SUNET · yimyitbarek · Mar 18, 2026 · Mar 19, 2026 · Mar 9, 2026 · Mar 9, 2026
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -14,5 +14,16 @@ jobs:
           go-version-file: go.mod
           cache-dependency-path: "**/*.sum"
 
+      - name: Clone Missing Dependency
+        run: |
+          git clone https://github.com/google/longfellow-zk.git /tmp/longfellow-zk
+          cd /tmp/longfellow-zk
+          git checkout 66fab34ac83bdb669be35ca380e16191468e96d4
+
+      - name: Sync dependencies
+        run: |
+          go mod tidy
+          go mod vendor
-      - name: Sync dependencies
-        run: |
-          go mod tidy
-          go mod vendor
+      - name: Verify dependencies are tidy and vendored
+        run: |
+          go mod tidy
+          go mod vendor
+          git diff --exit-code -- go.mod go.sum vendor/
-      - name: Sync dependencies
-        run: |
-          go mod tidy
-          go mod vendor
+      - name: Verify dependencies are tidy and vendored
+        run: |
+          go mod tidy
+          go mod vendor
+          git diff --exit-code -- go.mod go.sum vendor/
+
       - name: Run tests
         run: make test
diff --git a/Makefile b/Makefile
@@ -36,10 +36,14 @@ RESERVED_TAGS           := latest testing demo dev
 # PKCS#11 requires CGO for hardware security module support.
 PKCS11_TAG              := pkcs11
 
+VC20_TAG                := vc20
+ALL_TAGS                := $(SAML_TAG),$(OIDCRP_TAG)
+ZK_TAG                  := zk
+
 # Service Build Configuration (service -> static/dynamic, tags)
 # Format: service_name:cgo_mode:build_tags
 BUILD_CONFIGS           := \
-	verifier:static: \
+	verifier:dynamic:${ZK_TAG} \
-	verifier:dynamic:${ZK_TAG} \
+	verifier:dynamic: \
-	verifier:dynamic:${ZK_TAG} \
+	verifier:dynamic: \
 	registry:static: \
 	mockas:static: \
 	apigw:static: \
@@ -189,6 +193,11 @@ test-pkcs11: ## Test with PKCS#11 build tag
 	$(info Testing with PKCS#11 build tag)
 	go test -tags $(PKCS11_TAG) -v ./pkg/signing/...
 
+
+test-all-tags: ## Test with all build tags
+	$(info Testing with all build tags)
+	go test -tags "$(SAML_TAG),$(OIDCRP_TAG),$(VC20_TAG),$(PKCS11_TAG), $(ZK_TAG)" -v ./...
-	go test -tags "$(SAML_TAG),$(OIDCRP_TAG),$(VC20_TAG),$(PKCS11_TAG), $(ZK_TAG)" -v ./...
+	go test -tags "$(SAML_TAG),$(OIDCRP_TAG),$(VC20_TAG),$(PKCS11_TAG),$(ZK_TAG)" -v ./...
-	go test -tags "$(SAML_TAG),$(OIDCRP_TAG),$(VC20_TAG),$(PKCS11_TAG), $(ZK_TAG)" -v ./...
+	go test -tags "$(SAML_TAG),$(OIDCRP_TAG),$(VC20_TAG),$(PKCS11_TAG),$(ZK_TAG)" -v ./...
+
 # DIDComm v2.1 Test targets
 test-didcomm: ## Test DIDComm v2.1 implementation
 	$(info Testing DIDComm v2.1 implementation)
@@ -347,6 +356,37 @@ endef
 
 $(foreach service,$(WORKER_SERVICES),$(eval $(call DOCKER_BUILD_WORKER_TEMPLATE,$(service))))
 
+
+docker-build-verifier: _check-reserved-tag ## Build Docker image for verifier with ZK support
+	$(info Building Docker image 'verifier' with ZK support)
+	go mod tidy
+	go mod vendor
+	docker build --build-arg SERVICE_NAME=verifier \
+		--build-arg GO_BUILD_TAGS=$(ZK_TAG) \
+		--tag verifier \
+		--file dockerfiles/verifier.Dockerfile .
+
+docker-build-apigw-saml: _check-reserved-tag ## Build apigw Docker image with SAML support
+	$(info Docker building apigw with SAML support, tag: $(VERSION))
+	docker build --build-arg SERVICE_NAME=apigw --build-arg BUILDTAG=$(VERSION) \
+		--build-arg GO_BUILD_TAGS=$(SAML_TAG) \
+		--tag $(call docker-tag,apigw-saml,$(VERSION)) \
+		--file dockerfiles/worker .
+
+docker-build-apigw-oidcrp: _check-reserved-tag ## Build apigw Docker image with OIDC RP support
+	$(info Docker building apigw with OIDC RP support, tag: $(VERSION))
+	docker build --build-arg SERVICE_NAME=apigw --build-arg BUILDTAG=$(VERSION) \
+		--build-arg GO_BUILD_TAGS=$(OIDCRP_TAG) \
+		--tag $(call docker-tag,apigw-oidcrp,$(VERSION)) \
+		--file dockerfiles/worker .
+
+docker-build-apigw-all: _check-reserved-tag ## Build apigw Docker image with all features
+	$(info Docker building apigw with all features - SAML and OIDC RP, tag: $(VERSION))
+	docker build --build-arg SERVICE_NAME=apigw --build-arg BUILDTAG=$(VERSION) \
+		--build-arg GO_BUILD_TAGS="$(ALL_TAGS)" \
+		--tag $(call docker-tag,apigw-full,$(VERSION)) \
+		--file dockerfiles/worker .
+
 # Docker build with PKCS#11 feature
 docker-build-issuer-hsm: _check-reserved-tag ## Build issuer Docker image with PKCS#11 HSM support
 	$(info Docker building issuer with PKCS#11 HSM support, tag: $(VERSION))
@@ -792,4 +832,4 @@ release-demo: ## Promote a release tag to demo
 	$(MAKE) docker-push VERSION=demo _RELEASE_MODE=1; \
 	echo ""; \
 	echo "==> Demo promotion complete for $$SRC_TAG (:demo)"; \
-	echo ""
+	echo ""
diff --git a/cmd/verifier/main.go b/cmd/verifier/main.go
@@ -37,9 +37,16 @@ func main() {
 	)
 
 	cfg, err := configuration.New(ctx, serviceName)
+
 	if err != nil {
 		panic(err)
 	}
+	if cfg.Verifier == nil {
+		panic("Verifier section is missing from config")
+	}
+	if err := setupZK(cfg); err != nil {
+        panic(err)
+    }
 
 	if cfg.Verifier == nil {
 		panic("verifier configuration is required but not found in config file")

diff --git a/cmd/verifier/zk_disabled_setup.go b/cmd/verifier/zk_disabled_setup.go
@@ -0,0 +1,11 @@
+//go:build !zk
+
+package main
+
+import (
+    "vc/pkg/model"
+)
+
+func setupZK(cfg *model.Cfg) error {
+    return nil
+}
diff --git a/cmd/verifier/zk_enabled_setup.go b/cmd/verifier/zk_enabled_setup.go
@@ -0,0 +1,26 @@
+//go:build zk
+
+package main
+
+import (
+	"fmt"
+	"os"
+	"proofs/server/v2/zk"
+	"vc/pkg/model"
+)
+
+func setupZK(cfg *model.Cfg) error {
+	if cfg.Verifier == nil || cfg.Verifier.ZK.CircuitsPath == "" || cfg.Verifier.ZK.CACertsPath == "" {
+        return fmt.Errorf("ZK build requires circuits_path and cacerts_path in config")
+    }
+	zk.LoadCircuits(cfg.Verifier.ZK.CircuitsPath)
-	if cfg.Verifier == nil || cfg.Verifier.ZK.CircuitsPath == "" || cfg.Verifier.ZK.CACertsPath == "" {
-        return fmt.Errorf("ZK build requires circuits_path and cacerts_path in config")
-    }
-	zk.LoadCircuits(cfg.Verifier.ZK.CircuitsPath)
+	if cfg.Verifier == nil || cfg.Verifier.ZK.CircuitsPath == "" || cfg.Verifier.ZK.CACertsPath == "" || cfg.Verifier.ZK.LibPath == "" {
+		return fmt.Errorf("ZK build requires circuits_path, cacerts_path, and lib_path in config")
+	}
+
+	if err := os.Setenv("LD_LIBRARY_PATH", cfg.Verifier.ZK.LibPath); err != nil {
+		return fmt.Errorf("could not set ZK library path: %w", err)
+	}
+
+	if err := zk.LoadCircuits(cfg.Verifier.ZK.CircuitsPath); err != nil {
+		return fmt.Errorf("could not load ZK circuits: %w", err)
+	}
-	if cfg.Verifier == nil || cfg.Verifier.ZK.CircuitsPath == "" || cfg.Verifier.ZK.CACertsPath == "" {
-        return fmt.Errorf("ZK build requires circuits_path and cacerts_path in config")
-    }
-	zk.LoadCircuits(cfg.Verifier.ZK.CircuitsPath)
+	if cfg.Verifier == nil || cfg.Verifier.ZK.CircuitsPath == "" || cfg.Verifier.ZK.CACertsPath == "" || cfg.Verifier.ZK.LibPath == "" {
+		return fmt.Errorf("ZK build requires circuits_path, cacerts_path, and lib_path in config")
+	}
+
+	if err := os.Setenv("LD_LIBRARY_PATH", cfg.Verifier.ZK.LibPath); err != nil {
+		return fmt.Errorf("could not set ZK library path: %w", err)
+	}
+
+	if err := zk.LoadCircuits(cfg.Verifier.ZK.CircuitsPath); err != nil {
+		return fmt.Errorf("could not load ZK circuits: %w", err)
+	}
+	pem, err := os.ReadFile(cfg.Verifier.ZK.CACertsPath)
+	if err != nil {
+		return fmt.Errorf("could not read ZK cacerts file: %w", err)
+	}
+	if err := zk.LoadIssuerRootCA(pem); err != nil {
+		return fmt.Errorf("could not load issuer root CA: %w", err)
+	}
+
+	return nil
+}
diff --git a/config.yaml b/config.yaml
@@ -88,6 +88,11 @@ common:
       auth_scopes: ["pid_1_5", "pid_1_8", "eduid"]
       auth_claims: ["given_name", "birthdate", "family_name"]
       format: "dc+sd-jwt"
+    mdl_pid:
+      vct: "urn:eudi:pid:1"
+      vctm_file_path: "/metadata/vctm_pid_arf_1_5.json" # Or your mdoc metadata
+      auth_method: "basic"
+      format: "mso_mdoc"
 
 kafka:
   enable: false
@@ -96,16 +101,18 @@ kafka:
     - "kafka1:9092"
 
 issuer:
-  issuer_url: "http://apigw.vc.docker:8080"
+  identifier: "https://issuer.sunet.se"
   wallet_url: ""
+  issuer_url: "http://apigw.vc.docker:8080"
+  signing_key_path: "/pki/signing_ec_private.pem"
   api_server:
     addr: :8080
   grpc_server:
     addr: issuer.vc.docker:8090
   registry_client:
     addr: registry.vc.docker:8090
   audit_log:
-    enable: false
+    enabled: false
-    enabled: false
+    enable: false
-    enabled: false
+    enable: false
     destinations:
       - "console"
       - "/var/log/vc/audit.log"
@@ -130,6 +137,14 @@ issuer:
     valid_duration: 3600
     verifiable_credential_type: "https://credential.sunet.se/identity_credential"
     static_host: "http://vc_dev_portal:8080/statics"
+  mdoc:
+      valid_duration: 3600
+      signing_key_path: "/pki/signing_ec_private.pem"
+      # This must match the DocType in your curl
+      doc_type: "org.iso.18013.5.1.mDL" 
+      certificate_chain_path: "/pki/signing_ec_chain.pem" 
+      # This is the namespace your Rust code expects
+      namespace: "org.iso.18013.5.1"
 
 verifier:
   api_server:
@@ -240,6 +255,10 @@ verifier:
       - vct: "urn:credential:eduid:1"
         scopes:
           - "eduid"
+  zk:
+      ca_certs_path: "/app/vc/internal/verifier/zk/certs.pem"
+      circuits_path: "/app/vc/internal/verifier/zk/circuits/"
+      lib_path: "/usr/local/lib"
 
