…issuer, remove registry dependency from issuer.
…tion
- Don't initialize empty Identity/Token structs in UIInteraction (causes validation failures since they have required fields)
- Fix VerificationRequestObject to query by RequestObjectID instead of SessionID (the wallet sends the requestObjectID via ?id= parameter)
The RequestObject is stored with RequestObjectID as key (handlers_ui.go) but was being retrieved with SessionID (handlers_verification.go). This caused 'request object not found' errors.
This fix aligns the secret file parsing with the name change of ".verifier.oidc" to ".verifier.oidc_op".
Fix path for verifier OIDC OP secrets
…ect-lookup fix(verifier): fix validation and RequestObjectID lookup in UIInteraction
…uers Add TrustEvaluator integration to the verifier's credential verification flow. After VP token validation succeeds, the verifier now:
1. Extracts the x5c certificate chain from the SD-JWT header
2. Extracts issuer ID (from 'iss' claim) and credential type (from 'vct' claim)
3. Calls the configured AuthZEN PDP to evaluate issuer trust
Configuration:
- Set verifier.trust.pdp_url to enable AuthZEN trust evaluation
- When pdp_url is empty, operates in 'allow-all' mode (no PDP calls)
This enables verifiers to enforce trust policies defined in an external AuthZEN Policy Decision Point, validating that credential issuers are part of an authorized trust framework.
These files are needed for the verifier which builds without vc20 tags.
…material
- Add WARN log when trust evaluation is disabled (no pdp_url configured)
- Support JWK header in addition to x5c for issuer trust evaluation
- Fail with protocol error if credential lacks x5c or jwk header (credentials must include issuer key material for trust evaluation)
If credential lacks x5c/jwk header but issuer is a DID, resolve the key via go-trust's DID resolution before evaluating trust. Fallback order:
1. x5c header (certificate chain)
2. jwk header (embedded JWK)
3. DID issuer (resolve key via go-trust)
4. Fail - no key material available
Critical security fix: The verifier was checking if an issuer is trusted but was NOT verifying the JWT signature to confirm the credential was actually signed by that issuer. This allowed accepting credentials that merely claim to be from a trusted issuer. Now:
1. Extract public key from x5c/jwk header or resolved DID
2. Verify JWT signature using that key (CRITICAL)
3. Only then evaluate trust via AuthZEN PDP
Added helper functions:
- parseJWKToPublicKey: converts JWK map to crypto.PublicKey
- verifyJWTSignature: verifies JWT signature with public key
- Add configurable AllowedSignatureAlgorithms to TrustConfig. Defaults to secure algorithms: ES256, ES384, ES512, RS256, RS384, RS512, PS256, PS384, PS512, EdDSA. The 'none' algorithm is NEVER allowed.
- Fix dead code: len(parts) < 1 is always false since Split returns at least one element. Changed to check issuerJWT == ""
- Add nil guard for trustEvaluator to prevent potential panic
- Log algorithm in signature verification error messages
Addresses SonarCloud security concern about JWT cipher validation.
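The three commits above (x5c/jwk fallback for issuer key material, signature verification before trust evaluation, and the algorithm allow-list) describe an ordering that is easy to get wrong. The Go program below is an added example written for this page, not code from the vc repository: it implements that order for ES256 credentials carrying a jwk header, with a pinned-key policy standing in for the AuthZEN PDP call. VerifyCredential, PinnedKeys, NewTestKey and MintTestCredential are the example's own names, the credentials are constructed at run time, and the restriction to EC P-256 is an assumption; x5c parsing and DID resolution via go-trust are noted in comments but not implemented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Allowed JWS algorithms (the commit's default list); "none" is never in the set.
var DefaultAllowedAlgs = map[string]bool{"ES256": true, "ES384": true, "ES512": true, "RS256": true,
	"RS384": true, "RS512": true, "PS256": true, "PS384": true, "PS512": true, "EdDSA": true}

func b64(b []byte) string            { return base64.RawURLEncoding.EncodeToString(b) }
func unb64(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }

// TrustEvaluator stands in for the AuthZEN PDP call. It must bind iss to the key that verified
// the signature: a self-asserted jwk header on its own only proves the token is self-consistent.
type TrustEvaluator func(iss, vct string, key *ecdsa.PublicKey) bool

// PinnedKeys is a constructed stand-in policy: iss is trusted only when signed by its pinned key.
func PinnedKeys(pins map[string]*ecdsa.PublicKey) TrustEvaluator {
	return func(iss, _ string, key *ecdsa.PublicKey) bool { return pins[iss] != nil && pins[iss].Equal(key) }
}

// parseJWKToPublicKey converts a jwk header map to a key (EC P-256 only in this example).
// ecdsa.Verify rejects points that are not on the curve, so no separate on-curve check is done.
func parseJWKToPublicKey(jwk map[string]any) (*ecdsa.PublicKey, error) {
	xs, _ := jwk["x"].(string)
	ys, _ := jwk["y"].(string)
	x, errX := unb64(xs)
	y, errY := unb64(ys)
	if jwk["kty"] != "EC" || jwk["crv"] != "P-256" || errX != nil || errY != nil {
		return nil, errors.New("jwk: unsupported or malformed key")
	}
	return &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}, nil
}

// verifyJWTSignature enforces the alg allow list, then checks the ES256 (raw r||s) signature.
func verifyJWTSignature(signingInput, sig64, alg string, key *ecdsa.PublicKey, allowed map[string]bool) error {
	if alg == "" || strings.EqualFold(alg, "none") || !allowed[alg] {
		return fmt.Errorf("alg %q is not allowed", alg)
	}
	sig, err := unb64(sig64)
	if alg != "ES256" || key.Curve != elliptic.P256() || err != nil || len(sig) != 64 {
		return fmt.Errorf("alg %s: key/alg mismatch or malformed signature (only ES256 implemented here)", alg)
	}
	digest := sha256.Sum256([]byte(signingInput))
	if !ecdsa.Verify(key, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return fmt.Errorf("alg %s: signature verification failed", alg)
	}
	return nil
}

// VerifyCredential runs key material -> signature -> trust, in that order, and returns iss and vct.
// Key material follows the commit's order x5c -> jwk -> DID -> fail; only the jwk step is implemented
// here. A nil evaluator means allow-all, which is what the project does without pdp_url (with a WARN).
func VerifyCredential(sdjwt string, trusted TrustEvaluator, allowed map[string]bool) (iss, vct string, err error) {
	issuerJWT, _, _ := strings.Cut(sdjwt, "~") // the issuer-signed JWT precedes the first "~"
	parts := strings.Split(issuerJWT, ".")
	if issuerJWT == "" || len(parts) != 3 {
		return "", "", errors.New("malformed issuer JWT")
	}
	var header map[string]any
	var claims struct{ Iss, Vct string } // encoding/json matches "iss"/"vct" case-insensitively
	hb, errH := unb64(parts[0])
	pb, errP := unb64(parts[1])
	if errH != nil || errP != nil || json.Unmarshal(hb, &header) != nil || json.Unmarshal(pb, &claims) != nil {
		return "", "", errors.New("malformed JWT header or payload")
	}
	jwk, ok := header["jwk"].(map[string]any)
	if !ok {
		return "", "", errors.New("credential lacks x5c and jwk header: no issuer key material")
	}
	key, err := parseJWKToPublicKey(jwk)
	if err != nil {
		return "", "", err
	}
	alg, _ := header["alg"].(string)
	if err := verifyJWTSignature(parts[0]+"."+parts[1], parts[2], alg, key, allowed); err != nil {
		return "", "", err // CRITICAL: the PDP is never consulted for a token that did not verify
	}
	if trusted != nil && !trusted(claims.Iss, claims.Vct, key) {
		return "", "", fmt.Errorf("issuer %q not trusted for vct %q", claims.Iss, claims.Vct)
	}
	return claims.Iss, claims.Vct, nil
}

// NewTestKey generates a P-256 key for the constructed credentials below.
func NewTestKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// MintTestCredential builds a constructed SD-JWT (no disclosures) with an embedded jwk header.
func MintTestCredential(priv *ecdsa.PrivateKey, al, iss, vct string) string {
	hb, _ := json.Marshal(map[string]any{"alg": al, "typ": "dc+sd-jwt", "jwk": map[string]string{"kty": "EC",
		"crv": "P-256", "x": b64(priv.X.FillBytes(make([]byte, 32))), "y": b64(priv.Y.FillBytes(make([]byte, 32)))}})
	pb, _ := json.Marshal(map[string]string{"iss": iss, "vct": vct})
	in := b64(hb) + "." + b64(pb)
	digest := sha256.Sum256([]byte(in))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest[:])
	return in + "." + b64(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)) + "~"
}

func main() {
	issuerKey, attacker := NewTestKey(), NewTestKey()
	policy := PinnedKeys(map[string]*ecdsa.PublicKey{"https://issuer.example": &issuerKey.PublicKey})
	fmt.Println(VerifyCredential(MintTestCredential(issuerKey, "ES256", "https://issuer.example", "https://issuer.example/vct/pid"), policy, DefaultAllowedAlgs))
	// Attacker puts its own key in the jwk header and merely claims the trusted iss: signature verifies, trust does not.
	fmt.Println(VerifyCredential(MintTestCredential(attacker, "ES256", "https://issuer.example", "x"), policy, DefaultAllowedAlgs))
}
```

The stand-in policy makes explicit what the fix's third step has to provide: when the key comes from the token's own jwk header, a valid signature only proves the token is self-consistent. Whatever replaces PinnedKeys in a deployment (the PDP judging the x5c chain, or a DID document) must bind the issuer identifier to the key that actually verified, otherwise the forged credential in main is accepted, exactly as it is with the nil (allow-all) evaluator.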
Resolve conflicts:
- bootstrapping/*.json: accept upstream (VCT URL-based, credential constructor changes)
- handlers_issuer.go: accept upstream comment (openid4vp vs pid_auth)
- endpoints_oauth.go: use cookie-based openid4vp_redirect_url from upstream
- endpoints_users.go: add upstream cookie cleanup in user cancel
- service.go: keep both jwt-vc-issuer/jwks (ours) and type-metadata (upstream)
- consent.js: adopt upstream openid4vp naming and cookie-based redirect
- validate.go: remove auth_method_exists validator (upstream removed auth_methods)
- auth_methods.go: adopt upstream constants (drop pid_auth, add openid4vp)
- config_test.go: fix YAML tags (oidcrp->oidc_rp, oidc->oidc_op) to match secrets.go struct tags (pre-existing test bug)
Pull request overview
This PR modernizes credential type metadata handling (URL-based VCT + SRI integrity), updates OpenID4VP/DCQL flows and related configuration/auth-method naming, and replaces the VERSION-file-based release automation with git-tag/Makefile-driven releases.
Changes:
- Enforce SD-JWT VC draft-14 style VCT handling by fetching VCTM from the vctURL and validating SRI integrity (vct#integrity).
- Refactor config and runtime code to use common.credential_constructor and rename pid_auth → openid4vp, including DCQL response parsing/claim extraction updates.
- Overhaul release tooling: remove VERSION + RC/tag workflows and introduce Makefile targets for release/promotions with reserved-tag guarding.
Reviewed changes
Copilot reviewed 117 out of 123 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| vendor/modules.txt | Removes an explicit vendored module entry. |
| sonar-project.properties | Adds rule-ignore criteria for _test.go files. |
| secrets.example.yaml | Renames oidcrp → oidc_rp in example secrets. |
| proto/v1-registry.proto | Adds StatusListUri field to status list add reply. |
| proto/v1-issuer.proto | Adds vct_url and integrity fields to MakeSDJWT request. |
| presentation_requests/eudi_pid.yaml | Switches format to dc+sd-jwt and adds ARF 1.5 VCT to vct_values. |
| presentation_requests/eudi_ehic.yaml | Switches format to dc+sd-jwt. |
| presentation_requests/eduid.yaml | Adds eduID presentation request templates. |
| pkg/sdjwtvc/verification_test.go | Updates tests to use BuildCredentialWithSigner + served VCTM + integrity. |
| pkg/sdjwtvc/utils_test.go | Updates parsing/build test to use VCT URL and integrity. |
| pkg/sdjwtvc/types.go | Replaces VCTM Encode with SRI integrity hash computation. |
| pkg/sdjwtvc/test_helpers_test.go | Adds shared signer + VCTM server helpers for tests. |
| pkg/sdjwtvc/methods.go | Fetches VCTM from vct URL, validates integrity, and issues SD-JWT accordingly. |
| pkg/sdjwtvc/fetchvctm_test.go | Adds unit tests for VCTM fetch + integrity validation behavior. |
| pkg/sdjwtvc/extra_coverage_test.go | Removes header VCTM encoding coverage tests. |
| pkg/sdjwtvc/error_coverage_test.go | Updates signing error test to BuildCredentialWithSigner via failing signer. |
| pkg/sdjwtvc/coverage_boost_test.go | Updates coverage tests for new signer + VCT URL/integrity flow; removes VCTM Encode tests. |
| pkg/sdjwtvc/complete_coverage_test.go | Updates comprehensive test to use VCT URL + integrity. |
| pkg/sdjwtvc/build_test.go | Renames and updates build tests to use new signer/VCT URL/integrity flow. |
| pkg/openid4vp/sdjwt_handler_test.go | Adds test signer/VCTM helpers and updates to BuildCredentialWithSigner. |
| pkg/openid4vp/dcql.go | Adds YAML tags and adjusts validation tags for DCQL structs. |
| pkg/openid4vp/context_test.go | Removes trailing whitespace. |
| pkg/openid4vp/claims_extractor.go | Adds DCQL vp_token JSON-object support and merges claims across credentials. |
| pkg/model/testdata/vctm_not_json.yaml | Adds non-JSON VCTM fixture for loader tests. |
| pkg/model/testdata/vctm_missing_vct.json | Adds missing-vct fixture for loader tests. |
| pkg/model/testdata/cfg.yaml | Switches test config auth_method to openid4vp. |
| pkg/model/secrets_test.go | Renames verifier OIDC config references to OIDCOP. |
| pkg/model/secrets.go | Renames secrets YAML keys (oidc_rp, oidc_op) and structs accordingly. |
| pkg/model/metadata_generation_test.go | Removes reference metadata generation test. |
| pkg/model/issuer_metadata_test.go | Switches issuer metadata VCT to resolved URL (VCTURL) in tests. |
| pkg/model/config_test.go | Updates credential constructor lookup/storage under Common and adds integrity/VCT URL assertions. |
| pkg/model/config_default_test.go | Renames OIDC defaults test to OIDCOP. |
| pkg/model/auth_methods.go | Replaces pid_auth constant with expanded auth-method constants incl. openid4vp. |
| pkg/httphelpers/middleware.go | Skips logging successful /health requests. |
| pkg/helpers/validate_test.go | Updates identity validation expectations and adds auth_scopes self-reference tests. |
| pkg/helpers/validate_saml_test.go | Adjusts SAML config test data to include SessionDuration. |
| pkg/helpers/validate.go | Removes unused custom validators and adds struct-level auth_scopes self-reference validation. |
| pkg/configuration/config_test.go | Updates secrets field names and adds defaults test for Digital Credentials config. |
| pkg/configuration/config.go | Loads constructors from Common, resolves VCT URLs from APIGW PublicURL, and updates required-config check. |
| pkg/cache/authcontext_test.go | Adds token ExpiresAt in cache tests. |
| metadata/vctm_pid_arf_1_8.json | Removes vct from stored metadata JSON. |
| metadata/vctm_pid_arf_1_5.json | Removes vct from stored metadata JSON. |
| metadata/vctm_pda1.json | Removes vct from stored metadata JSON. |
| metadata/vctm_microcredential.json | Removes vct from stored metadata JSON. |
| metadata/vctm_elm.json | Removes vct from stored metadata JSON. |
| metadata/vctm_ehic.json | Removes vct from stored metadata JSON. |
| metadata/vctm_eduid.json | Removes vct from stored metadata JSON. |
| metadata/vctm_diploma.json | Removes vct from stored metadata JSON. |
| metadata/issuer_metadata.json | Removes committed issuer metadata JSON artifact. |
| internal/verifier/static/authorize_enhanced.html | Adds web-wallet links + QR toggles and updates poll path/status handling. |
| internal/verifier/httpserver/service.go | Moves CORS middleware to engine level; adds TODO on polling. |
| internal/verifier/httpserver/endpoints_openid4vp.go | Returns 200 JSON for direct_post (no redirect) per spec notes. |
| internal/verifier/httpserver/endpoints_oidc.go | Propagates OAuth error codes to redirect URI and adds WalletLinks to template data. |
| internal/verifier/db/service.go | Creates DB indexes during service initialization. |
| internal/verifier/db/client.go | Adds unique index creation for clients collection. |
| internal/verifier/apiv1/mock_db_test.go | Renames verifier OIDC config to OIDCOP in tests. |
| internal/verifier/apiv1/handlers_verification.go | Ensures request object lookup by RequestObjectID. |
| internal/verifier/apiv1/handlers_ui_test.go | Moves credential constructors under cfg.Common. |
| internal/verifier/apiv1/handlers_ui.go | Updates UI metadata to use constructor getters; makes Identity/Token nil until presented. |
| internal/verifier/apiv1/handler_session_preference.go | Uses OIDCOP for code duration. |
| internal/verifier/apiv1/handler_openid4vp_test.go | Removes legacy vp_formats helper test. |
| internal/verifier/apiv1/handler_openid4vp.go | Uses new direct_post endpoint path, x5c signing chain, and x509_san_dns client_id derivation. |
| internal/verifier/apiv1/handler_client_registration_test.go | Renames verifier OIDC config to OIDCOP in tests. |
| internal/verifier/apiv1/client_test.go | Renames verifier OIDC config to OIDCOP and updates DCQL query builder test. |
| internal/verifier/apiv1/client.go | Uses constructors from Common, updates logs, and builds DCQL queries from constructor config and VCT URLs. |
| internal/registry/grpcserver/endpoints.go | Builds and returns full StatusList URI in add-status reply. |
| internal/mockas/bootstrapper/client_test.go | Ensures bootstrap dir exists; reorders idp_user generation. |
| internal/issuer/grpcserver/endpoints.go | Passes VCT URL + integrity through to issuer API. |
| internal/issuer/apiv1/handlers_test.go | Adds served VCTM + integrity to issuer tests and validates missing integrity. |
| internal/issuer/apiv1/handlers.go | Requires integrity; uses registry-provided status list URI; issues SD-JWT using VCT URL from request. |
| internal/issuer/apiv1/common_test.go | Updates mock registry reply to include StatusListUri; simplifies mock config. |
| internal/gen/registry/apiv1_registry/v1-registry_grpc.pb.go | Updates generated code version comment. |
| internal/gen/registry/apiv1_registry/v1-registry.pb.go | Adds generated field/accessor for StatusListUri. |
| internal/gen/issuer/apiv1_issuer/v1-issuer_grpc.pb.go | Updates generated code version comment. |
| internal/gen/issuer/apiv1_issuer/v1-issuer.pb.go | Adds generated fields/accessors for vct_url and integrity. |
| internal/apigw/staticembed/consent.js | Expands auth methods and renames redirect cookie to openid4vp. |
| internal/apigw/staticembed/consent.html | Updates consent page logic for openid4vp auth method. |
| internal/apigw/httpserver/service.go | Adds type-metadata endpoint; switches restricted routes to APIAuth middleware; formatting fixes. |
| internal/apigw/httpserver/endpoints_users.go | Uses openid4vp auth method and renamed cookie key. |
| internal/apigw/httpserver/endpoints_saml.go | Provides VCT URL + integrity to issuer requests. |
| internal/apigw/httpserver/endpoints_oauth.go | Uses openid4vp auth method and renamed redirect cookie key. |
| internal/apigw/httpserver/endpoints.go | Adds /type-metadata/:scope endpoint. |
| internal/apigw/httpserver/api.go | Adds TypeMetadata to APIV1 interface. |
| internal/apigw/db/methods_vc_datastore.go | Switches document queries from meta.vct to meta.scope; updates comment. |
| internal/apigw/apiv1/scope_match_test.go | Adds tests for matching a valid scope among multiple scopes. |
| internal/apigw/apiv1/scope_match.go | Adds helper to choose first configured scope instead of blindly using index 0. |
| internal/apigw/apiv1/handlers_verifier.go | Uses matchScope; builds DCQL from constructor auth_* fields; queries datastore by scope. |
| internal/apigw/apiv1/handlers_vctm.go | Reads VCTM via Common constructors and adds raw TypeMetadata serving for local VCTMs. |
| internal/apigw/apiv1/handlers_users_test.go | Updates PID auth tests to openid4vp. |
| internal/apigw/apiv1/handlers_users.go | Updates user lookup flow to openid4vp auth method. |
| internal/apigw/apiv1/handlers_token_status_list.go | Removes old HTTP handler for token status list allocation. |
| internal/apigw/apiv1/handlers_oidcrp.go | Provides VCT URL + integrity to issuer requests. |
| internal/apigw/apiv1/handlers_issuer.go | Uses matchScope; queries datastore by scope; passes VCT URL + integrity into SD-JWT issuance. |
| internal/apigw/apiv1/client_test.go | Moves constructors under Common in tests; updates VCTM loading loop. |
| internal/apigw/apiv1/client.go | Generates issuer metadata from Common constructors; reads VCTM via getters. |
| go.sum | Removes nhooyr websocket sums. |
| go.mod | Promotes gorilla/websocket to direct dependency; moves go-cmp to indirect; drops nhooyr/websocket. |
| docs/adr/diagrams/ehic-pid-auth-flow.puml | Renames auth_method from pid_auth to openid4vp in diagram. |
| docs/RELEASE_PROCESS.md | Replaces VERSION/RC workflow description with git-tag + Make targets release flow. |
| docs/MAKEFILE.md | Updates Docker tag examples and documents reserved tag guard + new release targets. |
| developer_tools/scripts/gen_config_docs/main.go | Simplifies section labels mapping. |
| config_minimal.yaml | Moves credential_constructor under common and adds ha flag. |
| config.yaml | Moves credential_constructor under common, migrates pid_auth to openid4vp config, adds verifier CORS config, renames oidc_rp key. |
| VERSION | Removes VERSION file. |
| README.md | Updates auth_method naming in diagram. |
| Makefile | Introduces tag guard and new release/release-prod/release-demo targets; defaults VERSION to local. |
| .vscode/settings.json | Adds new dictionary words for updated terminology/tooling. |
| .github/workflows/version-bump.yaml | Removes version bump workflow. |
| .github/workflows/pr-rc-build.yaml | Removes PR RC build workflow. |
| .github/workflows/build.yaml | Removes release tagging workflow. |
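Copilot's overview above lists the new VCT handling: fetch the VCTM from the VCT URL and validate its SRI integrity (vct#integrity); a hardening commit later in this thread adds a 30 s timeout, a 1 MiB size limit on that fetch and a check that the requested VCT URL and integrity match the configured credential constructor. The Go program below is an added example for this page, not the project's pkg/sdjwtvc code, that puts those checks together in one fetch path. CredentialConstructor, FetchVCTM, CheckIntegrity and ServeConstructedVCTM are the example's own names, the VCTM document is constructed, and only single sha256 SRI expressions are handled.

```go
package main

import (
	"context"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

const maxVCTMBytes = 1 << 20 // 1 MiB cap on the fetched document, as in the commit

// CredentialConstructor is a constructed stand-in for the project's per-scope configuration: the
// VCT URL and its expected vct#integrity value come from config, never from the request.
type CredentialConstructor struct{ VCTURL, Integrity string }

// ComputeIntegrity returns the SRI expression ("sha256-<base64 digest>") a deployer puts in config.
func ComputeIntegrity(raw []byte) string {
	sum := sha256.Sum256(raw)
	return "sha256-" + base64.StdEncoding.EncodeToString(sum[:])
}

// CheckIntegrity recomputes the digest and compares in constant time. Only a single sha256
// expression is handled here; full SRI also allows sha384/sha512 and several space-separated hashes.
func CheckIntegrity(integrity string, raw []byte) error {
	if !strings.HasPrefix(integrity, "sha256-") || strings.ContainsAny(integrity, " \t\r\n") {
		return fmt.Errorf("integrity %q: expected a single sha256-<base64> expression", integrity)
	}
	if want := ComputeIntegrity(raw); subtle.ConstantTimeCompare([]byte(want), []byte(integrity)) != 1 {
		return fmt.Errorf("integrity mismatch: configured %s, fetched document hashes to %s", integrity, want)
	}
	return nil
}

// FetchVCTM resolves the VCTM for a scope. The VCT URL and integrity carried by the request must
// equal the configured ones (the SSRF guard), the GET is bounded by a 30 s timeout and a 1 MiB
// read limit, and the body is parsed only after its integrity has been verified.
func FetchVCTM(ctx context.Context, client *http.Client, cfg map[string]CredentialConstructor,
	scope, vctURL, integrity string) (map[string]any, error) {
	cc, ok := cfg[scope]
	if !ok || cc.VCTURL != vctURL || cc.Integrity != integrity {
		return nil, fmt.Errorf("scope %q: vct_url/integrity do not match configuration, refusing to fetch", scope)
	}
	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
	defer cancel()
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, vctURL, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Accept", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("GET %s: HTTP %d", vctURL, resp.StatusCode)
	}
	raw, err := io.ReadAll(io.LimitReader(resp.Body, maxVCTMBytes+1)) // the extra byte detects oversize
	if err != nil {
		return nil, err
	}
	if len(raw) > maxVCTMBytes {
		return nil, fmt.Errorf("GET %s: VCTM larger than %d bytes", vctURL, maxVCTMBytes)
	}
	if err := CheckIntegrity(integrity, raw); err != nil {
		return nil, err
	}
	var vctm map[string]any
	if err := json.Unmarshal(raw, &vctm); err != nil {
		return nil, fmt.Errorf("VCTM is not a JSON object: %w", err)
	}
	return vctm, nil
}

// ServeConstructedVCTM serves doc from a local test server and returns the server together with
// the integrity value that belongs in the credential constructor config.
func ServeConstructedVCTM(doc []byte) (*httptest.Server, string) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		_, _ = w.Write(doc)
	}))
	return srv, ComputeIntegrity(doc)
}

func main() {
	doc := []byte(`{"name":"Constructed PID type metadata","description":"example only","claims":[]}`)
	srv, integrity := ServeConstructedVCTM(doc)
	defer srv.Close()
	vctURL := srv.URL + "/type-metadata/pid"
	cfg := map[string]CredentialConstructor{"pid": {VCTURL: vctURL, Integrity: integrity}}
	vctm, err := FetchVCTM(context.Background(), srv.Client(), cfg, "pid", vctURL, integrity)
	fmt.Println("configured URL:", vctm["name"], err)
	_, err = FetchVCTM(context.Background(), srv.Client(), cfg, "pid", "http://169.254.169.254/", integrity)
	fmt.Println("unconfigured URL:", err)
}
```

The order inside FetchVCTM matters: the configuration check runs before any network I/O, so a caller cannot steer the issuer at an internal address, and json.Unmarshal runs only on bytes whose digest already matched, so a parser bug cannot be reached with attacker-chosen content.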
…-trust feat(verifier): integrate AuthZEN trust evaluation for credential issuers
leifj added a commit to sirosfoundation/vc that referenced this pull request on Mar 11, 2026
- Use url.Parse instead of strings.TrimLeft for x509_san_dns client_id
- Validate scope against credential constructors in MakeSDJWT (SSRF prevention)
- Enforce VCT URL and integrity match configured values
- Add validate:required,url to VCTUrl and validate:required to Integrity
- Use resolved VCT URL in UIMetadata (prefer GetVCTURL over VCTM.VCT)
- Add 30s timeout and 1MiB size limit to fetchVCTM HTTP client
- Add SetVCTURL/SetIntegrity methods to CredentialConstructor for testing
…penID4VP; remove debug JSON logging
- endpoints_oauth.go: pass OpenID4VP wallet redirect URL via template data-redirect-url attribute instead of setting openid4vp_redirect_url cookie (getCookie was removed in prior refactor, breaking the flow)
- consent.js: handleLoginPidAuth reads dataset.redirectUrl instead of calling the removed getCookie function
- consent.js: handleCredentialSelection adds missing return after error when redirectUrl is null (prevented redirect to null URL)
- consent.js: remove console.info(JSON.stringify) debug logging from fetchData that displayed raw JSON on every API response
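The first item in the commit above, url.Parse instead of strings.TrimLeft for the x509_san_dns client_id, points at a classic Go pitfall: strings.TrimLeft takes a cutset of characters, not a prefix, so "https://" strips every leading h, t, p, s, colon and slash from the host as well. The Go program below is an added example for this page, not the project's handler_openid4vp.go: it shows the naive derivation beside the url.Parse one, and the wallet-side check that OpenID4VP's x509_san_dns scheme requires, that the client_id's DNS name appears as a dNSName SAN in the leaf certificate of the request's x5c chain. It assumes the client_id is derived from the verifier's own https URL (the response_uri host); the self-signed leaf certificate is constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

const scheme = "x509_san_dns:"

// NaiveClientID reproduces the pitfall: TrimLeft strips any leading run of characters drawn from
// the cutset {h,t,p,s,:,/}, so a host that starts with one of them loses letters.
func NaiveClientID(verifierURL string) string {
	host := strings.Split(strings.TrimLeft(verifierURL, "https://"), "/")[0]
	return scheme + host
}

// ClientIDFromURL derives the x509_san_dns client_id from the verifier's https URL with url.Parse.
// Hostname() drops any port; the scheme check refuses plain http and scheme-less input.
func ClientIDFromURL(verifierURL string) (string, error) {
	u, err := url.Parse(verifierURL)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" || u.Hostname() == "" {
		return "", fmt.Errorf("%q: x509_san_dns requires an https URL with a host", verifierURL)
	}
	return scheme + strings.ToLower(u.Hostname()), nil
}

// ClientIDMatchesLeaf is the wallet-side check: the DNS name in the client_id must appear as a
// dNSName SAN in the leaf certificate of the request's x5c chain.
func ClientIDMatchesLeaf(clientID string, leaf *x509.Certificate) error {
	if !strings.HasPrefix(clientID, scheme) {
		return errors.New("client_id does not use the x509_san_dns scheme")
	}
	host := strings.TrimPrefix(clientID, scheme)
	for _, dns := range leaf.DNSNames {
		if strings.EqualFold(dns, host) {
			return nil
		}
	}
	return fmt.Errorf("client_id host %q is not among leaf SAN dNSNames %v", host, leaf.DNSNames)
}

// SelfSignedLeaf builds a constructed leaf certificate with the given dNSName SANs (example only;
// a real verifier presents a chain that ends at a trust anchor the wallet recognises).
func SelfSignedLeaf(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	const verifierURL = "https://sth.example.org:8443/openid4vp/direct_post"
	fmt.Println("naive:  ", NaiveClientID(verifierURL)) // x509_san_dns:.example.org:8443
	good, _ := ClientIDFromURL(verifierURL)
	fmt.Println("parsed: ", good) // x509_san_dns:sth.example.org
	leaf, _ := SelfSignedLeaf([]string{"sth.example.org"})
	fmt.Println("wallet check (parsed):", ClientIDMatchesLeaf(good, leaf))
	fmt.Println("wallet check (naive): ", ClientIDMatchesLeaf(NaiveClientID(verifierURL), leaf))
}
```

The bug is host-dependent, which is why it survives casual testing: "verifier.example.org" comes through TrimLeft intact, while a host beginning with s, t, h or p is mangled and the wallet's SAN check then rejects every request from that deployment.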
fix(consent): replace cookie-based redirect with data attribute for OpenID4VP
When a browser sends Accept: text/html, the generic Content renderer uses fmt %v on json.RawMessage ([]byte), producing decimal byte values instead of JSON. Use c.Data() to write the raw VCTM bytes directly with application/json content type.
fix: serve type-metadata as raw JSON to avoid byte-array rendering