Contributing DCQL Null Matching to the EUDI Reference Wallet
On contributing code, for the first time, to the EU's official reference wallet ecosystem.
DCQL and Null Matching
For readers who don't work in digital identity, a very short primer. There's a query language that verifier services use to ask a wallet "show me this kind of credential, matching these conditions." It's called DCQL (Digital Credentials Query Language), and it's defined in OpenID for Verifiable Presentations.
One small feature of DCQL is null matching. When you query an array-typed field inside a credential — say, nationalities for someone who holds multiple citizenships — you can put null in the path to mean "match any element of this array":
{
"path": ["nationalities", null],
"values": ["LU", "FR", "DE"]
}
Does the user's nationalities contain any of LU, FR, or DE?
DCQL null matching applies to JSON-based credentials (such as SD-JWT VC). It does not apply to mdoc-based credentials, whose query structure is different and has no null wildcard concept. Everything in this post is about the JSON-based side.
The Problem: the Official EUDI Reference Wallet Didn't Support Null Matching
The iOS stack of the EUDI Wallet reference implementation — the official reference codebase maintained by the European Commission — did not support DCQL null matching. The same query that worked correctly against the Android stack silently failed on iOS.
So I fixed it and pushed the change upstream. The fix spanned two libraries, and both PRs were merged within days:
More than the technical details, what I want to share is how this contribution felt.
What It Means to Contribute to an Official Reference Implementation
The EUDI Wallet reference implementation is the official codebase that every EU Member State builds on when shipping its own national wallet. And Europe is running it as open source. I genuinely love this.
It could have been done differently. The European Commission could have awarded a single closed-source vendor contract, or left each Member State to build from scratch. Instead, they chose to publish on GitHub, accept external contributions, and run a real review process. That means an outside engineer — someone who is neither part of any EU institution nor an officially selected vendor — can find a bug, open a pull request, and actually see the fix merged into a codebase that downstream national pilots will pick up.
That is not a trivial choice. Running public infrastructure as open source means absorbing the cost of external review, security scrutiny, and governance coordination. Choosing to do that anyway — and reviewing and merging external contributors' PRs within days — is, I think, one of the reasons the EU digital identity ecosystem is moving at the pace and quality it is today.
A sincere thank you to the EUDI maintainers for the fast review cycle. The feeling of "my work is welcome here" is what makes the next contribution happen. I felt that again this time, and it matters.
What's Next
EUDI isn't the only DCQL implementation missing null matching. Looking around the ecosystem, there seem to be quite a few places where this is still not supported. My plan is to slowly go through them and contribute fixes where I can. I'd like the digital identity ecosystem to reach a state where querying array fields of JSON-based credentials is something that just works — that's one of my small personal goals right now.
And most of all — Europe, thank you for running your public infrastructure in the open. 🇪🇺
Links
