[INJIVER-1369] Enforce CWT tag (61) and unwrap before COSE signature verification #221

Merged
mayuradesh merged 2 commits into inji:develop from tw-mosip:injiver-1369-cwt
Jan 19, 2026

@jaswanthkumartw jaswanthkumartw commented Jan 19, 2026

Summary by CodeRabbit

  • Bug Fixes

    • Strengthened credential format validation to ensure properly tagged and unwrapped credentials are rejected if invalid.
  • Refactor

    • Verification flow updated to explicitly unwrap and re-encode credentials for consistent validation and claim extraction.
  • Chores

    • Added a public utility to convert decoded credential objects to byte form (duplicated insertion noted).
    • Test fixtures adjusted (minor hex prefix changes); publication version updated.

Signed-off-by: jaswanthkumarpolisetty <jaswanthkumar.p@thoughtworks.com>

coderabbitai bot commented Jan 19, 2026

Walkthrough

Adds CWT (COSE Web Token) tag 61 validation/unwrapping in the verifier, introduces a utility to encode CBOR COSE objects to bytes, updates test CWT hex fixtures with the COSE tag prefix, and bumps artifact version numbers.

Changes

| Cohort / File(s) | Summary |
|---|---|
| CWT Validation Logic: vc-verifier/kotlin/vcverifier/src/main/java/io/mosip/vercred/vcverifier/credentialverifier/verifier/CwtVerifier.kt | Added requireAndUnwrapCwt(CBORObject) to enforce CBOR tag 61 and unwrap; refactored verify() to decode CBOR, unwrap CWT, re-encode COSE bytes via utility, and proceed with existing verification flow. |
| COSE Encoding Utility: vc-verifier/kotlin/vcverifier/src/main/java/io/mosip/vercred/vcverifier/utils/Util.kt | Added fun toCoseBytes(coseObj: CBORObject): ByteArray to encode CBOR objects to bytes. ⚠️ Duplicate insertion of the same function appears in the file. |
| Test Fixtures: vc-verifier/kotlin/vcverifier/src/test/resources/cwt_vc/valid-ec-cwt.hex, vc-verifier/kotlin/vcverifier/src/test/resources/cwt_vc/invalid-ec-cwt.hex | Inserted COSE tag 61 hex prefix (d83d) at start of both test fixture files to reflect tagged CWTs. |
| Publishing Configuration: vc-verifier/kotlin/vcverifier/publish-artifact.gradle | Bumped publication versions from 1.7.0-RC2 to 1.7.0-RC3 for AAR/JAR publications. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • mayuradesh
  • swatigoel

Poem

🐰 I hopped in code to find a tag,
Sixty-one snug as a tiny flag,
Unwrap the CBOR, bytes take flight,
Verify the token, snug and right,
A carrot for tests passing bright 🥕✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately reflects the main objective: enforcing CWT tag 61 validation and unwrapping before COSE signature verification, which aligns with the core changes in CwtVerifier.kt. |

Signed-off-by: jaswanthkumarpolisetty <jaswanthkumar.p@thoughtworks.com>
@mayuradesh mayuradesh merged commit df22eb8 into inji:develop Jan 19, 2026
4 checks passed
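
The tag-61 check summarized in this thread, shown at the CBOR byte level as an added example (it is not code from the PR or the project, which is Kotlin). The function names other than the one borrowed from the walkthrough, the sample token, and the strictness choices (shortest-form tag only, no indefinite-length heads, inner tag limited to COSE_Sign1) are assumptions of this example.

```python
CWT_TAG = 61         # CBOR tag for CWT (the tag number the PR title names)
COSE_SIGN1_TAG = 18  # CBOR tag for COSE_Sign1, optional inside the CWT tag

class CwtFormatError(ValueError):
    """Token is not a tag-61 CWT wrapping a COSE_Sign1 structure."""

def read_head(buf, pos):
    """Decode one CBOR head at pos: (major type, argument, next position)."""
    if pos >= len(buf):
        raise CwtFormatError("truncated CBOR item")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:                      # argument lives in the initial byte
        return major, info, pos
    if info > 27:                      # reserved (28-30) or indefinite (31)
        raise CwtFormatError("reserved or indefinite-length head")
    size = 1 << (info - 24)            # 1, 2, 4 or 8 argument bytes follow
    if pos + size > len(buf):
        raise CwtFormatError("truncated CBOR argument")
    return major, int.from_bytes(buf[pos:pos + size], "big"), pos + size

def require_and_unwrap_cwt(token):
    """Return the bytes wrapped by the outer tag 61, or raise CwtFormatError."""
    major, arg, pos = read_head(token, 0)
    if major != 6 or arg != CWT_TAG:
        raise CwtFormatError("outer CBOR tag 61 (CWT) is required")
    if token[:pos] != b"\xd8\x3d":     # example policy: shortest form only
        raise CwtFormatError("tag 61 is not in its shortest encoding")
    inner = token[pos:]
    major, arg, nxt = read_head(inner, 0)
    if major == 6:                     # a second tag must be COSE_Sign1
        if arg != COSE_SIGN1_TAG:
            raise CwtFormatError(f"unexpected inner tag {arg}")
        major, arg, nxt = read_head(inner, nxt)
    if major != 4 or arg != 4:         # COSE_Sign1 is a 4-element array
        raise CwtFormatError("expected a 4-element COSE_Sign1 array")
    return inner                       # these bytes go to COSE verification

def accepts(token):
    """True when the token passes the tag-61 format check."""
    try:
        require_and_unwrap_cwt(token)
        return True
    except CwtFormatError:
        return False

# Constructed sample: [protected, unprotected, payload, placeholder signature]
SIGN1 = bytes.fromhex("8443a10126a044a101617844deadbeef")
```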