Merge pull request #535 from lissi-id/bugfix/fix-claimpath-handling

bugfix: fix claim path null handling

Author: Dindexx

CHANGELOG.md

@@ -7,6 +7,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### [Unreleased]
 
+#### Fixed
+
+- Claim paths that select all elements in an array are preserved correctly when credentials or metadata are serialized.
+- SD-JWT presentations include the right disclosures for nested and array-shaped claims, not only simple top-level paths.
+
+#### Changed
+
+- SD-JWT holder presentation APIs now take structured claim paths instead of raw path strings.
+
 ### [3.0.1] - 2026.02.27
 
 - Fix Database concurrency issues

src/WalletFramework.Core/ClaimPaths/ClaimPath.cs

@@ -87,4 +87,13 @@ public static JsonPath ToJsonPath(this ClaimPath claimPath)
 
         return JsonPath.ValidJsonPath(jsonPath.ToString()).UnwrapOrThrow();
     }
+
+    public static Validation<ClaimPathSelection> ProcessWith(this ClaimPath path, JObject jObject) =>
+        path.GetPathComponents().Aggregate(
+            ClaimPathSelection.Create([(JToken)jObject]),
+            (validation, component) => validation.OnSuccess(selection =>
+                component.Match(
+                    s => ClaimPathSelectionFun.SelectObjectKey(selection, s),
+                    i => ClaimPathSelectionFun.SelectArrayIndex(selection, i),
+                    _ => ClaimPathSelectionFun.SelectAllArrayElements(selection))));
 }

src/WalletFramework.Oid4Vp/ClaimPaths/ClaimPathFun.cs

@@ -6,7 +6,6 @@
 using WalletFramework.MdocLib;
 using WalletFramework.MdocLib.Elements;
 using WalletFramework.SdJwtLib.Models;
-using static WalletFramework.Core.ClaimPaths.ClaimPathSelectionFun;
 
 namespace WalletFramework.Oid4Vp.ClaimPaths;
 
@@ -24,26 +23,12 @@ public static Validation<ClaimPathSelection> ProcessWith(this ClaimPath path, st
             return new InvalidJsonError(json, e);
         }
 
-        var components = path.GetPathComponents();
-        return components.Aggregate(
-            ClaimPathSelection.Create([jObject]),
-            (validation, component) => validation.OnSuccess(selection =>
-            {
-                return component.Match(
-                    s => SelectObjectKey(selection, s),
-                    i => SelectArrayIndex(selection, i),
-                    _ => SelectAllArrayElements(selection)
-                );
-            })
-        );
-    }
-    
-    public static Validation<ClaimPathSelection> ProcessWith(this ClaimPath path, SdJwtDoc sdJwtDoc)
-    {
-        var jsonStr = sdJwtDoc.UnsecuredPayload.ToString();
-        return path.ProcessWith(jsonStr);
+        return path.ProcessWith(jObject);
     }
 
+    public static Validation<ClaimPathSelection> ProcessWith(this ClaimPath path, SdJwtDoc sdJwtDoc) =>
+        path.ProcessWith(sdJwtDoc.UnsecuredPayload);
+
     public static Validation<ClaimPathSelection> ProcessWith(this ClaimPath path, Mdoc mdoc)
     {
         var components = path.GetPathComponents();

src/WalletFramework.Oid4Vp/Services/PresentationService.cs

@@ -1,5 +1,7 @@
 using LanguageExt;
 using Microsoft.IdentityModel.Tokens;
+using WalletFramework.Core.ClaimPaths;
+using WalletFramework.Core.Credentials;
 using WalletFramework.Core.Credentials.Abstractions;
 using WalletFramework.Core.Functional;
 using WalletFramework.Credentials;
@@ -94,10 +96,14 @@ public PresentationService(
             {
                 case SdJwtCredential sdJwt:
                     format = CredentialFormat.ValidCredentialFormat(sdJwt.Format).UnwrapOrThrow();
+
+                    var sdJwtPaths = credential.ClaimsToDisclose.Match(
+                        queries => queries.Select(q => q.Path).ToArray(),
+                        () => Array.Empty<ClaimPath>());
 
                     presentation = await _sdJwtVcHolderService.CreatePresentation(
                         sdJwt,
-                        [.. claims],
+                        sdJwtPaths,
                         txDataHashesAsHexOption,
                         txDataHashesAlgOption,
                         audience,

src/WalletFramework.SdJwtVc/Services/SdJwtVcHolderService/ISdJwtVcHolderService.cs

