fix: verify common jwt claims for kb-jwt#378
Conversation
Signed-off-by: Timo Glastra <timo@animo.id>
Signed-off-by: Timo Glastra <timo@animo.id>
| throw new SDJWTException('Verify Error: Invalid Nonce'); | ||
| } | ||
|
|
||
| // Delegate signature verification and common JWT claim validation |
There was a problem hiding this comment.
If the spec mandates that some values are required, don't we want to check that instead of the letting the user check it? Or would that complicate the PR a lot?
There was a problem hiding this comment.
They are not required, but if present we want to check them.
The OID4VP HAIP conformance test suite checks that we reject KB-JWTs where the iat is in the future (and past, but that's maybe harder to solve in this library, what is "past"? it makes sense to reject an iat of one year ago, but there's no strict timeline).
There was a problem hiding this comment.
iat is required, and that is check. But it's not checked against the current time. so it can be any value as long as it's defined. This verifies that the iat is not in the future (and will add a check to credo to make it reasonably in the current time (e.g. created X minutes ago). But that feels too opiniated for this library
3 participants
Fixes #377