Skip to content

Add more details on wallet structure to README#43

Merged
QZHelen merged 7 commits into
digitalcredentialsdev:mainfrom
cy245:update-readme
Jul 8, 2026
Merged

Add more details on wallet structure to README#43
QZHelen merged 7 commits into
digitalcredentialsdev:mainfrom
cy245:update-readme

Conversation

@cy245

@cy245 cy245 commented Jun 5, 2026

Copy link
Copy Markdown
Contributor

No description provided.

@cy245

cy245 commented Jun 5, 2026

Copy link
Copy Markdown
Contributor Author

@leecam @QZHelen please TAL - updated the readme to provide more insight into CMWallet. Let me know of any areas you'd like to update or add.

Comment thread README.md Outdated
Comment thread README.md Outdated
Comment thread README.md Outdated
Comment thread README.md Outdated
Comment thread README.md Outdated
Comment thread README.md Outdated
* **Presentation Assembly**: The wallet extracts the requested claims, builds a cryptographically secure **Session Transcript** to bind the response to the specific connection, signs the response using the private key stored in secure hardware, packages the payload, and returns it to the calling verifier.

### 2. Credential Issuance
Handles credential issuance requests from issuers. When a user initiates getting a credential from an issuer by scanning a QR code or opening a link, the issuer can trigger a system intent that launches the credential creation and storage process:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not exactly right - issuer calls the Android Credential Manager API to initiate the issuance call.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Still seems a bit off.. How about something like this:

Normally a user can trigger credential issuance in two ways:

  1. Issuer initiated flow: the user triggers a request to issue a VDC from an issuer application or website. For example, an issuer.gov website may offer its users an option to "Add your passport to your wallet". The issuer calls the Credential Manager issuance API to make an OpenID4VCI Credential Offer request. To handle such requests a wallet must first integrate with Credential Manager to register its metadata. Credential Manager will display relevant options for a user to select. After the user selects a wallet option, the wallet application will be invoked and then the wallet can proceed with the steps needed to complete the issuance.
  2. Wallet initiated flow: the user requests to add a VDC from their wallet application. For example, a wallet may offer a button to "Add your passport". In this case, the wallet maintains its supported issuer list and metadata. It does not need to integrate with the Android Credential Manager to complete this function.

CMWallet supports the issuer initiated flow, allowing arbitrary type of credentials in the SD-JWT VC or mdoc format.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay, updated as written with minimal changes.

Comment thread README.md Outdated
Comment thread README.md Outdated
[Room DB] ◄── Save issued credential ◄── Hardware-backed attestation process ◄── Request credential from Issuer
```
* **Issuer triggers intent**: The issuer triggers Android's `CREATE_CREDENTIAL` system intent, launching `CreateCredentialActivity`.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's just link to the Android DAC doc, or copy content over

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you mean the below section or this line in particular? I think it's still useful to have text here - the DAC page can still be the maintained source of truth.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added some more detailed suggestion in the comment above. We should update the sections Issuer triggers intent and Progress bottom to correctly reflect the issuance flow

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've gone ahead and removed the diagram as it may add more confusion given the wallet-initiated one doesn't use credman at all and could be perceived as simpler, though it doesn't scale well.

Comment thread README.md
└── matcher-rs/ # Rust implementation of wasm matcher
```

### Detailed Directory Mapping

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need this part? Worry that it may become quickly outdated

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is intended to help users map each of the concepts covered to the directories in which they're implemented. Do we think the core files might change in the future? Even if new features are added the core files should likely remain the same - WDYT?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fine with me either way; but I hope the structure above is good enough for most of the time.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's keep for now - I'll update as needed if things change.

Comment thread README.md Outdated
Comment thread README.md Outdated
* **Presentation Assembly**: The wallet extracts the requested claims, builds a cryptographically secure **Session Transcript** to bind the response to the specific connection, signs the response using the private key stored in secure hardware, packages the payload, and returns it to the calling verifier.

### 2. Credential Issuance
Handles credential issuance requests from issuers. When a user initiates getting a credential from an issuer by scanning a QR code or opening a link, the issuer can trigger a system intent that launches the credential creation and storage process:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Still seems a bit off.. How about something like this:

Normally a user can trigger credential issuance in two ways:

  1. Issuer initiated flow: the user triggers a request to issue a VDC from an issuer application or website. For example, an issuer.gov website may offer its users an option to "Add your passport to your wallet". The issuer calls the Credential Manager issuance API to make an OpenID4VCI Credential Offer request. To handle such requests a wallet must first integrate with Credential Manager to register its metadata. Credential Manager will display relevant options for a user to select. After the user selects a wallet option, the wallet application will be invoked and then the wallet can proceed with the steps needed to complete the issuance.
  2. Wallet initiated flow: the user requests to add a VDC from their wallet application. For example, a wallet may offer a button to "Add your passport". In this case, the wallet maintains its supported issuer list and metadata. It does not need to integrate with the Android Credential Manager to complete this function.

CMWallet supports the issuer initiated flow, allowing arbitrary type of credentials in the SD-JWT VC or mdoc format.

Comment thread README.md Outdated
Comment thread README.md
Comment thread README.md Outdated
[Room DB] ◄── Save issued credential ◄── Hardware-backed attestation process ◄── Request credential from Issuer
```
* **Issuer triggers intent**: The issuer triggers Android's `CREATE_CREDENTIAL` system intent, launching `CreateCredentialActivity`.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added some more detailed suggestion in the comment above. We should update the sections Issuer triggers intent and Progress bottom to correctly reflect the issuance flow

Comment thread README.md Outdated
Comment thread README.md Outdated
```
* **Issuer triggers intent**: The issuer triggers Android's `CREATE_CREDENTIAL` system intent, launching `CreateCredentialActivity`.
* **Progress bottom sheet**: The wallet displays a Compose bottom sheet showing a progress bar while it parses the Credential Offer.
* **Key Generation and Attestation**: The wallet generates a secure cryptographic EC P-256 key pair in the phone's hardware-backed **Android KeyStore**. It creates a signed **DPoP Proof** and an **Android Keystore Key Attestation** to prove the key is tied to a genuine physical device.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CMWallet supports Android key attestation for credential binding keys. It provides a direct Android hardware backed key attestation and is the recommended key proof approach on Android.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated the bullet.

Comment thread README.md
## Directory & Module Guide

```
CMWallet/

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should also talk about the testdata folder that supports generating SD-JWT VC / mdoc for testing.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a section - can you help verify?

Comment thread README.md
└── matcher-rs/ # Rust implementation of wasm matcher
```

### Detailed Directory Mapping

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fine with me either way; but I hope the structure above is good enough for most of the time.

@QZHelen

QZHelen commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

I added some edits inline. Ptal and lmk if it looks good!

Comment thread README.md Outdated
* **Holder invocation**: If matching credential(s) are found, Android displays a credential selector
with the matched credentials to the user. The user selects the credential they want, which then
invokes the holder and launches the holder activity. CMWallet launches an additional
`BiometricPrompt` during invocation for additional user consent.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Replace user consent with user authentication

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@cy245

cy245 commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

I added some edits inline. Ptal and lmk if it looks good!

I'm good with these changes. Feel free to approve/merge when ready.

@QZHelen QZHelen merged commit 3ce1f94 into digitalcredentialsdev:main Jul 8, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants