From 058d0eabedaf5d396026dd66c0607722ee8046c2 Mon Sep 17 00:00:00 2001 From: Milena-Czierlinski Date: Tue, 17 Mar 2026 15:38:33 +0100 Subject: [PATCH 1/5] feat: use token id as nonce --- .../src/modules/openid4vc/OpenId4VcController.ts | 4 ++-- .../src/modules/openid4vc/local/Holder.ts | 4 ++-- .../openid4vc/CreatePresentationToken.ts | 16 ++++++++++------ 3 files changed, 14 insertions(+), 10 deletions(-) diff --git a/packages/consumption/src/modules/openid4vc/OpenId4VcController.ts b/packages/consumption/src/modules/openid4vc/OpenId4VcController.ts index e1de7aa7c..9d59f4e36 100644 --- a/packages/consumption/src/modules/openid4vc/OpenId4VcController.ts +++ b/packages/consumption/src/modules/openid4vc/OpenId4VcController.ts @@ -130,7 +130,7 @@ export class OpenId4VcController extends ConsumptionBaseController { return { status: serverResponse.status, message: serverResponse.body }; } - public async createPresentationTokenContent(credential: VerifiableCredential): Promise { - return await this.holder.createPresentationTokenContent(credential); + public async createPresentationTokenContent(credential: VerifiableCredential, nonce: string): Promise { + return await this.holder.createPresentationTokenContent(credential, nonce); } } diff --git a/packages/consumption/src/modules/openid4vc/local/Holder.ts b/packages/consumption/src/modules/openid4vc/local/Holder.ts index aa0b6ecb3..ff55dbcc9 100644 --- a/packages/consumption/src/modules/openid4vc/local/Holder.ts +++ b/packages/consumption/src/modules/openid4vc/local/Holder.ts 
@@ -204,7 +204,7 @@ export class Holder extends BaseAgent> // hacky solution because credo doesn't support credentials without key binding // TODO: use credentials without key binding once supported - public async createPresentationTokenContent(credential: VerifiableCredential): Promise { + public async createPresentationTokenContent(credential: VerifiableCredential, nonce: String): Promise { if (credential.type !== ClaimFormat.SdJwtDc) throw new Error("Only SD-JWT credentials have been tested so far with token presentation"); const sdJwtVcApi = this.agent.dependencyManager.resolve(SdJwtVcApi); @@ -213,7 +213,7 @@ export class Holder extends BaseAgent> verifierMetadata: { audience: "defaultPresentationAudience", issuedAt: Date.now() / 1000, - nonce: "defaultPresentationNonce" + nonce } }); diff --git a/packages/runtime/src/useCases/consumption/openid4vc/CreatePresentationToken.ts b/packages/runtime/src/useCases/consumption/openid4vc/CreatePresentationToken.ts index cd19e022e..1d74c6531 100644 --- a/packages/runtime/src/useCases/consumption/openid4vc/CreatePresentationToken.ts +++ b/packages/runtime/src/useCases/consumption/openid4vc/CreatePresentationToken.ts @@ -34,14 +34,18 @@ export class CreatePresentationTokenUseCase extends UseCase Date: Wed, 18 Mar 2026 17:21:41 +0100 Subject: [PATCH 2/5] feat: use ephemeral for empty token --- .../useCases/consumption/openid4vc/CreatePresentationToken.ts | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/packages/runtime/src/useCases/consumption/openid4vc/CreatePresentationToken.ts b/packages/runtime/src/useCases/consumption/openid4vc/CreatePresentationToken.ts index 1d74c6531..b203b4a5b 100644 --- a/packages/runtime/src/useCases/consumption/openid4vc/CreatePresentationToken.ts +++ b/packages/runtime/src/useCases/consumption/openid4vc/CreatePresentationToken.ts 
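Review bot: In the second Holder.ts hunk (`verifierMetadata`), the nonce is now caller-supplied while `audience` stays the constant "defaultPresentationAudience", so replay protection of the signed presentation appears to rest entirely on the verifier comparing the nonce with the token id it resolved. That expectation should be written next to the field, e.g. `// nonce = presentation token id; the verifier must compare it with the id of the token it dereferenced`. The method also accepts any string, including an empty one, so a guard such as `if (!nonce) throw new Error("nonce must not be empty");` before `verifierMetadata` is built would keep a meaningless value out of a signed presentation. The code that derives the nonce (CreatePresentationToken.ts) is not visible on this page, and the method body continues outside both hunks.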
@@ -34,8 +34,7 @@ export class CreatePresentationTokenUseCase extends UseCase Date: Wed, 18 Mar 2026 17:29:49 +0100 Subject: [PATCH 3/5] fix: use string --- packages/consumption/src/modules/openid4vc/local/Holder.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/consumption/src/modules/openid4vc/local/Holder.ts b/packages/consumption/src/modules/openid4vc/local/Holder.ts index ff55dbcc9..f3b4ea48d 100644 --- a/packages/consumption/src/modules/openid4vc/local/Holder.ts +++ b/packages/consumption/src/modules/openid4vc/local/Holder.ts @@ -204,7 +204,7 @@ export class Holder extends BaseAgent> // hacky solution because credo doesn't support credentials without key binding // TODO: use credentials without key binding once supported - public async createPresentationTokenContent(credential: VerifiableCredential, nonce: String): Promise { + public async createPresentationTokenContent(credential: VerifiableCredential, nonce: string): Promise { if (credential.type !== ClaimFormat.SdJwtDc) throw new Error("Only SD-JWT credentials have been tested so far with token presentation"); const sdJwtVcApi = this.agent.dependencyManager.resolve(SdJwtVcApi); From cab6ac46ee8c0fc1d4e2d47147e46edc8997d00c Mon Sep 17 00:00:00 2001 From: Timo Notheisen Date: Thu, 19 Mar 2026 08:36:27 +0100 Subject: [PATCH 4/5] chore: npm audit fix --- package-lock.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/package-lock.json b/package-lock.json index b0cc7c572..89ec678f8 100644 --- a/package-lock.json +++ b/package-lock.json @@ -12129,7 +12129,9 @@ } }, "node_modules/sjcl": { - "version": "1.0.8", + "version": "1.0.9", + "resolved": "https://registry.npmjs.org/sjcl/-/sjcl-1.0.9.tgz", + "integrity": "sha512-dWM71tkSHxe7zEZj0/COjtJdmErIxp7UMp8a6D4xx8dTTtJLc4lFL+HAX8s6lvASyQQ2iYMHwa7rhhQq7MT5MA==", "license": "(BSD-2-Clause OR GPL-2.0-only)", "engines": { "node": "*" From 0c3f49075070444a54fdad60499d3774b3ac3ed7 Mon Sep 17 00:00:00 2001 
From: Timo Notheisen
Date: Thu, 19 Mar 2026 08:36:36 +0100
Subject: [PATCH 5/5] chore: exclude vulnerabilities
---
 .ci/runChecks.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.ci/runChecks.sh b/.ci/runChecks.sh
index f94dfef62..5d37d564a 100755
--- a/.ci/runChecks.sh
+++ b/.ci/runChecks.sh
@@ -6,4 +6,4 @@ npm run lint:eslint
 npm run lint:prettier
 npm run --workspaces cdep
 npx --workspaces license-check
-npx better-npm-audit audit --exclude 1112030
+npx better-npm-audit audit --exclude 1112030,1114592,1114594,1114638,1114640,1114642
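Review bot: The five advisory ids added to `--exclude` carry no record of which packages they concern or why they cannot be fixed, so the suppression cannot be reviewed from the script and will outlive any upstream fix. A comment above the command would close that gap, e.g. `# excluded advisories: <advisory id> = <package>, <reason>, revisit by <date>` (placeholders; the details are not on this page). better-npm-audit can also read exceptions from an `.nsprc` file, where each id can carry notes and an expiry date, which would let the exclusions lapse on their own.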