Merge pull request #314 from openwallet-foundation-labs/feat/verify-mdoc

feat: add mdoc validation approach

Author: cre8

.codecov.yml

@@ -9,6 +9,8 @@ coverage:
     patch:
       default:
         target: 10%
+        paths:
+          - apps/backend/**
 
 comment:
   layout: "reach,diff,flags,tree"
@@ -25,5 +27,11 @@ ignore:
   - "apps/client/**"
   - "apps/dcapi/**"
   - "apps/webhook/**"
+  - "apps/verifier-app/**"
   - "apps/tmp/**"
   - "monitor/**"
+  - "packages/**"
+  - "deployment/**"
+  - "scripts/**"
+  - "schemas/**"
+  - "assets/**"

.github/workflows/ci-and-release.yml

@@ -219,9 +219,8 @@ jobs:
     steps:
       - uses: actions/checkout@v6
 
-      #      - name: Add entry to /etc/hosts
-      #        run: echo "127.0.0.1       host.testcontainers.internal" | sudo tee
-      #          -a /etc/hosts
+      - name: Add entry to /etc/hosts
+        run: echo "127.0.0.1       host.testcontainers.internal" | sudo tee -a /etc/hosts
 
       - uses: pnpm/action-setup@v4
         name: Install pnpm
@@ -246,6 +245,8 @@ jobs:
 
       - name: Run E2E tests
         run: pnpm run --filter @eudiplo/backend test:e2e
+        env:
+          TESTCONTAINERS_HOST_OVERRIDE: host.testcontainers.internal
 
       - name: Upload coverage to Codecov
         uses: codecov/codecov-action@v5

README.md

@@ -37,7 +37,7 @@ management, scalable database support, and clean API boundaries.
 
 ## 🧩 Features
 
-- ✅ Supports **OID4VCI**, **OID4VP**, **SD-JWT VC**, and **OAuth Token Status
+- ✅ Supports **OID4VCI**, **OID4VP**, **SD-JWT VC**, **mDOC (ISO 18013-5)**, and **OAuth Token Status
   List**
 - ✅ **OIDF conformance tested** for OID4VCI and OID4VP protocols
 - ✅ JSON-based credential configuration

apps/backend/package.json

@@ -24,15 +24,16 @@
         "start:debug": "nest start --debug --watch",
         "start:prod": "node dist/main",
         "lint": "biome lint",
-        "lint:fix": "biome check --fix",
+        "lint:fix": "biome check --fix --unsafe",
         "test": "vitest run",
         "test:watch": "vitest",
         "test:debug": "vitest --inspect-brk --inspect --logHeapUsage --threads=false",
-        "test:e2e": "VITEST_SKIP_OIDF=true vitest run --coverage --config ./test/vitest.config.ts",
+        "test:e2e": "vitest run --coverage --config ./test/vitest.config.ts",
         "test:e2e:watch": "vitest --coverage --config ./test/vitest.config.ts",
         "registrar": "npx @hey-api/openapi-ts -i https://funke-wallet.de/-json -o ./src/registrar/generated -c @hey-api/client-fetch"
     },
     "dependencies": {
+        "@animo-id/mdoc": "0.6.0-alpha-20251209053057",
         "@aws-sdk/client-s3": "^3.943.0",
         "@aws-sdk/s3-request-presigner": "^3.943.0",
         "@badgateway/oauth2-client": "^3.3.1",
@@ -49,6 +50,8 @@
         "@nestjs/swagger": "^11.2.3",
         "@nestjs/terminus": "^11.0.0",
         "@nestjs/typeorm": "^11.0.0",
+        "@noble/hashes": "^2.0.1",
+        "@noble/curves": "^2.0.1",
         "@openid4vc/oauth2": "0.4.3",
         "@openid4vc/openid4vci": "0.4.3",
         "@openid4vc/openid4vp": "0.4.3",
@@ -82,7 +85,8 @@
         "rxjs": "^7.8.2",
         "sqlite3": "^5.1.7",
         "typeorm": "^0.3.28",
-        "uuid": "^13.0.0"
+        "uuid": "^13.0.0",
+        "@panva/hkdf": "^1.2.1"
     },
     "devDependencies": {
         "@biomejs/biome": "2.3.8",

