Support OpenID4VP preference-ordered protocol matching (supported_protocols) in Wasm Matcher#46
Merged
QZHelen merged 2 commits intoJul 10, 2026
Conversation
Extract the single-request evaluation logic inside main() / openid4vp_main() into a standalone process_request(...) helper function without altering existing sequential matching behavior.
bea60df to
33d8fc8
Compare
QZHelen
reviewed
Jul 10, 2026
| cJSON *supported_protocols = cJSON_GetObjectItem(creds, "supported_protocols"); | ||
| int supported_protocols_size = (supported_protocols != NULL && cJSON_IsArray(supported_protocols)) | ||
| ? cJSON_GetArraySize(supported_protocols) : 0; | ||
| if (supported_protocols_size == 0) |
Contributor
There was a problem hiding this comment.
Let's not support this fallback. In the latest Jetpack API, we should provide a non-breaking default value for the list of supported_protocols as list of [signed, unsigned, and multisigned]. This way, we don't have to maintain this fallback where the supported_protocols is empty.
| ++doc_idx; | ||
| } | ||
| } | ||
| matched = 1; |
Contributor
There was a problem hiding this comment.
Probably also want to break here. And add a comment noting that if there are multiple requests of the same protocol, then we'd only process that first one that matches.
33d8fc8 to
d05a848
Compare
Support preference-ordered protocol selection via supported_protocols array in GetDigitalCredentialOption requests, short-circuiting on first match. Fallback to sequential evaluation when supported_protocols is omitted or empty.
d05a848 to
9b05fc4
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Overview
When evaluating OpenID4VP digital credential requests (
GetDigitalCredentialOption), credential providers (creds) may support multiple protocol schemes (e.g.,openid4vp-v1-signed,openid4vp-v1-unsigned). Previously,openid4vp_main()inmatcher/openid4vp1_0.cevaluated incomingrequestslinearly in array order.This PR introduces preference-ordered protocol matching: when
supported_protocolsis declared at the root of the credential provider registry (creds), the Wasm matcher evaluates incoming requests in the exact priority order defined by the provider and immediately short-circuits (return 0;) upon the first request that yields a match.Commit Breakdown
1. Commit
d05a848: Pure Refactor — Extractprocess_request(...)Helpermain()/openid4vp_main()(openid4vp1_0.c) into a standalonestatic int process_request(...)helper function.2. Commit
4f63622: Feature Implementation — Preference-Ordered Protocol MatchingcJSON *supported_protocols = cJSON_GetObjectItem(creds, "supported_protocols");on the credential store (creds_blob).supported_protocols_size > 0):supported_protocolsin provider priority order (p = 0..size-1).target_protocol(strcmp(protocol, target_protocol) == 0).return 0;): As soon as a request matchingtarget_protocolsuccessfully yields candidate credentials (process_request(...) == 1),openid4vp_main()immediately returns0. If multiple incoming request items share the same preferred protocol, only the first request that yields a match is processed.supported_protocolsallowlist,openid4vp_main()returns0(no match) cleanly without accidentally falling back to unlisted protocols.supported_protocolsConfiguration: Standardregistry.jsoninmatcher/testdata/updated with default"supported_protocols": ["openid4vp-v1-signed", "openid4vp-v1-unsigned", "openid4vp-v1-multisigned"], ensuring all 39 unit tests operate seamlessly under preference-ordered matching.app/src/main/assets/openid4vp1_0.wasm) usingclang -o openid4vp1_0.wasm openid4vp1_0.c dcql.c cJSON/cJSON.c credentialmanager.c base64.c -I. -IcJSON -O3.test_runner.cc&matcher/testdata/):TC39_MatchMostPreferredSupportedProtocolAvailable: Verifies that whensupported_protocols: ["signed", "unsigned"]andrequests: [unsigned, signed, signed, multisigned], the matcher short-circuits and reports only the first matching preferredsignedrequest (req:1), skipping un-preferredunsigned(req:0) and duplicatesigned(req:2).TC40_NoMatchIfNoRequestsForSupportedProtocols: Verifies strict allowlist enforcement (0matches) whensupported_protocols: ["signed"]andrequests: [unsigned].Test Plan & Verification Evidence
Manual Test
supportedProtocolssupport.CredentialRepositorywithsupportedProtocols = listOf("openid4vp-v1-multisigned", "openid4vp-v1-signed")when creatingOpenId4VpRegistry.Automated C / Wasm Unit Tests (
make test)Executed clean build and doctest suite execution inside
CMWallet/matcher/: