open-eid · lauris71 · Feb 12, 2026 · Feb 12, 2026
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -28,7 +28,7 @@ jobs:
         echo 'path-exclude=/usr/share/doc-base/*' >> /etc/dpkg/dpkg.cfg.d/99-nodocs
         apt update -qq && apt install --no-install-recommends -y lsb-release build-essential devscripts debhelper lintian pkg-config ${UBUNTU_DEPS} doxygen swig openjdk-17-jdk-headless libpython3-dev python3-setuptools libboost-test-dev
     - name: Checkout
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
     - name: Setup changelog
       run: |
         export VERSION=$(grep project CMakeLists.txt | egrep -o "([0-9]{1,}\.)+[0-9]{1,}")
@@ -41,7 +41,7 @@ jobs:
     - name: Lintian
       run: lintian *.deb;
     - name: Archive artifacts
-      uses: actions/upload-artifact@v5
+      uses: actions/upload-artifact@v6
       with:
         name: ubuntu_${{ matrix.container }}_${{ matrix.arch }}
         path: libcdoc*.*
@@ -53,15 +53,15 @@ jobs:
         target: [androidarm, androidarm64, androidx86_64]
     steps:
     - name: Checkout
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
     - name: Expose Android NDK env
       shell: bash
       run: |
         echo "ANDROID_NDK_HOME=$ANDROID_NDK_LATEST_HOME" >> "$GITHUB_ENV"
         echo "ANDROID_NDK_ROOT=$ANDROID_NDK_LATEST_HOME" >> "$GITHUB_ENV"
         echo "VCPKG_ROOT=$VCPKG_INSTALLATION_ROOT" >> "$GITHUB_ENV"
     - name: Cache vcpkg
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: ${{ github.workspace }}/vcpkg_cache
         key: vcpkg-${{ matrix.target }}-${{ hashFiles('vcpkg.json') }}
@@ -73,7 +73,7 @@ jobs:
         cmake --build --preset ${{ matrix.target }}
         cmake --build --preset ${{ matrix.target }} --target install/strip
     - name: Archive artifacts
-      uses: actions/upload-artifact@v5
+      uses: actions/upload-artifact@v6
       with:
         name: ${{ matrix.target }}
         path: |
@@ -88,14 +88,14 @@ jobs:
       DEST: ${{ github.workspace }}/${{ matrix.target }}
     steps:
     - name: Checkout
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
     - name: Install dependencies
       run: |
         brew update
         brew install --formula flatbuffers swig doxygen boost
     - name: Cache vcpkg
       if: matrix.target != 'macos'
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: ${{ github.workspace }}/vcpkg_cache
         key: vcpkg-${{ matrix.target }}-${{ hashFiles('vcpkg.json') }}
@@ -112,7 +112,7 @@ jobs:
     - name: Install
       run: cmake --build --preset ${{ matrix.target }} --target install/strip
     - name: Archive artifacts
-      uses: actions/upload-artifact@v5
+      uses: actions/upload-artifact@v6
       with:
         name: ${{ matrix.target }}
         path: ${{ env.DEST }}
@@ -128,9 +128,9 @@ jobs:
       DEST: ${{ github.workspace }}/${{ matrix.image }}_${{ matrix.platform }}
     steps:
     - name: Checkout
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
     - name: Cache vcpkg
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: ${{ github.workspace }}/vcpkg_cache
         key: vcpkg-${{ matrix.image }}-${{ matrix.platform }}-${{ hashFiles('vcpkg.json') }}
@@ -155,7 +155,7 @@ jobs:
         ctest -V -C RelWithDebInfo --test-dir build
         cmake --install build --config RelWithDebInfo --prefix ${{ env.DEST }}
     - name: Archive artifacts
-      uses: actions/upload-artifact@v5
+      uses: actions/upload-artifact@v6
       with:
         name: ${{ matrix.image }}_${{ matrix.platform }}
         path: ${{ env.DEST }}
@@ -167,7 +167,7 @@ jobs:
       contents: write
     steps:
     - name: Checkout
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
     - name: Install dependencies
       run: sudo apt update -qq && sudo apt install --no-install-recommends -y doxygen ${UBUNTU_DEPS}
     - name: Build docs
@@ -189,7 +189,7 @@ jobs:
       PROJECTNAME: ${{ github.repository }}
     steps:
     - name: Checkout
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
     - name: Install dependencies
       run: sudo apt update -qq && sudo apt install --no-install-recommends -y curl ca-certificates ${UBUNTU_DEPS}
     - name: Download Coverity Build Tool
@@ -224,7 +224,7 @@ jobs:
       security-events: write
     steps:
     - name: Checkout
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
     - name: Install dependencies
       run: sudo apt update -qq && sudo apt install --no-install-recommends -y ${UBUNTU_DEPS}
     - name: Initialize CodeQL

