Engineering Showcase

Technical Projects &
Case Studies

Detailed breakdowns of systems I have designed, built, and optimized.

DVLA Government ProjectISO/IEC 18013-5

mdoc-builder (Mobile Driving Licence)

View on GitHub

The `mdoc-builder` is an open-source Java library built in collaboration with GDS and key government departments. It provides the core cryptographic mechanisms to package, sign, and issue compliant Mobile Driving Licences (mDL) that adhere strictly to the **ISO/IEC 18013-5** international standard.

Applying strong technical judgement to match both DVLA and GDS needs against a rapidly evolving ISO standard, I chose to design this library from scratch with minimal external dependencies. This avoided hacky integrations of incomplete third-party packages, producing a lightweight, secure, and easily extendable core. To ensure maintenance standards, I personally configured SonarQube, Checkstyle, and security vulnerability checks inside CI/CD deployment pipelines.

In digital identity, privacy is paramount. Using CBOR (Concise Binary Object Representation) namespaces and COSE (CBOR Object Signing and Encryption) cryptography, this library allows driver attributes to be divided into individual digests, enabling **Selective Disclosure** (proving you are over 18 without disclosing your full name or exact birthdate).

Key Engineering Contributions:

  • Personally designed and developed the core mdoc-builder Java library from scratch.
  • Created cryptographic signing interfaces to securely bind driving credentials to mobile device hardware keys.
  • Integrated SonarQube, Checkstyle, and Tenable vulnerability checks within CI/CD pipelines to guarantee code compliance.
  • Built local containerized Kubernetes replica environments using Docker for simplified squad testing.

Project Technical Stack

JavaSpring BootOpenAPICBOR / COSEISO/IEC 18013-5SonarQube / CheckstyleDocker / K8sTenable / Renovate
SECURITY COMPLIANCEISO/IEC 18013-5 Personal Identification — Mobile Driving Licence (mDL) standard.

How It Works: Interactive Flow

DVLA Architecture Showcase

mdoc Certificate & Issuance Lifecycle

This interactive demo illustrates how driving licence certificates are requested, cryptographically bound to hardware security enclaves, and signed by the DVLA root CA.

Wallet (Mobile)DVLA (Issuer)
Actor: WalletISO/IEC 18013-5 Standard compliant

1. Device Key Provisioning

The mobile wallet generates a secure device public/private key pair (typically using hardware-backed keystores like iOS Secure Enclave or Android Keystore). The private key never leaves the device.

Mobile Wallet
DVLA Issuer
Payload Structure InspectorCBOR / COSE
// Device Key Generation (ECDSA secp256r1 / ES256)
// Public Key (COSE_Key format)
{
  1: 2,       // Key Type: EC2
  3: -7,      // Algorithm: ES256
  -1: 1,      // Curve: P-256
  -2: h'd759713f...', // X coordinate
  -3: h'f4a22d3e...'  // Y coordinate
}
Security Binding: Cryptographic AssociationIntegrity Verified ✓

Other Systems I've Built

Enterprise integrations and open source contributions.

GoAWS LambdaKinesisDynamoDBTerraform

Transactional Serverless Broker

Designed and implemented a serverless message broker to ingest and validate transactional event streams for high-throughput enterprise applications. Built with Go for sub-millisecond execution times and cost efficiency.

Impact / Outcome

Handled peak loads of 15,000 requests/sec, reduced cloud operational costs by 60% compared to ECS-based container alternatives, and guaranteed at-least-once message delivery protocols.

PHPJavaScriptNode.jsElectronPostgreSQL

Cyber Freakz Enterprise Suite

Maintained complete end-to-end lifecycle ownership of cross-platform desktop suites and web applications for medium-sized business clients. Designed and built internal tools using Electron to automate business discovery workflows.

Impact / Outcome

Successfully turned client business use cases into production-ready portals, automating internal document ingestion pipelines and cutting manual workflow processing delays by 40%.

Standards & Protocol Deep-Dive

Inside the ISO/IEC 18013-5 Spec

Mobile driving licences (mDLs) are not simply digital images or signed PDFs. They are highly structured, cryptographically verifiable data envelopes designed to protect user privacy and establish undeniable authenticity. Here is how the data structures inside `mdoc-builder` are composed.

[01]Dual Envelope Architecture

An mdoc contains two distinct cryptographic envelopes that separate the Authority's claim signature from the Holder's device authentication.

IssuerSigned

Contains raw user claims (e.g. given name, portrait) grouped by namespace. Each claim is encoded as an individual IssuerSignedItem along with a salt. Hashes of these items are stored in a signed Mobile Security Object (MSO).

DeviceSigned

Contains a dynamic signature generated on-device using a private key locked in the hardware's Secure Enclave. This proves that the person presenting the mDL is the actual holder, preventing clone attacks.

[02]Anti-Correlation

To guarantee user privacy, the spec enforces safeguards against correlation (tracking a user across multiple verifiers) and dictionary attacks:

  • 16-Byte Random Salt: Every claim includes a minimum 16-byte random salt. Without it, public fields (e.g., given_name = "Joe") could be resolved by verifiers running offline hash tables.
  • Digest ID Shuffling: Claims are assigned unique `digestID` integers. In `mdoc-builder`, we generate and randomly shuffle these IDs to eliminate any coding sequence correlation.

[03]Namespace Mapping

Attributes are organized in namespaces to isolate standard data fields from regional or regional authority extensions:

org.iso.18013.5.1

Standard mDL attributes: given_name, family_name, birth_date, portrait, issuing_authority, document_number, un_distinguishing_sign.

org.iso.18013.5.1.GB

British DVLA extensions: provisional_driving_privileges, title, welsh_licence (bilingual flag).

[04]Verification Loop (Selective Disclosure)

The verification process requires no connection back to the issuing authority, protecting offline privacy:

1. Selective Present

The mobile wallet sends only the requested elements (e.g., portrait, age_over_18) and hides the rest.

2. Hash Matching

The verifier hashes the received items. If they match the digests stored in the MSO, data integrity is proven.

3. Authentication

The verifier validates the Issuer's signature on the MSO, and the Device's signature using the MSO's public key.