
openbadgeslib 1.2.0


@luisgf luisgf released this 01 Jul 12:54

Minor release adding four OpenBadges 3.0 / cryptography features on top of the v1.1.6 security & correctness baseline. No breaking changes; a drop-in upgrade. cryptography is now an explicit dependency (it was already pulled in transitively by PyJWT[crypto]).

New features

  • Ed25519 (EdDSA) keys, end to end: key generation (key_type = ED25519 in the badge profile), plus OB2 JWS and OB3 JWT-VC signing and verification. detect_key_type now classifies an Ed25519 PEM explicitly (the ecdsa library would otherwise misread it as a NIST/ECC key), and the algorithm-pinning allowlists bind EdDSA to Ed25519 keys, so a token whose alg does not match the key type is still rejected. (#103)

  • OB3 credential revocation via credentialStatus, the OB3 counterpart of OB2's revocation control. OB3Verifier.verify(check_status=True) (and openbadges-verifier --check-status) resolves each status entry (W3C Bitstring Status List v1.0 and the legacy StatusList2021), fetches the status list over HTTPS, decodes the multibase base64url + GZIP bitstring under a bounded inflate, and rejects a set revocation or suspension bit. The check fails closed when enabled. It verifies the published status bit only, not the status-list credential's own signature, so trust in the list rests on the HTTPS origin rather than on the issuer's signature (documented). (#104)

  • DID resolution for OB3 issuer identity. New ob3.resolve_did() and OB3Verifier.for_issuer_did() support did:key (Ed25519 and P-256, self-certifying, offline) and did:web (fetches the DID document over HTTPS and reads its first verification method's publicKeyJwk or publicKeyMultibase). openbadges-verifier --resolve-did reads the issuer DID from the token and resolves it when no key is supplied. did:key needs no external trust; did:web trusts the host's DNS + TLS (documented in the Security Model). (#105)

  • --json verifier output. openbadges-verifier --json emits a single machine-readable JSON result (valid, ob_version, recipient, reason, plus OB2 trusted/status or OB3 issuer/achievement/…) instead of the human lines, and exits 0 when valid / non-zero otherwise — usable in CI and services without scraping stdout. The default human output and its exit codes are unchanged. (#106)
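Worked example for the credentialStatus item above. This is an added illustration, not openbadgeslib's own OB3Verifier code: it implements the Bitstring Status List decoding the item describes (multibase 'u' prefix, base64url, GZIP, most-significant-bit-first bit order) behind a bounded inflate, and fails closed on anything malformed or out of range. The status-list URL, the inflate limit, the 16 KiB minimum-size rule and the in-memory stand-in for the HTTPS fetch are assumptions; accepting a StatusList2021 encodedList without the multibase prefix as plain base64url is also an assumption.

```python
import base64
import gzip
import zlib

# W3C Bitstring Status List v1.0 minimum list size (16 KiB); shorter lists are
# treated as malformed here (assumed fail-closed policy).
MIN_BITS = 131_072
# Upper bound on the inflated bitstring; anything larger is treated as a
# decompression bomb (assumed policy value, not taken from the release notes).
MAX_INFLATED = 1 << 20


def encode_status_list(bits: bytes) -> str:
    """Issuer side: GZIP the raw bitstring, then multibase base64url-no-pad ('u' prefix)."""
    return "u" + base64.urlsafe_b64encode(gzip.compress(bits)).rstrip(b"=").decode("ascii")


def bounded_gunzip(data: bytes, limit: int) -> bytes:
    """Inflate, refusing output larger than `limit` bytes or an incomplete gzip stream."""
    d = zlib.decompressobj(wbits=31)          # 31: expect the gzip container
    out = d.decompress(data, limit + 1)       # zlib never emits more than limit+1 bytes
    if len(out) > limit:
        raise ValueError(f"status list inflates past {limit} bytes")
    if not d.eof:
        raise ValueError("truncated or malformed gzip stream")
    return out


def decode_status_list(encoded: str) -> bytes:
    """Multibase base64url -> GZIP -> raw bitstring. An unprefixed base64url value is
    accepted as well (assumption: legacy StatusList2021 lists published that way)."""
    if encoded.startswith("u"):
        encoded = encoded[1:]
    compressed = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
    bits = bounded_gunzip(compressed, MAX_INFLATED)
    if len(bits) * 8 < MIN_BITS:
        raise ValueError(f"status list has {len(bits) * 8} bits, below the {MIN_BITS} minimum")
    return bits


def status_bit(bits: bytes, index: int) -> int:
    """Bit `index`, counted from the most significant bit of the first byte (spec bit order)."""
    if not 0 <= index < len(bits) * 8:
        raise ValueError(f"statusListIndex {index} outside a list of {len(bits) * 8} bits")
    return (bits[index // 8] >> (7 - index % 8)) & 1


def check_credential_status(entry: dict, fetch) -> str:
    """Fail-closed check of one credentialStatus entry: returns "ok" or raises ValueError.
    `fetch(url)` must return the status list credential as a dict (stubbed in memory below)."""
    if entry.get("type") not in ("BitstringStatusListEntry", "StatusList2021Entry"):
        raise ValueError(f"unsupported credentialStatus type {entry.get('type')!r}")
    purpose = entry.get("statusPurpose")
    if purpose not in ("revocation", "suspension"):
        raise ValueError(f"unsupported statusPurpose {purpose!r}")
    url = entry["statusListCredential"]
    if not url.startswith("https://"):
        raise ValueError("status list credential must be an https:// URL")
    subject = fetch(url)["credentialSubject"]
    if subject.get("statusPurpose") != purpose:     # an entry may not borrow another purpose's list
        raise ValueError("statusPurpose of the list does not match the entry")
    if status_bit(decode_status_list(subject["encodedList"]), int(entry["statusListIndex"])):
        raise ValueError("credential is " + ("revoked" if purpose == "revocation" else "suspended"))
    return "ok"


# Constructed sample: a 16 KiB revocation list with only index 42 set, served from memory.
DEMO_URL = "https://issuer.example/status/revocation"   # assumed URL


def _demo_bits() -> bytes:
    bits = bytearray(MIN_BITS // 8)
    bits[42 // 8] |= 1 << (7 - 42 % 8)
    return bytes(bits)


DEMO_LISTS = {DEMO_URL: {"credentialSubject": {
    "type": "BitstringStatusList", "statusPurpose": "revocation",
    "encodedList": encode_status_list(_demo_bits())}}}


def demo(index: int) -> str:
    """Verify a constructed entry pointing at DEMO_URL; returns "ok" or the rejection reason."""
    entry = {"type": "BitstringStatusListEntry", "statusPurpose": "revocation",
             "statusListIndex": str(index), "statusListCredential": DEMO_URL}
    try:
        return check_credential_status(entry, DEMO_LISTS.__getitem__)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print(demo(7))     # ok
    print(demo(42))    # rejected: credential is revoked
```

Like the feature it illustrates, this checks only the published bit: nothing here verifies the status list credential's own proof, so the list is exactly as trustworthy as the HTTPS origin it was fetched from. The bounded inflate is the part worth keeping even if everything else is replaced: a status list is attacker-influenced input, and an unbounded gzip decode of it is a memory-exhaustion vector.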
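Worked example for the Ed25519 key-type detection / algorithm-pinning item and the DID resolution item above. It is an added illustration, not the library's detect_key_type or ob3.resolve_did: it classifies a SubjectPublicKeyInfo PEM by the AlgorithmIdentifier OID in its DER (so an Ed25519 key can never be mistaken for a NIST curve key), pins the JOSE alg a token may carry to that key type, decodes did:key by its multicodec prefix, and maps did:web to the URL of its DID document without fetching it. The key-type names, the ALLOWED_ALGS table, the constructed placeholder keys and the omission of the did:web fetch are assumptions.

```python
import base64
import re

# DER AlgorithmIdentifier OIDs found inside a SubjectPublicKeyInfo.
OID_ED25519 = bytes.fromhex("06032b6570")            # 1.3.101.112 (id-Ed25519)
OID_EC_PUBKEY = bytes.fromhex("06072a8648ce3d0201")  # 1.2.840.10045.2.1 (id-ecPublicKey)
OID_P256 = bytes.fromhex("06082a8648ce3d030107")     # 1.2.840.10045.3.1.7 (prime256v1)
OID_RSA = bytes.fromhex("06092a864886f70d010101")    # 1.2.840.113549.1.1.1 (rsaEncryption)

# Algorithm pinning: the only JOSE "alg" values accepted per key type (assumed table).
ALLOWED_ALGS = {"ED25519": {"EdDSA"}, "ECDSA_P256": {"ES256"}, "RSA": {"RS256", "PS256"}}

# did:key multicodec prefixes (unsigned varint) -> (key type, expected key length).
MULTICODEC = {b"\xed\x01": ("ED25519", 32), b"\x80\x24": ("ECDSA_P256", 33)}
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _tlv(buf: bytes, pos: int = 0):
    """Read one DER TLV; returns (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def detect_key_type(pem: str) -> str:
    """Classify a PEM 'PUBLIC KEY' by its AlgorithmIdentifier OID, not by trial parsing."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem, re.S)
    if not m:
        raise ValueError("expected a SubjectPublicKeyInfo PEM block")
    tag, spki, _ = _tlv(base64.b64decode("".join(m.group(1).split())))
    alg_tag, alg_id, _ = _tlv(spki)                   # first element: AlgorithmIdentifier
    if tag != 0x30 or alg_tag != 0x30:
        raise ValueError("malformed SubjectPublicKeyInfo")
    if alg_id == OID_ED25519:                          # Ed25519 carries no parameters field
        return "ED25519"
    if alg_id.startswith(OID_EC_PUBKEY):
        if alg_id[len(OID_EC_PUBKEY):] == OID_P256:
            return "ECDSA_P256"
        raise ValueError("EC key on an unsupported curve")
    if alg_id.startswith(OID_RSA):
        return "RSA"
    raise ValueError("unsupported public key algorithm")


def alg_allowed(key_type: str, alg: str) -> bool:
    """True only if the token header's alg is the one pinned to this key type."""
    return alg in ALLOWED_ALGS.get(key_type, set())


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)                     # ValueError on a non-base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body


def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def resolve_did_key(did: str):
    """did:key -> (key type, raw public key). Self-certifying: no fetch, no trust anchor."""
    if not did.startswith("did:key:z"):                # 'z' = multibase base58btc
        raise ValueError("only base58btc did:key identifiers are supported")
    raw = b58decode(did[len("did:key:z"):])
    for prefix, (key_type, size) in MULTICODEC.items():
        if raw.startswith(prefix):
            if len(raw) - len(prefix) != size:
                raise ValueError(f"{key_type} did:key has {len(raw) - len(prefix)} key bytes, expected {size}")
            return key_type, raw[len(prefix):]
    raise ValueError("unsupported multicodec prefix in did:key")


def did_key_from_ed25519(public_key: bytes) -> str:
    return "did:key:z" + b58encode(b"\xed\x01" + public_key)


def did_web_document_url(did: str) -> str:
    """did:web -> HTTPS URL of its DID document (the fetch itself is not shown here).
    Trust is the host's DNS + TLS, which is why the scheme is fixed to https."""
    if not did.startswith("did:web:"):
        raise ValueError("not a did:web identifier")
    host, *path = did[len("did:web:"):].split(":")
    host = host.replace("%3A", ":")                    # percent-encoded port, per the did:web spec
    return f"https://{host}/{'/'.join(path)}/did.json" if path else f"https://{host}/.well-known/did.json"


def _pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END PUBLIC KEY-----\n"


# Constructed keys: genuine SPKI framing around placeholder key bytes (not usable for signing).
ED25519_PEM = _pem(bytes.fromhex("302a300506032b6570032100") + bytes(range(32)))
P256_PEM = _pem(bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200")
                + b"\x04" + bytes(range(64)))

if __name__ == "__main__":
    print(detect_key_type(ED25519_PEM), detect_key_type(P256_PEM))      # ED25519 ECDSA_P256
    print(alg_allowed("ED25519", "ES256"))                              # False: cross-type token rejected
    print(resolve_did_key(did_key_from_ed25519(bytes(range(32))))[0])   # ED25519
```

The point of deciding the key type from the OID (or the multicodec prefix) before any signature check is that the verification call can then be made with a single-element algorithms list: an ES256 token presented against an Ed25519 issuer key, or an EdDSA token against a P-256 key, is refused at the allowlist rather than handed to a library that might try to make sense of it.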

See Changelog.txt for the full list.