@@ -1,4 +1,5 @@
 using LanguageExt;
+using WalletFramework.Core.ClaimPaths;
 
 namespace WalletFramework.SdJwtVc.Services.SdJwtVcHolderService;
 
@@ -11,10 +12,7 @@ public interface ISdJwtVcHolderService
     ///     Creates a SD-JWT in presentation format where the provided claims are disclosed.
     ///     The key binding is optional and can be activated by providing an audience and a nonce.
     /// </summary>
-    /// <remarks>
-    ///     The SD-JWT is created using the provided SD-JWT credential and the provided claims are disclosed
-    /// </remarks>
-    /// <param name="disclosedClaimPaths">The claims to disclose</param>
+    /// <param name="disclosedClaimPaths">The claim paths to disclose</param>
     /// <param name="sdJwt">The SD-JWT credential</param>
     /// <param name="transactionDataHashes">The transaction data hashes</param>
     /// <param name="transactionDataHashesAlg">The transaction data hashes alg</param>
@@ -23,7 +21,7 @@ public interface ISdJwtVcHolderService
     /// <returns>The SD-JWT in presentation format</returns>
     Task<string> CreatePresentation(
         SdJwtCredential sdJwt,
-        string[] disclosedClaimPaths,
+        ClaimPath[] disclosedClaimPaths,
         Option<IEnumerable<string>> transactionDataHashes,
         Option<string> transactionDataHashesAlg,
         string? audience = null,

src/WalletFramework.SdJwtVc/Services/SdJwtVcHolderService/SdJwtVcHolderService.cs

@@ -1,7 +1,10 @@
 using LanguageExt;
+using Newtonsoft.Json.Linq;
+using WalletFramework.Core.ClaimPaths;
 using WalletFramework.Core.Functional;
 using WalletFramework.SdJwtLib.Models;
 using WalletFramework.SdJwtLib.Roles;
+using PathSet = System.Collections.Generic.HashSet<string>;
 
 namespace WalletFramework.SdJwtVc.Services.SdJwtVcHolderService;
 
@@ -11,24 +14,23 @@ public class SdJwtVcHolderService(IHolder holder, ISdJwtSigner signer) : ISdJwtV
     /// <inheritdoc />
     public async Task<string> CreatePresentation(
         SdJwtCredential credential,
-        string[] disclosedClaimPaths,
+        ClaimPath[] disclosedClaimPaths,
         Option<IEnumerable<string>> transactionDataHashes,
         Option<string> transactionDataHashesAlg,
         string? audience = null,
         string? nonce = null)
     {
         var sdJwtDoc = credential.ToSdJwtDoc();
-        var disclosures = new List<Disclosure>();
-        foreach (var disclosure in sdJwtDoc.Disclosures)
-        {
-            if (disclosedClaimPaths.Any(disclosedClaim => disclosedClaim.StartsWith(disclosure.Path ?? string.Empty)))
-            {
-                disclosures.Add(disclosure);
-            }
-        }
+
+        var requiredPaths = CollectRequiredDisclosurePaths(sdJwtDoc.UnsecuredPayload, disclosedClaimPaths);
+
+        var disclosures = sdJwtDoc
+            .Disclosures
+            .Where(disclosure => !string.IsNullOrEmpty(disclosure.Path) && requiredPaths.Contains(disclosure.Path!))
+            .ToArray();
 
         var presentationFormat =
-            holder.CreatePresentationFormat(credential.EncodedIssuerSignedJwt, disclosures.ToArray());
+            holder.CreatePresentationFormat(credential.EncodedIssuerSignedJwt, disclosures);
 
         if (credential.KeyId.IsSome
             && !string.IsNullOrEmpty(nonce)
@@ -49,4 +51,36 @@ public async Task<string> CreatePresentation(
 
