v3.2.0

@luisgf luisgf released this 03 Jul 18:27

Feature release: verification of W3C Data Integrity (Linked Data Proof) credentials — the second proof format Open Badges 3.0 allows, alongside the VC-JWT stack this library already ships. Verify-only by design (issuing stays JWT-VC), and fully opt-in via a new packaging extra:

pip install "openbadgeslib[ldp]"

Added

  • feat(ob3): OB3LdpVerifier verifies OB 3.0 credentials secured with an embedded Data Integrity proof, cryptosuite eddsa-rdfc-2022 (W3C Recommendation vc-di-eddsa) — validated byte-for-byte against the official W3C test vectors, which ship as fixtures. The low-level crypto core is exposed as verify_data_integrity_proof for non-OB3 VCs. Same API, trust model and exceptions as the JWT verifier: pinned key wins; otherwise the key resolves from proof.verificationMethod with fail-closed binding to the credential's DID issuer; expected_recipient / check_status behave identically.
  • feat(ob3): JSON-LD @context documents are never fetched from the network — the exact context files (VC 2.0, the published OB v3p0 revisions, data-integrity/v2, multikey/v1) ship pinned inside the wheel with recorded provenance, behind an exact-match allowlist (unknown context ⇒ fail closed). Documents are capped at 256 KiB before canonicalization (poison-graph guard).
  • feat(ob3): resolve_verification_method resolves the exact verificationMethod URL a proof names (did:key fragment validation; did:web entry selected by id, no silent [0] fallback).
  • feat(baking): the OB 3.0 §5.3 text-content carrier for Data Integrity credentials — bake_svg(..., as_text=True) / extract_svg(..., text_fallback=True); PNG needed no change.
  • feat(cli): openbadges-verifier -V 3 autodetects the baked payload (compact JWT vs credential JSON) with the same trust flags — no new options — and reports proof_format ("vc-jwt" / "ldp") in --json. Without the extra, the failure reason carries the install hint.
  • feat(api): OpenBadgeCredential.from_vc_document reconstructs a credential from its JSON-LD document shape.

Not included (deferred): the ecdsa-sd-2023 selective-disclosure cryptosuite — it fails closed with a clear "unsupported cryptosuite" message; the cryptosuite registry makes it an additive future module.

Everything works without the extra: the base install is unchanged, LDP tests skip cleanly, and attempting an LDP verification reports the install hint, pip install openbadgeslib[ldp].

Verified with flake8, mypy (strict), the full test suite (760 with the extra; 726 + 27 skipped without), a real-CLI end-to-end run (pinned key trusted / did:key untrusted / tampered rejected), and a clean-venv wheel install check, on Python 3.10–3.13.
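The pinned-context rule and size cap from the feat(ob3) notes above, as an added sketch that is not openbadgeslib's own code: the document is size-checked before parsing, and every @context entry must match an allowlisted URL exactly, with no fetch on a miss. All names are hypothetical, the pinned context bodies are constructed stand-ins, and rejecting inline @context objects is an assumption of this sketch.

```python
import json

MAX_DOCUMENT_BYTES = 256 * 1024  # the 256 KiB cap stated in the release notes

# Constructed stand-ins: a real package ships the full, provenance-recorded files.
PINNED_CONTEXTS = {
    "https://www.w3.org/ns/credentials/v2": {"@context": {"@protected": True}},
    "https://w3id.org/security/data-integrity/v2": {"@context": {"@protected": True}},
}


class ContextError(ValueError):
    """The document must be rejected before canonicalization."""


def load_context(url):
    """Exact string match against the pinned set; never a network fetch."""
    if url not in PINNED_CONTEXTS:
        raise ContextError(f"unknown @context {url!r}: failing closed")
    return PINNED_CONTEXTS[url]


def precheck(raw: bytes) -> dict:
    """Apply the size cap, then the allowlist, before any JSON-LD processing."""
    if len(raw) > MAX_DOCUMENT_BYTES:
        raise ContextError("document exceeds the 256 KiB cap")
    doc = json.loads(raw)
    if not isinstance(doc, dict):
        raise ContextError("credential must be a JSON object")
    contexts = doc.get("@context")
    if isinstance(contexts, str):
        contexts = [contexts]
    if not isinstance(contexts, list) or not contexts:
        raise ContextError("missing @context")
    for entry in contexts:
        if not isinstance(entry, str):
            # Assumption of this sketch: inline context objects are refused.
            raise ContextError("inline @context objects are not allowed")
        load_context(entry)  # no URL normalization: near-misses fail too
    return doc


def is_accepted(raw: bytes) -> bool:
    """True only if the document passes every pre-canonicalization check."""
    try:
        precheck(raw)
        return True
    except ValueError:  # ContextError and JSON decode errors alike
        return False
```

Because the comparison is a plain string match, a trailing slash or an http:// variant of a pinned URL is rejected the same way as an attacker-controlled context.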

Full history: Changelog.txt