diff --git a/CMakePresets.json b/CMakePresets.json
@@ -55,9 +55,8 @@
       "cacheVariables": {
         "CMAKE_SYSTEM_NAME": "iOS",
         "CMAKE_OSX_SYSROOT": "${presetName}",
-        "CMAKE_OSX_DEPLOYMENT_TARGET": "15.0",
-        "CMAKE_DISABLE_FIND_PACKAGE_SWIG": "YES",
-        "CMAKE_CXX_FLAGS": "-D_LIBCPP_DISABLE_AVAILABILITY"
+        "CMAKE_OSX_DEPLOYMENT_TARGET": "16.3",
+        "CMAKE_DISABLE_FIND_PACKAGE_SWIG": "YES"
       }
     },
     {

diff --git a/cdoc/CDoc1Reader.cpp b/cdoc/CDoc1Reader.cpp
@@ -327,7 +327,13 @@ CDoc1Reader::CDoc1Reader(libcdoc::DataSource *src, bool delete_on_close)
                     key.setBytes(Lock::Params::KEY_MATERIAL, reader.readBase64());
 				// EncryptedData/KeyInfo/EncryptedKey/KeyInfo/X509Data/X509Certificate
 				else if(reader.isElement("X509Certificate"))
-                    key.setCertificate(reader.readBase64());
+                {
+                    auto cert = reader.readBase64();
+                    Certificate ssl(cert);
+                    key.setBytes(Lock::CERT, std::move(cert));
+                    key.setBytes(Lock::RCPT_KEY, ssl.getPublicKey());
+                    key.pk_type = (ssl.getAlgorithm() == libcdoc::Certificate::RSA) ? Lock::RSA : Lock::ECC;
+                }
 				// EncryptedData/KeyInfo/EncryptedKey/KeyInfo/CipherData/CipherValue
 				else if(reader.isElement("CipherValue"))
                     key.encrypted_fmk = reader.readBase64();

diff --git a/cdoc/CDoc2Reader.cpp b/cdoc/CDoc2Reader.cpp
@@ -117,15 +117,17 @@ CDoc2Reader::getLocks()
 
 libcdoc::result_t
 CDoc2Reader::getLockForCert(const std::vector<uint8_t>& cert){
-    libcdoc::Certificate cc(cert);
-    std::vector<uint8_t> other_key = cc.getPublicKey();
+    std::vector<uint8_t> other_key = libcdoc::Certificate(cert).getPublicKey();
+    if (other_key.empty())
+         return libcdoc::NOT_FOUND;
     LOG_DBG("Cert public key: {}", toHex(other_key));
-    for (int lock_idx = 0; lock_idx < priv->locks.size(); lock_idx++) {
-        const Lock &ll = priv->locks.at(lock_idx);
+    int lock_idx = 0;
+    for (const Lock &ll : priv->locks) {
         LOG_DBG("Lock {} type {}", lock_idx, (int) ll.type);
-        if (ll.hasTheSameKey(other_key)) {
+        if (ll.isPKI() && ll.getBytes(libcdoc::Lock::RCPT_KEY) == other_key) {
             return lock_idx;
         }
+        ++lock_idx;
     }
     setLastError("No lock found with certificate key");
     return libcdoc::NOT_FOUND;

diff --git a/cdoc/Lock.cpp b/cdoc/Lock.cpp
@@ -53,43 +53,5 @@ Lock::setInt(Params key, int32_t val)
 	params[key] = std::move(bytes);
 }
 
