a-sit-plus · opsiv · Dec 15, 2025 · Dec 15, 2025 · Dec 19, 2025 · Dec 29, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,8 @@
 Release 5.11.0 (unreleased):
  - Add `VerifyStatusListTokenHAIP` and related resolver/tests to enforce HAIP d04
  - Add `IdentifierList` and `IdentifierListInfo` and related classes
+ - Add data classes and serializers for ISO-18013-5 2nd edition
+ - Add `ZkSystemParamRegistry` to enable Zero-Knowledge backends to register serializers for their custom parameters
  - OpenID for Verifiable Credential Issuance:
    - In `SimpleAuthorizationService` add parameter `configurationIds` to method `credentialOfferWithAuthorizationCode`
    - Support different supported credential formats having the same scope value (as this is covered by the spec)

diff --git a/openid-data-classes/src/commonMain/kotlin/at/asitplus/iso/DeviceResponse.kt b/openid-data-classes/src/commonMain/kotlin/at/asitplus/iso/DeviceResponse.kt
@@ -12,6 +12,8 @@ data class DeviceResponse(
     val version: String,
     @SerialName("documents")
     val documents: Array<Document>? = null,
+    @SerialName("zkDocuments")
+    val zkDocuments: Array<ZkDocument>? = null,
     @SerialName("documentErrors")
     val documentErrors: Array<Pair<String, UInt>>? = null,
     @SerialName("status")
@@ -29,6 +31,10 @@ data class DeviceResponse(
             if (other.documents == null) return false
             if (!documents.contentEquals(other.documents)) return false
         } else if (other.documents != null) return false
+        if (zkDocuments != null) {
+            if (other.zkDocuments == null) return false
+            if (!zkDocuments.contentEquals(other.zkDocuments)) return false
+        } else if (other.zkDocuments != null) return false
         if (documentErrors != null) {
             if (other.documentErrors == null) return false
             if (!documentErrors.contentEquals(other.documentErrors)) return false
@@ -39,6 +45,7 @@ data class DeviceResponse(
     override fun hashCode(): Int {
         var result = version.hashCode()
         result = 31 * result + (documents?.contentHashCode() ?: 0)
+        result = 31 * result + (zkDocuments?.contentHashCode() ?: 0)
         result = 31 * result + (documentErrors?.contentHashCode() ?: 0)
         result = 31 * result + status.hashCode()
         return result

diff --git a/openid-data-classes/src/commonMain/kotlin/at/asitplus/iso/DocRequestInfo.kt b/openid-data-classes/src/commonMain/kotlin/at/asitplus/iso/DocRequestInfo.kt
@@ -0,0 +1,51 @@
+package at.asitplus.iso
+
+import kotlinx.serialization.SerialName
+import kotlinx.serialization.Serializable
+import kotlinx.serialization.cbor.ByteString
+
+@Serializable
+data class DocRequestInfo(
+    @SerialName("issuerIdentifiers")
+    @ByteString
+    val issuerIdentifiers: List<ByteArray>? = null,
+    @SerialName("uniqueDocSetRequired")
+    val uniqueDocSetRequired: Boolean? = null,
+    @SerialName("maximumResponseSize")
+    val maximumResponseSize: UInt? = null,
+    @SerialName("zkRequest")
+    val zkRequest: ZkRequest? = null,
+    @SerialName("docResponseEncryption")
+    val docResponseEncryption: EncryptionParameters? = null,
+    // TODO: Implement alternativeDataElements
+) {
+    override fun equals(other: Any?): Boolean {
+        if (this === other) return true
+        if (other == null || this::class != other::class) return false
+
+        other as DocRequestInfo
+
+        if (uniqueDocSetRequired != other.uniqueDocSetRequired) return false
+        if (issuerIdentifiers != null && other.issuerIdentifiers != null) {
+            if (issuerIdentifiers.size != other.issuerIdentifiers.size) return false
+            if (!issuerIdentifiers.zip(other.issuerIdentifiers).all {
+                (a, b) -> a.contentEquals(b)
+            }) return false
+        } else if (issuerIdentifiers != other.issuerIdentifiers) return false
+
+        if (maximumResponseSize != other.maximumResponseSize) return false
+        if (zkRequest != other.zkRequest) return false
+        if (docResponseEncryption != other.docResponseEncryption) return false
+
+        return true
+    }
+
+    override fun hashCode(): Int {
+        var result = uniqueDocSetRequired?.hashCode() ?: 0
+        result = 31 * result + (issuerIdentifiers?.fold(1) { acc, arr -> 31 * acc + arr.contentHashCode() } ?: 0)
+        result = 31 * result + (maximumResponseSize?.hashCode() ?: 0)
+        result = 31 * result + (zkRequest?.hashCode() ?: 0)
