@shitrerohit shitrerohit commented Jan 27, 2026

What?

Made changes to the OID4VC issuance workflow required for Credo 6.1 version support.

How?

  • Added a new keyId column to the x509_certificates table
  • Updated the logic for generating claims for the offer creation payload
  • Made other required changes to generate the payload

Summary by CodeRabbit

  • New Features

    • Added key identifier support for certificate tracking and management.
  • Refactor

    • Updated credential format references to align with standardized naming conventions.
    • Standardized cryptographic key type representations for consistency across the system.
    • Restructured credential metadata organization for improved clarity and accessibility.

Signed-off-by: shitrerohit <rohit.shitre@ayanworks.com>
@shitrerohit shitrerohit self-assigned this Jan 27, 2026
coderabbitai bot commented Jan 27, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

This pull request introduces keyId support throughout the X.509 certificate and OID4VC issuance stack, updates credential format references from "vc+sd-jwt" to "dc+sd-jwt", refactors credential claim handling from nested objects to a generator-based approach, and canonicalizes key type enum values across the platform.

Changes

| Cohort / File(s) | Change Summary |
|---|---|
| API Metadata Updates: apps/api-gateway/src/oid4vc-issuance/dtos/oid4vc-issuer-template.dto.ts | Updated metadata descriptions and examples to reference "dc+sd-jwt" instead of "vc+sd-jwt" in MdocTemplateDto, SdJwtTemplateDto, and CreateCredentialTemplateDto |
| Core Type & Constant Updates: apps/oid4vc-issuance/constant/issuance.ts, apps/oid4vc-issuance/interfaces/oid4vc-issuance.interfaces.ts | Restructured accessTokenSignerKeyType from simple string literal to object shape { kty: 'OKP'; crv: 'Ed25519' }; updated credential_signing_alg_values_supported to accept string[] \| number[]; canonicalized AccessTokenSignerKeyType.ED25519 enum value from 'ed25519' to 'Ed25519' |
| Signer & Session Interfaces: apps/oid4vc-issuance/interfaces/oid4vc-issuer-sessions.interfaces.ts | Added optional keyId?: string property to ISignerOption interface |
| Format & Credential Mapping: apps/oid4vc-issuance/libs/helpers/credential-sessions.builder.ts | Updated mapDbFormatToApiFormat SdJwtVc detection to reference 'dc+sd-jwt' instead of 'vc+sd-jwt' |
| Credential Metadata Refactoring: apps/oid4vc-issuance/libs/helpers/issuer.metadata.ts | Reworked claims from nested object model to generator-based array approach; introduced credential_metadata field containing claims and display arrays on SD-JWT and MDOC configs; separated algorithm and binding constants per format; updated buildClaimsFromTemplate and buildCredentialConfigurationsSupported workflows |
| OID4VC Service Implementation: apps/oid4vc-issuance/src/oid4vc-issuance.service.ts | Added keyId field sourced from activeCertificate.keyId to X5C signer options in createOidcCredentialOffer |
| X.509 Certificate Interface: apps/x509/src/interfaces/x509.interface.ts | Added optional keyId?: string property to CreateX509CertificateEntity interface |
| X.509 Repository & Service: apps/x509/src/repositories/x509.repository.ts, apps/x509/src/x509.service.ts | Propagated keyId from request payload through certificate creation/import workflows; updated key validation source from publicKey to publicJwk; changed date extraction to use ASN.1 tbsCertificate.validity fields; updated keyType references to use canonical crv values |
| X.509 Record Model: libs/common/src/interfaces/x509.interface.ts | Added keyId: string property to X509CertificateRecord interface |
| Enum Canonicalization: libs/enum/src/enum.ts | Canonicalized x5cKeyType enum values: Ed25519 from 'ed25519' to 'Ed25519', P256 from 'p256' to 'P-256'; updated CredentialFormat.SdJwtVc from 'vc+sd-jwt' to 'dc+sd-jwt' |
| Database Schema & Migration: libs/prisma-service/prisma/schema.prisma, libs/prisma-service/prisma/migrations/.../migration.sql | Added optional keyId: String? column to x509_certificates model via migration |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

Suggested labels

feature

Suggested reviewers

  • RinkalBhojani
  • tipusinghaw
  • GHkrishna

Poem

🐰 A keyId hops through the X.509 warren,
Claims now dance in arrays, no longer a tarron,
Format strings shift to "dc+sd-jwt"'s call,
Canonicalized keys stand proud and tall,
The credential stack hops forward, metadata in hand! 🌟

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Title check | ✅ Passed | The PR title accurately summarizes the main objective: updating OID4VC issuance workflow for Credo-0.6.x compatibility. It aligns with the substantive changes across database schema, interfaces, constants, and service implementations. |


@shitrerohit
Contributor Author

@coderabbitai review

coderabbitai bot commented Jan 27, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
apps/oid4vc-issuance/interfaces/oid4vc-issuance.interfaces.ts (1)

93-98: Remove unused accessTokenSignerKeyType field from IssuerUpdation.

The accessTokenSignerKeyType property in IssuerUpdation is declared but never used in the update flow—it's absent from IssuerUpdationDto, not extracted in the service, and not persisted in the repository. This creates dead code. If this field should support updates to the token signer configuration, align it with IssuerCreation by making it optional with the object type { kty: string; crv: string }. Otherwise, remove it entirely to eliminate confusion.

Note: Line 96 also has an incomplete type annotation on display; that should be corrected.

🤖 Fix all issues with AI agents
In `@apps/oid4vc-issuance/constant/issuance.ts`:
- Around line 5-8: The accessTokenSignerKeyType constant uses { kty: 'OKP', crv:
'Ed25519' } but other modules expect 'ed25519' and there are three conflicting
AccessTokenSignerKeyType enums; pick a single canonical enum value (either
'Ed25519' or 'ed25519'), update all enum definitions (including in
oid4vc-issuance/interfaces/oid4vc-issuance.interfaces.ts and api-gateway dto),
and change the constant accessTokenSignerKeyType to use the exact string/format
that matches that canonical enum (or replace the duplicate enums with a single
exported enum shared across modules) so the cast to AccessTokenSignerKeyType is
type-correct and all modules share the same value and casing.

In `@apps/oid4vc-issuance/libs/helpers/credential-sessions.builder.ts`:
- Around line 136-140: The function mapDbFormatToApiFormat is dropping legacy
"vc+sd-jwt" representations causing DB rows or missing formats to throw; update
mapDbFormatToApiFormat to recognize and normalize legacy variants (e.g.,
"vc+sd-jwt") to CredentialFormat.SdJwtVc or, alternatively, change the default
mapping site that falls back to "vc+sd-jwt" to a supported value — specifically,
add "vc+sd-jwt" to the normalized checks in mapDbFormatToApiFormat and ensure
the code path that currently defaults to "vc+sd-jwt" (the default mapping usage)
is updated to use CredentialFormat.SdJwtVc so existing rows continue to resolve
without migration.

In `@libs/common/src/interfaces/x509.interface.ts`:
- Line 216: The property keyId on the X.509 interface is declared as a required
string but must be optional to match the Prisma schema; update the interface
property declaration from keyId: string to keyId?: string (in the interface that
declares the X.509 certificate fields), then fix any places that assume it is
always present (add null/undefined guards or optional chaining where the code
accesses keyId) and run type checks/tests to ensure no other type errors remain.

In `@libs/enum/src/enum.ts`:
- Around line 288-291: The x5cKeyType enum was changed from legacy literal
strings which will break persisted data and clients; restore backward
compatibility by adding legacy aliases or a compatibility mapping (e.g., accept
old strings in parsing/serialization code that handles x5cKeyType and map them
to the new enum values), implement a one-time data migration script to update
persisted records to the new values, update any (de)serializer functions and
validation logic to handle both old and new strings, and add tests and docs
noting the deprecation and the mapping; search for x5cKeyType (and the similar
enum referenced at lines ~321-323) to apply the same compatibility changes.
🧹 Nitpick comments (5)
libs/prisma-service/prisma/migrations/20260119085820_added_key_id_in_x509_certificates_table/migration.sql (1)

1-2: Consider indexing/uniqueness for keyId if it’s used for lookups.
If keyId becomes a lookup key or unique identifier, adding an index (or unique constraint) will prevent duplicate data and speed queries.

apps/x509/src/x509.service.ts (1)

176-177: Consider handling generalizedTime in addition to utcTime.

X.509 certificates use utcTime for dates before 2050 and generalizedTime for dates from 2050 onwards. Accessing only .utcTime may fail for certificates with validity extending beyond 2050.

Proposed defensive approach
-      const validFrom = new Date(decodedCert.asn.tbsCertificate.validity.notBefore.utcTime);
-      const expiry = new Date(decodedCert.asn.tbsCertificate.validity.notAfter.utcTime);
+      const notBefore = decodedCert.asn.tbsCertificate.validity.notBefore;
+      const notAfter = decodedCert.asn.tbsCertificate.validity.notAfter;
+      const validFrom = new Date(notBefore.utcTime ?? notBefore.generalizedTime);
+      const expiry = new Date(notAfter.utcTime ?? notAfter.generalizedTime);
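Review bot: On the two new Date(... ?? ...) lines, a validity field with neither utcTime nor generalizedTime set passes undefined to the constructor, which yields an Invalid Date instead of throwing, so validFrom and expiry can be stored or compared as NaN. Check Number.isNaN(validFrom.getTime()) and Number.isNaN(expiry.getTime()) right after construction and reject the certificate with an explicit error.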
apps/oid4vc-issuance/libs/helpers/issuer.metadata.ts (3)

247-304: Remove commented-out code.

This large block of commented-out code (buildNestedClaims, generateObjects) should be removed rather than left in the codebase. Dead code clutters the file and can cause confusion for future maintainers. If needed for reference, Git history preserves the old implementation.


305-334: Consider adding a type for attributes parameter.

The any[] type for attributes reduces type safety. Consider defining or importing a proper type (e.g., CredentialAttribute[]) to improve maintainability and catch errors at compile time.

♻️ Suggested improvement
-// eslint-disable-next-line `@typescript-eslint/no-explicit-any`
-function generateClaims(attributes: any[], namespace?: string, parentPath: string[] = []): Claim[] {
+import { CredentialAttribute } from 'apps/oid4vc-issuance/interfaces/oid4vc-template.interfaces';
+
+function generateClaims(attributes: CredentialAttribute[], namespace?: string, parentPath: string[] = []): Claim[] {
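Review bot: The added import line sits directly above generateClaims, in the position the removed eslint-disable comment occupied, so applied literally it lands mid-file; move it into the import block at the top of issuer.metadata.ts. Also confirm that the root-relative path 'apps/oid4vc-issuance/interfaces/oid4vc-template.interfaces' resolves from this file and that CredentialAttribute is exported there before dropping the any[] type.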

341-359: Simplify return type to Claim[].

The return type Record<string, Claim> | Claim[] is misleading since both code paths (MDOC and SD-JWT) now return Claim[]. The Record<string, Claim> appears to be a remnant from the removed buildNestedClaims implementation.

♻️ Suggested fix
-function buildClaimsFromTemplate(template: SdJwtTemplate | MdocTemplate): Record<string, Claim> | Claim[] {
+function buildClaimsFromTemplate(template: SdJwtTemplate | MdocTemplate): Claim[] {
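
The UTCTime/GeneralizedTime split described in the x509.service.ts nitpick above, as an added TypeScript example that is not code from the PR or the project: it decodes both encodings and rejects a missing or malformed time instead of letting an Invalid Date through. X509Time, parseX509Time and checkValidity are illustrative names, and the fields are assumed to hold raw ASN.1 time strings rather than already-decoded Date objects.

```typescript
// Added example: RFC 5280 (section 4.1.2.5) validity times. Names are illustrative.
// Assumption: each field carries the raw ASN.1 time string, not a decoded Date.
type X509Time = { utcTime?: string; generalizedTime?: string };

const UTC_TIME = /^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$/; // YYMMDDHHMMSSZ
const GENERALIZED_TIME = /^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$/; // YYYYMMDDHHMMSSZ

function parseX509Time(t: X509Time): Date {
  const utc = t.utcTime === undefined ? null : UTC_TIME.exec(t.utcTime);
  const gen = t.generalizedTime === undefined ? null : GENERALIZED_TIME.exec(t.generalizedTime);
  const m = utc ?? gen;
  if (m === null) {
    throw new Error('validity time is neither a UTCTime nor a GeneralizedTime');
  }
  const n = (i: number): number => Number(m[i]);
  // UTCTime has a two-digit year: 50-99 means 19YY, 00-49 means 20YY.
  const year = utc !== null ? (n(1) >= 50 ? 1900 + n(1) : 2000 + n(1)) : n(1);
  const date = new Date(Date.UTC(year, n(2) - 1, n(3), n(4), n(5), n(6)));
  // Date.UTC rolls out-of-range fields over (month 13, day 32); reject instead.
  const roundTrip = [date.getUTCFullYear(), date.getUTCMonth() + 1, date.getUTCDate(),
    date.getUTCHours(), date.getUTCMinutes(), date.getUTCSeconds()];
  if ([year, n(2), n(3), n(4), n(5), n(6)].some((v, i) => v !== roundTrip[i])) {
    throw new Error('validity time has an out-of-range field');
  }
  return date;
}

function checkValidity(notBefore: X509Time, notAfter: X509Time, now: Date):
  { validFrom: Date; expiry: Date; current: boolean } {
  const validFrom = parseX509Time(notBefore);
  const expiry = parseX509Time(notAfter);
  if (validFrom.getTime() > expiry.getTime()) {
    throw new Error('notBefore is later than notAfter');
  }
  const current = now.getTime() >= validFrom.getTime() && now.getTime() <= expiry.getTime();
  return { validFrom, expiry, current };
}

// Constructed sample: notBefore as UTCTime, notAfter (past 2049) as GeneralizedTime.
const sample = checkValidity({ utcTime: '260127000000Z' }, { generalizedTime: '20510127000000Z' },
  new Date('2026-06-01T00:00:00Z'));
console.log(sample.validFrom.toISOString(), sample.expiry.toISOString(), sample.current);
```
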

Signed-off-by: shitrerohit <rohit.shitre@ayanworks.com>
@GHkrishna GHkrishna changed the title Feat/credo6.1 version upgradation changes feat: credo version upgrade to 0.6.x Jan 27, 2026
@GHkrishna GHkrishna changed the title feat: credo version upgrade to 0.6.x feat: changes to the OID4VC issuance workflow required for Credo-0.6.x Jan 27, 2026
*/
function buildNestedClaims(attributes: CredentialAttribute[]): Record<string, Claim> {
const claims: Record<string, Claim> = {};
// function buildNestedClaims(attributes: CredentialAttribute[]): Record<string, Claim> {
Contributor

Can we remove this commented code?

Signed-off-by: shitrerohit <rohit.shitre@ayanworks.com>
feat: update codebase for Credo 6.1 compatibility
@shitrerohit shitrerohit merged commit e6e69a3 into feat/credo6.1-version-upgradation Jan 31, 2026
5 checks passed