From d2c55efa2d702eaef70d4c0db84b1a6e13eac37c Mon Sep 17 00:00:00 2001
From: iaco <iaco@okta.com>
Date: Wed, 19 Nov 2025 15:25:31 +0000
Subject: [PATCH] fix: missing
 `issuerSigned.issuerAuth.deviceKeyInfo.deviceKey.alg`

---
 src/mdoc/Verifier.ts | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/mdoc/Verifier.ts b/src/mdoc/Verifier.ts
index 0dddb7a..59c83e4 100644
--- a/src/mdoc/Verifier.ts
+++ b/src/mdoc/Verifier.ts
@@ -1,8 +1,8 @@
 import { compareVersions } from 'compare-versions';
 import { X509Certificate } from '@peculiar/x509';
-import { importX509, JWK, KeyLike } from 'jose';
+import { importJWK, importX509, JWK, KeyLike } from 'jose';
 import { Buffer } from 'buffer';
-import { COSEKeyToJWK, Sign1, importCOSEKey } from 'cose-kit';
+import { COSEKeyToJWK, Sign1 } from 'cose-kit';
 import crypto from 'uncrypto';
 import { MDoc } from './model/MDoc';
 
@@ -157,7 +157,9 @@ export class Verifier {
     }
 
     if (deviceAuth.deviceSignature) {
-      const deviceKey = await importCOSEKey(deviceKeyCoseKey);
+      const deviceKeyJwk = COSEKeyToJWK(deviceKeyCoseKey);
+      // When deviceKey (COSE Key) does not contain the `alg` parameter, use the one specified by the COSE_Sign1
+      const deviceKey = await importJWK(deviceKeyJwk, deviceKeyJwk.alg ?? deviceAuth.deviceSignature.algName);
 
       // ECDSA/EdDSA authentication
       try {