OpenID demo does not cover mdoc verification #2611

@GrahamS-Quartech

I believe mdoc verification is supposed to be supported in 0.6.x, but the demo has not been updated to show the intended usage.

Getting the holder to accept a UniversityDegreeCredential mdoc from the issuer works fine, but I have yet to get a working example of resolving and accepting a proof request end to end.

There are no provided examples of proof request definitions for mdoc, but I constructed what I believe are valid formats for each method. See below.

Using these examples, I'm able to resolve a proof request from the holder and see that my held credential satisfies the requirements, but I cannot accept.

Does the verifier also need to set the trusted certificate, similar to the holder? Because I logged the internal error, and it shows this:
received error status code '400'. {"error":"invalid_request","error_description":"One or more presentations failed verification.\t- UniversityDegreeCredential-mdoc[0]: No trusted certificates found. Cannot verify mdoc."}

Looking at this made me think maybe I just need to copy that option for adding one that the holder has (* Add trusted certificate), so I gave that a try, and the error changes to this:
received error status code '400'. {"error":"invalid_request","error_description":"One or more presentations failed verification.\t- UniversityDegreeCredential-mdoc[0]: Unable to verify deviceAuth signature (ECDSA/EdDSA): Device signature must be valid"}

DCQL Example:

const universityDegreeDcql = {
  credential_sets: [
    {
      required: true,
      options: [['UniversityDegreeCredential-vc-sd-jwt'], ['UniversityDegreeCredential-jwt_vc_json'], ['UniversityDegreeCredential-mdoc']],
    },
  ],
  credentials: [
    {
      id: 'UniversityDegreeCredential-vc-sd-jwt',
      format: 'vc+sd-jwt',
      meta: {
        vct_values: ['UniversityDegreeCredential'],
      },
    },
    {
      id: 'UniversityDegreeCredential-jwt_vc_json',
      format: 'jwt_vc_json',
      claims: [
        {
          path: ['vc', 'type'],
          values: ['UniversityDegree'],
        },
      ],
      meta: {
        type_values: [['UniversityDegreeCredential']],
      },
    },
    {
      id: 'UniversityDegreeCredential-mdoc',
      format: 'mso_mdoc',
      require_cryptographic_holder_binding: true,
      multiple: false,
      meta: {
        doctype_value: 'UniversityDegreeCredential'
      },
      claims: [
        {
          id: "degree",
          namespace: "Leopold-Franzens-University",
          claim_name: "degree",
          values: ["bachelor"]
        },
      ]
    }
  ],
} satisfies DcqlQuery

DIF Example:

const universityDegreePresentationDefinition: DifPresentationExchangeDefinitionV2 = {
  id: 'UniversityDegreeCredential - DIF Presentation Exchange',
  purpose: 'Present your UniversityDegreeCredential to verify your education level.',
  input_descriptors: [
    {
      id: 'UniversityDegreeCredential', // This must match the docType of the credential
      format: { // mso_mdoc format must be specified or else it fails
        mso_mdoc: {
          alg: ['EdDSA', 'ES256']
        },
      },
      constraints: {
        limit_disclosure: 'required',
        fields: [
          {
            path: ["$['Leopold-Franzens-University']['degree']"], //Must be valid JSON path
            intent_to_retain: false,
          },
          {
            path: ["$['Leopold-Franzens-University']['authorized_user']"],
            intent_to_retain: false,
          }
        ],
      },
    },
  ],
}
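
The two request definitions above can be compared element by element. The following is an added example, not part of the original post and not Credo code. It assumes mdoc field paths in Presentation Exchange take the two-segment form `$['namespace']['element']`, and the helper names (`parseMdocPath`, `toDcqlClaims`, `diffClaims`) are hypothetical.

```typescript
// Added example: these helpers are hypothetical, not part of Credo or any OpenID4VP library.
type MdocClaim = { namespace: string; claim_name: string }

// Assumption: an mdoc field path addresses exactly two levels,
// $['<namespace>']['<element identifier>']. Anything else is rejected.
const MDOC_PATH = /^\$\['([^'\]]+)'\]\['([^'\]]+)'\]$/

function parseMdocPath(path: string): MdocClaim {
  const match = MDOC_PATH.exec(path)
  if (!match) throw new Error(`Not a two-segment mdoc path: ${path}`)
  return { namespace: String(match[1]), claim_name: String(match[2]) }
}

// Convert the fields of one input descriptor into mdoc claims in the
// namespace/claim_name shape used by the DCQL query in the issue.
function toDcqlClaims(fields: { path: string[] }[]): MdocClaim[] {
  return fields.map((field) => {
    if (field.path.length !== 1) throw new Error('expected exactly one path per mdoc field')
    return parseMdocPath(String(field.path[0]))
  })
}

// List the elements requested in `a` that are not requested in `b`.
function diffClaims(a: MdocClaim[], b: MdocClaim[]): string[] {
  const key = (c: MdocClaim): string => `${c.namespace}/${c.claim_name}`
  const inB = b.map(key)
  return a.map(key).filter((k) => inB.indexOf(k) === -1)
}

// Values copied from the two definitions in the issue.
const pexFields = [
  { path: ["$['Leopold-Franzens-University']['degree']"] },
  { path: ["$['Leopold-Franzens-University']['authorized_user']"] },
]
const dcqlClaims: MdocClaim[] = [
  { namespace: 'Leopold-Franzens-University', claim_name: 'degree' },
]

// Elements the DIF definition asks the holder to disclose that the DCQL query does not.
const onlyInPex = diffClaims(toDcqlClaims(pexFields), dcqlClaims)
console.log(onlyInPex)
```

Run against the two definitions as posted, the comparison shows that the DIF definition requests one more element from the holder than the DCQL query does.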
