Commit 3afd79f

docs: add certificate verification section to README and rename doc file
- Add certificate chain and hash verification section to README
- Rename certificate_chain_verification.md to CERTIFICATE-CHAIN-VERIFICATION.md for consistency
- Move cryptography imports to top of mso/verifier.py per maintainer feedback
1 parent 289638c commit 3afd79f

3 files changed

Lines changed: 26 additions & 3 deletions

README.md

Lines changed: 20 additions & 0 deletions
@@ -183,6 +183,26 @@ mdoc.disclosure_map
183183
>> ... dictionary containing all the disclosed attributes ...
184184
````
185185

186+
### Verify with Certificate Chain and Element Hashes
187+
188+
For production use, verify both the X.509 certificate chain and element hashes:
189+
190+
````python
191+
from pymdoccbor.mdoc.verifier import MdocCbor
192+
from cryptography import x509
193+
from cryptography.hazmat.backends import default_backend
194+
195+
# Load trusted root certificates
196+
with open('iaca_cert.pem', 'rb') as f:
197+
iaca_cert = x509.load_pem_x509_certificate(f.read(), default_backend())
198+
199+
mdoc = MdocCbor()
200+
mdoc.loads(device_response_bytes)
201+
is_valid = mdoc.verify(trusted_root_certs=[iaca_cert], verify_hashes=True)
202+
````
203+
204+
For complete documentation on certificate chain verification and hash verification, see [docs/CERTIFICATE-CHAIN-VERIFICATION.md](docs/CERTIFICATE-CHAIN-VERIFICATION.md).
205+
186206
### Verify the Mobile Security Object
187207

188208
````
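
Review bot: The new README section (lines 186-204) says "For production use" but never states what `mdoc.verify()` does when `trusted_root_certs` is omitted, or how a failed check is reported; the example assigns `is_valid` and stops. Add a sentence saying whether the certificate chain is checked at all without trusted roots, and show the caller acting on `is_valid` (or catching an exception, if that is how failure surfaces) so readers do not treat an unchecked return value as success. Separately, `default_backend()` on line 197 is unnecessary where the project's minimum `cryptography` version is 3.1 or later, since the `backend` argument to `x509.load_pem_x509_certificate` is optional from that release; the import on line 193 can then be dropped.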

pymdoccbor/mso/verifier.py

Lines changed: 6 additions & 3 deletions
@@ -11,6 +11,11 @@
1111
MsoX509ChainNotFound,
1212
UnsupportedMsoDataFormat
1313
)
14+
15+
from cryptography import x509
16+
from cryptography.hazmat.primitives import hashes
17+
from cryptography.exceptions import InvalidSignature
18+
1419
from pymdoccbor import settings
1520
from pymdoccbor.tools import bytes2CoseSign1, cborlist2CoseSign1
1621

@@ -132,9 +137,7 @@ def attest_public_key(self, trusted_root_certs: list = None):
132137
return None
133138

134139
# Verify certificate chain
135-
from cryptography import x509
136-
from cryptography.hazmat.primitives import hashes
137-
from cryptography.exceptions import InvalidSignature
140+
138141

139142
# Load DS certificate (first in chain)
140143
ds_cert = self.x509_certificates[0] if self.x509_certificates else None
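
Review bot: The blank line added at line 140 leaves the `# Verify certificate chain` comment followed by two empty lines and then a second comment, so it no longer labels any code. Delete the added blank line, or move the comment down so it sits directly above the chain-verification logic it describes. While this function is being touched, the signature shown in the hunk header annotates `trusted_root_certs: list = None`; `Optional[list]` would match the `None` default.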
