
feat(oid4vc): add mDOC credential issuance and verification (ISO 18013-5)#22

Open
burdettadam wants to merge 5 commits into main from feat/mso-mdoc-new

Conversation

@burdettadam
Collaborator

mDOC support via isomdl-uniffi. Depends on #21.


Implements OID4VCI mso_mdoc credential issuance and OID4VP mDOC
presentation verification using the isomdl-uniffi Rust library.

Key changes:
- Rewrite mso_mdoc credential processor with isomdl-uniffi bindings
- Add mDOC issuer (mdoc/issuer.py) and verifier (mdoc/verifier.py)
- Add MSO issuer/verifier (consolidated from mso/ into mdoc/)
- Add key generation routes for mDOC signing keys
- Add storage layer: trust anchors, certificates, keys, config
- Add X.509 cert chain handling and PEM splitting utilities
- Add trust anchor guard (fail-closed) and cert expiry validation
- Remove superseded mso/ package and x509.py (merged into mdoc/)
- Update Docker/CI to install isomdl-uniffi platform wheel
- Add OID4VC conformance tests GitHub Actions workflow
- Fix ConnectError retry in integration test credo_client fixture

Signed-off-by: Adam Burdett <burdettadam@gmail.com>

The upstream isomdl-uniffi library now exposes issuer_signed_b64() which
serialises directly to an IssuerSigned struct that carries the correct
serde rename attributes for ISO 18013-5 section 8.3 camelCase keys
(issuerAuth, nameSpaces) and array namespace values.

This removes the Python-side _patch_mdoc_keys workaround which had to
decode CBOR, rename keys by hand, and re-encode. The fix is now in the
right layer (Rust serialisation types) rather than a post-processing hack.

Change summary:
- Remove import base64 (only used by _patch_mdoc_keys)
- Remove _patch_mdoc_keys() entirely
- Replace stringify() + _patch_mdoc_keys() call with mdoc.issuer_signed_b64()
- Add test_mdoc_sign_emits_iso_cbor_keys to verify camelCase keys and
  array namespace values end-to-end through isomdl_mdoc_sign()

Signed-off-by: Adam Burdett <burdettadam@gmail.com>

Namespace element values are now passed to Mdoc.create_and_sign() as JSON
strings (stdlib json.dumps) rather than CBOR bytes (cbor2.dumps).

The Rust layer gains a json_to_cbor() converter so it internalises the
CBOR encoding, eliminating the need for callers to own a CBOR library.

Changes:
- mso_mdoc/mdoc/issuer.py: remove `import cbor2`; cbor2.dumps -> json.dumps
  in _prepare_mdl_namespaces and _prepare_generic_namespaces
- integration/tests/mdoc/test_pki.py: namespace inputs updated to json.dumps;
  cbor2 retained (hard import) for the DeviceResponse construction below
- pyproject.toml: cbor2 removed from [dependencies] optional and from
  mso_mdoc extras; added to [tool.poetry.group.dev.dependencies]

Signed-off-by: Adam Burdett <burdettadam@gmail.com>

Signed-off-by: Adam Burdett <burdettadam@gmail.com>

Trust anchors are exclusively stored in and retrieved from the Askar
wallet. Sub-wallets maintain their own trust registry with their own
root authority certificates.

- Remove FileTrustStore (filesystem PEM directory) entirely
- Remove OID4VC_MDOC_TRUST_STORE_TYPE env var and create_trust_store()
- verify_credential / verify_presentation always build a fresh
  WalletTrustStore(profile) from the calling profile per-request,
  ensuring each tenant Askar partition is queried correctly
- Simplify plugin __init__.py / on_startup (no trust store init at startup)
- Remove TestFileTrustStore unit tests (class no longer exists)
- Rewrite test_wallet_trust_store_per_request.py for always-wallet design
- Remove FileTrustStore imports from test_review_issues / test_verifier

Signed-off-by: Adam Burdett <burdettadam@gmail.com>
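An added structural check for the ISO 18013-5 IssuerSigned shape that the issuer_signed_b64() commit above describes (camelCase top-level keys, namespace values as arrays, issuerAuth as COSE_Sign1). This is example code, not part of this PR or of isomdl-uniffi; it assumes the caller has already CBOR-decoded the base64 output into Python objects (for example with cbor2.loads), and the snake_case pre-fix shape in the BAD sample is an assumption, not something the PR states.

```python
from typing import Any

# ISO 18013-5 section 8.3 top-level keys of IssuerSigned (camelCase, not snake_case)
REQUIRED_KEYS = ("nameSpaces", "issuerAuth")


def _is_item_bytes(item: Any) -> bool:
    """IssuerSignedItemBytes is #6.24(bstr); cbor2 decodes it as CBORTag(24, bytes),
    or as plain bytes if the caller already unwrapped the tag."""
    if isinstance(item, bytes):
        return True
    return getattr(item, "tag", None) == 24 and isinstance(getattr(item, "value", None), bytes)


def check_issuer_signed(issuer_signed: Any) -> list[str]:
    """Return structural problems with a decoded IssuerSigned; [] means the shape is conformant.
    Input is the Python object from CBOR-decoding the base64 output of issuer_signed_b64().
    Only structure is checked; COSE signature and MSO digest checks are the verifier's job."""
    if not isinstance(issuer_signed, dict):
        return ["IssuerSigned must be a CBOR map"]
    problems = [f"missing key {k!r} (non-ISO spellings such as snake_case are rejected)"
                for k in REQUIRED_KEYS if k not in issuer_signed]
    auth = issuer_signed.get("issuerAuth")
    if auth is not None:  # COSE_Sign1 = [protected bstr, unprotected map, payload bstr, signature bstr]
        if not (isinstance(auth, list) and len(auth) == 4):
            problems.append("issuerAuth must be a 4-element COSE_Sign1 array")
        else:
            for i, (part, typ) in enumerate(zip(auth, (bytes, dict, bytes, bytes))):
                if not isinstance(part, typ):
                    problems.append(f"issuerAuth[{i}] must be {typ.__name__}, got {type(part).__name__}")
    namespaces = issuer_signed.get("nameSpaces")
    if namespaces is not None:  # each namespace maps to an ARRAY of IssuerSignedItemBytes
        if not isinstance(namespaces, dict):
            problems.append("nameSpaces must be a map")
        else:
            for name, items in namespaces.items():
                if not isinstance(items, list) or not items:
                    problems.append(f"nameSpaces[{name!r}] must be a non-empty array, got {type(items).__name__}")
                elif not all(_is_item_bytes(it) for it in items):
                    problems.append(f"nameSpaces[{name!r}] contains a non-bstr element")
    return problems


# Constructed samples, not real mDOC data. GOOD mirrors the shape issuer_signed_b64() now emits;
# BAD mirrors what _patch_mdoc_keys had to repair (snake_case keys and a scalar value are assumed).
GOOD = {"nameSpaces": {"org.iso.18013.5.1": [b"\xa4item1", b"\xa4item2"]},
        "issuerAuth": [b"\xa1\x01\x26", {}, b"mso-bytes", b"signature"]}
BAD = {"name_spaces": {"org.iso.18013.5.1": b"\xa4item1"},
       "issuer_auth": [b"\xa1\x01\x26", {}, b"mso-bytes", b"signature"]}
```

A verifier can run this on the decoded IssuerSigned before any signature work, so malformed output from an issuer is rejected with a specific reason rather than a generic COSE failure.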