-bool
-Lock::hasTheSameKey(const Lock& other) const
-{
-	if (!isPKI()) return false;
-	if (!other.isPKI()) return false;
-	if (!params.contains(Params::RCPT_KEY)) return false;
-	if (!other.params.contains(Params::RCPT_KEY)) return false;
-	std::vector<uint8_t> pki = getBytes(Params::RCPT_KEY);
-	if (pki.empty()) return false;
-	std::vector<uint8_t> other_pki = other.getBytes(Params::RCPT_KEY);
-	if (other_pki.empty()) return false;
-	return pki == other_pki;
-}
-
-bool
-Lock::hasTheSameKey(const std::vector<uint8_t>& public_key) const
-{
-	if (!isPKI()) return false;
-	if (!params.contains(Params::RCPT_KEY)) return false;
-	if (public_key.empty()) return false;
-	std::vector<uint8_t> pki = getBytes(Params::RCPT_KEY);
-	LOG_DBG("Lock key: {}", toHex(pki));
-	if (pki.empty()) return false;
-	return pki == public_key;
-}
-
-void
-Lock::setCertificate(const std::vector<uint8_t> &_cert)
-{
-	setBytes(Params::CERT, _cert);
-	Certificate ssl(_cert);
-	std::vector<uint8_t> pkey = ssl.getPublicKey();
-	Certificate::Algorithm algo = ssl.getAlgorithm();
-
-	setBytes(Params::RCPT_KEY, pkey);
-	pk_type = (algo == libcdoc::Certificate::RSA) ? PKType::RSA : PKType::ECC;
-}
-
 } // namespace libcdoc
 
diff --git a/cdoc/Lock.h b/cdoc/Lock.h
@@ -42,7 +42,7 @@ struct CDOC_EXPORT Lock
     /**
      * @brief The lock type
      */
-	enum Type : unsigned char {
+    enum Type : unsigned char {
         /**
          * @brief Valid capsule but not supported by this library version
          * 
@@ -51,7 +51,7 @@ struct CDOC_EXPORT Lock
         /**
          * @brief Symmetric AES key
          */
-		SYMMETRIC_KEY,
+        SYMMETRIC_KEY,
         /**
          * @brief PBKDF key (derived from password)
          */
@@ -72,26 +72,26 @@ struct CDOC_EXPORT Lock
          * @brief Symmetric key distributed on several servers
          */
         SHARE_SERVER
-	};
+    };
 
     /**
      * @brief The public key type
      */
-	enum PKType : unsigned char {
+    enum PKType : unsigned char {
         /**
          * Elliptic curve
          */
         ECC,
         /**
          * RSA
          */
-		RSA
-	};
+        RSA
+    };
 
     /**
      * @brief Extra parameters depending on key type
      */
-	enum Params : unsigned int {
+    enum Params : unsigned int {
         /**
          * @brief HKDF salt (SYMMETRIC_KEY, PASSWORD and SHARE_SERVER)
          */
@@ -152,7 +152,7 @@ struct CDOC_EXPORT Lock
          * @brief CDoc1 specific
          */
         PARTY_VINFO
-	};
+    };
 
     /**
      * @brief get lock parameter value
@@ -176,20 +176,20 @@ struct CDOC_EXPORT Lock
     /**
      * @brief The lock type
      */
-	Type type = Type::UNKNOWN;
+    Type type = Type::UNKNOWN;
     /**
      * @brief algorithm type for public key based locks
      */
-	PKType pk_type = PKType::ECC;
+    PKType pk_type = PKType::ECC;
 
     /**
      * @brief the lock label
      */
-	std::string label;
+    std::string label;
     /**
      * @brief encrypted FMK (File Master Key)
      */
-	std::vector<uint8_t> encrypted_fmk;
+    std::vector<uint8_t> encrypted_fmk;
 
     /**
      * @brief check whether lock is valid
@@ -206,11 +206,6 @@ struct CDOC_EXPORT Lock
      * @return true if type is CDOC1, PUBLIC_KEY or SERVER
      */
     constexpr bool isPKI() const noexcept { return (type == Type::CDOC1) || (type == Type::PUBLIC_KEY) || (type == Type::SERVER); }
-    /**
-     * @brief check whether lock is based on certificate
-     * @return true if type is CDOC1
-     */
-    constexpr bool isCertificate() const noexcept { return (type == Type::CDOC1); }
     /**
      * @brief check whether lock is CDoc1 version
      * @return true if type is CDOC1
@@ -222,57 +217,32 @@ struct CDOC_EXPORT Lock
      */
     constexpr bool isRSA() const noexcept { return pk_type == PKType::RSA; }
 
-    /**
-     * @brief check whether two locks have the same public key
-     *
-     * This convenience method checks whether both locks are public key based, and if they are,
-     * whether the RCPT_KEY parameters are identical (i.e. both can be decrypted by the same private key)
-     * @param other the other lock
-     * @return true if both have the same public key
-     */
-    bool hasTheSameKey(const Lock &other) const;
-    /**
-     * @brief check whether lock has the given public key
-     *
-     * This convenience method checks whether lock is public key based, and if it is,
-     * whether the RCPT_KEY parameters is identical to ptovided key(i.e. it can be decrypted by the corresponding private key)
-     * @param public_key the public key (short format)
-     * @return true if lock has the same public key
-     */
-    bool hasTheSameKey(const std::vector<uint8_t>& public_key) const;
-
-	Lock() noexcept = default;
-	Lock(Type _type) noexcept : type(_type) {};
+    Lock() noexcept = default;
+    Lock(Type _type) noexcept : type(_type) {};
 
     /**
      * @brief Set lock parameter value
      * @param param a parameter type
      * @param val the value
      */
-    void setBytes(Params param, const std::vector<uint8_t>& val) { params[param] = val; }
+    void setBytes(Params param, std::vector<uint8_t> val) { params[param] = std::move(val); }
     /**
      * @brief Set lock parameter value from string
      * @param param a parameter type
      * @param val the value
      */
-    void setString(Params param, const std::string& val) { params[param] = std::vector<uint8_t>(val.cbegin(), val.cend()); }
+    void setString(Params param, const std::string& val) { setBytes(param, {val.cbegin(), val.cend()}); }
     /**
      * @brief Set lock parameter value from integer
      * @param param a parameter type
      * @param val the value
      */
     void setInt(Params param, int32_t val);
 
-    /**
-     * @brief A convenience method to initialize CERTIFICATE, RCPT_KEY and PK_TYPE values from given certificate
-     * @param cert the certificate (der-encoded)
-     */
-	void setCertificate(const std::vector<uint8_t>& cert);
-
-    bool operator== (const Lock& other) const = default;
+    bool operator== (const Lock& other) const noexcept = default;
 
 private:
-	std::map<Params,std::vector<uint8_t>> params;
+    std::map<Params,std::vector<uint8_t>> params;
 };
 
 } // namespace libcdoc

diff --git a/libcdoc.i b/libcdoc.i
@@ -176,7 +176,6 @@
 %ignore libcdoc::Lock::setBytes;
 %ignore libcdoc::Lock::setString;
 %ignore libcdoc::Lock::setInt;
-%ignore libcdoc::Lock::setCertificate;
 %extend libcdoc::Lock {
     Type getType() {
         return $self->type;