[INJIVER-1523] Fixed LSH comments - updated ReadMe, added design doc, fixed Code Rabbit comments from PR 230 for CWT#232

Merged
mayuradesh merged 9 commits into inji:release-1.7.x from tw-mosip:vcver-readme-release
Feb 4, 2026
@jaswanthkumartw jaswanthkumartw commented Feb 4, 2026

Summary by CodeRabbit

  • New Features

    • Added support for CWT (CBOR Web Token) Verifiable Credentials with COSE_Sign1 signature verification and ES256/EdDSA algorithm support.
  • Documentation

    • Added comprehensive CWT-VC verification documentation covering issuer key resolution, validation/verification workflow, validation rules, and diagrams.
  • Chores

    • Updated CBOR/crypto library references.
  • Bug Fixes

    • Improved error handling for JWKS public key resolution.

Signed-off-by: jaswanthkumarpolisetty <jaswanthkumar.p@thoughtworks.com>
Signed-off-by: jaswanthkumarpolisetty <jaswanthkumar.p@thoughtworks.com>
Signed-off-by: jaswanthkumarpolisetty <jaswanthkumar.p@thoughtworks.com>
coderabbitai bot commented Feb 4, 2026

Walkthrough

Adds a README table entry for CWT_VC, a new design/spec doc for CWT-VC verification, and updates Kotlin build deps to replace a COSE library with UPoKe CBOR; a small error-handling tweak in JWKS resolver was also made.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Docs: README (README.md) | Added cwt_vc row to "Supported VC Formats and Their Signature Mechanisms" table (COSE_Sign1; algs ES256, EdDSA). |
| Docs: CWT-VC spec (doc/cwt-vc-verification-support.md) | New specification documenting CWT-VC validation/verification workflow, public API additions (CWT_VC enum/value, CwtVerifiableCredential, CwtValidator, CwtVerifier), validation rules, key resolution, and sequence diagrams. |
| Kotlin build config (vc-verifier/kotlin/gradle/libs.versions.toml, vc-verifier/kotlin/vcverifier/build.gradle.kts) | Replaced COSE/CBOR library refs with UPoKe CBOR (cborLibrary / upokecenter-cbor) and updated dependency usage. |
| JWKS resolver error handling (vc-verifier/kotlin/vcverifier/src/.../JwksPublicKeyResolver.kt) | Adjusted catch block to rethrow PublicKeyNotFoundException unchanged, otherwise wrap other exceptions in PublicKeyNotFoundException with a descriptive message. |

Sequence Diagram(s)

sequenceDiagram
participant Client as Client
participant Factory as CredentialVerifierFactory
participant Validator as CwtValidator
participant Verifier as CwtVerifier
participant Resolver as IssuerPublicKeyResolver
participant Issuer as Issuer (HTTP(S))

Client->>Factory: submit CWT_VC credential
Factory->>Validator: select validator for CWT_VC
Validator->>Verifier: validate COSE_Sign1 structure & CWT claims
Verifier->>Resolver: fetch issuer public key (/.well-known/jwks.json)
Resolver->>Issuer: GET public key
Issuer-->>Resolver: return key
Resolver-->>Verifier: deliver key
Verifier->>Verifier: verify COSE_Sign1 signature & numeric dates
Verifier-->>Validator: verification result
Validator-->>Factory: validation outcome
Factory-->>Client: final verification response
Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • mayuradesh
  • swatigoel
  • abhip2565

Poem

🐇 I hopped in with a CBOR cheer,
New CWT-VC banners near,
Docs penned clear and build deps swapped,
Keys fetched right from endpoints topped,
🥕 A tiny hop — verification's here!

🚥 Pre-merge checks | ✅ 2 | ❌ 1
❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title references addressing LSH comments and CWT-related changes, which aligns with the PR's actual changes including CWT-VC documentation, README updates, and dependency updates for CBOR/COSE support. |


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@doc/cwt-vc-verification-support.md`:
- Around line 28-39: The diagram title claims "validate and verify `cwt-vc`
credential" but the mermaid sequence shows only validation steps; either rename
the heading to "validate `cwt-vc` credential" or extend the sequence to include
explicit verification interactions (e.g., after validation add messages such as
CredentialsVerifier->>TrustResolver: Resolve trust,
CredentialsVerifier->>SignatureVerifier: Verify signature,
SignatureVerifier-->>CredentialsVerifier: Verification result, then
CredentialsVerifier-->>Wallet: Verification result) by updating the Mermaid
actors (Wallet, CredentialsVerifier, CredentialVerifierFactory,
CwtVerifiableCredential, CwtValidator) to include the verification flow so the
title matches the diagram content.
- Around line 85-87: Update the sequence/diagram text to avoid implying
duplicate structure validation: change the CwtVerifier steps so they indicate
the COSE_Sign1 structure has already been validated (e.g., "Extract COSE_Sign1
object" -> "Extract COSE_Sign1 object (already validated by CwtValidator)") and
remove or relabel the "Validate COSE_Sign1 structure" step; reference
CwtValidator.validate() as the place where structure and claims are checked and
keep CwtVerifier.verify() focused on signature verification only.
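
The split this review comment describes (structure and claim checks first, signature verification afterwards) can be sketched as follows; this is an added Python example, not the project's Kotlin code. The tag numbers, `alg` header label, claim keys and algorithm ids are the standard COSE/CWT values (RFC 9052, RFC 8392) rather than anything shown on this page, and the names `cbor_decode`, `validate_cwt` and `SAMPLE`, the minimal decoder, and the rule that `alg` must sit in the protected header are assumptions of the example.

```python
ALLOWED_ALGS = {-7: "ES256", -8: "EdDSA"}  # COSE algorithm ids for the two supported algs
ALG, EXP, NBF = 1, 4, 5                    # COSE "alg" header label; CWT exp / nbf claim keys

def cbor_decode(buf, i=0):
    """Decode one definite-length CBOR item at offset i; return (value, next_offset)."""
    major, info, i = buf[i] >> 5, buf[i] & 0x1F, i + 1
    n = (1 << (info - 24)) if info >= 24 else 0   # argument bytes after the head: 1, 2, 4 or 8
    arg, i = (int.from_bytes(buf[i:i + n], "big") if n else info), i + n
    if info > 27 or i > len(buf) or (major in (2, 3) and i + arg > len(buf)):
        raise ValueError("indefinite length or truncated input")
    if major in (0, 1):                    # unsigned / negative integer
        return (arg if major == 0 else -1 - arg), i
    if major in (2, 3):                    # byte string / text string
        raw = bytes(buf[i:i + arg])
        return (raw if major == 2 else raw.decode("utf-8")), i + arg
    if major in (4, 5):                    # array of arg items / map of arg pairs
        items = []
        for _ in range(arg * (major - 3)):
            item, i = cbor_decode(buf, i)
            items.append(item)
        return (items if major == 4 else dict(zip(items[::2], items[1::2]))), i
    if major == 6 and arg in (18, 61):     # COSE_Sign1 / CWT tag: return the wrapped item
        return cbor_decode(buf, i)
    raise ValueError("unsupported CBOR item")

def validate_cwt(data, now):
    """Checks to run before signature verification; returns a list of problems."""
    try:
        item, end = cbor_decode(data)
        shape = [type(x) for x in item] if isinstance(item, list) else None
        if end != len(data) or shape != [bytes, dict, bytes, bytes]:
            return ["not exactly one COSE_Sign1 array [bstr, map, bstr, bstr]"]
        header, claims = cbor_decode(item[0])[0], cbor_decode(item[2])[0]
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            return ["protected header and payload must decode to maps"]
    except (ValueError, IndexError, TypeError, RecursionError) as exc:
        return [f"malformed CBOR: {exc}"]
    problems = []
    if header.get(ALG) not in ALLOWED_ALGS:    # only the signed (protected) header counts
        problems.append("alg missing from protected header or not allowed")
    if EXP in claims and not (isinstance(claims[EXP], int) and now < claims[EXP]):
        problems.append("exp is not an integer or has passed")
    if NBF in claims and not (isinstance(claims[NBF], int) and claims[NBF] <= now):
        problems.append("nbf is not an integer or is in the future")
    return problems

# Constructed sample: tag 18, protected {1: -7}, claims {4: 2000000000, 5: 1700000000},
# and 64 zero bytes standing in for the signature (no signature check happens here).
SAMPLE = bytes.fromhex("d28443a10126a04da2041a77359400051a6553f1005840") + bytes(64)
```

An empty result only means the token is well-formed and within its validity window; the signature still has to be verified against the resolved issuer key before the credential is trusted.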

… com.upokecenter.cbor

Signed-off-by: jaswanthkumarpolisetty <jaswanthkumar.p@thoughtworks.com>
Signed-off-by: jaswanthkumarpolisetty <jaswanthkumar.p@thoughtworks.com>
@mayuradesh mayuradesh changed the title from "[INJIVER-1523] Update Readme file and add cwt-vc-verification-support doc" to "[INJIVER-1523] Fixed LSH comments - updated ReadMe, added design doc, fixed Code Rabbit comments from PR 230 for CWT" on Feb 4, 2026
Signed-off-by: jaswanthkumarpolisetty <jaswanthkumar.p@thoughtworks.com>
Signed-off-by: jaswanthkumarpolisetty <jaswanthkumar.p@thoughtworks.com>
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In
`@vc-verifier/kotlin/vcverifier/src/main/java/io/mosip/vercred/vcverifier/keyResolver/types/jwks/JwksPublicKeyResolver.kt`:
- Around line 32-34: In JwksPublicKeyResolver's catch block that currently
rethrows exceptions (catching Exception and throwing
PublicKeyNotFoundException), preserve the original exception by creating the new
PublicKeyNotFoundException and calling initCause(e) on it before throwing;
specifically, replace the current conditional throw with constructing a new
PublicKeyNotFoundException("Failed to resolve JWKS public key: ${e.message}"),
invoke initCause(e) on that instance, and then throw it, while still rethrowing
the original e when it is already a PublicKeyNotFoundException.

Signed-off-by: jaswanthkumarpolisetty <jaswanthkumar.p@thoughtworks.com>
Signed-off-by: jaswanthkumarpolisetty <jaswanthkumar.p@thoughtworks.com>
@mayuradesh mayuradesh merged commit 723c66a into inji:release-1.7.x Feb 4, 2026
4 checks passed