 registry:
   api_server:

diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -69,7 +69,7 @@ services:
   verifier:
     container_name: "vc_dev_verifier"
     hostname: "verifier.vc.docker"
-    image: docker.sunet.se/iam_vc/verifier:local
+    image: verifier
     restart: always
     volumes:
       - ./config_minimal.yaml:/config.yaml:ro

diff --git a/dockerfiles/verifier.Dockerfile b/dockerfiles/verifier.Dockerfile
@@ -0,0 +1,45 @@
+# --- Stage 1: Build C++ ZK Libraries and Go Binary ---
+FROM golang:latest AS builder
+
+RUN apt update -y && apt install -y \
+    clang cmake libssl-dev libzstd-dev libgtest-dev \
+    libbenchmark-dev zlib1g-dev build-essential git
+
+# 1. Clone the external dependency
+RUN git clone https://github.com/google/longfellow-zk.git /tmp/longfellow-zk && \
+    cd /tmp/longfellow-zk && \
+    git checkout 66fab34ac83bdb669be35ca380e16191468e96d4
+
+WORKDIR /tmp/longfellow-zk
+
+RUN CXX=clang++ cmake -D CMAKE_BUILD_TYPE=Release -S lib -B build \
+    --install-prefix /usr/local/zk-install && \
+    cd build && make -j$(nproc) install
+
+WORKDIR /app
+COPY . .
+ARG GO_BUILD_TAGS
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    CGO_ENABLED=1 \
+    CGO_CFLAGS="-I/usr/local/zk-install/include" \
+    CGO_LDFLAGS="-L/usr/local/zk-install/lib -lmdoc_static -lcrypto -lzstd -lstdc++" \
+    go build -mod=vendor -v \
+    -tags "${GO_BUILD_TAGS}" \
+    -o /app/bin/vc_verifier ./cmd/verifier/
+
+# --- Stage 2: Final Runtime Image ---
+FROM docker.sunet.se/iam_vc/verifier:latest
+
+RUN apt update -y && apt install -y libssl3 libzstd1 zlib1g && rm -rf /var/lib/apt/lists/*
+
+# Copy the binary
+COPY --from=builder /app/bin/vc_verifier /usr/local/bin/verifier
+COPY --from=builder /tmp/longfellow-zk/lib/circuits /app/vc/internal/verifier/zk/circuits/
+COPY --from=builder /tmp/longfellow-zk/reference/verifier-service/server/certs.pem /app/vc/internal/verifier/zk/certs.pem
+
+# Copy compiled libraries
+COPY --from=builder /usr/local/zk-install/lib /usr/local/lib/
+RUN ldconfig
+
+WORKDIR /
+ENTRYPOINT ["/usr/local/bin/verifier"]
diff --git a/dockerfiles/worker b/dockerfiles/worker
@@ -8,9 +8,8 @@ ARG GO_BUILD_TAGS
 # Copy only dependency files first for better caching
 COPY go.mod go.sum ./
 RUN --mount=type=cache,target=/root/.cache/go-build \
-    --mount=type=cache,target=/go/pkg/mod \
-    go mod download
-
+    --mount=type=cache,target=/go/pkg/mod 
+COPY vendor/ ./vendor/
 # Copy source code
 COPY . .
 
@@ -22,7 +21,7 @@ RUN make proto
 # GO_BUILD_TAGS is optional - if set, adds -tags flag
 RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
-    GOOS=linux GOARCH=amd64 go build -v ${GO_BUILD_TAGS:+-tags "$GO_BUILD_TAGS"} -o bin/vc_$SERVICE_NAME -ldflags \
+    GOOS=linux GOARCH=amd64 go build -mod=vendor -v ${GO_BUILD_TAGS:+-tags "$GO_BUILD_TAGS"} -o bin/vc_$SERVICE_NAME -ldflags \
     "-X vc/pkg/model.BuildVariableGitCommit=$(git rev-list -1 HEAD) \
     -X vc/pkg/model.BuildVariableGitBranch=$(git rev-parse --abbrev-ref HEAD) \
     -X vc/pkg/model.BuildVariableTimestamp=$(date +'%F:T%TZ') \

