
[INJIVER-1369] using com.authlete:cbor libray and add the unit tests#219

Merged
mayuradesh merged 3 commits into inji:develop from tw-mosip:injiver-1369-lib on Jan 16, 2026

Conversation

@jaswanthkumartw jaswanthkumartw commented Jan 16, 2026

Summary by CodeRabbit

  • Dependencies

    • Added a CBOR/COSE library to support CBOR-based signature parsing and verification.
  • Improvements

    • Switched token verification to a CBOR/COSE parsing and verification flow for more robust signature handling and clearer error reporting.
  • Tests

    • Added tests and fixtures for EC-signed tokens (valid and invalid) plus mocked JWKS endpoints to validate verification behavior.


Signed-off-by: jaswanthkumarpolisetty <jaswanthkumar.p@thoughtworks.com>
coderabbitai bot commented Jan 16, 2026

Walkthrough

Adds Authlete CBOR dependency, updates CwtVerifier to parse and verify COSE_Sign1 via Authlete CBOR/COSEVerifier, and introduces unit tests plus JWKS and hex fixtures for EC-CWT verification scenarios.

Changes

  • Dependency management (vc-verifier/kotlin/gradle/libs.versions.toml, vc-verifier/kotlin/vcverifier/build.gradle.kts): Added version authleteCbor = "1.19" and library alias authlete-cbor; added implementation(libs.authlete.cbor) to the module build file.
  • CWT verification logic (vc-verifier/kotlin/vcverifier/src/main/java/.../CwtVerifier.kt): Replaced the prior COSEObject/Sign1 flow with parseCoseSign1 using CBORDecoder/CBORTaggedItem and verification via COSEVerifier; adjusted issuer JWKS URL construction and refined signature error handling.
  • Unit tests (vc-verifier/kotlin/vcverifier/src/test/java/.../CwtVerifierTest.kt): Activated the test class (@TestInstance(PER_CLASS)), added @BeforeAll setup to mock JWKS endpoints, and added tests for valid and invalid EC-signed CWT verification.
  • Test fixtures (vc-verifier/kotlin/vcverifier/src/test/resources/cwt_vc/*): Added valid-ec-cwt.hex, invalid-ec-cwt.hex, and the JWKS fixtures public_key/jwksECkey.json and public_key/jwksinvalidECkey.json.

Sequence Diagram(s)

mermaid
sequenceDiagram
participant Test as Test Harness
participant Verifier as CwtVerifier
participant CBOR as Authlete CBOR Parser
participant JWKS as JWKS HTTP Endpoint
participant COSE as COSEVerifier

Test->>Verifier: submit hex-encoded CWT
Verifier->>CBOR: parseCoseSign1(coseBytes)
CBOR-->>Verifier: COSE_Sign1 object
Verifier->>JWKS: fetch issuer JWKS (/.well-known/jwks.json)
JWKS-->>Verifier: JWKS JSON (keys)
Verifier->>COSE: verify signature with resolved public key
COSE-->>Verifier: verification result
Verifier-->>Test: return success / throw SignatureVerificationException

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

  • mayuradesh
  • Prafulrakhade
  • swatigoel

Poem

🐇 I nibbled bytes and parsed the night,
COSE and CBOR danced into sight,
JWKS keys gleamed in a testing glade,
I hopped—verification neatly made,
A rabbit's cheer for tests now right.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)
  • Docstring Coverage (⚠️ Warning): Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)
  • Description Check (✅ Passed): Check skipped, CodeRabbit's high-level summary is enabled.
  • Title check (✅ Passed): The title clearly indicates the main changes: adopting the com.authlete:cbor library and adding unit tests, which accurately reflects the changeset.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Fix all issues with AI agents
In `@vc-verifier/kotlin/gradle/libs.versions.toml`:
- Line 31: Update the authleteCbor version string (the libs.versions.toml entry
named authleteCbor) to a valid released version such as "1.18" (or confirm and
set the intended pre-release if that was meant) so the dependency resolves from
Maven Central; ensure the change preserves the dual-CBOR approach alongside
co.nstant.in:cbor 0.9 if both are required.

In
`@vc-verifier/kotlin/vcverifier/src/main/java/io/mosip/vercred/vcverifier/credentialverifier/verifier/CwtVerifier.kt`:
- Around line 45-48: The code in CwtVerifier that constructs the JWKS URI
currently does URI(issURI.toString() + "/.well-known/jwks.json") which can
produce double slashes when issURI ends with '/', so update the branch that
handles "http"/"https" to normalize the issuer before appending: obtain the
string from issURI (or use issURI.path), trim any trailing '/' from the issuer
string (or use URI.resolve with a relative path) and then append
"/.well-known/jwks.json" to produce a single-slash canonical URI; ensure you
still return a URI instance and keep the "did" branch unchanged.

In
`@vc-verifier/kotlin/vcverifier/src/test/java/io/mosip/vercred/vcverifier/credentialverifier/verifier/CwtVerifierTest.kt`:
- Around line 31-38: The test `should fail when EC CWT is verified with wrong
public key` currently only reads `coseHex` and never exercises the verifier;
update it to invoke the verification routine (e.g., call CwtVerifier.verify or
the project-specific verifier method) passing the `coseHex` and the incorrect
public key, and assert the negative outcome—either with assertThrows for an
expected exception or assertFalse/assertEquals for a boolean/error result—so the
test actually fails verification when given the wrong key.
🧹 Nitpick comments (1)
vc-verifier/kotlin/vcverifier/src/test/java/io/mosip/vercred/vcverifier/credentialverifier/verifier/CwtVerifierTest.kt (1)

17-21: Consider unmocking the NetworkManagerClient after tests.

mockkObject in a PER_CLASS lifecycle can leak mocks to other tests; an @AfterAll unmock helps keep tests isolated.

♻️ Suggested teardown
+import io.mockk.unmockkObject
+import org.junit.jupiter.api.AfterAll
+
+@AfterAll
+fun tearDown() {
+    unmockkObject(NetworkManagerClient.Companion)
+}
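Review bot: the argument to unmockkObject in the teardown must be the same object the @BeforeAll setup passed to mockkObject (the NetworkManagerClient mock at lines 17-21); `unmockkObject(NetworkManagerClient.Companion)` undoes only a mock of the companion, so if setup mocked a different receiver the leak this nitpick describes would remain. The diff also omits where `tearDown` lands in the class; it has to sit inside the test class, and a non-static @AfterAll is valid there only because the class is annotated @TestInstance(PER_CLASS), so if that annotation is ever dropped the method must move to a companion object with @JvmStatic.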
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ef5d5ff and be6d86d.

📒 Files selected for processing (8)
  • vc-verifier/kotlin/gradle/libs.versions.toml
  • vc-verifier/kotlin/vcverifier/build.gradle.kts
  • vc-verifier/kotlin/vcverifier/src/main/java/io/mosip/vercred/vcverifier/credentialverifier/verifier/CwtVerifier.kt
  • vc-verifier/kotlin/vcverifier/src/test/java/io/mosip/vercred/vcverifier/credentialverifier/verifier/CwtVerifierTest.kt
  • vc-verifier/kotlin/vcverifier/src/test/resources/cwt_vc/invalid-ec-cwt.hex
  • vc-verifier/kotlin/vcverifier/src/test/resources/cwt_vc/public_key/jwksECkey.json
  • vc-verifier/kotlin/vcverifier/src/test/resources/cwt_vc/public_key/jwksinvalidECkey.json
  • vc-verifier/kotlin/vcverifier/src/test/resources/cwt_vc/valid-ec-cwt.hex
🧰 Additional context used
🧠 Learnings (4)
📓 Common learnings
Learnt from: jaswanthkumartw
Repo: inji/vc-verifier PR: 216
File: vc-verifier/kotlin/vcverifier/src/main/java/io/mosip/vercred/vcverifier/credentialverifier/verifier/CwtVerifier.kt:22-26
Timestamp: 2026-01-09T06:10:25.708Z
Learning: In the CWT verification flow for the CwtVerifier and CwtValidator classes, validation is performed before verification. CwtValidator.validate() checks structure and claims first, then CwtVerifier.verify() performs signature verification. The verifier does not need to duplicate detailed structure validation since it's already handled by the validator.
📚 Learning: 2026-01-09T05:57:56.476Z
Learnt from: jaswanthkumartw
Repo: inji/vc-verifier PR: 216
File: vc-verifier/kotlin/vcverifier/src/main/java/io/mosip/vercred/vcverifier/keyResolver/Utils.kt:79-85
Timestamp: 2026-01-09T05:57:56.476Z
Learning: In the file vc-verifier/kotlin/vcverifier/src/main/java/io/mosip/vercred/vcverifier/keyResolver/Utils.kt, the constant JWK_KEY_TYPE_EC is defined as "EC", so when this constant is used in pattern matching, it already covers the raw "EC" string value.

Applied to files:

  • vc-verifier/kotlin/vcverifier/src/test/resources/cwt_vc/valid-ec-cwt.hex
  • vc-verifier/kotlin/vcverifier/src/test/resources/cwt_vc/invalid-ec-cwt.hex
  • vc-verifier/kotlin/vcverifier/src/test/java/io/mosip/vercred/vcverifier/credentialverifier/verifier/CwtVerifierTest.kt
  • vc-verifier/kotlin/vcverifier/src/test/resources/cwt_vc/public_key/jwksECkey.json
  • vc-verifier/kotlin/vcverifier/src/test/resources/cwt_vc/public_key/jwksinvalidECkey.json
📚 Learning: 2026-01-09T06:10:25.708Z
Learnt from: jaswanthkumartw
Repo: inji/vc-verifier PR: 216
File: vc-verifier/kotlin/vcverifier/src/main/java/io/mosip/vercred/vcverifier/credentialverifier/verifier/CwtVerifier.kt:22-26
Timestamp: 2026-01-09T06:10:25.708Z
Learning: In the CWT verification flow for the CwtVerifier and CwtValidator classes, validation is performed before verification. CwtValidator.validate() checks structure and claims first, then CwtVerifier.verify() performs signature verification. The verifier does not need to duplicate detailed structure validation since it's already handled by the validator.

Applied to files:

  • vc-verifier/kotlin/vcverifier/src/test/java/io/mosip/vercred/vcverifier/credentialverifier/verifier/CwtVerifierTest.kt
  • vc-verifier/kotlin/vcverifier/src/main/java/io/mosip/vercred/vcverifier/credentialverifier/verifier/CwtVerifier.kt
📚 Learning: 2026-01-07T10:57:37.322Z
Learnt from: jaswanthkumartw
Repo: inji/vc-verifier PR: 216
File: vc-verifier/kotlin/vcverifier/src/main/java/io/mosip/vercred/vcverifier/credentialverifier/verifier/CwtVerifier.kt:95-123
Timestamp: 2026-01-07T10:57:37.322Z
Learning: In the CwtVerifier class, the `PublicKeyResolverFactory().get(issuer)` method throws `PublicKeyNotFoundException` when a key cannot be resolved, rather than returning null.

Applied to files:

  • vc-verifier/kotlin/vcverifier/src/test/java/io/mosip/vercred/vcverifier/credentialverifier/verifier/CwtVerifierTest.kt
  • vc-verifier/kotlin/vcverifier/src/main/java/io/mosip/vercred/vcverifier/credentialverifier/verifier/CwtVerifier.kt
🧬 Code graph analysis (1)
vc-verifier/kotlin/vcverifier/src/test/java/io/mosip/vercred/vcverifier/credentialverifier/verifier/CwtVerifierTest.kt (1)
vc-verifier/kotlin/vcverifier/src/test/java/testutils/TestUtils.kt (2)
  • readClasspathFile (8-9)
  • mockHttpResponse (13-17)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build-maven-vc-verifier / maven-build
🔇 Additional comments (6)
vc-verifier/kotlin/vcverifier/build.gradle.kts (1)

72-72: LGTM!

The dependency addition is correctly configured and aligns with the version catalog entry in libs.versions.toml.

vc-verifier/kotlin/vcverifier/src/test/resources/cwt_vc/invalid-ec-cwt.hex (1)

1-1: LGTM!

The invalid EC-CWT test fixture is appropriately added for negative test scenarios. Having both valid and invalid test resources ensures comprehensive coverage of the verification flow.

vc-verifier/kotlin/vcverifier/src/test/resources/cwt_vc/valid-ec-cwt.hex (1)

1-1: LGTM!

The valid EC-CWT test fixture is correctly structured (CBOR tag 18 prefix d284 indicates COSE_Sign1) and appropriately added for positive test scenarios.

vc-verifier/kotlin/vcverifier/src/test/resources/cwt_vc/public_key/jwksECkey.json (1)

1-13: LGTM!

The JWKS test fixture is well-formed and follows RFC 7517 structure correctly. The EC P-256 key with ES256 algorithm is appropriate for testing the COSEVerifier-based verification flow.

vc-verifier/kotlin/vcverifier/src/test/resources/cwt_vc/public_key/jwksinvalidECkey.json (1)

1-13: Test JWKS fixture looks consistent.

Fields required for an ES256 EC public key are present and well-formed for test usage.

vc-verifier/kotlin/vcverifier/src/main/java/io/mosip/vercred/vcverifier/credentialverifier/verifier/CwtVerifier.kt (1)

100-108: Confirm tagged-only COSE_Sign1 parsing is intentional.

parseCoseSign1 now rejects untagged COSE_Sign1 inputs. If any issuers produce untagged Sign1 (allowed in some profiles), verification will fail despite validateCoseStructure passing. Please verify expected input format and Authlete decoder behavior; if untagged tokens are possible, accept both tagged and untagged forms.

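The tagged-versus-untagged COSE_Sign1 question raised in the CwtVerifier.kt comment above (lines 100-108) is easiest to see with a parser in hand. What follows is an added example, not code from this PR, from the inji vc-verifier project, or from the Authlete library; it is written in Python so it runs stand-alone, with a minimal definite-length CBOR decoder written here rather than a library call. The sample bytes are constructed for this example (an ES256-labelled protected header, the payload "hello", and a dummy 8-byte signature; nothing is actually signed), and the `require_tag` policy switch is an assumption of this example, not a parameter of CwtVerifier.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Any

COSE_SIGN1_TAG = 18  # CBOR tag number for COSE_Sign1 (RFC 9052); the initial byte is 0xd2


@dataclass
class Tagged:
    tag: int
    value: Any


class CborDecoder:
    """Minimal CBOR decoder: ints, byte/text strings, arrays, maps, tags, null/bool.
    Definite-length items only, which is all a COSE_Sign1 structure needs."""

    def __init__(self, data: bytes) -> None:
        self.data = data
        self.pos = 0

    def _take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated CBOR input")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def _head(self) -> tuple[int, int]:
        initial = self._take(1)[0]
        major, info = initial >> 5, initial & 0x1F
        if info < 24:
            return major, info
        width = {24: 1, 25: 2, 26: 4, 27: 8}.get(info)
        if width is None:
            raise ValueError("indefinite-length or reserved additional info not supported")
        return major, int.from_bytes(self._take(width), "big")

    def decode(self) -> Any:
        major, arg = self._head()
        if major == 0:
            return arg
        if major == 1:
            return -1 - arg
        if major == 2:
            return bytes(self._take(arg))
        if major == 3:
            return self._take(arg).decode("utf-8")
        if major == 4:
            return [self.decode() for _ in range(arg)]
        if major == 5:
            result = {}
            for _ in range(arg):
                key = self.decode()      # key is decoded before its value
                result[key] = self.decode()
            return result
        if major == 6:
            return Tagged(arg, self.decode())
        if major == 7 and arg in (20, 21, 22):
            return {20: False, 21: True, 22: None}[arg]
        raise ValueError(f"unsupported CBOR item: major type {major}, argument {arg}")


@dataclass
class CoseSign1:
    protected: bytes          # serialized protected header map
    unprotected: dict
    payload: bytes | None     # None for a detached payload
    signature: bytes
    tagged: bool              # whether the input carried tag 18


def parse_cose_sign1(data: bytes, require_tag: bool = False) -> CoseSign1:
    """Parse a COSE_Sign1, accepting both the tagged (0xd2 ...) and the bare-array form.
    `require_tag` is this example's policy switch for rejecting untagged input."""
    if not data:
        raise ValueError("empty COSE input")
    decoder = CborDecoder(data)
    item = decoder.decode()
    if decoder.pos != len(data):
        raise ValueError("trailing bytes after the COSE_Sign1 structure")
    tagged = isinstance(item, Tagged)
    if tagged:
        # A tag is present: it must be exactly 18, so that a COSE_Sign (tag 98)
        # or any other structure is never mistaken for a single-signer token.
        if item.tag != COSE_SIGN1_TAG:
            raise ValueError(f"expected CBOR tag {COSE_SIGN1_TAG} (COSE_Sign1), got tag {item.tag}")
        item = item.value
    elif require_tag:
        raise ValueError("untagged COSE_Sign1 rejected by policy")
    if not isinstance(item, list) or len(item) != 4:
        raise ValueError("COSE_Sign1 must be a 4-element array")
    protected, unprotected, payload, signature = item
    if not (isinstance(protected, bytes) and isinstance(unprotected, dict)
            and (payload is None or isinstance(payload, bytes))
            and isinstance(signature, bytes)):
        raise ValueError("COSE_Sign1 element has the wrong CBOR type")
    return CoseSign1(protected, unprotected, payload, signature, tagged)


def protected_alg(sig: CoseSign1) -> int | None:
    """Decode the protected header and return its 'alg' (label 1), e.g. -7 for ES256."""
    header = CborDecoder(sig.protected).decode() if sig.protected else {}
    return header.get(1)


# Constructed sample input (not one of the PR fixtures): tag 18, then a 4-element
# array: protected {1: -7} (ES256), empty unprotected map, payload "hello",
# and a dummy 8-byte "signature" that has not been produced by any key.
TAGGED_SIGN1 = bytes.fromhex("d2" "84" "43a10126" "a0" "4568656c6c6f" "480001020304050607")
UNTAGGED_SIGN1 = TAGGED_SIGN1[1:]                    # same structure without the tag
WRONG_TAG_SIGN1 = bytes([0xD3]) + TAGGED_SIGN1[1:]   # tag 19 wrapping the same array

if __name__ == "__main__":
    for label, blob in (("tagged", TAGGED_SIGN1), ("untagged", UNTAGGED_SIGN1)):
        parsed = parse_cose_sign1(blob)
        print(label, "alg =", protected_alg(parsed), "payload =", parsed.payload)
    for label, blob in (("empty", b""), ("wrong tag", WRONG_TAG_SIGN1)):
        try:
            parse_cose_sign1(blob)
        except ValueError as exc:
            print(label, "rejected:", exc)
```

The `d284` prefix the review mentions for valid-ec-cwt.hex is exactly the tagged form here (0xd2 = tag 18, 0x84 = 4-element array). Accepting the untagged form is a matter of issuer profile, but whichever policy is chosen, the parse must still reject a present-but-different tag and any trailing bytes, and the structural checks here are no substitute for signature verification over the Sig_structure, which the parser deliberately does not attempt.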

…t case

Signed-off-by: jaswanthkumarpolisetty <jaswanthkumar.p@thoughtworks.com>
@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@vc-verifier/kotlin/gradle/libs.versions.toml`:
- Line 31: Update the pinned dependency value for authleteCbor in the
libs.versions.toml by changing the authleteCbor entry from "1.18" to "1.19"
(replace the authleteCbor = "1.18" line with authleteCbor = "1.19") so the
project uses the latest release; run a quick build to confirm no compatibility
issues after the version bump.
🧹 Nitpick comments (1)
vc-verifier/kotlin/vcverifier/src/main/java/io/mosip/vercred/vcverifier/credentialverifier/verifier/CwtVerifier.kt (1)

121-121: Use val instead of var.

issuer is never reassigned, so it should be declared as val for immutability.

🔧 Suggested fix
-            var issuer = extractIssuer(claims)
+            val issuer = extractIssuer(claims)
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between be6d86d and c8d9967.

📒 Files selected for processing (4)
  • vc-verifier/kotlin/gradle/libs.versions.toml
  • vc-verifier/kotlin/vcverifier/src/main/java/io/mosip/vercred/vcverifier/credentialverifier/verifier/CwtVerifier.kt
  • vc-verifier/kotlin/vcverifier/src/test/java/io/mosip/vercred/vcverifier/credentialverifier/verifier/CwtVerifierTest.kt
  • vc-verifier/kotlin/vcverifier/src/test/resources/cwt_vc/public_key/jwksinvalidECkey.json
🚧 Files skipped from review as they are similar to previous changes (2)
  • vc-verifier/kotlin/vcverifier/src/test/resources/cwt_vc/public_key/jwksinvalidECkey.json
  • vc-verifier/kotlin/vcverifier/src/test/java/io/mosip/vercred/vcverifier/credentialverifier/verifier/CwtVerifierTest.kt
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2026-01-09T06:10:25.708Z
Learnt from: jaswanthkumartw
Repo: inji/vc-verifier PR: 216
File: vc-verifier/kotlin/vcverifier/src/main/java/io/mosip/vercred/vcverifier/credentialverifier/verifier/CwtVerifier.kt:22-26
Timestamp: 2026-01-09T06:10:25.708Z
Learning: In the CWT verification flow for the CwtVerifier and CwtValidator classes, validation is performed before verification. CwtValidator.validate() checks structure and claims first, then CwtVerifier.verify() performs signature verification. The verifier does not need to duplicate detailed structure validation since it's already handled by the validator.

Applied to files:

  • vc-verifier/kotlin/vcverifier/src/main/java/io/mosip/vercred/vcverifier/credentialverifier/verifier/CwtVerifier.kt
📚 Learning: 2026-01-07T10:57:37.322Z
Learnt from: jaswanthkumartw
Repo: inji/vc-verifier PR: 216
File: vc-verifier/kotlin/vcverifier/src/main/java/io/mosip/vercred/vcverifier/credentialverifier/verifier/CwtVerifier.kt:95-123
Timestamp: 2026-01-07T10:57:37.322Z
Learning: In the CwtVerifier class, the `PublicKeyResolverFactory().get(issuer)` method throws `PublicKeyNotFoundException` when a key cannot be resolved, rather than returning null.

Applied to files:

  • vc-verifier/kotlin/vcverifier/src/main/java/io/mosip/vercred/vcverifier/credentialverifier/verifier/CwtVerifier.kt
🪛 detekt (1.23.8)
vc-verifier/kotlin/vcverifier/src/main/java/io/mosip/vercred/vcverifier/credentialverifier/verifier/CwtVerifier.kt

[warning] 95-95: The caught exception is swallowed. The original exception could be lost.

(detekt.exceptions.SwallowedException)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build-maven-vc-verifier / maven-build
🔇 Additional comments (5)
vc-verifier/kotlin/vcverifier/src/main/java/io/mosip/vercred/vcverifier/credentialverifier/verifier/CwtVerifier.kt (4)

3-6: LGTM!

The new Authlete CBOR/COSE imports align well with the updated verification flow.


44-47: LGTM - previous review concern addressed.

The use of removeSuffix("/") properly handles trailing slashes in the issuer URI, preventing double-slash issues in the constructed JWKS URL.


100-109: LGTM!

The parseCoseSign1 method has good defensive error handling with clear, specific error messages for each failure case (empty input, missing tag, invalid structure).


93-97: The suggested fix won't compile; SignatureVerificationException doesn't accept a cause parameter.

The current constructor for SignatureVerificationException only accepts a message: String? parameter and doesn't support passing a cause. The parent class BaseUncheckedException similarly only accepts errorMessage: String? and passes it to RuntimeException.

To implement the suggestion of passing the original exception as a cause, the exception hierarchy would need to be modified first:

  1. Update BaseUncheckedException to accept and pass a cause parameter to RuntimeException
  2. Update SignatureVerificationException to accept and pass a cause parameter to BaseUncheckedException
  3. Then update the call site to pass the exception as the cause

Without these changes, the current code is correct for the existing constructor signature.

Likely an incorrect or invalid review comment.

vc-verifier/kotlin/gradle/libs.versions.toml (1)

68-68: Catalog alias wiring is correct and properly used.

The authlete-cbor alias is correctly defined with a valid version reference (authleteCbor = "1.18") and is actively referenced in vcverifier/build.gradle.kts (line 72). The dependency is imported and used in CwtVerifier.kt.

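Both reviews touch the issuer JWKS URL construction: the first flagged the double slash from plain concatenation and suggested either trimming the trailing slash or using URI.resolve, the second confirmed the removeSuffix("/") fix. The example below is added here and is not code from the PR or the vc-verifier project; it is in Python so it runs stand-alone, the function names and the issuer values are constructed for illustration, and it covers only the http(s) branch (the "did" branch the review says to leave unchanged is out of scope). It shows why the trim-and-append form was the right pick: resolving the absolute path `/.well-known/jwks.json` against an issuer that has a path component silently drops that path, which would fetch keys from a different location than the issuer identifies.

```python
from __future__ import annotations

from urllib.parse import urljoin, urlsplit, urlunsplit

JWKS_SUFFIX = "/.well-known/jwks.json"


def jwks_url_naive(issuer: str) -> str:
    """Plain concatenation, the form the first review flagged: doubles the slash
    whenever the issuer already ends in '/'."""
    return issuer + JWKS_SUFFIX


def jwks_url_resolve(issuer: str) -> str:
    """RFC 3986 resolution of the absolute path, the other alternative suggested.
    An absolute path replaces the issuer's whole path, so '/tenant/a' is lost."""
    return urljoin(issuer, JWKS_SUFFIX)


def jwks_url(issuer: str) -> str:
    """Strip trailing slashes, then append the suffix, keeping any path component.
    Unlike Kotlin's removeSuffix("/"), rstrip removes every trailing slash, not one."""
    parts = urlsplit(issuer)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("issuer must be an absolute http(s) URL")
    if parts.query or parts.fragment:
        raise ValueError("issuer must not carry a query or fragment")
    path = parts.path.rstrip("/") + JWKS_SUFFIX
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


if __name__ == "__main__":
    # Constructed issuer identifiers; none of these hosts is real.
    for issuer in ("https://issuer.example", "https://issuer.example/", "https://issuer.example/tenant/a/"):
        print(issuer)
        print("  naive  :", jwks_url_naive(issuer))
        print("  resolve:", jwks_url_resolve(issuer))
        print("  trimmed:", jwks_url(issuer))
```

The query and fragment checks are there because the JWKS location is derived from an attacker-influenced `iss` claim before the signature has been checked: constraining it to a plain absolute http(s) URL keeps the key-fetch target predictable, and it is also why the test fixtures mock the endpoint rather than letting the verifier reach the network.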

Signed-off-by: jaswanthkumarpolisetty <jaswanthkumar.p@thoughtworks.com>
@mayuradesh mayuradesh changed the title [INJIVER-1369]: update with new lib same as certify and add the tests [INJIVER-1369] using com.authlete:cbor libray and add the unit tests Jan 16, 2026