         return presentationFormat.Value;
     }
+
+    private static PathSet CollectRequiredDisclosurePaths(
+        JObject payload,
+        IEnumerable<ClaimPath> paths)
+    {
+        var result = new PathSet();
+
+        foreach (var path in paths)
+        {
+            path
+                .ProcessWith(payload)
+                .OnSuccess(selection =>
+                {
+                    foreach (var token in selection.GetValues())
+                    foreach (var ancestorPath in AncestorPaths(token))
+                        result.Add(ancestorPath);
+
+                    return Unit.Default;
+                });
+        }
+
+        return result;
+    }
+
+    private static IEnumerable<string> AncestorPaths(JToken token)
+    {
+        for (JToken? current = token; current is not null; current = current.Parent)
+        {
+            if (!string.IsNullOrEmpty(current.Path))
+                yield return current.Path;
+        }
+    }
 }

test/WalletFramework.Oid4Vci.Tests/CredConfiguration/ClaimMetadataTests.cs

@@ -0,0 +1,28 @@
+using FluentAssertions;
+using Newtonsoft.Json.Linq;
+using WalletFramework.Core.ClaimPaths;
+using WalletFramework.Core.Functional;
+using WalletFramework.Core.Json;
+using WalletFramework.Oid4Vci.CredConfiguration.Models;
+using Xunit;
+
+namespace WalletFramework.Oid4Vci.Tests.CredConfiguration;
+
+public class ClaimMetadataTests
+{
+    [Fact]
+    public void Claim_metadata_preserves_array_wildcard_paths()
+    {
+        var path = new JArray("credentialContent", "degreePrograms", JValue.CreateNull(), "name");
+        var json = new JObject { ["path"] = path };
+
+        var result = ClaimMetadata.ValidClaimMetadata(
+            json,
+            jt => jt.ToJArray().OnSuccess(ClaimPath.FromJArray));
+
+        result.IsSuccess.Should().BeTrue();
+
+        var roundTripped = result.UnwrapOrThrow().EncodeToJson()["path"]!;
+        JToken.DeepEquals(roundTripped, path).Should().BeTrue();
+    }
+}

test/WalletFramework.Oid4Vp.Tests/ClaimPaths/ClaimPathJsonCredentialTests.cs

@@ -1,4 +1,5 @@
 using FluentAssertions;
+using Newtonsoft.Json.Linq;
 using WalletFramework.Core.ClaimPaths;
 using WalletFramework.Core.ClaimPaths.Errors;
 using WalletFramework.Core.Functional;
@@ -111,4 +112,58 @@ public void Processing_Unknown_Component_Results_In_Error()
             errors => errors.Should().ContainSingle(e => e is UnknownComponentError)
         );
     }
+
+    [Fact]
+    public void ClaimPathSelection_Selects_All_Array_Elements_With_Null()
+    {
+        var credential = JObject.Parse(
+            """
+            {
+              "degrees": [
+                { "type": "Bachelor of Science", "university": "U1" },
+                { "type": "Master of Science",   "university": "U2" }
+              ]
+            }
+            """);
+
+        var path = ClaimPath.FromJArray(new JArray("degrees", JValue.CreateNull(), "type")).UnwrapOrThrow();
+
+        path.ProcessWith(credential).Match(
+            selection => selection
+                .GetValues()
+                .Select(t => t.ToString())
+                .Should()
+                .BeEquivalentTo(new[] { "Bachelor of Science", "Master of Science" }),
+            _ => Assert.Fail("ClaimPathSelection validation failed"));
+    }
+
+    [Fact]
+    public void ClaimPathSelection_Selects_By_Integer_Index()
+    {
+        var credential = JObject.Parse(
+            """
+            { "nationalities": ["British", "Betelgeusian"] }
+            """);
+
+        var path = ClaimPath.FromJArray(new JArray("nationalities", 1)).UnwrapOrThrow();
+
+        path.ProcessWith(credential).Match(
+            selection => selection
+                .GetValues()
+                .Select(t => t.ToString())
+                .Should()
+                .BeEquivalentTo(new[] { "Betelgeusian" }),
+            _ => Assert.Fail("ClaimPathSelection validation failed"));
+    }
+
+    [Fact]
+    public void ClaimPathSelection_Errors_When_Component_Targets_NonArray()
+    {
+        var credential = JObject.Parse("""{ "name": "Arthur" }""");
+        var path = ClaimPath.FromJArray(new JArray("name", JValue.CreateNull())).UnwrapOrThrow();
+
+        path.ProcessWith(credential).Match(
+            _ => Assert.Fail("Expected error, got selection"),
+            errors => errors.Should().ContainSingle(e => e is SelectedElementIsNotAnArrayError));
+    }
 }