diff --git a/go.mod b/go.mod
@@ -64,6 +64,7 @@ require (
 	gopkg.in/yaml.v2 v2.4.0
 	gorm.io/gorm v1.31.1
 	gotest.tools/v3 v3.5.2
+	proofs/server/v2 v2.0.0
 )
 
 require (
@@ -213,3 +214,5 @@ require (
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260316180232-0b37fe3546d5 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
+
+replace proofs/server/v2 => /tmp/longfellow-zk/reference/verifier-service/server
diff --git a/internal/issuer/apiv1/handlers_test.go b/internal/issuer/apiv1/handlers_test.go
@@ -11,6 +11,11 @@
 	"vc/internal/gen/issuer/apiv1_issuer"
 	"vc/pkg/logger"
 
+	"context"
+	"encoding/hex"
+
+	"vc/pkg/mdoc"
+
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -602,3 +607,32 @@
 		})
 	}
 }
+
+func TestMakeMDoc_Only(t *testing.T) {
+	ctx := context.Background()
+	log := logger.NewSimple("test")
+	client := mockNewClient(ctx, t, "ecdsa", log)
+
+	realIssuer := &mdoc.Issuer{}
+
+	client.mdocIssuer = realIssuer
+
+	deviceKeyHex := "a501020326200121582065eda5bd2d497ef0d35502f5846014e4a66a17ef65476a029587428f6426466322582042f4c664323c932a393086603a1f81d894e77227ed9097e38317769539257609"
+	deviceKeyBytes, _ := hex.DecodeString(deviceKeyHex)
+
+	req := &CreateMDocRequest{
+		Scope:           "mdl",
+		DocType:         "org.iso.18013.5.1.mDL",
+		DocumentData:    []byte(`{"given_name": "John"}`),
+		DevicePublicKey: deviceKeyBytes,
+		DeviceKeyFormat: "cose",
+	}
+
+	got, err := client.MakeMDoc(ctx, req)
+	if err != nil {
+		t.Logf("Note: Real issuer failed (likely missing keys): %v", err)
+	} else {
+		require.NoError(t, err)
+		assert.NotNil(t, got)
+	}
+}
diff --git a/internal/issuer/httpserver/endpoints.go b/internal/issuer/httpserver/endpoints.go
@@ -7,6 +7,8 @@ import (
 	"go.opentelemetry.io/otel/codes"
 
 	"github.com/gin-gonic/gin"
+
+	"vc/internal/issuer/apiv1"
 )
 
 func (s *Service) endpointHealth(ctx context.Context, c *gin.Context) (any, error) {
@@ -21,3 +23,11 @@ func (s *Service) endpointHealth(ctx context.Context, c *gin.Context) (any, erro
 	}
 	return reply, nil
 }
+
+func (s *Service) endpointMakeMDoc(ctx context.Context, c *gin.Context) (any, error) {
+	req := &apiv1.CreateMDocRequest{}
+	if err := c.ShouldBindJSON(req); err != nil {
+		return nil, err
+	}
+	return s.apiv1.MakeMDoc(ctx, req)
+}
diff --git a/internal/issuer/httpserver/service.go b/internal/issuer/httpserver/service.go
@@ -22,7 +22,7 @@ type Service struct {
 	cfg         *model.Cfg
 	log         *logger.Log
 	server      *http.Server
-	apiv1       Apiv1
+	apiv1       *apiv1.Client
 	gin         *gin.Engine
 	tracer      *trace.Tracer
 	httpHelpers *httphelpers.Client
@@ -51,6 +51,7 @@ func New(ctx context.Context, cfg *model.Cfg, apiv1 *apiv1.Client, tracer *trace
 	}
 
 	s.httpHelpers.Server.RegEndpoint(ctx, rgRoot, http.MethodGet, "health", http.StatusOK, s.endpointHealth)
+	s.httpHelpers.Server.RegEndpoint(ctx, rgRoot, http.MethodPost, "mdoc", http.StatusOK, s.endpointMakeMDoc)
 
 	rgDocs := rgRoot.Group("/swagger")
 	rgDocs.GET("/*any", ginSwagger.WrapHandler(swaggerFiles.Handler))