feat: enhance VpToken validation #121

Open: nanderstabel wants to merge 5 commits into dev from feat/vp-token-validator

Conversation

nanderstabel (Collaborator) commented Mar 12, 2026

Description of change

This PR implementation introduces a comprehensive validation flow for OID4VP Verifiable Presentations using DCQL (Digital Credential Query Language), along with necessary infrastructure updates and dependency improvements.

  • Implement VpTokenValidator: Ideally suited for OID4VP Authorization Responses, this new validator handles:
    • Structural validation of the vp_token against a DcqlQuery.
    • Cryptographic verification of jwt_vc_json, dc+sd-jwt, and vc+sd-jwt presentation formats.
    • Resolution of holder binding (key binding) and audience/nonce checks.
    • Semantic evaluation of claims using the DCQL logic (credential sets, claim selection).
  • Deprecate Legacy Validation: Marked RelyingParty::validate_response as deprecated for OID4VP flows, steering users towards the new VpTokenValidator.
  • Refactor Error Handling: The validator crate was not functionally used, only its Error types were utilized, so I have replaced it with custom thiserror types (DcqlQueryError, MetaError, VpTokenBuilderError, DcqlClaimsError) for more granular and idiomatic error reporting across DCQL and token parsing modules.
  • Infrastructure & Types:
    • Added VerificationMaterialResolver trait for abstracting DID/Key resolution.
    • Added SignatureVerifier implementation using identity_verification.
    • Introduced StringOrObject utility and Presentations newtype for flexible JSON handling.
  • Dependency Updates: Updated Cargo.toml to include necessary identity-* crates. (the patch changes can be seen here: https://github.com/iotaledger/identity/compare/v1.9.1-beta.1...impierce:identity.rs:fix/issues?expand=1)

Breaking change

  • Usage of RelyingPartyManager::validate_response for OID4VP Authorization Responses has been deprecated. Use VpTokenValidator instead.
  • fn evaluate_dcql_query and fn evaluate_credential_query arguments have been changed to use strong typing.

Links to any relevant issues

n/a

How the change has been tested

  • added several unit tests for VpTokenValidator
  • added tests for StringOrObject
  • The updates in this code are utilized here and here

Definition of Done checklist

Add an x to the boxes that are relevant to your changes.

  • I have followed the contribution guidelines for this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
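
The audience, nonce and holder-binding checks named in the description above, shown as an added example that is not code from this PR. The types, field names and sample values are simplified assumptions, and signature verification is assumed to have happened already.

```rust
// Added illustration: simplified stand-in types, not the oid4vc crates' API.
// Claims are assumed to come from a proof whose signature was already verified.

#[derive(Debug, PartialEq)]
pub enum BindingError {
    AudienceMismatch,
    NonceMismatch,
    HolderKeyMismatch,
}

/// What the verifier stored when it sent the Authorization Request.
pub struct RequestContext<'a> {
    pub client_id: &'a str,
    pub nonce: &'a str,
}

/// Fields from the presentation proof (VP JWT or SD-JWT key-binding JWT).
pub struct ProofClaims<'a> {
    pub aud: &'a str,
    pub nonce: &'a str,
    /// Thumbprint of the key that signed the proof.
    pub signer_thumbprint: &'a str,
    /// Thumbprint of the holder key bound into the credential (e.g. via `cnf`).
    pub bound_thumbprint: &'a str,
}

pub fn check_binding(ctx: &RequestContext, p: &ProofClaims) -> Result<(), BindingError> {
    // Audience: the proof must be addressed to this verifier, not another one.
    if p.aud != ctx.client_id {
        return Err(BindingError::AudienceMismatch);
    }
    // Nonce: ties the proof to this request, so an earlier response is rejected.
    if p.nonce != ctx.nonce {
        return Err(BindingError::NonceMismatch);
    }
    // Holder binding: the proof signer must be the key named in the credential.
    if p.signer_thumbprint != p.bound_thumbprint {
        return Err(BindingError::HolderKeyMismatch);
    }
    Ok(())
}

fn main() {
    // Constructed sample values.
    let ctx = RequestContext { client_id: "https://verifier.example", nonce: "n-1f3a" };
    let replayed = ProofClaims { aud: "https://verifier.example", nonce: "n-0000",
        signer_thumbprint: "tp-holder", bound_thumbprint: "tp-holder" };
    println!("{:?}", check_binding(&ctx, &replayed)); // Err(NonceMismatch)
}
```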

nanderstabel self-assigned this Mar 12, 2026
nanderstabel added the labels Added (a new feature that requires a minor release), Breaking change (a change to the API that requires a major release) and Enhancement (new feature or improvement to an existing feature) Mar 12, 2026
nanderstabel requested a review from Copilot March 12, 2026 00:29
nanderstabel changed the title from "feat: validate VpToken" to "feat: enhance VpToken validation" Mar 12, 2026

codecov-commenter commented Mar 12, 2026

Codecov Report

❌ Patch coverage is 93.93939% with 56 lines in your changes missing coverage. Please review.

Files with missing lines | Patch % | Lines
oid4vp/src/token/vp_token_validator.rs | 97.09% | 19 Missing ⚠️
oid4vp/src/dcql_evaluation.rs | 83.95% | 13 Missing ⚠️
oid4vc-core/src/types/string_or_object.rs | 73.52% | 9 Missing ⚠️
oid4vp/src/dcql/meta.rs | 45.45% | 6 Missing ⚠️
oid4vp/src/dcql/dcql_query.rs | 88.23% | 4 Missing ⚠️
oid4vc-core/src/verifier.rs | 66.66% | 2 Missing ⚠️
oid4vp/src/dcql/claims.rs | 87.50% | 2 Missing ⚠️
oid4vp/src/token/vp_token_builder.rs | 98.57% | 1 Missing ⚠️

Files with missing lines | Coverage Δ
oid4vc-core/src/claim_path_pointer.rs | 95.89% <ø> (+1.36%) ⬆️
oid4vc-core/src/jwt.rs | 96.05% <100.00%> (ø)
oid4vc-core/src/lib.rs | 74.07% <ø> (ø)
oid4vc-core/src/verification_material_resolver.rs | 100.00% <100.00%> (ø)
oid4vc-manager/src/managers/relying_party.rs | 90.00% <ø> (ø)
oid4vc-manager/src/methods/key_method.rs | 89.87% <100.00%> (-0.26%) ⬇️
oid4vp/src/oid4vp.rs | 73.25% <ø> (+4.26%) ⬆️
oid4vp/src/token/verifiable_presentation_jwt.rs | 100.00% <100.00%> (ø)
...p/src/token/verifiable_presentation_jwt_builder.rs | 100.00% <100.00%> (ø)
oid4vp/src/token/vp_token.rs | 100.00% <ø> (+100.00%) ⬆️
... and 9 more

Copilot AI left a comment

Pull request overview

Adds a dedicated VP Token validation path for OID4VP, shifting away from the generic “decode authorization response” flow and introducing shared primitives for signature verification and verification-material resolution.

Changes:

  • Introduces VpTokenValidator to validate VpToken contents (JWT VC JSON, dc+sd-jwt, vc+sd-jwt), including signature checks and DCQL evaluation.
  • Refactors VP token building/structural validation (VpTokenBuilder + validate_presentation_submission) and replaces validator-based DCQL validation with thiserror-based error types.
  • Adds core verification utilities (VerificationMaterialResolver, SignatureVerifier) and updates tests/usages accordingly.

Reviewed changes

Copilot reviewed 27 out of 27 changed files in this pull request and generated 9 comments.

File | Description
siopv2/src/relying_party.rs | Deprecates validate_response to steer OID4VP users to VpTokenValidator.
oid4vp/src/token/vp_token_validator.rs | New VP token validator implementation + tests.
oid4vp/src/token/vp_token_builder.rs | Builder now uses Presentations and a custom error type; structural submission validation extracted.
oid4vp/src/token/vp_token.rs | Replaces PresentationFormat with Presentations(Vec<StringOrObject>).
oid4vp/src/token/verifiable_presentation_jwt*.rs | Makes VP JWT wrapper generic over credential type.
oid4vp/src/oid4vp.rs | Removes OID4VP decode_authorization_response implementation and old decoded VP token type.
oid4vp/src/dcql_evaluation.rs | Evaluates DCQL against DecodedVpToken instead of raw JSON map.
oid4vp/src/dcql/{dcql_query.rs,claims.rs,meta.rs} | Moves validation to explicit validate_all() with custom errors; adds vc+sd-jwt format.
oid4vc-core/src/{verifier.rs,verification_material_resolver.rs,types/string_or_object.rs} | Adds signature verifier, verification material resolver trait (+ test impl), and StringOrObject.
oid4vc-core/src/jwt.rs | Exposes base64_url_encode publicly.
oid4vc-manager/tests/* | Updates tests to use new validator and deprecated paths where needed.
Cargo.toml / crate Cargo.toml files | Adds identity-related deps and workspace patches; removes validator usage.
Comments suppressed due to low confidence (1)

oid4vp/src/oid4vp.rs:49

  • OID4VP sets ResponseHandle::ResponseItem = DecodedVpToken, but this Extension implementation no longer overrides decode_authorization_response. Callers using the generic RelyingParty::validate_response path will now hit the default implementation and get a runtime "Not implemented" error. Consider reintroducing decode_authorization_response (possibly delegating to VpTokenValidator), or changing ResponseItem / API so decoding is not expected via the Extension trait.
impl ResponseHandle for ResponseHandler {
    type Input = VpToken;
    type Parameters = AuthorizationResponseParameters;
    type ResponseItem = DecodedVpToken;
}

/// This is the [`Extension`] implementation for the [`OID4VP`] extension.
#[derive(Serialize, Deserialize, Debug, PartialEq, Clone)]
pub struct OID4VP;
impl OpenID4VC for OID4VP {}
impl Extension for OID4VP {
    type RequestHandle = RequestHandler;
    type ResponseHandle = ResponseHandler;



Copilot AI left a comment

Pull request overview

Copilot reviewed 27 out of 27 changed files in this pull request and generated 6 comments.


nanderstabel marked this pull request as ready for review March 12, 2026 08:57
nanderstabel requested review from Copilot and coplat March 12, 2026 08:57
Copilot AI left a comment

Pull request overview

Copilot reviewed 27 out of 27 changed files in this pull request and generated 1 comment.

