eu-digital-identity-wallet / eudi-lib-jvm-sdjwt-kt

A library for issuing and verifying SD-JWT
Apache License 2.0

KeySelector fails to Resolve a Key source if kid header is included in the presentation #197

Closed DhiaSlm closed 2 weeks ago

DhiaSlm commented 2 weeks ago

Currently the SdJwtVcVerifier is not able to build a KeySource when there is a kid header included in the signed JWT of the presentation. However, when a kid is included, the openid4vci spec recommends using it to look up the key from the Metadata key set:

It is RECOMMENDED that the JWT contains a kid JWT header parameter that can be used to look up the public key in the JWK Set included by value or referenced in the JWT VC Issuer Metadata.

We expect a different behavior in this case. When a kid header is present, the KeySelector would understand that it might be used in the context of the jwt-vc-metadata key resolution method (when the DID scheme is excluded).

babisRoutis commented 2 weeks ago

Hi @DhiaSlm

Thanks for reporting this. Indeed you are right.

The SdJwtVcVerifier is a specialization of the SdJwtVerifier for the case where the SD-JWT-VC format is being used.

The validation/processing rules defined here do foresee 4 main options of how the issuer can convey its public key. Those options are represented in the library by a sealed hierarchy https://github.com/eu-digital-identity-wallet/eudi-lib-jvm-sdjwt-kt/blob/29fb44e9071c37411267a4a26b5ff754a2664823/src/main/kotlin/eu/europa/ec/eudi/sdjwt/vc/SdJwtVcVerifier.kt#L212

The problem is that we didn't take into account the additional rule that you quoted, which can be found here.

Good catch
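The kid-based lookup both comments describe, as an added Python illustration (not the library's Kotlin code and not its API): it reads the kid from the issuer-signed JWT of an SD-JWT presentation and selects the matching key from the jwks of the JWT VC Issuer Metadata, failing when the kid is unknown, when no kid is given and the set is ambiguous, or when the chosen key's alg disagrees with the JWT header. The JWK Set, kids, issuer URL and credential type are constructed sample values.

```python
import base64
import json

# Constructed JWK Set standing in for the "jwks" of a JWT VC Issuer Metadata
# document (hypothetical kids; EC coordinates are the RFC 7515/7517 examples).
ISSUER_JWKS = {"keys": [
    {"kty": "EC", "crv": "P-256", "kid": "issuer-key-2023", "alg": "ES256",
     "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU", "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"},
    {"kty": "EC", "crv": "P-256", "kid": "issuer-key-2024", "alg": "ES256",
     "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4", "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM"},
]}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def issuer_jwt_header(sd_jwt: str) -> dict:
    # An SD-JWT presentation is <issuer-signed JWT>~<disclosure>~...~<KB-JWT>;
    # the issuer key is resolved from the protected header of the first part.
    issuer_jwt = sd_jwt.split("~", 1)[0]
    return json.loads(b64url_decode(issuer_jwt.split(".")[0]))

def select_issuer_key(header: dict, jwks: dict) -> dict:
    keys = jwks.get("keys", [])
    kid = header.get("kid")
    if kid is not None:
        matches = [k for k in keys if k.get("kid") == kid]
        if len(matches) != 1:
            raise LookupError(f"kid {kid!r}: {len(matches)} matching keys in issuer JWK Set")
        key = matches[0]
    elif len(keys) == 1:
        key = keys[0]  # no kid: only unambiguous when the set holds exactly one key
    else:
        raise LookupError("no kid header and the issuer JWK Set holds several keys")
    if "alg" in key and key["alg"] != header.get("alg"):
        raise LookupError("JWK alg does not match the JWT alg header")
    return key

def make_sample_sd_jwt(header: dict) -> str:
    # Constructed presentation: payload, signature and disclosure are dummies,
    # as this example exercises key selection only, not signature verification.
    payload = {"iss": "https://issuer.example.com", "vct": "https://credentials.example.com/pid"}
    parts = [json.dumps(header).encode(), json.dumps(payload).encode(), b"dummy-signature"]
    disclosure = b64url_encode(json.dumps(["salt", "given_name", "Erika"]).encode())
    return ".".join(b64url_encode(p) for p in parts) + "~" + disclosure + "~"
```

A verifier would pass the returned JWK on to its signature check; the selection step alone is what this issue is about.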