Update trust anchors (#475)

kamphuisem · web-flow · commit 8a60faa5ec11 · 2025-08-14T13:12:48.000+02:00
diff --git a/eudi/credentials/sdjwtvc/verifier.go b/eudi/credentials/sdjwtvc/verifier.go
@@ -148,36 +148,6 @@ func SplitSdJwtVc(sdjwtvc SdJwtVc) (IssuerSignedJwt, []EncodedDisclosure, *KeyBi
 	return issuer, encdiscs, kbJwt, nil
 }
 
-func CreateX509VerifyOptionsFromMultiplePemChains(pemChains [][]byte) (*x509.VerifyOptions, error) {
-	rootPool := x509.NewCertPool()
-	intermediatePool := x509.NewCertPool()
-
-	for i, pemChainData := range pemChains {
-		certs, err := eudi.ParsePemCertificateChain(pemChainData)
-		if err != nil {
-			return nil, fmt.Errorf("failed to parse cert chain %d: %w", i, err)
-		}
-
-		if len(certs) == 0 {
-			return nil, fmt.Errorf("cert chain %d is empty", i)
-		}
-
-		// First cert is assumed to be the root (or self-signed root CA)
-		rootPool.AddCert(certs[0])
-
-		// Remaining certs are intermediates
-		for _, cert := range certs[1:] {
-			intermediatePool.AddCert(cert)
-		}
-	}
-
-	return &x509.VerifyOptions{
-		Roots:         rootPool,
-		Intermediates: intermediatePool,
-		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
-	}, nil
-}
-
 // CreateX509VerifyOptionsFromCertChain creates x509.VerifyOptions that can be added
 // to the `VerificationContext` as the trusted certificate chain.
 func CreateX509VerifyOptionsFromCertChain(pemChainData []byte) (*x509.VerifyOptions, error) {
@@ -198,6 +168,7 @@ func CreateX509VerifyOptionsFromCertChain(pemChainData []byte) (*x509.VerifyOpti
 		Roots:         rootPool,
 		Intermediates: intermediatePool,
 		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
+		CurrentTime:   time.Now().Add(-5 * time.Minute), // Adjust to account for skew
 	}
 
 	return &certVerifyOpts, nil
diff --git a/eudi/trustanchors.go b/eudi/trustanchors.go
@@ -2,81 +2,73 @@ package eudi
 
