Skip to content

Support OpenID4VP preference-ordered protocol matching (supported_protocols) in Wasm Matcher#46

Merged
QZHelen merged 2 commits into
digitalcredentialsdev:mainfrom
g-brnlee:openid4vp-supported-protocols
Jul 10, 2026
Merged

Support OpenID4VP preference-ordered protocol matching (supported_protocols) in Wasm Matcher#46
QZHelen merged 2 commits into
digitalcredentialsdev:mainfrom
g-brnlee:openid4vp-supported-protocols

Conversation

@g-brnlee

@g-brnlee g-brnlee commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Overview

When evaluating OpenID4VP digital credential requests (GetDigitalCredentialOption), credential providers (creds) may support multiple protocol schemes (e.g., openid4vp-v1-signed, openid4vp-v1-unsigned). Previously, openid4vp_main() in matcher/openid4vp1_0.c evaluated incoming requests linearly in array order.

This PR introduces preference-ordered protocol matching: when supported_protocols is declared at the root of the credential provider registry (creds), the Wasm matcher evaluates incoming requests in the exact priority order defined by the provider and immediately short-circuits (return 0;) upon the first request that yields a match.


Commit Breakdown

1. Commit d05a848: Pure Refactor — Extract process_request(...) Helper

  • Changes:
    • Extracts the per-request OpenID4VP evaluation block inside main() / openid4vp_main() (openid4vp1_0.c) into a standalone static int process_request(...) helper function.
    • Preserves existing sequential request matching behavior.
  • Verification: All existing test cases compile and pass identically before and after extraction.

2. Commit 4f63622: Feature Implementation — Preference-Ordered Protocol Matching

  • Changes:
    • Inspects cJSON *supported_protocols = cJSON_GetObjectItem(creds, "supported_protocols"); on the credential store (creds_blob).
    • Preference-Ordered Matching (supported_protocols_size > 0):
      • Outer loop iterates over supported_protocols in provider priority order (p = 0..size-1).
      • Inner loop iterates across incoming requests matching target_protocol (strcmp(protocol, target_protocol) == 0).
      • Immediate Short-Circuit (return 0;): As soon as a request matching target_protocol successfully yields candidate credentials (process_request(...) == 1), openid4vp_main() immediately returns 0. If multiple incoming request items share the same preferred protocol, only the first request that yields a match is processed.
      • Strict Allowlisting: If none of the incoming requests match the explicit supported_protocols allowlist, openid4vp_main() returns 0 (no match) cleanly without accidentally falling back to unlisted protocols.
    • Default supported_protocols Configuration: Standard registry.json in matcher/testdata/ updated with default "supported_protocols": ["openid4vp-v1-signed", "openid4vp-v1-unsigned", "openid4vp-v1-multisigned"], ensuring all 39 unit tests operate seamlessly under preference-ordered matching.
    • Recompiles and updates the packaged runtime WebAssembly asset (app/src/main/assets/openid4vp1_0.wasm) using clang -o openid4vp1_0.wasm openid4vp1_0.c dcql.c cJSON/cJSON.c credentialmanager.c base64.c -I. -IcJSON -O3.
  • Unit Tests Added (test_runner.cc & matcher/testdata/):
    • TC39_MatchMostPreferredSupportedProtocolAvailable: Verifies that when supported_protocols: ["signed", "unsigned"] and requests: [unsigned, signed, signed, multisigned], the matcher short-circuits and reports only the first matching preferred signed request (req:1), skipping un-preferred unsigned (req:0) and duplicate signed (req:2).
    • TC40_NoMatchIfNoRequestsForSupportedProtocols: Verifies strict allowlist enforcement (0 matches) when supported_protocols: ["signed"] and requests: [unsigned].

Test Plan & Verification Evidence

Manual Test

  1. Configured CMWallet app to use locally built AndroidX SDK with added supportedProtocols support.
  2. Updated CredentialRepository with supportedProtocols = listOf("openid4vp-v1-multisigned", "openid4vp-v1-signed") when creating OpenId4VpRegistry.
  3. Built and installed app.
  4. Go to https://digital-credentials.dev/ in browser.
  5. Request credentials with unsigned request.
  6. Observe "Your info wasn't found".
  7. Request credentials with signed request.
  8. Verify that MDL was found and was able to be shared with RP.

Automated C / Wasm Unit Tests (make test)

Executed clean build and doctest suite execution inside CMWallet/matcher/:

===============================================================================
[doctest] test cases: 39 | 39 passed | 0 failed | 0 skipped
[doctest] assertions: 44 | 44 passed | 0 failed |
[doctest] Status: SUCCESS!

Extract the single-request evaluation logic inside main() / openid4vp_main()
into a standalone process_request(...) helper function without altering
existing sequential matching behavior.
@g-brnlee g-brnlee force-pushed the openid4vp-supported-protocols branch from bea60df to 33d8fc8 Compare July 10, 2026 15:57
@QZHelen QZHelen self-requested a review July 10, 2026 18:14
Comment thread matcher/openid4vp1_0.c Outdated
cJSON *supported_protocols = cJSON_GetObjectItem(creds, "supported_protocols");
int supported_protocols_size = (supported_protocols != NULL && cJSON_IsArray(supported_protocols))
? cJSON_GetArraySize(supported_protocols) : 0;
if (supported_protocols_size == 0)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's not support this fallback. In the latest Jetpack API, we should provide a non-breaking default value for the list of supported_protocols as list of [signed, unsigned, and multisigned]. This way, we don't have to maintain this fallback where the supported_protocols is empty.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed fallback.

Comment thread matcher/openid4vp1_0.c Outdated
++doc_idx;
}
}
matched = 1;

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably also want to break here. And add a comment noting that if there are multiple requests of the same protocol, then we'd only process that first one that matches.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@g-brnlee g-brnlee force-pushed the openid4vp-supported-protocols branch from 33d8fc8 to d05a848 Compare July 10, 2026 19:51
Support preference-ordered protocol selection via supported_protocols array
in GetDigitalCredentialOption requests, short-circuiting on first match.
Fallback to sequential evaluation when supported_protocols is omitted or empty.
@g-brnlee g-brnlee force-pushed the openid4vp-supported-protocols branch from d05a848 to 9b05fc4 Compare July 10, 2026 20:57
@QZHelen QZHelen merged commit 38b05eb into digitalcredentialsdev:main Jul 10, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants