------------------------- /pymdoccbor/tests/test_02_mdoc_issuer.py: -------------------------------------------------------------------------------- 1 | import cbor2 2 | import os 3 | 4 | from asn1crypto.x509 import Certificate 5 | from cryptography import x509 6 | from cryptography.hazmat.primitives import serialization 7 | from cryptography.x509 import load_der_x509_certificate 8 | from pycose.messages import Sign1Message 9 | 10 | from pymdoccbor.mdoc.issuer import MdocCborIssuer 11 | from pymdoccbor.mdoc.verifier import MdocCbor 12 | from pymdoccbor.mso.issuer import MsoIssuer 13 | from pymdoccbor.tests.pid_data import PID_DATA 14 | 15 | 16 | PKEY = { 17 | 'KTY': 'EC2', 18 | 'CURVE': 'P_256', 19 | 'ALG': 'ES256', 20 | 'D': os.urandom(32), 21 | 'KID': b"demo-kid" 22 | } 23 | 24 | 25 | def extract_mso(mdoc:dict): 26 | mso_data = mdoc["documents"][0]["issuerSigned"]["issuerAuth"][2] 27 | mso_cbortag = cbor2.loads(mso_data) 28 | mso = cbor2.loads(mso_cbortag.value) 29 | return mso 30 | 31 | 32 | def test_mso_writer(): 33 | validity = {"issuance_date": "2025-01-17", "expiry_date": "2025-11-13" } 34 | msoi = MsoIssuer( 35 | data=PID_DATA, 36 | private_key=PKEY, 37 | validity=validity, 38 | alg = "ES256" 39 | ) 40 | 41 | assert "eu.europa.ec.eudiw.pid.1" in msoi.hash_map 42 | assert msoi.hash_map["eu.europa.ec.eudiw.pid.1"] 43 | 44 | assert "eu.europa.ec.eudiw.pid.1" in msoi.disclosure_map 45 | assert msoi.disclosure_map["eu.europa.ec.eudiw.pid.1"] 46 | assert msoi.disclosure_map["eu.europa.ec.eudiw.pid.1"].values().__len__() == PID_DATA["eu.europa.ec.eudiw.pid.1"].values().__len__() 47 | 48 | mso = msoi.sign() 49 | 50 | Sign1Message.decode(mso.encode()) 51 | 52 | # TODO: assertion about the content 53 | # breakpoint() 54 | 55 | 56 | def test_mdoc_issuer(): 57 | validity = {"issuance_date": "2025-01-17", "expiry_date": "2025-11-13" } 58 | mdoci = MdocCborIssuer( 59 | private_key=PKEY, 60 | alg = "ES256" 61 | ) 62 | with open("pymdoccbor/tests/certs/fake-cert.pem", "rb") as file: 63 | fake_cert_file = file.read() 64 | asl_signing_cert = x509.load_pem_x509_certificate(fake_cert_file) 65 | _asl_signing_cert = asl_signing_cert.public_bytes(getattr(serialization.Encoding, "DER")) 66 | status_list = { 67 | "status_list": { 68 | "idx": 0, 69 | "uri": "https://issuer.com/statuslists", 70 | "certificate": _asl_signing_cert, 71 | } 72 | } 73 | mdoc = mdoci.new( 74 | doctype="eu.europa.ec.eudiw.pid.1", 75 | data=PID_DATA, 76 | devicekeyinfo=PKEY, 77 | validity=validity, 78 | revocation=status_list 79 | ) 80 | 81 | mdocp = MdocCbor() 82 | aa = cbor2.dumps(mdoc) 83 | mdocp.loads(aa) 84 | assert mdocp.verify() is True 85 | 86 | mdoci.dump() 87 | mdoci.dumps() 88 | 89 | # check mso content for status list 90 | mso = extract_mso(mdoc) 91 | status_list = mso["status"]["status_list"] 92 | assert status_list["idx"] == 0 93 | assert status_list["uri"] == "https://issuer.com/statuslists" 94 | cert_bytes = status_list["certificate"] 95 | cert:Certificate = load_der_x509_certificate(cert_bytes) 96 | assert "Test ASL Issuer" in cert.subject.rfc4514_string(), "ASL is not signed with the expected certificate" -------------------------------------------------------------------------------- /pymdoccbor/tests/test_03_mdoc_issuer.py: -------------------------------------------------------------------------------- 1 | from pycose.keys import EC2Key 2 | from pymdoccbor.mdoc.issuer import MdocCborIssuer 3 | from pymdoccbor.tests.micov_data import MICOV_DATA 4 | from pymdoccbor.tests.pid_data import PID_DATA 5 | from pymdoccbor.tests.pkey import PKEY 6 | 7 | mdoc = MdocCborIssuer( 8 | private_key=PKEY, 9 | alg="ES256", 10 | ) 11 | 12 | def test_MdocCborIssuer_creation(): 13 | assert mdoc.version == '1.0' 14 | assert mdoc.status == 0 15 | 16 | def test_mdoc_without_private_key_must_fail(): 17 | try: 18 | MdocCborIssuer(None) 19 | except Exception as e: 20 | assert str(e) == "You must provide a private key" 21 | 22 | def test_MdocCborIssuer_new_single(): 23 | mdoc.new( 24 | data=MICOV_DATA, 25 | #devicekeyinfo=PKEY, # TODO 26 | doctype="org.micov.medical.1", 27 | validity={ 28 | "issuance_date": "2024-12-31", 29 | "expiry_date": "2050-12-31" 30 | }, 31 | ) 32 | assert mdoc.signed['version'] == '1.0' 33 | assert mdoc.signed['status'] == 0 34 | assert mdoc.signed['documents'][0]['docType'] == 'org.micov.medical.1' 35 | assert mdoc.signed['documents'][0]['issuerSigned']['nameSpaces']['org.micov.medical.1'][0].tag == 24 36 | 37 | # TODO: restore multiple documents support 38 | """ 39 | def test_MdocCborIssuer_new_multiple(): 40 | micov_data = {"doctype": "org.micov.medical.1", "data": MICOV_DATA} 41 | pid_data = {"doctype": "eu.europa.ec.eudiw.pid.1", "data": PID_DATA} 42 | 43 | mdoc.new( 44 | #TODO: fix the doctype handling 45 | doctype="org.micov.medical.1", 46 | data=[micov_data, pid_data], 47 | validity={ 48 | "issuance_date": "2024-12-31", 49 | "expiry_date": "2050-12-31" 50 | }, 51 | #devicekeyinfo=PKEY # TODO 52 | ) 53 | assert mdoc.signed['version'] == '1.0' 54 | assert mdoc.signed['status'] == 0 55 | assert mdoc.signed['documents'][0]['docType'] == 'org.micov.medical.1' 56 | assert mdoc.signed['documents'][0]['issuerSigned']['nameSpaces']['org.micov.medical.1'][0].tag == 24 57 | assert mdoc.signed['documents'][1]['docType'] == 'eu.europa.ec.eudiw.pid.1' 58 | assert mdoc.signed['documents'][1]['issuerSigned']['nameSpaces']['eu.europa.ec.eudiw.pid.1'][0].tag == 24 59 | """ 60 | 61 | def test_MdocCborIssuer_dump(): 62 | dump = mdoc.dump() 63 | 64 | assert dump 65 | assert isinstance(dump, bytes) 66 | assert len(dump) > 0 67 | 68 | def test_MdocCborIssuer_dumps(): 69 | dumps = mdoc.dumps() 70 | 71 | assert dumps 72 | assert isinstance(dumps, bytes) 73 | assert len(dumps) > 0 -------------------------------------------------------------------------------- /pymdoccbor/tests/test_04_issuer_signed.py: -------------------------------------------------------------------------------- 1 | from pycose.keys import EC2Key 2 | from pymdoccbor.mdoc.issuersigned import IssuerSigned 3 | from pymdoccbor.mdoc.issuer import MdocCborIssuer 4 | from pymdoccbor.tests.micov_data import MICOV_DATA 5 | from pymdoccbor.tests.pkey import PKEY 6 | 7 | 8 | mdoc = MdocCborIssuer( 9 | private_key=PKEY, 10 | alg="ES256", 11 | ) 12 | mdoc.new( 13 | data=MICOV_DATA, 14 | #devicekeyinfo=PKEY, # TODO 15 | doctype="org.micov.medical.1", 16 | validity={ 17 | "issuance_date": "2024-12-31", 18 | "expiry_date": "2050-12-31" 19 | }, 20 | ) 21 | issuerAuth = mdoc.signed["documents"][0]["issuerSigned"] 22 | issuer_signed = IssuerSigned(**issuerAuth) 23 | 24 | def test_issuer_signed_fail(): 25 | try: 26 | IssuerSigned(None, None) 27 | except Exception as e: 28 | assert str(e) == "issuerAuth must be provided" 29 | 30 | def test_issuer_signed_creation(): 31 | assert issuer_signed.namespaces 32 | assert issuer_signed.issuer_auth 33 | 34 | def test_issuer_signed_dump(): 35 | issuerAuth = mdoc.signed["documents"][0]["issuerSigned"] 36 | 37 | issuer_signed = IssuerSigned(**issuerAuth) 38 | 39 | dump = issuer_signed.dump() 40 | assert dump 41 | assert dump["nameSpaces"] == issuer_signed.namespaces 42 | assert dump["issuerAuth"] == issuer_signed.issuer_auth 43 | 44 | def test_issuer_signed_dumps(): 45 | issuerAuth = mdoc.signed["documents"][0]["issuerSigned"] 46 | 47 | issuer_signed = IssuerSigned(**issuerAuth) 48 | 49 | dumps = issuer_signed.dumps() 50 | assert dumps 51 | assert isinstance(dumps, bytes) 52 | assert len(dumps) > 0 -------------------------------------------------------------------------------- /pymdoccbor/tests/test_05_mdoc_verifier.py: -------------------------------------------------------------------------------- 1 | from pycose.keys import EC2Key 2 | from pymdoccbor.mdoc.verifier import MobileDocument 3 | from pymdoccbor.mdoc.issuer import MdocCborIssuer 4 | from pymdoccbor.tests.micov_data import MICOV_DATA 5 | from pymdoccbor.tests.pkey import PKEY 6 | 7 | def test_verifier_must_fail_document_type(): 8 | try: 9 | MobileDocument(None, None) 10 | except Exception as e: 11 | assert str(e) == "You must provide a document type" 12 | 13 | def test_verifier_must_fail_issuer_signed(): 14 | try: 15 | MobileDocument("org.micov.medical.1", None) 16 | except Exception as e: 17 | assert str(e) == "You must provide a signed document" 18 | 19 | def test_mobile_document(): 20 | mdoc = MdocCborIssuer( 21 | private_key=PKEY, 22 | alg="ES256", 23 | ) 24 | mdoc.new( 25 | data=MICOV_DATA, 26 | #devicekeyinfo=PKEY, # TODO 27 | doctype="org.micov.medical.1", 28 | validity={ 29 | "issuance_date": "2024-12-31", 30 | "expiry_date": "2050-12-31" 31 | }, 32 | ) 33 | 34 | 35 | document = mdoc.signed["documents"][0] 36 | doc = MobileDocument(**document) 37 | 38 | assert doc.doctype == "org.micov.medical.1" 39 | assert doc.issuersigned 40 | 41 | def test_mobile_document_dump(): 42 | mdoc = MdocCborIssuer( 43 | private_key=PKEY, 44 | alg="ES256" 45 | ) 46 | mdoc.new( 47 | data=MICOV_DATA, 48 | #devicekeyinfo=PKEY, # TODO 49 | doctype="org.micov.medical.1", 50 | validity={ 51 | "issuance_date": "2024-12-31", 52 | "expiry_date": "2050-12-31" 53 | }, 54 | ) 55 | 56 | 57 | document = mdoc.signed["documents"][0] 58 | doc = MobileDocument(**document) 59 | 60 | dump = doc.dump() 61 | assert dump 62 | assert isinstance(dump, bytes) 63 | assert len(dump) > 0 64 | 65 | def test_mobile_document_dumps(): 66 | mdoc = MdocCborIssuer( 67 | private_key=PKEY, 68 | alg="ES256" 69 | ) 70 | mdoc.new( 71 | data=MICOV_DATA, 72 | #devicekeyinfo=PKEY, # TODO 