Passport Reader

[0xVikasRushi]

• Added sod, dsc parsing
• Added passport extractor
• Added circuits inputs for complete_age_check
• mock data generator with mimic us real passport data

[codspeed-hq]

CodSpeed WallTime Performance Report

Merging #178 will improve performances by 33.33%

_{Comparing vr/passport-parser (bce9885) with main (56f91aa)}

⚠️ Unknown Walltime execution environment detected

Using the Walltime instrument on standard Hosted Runners will lead to inconsistent data.

For the most accurate results, we recommend using CodSpeed Macro Runners: bare-metal machines fine-tuned for performance measurement consistency.

Summary

⚡ 1 improvement
✅ 34 untouched

Benchmarks breakdown

	Benchmark	BASE	HEAD	Change
⚡	reduce_add_rc	4 ns	3 ns	+33.33%

[Copilot]

Pull Request Overview

This PR introduces a comprehensive passport reader system that replaces the previous mock test data generation with real passport SOD parsing and certificate validation capabilities. The key changes include:

• Replace mock data generators with real passport SOD (Security Object Document) parsing
• Add DSC (Document Signer Certificate) and CSCA (Country Signing Certificate Authority) validation
• Implement circuit input generation for complete age verification workflows

Reviewed Changes

Copilot reviewed 17 out of 19 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
src/lib.rs	New main library interface implementing PassportReader with validation and circuit input generation
src/parser/*.rs	Parser modules for binary data, SOD structures, DSC certificates, and type definitions
src/mock_generator.rs	Mock data generation utilities for testing with synthetic passport data
src/mock_keys.rs	Mock RSA private keys for testing certificate validation
csca_registry/csca_public_key.json	USA CSCA public key registry for certificate chain validation
Cargo.toml	Updated dependencies for X.509 parsing, ASN.1 handling, and cryptographic operations

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

Thread-local storage with RefCell can cause issues in multi-threaded environments. Consider using a global static with Mutex or RwLock for thread-safe access, or document that this should only be used in single-threaded contexts.

[Copilot]

The signing time parsing assumes the UtcTime string can be directly formatted as a date, but this may not always be valid. The fallback to current time could mask parsing errors and return incorrect timestamps.

Suggested change

	signing_time: signed_attrs.signing_time.map(|ut| {
	let time_str = ut.to_string();
	chrono::DateTime::parse_from_rfc3339(&format!("{}T00:00:00Z", time_str))
	.unwrap_or_else(|_| chrono::Utc::now().into())
	.with_timezone(&chrono::Utc)
	signing_time: signed_attrs.signing_time.and_then(|ut| {
	// Try to parse the UtcTime using chrono. If parsing fails, return None.
	let time_str = ut.to_string();
	chrono::DateTime::parse_from_rfc3339(&format!("{}T00:00:00Z", time_str))
	.ok()
	.map(|dt| dt.with_timezone(&chrono::Utc))

[0xVikasRushi]

fixed

[Copilot]

The magic numbers 0x04 and offset 2 should be documented or defined as named constants to explain what ASN.1 structure is being parsed here.

[Copilot]

Converting binary data to hex string and then back to bytes is inefficient. Consider working directly with the binary data without the intermediate hex conversion.

Suggested change

	let hex_der = hex::decode(binary.to_hex().trim_start_matches("0x")).unwrap();
	let content_info: ContentInfo = der::decode(&hex_der).expect("CMS decode failed");
	let content_info: ContentInfo = der::decode(binary.as_bytes()).expect("CMS decode failed");

[Bisht13]

why is this needed?

[0xVikasRushi]

yeah. while running cargo test. i was getting this error without katex-header.html. not sure what is the reason

[Bisht13]

Can we import only the required items?

[Bisht13]

We should use some Date format instead of String

[Bisht13]

Don't show US passports use RSASSA-PSS? Maybe we can change it to something like this

match sod.signer_info.signature_algorithm.name {
    SignatureAlgorithmName::Sha256WithRsaEncryption => {
        dsc_pubkey.verify(Pkcs1v15Sign::new::<Sha256>(), &signed_attr_hash, &dsc_signature)
    }
    SignatureAlgorithmName::RsassaPss => {
        // Use PSS verification with proper parameters
        dsc_pubkey.verify(Pss::new::<Sha256>(), &signed_attr_hash, &dsc_signature)
    }
    // ... other algorithms
}

[0xVikasRushi]

yeah, changed that

[Bisht13]

Is it okay to hardcode DER header length?

[0xVikasRushi]

Yeah, it works but hardcoding assumes a 2-byte OCTET STRING header since its ANS.1 Encoded

[Bisht13]

Missing 4096-bit RSA support?

[0xVikasRushi]

wWe’re directly parsing the CSCA key using RsaPublicKey::from_public_key_der(), so we don’t need that.

For csc_pubkey: [u8; SIG_BYTES * 2], we’re basically defining a fixed buffer (around 512 bytes)

[Bisht13]

• Inconsistent Error Handling
• Many internal parsing details are public
• No clear API boundary between internal parsing and external interface

[Bisht13]

Use lazy_static!, heavy allocation used in multiple places.

[Bisht13]

Unnecessary clone, return and use &[u8] where possible.

[Bisht13]

We should use ISO 8601 or Unix timestamp for time format.

[Bisht13]

Please add a README as well.