apps/backend/src/crypto/key/cert/cert.service.ts

@@ -11,7 +11,6 @@ import { v4 } from "uuid";
 import { TenantEntity } from "../../../auth/tenant/entitites/tenant.entity";
 import { ConfigImportService } from "../../../shared/utils/config-import/config-import.service";
 import { CertImportDto } from "../dto/cert-import.dto";
-import { CertSelfSignedDto } from "../dto/cert-self-signed.dto";
 import { CertUpdateDto } from "../dto/cert-update.dto";
 import { UpdateKeyDto } from "../dto/key-update.dto";
 import { CertEntity } from "../entities/cert.entity";
@@ -154,7 +153,7 @@ export class CertService {
     async addSelfSignedCert(
         tenant: TenantEntity,
         keyId: string,
-        dto: CertSelfSignedDto,
+        dto: CertImportDto,
     ) {
         // === Inputs/parameters (subject + SAN hostname) ===
         const subjectCN = tenant.name;
@@ -185,7 +184,7 @@ export class CertService {
         const selfSignedCert =
             await x509.X509CertificateGenerator.createSelfSigned({
                 serialNumber: "01",
-                name: `CN=${subjectCN}`,
+                name: `C=DE, CN=${subjectCN}`,
                 notBefore: now,
                 notAfter: inOneYear,
                 signingAlgorithm: ECDSA_P256,
@@ -208,7 +207,9 @@ export class CertService {
         return this.addCertificate(tenant.id, keyId, {
             crt: crtPem,
             certUsageTypes: dto.certUsageTypes,
-            description: `Self-signed certificate (${dto.certUsageTypes.join(", ")}) for tenant ${tenant.name}`,
+            description:
+                dto.description ??
+                `Self-signed certificate (${dto.certUsageTypes.join(", ")}) for tenant ${tenant.name}`,
             keyId,
         });
     }
@@ -300,7 +301,7 @@ export class CertService {
             // Create a new key
             const keyId = await this.keyService.create(value.tenantId);
 
-            const dto: CertSelfSignedDto = {
+            const dto: CertImportDto = {
                 certUsageTypes: [value.type],
                 keyId,
             };

apps/backend/src/crypto/key/dto/cert-self-signed.dto.ts

@@ -9,6 +9,8 @@ import { CredentialConfigService } from "./credentials/credential-config/credent
 import { CredentialConfigController } from "./credentials/credential-config.controller";
 import { CredentialsService } from "./credentials/credentials.service";
 import { CredentialConfig } from "./credentials/entities/credential.entity";
+import { MdocIssuerService } from "./credentials/issuer/mdoc-issuer/mdoc-issuer.service";
+import { SdjwtvcIssuerService } from "./credentials/issuer/sdjwtvc-issuer/sdjwtvc-issuer.service";
 import { IssuanceConfig } from "./issuance/entities/issuance-config.entity";
 import { IssuanceService } from "./issuance/issuance.service";
 import { IssuanceConfigController } from "./issuance/issuance-config.controller";
@@ -35,6 +37,8 @@ import { IssuanceConfigController } from "./issuance/issuance-config.controller"
         CredentialsService,
         CredentialConfigService,
         WebhookService,
+        SdjwtvcIssuerService,
+        MdocIssuerService,
     ],
     exports: [IssuanceService, CredentialConfigService, CredentialsService],
 })

apps/backend/src/issuer/configuration/configuration.module.ts

@@ -1,10 +1,19 @@
-import { Body, Controller, Delete, Get, Param, Post } from "@nestjs/common";
+import {
+    Body,
+    Controller,
+    Delete,
+    Get,
+    Param,
+    Patch,
+    Post,
+} from "@nestjs/common";
 import { ApiTags } from "@nestjs/swagger";
 import { Role } from "../../../auth/roles/role.enum";
 import { Secured } from "../../../auth/secure.decorator";
 import { Token, TokenPayload } from "../../../auth/token.decorator";
 import { CredentialConfigService } from "./credential-config/credential-config.service";
 import { CredentialConfigCreate } from "./dto/credential-config-create.dto";
+import { CredentialConfigUpdate } from "./dto/credential-config-update.dto";
 
 /**
  * Controller for managing credential configurations.
@@ -49,6 +58,22 @@ export class CredentialConfigController {
         return this.credentialsService.store(user.entity!.id, config);
     }
 
+    /**
+     * Updates a credential configuration by ID.
+     * @param id
+     * @param config
+     * @param user
+     * @returns
+     */
+    @Patch(":id")
+    updateCredentialConfiguration(
+        @Param("id") id: string,
+        @Body() config: CredentialConfigUpdate,
+        @Token() user: TokenPayload,
+    ) {
+        return this.credentialsService.update(user.entity!.id, id, config);
+    }
+
     /**
      * Deletes an credential configuration.
      * @param id

apps/backend/src/issuer/configuration/credentials/credential-config.controller.ts

@@ -10,6 +10,7 @@ import { ConfigImportService } from "../../../../shared/utils/config-import/conf
 import { FilesService } from "../../../../storage/files.service";
 import { StatusListService } from "../../../lifecycle/status/status-list.service";
 import { CredentialConfigCreate } from "../dto/credential-config-create.dto";
+import { CredentialConfigUpdate } from "../dto/credential-config-update.dto";
 import { CredentialConfig } from "../entities/credential.entity";
 
 /**
@@ -168,6 +169,25 @@ export class CredentialConfigService {
         });
     }
 
+    /**
+     * Updates a credential configuration for a given tenant.
+     * Only updates fields that are provided in the config.
+     * Set fields to null to clear them.
+     * @param tenantId - The ID of the tenant.
+     * @param id - The ID of the CredentialConfig entity to update.
+     * @param config - The partial CredentialConfig to update.
+     * @returns A promise that resolves to the updated CredentialConfig entity.
+     */
+    async update(tenantId: string, id: string, config: CredentialConfigUpdate) {
+        const existing = await this.getById(tenantId, id);
+        return this.credentialConfigRepository.save({
+            ...existing,
+            ...config,
+            id,
+            tenantId,
+        });
+    }
+
     /**
      * Deletes a credential configuration for a given tenant.
      * @param tenantId - The ID of the tenant.