chore: documentation, dependencies, security and CI

Author: peppelinux

.flake8

@@ -0,0 +1,14 @@
+[flake8]
+max-line-length = 120
+extend-ignore = E203, W503
+exclude =
+    .git,
+    __pycache__,
+    .venv,
+    venv,
+    build,
+    dist,
+    *.egg-info
+per-file-ignores =
+    __init__.py:F401
+    pymdoccbor/tests/*:E501

.github/workflows/code-quality.yml

@@ -0,0 +1,90 @@
+# Code quality: flake8, isort, bandit
+name: Code quality
+
+on:
+  push:
+    branches: ["*"]
+  pull_request:
+    branches: ["*"]
+
+jobs:
+  lint:
+    name: flake8
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - name: Create venv and install
+        run: |
+          python -m venv env
+          source env/bin/activate
+          pip install --upgrade pip flake8
+          if [ -f requirements-dev.txt ]; then pip install -r requirements-dev.txt; fi
+          pip install -e .
+      - name: Run flake8
+        run: |
+          source env/bin/activate
+          flake8 pymdoccbor
+
+  isort:
+    name: isort
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - name: Create venv and install
+        run: |
+          python -m venv env
+          source env/bin/activate
+          pip install --upgrade pip isort
+          pip install -e .
+      - name: Check import order with isort
+        run: |
+          source env/bin/activate
+          isort pymdoccbor --check-only --diff
+
+  bandit:
+    name: Bandit security scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - name: Create venv and install
+        run: |
+          python -m venv env
+          source env/bin/activate
+          pip install --upgrade pip bandit
+          pip install -e .
+      - name: Run Bandit security scan
+        run: |
+          source env/bin/activate
+          bandit -r -x pymdoccbor/tests pymdoccbor -f txt
+
+  radon:
+    name: Radon complexity
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - name: Create venv and install
+        run: |
+          python -m venv env
+          source env/bin/activate
+          pip install --upgrade pip radon
+          pip install -e .
+      - name: Run Radon (maintainability index, no fail)
+        run: |
+          source env/bin/activate
+          radon cc pymdoccbor -a -n B || true
+      - name: Run Radon (raw metrics)
+        run: |
+          source env/bin/activate
+          radon raw pymdoccbor -s || true

.github/workflows/dependency-security.yml

@@ -0,0 +1,34 @@
+# Security audit of Python dependencies (known vulnerabilities)
+name: Dependency security
+
+on:
+  push:
+    branches: ["*"]
+  pull_request:
+    branches: ["*"]
+
+jobs:
+  pip-audit:
+    name: pip-audit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Create venv and install
+        run: |
+          python -m venv env
+          source env/bin/activate
+          pip install --upgrade pip pip-audit
+          pip install "cbor2>=5.4.0" "cbor-diag>=1.1.0" "pycose>=1.0.1"
+          pip install -r requirements-dev.txt
+
+      # Exit 1 on any vulnerability (fail CI). --skip-editable whitelists pymdoccbor (local package, not on PyPI).
+      # Ignore only unfixable: ecdsa CVE-2024-23342 (no upstream fix; see docs/SECURITY-DEPENDENCIES.md).
+      - name: Run pip-audit (dependencies)
+        run: |
+          source env/bin/activate
+          pip-audit --skip-editable --ignore-vuln CVE-2024-23342

.github/workflows/python-app.yml

@@ -1,4 +1,4 @@
-# This workflow will install Python dependencies, run tests and lint with a single version of Python
+# This workflow installs dependencies, runs examples and tests (lint is in code-quality workflow)
 # For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
 
 name: pymdoccbor
@@ -23,32 +23,39 @@ jobs:
           - "3.12"
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@v5
       with:
         python-version: ${{ matrix.python-version }}
     - name: Install system package
       run: |
         sudo apt update
-        sudo apt install python3-dev libssl-dev libffi-dev make automake gcc g++ 
-    - name: Install dependencies
+        sudo apt install python3-dev libssl-dev libffi-dev make automake gcc g++
+    - name: Create venv and install
       run: |
-        python -m pip install --upgrade pip
+        python -m venv env
+        source env/bin/activate
+        pip install --upgrade pip setuptools
         if [ -f requirements-dev.txt ]; then pip install -r requirements-dev.txt; fi
         if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
         if [ -f requirements-customizations.txt ]; then pip install -r requirements-customizations.txt; fi
-        python -m pip install -U setuptools
-        python -m pip install -e .
-    - name: Lint with flake8
+        pip install -e .
+    - name: Run examples
       run: |
-        # stop the build if there are Python syntax errors or undefined names
-        flake8 pymdoccbor --count --select=E9,F63,F7,F82 --show-source --statistics
-        # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
-        flake8 pymdoccbor --count --exit-zero --statistics  --max-line-length 160
-    - name: Tests
+        source env/bin/activate
+        chmod +x scripts/run_examples.sh
+        ./scripts/run_examples.sh
+    - name: Run README and docs examples
       run: |
-        pytest --cov
-    - name: Bandit Security Scan
+        source env/bin/activate
+        python scripts/run_doc_examples.py
+    - name: Tests with coverage
       run: |
-        bandit -r -x pymdoccbor/test* pymdoccbor/*
+        source env/bin/activate
+        pytest --cov=pymdoccbor --cov-report=xml --cov-report=term-missing
+    - name: Upload coverage to Codecov
+      uses: codecov/codecov-action@v4
+      with:
+        file: ./coverage.xml
+        fail_ci_if_error: false

README.md

@@ -71,11 +71,20 @@ mdoc = mdoci.new(
 `MdocCborIssuer` must be initialized with a private key.
 The method `.new()` gets the user attributes, devicekeyinfo and doctype.
 
-````
+````python
 import os
+from datetime import datetime, timezone, timedelta
 
 from pymdoccbor.mdoc.issuer import MdocCborIssuer
 
+CERT_INFO = {
+    "country_name": "IT",
+    "organization_name": "Example Issuer",
+    "common_name": "Example mDL",
+    "not_valid_before": datetime.now(timezone.utc) - timedelta(days=1),
+    "not_valid_after": datetime.now(timezone.utc) + timedelta(days=365),
+}
+
 PKEY = {
     'KTY': 'EC2',
     'CURVE': 'P_256',
@@ -85,39 +94,36 @@ PKEY = {
 }
 
 PID_DATA = {
-        "eu.europa.ec.eudiw.pid.1": {
-            "family_name": "Raffaello",
-            "given_name": "Mascetti",
-            "birth_date": "1922-03-13",
-	        "birth_place": "Rome",
-            "birth_country": "IT"
-        }
+    "eu.europa.ec.eudiw.pid.1": {
+        "family_name": "Raffaello",
+        "given_name": "Mascetti",
+        "birth_date": "1922-03-13",
+        "birth_place": "Rome",
+        "birth_country": "IT"
     }
+}
 
 mdoci = MdocCborIssuer(
     private_key=PKEY,
-    alg = "ES256"
+    alg="ES256",
+    cert_info=CERT_INFO,
 )
 
 mdoc = mdoci.new(
     doctype="eu.europa.ec.eudiw.pid.1",
     data=PID_DATA,
     devicekeyinfo=PKEY,
-    validity = {"issuance_date": "2025-01-17", "expiry_date": "2025-11-13" },
-    # cert_path="/path/"
+    validity={"issuance_date": "2025-01-17", "expiry_date": "2025-11-13"},
 )
 
-mdoc
->> returns a python dictionay
-
-mdoc.dump()
->> returns mdoc MSO bytes
+assert mdoc
+# >> mdoc returns a python dictionary (signed mdoc)
 
-mdoci.dump()
->> returns mdoc bytes
+assert mdoci.dump()
+# >> mdoci.dumps() returns mdoc bytes
 
-mdoci.dumps()
->> returns AF Binary mdoc string representation
+assert mdoci.dumps()
+# >> mdoci.dumps() returns mdoc bytes
 ````
 
 ### Issue an MSO alone

docs/FIX_ERRORS_FIELD.md

@@ -76,31 +76,53 @@ All tests pass: **36/36 passed**
 
 ### With errors field (status != 0)
 ```python
+import os
+from datetime import datetime, timezone, timedelta
+from pymdoccbor.mdoc.issuer import MdocCborIssuer
 from pymdoccbor.mdoc.verifier import MobileDocument
 
-document = {
-    'docType': 'eu.europa.ec.eudi.pid.1',
-    'issuerSigned': {...},
-    'errors': {
-        'eu.europa.ec.eudi.pid.1': {
-            'missing_element': 1
-        }
-    }
+CERT_INFO = {
+    "country_name": "IT",
+    "organization_name": "Example",
+    "common_name": "Example mDL",
+    "not_valid_before": datetime.now(timezone.utc) - timedelta(days=1),
+    "not_valid_after": datetime.now(timezone.utc) + timedelta(days=365),
 }
+PKEY = {"KTY": "EC2", "CURVE": "P_256", "ALG": "ES256", "D": os.urandom(32), "KID": b"kid"}
+DATA = {"org.micov.medical.1": {"family_name": "Test", "given_name": "User"}}
+
+issuer = MdocCborIssuer(private_key=PKEY, alg="ES256", cert_info=CERT_INFO)
+issuer.new(data=DATA, doctype="org.micov.medical.1", validity={"issuance_date": "2025-01-01", "expiry_date": "2025-12-31"})
+document = issuer.signed["documents"][0]
+document["errors"] = {"org.micov.medical.1": {"missing_element": 1}}
 
-doc = MobileDocument(**document)  # ✅ Works now!
-print(doc.errors)  # {'eu.europa.ec.eudi.pid.1': {'missing_element': 1}}
+doc = MobileDocument(**document)
+assert doc.errors == {"org.micov.medical.1": {"missing_element": 1}}
 ```
 
 ### Without errors field (status == 0)
 ```python
-document = {
-    'docType': 'eu.europa.ec.eudi.pid.1',
-    'issuerSigned': {...}
+import os
+from datetime import datetime, timezone, timedelta
+from pymdoccbor.mdoc.issuer import MdocCborIssuer
+from pymdoccbor.mdoc.verifier import MobileDocument
+
+CERT_INFO = {
+    "country_name": "IT",
+    "organization_name": "Example",
+    "common_name": "Example mDL",
+    "not_valid_before": datetime.now(timezone.utc) - timedelta(days=1),
+    "not_valid_after": datetime.now(timezone.utc) + timedelta(days=365),
 }
+PKEY = {"KTY": "EC2", "CURVE": "P_256", "ALG": "ES256", "D": os.urandom(32), "KID": b"kid"}
+DATA = {"org.micov.medical.1": {"family_name": "Test", "given_name": "User"}}
+
+issuer = MdocCborIssuer(private_key=PKEY, alg="ES256", cert_info=CERT_INFO)
+issuer.new(data=DATA, doctype="org.micov.medical.1", validity={"issuance_date": "2025-01-01", "expiry_date": "2025-12-31"})
+document = issuer.signed["documents"][0]
 
-doc = MobileDocument(**document)  # ✅ Still works
-print(doc.errors)  # {}
+doc = MobileDocument(**document)
+assert doc.errors == {}
 ```
 
 ## ISO 18013-5 Reference

docs/SECURITY-DEPENDENCIES.md

@@ -0,0 +1,37 @@
+# Dependency security and known issues
+
+This document describes known unfixable or accepted dependency vulnerabilities and possible alternatives.
+
+## ecdsa CVE-2024-23342 (Minerva timing attack, no fix)
+
+**Status:** Ignored in `pip-audit` via `--ignore-vuln CVE-2024-23342`. No upstream fix is planned.
+
+**What it is:** A Minerva timing attack on the P-256 curve. Using `ecdsa.SigningKey.sign_digest()` and measuring timing can leak the internal nonce and potentially the private key. Affects ECDSA signing, key generation, and ECDH. **ECDSA signature verification is not affected.**
+
+**Why we have it:** The `ecdsa` package is a transitive dependency of [pycose](https://github.com/TimothyClaeys/pycose). Pycose uses `ecdsa` for deterministic ECDSA (RFC 6979); it uses [cryptography](https://cryptography.io) for other operations.
+
+**Alternatives / mitigations:**
+
+1. **Keep ignoring in CI**  
+   Document the risk (as here) and continue with `--ignore-vuln CVE-2024-23342`. The python-ecdsa project [considers side-channel attacks out of scope](https://github.com/tlsfuzzer/python-ecdsa/issues/330); there is no planned fix.
+
+2. **Prefer Ed25519 (EdDSA) where possible**  
+   This codebase and pycose support EdDSA (e.g. `EdDSA` / Ed25519), which is not affected by this CVE. When you control key and algorithm choice, prefer Ed25519 for new use.
+
+3. **Limit exposure**  
+   If your use case only **verifies** MSO/mdoc signatures (no signing with P-256 in process), the vulnerable code path (signing/keygen) may not be exercised in your deployment. Verification is explicitly unaffected.
+
+4. **Upstream change**  
+   Ask or contribute to pycose to use `cryptography` for deterministic ECDSA (ES256/ES384/ES512) instead of `ecdsa`, so the dependency can be dropped once pycose supports it.
+
+5. **Alternative COSE library**  
+   Switching to another COSE implementation that does not depend on `ecdsa` would remove the vulnerability from the dependency tree; this would require a larger change in this project.
+
+## cryptography (previously ignored; now resolved)
+
+**Status:** No longer ignored. With current dependency resolution, `pip install` picks `cryptography>=42`, so the previously known cryptography CVEs (e.g. PYSEC-2024-225, CVE-2023-50782, CVE-2024-0727, GHSA-h4gh-qq45-vh27) are addressed by the default resolution.
+
+If you ever see cryptography-related vulns again in CI (e.g. after adding a new dependency that pins `cryptography<42`), options are:
+
+- Prefer upgrading the constraining dependency (e.g. ensure pycose’s transitive deps use versions that allow `cryptography>=42`; [pyhpke](https://pypi.org/project/pyhpke/) 0.6.x already requires `cryptography>=42.0.1,<47`).
+- As a last resort, re-add temporary `--ignore-vuln` for the specific cryptography advisories and track the issue until the dependency tree can be updated.