wwWallet · patatoid · Sep 24, 2025 · Sep 24, 2025 · Sep 24, 2025 · patatoid
diff --git a/src/credential-verifiers/SDJWTVCVerifier.ts b/src/credential-verifiers/SDJWTVCVerifier.ts
@@ -200,14 +200,18 @@ export function SDJWTVCVerifier(args: { context: Context, pkResolverEngine: Publ
 
 	const fetchVctFromRegistry = async function (urnOrUrl: string, integrity?: string) {
 		if (urnOrUrl.startsWith('https')) {
+			const SdJwtVc = new SDJwtVcInstance({
+				hasher: hasherAndAlgorithm.hasher,
+			})
+
 			const url = urnOrUrl
 
 			const vctm = await args.httpClient.get(url).then(({ data }) => {
 				return data as { vct: string }
 			})
 
 			// @ts-ignore
-			const isIntegrityValid = await SdJwtVc.validateIntegrity(vctm, uri, integrity)
+			const isIntegrityValid = await SdJwtVc.validateIntegrity(vctm, url, integrity)
 
 			return vctm
 		}
@@ -269,11 +273,11 @@ export function SDJWTVCVerifier(args: { context: Context, pkResolverEngine: Publ
 					success: true,
 					value: {},
 				}
-			} else {
-				return {
-					success: false,
-					error: CredentialVerificationError.VctSchemaError,
-				}
+			}
+
+			return {
+				success: false,
+				error: CredentialVerificationError.VctSchemaError,
 			}
 		}
 
@@ -283,6 +287,42 @@ export function SDJWTVCVerifier(args: { context: Context, pkResolverEngine: Publ
 		}
 	}
 
+	const verifyCnf = async (rawCredential: string, opts: {}) => {
+		const SdJwtVc = new SDJwtVcInstance({
+			verifier: () => true,
+			hasher: hasherAndAlgorithm.hasher,
+			hashAlg: hasherAndAlgorithm.alg as 'sha-256',
+			loadTypeMetadataFormat: true,
+			vctFetcher: fetchVctFromRegistry,
+		});
+
+		const publicKeyResult = await getHolderPublicKey(rawCredential);
+		if (!publicKeyResult.success) {
+			logError(CredentialVerificationError.CannotExtractHolderPublicKey, "CannotExtractHolderPublicKey");
+			return {
+				success: false,
+				error: publicKeyResult.error,
+			}
+		}
+
+		try {
+			const jwt = rawCredential.split("~")[0];
+			await jwtVerify(jwt, publicKeyResult.value, { clockTolerance: args.context.clockTolerance });
+		}
+		catch (err: any) {
+			logError(CredentialVerificationError.KbJwtVerificationFailedSignatureValidation, "Error on verifyCnf(): Invalid SD-JWT signature");
+			return {
+				success: false,
+				error: CredentialVerificationError.KbJwtVerificationFailedSignatureValidation,
+			};
+		}
+
+		return {
+			success: true,
+			value: {},
+		}
+	}
+
 	const verifyKbJwt = async (rawPresentation: string, opts: {
 		expectedNonce?: string;
 		expectedAudience?: string;
@@ -385,6 +425,17 @@ export function SDJWTVCVerifier(args: { context: Context, pkResolverEngine: Publ
 				}
 			}
 
+			// cnf (cryptographic holder binding) validation
+			if (opts.verifyCnf) {
+				const verifyCnfResult = await verifyCnf(rawCredential, opts);
+				if (!verifyCnfResult.success) {
+					return {
+						success: false,
+						error: errors.length > 0 ?  errors[0].error : CredentialVerificationError.UnknownProblem,
+					}
+				}
+			}
+
 			// KB-JWT validation
 			if (!rawCredential.endsWith('~')) { // contains kbjwt
 				const verifyKbJwtResult = await verifyKbJwt(rawCredential, opts);
@@ -396,20 +447,9 @@ export function SDJWTVCVerifier(args: { context: Context, pkResolverEngine: Publ
 				}
 			}
 
-			const publicKeyResult = await getHolderPublicKey(rawCredential);
-			if (publicKeyResult.success === false) {
-				logError(CredentialVerificationError.CannotExtractHolderPublicKey, "Could not extract holder public key");
-				return {
-					success: false,
-					error: errors.length > 0 ?  errors[0].error : CredentialVerificationError.UnknownProblem,
-				}
-			}
-
 			return {
 				success: true,
 				value: {
-					valid: true,
-					holderPublicKey: await exportJWK(publicKeyResult.value),
 				},
 			}
 		},

diff --git a/src/interfaces.ts b/src/interfaces.ts
@@ -30,7 +30,7 @@ export interface ParsingEngineI {
 
 export interface VerifyingEngineI {
 	register(credentialVerifier: CredentialVerifier): void;
-	verify({ rawCredential, opts }: { rawCredential: unknown, opts: { expectedNonce?: string, expectedAudience?: string, holderNonce?: string, responseUri?: string, verifySchema?: boolean } }): Promise<Result<{ holderPublicKey: JWK; }, CredentialVerificationError>>;
+	verify({ rawCredential, opts }: { rawCredential: unknown, opts: { expectedNonce?: string, expectedAudience?: string, holderNonce?: string, responseUri?: string, verifySchema?: boolean, verifyCnf?: boolean } }): Promise<Result<{ holderPublicKey?: JWK; }, CredentialVerificationError>>;
 }
 
 export interface PublicKeyResolverEngineI {
@@ -49,8 +49,8 @@ export interface CredentialParser {
 }
 
 export interface CredentialVerifier {
-	verify(args: { rawCredential: unknown, opts: { expectedNonce?: string, expectedAudience?: string, holderNonce?: string, responseUri?: string, verifySchema?: boolean } }): Promise<Result<{
-		holderPublicKey: JWK,
+	verify(args: { rawCredential: unknown, opts: { expectedNonce?: string, expectedAudience?: string, holderNonce?: string, responseUri?: string, verifySchema?: boolean, verifyCnf?: boolean } }): Promise<Result<{
+		holderPublicKey?: JWK,
 	}, CredentialVerificationError>>;
 }