+        result = 31 * result + (docResponseEncryption?.hashCode() ?: 0)
+        return result
+    }
+}
diff --git a/openid-data-classes/src/commonMain/kotlin/at/asitplus/iso/IssuerSignedItem.kt b/openid-data-classes/src/commonMain/kotlin/at/asitplus/iso/IssuerSignedItem.kt
@@ -17,10 +17,10 @@ data class IssuerSignedItem(
     @ByteString
     val random: ByteArray,
     @SerialName(PROP_ELEMENT_ID)
-    val elementIdentifier: String,
+    override val elementIdentifier: String,
     @SerialName(PROP_ELEMENT_VALUE)
-    val elementValue: Any,
-) {
+    override val elementValue: Any,
+) : Item {
 
     override fun equals(other: Any?): Boolean {
         if (this === other) return true

diff --git a/openid-data-classes/src/commonMain/kotlin/at/asitplus/iso/Item.kt b/openid-data-classes/src/commonMain/kotlin/at/asitplus/iso/Item.kt
@@ -0,0 +1,6 @@
+package at.asitplus.iso
+
+interface Item {
+    val elementIdentifier: String
+    val elementValue: Any
+}
diff --git a/openid-data-classes/src/commonMain/kotlin/at/asitplus/iso/ItemsRequest.kt b/openid-data-classes/src/commonMain/kotlin/at/asitplus/iso/ItemsRequest.kt
@@ -13,5 +13,5 @@ data class ItemsRequest(
     @SerialName("nameSpaces")
     val namespaces: Map<String, ItemsRequestList>,
     @SerialName("requestInfo")
-    val requestInfo: Map<String, String>? = null,
+    val requestInfo: DocRequestInfo? = null,
 )
diff --git a/...id-data-classes/src/commonMain/kotlin/at/asitplus/iso/NamespacedZkSignedListSerializer.kt b/...id-data-classes/src/commonMain/kotlin/at/asitplus/iso/NamespacedZkSignedListSerializer.kt
@@ -0,0 +1,50 @@
+package at.asitplus.iso
+
+import kotlinx.serialization.KSerializer
+import kotlinx.serialization.builtins.MapSerializer
+import kotlinx.serialization.builtins.serializer
+import kotlinx.serialization.descriptors.PrimitiveKind
+import kotlinx.serialization.descriptors.PrimitiveSerialDescriptor
+import kotlinx.serialization.encoding.Decoder
+import kotlinx.serialization.encoding.Encoder
+
+object NamespacedZkSignedListSerializer : KSerializer<Map<String, ZkSignedList>> {
+    private val mapSerializer = MapSerializer(String.serializer(), object :
+        ZkSignedListSerializer("") {})
+
+    override val descriptor = mapSerializer.descriptor
+    override fun deserialize(decoder: Decoder): Map<String, ZkSignedList> = NamespacedMapEntryDeserializer().let {
+        MapSerializer(it.namespaceSerializer, it.itemSerializer).deserialize(decoder)
+    }
+
+    class NamespacedMapEntryDeserializer {
+        lateinit var key: String
+        val namespaceSerializer = NamespaceSerializer()
+        val itemSerializer = ZkSignedListSerializer()
+
+        inner class NamespaceSerializer internal constructor() : KSerializer<String> {
+            override val descriptor = PrimitiveSerialDescriptor("ISO namespace", PrimitiveKind.STRING)
+
+            override fun deserialize(decoder: Decoder): String = decoder.decodeString().apply { key = this }
+
+            override fun serialize(encoder: Encoder, value: String) {
+                encoder.encodeString(value).also { key = value }
+            }
+        }
+
+        inner class ZkSignedListSerializer internal constructor() : KSerializer<ZkSignedList> {
+            override val descriptor = mapSerializer.descriptor
+
+            override fun deserialize(decoder: Decoder): ZkSignedList =
+                decoder.decodeSerializableValue(ZkSignedListSerializer(key))
+
+            override fun serialize(encoder: Encoder, value: ZkSignedList) =
+                encoder.encodeSerializableValue(ZkSignedListSerializer(key), value)
+        }
+    }
+
+    override fun serialize(encoder: Encoder, value: Map<String, ZkSignedList>) =
+        NamespacedMapEntryDeserializer().let {
+            MapSerializer(it.namespaceSerializer, it.itemSerializer).serialize(encoder, value)
+        }
+}
diff --git a/openid-data-classes/src/commonMain/kotlin/at/asitplus/iso/ZkDocument.kt b/openid-data-classes/src/commonMain/kotlin/at/asitplus/iso/ZkDocument.kt
@@ -0,0 +1,36 @@
+package at.asitplus.iso
+
+import at.asitplus.signum.indispensable.cosef.io.ByteStringWrapper
+import kotlinx.serialization.SerialName
+import kotlinx.serialization.Serializable
+import kotlinx.serialization.cbor.ByteString
+import kotlinx.serialization.cbor.ValueTags
+
+/**
+ * Part of the ISO/IEC 18013-5:2021 standard: Data structure for mdoc request in ZK (10.3.4)
+ */
+@Serializable
+data class ZkDocument (
