Closed DhiaSlm closed 2 weeks ago
Hi @DhiaSlm
Thanks for reporting this. Indeed you are right.
The SdJwtVcVerifier is a specialization of the SdJwtVerifier in the case the SD-JWT-VC format is being used.
The validation/processing rules defined here do foresee 4 main options of how the issuer can convey its public key. Those options are represented in the library by a sealed hierarchy https://github.com/eu-digital-identity-wallet/eudi-lib-jvm-sdjwt-kt/blob/29fb44e9071c37411267a4a26b5ff754a2664823/src/main/kotlin/eu/europa/ec/eudi/sdjwt/vc/SdJwtVcVerifier.kt#L212
The problem is that we didn't take into account the additional rule that you quoted, which can be found here.
Good catch
Currently the SdJwtVcVerifier is not able to build a KeySource when there is a kid header included in the signed JWT of the presentation. When a kid is included, however, the openid4vci spec recommends using it to look up the key from the Metadata key set:
It is RECOMMENDED that the JWT contains a kid JWT header parameter that can be used to look up the public key in the JWK Set included by value or referenced in the JWT VC Issuer Metadata.
We expect a different behavior in this case. When a kid header is present, the KeySelector would understand that it might be used in the context of the jwt-vc-metadata key resolution method (when the DID scheme is excluded).
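Added example (not part of this issue thread and not code from the eudi-lib-jvm-sdjwt-kt library): a minimal Python sketch of the kid-based lookup that the quoted recommendation describes. It reads the kid from the protected header of the issuer-signed JWT inside an SD-JWT and selects the matching key from a JWK Set standing in for the one published in the JWT VC Issuer Metadata. The function names, the sample JWK Set, the placeholder key coordinates and the constructed SD-JWT are all assumptions of this example; checking the signature with the selected key is left out.

```python
import base64
import json

# Constructed JWK Set standing in for the set the JWT VC Issuer Metadata
# publishes (by value or via jwks_uri). Coordinates are placeholders, not real keys.
ISSUER_JWKS = {
    "keys": [
        {"kty": "EC", "crv": "P-256", "kid": "issuer-key-1", "use": "sig",
         "x": "<placeholder-x-1>", "y": "<placeholder-y-1>"},
        {"kty": "EC", "crv": "P-256", "kid": "issuer-key-2", "use": "sig",
         "x": "<placeholder-x-2>", "y": "<placeholder-y-2>"},
    ]
}


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment, as used in JWS."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url JWS segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def protected_header(sd_jwt: str) -> dict:
    """Return the JOSE header of the issuer-signed JWT inside an SD-JWT.

    An SD-JWT is <issuer JWT>~<disclosure>~...~[<KB-JWT>], so the issuer JWT
    is everything before the first '~' and its header is the first JWS segment.
    """
    issuer_jwt = sd_jwt.split("~", 1)[0]
    return json.loads(b64url_decode(issuer_jwt.split(".")[0]))


def select_issuer_key(jwks: dict, header: dict) -> dict:
    """Pick the issuer key that the SD-JWT signature should be verified with.

    When the header carries a kid, it is used to look up the key in the
    issuer's JWK Set (the behaviour the quoted recommendation asks for).
    Without a kid, the set must contain exactly one key; otherwise the choice
    is ambiguous and the verifier must not guess.
    """
    keys = jwks.get("keys", [])
    kid = header.get("kid")
    if kid is not None:
        matches = [k for k in keys if k.get("kid") == kid]
        if len(matches) != 1:
            raise KeyError(f"kid {kid!r}: expected exactly one match, found {len(matches)}")
        key = matches[0]
    else:
        if len(keys) != 1:
            raise KeyError("no kid in header and JWK Set does not hold a single key")
        key = keys[0]
    # The selected key must be a signature key and, if it pins an alg, agree with the header.
    if key.get("use") not in (None, "sig"):
        raise KeyError("selected key is not a signature key")
    if "alg" in key and key["alg"] != header.get("alg"):
        raise KeyError("key alg does not match JWT header alg")
    return key


def make_constructed_sd_jwt(header: dict) -> str:
    """Build a structurally valid, unsigned SD-JWT for demonstration only (placeholder signature)."""
    payload = {"iss": "https://issuer.example", "vct": "urn:example:vct"}
    return f"{b64url_encode(header)}.{b64url_encode(payload)}.<placeholder-sig>~"


if __name__ == "__main__":
    sample = make_constructed_sd_jwt({"alg": "ES256", "kid": "issuer-key-1", "typ": "vc+sd-jwt"})
    hdr = protected_header(sample)
    print("selected", select_issuer_key(ISSUER_JWKS, hdr)["kid"], "for kid", hdr["kid"])
```

The lookup deliberately fails closed: an unknown kid, a duplicated kid, or a missing kid against a multi-key set all raise instead of silently falling back to the first key, which is the failure mode a verifier should avoid when the issuer rotates keys.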