Invalid input_descriptors parsing while presenting mdoc credentials

[matija-tbtl]

Bug Description

It seems that the path values of the input_descriptors.constraints.fields of the Presentation Definition are incorrectly parsed by the Wallet when executing the presentation flow of the mdoc credentials, resulting in empty documents, i.e. no disclosures are presented.

This is applicable when the namespace contains . (dot) characters, as is the case with the Mobile Driving License (mDL), where, by the ISO/IEC 18013-5:2021, the namespace should be set to org.iso.18013.5.1.

Additional context

The ISO/IEC TS 18013-7:2024 specifies that the path for selecting disclosures for mdoc credentials should look like $['<namespace>']['<data_element_identifier>'], e.g. $['org.iso.18013.5.1']['family_name'] for namespace org.iso.18013.5.1 and disclosure family_name.

Here is the method that parses that path:

waltid-identity/waltid-libraries/protocols/waltid-openid4vc/src/commonMain/kotlin/id/walt/oid4vc/data/dif/InputDescriptorField.kt

Lines 30 to 36 in 4d0f11a

	fun addToMdocRequest(mDocRequestBuilder: MDocRequestBuilder, intentToRetain: Boolean = false): MDocRequestBuilder {
	path.firstOrNull()?.trimStart('$')?.replace("['", "")?.replace("']", ".")?.trimEnd('.')?.split('.')
	?.also { pathSegments ->
	mDocRequestBuilder.addDataElementRequest(pathSegments.first(), pathSegments.last(), intentToRetain)
	}
	return mDocRequestBuilder
	}

Here, the call to split('.') will also split the namespace value, thus making the pathSegments.first() return just org instead of org.iso.18013.5.1 in the previous example. The org namespace will not exist, and consequently, no disclosures will ever be matched/returned.

There are multiple tests for creating the mdoc presentations, but they use the underlying addDataElementRequest method directly, with the appropriate values, avoiding the call to the referenced addToMdocRequest method.

To Reproduce

Without going into details, I will focus on the request body parameters of the end-to-end flow, i.e. the mdoc credential issuance, presentation, and verification. The issue seems to only be on the Wallet side, where the Issuer and the Verifier here serve only to be able to execute the whole flow.

When calling the /openid4vc/mdoc/issue endpoint on the Issuer, the following payload is used (the key- and certificate-related data is intentionally omitted):

{
  "issuerKey": { ... },
  "credentialConfigurationId": "org.iso.18013.5.1.mDL",
  "mdocData": {
    "org.iso.18013.5.1": {
      "family_name": "Doe",
      "given_name": "John",
      "birth_date": "1980-01-02"
    }
  },
  "authenticationMethod": "PRE_AUTHORIZED",
  "issuerDid": "",
  "x5Chain": [ "..." ],
  "trustedRootCAs": [ "..." ]
}

Furthermore, when calling the /openid4vc/verify endpoint on the Verifier, the following payload is used (again, the key- and certificate-related data is intentionally omitted):

{
    "request_credentials": [
        {
            "format": "mso_mdoc",
            "doc_type": "org.iso.18013.5.1.mDL",
            "input_descriptor": {
                "constraints": {
                    "limit_disclosure": "required",
                    "fields": [
                        {
                            "path": [
                                "$['org.iso.18013.5.1']['family_name']"
                            ],
                            "intent_to_retain": true,
                            "filter": {
                                "pattern": null
                            }
                        }
                    ]
                }
            }
        }
    ],
    "trusted_root_cas": [ "..." ],
    "openid_profile": "ISO_18013_7_MDOC"
}

The Presentation Definition sent to the Wallet will then contain this input_desctiptor. The wallet will parse the path value incorrectly and will present an empty credential.