+    @SerialName("zkDocumentDataBytes")
+    @ValueTags(24U)
+    val zkDocumentDataBytes: ByteStringWrapper<ZkDocumentData>,
+    @SerialName("proof")
+    @ByteString
+    val proof: ByteArray,
+) {
+    override fun equals(other: Any?): Boolean {
+        if (this === other) return true
+        if (other !is ZkDocument) return false
+
+        if (zkDocumentDataBytes != other.zkDocumentDataBytes) return false
+        if (!proof.contentEquals(other.proof)) return false
+
+        return true
+    }
+
+    override fun hashCode(): Int {
+        var result = zkDocumentDataBytes.hashCode()
+        result = 31 * result + proof.contentHashCode()
+        return result
+    }
+}
diff --git a/openid-data-classes/src/commonMain/kotlin/at/asitplus/iso/ZkDocumentData.kt b/openid-data-classes/src/commonMain/kotlin/at/asitplus/iso/ZkDocumentData.kt
@@ -0,0 +1,40 @@
+package at.asitplus.iso
+
+import kotlinx.serialization.Contextual
+import kotlinx.serialization.SerialName
+import kotlinx.serialization.Serializable
+import kotlinx.serialization.cbor.ByteString
+import kotlinx.serialization.cbor.CborLabel
+import kotlin.time.Instant
+
+@Serializable
+data class ZkDocumentData (
+    @SerialName("docType")
+    val docType: String,
+    @SerialName("zkSystemId")
+    val zkSystemId: String,
+    @SerialName("timestamp")
+    val timestamp: Instant,
+    @SerialName("issuerSigned")
+    @Serializable(with = NamespacedZkSignedListSerializer::class)
+    val issuerSigned: Map<String, @Contextual ZkSignedList>? = null,
+    @SerialName("deviceSigned")
+    @Serializable(with = NamespacedZkSignedListSerializer::class)
+    val deviceSigned: Map<String, @Contextual ZkSignedList>? = null,
+    /**
+     * This header parameter contains an ordered array of X.509 certificates. The certificates are to be ordered
+     * starting with the certificate containing the end-entity key followed by the certificate that signed it, and so
+     * on. There is no requirement for the entire chain to be present in the element if there is reason to believe that
+     * the relying party already has, or can locate, the missing certificates. This means that the relying party is
+     * still required to do path building but that a candidate path is proposed in this header parameter.
+     *
+     * This header parameter allows for a single X.509 certificate or a chain of X.509 certificates to be carried in
+     * the message.
+     *
+     * See [RFC9360](https://www.rfc-editor.org/rfc/rfc9360.html)
+     */
+    @CborLabel(33)
+    @SerialName("msoX5chain")
+    @ByteString
+    val certificateChain: List<ByteArray>? = null,
+)
diff --git a/openid-data-classes/src/commonMain/kotlin/at/asitplus/iso/ZkRequest.kt b/openid-data-classes/src/commonMain/kotlin/at/asitplus/iso/ZkRequest.kt
@@ -0,0 +1,21 @@
+package at.asitplus.iso
+
+import kotlinx.serialization.SerialName
+import kotlinx.serialization.Serializable
+
+@Serializable
+data class ZkRequest (
+    @SerialName("ZkRequired")
+    val zkRequired: Boolean,
+    @SerialName("systemSpecs")
+    val systemSpecs: List<ZkSystemSpec>,
+) {
+    fun validate() {
+        require(!zkRequired || systemSpecs.isNotEmpty()) {
+            "systemSpecs list cannot be empty if Zero-Knowledge is enforced"
+        }
+    }
+    companion object {
+        val Default = ZkRequest(false, emptyList())
+    }
+}
diff --git a/openid-data-classes/src/commonMain/kotlin/at/asitplus/iso/ZkSignedItem.kt b/openid-data-classes/src/commonMain/kotlin/at/asitplus/iso/ZkSignedItem.kt
@@ -0,0 +1,28 @@
+package at.asitplus.iso
+
+import at.asitplus.signum.indispensable.cosef.io.Base16Strict
+import io.matthewnelson.encoding.core.Encoder.Companion.encodeToString
+import kotlinx.serialization.SerialName
+
+
+data class ZkSignedItem(
+    @SerialName(PROP_ELEMENT_ID)
+    override val elementIdentifier: String,
+
+    @SerialName(PROP_ELEMENT_VALUE)
+    override val elementValue: Any,
+) : Item {
+    override fun toString(): String = "ZkSignedItem(elementIdentifier='$elementIdentifier'," +
+            " elementValue=${elementValue.toCustomString()})"
+
+    companion object {
+        internal const val PROP_ELEMENT_ID = "elementIdentifier"
+        internal const val PROP_ELEMENT_VALUE = "elementValue"
+    }
+}
+
+private fun Any.toCustomString(): String = when (this) {
+    is ByteArray -> this.encodeToString(Base16Strict)
+    is Array<*> -> this.contentDeepToString()
+    else -> this.toString()
+}