Releases: walt-id/waltid-identity

v0.18.2

27 Mar 09:39
5d5650c

Merge pull request #1619 from walt-id/release/v0.18.x

0.18.1

v0.18.0

13 Mar 11:50
08ed607

Highlights

  • Introduced CWT Status List support in verification policies, enabling broader credential status checking including CBOR/COSE-based credentials alongside existing JWT-based flows.
  • Introduced mdoc issuance improvements (WAL-590), including extended key support, birth date serialization fixes, and refined cnf claim value assignment with improved holder key resolution.
  • Introduced a Digital Credentials service with Kubernetes deployment configurations, an updated README, and OpenBadge credential schema hosting — making it easier to deploy and integrate credential infrastructure.
  • Improved credential offer handling by replacing ConcurrentHashMap with a proper CredentialOfferCache, optimising resolution and reducing redundant double-retrieval of offer requests.
  • Extended JWE encryption support in the wallet to cover ECDH-ES with multiple symmetric algorithms and asymmetric curves, plus full signed request handling and direct_post.jwt response mode compliance.
  • Improved X.509 / IACA certificate utilities, adding PEM parsing, country code validation, certificate info extraction helpers, and CWT/COSE Sign1 parsing support.
  • Fixed a BSON encoding issue with JsonNull values and resolved integration test failures introduced during merges, improving overall stability.
  • Upgraded key dependencies including Kotlin, KotlinCrypto, nimbus-jose-jwt, and Next.js (security patches), reducing vulnerability exposure across the stack.

Detailed Updates

Verifier & Policies

  • Added CWT Status List support to verification policies (#1467): Verifiers can now validate credential status using CWT-format status lists, broadening interoperability with CBOR/COSE-based credential ecosystems. Includes updated StatusPolicyImplementation dependencies and mutable results in VPPolicy2.
  • Cleaned up class references in status policies (#1468): Internal refactoring to improve maintainability of status policy implementations.
  • Added verifier2 deployment file for demo systems (#1475): A dedicated deployment configuration for the verifier2 service is now available, including additional request examples and full signature verification support.

Database & Storage

  • Added sandbox deployment support (#1464): Sandbox environments can now be deployed alongside release configurations.
  • Fixed a sorting bug: Resolved an incorrect sortedBy behaviour that could cause unexpected ordering in query results.

Issuer & Credentials

  • Improved mdoc issuance (#1569, WAL-590): Multiple fixes and enhancements including extended key type support in mdoc tests, fixed birth_date serialisation, and refined cnf claim value assignment with improved holder key resolution and error handling (#1476).
  • Introduced the Digital Credentials service (#1575): Added the waltid-digital-credentials module with Kubernetes deployment and service configurations, an enhanced README, and an OpenBadge credential schema (ob_v3p0_anyachievementcredential_schema.json) now hosted on GitHub (#1479).
  • Fixed BSON encoding of JsonNull values (#1500): Resolved an encoding issue that caused failures when storing credentials containing null JSON fields. (Note: a subsequent revert was applied; the fix was re-integrated via merge.)
  • Improved credential offer caching (#1322, #1482): Replaced ConcurrentHashMap with a CredentialOfferCache backed by ConfiguredPersistence, eliminating double-retrieval of offer requests and optimising resolution performance.
  • Added credential redaction logic: Results are now mutable and support selective field redaction, enabling privacy-preserving credential handling.
  • Extracted status entry logic to use DigitalCredential: Aligns status handling with the new digital credentials model for consistency.

Authentication & Sessions

  • Extended JWE encryption support in the wallet (#1492): The wallet now supports ECDH-ES encryption with a full range of symmetric algorithms (A128GCM, A192GCM, A256GCM, A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) and asymmetric curves (secp256r1, secp384r1, secp521r1). Also includes signed request handling with client_id_prefix authentication, direct_post.jwt response mode support for non-DC-API flows, and SD-JWT recursive parsing fixes.
  • Added format matchers for JWT and CWT: Enables the authentication layer to correctly identify and route credential formats during verification flows.
  • Added data_retention_purge session event: Supports data lifecycle management by signalling when PII should be cleared from sessions.
  • Extracted OIDC external role claims into session metadata: Role information from external OIDC providers is now surfaced in session context, improving authorisation flexibility.
  • Added documentation for ciTokenKey (#1486): Developers integrating CI/CD token flows now have reference documentation for this configuration property.
  • Fixed correct keyId headers for DID-based signed requests (#1465): Ensures signed requests using DIDs include the correct key identifier headers, resolving interoperability issues.
  • Removed key check to support referenced keys (#1466): Allows use of externally referenced keys without requiring them to be present locally, broadening key management flexibility.

Cryptography & Keys

  • Extended X.509 / IACA certificate utilities (#1515): Added PEM parsing for CertificateDer, IACA certificate info extraction helpers, ISO country code validation in commonMain, PEM guardrails, and snapshot-based test vectors — making it easier to work with IACA certificates in mobile and eIDAS contexts.
  • Added CWT/COSE Sign1 parsing support: A new CwtParser enables parsing of COSE Sign1 hex-encoded structures, supporting CWT-based credential flows end-to-end.
  • Added DID kid support in COSE: COSE signing now correctly handles DID-based key identifiers.
  • Bumped KotlinCrypto from 0.6.1 to 0.8.0 (#1423): Picks up upstream cryptographic improvements and bug fixes.
  • Bumped nimbus-jose-jwt from 10.6 to 10.7 (#1446): Keeps JWT handling up to date with the latest library fixes.

Wallet & Runtime

  • Updated PID credential structure (#1481): Aligned PID credential fields with the latest EUDI attestation rulebook.
  • Fixed mobile dependency issues (#1516): Resolved dependency conflicts affecting mobile builds.
  • Added jose dependency for the dev-wallet (#1490): Ensures the development wallet has the required cryptographic library available.

Security

  • Upgraded Next.js to address security vulnerabilities (#1478, #1494): Patched from 14.2.35 through to 16.1.5, resolving known CVEs in the web portal.
  • Consolidated Kubernetes security context (#1596): Removed the init container and unified the security context across deployment configurations; added NET_BIND_SERVICE capability where required.
  • Upgraded frontend dependencies via Snyk (#1441, #1442, #1443, #1444, #1445, #1496): Updated TypeScript, @types/node, @types/react, eslint, eslint-config-next, and jose to their latest patched versions, reducing vulnerability surface in the web portal.

Documentation & CI

  • Improved Presentation Definition (PD) support with integration tests (#1513): Extended PD handling is now covered by automated integration tests, increasing confidence in verifier flows.
  • Fixed enterprise integration test timeouts (#1514): Resolved flaky timeout-related failures in the enterprise test suite; the enterprise stack now uses the OkHttp client instead of CIO for improved reliability.
  • Fixed buildFatJar for Hoplite (#1599): Resolves a build failure affecting fat JAR packaging for services using the Hoplite configuration library.
  • Updated and expanded DC API examples (#1517): All Digital Credentials API examples have been reviewed, corrected, and extended to cover additional flows including Annex C.
  • Updated Docker and Kubernetes configurations (#1470, #1471): Deployment namespace for waltid-credentials updated; READMEs improved with Docker build instructions; Dockerfile paths and nginx configuration refined for production.
  • Tuned Gradle build workers (#1487, #1495): Adjusted max-worker settings to balance build speed and resource usage in CI.
  • Uploaded test reports in GitHub Actions: Test report artefacts are now collected and uploaded on each build run, making it easier to diagnose failures.
  • Bumped GitHub Actions (#1422, #1425, #1429, #1430): Updated reusable workflow references and actions/upload-artifact to current versions.

v0.17.1

22 Jan 16:02
b58cefe

Changelog

[0.17.1] - 2026-01-22 (UTC)

Compare: v0.17.0...v0.17.1

Highlights

  • Introduced a configurable X.509 certificate validation system with support for ISO/IEC 18013-5 compliant certificate generation, parsing, and validation across multiple platforms
  • Added Helm charts for streamlined Kubernetes deployment of all WaltID components (issuer, verifier, portal, web-wallet) with production-ready defaults
  • Expanded elliptic curve key support to include secp256r1, secp384r1, and secp521r1 for enhanced cryptographic flexibility
  • Introduced synchronous blocking API variants for certificate operations, enabling better integration with non-coroutine codebases
  • Updated docker-compose configuration to use stable version tags for improved deployment consistency
  • Enhanced documentation with ISO specification references and configurable validation guidance for certificate workflows

Detailed Updates

Certificate Validation & X.509

Introduced a configurable certificate validation system that provides a flexible, standards-compliant approach to X.509 certificate handling. The system supports both ISO/IEC 18013-5 compliant certificates (IACA and Document Signer) and general-purpose X.509 validation with configurable trust models.

Key improvements:

  • Added synchronous blocking variants for certificate build/parse/validate operations on supported platforms, enabling easier integration with traditional Java/Kotlin codebases
  • Switched onboarding flows to builder-based certificate generation for improved developer experience
  • Expanded supported EC signing keys to include secp256r1, secp384r1, and secp521r1 beyond the existing secp256k1 support
  • Updated README with linked ISO references and comprehensive guidance on configurable validation, including default settings and validity limits (20-year cap)
  • Reworked onboarding tests and added blocking-vs-suspend equivalence tests to ensure API consistency

Breaking changes:

  • Onboarding now requires explicit notBefore/notAfter timestamps in certificate request payloads
  • Altered request/response shapes for certificate operations to support the new builder-based approach

Deployment & Infrastructure

Added comprehensive Helm charts for deploying WaltID components in Kubernetes environments. The charts include:

  • Full deployment configurations for issuer, verifier, portal, and web-wallet services
  • Service definitions with proper networking
  • Ingress configurations for external access
  • ConfigMaps for configuration management
  • Persistent Volume Claims (PVC) support for data persistence
  • Secure runtime defaults optimized for production use
  • Documentation with prerequisites, installation steps, and usage examples

Updated docker-compose configuration to use stable version tags instead of specific version numbers, improving deployment consistency and simplifying version management.

Developer Experience

Enhanced documentation and tooling:

  • Added comprehensive README for Helm charts with overview, prerequisites, installation, and usage instructions
  • Added .helmignore files to streamline chart packaging and exclude transient files
  • Improved alignment between OSS and Enterprise documentation for consistency

Pull Requests

| PR # | Title | Author | Reviewer | Merged Date |
|---|---|---|---|---|
| #1458 | Feature/wal 502 | cpatsonakis | chsavvaidis | 2026-01-21 |
| #1460 | feat: Added helm-charts | dinkar-jain | philpotisk | 2026-01-22 |
| #1462 | Using "stable" tag for docker-compose | philpotisk | - | 2026-01-21 |

Full Changelog: v0.17.0...v0.17.1

v0.17.0

20 Jan 21:08
d98f7c0

Changelog

[0.17.0] - 2026-01-20 (UTC)

Compare: v0.16.2...v0.17.0

Highlights

  • Introduced an initial OpenID4VCI 1.0 library containing OAuth-related implementations.
  • Expanded Verifier2 client metadata support (RFC7591) and added OpenAPI examples to reduce integration friction.
  • Added Azure Key Vault as a crypto backend and improved cloud/remote key-management ergonomics (tagging, private-key semantics, serialization registration).
  • Improved multiplatform X.509 / ISO 18013-5 building blocks to support stronger credential and certificate workflows.
  • Fixed web wallet startup/session issues when using ktor-auth with a Valkey-backed session store.
  • Hardened build + delivery: Docker build permission fix, CI tag fixes, and reduced flaky external test dependencies.

Detailed updates

OpenID4VCI

  • Introduced an initial OpenID4VCI baseline library as a starting point for issuer flows and follow-up interoperability work.

Verifier / Metadata

  • Added support for RFC7591-style client metadata in Verifier2 OpenID metadata, including language-tagged variants (WAL-428) (#1431).
  • Added Verifier2 OpenAPI examples to make policy + query configuration easier to copy/paste (WAL-518) (#1457).

Wallet / Runtime / Sessions

  • Fixed web wallet startup when ktor-auth is enabled and the Valkey session store is not reachable, improving failure-mode clarity and local dev ergonomics (#1439).

Crypto / Keys / Certificates

  • Added Azure Key Vault support as a new cryptographic backend, enabling key management and signing operations against Azure-managed keys using Managed Identity rather than explicit authentication.
  • Added support for tagging keys at creation time in AWS and Azure integrations, and refactored AWS auth configuration for clearer initialization (#1454).
  • Corrected hasPrivateKey semantics for AWS, Azure, OCI, and TSE key implementations to avoid incorrect capability checks in higher-level flows (#1455).
  • Improved external key serialization registration by dynamically tracking registered key types, reducing brittleness when integrating new key providers (#1461).
  • Added a PEM encoding extension helper to simplify key/cert export and interop with external tooling (#1451).
  • Added commonized KMP domain models and extensions for X.509 / ISO 18013-5 related functionality (#1415).

Build / CI / Docs

  • Added redirects for legacy domains to smooth migrations and reduce broken links (#1434).
  • Updated Docker instructions and fixed an alignment warning in docs and build output (#1438).
  • Fixed a Dockerfile permission issue that could break container builds in stricter environments (#1447).
  • Fixed CI tag handling to reduce release friction (#1449).
  • Disabled tests that depended on entra.walt.id as a DID store to avoid external dependency flakiness (#1435).
  • Fixed Gradle warnings and introduced a configurable web data-fetching library, including a fix for schema verification policy behavior (#1433).

PRs merged

| PR | Title | Author | Reviewer | Merged |
|---|---|---|---|---|
| #1434 | chore: Added redirects for old used domains | @dinkar-jain | @philpotisk | 2026-01-08 |
| #1435 | fix: WAL-493 disable tests which use entra.walt.id as did store | @hokorn | @philpotisk | 2026-01-08 |
| #1438 | Updated docker instructions + fixed alignment-warning | @philpotisk | @JakeFernandes98 | 2026-01-09 |
| #1415 | Feature/WAL-459: KMP IACA & DS Commonization, JCA extensions and added features | @cpatsonakis | @chsavvaidis | 2026-01-12 |
| #1439 | Web wallet ktor auth fix | @JakeFernandes98 | @philpotisk | 2026-01-12 |
| #1447 | fix: Dockerfile permission build error | @dinkar-jain | @philpotisk | 2026-01-12 |
| #1416 | Feat/init vci 1.0 | @chsavvaidis | @cpatsonakis | 2026-01-13 |
| #1433 | WAL-468, fix Gradle warnings, introduce waltid data fetching | @waltkb | | 2026-01-14 |
| #1449 | Fix/ci tags | @dinkar-jain | @philpotisk | 2026-01-14 |
| #1417 | Feature/wal 266 | @SuperBatata | @cpatsonakis | 2026-01-15 |
| #1451 | feat: add pem encoding extension function | @cpatsonakis | @philpotisk | 2026-01-15 |
| #1454 | Feature/wal 486 | @SuperBatata | @cpatsonakis | 2026-01-19 |
| #1455 | set hasPrivateKey to true for AWS, Azure, OCI, and TSE key implementa... | @SuperBatata | @cpatsonakis | 2026-01-19 |
| #1431 | added support for rfc7591 in openid metadata for verifier2 | @JakeFernandes98 | | 2026-01-20 |
| #1457 | Verifier2 OpenAPI Examples (wal-518) | @philpotisk | @waltkb | 2026-01-20 |
| #1461 | refactor: improve key serialization registration process | @SuperBatata | @JakeFernandes98 | 2026-01-20 |

Full Changelog: v0.16.2...v0.17.0

v0.16.2

05 Jan 09:48
f7b6a96

Merge pull request #1421 from arbeitandy/fix/openapi-example-date-val…

v0.16.1

30 Dec 13:16

waltid-identity 0.16.1 (2025-12-30 UTC)

Compare: v0.16.0...0.16.1

Highlights

  • Introduced verifier API2 service wiring and configuration for docker-compose deployments (WAL-443) (feature).
  • Hardened container runtime with non-root users and Kubernetes security contexts for wallet and verifier services (security/ops).
  • Improved mdoc and X.509 onboarding correctness with MSO serialization, public key parsing, and notAfter validation (WAL-309, WAL-392) (bug fix).
  • Fixed MongoDB/DocumentDB mdoc persistence to unblock integration tests (bug fix).
  • Overhauled Gradle build via convention plugins and aligned Kotlin/Ktor updates with enterprise (OSS #1410, enterprise #293) (DX/ops).
  • Refreshed dependencies, THIRD-PARTY notices, and Sonar issues to keep compliance and quality clean (maintenance).

Detailed updates

Auth and session flows

  • No auth/session flow changes in this range.

Verifier and policies

  • Added verifier API2 service configuration, reverse-proxy wiring, and README updates for multi-verifier deployments (WAL-443) (feature). (PR #1387)
  • Added product-type aware service configuration headers for swagger docs to keep multi-product docs accurate (feature). (PR #1390)

Wallet and runtime

  • Added Kubernetes security context defaults and wallet-api hardening, plus non-root container users and leaner Dockerfiles (security/ops). (PR #1409, #1389, #1400)

Crypto and credential formats

  • Added custom MdocsCredential serialization including MSO, plus test coverage and constants to stabilize WAL-309 mdoc status mapping (feature/bug fix). (PR #1345)
  • Refined Issuer API public key parsing and tightened DS/IACA notAfter validation with E2E guardrails while keeping notBefore flexible (WAL-391, WAL-392) (bug fix). (PR #1364)

Storage and persistence

  • Fixed mdoc credential persistence in MongoDB/DocumentDB to unblock enterprise integration tests (bug fix). (PR #1411)

Build and dependencies

  • Migrated to Gradle convention plugins and enabled configuration cache/parallelism; aligned Kotlin/Ktor upgrades with enterprise (OSS #1410, enterprise #293) (DX/ops). (PR #1405, #1410)
  • Cleared Sonar findings and updated THIRD-PARTY notices alongside dependency upgrades (maintenance). (PR #1414, #1418)

PRs

| PR # | Title | Author | Reviewer | Merged date |
|---|---|---|---|---|
| #1387 | feat: add verifier API2 configuration and update related services | @SuperBatata | @philpotisk | 2025-12-04 |
| #1389 | Create unprivileged user for Docker runtime | @alphafoobar | @dinkar-jain | 2025-12-08 |
| #1400 | fix: Removed "apk add --update nodejs git" | @dinkar-jain | @mikeplotean | 2025-12-08 |
| #1345 | feat: add mdocs-credential custom serializer to include the mso | @mikeplotean | @JakeFernandes98 | 2025-12-10 |
| #1364 | WAL-392 and related fixes | @cpatsonakis | @chsavvaidis | 2025-12-11 |
| #1390 | added service configuration support for product types | @JakeFernandes98 | @waltkb | 2025-12-12 |
| #1405 | Move to convention plugin system | @waltkb | @philpotisk | 2025-12-15 |
| #1409 | Feat/security context | @dinkar-jain | @waltkb | 2025-12-17 |
| #1410 | Changes for Kotlin & ktor updates | @waltkb | @philpotisk | 2025-12-19 |
| #1411 | Fix mdoc credential persistance in MongoDB | @hokorn | @philpotisk | 2025-12-22 |
| #1414 | fixed sonarqube issues | @philpotisk | | 2025-12-22 |
| #1418 | Dep updates | @philpotisk | | 2025-12-30 |

Full Changelog: v0.16.0...v0.16.1

v0.16.0

04 Dec 16:30
275d9b9

Features

OpenID4VP 1.0, DCQL and the new Verifier2 service

  • Added a DCQL module for expressing credential queries, inspecting presented credentials and driving OpenID4VP verification across the stack.
  • Introduced the new OSS Verifier2 HTTP service and API, built on shared OpenID4VP verifier libraries, to run DCQL-based OpenID4VP 1.0 verification with selective disclosure and modern REST interfaces.
  • Implemented a VP-level policy to enforce required credential types in a single presentation (e.g., gx:LegalPerson plus specific registration numbers such as VAT/EORI/LEI).
  • Added a dedicated OpenID4VP conformance runner service that spins up Verifier2, provisions SD-JWT VC and ISO mdoc test plans, drives the OIDF suite and asserts both external and internal session state.

mDoc credentials and JSON→CBOR data adaptation

  • Rolled out a unified OpenID4VP 1.0 + mDoc implementation with reusable wallet/verifier modules so services share the same mDoc-ready flows with less duplication.
  • Implemented comprehensive mDoc handling (parsing, device authentication, validation) using kotlinx-serialization-cbor and waltid-cose.
  • Introduced mDoc namespace builders, typed namespace data, configurable JSON→CBOR translators and recursive mapping utilities so issuer payloads remain consistent and interoperable.
  • Fixed ISO 18013-7 profile handling issues and expanded mDoc tests and interop coverage (e.g., against external implementations) to stabilize mobile credential support.

COSE signatures, VICAL trust lists and certificate management

  • Released the waltid-cose library for creating and verifying COSE (CBOR Object Signing and Encryption) signatures on top of the multiplatform crypto stack and kotlinx-serialization.
  • Added the waltid-vical library for issuing and verifying VICAL (Verified Issuer Certificate Authority Lists) as defined in ISO/IEC 18013-5 to manage trusted issuer lists at scale.
  • Exposed VICAL verification and trust bootstrapping via Verifier2 /vical/fetch and /vical/validate endpoints, backed by shared VicalService and new test fixtures.
  • Introduced the VICAL Management Service and Registry so certificate artifacts can be fetched, validated, stored and reused as shared trust anchors across environments, and published waltid-cose/vical artifacts for external consumers.

SD-JWT VC issuance and verification hardening

  • Fixed SD-JWT VC encoding details (including the required trailing ~ and _sd_alg parameter) to align with the SD-JWT VC drafts and prevent invalid tokens.
  • Updated SD-JWT VC metadata handling to use draft-specific models, preserving custom parameters and aligning disclosure hashing with RFC 9901 so selective-disclosure proofs verify reliably.
  • Ensured inline JWKS and certificate chains (x5c) are decoded, persisted and transcoded correctly (e.g., PEM→base64 DER) to keep issuer keys usable across components.
  • Suppressed empty display entries, added missing SD-JWT VC end-to-end tests in the Community Stack and fixed sd_jwt_dc wallet credential parsing so SD-JWT-based credentials work end-to-end.

OIDC authentication and auth flow ergonomics

  • Re-engineered the OIDC auth method in waltid-ktor-authnz with dynamic discovery, multi-step session flows, explicit separation of in-progress vs authenticated state and external mapping lists to avoid stale mappings.
  • Added HTML-based redirect helpers (handleAuthSuccessAndRedirect) to avoid SameSite cookie drops, plus opt-in flags for advanced auth methods, redirect-after-login handling and safer token cookie management.
  • Standardized authentication exception handling for built-in methods (EmailPass, UserPass, LDAP, RADIUS, JWT, TOTP, Web3) using shared WebExceptions so clients receive clear HTTP responses instead of generic failures.
  • Extended configuration options for custom authentication methods (via the shared auth library), enabling on-prem deployments to plug in OIDC/LDAP/RADIUS while keeping Community Stack aligned with the same primitives.

Wallet keys, DIDs and user experience

  • Set secp256r1 as the default key type in the Web Wallet and allowed users to assign aliases when generating or importing keys, falling back to the key ID when no alias is provided.
  • Enabled wallets to reuse an existing default DID when none is explicitly provided in useOfferRequest flows and added endpoints to import DIDs into the OSS wallet.
  • Improved web wallet behavior by fixing vct parsing, upgrading frontend dependencies (Next.js, UnoCSS), stabilizing logout flows and scoping VP presentations correctly to wallet accounts.
  • Added optional stopwatch-style performance logging and carried out a community wallet performance analysis to simplify identifying slow operations.

Security and Compliance

  • Updated Ktor to 3.2.2 and bumped core dependencies such as Nimbus JOSE+JWT, BouncyCastle and Okio to their latest LTS variants.
  • Added THIRD-PARTY-NOTICE/NOTICE collateral and cleaned up security samples (e.g., removing hard-coded security tokens) to improve legal compliance and security posture.

Fixes & Improvements

Verification robustness, policies & sessions

  • Added an UNSUCCESSFUL verification session status and statusReason fields so OpenID4VP failures surface actionable error context to clients.
  • Introduced multiplatform credential-status policies and a status-list policy in verification-policies2 so revocation and status checks can be handled consistently across verifier2 and library consumers.
  • Exposed DCQL credential query metadata (e.g., type strings) so verifiers can render human-readable credential types in UI headers and logs.
  • Hardened presentation parsing and selective-disclosure logic to make verifier behavior more resilient to malformed or partially valid presentations.
  • Fixed response types supported in the OSS verifier API and corrected success/error redirect responses to be spec-compliant.
  • Corrected an error-message typo that could trigger a NullPointerException and refreshed Postman collections for critical flows.

Issuance, credentials & standards interoperability

  • Fixed credential-offer request URL generation across issuer services, refactoring handlers and cleaning up redundant test scaffolding to avoid broken issuance flows.
  • Updated issuer DID parsing in raw credential signing and corrected issues in ISO 18013-7 profile handling, including sign-token alg claim handling.
  • Added support for SD-JWT VC photo-id-vc, additional credential formats required by OID4VCI draft17 and a new TaxCredential type.
  • Improved alignment between Community Stack APIs and mobile SDKs/libraries (Issuer and Wallet APIs) to resolve compatibility issues observed with earlier Enterprise versions.
  • Enforced explicit credential formats in DCQL meta-serialization to align with the evolving DCQL spec and simplify test authoring.

Wallet, portal & mobile SDKs

  • Fixed wallet credential parsing issues (including sd_jwt_dc) so wallet ingestion works reliably across credential types and platforms (iOS/Android).
  • Updated the web wallet and portal to newer frontend libraries (Next.js, UnoCSS) and fixed assorted UI issues such as broken vct parsing and login/signup developer count display.
  • Improved logout flows, session management and redirect URLs after verification for the web wallet so users see consistent behavior across devices and flows.
  • Added default DID fallback behavior and DID import capabilities in the OSS wallet, reducing friction when reusing existing identities.

Runtime, storage & infrastructure

  • Added a runtime feature flag for integration tests, enabling more of the verifier runtime behavior to be exercised automatically.
  • Introduced an HTTP/HTTPS toggle for DID Web resolution so local testing can use HTTP resolvers while HTTPS remains the production default.
  • Adjusted stored credential structures to avoid $-prefixed keys that are rejected by certain MongoDB/DocumentDB variants, improving compatibility with managed databases.
  • Fixed docker-compose configurations and Ktor-based Docker image builds, and ensured dockerized issuer, verifier and wallet API services are available for easier deployment.
  • Disabled flaky integration tests (e.g., Entra, certain conformance suites, uniresolver did-cheqd) while tracking root causes to keep CI stable.

Docs, DX & CI/CD

  • Refreshed documentation across applications, libraries and protocols with consistent READMEs, updated community links (LinkedIn/Discord), quickstarts and deep dives for DCQL, verification policies, OpenID4VC(P), crypto stacks and CLI usage.
  • Added new docs for OIDC (including hardened Keycloak setups with PKCE and back-channel logout), VICAL, OpenID4VP verifier flows and verification policy wiring.
  • Introduced typed dev-mode configuration and klogging ConfigMaps so HTTP/HTTPS DID Web resolution and logging can be toggled centrally in development environments.
  • Updated CI/CD workflows (Gradle setup, conformance URLs, tunnel URL handling, compliance workflows, release/tagging pipelines, branch deployments) to be more robust and to ensure latest tags only move on releases.
  • Created a new waltid-integration-tests framework to replace legacy e2e tests and standardized test asserts across modules.
  • Added and refined GitHub Actions workflows for delete-namespace operations, dependency bumps, enterprise API builds and release automation to streamline the release process.

Miscellaneous fixes and housekeeping

  • Updated docker-compose version tags, versioning actions and deployment actions to keep local setups and CI configuration in sync.
  • Removed obsolete reporting modules, disabled outdated tests and cleaned up minor library dependencies and naming conventions.
  • Fixed various smaller issues such as broken links, test i...

v2025.1.0-PRE-RELEASE.7

28 Nov 15:08
89f2a99

Pre-release

v2025.1.0-PRE-RELEASE.7 (OSS)

Release date (UTC): 2025-11-28
Compare: v2025.1.0-PRE-RELEASE.6...v2025.1.0-PRE-RELEASE.7

Highlights

  • Hardened SD-JWT issuance and metadata handling with draft-specific models, correct x5c parsing, and RFC-accurate disclosure hashing (#1337, #1343, #1356, #1358, #1361).
  • Added explicit UNSUCCESSFUL verification session state plus idempotent issuer/verifier endpoints to avoid duplicate flows and clarify failures (#1338, #1347; aligned with enterprise #265).
  • Introduced the VICAL Management Service and Registry for reusable certificate artifacts, paired with enterprise delivery (#1309 / enterprise #221).
  • Expanded verifier runtime and deployment options with verifier2 dev deployments, dockerized issuer/verifier/wallet services, and runtime-enabled integration tests (#1341, #1348, #1327).
  • Developer experience upgrades: typed dev-mode toggles, klogging configmaps, and streamlined GitHub Actions/tagging for safer releases (#1335, #1344, #1333, #1334, #1336, #1340, #1349-#1353, #1363).
  • Compliance and dependency hygiene via THIRD-PARTY notice additions and JWT/BouncyCastle/Okio bumps (#1362, #1281, #1283, #1286).

Detailed updates

Auth & session flows

  • Added UNSUCCESSFUL verification status and reason fields so OpenID4VP failures surface actionable context (#1338).
  • Made create/issue/verification endpoints idempotent to prevent duplicate requests across issuer and verifier services, mirroring enterprise behavior (#1347, enterprise #265).
  • Corrected error messaging that could trigger an NPE and refreshed Postman coverage for critical flows (#1361, #1359).

SD-JWT, issuance & crypto

  • Split SD-JWT VC metadata into draft-specific models with preserved custom parameters for stricter validation (#1337).
  • Fixed SD-JWT issuance to decode x5c headers, persist inline JWKS correctly, and transcode PEM chains to base64 DER segments (#1343).
  • Brought disclosure hashing in line with RFC 9901 to keep selective-disclosure proofs verifiable (#1356).
  • Suppressed empty display entries in issued SD-JWT VCs to stay spec-aligned (#1358).
  • Repaired sd_jwt_dc wallet credential parsing to avoid ingest failures (#1277).
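
The disclosure-digest rule from RFC 9901 that #1356 refers to, as an added example (not walt.id code; the function names are hypothetical, the disclosure and JWT are constructed samples): the digest is taken over the base64url text of the disclosure exactly as received, never over decoded or re-serialized JSON. Issuer signature checking and extraction of the `_sd` digests from the payload are assumed to happen elsewhere, so the digests are passed in.

```kotlin
import java.security.MessageDigest
import java.util.Base64

private val b64url = Base64.getUrlEncoder().withoutPadding()

/** Maps the `_sd_alg` claim to a JCA name; an absent claim means sha-256. */
private fun jcaName(sdAlg: String?): String = when (sdAlg ?: "sha-256") {
    "sha-256" -> "SHA-256"
    "sha-384" -> "SHA-384"
    "sha-512" -> "SHA-512"
    else -> throw IllegalArgumentException("unsupported _sd_alg: $sdAlg")
}

/** Digest over the US-ASCII bytes of the disclosure as transmitted, base64url without padding. */
fun disclosureDigest(encodedDisclosure: String, sdAlg: String? = null): String =
    b64url.encodeToString(
        MessageDigest.getInstance(jcaName(sdAlg)).digest(encodedDisclosure.toByteArray(Charsets.US_ASCII))
    )

/** Disclosures sit between the issuer-signed JWT and the trailing (possibly empty) key-binding JWT. */
fun disclosuresOf(compactSdJwt: String): List<String> {
    val parts = compactSdJwt.split("~")
    require(parts.size >= 2) { "not an SD-JWT: no '~' separator" }
    return parts.subList(1, parts.size - 1)
}

/** Disclosures a verifier must reject: digest not in the signed payload, or the same disclosure sent twice. */
fun rejectedDisclosures(compactSdJwt: String, sdDigests: Set<String>, sdAlg: String? = null): List<String> {
    val seen = HashSet<String>()
    return disclosuresOf(compactSdJwt).filter { d ->
        val digest = disclosureDigest(d, sdAlg)
        digest !in sdDigests || !seen.add(digest)
    }
}

fun main() {
    // Constructed sample disclosure: [salt, claim name, claim value] as the "issuer" serialized it.
    val issuerJson = """["c2FsdC1mb3ItZGVtbw", "family_name", "Doe"]"""
    val disclosure = b64url.encodeToString(issuerJson.toByteArray(Charsets.UTF_8))
    val sdDigests = setOf(disclosureDigest(disclosure)) // stands in for the "_sd" array of the signed payload
    val jwt = "eyJhbGciOiJFUzI1NiJ9.e30.c2ln"          // placeholder issuer-signed JWT, signature not checked here

    println("rejected, as received: " + rejectedDisclosures("$jwt~$disclosure~", sdDigests).size)
    println("rejected, sent twice: " + rejectedDisclosures("$jwt~$disclosure~$disclosure~", sdDigests).size)

    // Failure mode: decoding and re-serializing the JSON (here without spaces) changes the
    // encoded text, so the recomputed digest no longer equals the one the issuer signed.
    val reencoded = b64url.encodeToString(
        """["c2FsdC1mb3ItZGVtbw","family_name","Doe"]""".toByteArray(Charsets.UTF_8)
    )
    println("rejected, re-serialized: " + rejectedDisclosures("$jwt~$reencoded~", sdDigests).size)

    // Failure mode: hashing the decoded JSON bytes instead of the base64url text.
    val overJson = b64url.encodeToString(
        MessageDigest.getInstance("SHA-256").digest(issuerJson.toByteArray(Charsets.UTF_8))
    )
    println("digest over decoded JSON is in _sd: " + (overJson in sdDigests))
}
```

A full verifier collects the digests from every `_sd` array and every array-element `...` entry in the signed payload before running this check.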

Verifier, policies & runtime

  • Shipped multiplatform credential-status policy support and a status-list policy in verification-policies2 (#1310, #1314).
  • Enabled the runtime feature for integration tests to exercise more verifier functionality (#1327).
  • Added dev deployment manifests for verifier2 and docker packaging for issuer, verifier, and wallet APIs to simplify rollout (#1341, #1348).
  • Delivered the VICAL Management Service/Registry for certificate lookup and reuse, coordinated with enterprise roll-out (#1309 / enterprise #221).

Platform, dev experience & CI

  • Introduced typed dev-mode configuration plus klogging configmaps to toggle HTTP/HTTPS DID Web resolution centrally (#1335, #1344).
  • Refreshed CI/CD with workflow_call hooks, dependency fixes, action version bumps, and safer tagging so latest tags only move on releases (#1333, #1334, #1336, #1340, #1349-#1353, #1363).
  • Added THIRD-PARTY-NOTICE/NOTICE collateral and updated JWT/BouncyCastle/Okio libraries for security posture (#1362, #1281, #1283, #1286).

PRs merged

| PR | Title | Author | Reviewer | Merged |
|---|---|---|---|---|
| #1277 | Cannot parse WalletCredential document for sd_jwt_dc | tdiesler | SuperBatata | 2025-11-07 |
| #1281 | build(deps): bump com.nimbusds:nimbus-jose-jwt from 10.0.1 to 10.0.2 in the gradle group across 1 directory | dependabot[bot] | waltkb | 2025-11-26 |
| #1283 | build(deps): bump org.bouncycastle:bcprov-lts8on from 2.73.8 to 2.73.9 | dependabot[bot] | waltkb | 2025-11-26 |
| #1286 | build(deps): bump com.squareup.okio:okio from 3.16.0 to 3.16.2 | dependabot[bot] | waltkb | 2025-11-26 |
| #1309 | Simple VICAL service: VICAL Management Service, VICAL Registry, Certificate Store | waltkb | waltkb | 2025-11-16 |
| #1310 | Credential-status policy multiplatform | mikeplotean | cursor[bot], philpotisk | 2025-11-07 |
| #1314 | Status-list policy in verification-policies2 | mikeplotean | philpotisk | 2025-11-07 |
| #1327 | Enable 'runtime' feature for integration tests | hokorn | | 2025-11-07 |
| #1333 | chore: Added workflow_call to delete-namespace.yml | dinkar-jain | mikeplotean | 2025-11-10 |
| #1334 | fix: Removed input dependency | dinkar-jain | philpotisk | 2025-11-10 |
| #1335 | Dev mode | philpotisk | chatgpt-codex-connector[bot], mikeplotean, philpotisk, waltkb | 2025-11-14 |
| #1336 | chore: Github action version update | dinkar-jain | philpotisk | 2025-11-12 |
| #1337 | WAL-293 Part 1 OSS Developments | cpatsonakis | chsavvaidis | 2025-11-13 |
| #1338 | refactor: update session status to UNSUCCESSFUL and add statusReason … | SuperBatata | philpotisk | 2025-11-18 |
| #1340 | chore: Removed jlumbroso/free-disk-space@v1.3.1 | dinkar-jain | philpotisk | 2025-11-13 |
| #1341 | feat: Added deployment-dev for verifier2 | dinkar-jain | philpotisk | 2025-11-17 |
| #1343 | Feature/wal 294: SD-JWT VC OSS Issuance Fixes | cpatsonakis | chsavvaidis | 2025-11-18 |
| #1344 | chore: Added dev-klogging configmaps | dinkar-jain | philpotisk | 2025-11-20 |
| #1347 | Feat: WAL-306 Idempotency of some enterprise service endpoints | hokorn | philpotisk | 2025-11-24 |
| #1348 | feat: Added docker files for the issuer, verifier and wallet API | dinkar-jain | dinkar-jain, mikeplotean | 2025-11-24 |
| #1349 | build(deps): bump walt-id/waltid-identity/.github/workflows/docker.yml from 69b0349 to 8fcefa7 | dependabot[bot] | dinkar-jain | 2025-11-24 |
| #1350 | build(deps): bump walt-id/waltid-identity/.github/workflows/deployment.yml from 1.0.2508201203.pre.chore.pre.tag.pre.replacement to 1.2312081150.0 | dependabot[bot] | dinkar-jain | 2025-11-24 |
| #1351 | build(deps): bump walt-id/waltid-identity/.github/workflows/enterprise-tag.yml from 70e59bb to 8fcefa7 | dependabot[bot] | dinkar-jain | 2025-11-24 |
| #1352 | build(deps): bump actions/checkout from 5 to 6 | dependabot[bot] | dinkar-jain | 2025-11-24 |
| #1353 | build(deps): bump walt-id/waltid-identity/.github/workflows/tag.yml from 70e59bb to 8fcefa7 | dependabot[bot] | dinkar-jain | 2025-11-24 |
| #1356 | Bug/incorrect disclosure hash | Adelrisk | waltkb | 2025-11-26 |
| #1358 | WAL-295 OSS Changes | cpatsonakis | SuperBatata | 2025-11-26 |
| #1359 | Fix/postman tests | dinkar-jain | philpotisk | 2025-11-26 |
| #1361 | fix: typo in error msg causing NPE | cpatsonakis | chsavvaidis | 2025-11-26 |
| #1362 | THIRD-PARTY-NOTICE.md added | philpotisk | hokorn | 2025-11-28 |
| #1363 | Override latest tag only with release in OSS | dinkar-jain | philpotisk | 2025-11-27 |

What’s Changed

  • Cannot parse WalletCredential document for sd_jwt_dc (#1277) by @tdiesler
  • build(deps): bump com.nimbusds:nimbus-jose-jwt from 10.0.1 to 10.0.2 in the gradle group across 1 directory (#1281) by @dependabot[bot]
  • build(deps): bump org.bouncycastle:bcprov-lts8on from 2.73.8 to 2.73.9 (#1283) by @dependabot[bot]
  • build(deps): bump com.squareup.okio:okio from 3.16.0 to 3.16.2 (#1286) by @dependabot[bot]
  • Simple VICAL service: VICAL Management Service, VICAL Registry, Certificate Store (#1309) by @waltkb
  • Credential-status policy multiplatform (#1310) by @mikeplotean
  • Status-list policy in verification-policies2 (#1314) by @mikeplotean
  • Enable 'runtime' feature for integration tests (#1327) by @hokorn
  • chore: Added workflow_call to delete-names...

v2025.1.0-PRE-RELEASE.6

07 Nov 10:42
63255c9

Pre-release

waltid-identity v2025.1.0-PRE-RELEASE.6

Release date: 2025-11-07
Comparison: v2025.1.0-PRE-RELEASE.5...v2025.1.0-PRE-RELEASE.6

Highlights

  • End-to-end OIDC overhaul (#1312): Re-engineered the Ktor AuthNZ OIDC method with dynamic discovery, multi-step session flows, front- and back-channel logout support, safer token handling and a new HTML redirect helper, plus an installation guide for hardened Keycloak setups.
  • Policy and verifier hardening (#1302, #1315, #1313): Added a VP-level policy to require multiple credential types in one presentation, fixed SD-JWT VC x5c key parsing, and surfaced DCQL credential metadata so enterprise verifiers can render richer headers.
  • Credential runtime resilience (#1308, #1323, #1316): Improved authentication exception propagation, patched MongoDB/DocumentDB incompatibilities with $-prefixed fields, and introduced an HTTP/HTTPS toggle for DID Web so local wallets mirror production behavior.
  • Crypto foundation upgrade (#1321): Delivered the new crypto2 hash/digest API for JVM with JCA-backed factories, deterministic vector tests and concurrency stress suites to ensure consistent hashing across platforms.
  • Developer experience & docs (#1318, #1326, #1325, #1324, #1320, #1317, #1306): Rewrote the entire README set for every library/application, removed outdated security token examples, and stabilized CI by parameterizing the Gradle setup action, updating conformance endpoints, improving GitHub Action tunnel handling and disabling flaky suites when needed.

Detailed updates

Authentication and session flows

  • OIDC auth method revamp (#1312): Session data now distinguishes in-progress steps from authenticated state, external mapping lists prevent stale mappings, and handleAuthSuccessAndRedirect returns HTML-based redirects to avoid SameSite cookie drops. Added opt-in flags for intricate auth methods, redirectAfterLogin, improved token cookie handling, and comprehensive docs (docs/oidc.md) on wiring Keycloak with PKCE + back-channel logout.
  • Auth exception ergonomics (#1308): Standardized exception surfaces across all built-in authentication methods (EmailPass, UserPass, LDAP, RADIUS, JWT, TOTP, Web3) and introduced reusable WebExceptions helpers so API clients receive actionable HTTP responses instead of generic failures.

Verifier, credential and policy enhancements

  • DCQL metadata parity (#1313): Credential query metadata models now expose getTypeString() so verifiers can present human-readable credential types, addressing WAL-262.
  • VP-level credential requirements (#1302): Introduced VpRequiredCredentialsPolicy allowing verifiers to demand a gx:LegalPerson credential plus a specific Legal Registration Number (VAT/EORI/LEI) within the same presentation; OpenAPI documentation and examples describe how to enable it.
  • SD-JWT VC signature fix (#1315): Ensured issuer keys are parsed correctly from x5c headers to avoid false negatives when enforcing SD-JWT VC signature policies.

Wallet, DID and runtime improvements

  • DID Web local testing (#1316): Runtime configs (webwallet, integration tests) can now opt into HTTP DID Web resolution, making it easier to spin up local resolvers without TLS while keeping HTTPS defaulted for production.
  • Mongo/DocumentDB compatibility (#1323): Adjusted stored credential structures to avoid $-prefixed keys that older MongoDB variants reject, resolving failures reported by DocumentDB deployments.

Cryptography

  • Hasher/digest API for JVM (#1321): Added platform-neutral hashing manifests, vector suites (SHA-2/SHA-3 families), concurrency tests and JCA-backed implementations, unlocking deterministic hashing with extensive coverage for future crypto2 work.

Documentation, security and CI/CD

  • Repository-wide documentation refresh (#1318): Every application, library and protocol README shares a consistent structure, updated community links (LinkedIn/Discord), clearer quickstarts and new deep dives for DCQL, verification policies, OpenID4VC(P), crypto stacks and CLI usage.
  • Security sample cleanup (#1326): Removed lingering hard-coded security token examples and aligned test class names with Kotlin conventions.
  • GitHub Actions robustness (#1325, #1324, #1320, #1317, #1306): Gradle setup now accepts a path to local wrappers, conformance runners point to the latest URLs, tunnel URL handling is fixed for self-hosted runners, optional suites can be toggled off during incidents, and compliance workflows received dependency tweaks.

Pull requests included

| PR | Title | Author | Reviewer | Merged |
|---|---|---|---|---|
| #1318 | Better readmes | JakeFernandes | philpotisk | 2025-11-06 |
| #1312 | waltid-ktor-authnz OIDC | waltkb | philpotisk | 2025-11-06 |
| #1313 | feature/wal-262 | waltkb | philpotisk | 2025-11-06 |
| #1326 | Remove security token examples | philpotisk | waltkb | 2025-11-06 |
| #1325 | Updated gradle-setup action to accept location as input | Dinkar Jain | mikeplotean | 2025-11-06 |
| #1321 | feat: crypto2 hasher digest jvm implementation | cpatsonakis | mikeplotean | 2025-11-06 |
| #1324 | chore: ConformanceTests URLs update | dinkar-jain | philpotisk | 2025-11-06 |
| #1316 | HTTPs toggle for DID Web resolution | philpotisk | philpotisk | 2025-11-06 |
| #1323 | Fix MongoDB dollar prefix issue | waltkb | philpotisk | 2025-11-06 |
| #1320 | fix: Tunnel URL handling | Dinkar Jain | philpotisk | 2025-11-05 |
| #1317 | fix/disable conformance | Dinkar Jain | JakeFernandes | 2025-11-05 |
| #1315 | fix: issuer key parsing from x5c header in sd jwt vc signature policy | cpatsonakis | mikeplotean | 2025-11-04 |
| #1308 | Feature/wal 192- improve the auth exception | Khaled Battiche | philpotisk | 2025-10-31 |
| #1302 | Feature/wal 263 : Implement a new VP-level policy to enforce required credentials in a presentation | Khaled Battiche | mikeplotean | 2025-10-30 |
| #1306 | Fix/Complaince-CI-CD | waltkb | philpotisk | 2025-10-30 |
| #1310 | Credential-status policy multiplatform | mikeplotean | philpotisk | 2025-10-30 |
| #1314 | Status-list policy in verification-policies2 | mikeplotean | philpotisk | 2025-10-30 |

Full Changelog: v2025.1.0-PRE-RELEASE.5...v2025.1.0-PRE-RELEASE.6

v2025.1.0-PRE-RELEASE.5

29 Oct 17:16

Pre-release

This drop pushes the OpenID4VP stack closer to production readiness. We automated end-to-end conformance checks, hardened VICAL trust management, improved wallet authentication flows, and laid groundwork for future crypto primitives.


🤝 Automated OpenID4VP Conformance Runs

The new waltid-openid4vp-conformance-runners service remote-controls the official OpenID Foundation suite. It spins up Verifier2, provisions SD-JWT VC and ISO mdoc test plans, drives the presentation flow, and asserts both OIDF results and internal session state. We wired the runner into CI (.github/workflows/gradle.yml) so regressions surface before they reach production.

fun main() {
    ConformanceTestRunner(
        verifier2UrlPrefix = "https://verifier2.localhost/verification-session",
        conformanceHost = "conformance.waltid.cloud",
        conformancePort = 443
    ).run()
}

Run it locally with ./gradlew :waltid-services:waltid-openid4vp-conformance-runners:run and adjust the host/port when driving your own conformance suite instance.


🛡️ VICAL Trust Management APIs

VICAL verification matured across the stack: the policy now validates certificate chains with optional system anchors, docType filtering, and revocation toggles, while Verifier2 gained /vical/fetch and /vical/validate endpoints for automation-ready trust bootstrapping.

curl -X POST "$VERIFIER_BASE/vical/validate" \
  -H "Content-Type: application/json" \
  -d '{
    "vicalBase64": "...",
    "verificationKey": {
      "type": "jwk",
      "jwk": {
        "kty": "EC",
        "crv": "P-256",
        "x": "5n7yVdsDcdYRBAzb78_-6iAjpXCrIHId6qdJ7wwg1lE",
        "y": "EFp0x5hbusr51g61xDoL9Y1nlVUqFZGBcSdsuBsjizM"
      }
    }
  }'

Assuming $VERIFIER_BASE points to your Verifier2 instance, these APIs use the shared VicalService and new test fixtures so you can fetch AAMVA or Austroads lists, validate them, and plug the anchors directly into policy evaluation.


🔐 Wallet Experience & Authentication Hardening

Wallet users can now name keys when they generate or import them, and the UI falls back to the key kid when no alias is provided. The auth stack gained Valkey-backed session stores, deterministic logout flows, and fixes that keep VP presentations scoped to a wallet account. Optional stopwatch logging makes performance investigations in the community wallet far easier.


📌 Additional Improvements

  • DCQL meta serialization now enforces explicit credential formats, aligning with the latest spec and simplifying test authoring.
  • Branch deployment workflows and the compliance CI integration keep preview environments and conformance runs in sync with each PR.
  • Verifier callbacks, integration tests, and conformance hosts were updated to mirror production endpoints while remaining toggleable for local runs.
  • Documentation for VICAL and verification policies received a cleanup so integrators can wire the new features without guesswork.

2025.1:

Here's a look at what's new in our latest update! We've been busy aligning with major industry
standards and building powerful new tools to make your life easier.


🚀 Major Upgrade: Our New OpenID4VP Verifier Service

The digital identity world is buzzing, and for good reason: OpenID for Verifiable Presentations
(OpenID4VP) 1.0 has officially been released! 🥳

This isn't just a minor update; versions from draft 28 onwards represent a complete overhaul of the
specification. The old approach, which relied on Presentation Exchange (PEX), is gone. The new
standard is now built on the powerful and flexible Digital Credentials Query Language (DCQL).

To support this massive shift, we've built a brand-new Verifier service within our Enterprise
stack. This includes a completely re-designed REST API to give you a modern, streamlined experience
for handling verifiable presentations.

Get Started

You can create a new verification session by sending a POST request to
/v1/{target}/verifier2-service-api/verification-session/create with your DCQL query.

{
  "dcql_query": {
    "credentials": [
      {
        "id": "pid",
        "format": "dc+sd-jwt",
        "meta": {
          "vct_values": ["https://org1.enterprise.waltid.cloud/v1/org1.issuer/issuer-service-api/openid4vc/draft13/identity_credential"]
        },
        "claims": [
          { "path": [ "given_name" ] },
          { "path": [ "family_name" ] },
          { "path": [ "address", "street_address" ] }
        ]
      }
    ]
  },
  "policies": {
    "vc_policies": [ "signature", "expiration" ],
    "vp_policies": [ "signature", "holder_binding" ]
  }
}

🔧 New Tool in the Box: waltid-cose for COSE Signatures

We're excited to introduce waltid-cose, a simple and powerful new library for handling COSE (CBOR
Object Signing and Encryption). It's perfect for managing credential signatures and is built on our
multiplatform waltid-crypto library and kotlinx-serialization.

Here's how easy it is to sign and verify data:

Sign Data

val signer = key.toCoseSigner() // your key
val signed = CoseSign1.createAndSign(
    protectedHeaders = protectedHeaders,
    unprotectedHeaders = unprotectedHeaders,
    payload = payload,
    signer = signer,
    externalAad = externalAad
)

val signedHex: String = signed.toTagged().toHexString()

println(signedHex) // d28443a10126a1044231315454...

Verify Signature

val signedHex = "d28443a10126a1044231315454..."

val coseSign1 = CoseSign1.fromTagged(signedHex) // provide signature as hex string or ByteArray

val verifier = key.toCoseVerifier()
val verified: Boolean = coseSign1.verify(verifier, externalAad)

println(verified) // true / false

✅ Trust at Scale: Introducing the VICAL Library

Building on our new COSE library, we're also releasing waltid-vical, a library for issuing and
verifying VICAL (Verified Issuer Certificate Authority Lists). VICAL, defined in the ISO/IEC 18013-5
standard for mobile Driver's Licenses (mDL), provides a standardized way to trust and manage lists
of authorized credential issuers.

Here's a quick example showing how to verify the AAMVA (American Association of Motor Vehicle
Administrators) VICAL and list its allowed issuers.

/* -- Decode the VICAL file -- */
val rawFile: ByteArray = readFile("vicals/aamva.cbor").readBytes()

val vical = Vical.decode(rawFile)

/* -- Verify the VICAL Signature -- */

// 1. Extract the signer's certificate from the VICAL header
val x5Chain = vical.coseSign1.unprotected.x5chain
requireNotNull(x5Chain) { "Signer certificate chain (x5chain) not found in header." }
val signerCertificate = x5Chain.first().rawBytes // select a certificate to verify

// 2. Import the certificate as a key that can be used for verification
val signerKey = JWKKey.importFromDerCertificate(signerCertificate).getOrThrow()

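// 3. Verify the signature
// Note: the key comes from the VICAL's own header, so this proves integrity only;
// trust requires validating the signer certificate against an anchor you already trust.
val isSignatureValid: Boolean = vical.verify(signerKey.toCoseVerifier())
println(isSignatureValid) // true/false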

/* -- List allowed issuers -- */
val allowedIssuers = vical.vicalData.getAllAllowedIssuers().entries
allowedIssuers.forEachIndexed { idx, (certificateInfo, certKeyResult) ->
    println("--- ${idx + 1}: Certificate key for: ${certificateInfo.issuingAuthority}")
    val certKey = certKeyResult.getOrNull()
    println("Key: $certKeyResult (${certKey?.getKeyId() ?: "Error"})")
}
println("Allowed issuers per this VICAL: ${allowedIssuers.size}")

🔐 Custom authentication methods (Enterprise feature)

For on-prem deployments of the Enterprise stacks, you can now configure custom authentication
methods to be used. This feature is based on the multiplatform waltid-ktor-authnz library.

This library provides various authentication methods to choose from besides email/username +
password, including OIDC, LDAP and RADIUS.

To get started using this feature, edit your auth.conf configuration file to set the
authentication flow:

# Configure the Auth Flow (refer to: waltid-ktor-authnz)
authFlow = {
    method: radius
    config: {
        radiusServerHost: "localhost"
        radiusServerPort: 1812
        radiusServerSecret: "testing123" # sample value: use your RADIUS server's shared secret
    }
    expiration: "7d" # optional: Set expiration time for login tokens, e.g. a week
    ok: true # Auth flow ends successfully with this step
}

Just like that, users can now authenticate against POST /auth/account/radius with their RADIUS
credentials.