73 | doctype="org.micov.medical.1", 74 | validity={ 75 | "issuance_date": "2024-12-31", 76 | "expiry_date": "2050-12-31" 77 | }, 78 | ) 79 | 80 | 81 | document = mdoc.signed["documents"][0] 82 | doc = MobileDocument(**document) 83 | 84 | dumps = doc.dumps() 85 | assert dumps 86 | assert isinstance(dumps, bytes) 87 | assert len(dumps) > 0 88 | 89 | def test_mobile_document_verify(): 90 | mdoc = MdocCborIssuer( 91 | private_key=PKEY, 92 | alg="ES256" 93 | ) 94 | mdoc.new( 95 | data=MICOV_DATA, 96 | #devicekeyinfo=PKEY, # TODO 97 | doctype="org.micov.medical.1", 98 | validity={ 99 | "issuance_date": "2024-12-31", 100 | "expiry_date": "2050-12-31" 101 | }, 102 | ) 103 | 104 | document = mdoc.signed["documents"][0] 105 | doc = MobileDocument(**document) 106 | 107 | assert doc.verify() 108 | -------------------------------------------------------------------------------- /pymdoccbor/tests/test_06_mso_issuer.py: -------------------------------------------------------------------------------- 1 | from pycose.keys import EC2Key 2 | from pycose.messages import CoseMessage 3 | from pymdoccbor.mso.issuer import MsoIssuer 4 | from pymdoccbor.tests.micov_data import MICOV_DATA 5 | from pymdoccbor.tests.pkey import PKEY 6 | 7 | 8 | def test_mso_issuer_fail(): 9 | try: 10 | MsoIssuer(None, None) 11 | except Exception as e: 12 | assert str(e) == "MSO Writer requires a valid private key" 13 | 14 | def test_mso_issuer_creation(): 15 | msoi = MsoIssuer( 16 | data=MICOV_DATA, 17 | private_key=PKEY, 18 | validity={ 19 | "issuance_date": "2024-12-31", 20 | "expiry_date": "2050-12-31" 21 | }, 22 | alg="ES256" 23 | ) 24 | 25 | assert msoi.private_key 26 | assert msoi.data 27 | assert msoi.hash_map 28 | assert list(msoi.hash_map.keys())[0] == 'org.micov.medical.1' 29 | assert msoi.disclosure_map['org.micov.medical.1'] 30 | 31 | def test_mso_issuer_sign(): 32 | msoi = MsoIssuer( 33 | data=MICOV_DATA, 34 | private_key=PKEY, 35 | validity={ 36 | "issuance_date": "2024-12-31", 37 | "expiry_date": "2050-12-31" 38 | }, 39 | alg="ES256" 40 | ) 41 | 42 | mso = msoi.sign() 43 | assert isinstance(mso, CoseMessage) -------------------------------------------------------------------------------- /pymdoccbor/tests/test_07_mso_verifier.py: -------------------------------------------------------------------------------- 1 | 2 | import os 3 | from pycose.keys import CoseKey, EC2Key 4 | from pymdoccbor.mso.verifier import MsoVerifier 5 | from pymdoccbor.mdoc.issuer import MdocCborIssuer 6 | from pymdoccbor.tests.micov_data import MICOV_DATA 7 | from pycose.messages import CoseMessage 8 | from pymdoccbor.tests.pkey import PKEY 9 | 10 | 11 | mdoc = MdocCborIssuer( 12 | private_key=PKEY, 13 | alg="ES256", 14 | ) 15 | 16 | mdoc.new( 17 | data=MICOV_DATA, 18 | #devicekeyinfo=PKEY, # TODO 19 | doctype="org.micov.medical.1", 20 | validity={ 21 | "issuance_date": "2024-12-31", 22 | "expiry_date": "2050-12-31" 23 | }, 24 | ) 25 | 26 | def test_mso_verifier_fail(): 27 | try: 28 | MsoVerifier(None) 29 | except Exception as e: 30 | assert str(e) == "MsoParser only supports raw bytes and list, a was provided" 31 | 32 | def test_mso_verifier_creation(): 33 | issuerAuth = mdoc.signed["documents"][0]["issuerSigned"]["issuerAuth"] 34 | 35 | msov = MsoVerifier(issuerAuth) 36 | 37 | assert isinstance(msov.object, CoseMessage) 38 | 39 | def test_mso_verifier_verify_signatures(): 40 | issuerAuth = mdoc.signed["documents"][0]["issuerSigned"]["issuerAuth"] 41 | 42 | msov = MsoVerifier(issuerAuth) 43 | 44 | assert msov.verify_signature() 45 | 46 | def test_mso_verifier_payload_as_cbor(): 47 | issuerAuth = mdoc.signed["documents"][0]["issuerSigned"]["issuerAuth"] 48 | 49 | msov = MsoVerifier(issuerAuth) 50 | 51 | cbor = msov.payload_as_dict 52 | 53 | assert cbor 54 | assert cbor["version"] == "1.0" 55 | assert cbor["digestAlgorithm"] == "SHA-256" 56 | assert cbor["valueDigests"]["org.micov.medical.1"] 57 | 58 | def test_payload_as_raw(): 59 | issuerAuth = mdoc.signed["documents"][0]["issuerSigned"]["issuerAuth"] 60 | 61 | msov = MsoVerifier(issuerAuth) 62 | 63 | raw = msov.payload_as_raw 64 | 65 | assert raw 66 | assert isinstance(raw, bytes) 67 | assert len(raw) > 0 -------------------------------------------------------------------------------- /pymdoccbor/tests/test_08_mdoc_cbor.py: -------------------------------------------------------------------------------- 1 | import os 2 | import cbor2 3 | from pymdoccbor.mdoc.issuer import MdocCborIssuer 4 | from pymdoccbor.tests.micov_data import MICOV_DATA 5 | from pymdoccbor.mdoc.verifier import MdocCbor 6 | from pymdoccbor.tests.pkey import PKEY 7 | 8 | def test_mdoc_cbor_creation(): 9 | mdoci = MdocCborIssuer( 10 | private_key=PKEY, 11 | alg="ES256", 12 | ) 13 | mdoc = mdoci.new( 14 | data=MICOV_DATA, 15 | #devicekeyinfo=PKEY, # TODO 16 | doctype="org.micov.medical.1", 17 | validity={ 18 | "issuance_date": "2024-12-31", 19 | "expiry_date": "2050-12-31" 20 | }, 21 | status={ 22 | "status_list": { 23 | "idx": 412, 24 | "uri": "https://example.com/statuslists/1" 25 | } 26 | } 27 | ) 28 | 29 | data = cbor2.dumps(mdoc) 30 | 31 | mdocp = MdocCbor() 32 | mdocp.loads(data) 33 | mdocp.verify() 34 | 35 | assert mdoc 36 | assert 'org.micov.medical.1' in mdocp.disclosure_map 37 | assert mdocp.disclosure_map == MICOV_DATA 38 | assert mdocp.status == { 39 | "status_list": { 40 | "idx": 412, 41 | "uri": "https://example.com/statuslists/1" 42 | } 43 | } 44 | 45 | def test_mdoc_cbor_invalid_status(): 46 | mdoci = MdocCborIssuer( 47 | private_key=PKEY, 48 | alg="ES256", 49 | ) 50 | 51 | try: 52 | mdoci.new( 53 | data=MICOV_DATA, 54 | #devicekeyinfo=PKEY, # TODO 55 | doctype="org.micov.medical.1", 56 | validity={ 57 | "issuance_date": "2024-12-31", 58 | "expiry_date": "2050-12-31" 59 | }, 60 | status={ 61 | "status_list": { 62 | "idx": 412, 63 | # "uri": "https://example.com/statuslists/1" # Missing URI 64 | } 65 | } 66 | ) 67 | except Exception as e: 68 | assert str(e) == "uri is required" 69 | 70 | try: 71 | mdoci.new( 72 | data=MICOV_DATA, 73 | #devicekeyinfo=PKEY, # TODO 74 | doctype="org.micov.medical.1", 75 | validity={ 76 | "issuance_date": "2024-12-31", 77 | "expiry_date": "2050-12-31" 78 | }, 79 | status={ 80 | "status_list": { 81 | #"idx": 412, 82 | "uri": "https://example.com/statuslists/1" # Missing URI 83 | } 84 | } 85 | ) 86 | except Exception as e: 87 | assert str(e) == "idx is required" 88 | 89 | try: 90 | mdoci.new( 91 | data=MICOV_DATA, 92 | #devicekeyinfo=PKEY, # TODO 93 | doctype="org.micov.medical.1", 94 | validity={ 95 | "issuance_date": "2024-12-31", 96 | "expiry_date": "2050-12-31" 97 | }, 98 | status={ 99 | "not_status_list": { 100 | "idx": 412, 101 | "uri": "https://example.com/statuslists/1" # Missing URI 102 | } 103 | } 104 | ) 105 | except Exception as e: 106 | assert str(e) == "status_list is required" -------------------------------------------------------------------------------- /pymdoccbor/tools.py: -------------------------------------------------------------------------------- 1 | import cbor2 2 | import json 3 | import random 4 | 5 | 6 | from cbor2.tool import ( 7 | DefaultEncoder, 8 | key_to_str 9 | ) 10 | from pycose.messages import Sign1Message 11 | 12 | 13 | def bytes2CoseSign1(data: bytes) -> Sign1Message: 14 | """ 15 | Gets bytes and return a COSE_Sign1 object 16 | 17 | :param data: bytes: the COSE Sign1 as bytes 18 | :return: Sign1Message: the COSE Sign1 object 19 | """ 20 | decoded = Sign1Message.decode(cbor2.loads(data).value) 21 | 22 | return decoded 23 | 24 | 25 | def cborlist2CoseSign1(data: list) -> Sign1Message: 26 | """ 27 | Gets cbor2 decoded COSE Sign1 as a list and return a COSE_Sign1 object 28 | 29 | :param data: list: the COSE Sign1 as a list 30 | :return: Sign1Message: the COSE Sign1 object 31 | """ 32 | decoded = Sign1Message.decode( 33 | cbor2.dumps( 34 | cbor2.CBORTag(18, value=data) 35 | ) 36 | ) 37 | 38 | return decoded 39 | 40 | 41 | def pretty_print(cbor_loaded: dict) -> None: 42 | """" 43 | Pretty print a CBOR object 44 | 45 | :param cbor_loaded: dict: the CBOR object 46 | """ 47 | _obj = key_to_str(cbor_loaded) 48 | res = json.dumps( 49 | _obj, 50 | indent=(None, 4), 51 | cls=DefaultEncoder 52 | ) 53 | print(res) 54 | 55 | 56 | def shuffle_dict(d: dict) -> dict: 57 | """ 58 | Shuffle a dictionary 59 | 60 | :param d: dict: the dictionary to shuffle 61 | :return: dict: the shuffled dictionary 62 | """ 63 | 64 | keys = list(d.keys()) 65 | 66 | for i in range(random.randint(3, 27)): # nosec: B311 67 | random.shuffle(keys) 68 | 69 | return dict([(key, d[key]) for key in keys]) 70 | -------------------------------------------------------------------------------- /pymdoccbor/x509.py: -------------------------------------------------------------------------------- 1 | from cwt import COSEKey 2 | from typing import Union 3 | 4 | from cryptography import x509 5 | from cryptography.x509.oid import NameOID 6 | from cryptography.x509 import Certificate 7 | from cryptography.hazmat.primitives import hashes, serialization 8 | 9 | from pymdoccbor import settings 10 | 11 | class MsoX509Fabric: 12 | """ 13 | MsoX509Fabric helper class to create a new mso 14 | """ 15 | 16 | def selfsigned_x509cert(self, encoding: str = "DER") -> Union[Certificate, bytes]: 17 | """ 18 | Returns an X.509 certificate derived from the private key of the MSO Issuer 19 | 20 | :param encoding: str: the encoding to use, default is DER 21 | 22 | :return: Union[Certificate, bytes]: the X.509 certificate 23 | """ 24 | ckey = COSEKey.from_bytes(self.private_key.encode()) 25 | 26 | subject = issuer = x509.Name([ 27 | x509.NameAttribute(NameOID.COUNTRY_NAME, settings.X509_COUNTRY_NAME), 28 | x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, settings.X509_STATE_OR_PROVINCE_NAME), 29 | x509.NameAttribute(NameOID.LOCALITY_NAME, settings.X509_LOCALITY_NAME), 30 | x509.NameAttribute(NameOID.ORGANIZATION_NAME, settings.X509_ORGANIZATION_NAME), 31 | x509.NameAttribute(NameOID.COMMON_NAME, settings.X509_COMMON_NAME), 32 | ]) 33 | cert = x509.CertificateBuilder().subject_name( 34 | subject 35 | ).issuer_name( 36 | issuer 37 | ).public_key( 38 | ckey.key.public_key() 39 | ).serial_number( 40 | x509.random_serial_number() 41 | ).not_valid_before( 42 | settings.X509_NOT_VALID_BEFORE 43 | ).not_valid_after( 44 | settings.X509_NOT_VALID_AFTER 45 | ).add_extension( 46 | x509.SubjectAlternativeName( 47 | [ 48 | x509.UniformResourceIdentifier( 49 | settings.X509_SAN_URL 50 | ) 51 | ] 52 | ), 53 | critical=False, 54 | # Sign our certificate with our private key 55 | ).sign(ckey.key, hashes.SHA256()) 56 | 57 | if not encoding: 58 | return cert 59 | else: 60 | return cert.public_bytes( 61 | getattr(serialization.Encoding, encoding) 62 | ) 63 | -------------------------------------------------------------------------------- /requirements-dev.txt: -------------------------------------------------------------------------------- 1 | pytest 2 | pdbpp 3 | pytest-cov 4 | flake8 5 | isort 6 | autoflake 7 | bandit 8 | autopep8 9 | pycose>=1.0.1 -------------------------------------------------------------------------------- /setup.py: -------------------------------------------------------------------------------- 1 | import re 2 | from setuptools import setup, find_packages 3 | 4 | 5 | def readme(): 6 | with open("README.md") as f: 7 | return f.read() 8 | 9 | 10 | _pkg_name = "pymdoccbor" 11 | 12 | with open(f"{_pkg_name}/__init__.py", "r") as fd: 13 | VERSION = re.search( 14 | r'^__version__\s*=\s*[\'"]([^\'"]*)[\'"]', fd.read(), re.MULTILINE 15 | ).group(1) 16 | 17 | setup( 18 | name=_pkg_name, 19 | version=VERSION, 20 | description="Python parser and writer for Mobile Driving License and EUDI Wallet MDOC CBOR.", 21 | long_description=readme(), 22 | long_description_content_type="text/markdown", 23 | classifiers=[ 24 | "Development Status :: 4 - Beta", 25 | "License :: OSI Approved :: Apache Software License", 26 | "Programming Language :: Python :: 3.10", 27 | "Programming Language :: Python :: 3.11", 28 | "Programming Language :: Python :: 3.12", 29 | "Topic :: Software Development :: Libraries :: Python Modules", 30 | ], 31 | url="https://github.com/IdentityPython/pyMDL-MDOC", 32 | author="Giuseppe De Marco", 33 | author_email="demarcog83@gmail.com", 34 | license="License :: OSI Approved :: Apache Software License", 35 | # scripts=[f'{_pkg_name}/bin/{_pkg_name}'], 36 | packages=find_packages(include=["pymdoccbor", "pymdoccbor.*"]), 37 | include_package_data=True, 38 | install_requires=[ 39 | "cbor2>=5.4.0,<5.5.0", 40 | "cwt>=2.3.0,<2.4", 41 | "cbor-diag>=1.1.0,<1.2", 42 | "pycose>=1.0.1" 43 | ], 44 | ) 45 | --------------------------------------------------------------------------------