 // DefaultIssuerTrustAnchor_YiviStaging is the default issuer trust anchor for Yivi staging and will be replaced with the actual trust anchor for Yivi production (TODO)
 const DefaultIssuerTrustAnchor_YiviStaging = `
-Subject: CN=Yivi Requestors RootCA,O=Yivi,C=NL
-Issuer: CN=Yivi Requestors RootCA,O=Yivi,C=NL
+Subject: CN=Yivi Staging Requestors Root CA,O=Yivi,C=NL
+Issuer: CN=Yivi Staging Requestors Root CA,O=Yivi,C=NL
 -----BEGIN CERTIFICATE-----
-MIIBwTCCAWagAwIBAgIUYfwEDmHlGFzjk0ghWtAbVgPhdAswCgYIKoZIzj0EAwIw
-PTELMAkGA1UEBhMCTkwxDTALBgNVBAoMBFlpdmkxHzAdBgNVBAMMFllpdmkgUmVx
-dWVzdG9ycyBSb290Q0EwIBcNMjUwNzE1MDg0ODM1WhgPMjA1NTA3MDgwODQ4MzRa
-MD0xCzAJBgNVBAYTAk5MMQ0wCwYDVQQKDARZaXZpMR8wHQYDVQQDDBZZaXZpIFJl
-cXVlc3RvcnMgUm9vdENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+Z+lxTy+
-1xYXBT4kuyGBlbnbpcQFNgUaulP19mAqjme7Uv998RND8jgwxfwbEswk1m/xA323
-mAPMYJD4GM38EKNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU6h4COg3Q
-DNkqZnZib7FOlaKlOSEwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA0kAMEYC
-IQDqXBwGeGI9q1kqc3t4PEXJASETzL5WBycnNH6052GNFAIhAKAkzL/N+7IoDHVq
-zLVVVuKy/Xcv9t+0zLgxXD3ia4hM
+MIIB8jCCAZmgAwIBAgIUd8FwrZvzZ0+08+A0VNFgX5f/eIwwCgYIKoZIzj0EAwQw
+RjELMAkGA1UEBhMCTkwxDTALBgNVBAoMBFlpdmkxKDAmBgNVBAMMH1lpdmkgU3Rh
+Z2luZyBSZXF1ZXN0b3JzIFJvb3QgQ0EwIBcNMjUwODA4MTAwMDUzWhgPMjA1NTA4
+MDExMDAwNTJaMEYxCzAJBgNVBAYTAk5MMQ0wCwYDVQQKDARZaXZpMSgwJgYDVQQD
+DB9ZaXZpIFN0YWdpbmcgUmVxdWVzdG9ycyBSb290IENBMFkwEwYHKoZIzj0CAQYI
+KoZIzj0DAQcDQgAECTtfysVgEPFVKrVL8FM/Jx3E64qquuKSfG2ZqEucIkH6QHGL
+eJPEEhA1RUyGtPTLIZTjY5rHwR6foTSVThGrraNjMGEwDwYDVR0TAQH/BAUwAwEB
+/zAfBgNVHSMEGDAWgBRjtHvVs5rhDnC0L2AUi+7ncyXe1jAdBgNVHQ4EFgQUY7R7
+1bOa4Q5wtC9gFIvu53Ml3tYwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMEA0cA
+MEQCIDCSNbPoyhDZ5A3SWupsyPj/tDF4xNoHYnE0WFIs2pz8AiA9mhXswiJPFbVR
+9dYSupOhXkuQRk8CgJuN++OnESd8uw==
 -----END CERTIFICATE-----
-Subject: CN=Yivi Attestation Providers CA,O=Yivi,C=NL
-Issuer: CN=Yivi Requestors RootCA,O=Yivi,C=NL
+Subject: CN=Yivi Staging Attestation Providers CA,O=Yivi,C=NL
+Issuer: CN=Yivi Staging Requestors Root CA,O=Yivi,C=NL
 -----BEGIN CERTIFICATE-----
-MIIDdTCCAxugAwIBAgIUN66rLur/gwVXKSWEDCFCmG/cXZQwCgYIKoZIzj0EAwIw
-PTELMAkGA1UEBhMCTkwxDTALBgNVBAoMBFlpdmkxHzAdBgNVBAMMFllpdmkgUmVx
-dWVzdG9ycyBSb290Q0EwHhcNMjUwNzE1MDk0NzAxWhcNMzkwNzEyMDk1MzAwWjBE
-MQswCQYDVQQGEwJOTDENMAsGA1UECgwEWWl2aTEmMCQGA1UEAwwdWWl2aSBBdHRl
-c3RhdGlvbiBQcm92aWRlcnMgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQZ
-Zfj0UgMD/K9zScgMsO6J8z9UGr4KKUbarTgzU8b7+1JvX/rQ7JwyKK17RAuLIjg4
-qETJKpepQWXsdbmTbWg7o4IB8DCCAewwEgYDVR0TAQH/BAgwBgEB/wIBADAfBgNV
-HSMEGDAWgBTqHgI6DdAM2SpmdmJvsU6VoqU5ITCBywYIKwYBBQUHAQEEgb4wgbsw
-dAYIKwYBBQUHMAKGaGh0dHBzOi8vY2Euc3RhZ2luZy55aXZpLmFwcC9lamJjYS9w
-dWJsaWN3ZWIvY2VydGlmaWNhdGVzL3NlYXJjaC5jZ2k/c0tJREhhc2g9Nmg0Q09n
-M1FETmtxWm5aaWI3Rk9sYUtsT1NFMEMGCCsGAQUFBzABhjdodHRwczovL2NhLnN0
-YWdpbmcueWl2aS5hcHAvZWpiY2EvcHVibGljd2ViL3N0YXR1cy9vY3NwMIG3BgNV
-HR8Ega8wgawwgamgZKBihmBodHRwczovL2NhLnN0YWdpbmcueWl2aS5hcHAvZWpi
-Y2EvcHVibGljd2ViL2NybHMvc2VhcmNoLmNnaT9zS0lESGFzaD02aDRDT2czUURO
-a3FablppYjdGT2xhS2xPU0WiQaQ/MD0xHzAdBgNVBAMMFllpdmkgUmVxdWVzdG9y
-cyBSb290Q0ExDTALBgNVBAoMBFlpdmkxCzAJBgNVBAYTAk5MMB0GA1UdDgQWBBTb
-73uxigF5vYzKQAyWIJB+4ng2kTAOBgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwID
-SAAwRQIhAOGr5oI72XKrw51MxGf60Z6fBJskxvnBKDtBOAyqGF3IAiA7RHnTMnM+
-HlY1fmz1gEdQ5OQhwWn9AsMlhMvSDlZKBg==
------END CERTIFICATE-----`
+MIICbTCCAhSgAwIBAgIUX8STjkv3TRF5UBstXlp4ILHy2h0wCgYIKoZIzj0EAwQw
+RjELMAkGA1UEBhMCTkwxDTALBgNVBAoMBFlpdmkxKDAmBgNVBAMMH1lpdmkgU3Rh
+Z2luZyBSZXF1ZXN0b3JzIFJvb3QgQ0EwHhcNMjUwODEyMTUwODA1WhcNNDAwODA4
+MTUwODA0WjBMMQswCQYDVQQGEwJOTDENMAsGA1UECgwEWWl2aTEuMCwGA1UEAwwl
+WWl2aSBTdGFnaW5nIEF0dGVzdGF0aW9uIFByb3ZpZGVycyBDQTBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABMDTwj6APykJnBdr0sCO8LpkULpbXFOBWV47hKKsJHsa
+CVMarjLCYU3CV57UdklHSlMrtm7vfoDpYn4BvUv00UqjgdkwgdYwEgYDVR0TAQH/
+BAgwBgEB/wIBADAfBgNVHSMEGDAWgBRjtHvVs5rhDnC0L2AUi+7ncyXe1jBwBgNV
+HR8EaTBnMGWgY6Bhhl9odHRwczovL2NhLnN0YWdpbmcueWl2aS5hcHAvZWpiY2Ev
+cHVibGljd2ViL2NybHMvc2VhcmNoLmNnaT9pSGFzaD1rRkNPdDhOTGhKOGcwV3FN
+QW5sJTJCdm9OMlJ1WTAdBgNVHQ4EFgQUEjcBLRMmQGBJO0h04IL5Jwha1rEwDgYD
+VR0PAQH/BAQDAgGGMAoGCCqGSM49BAMEA0cAMEQCIDEaWIs4uSm8KVQe+fy0EndE
+Taj1ayt6dUgKQY/xZBO3AiAPYGwRlZMzbeCTFQ2ORLJiSowRtXzbmXpNDSyvtn7e
+Dw==
+-----END CERTIFICATE-----
+`
 
 // DefaultVerifierTrustAnchor_YiviStaging is the default issuer trust anchor for Yivi staging and will be replaced with the actual trust anchor for Yivi production (TODO)
 const DefaultVerifierTrustAnchor_YiviStaging = `
-Subject: CN=Yivi Requestors RootCA,O=Yivi,C=NL
-Issuer: CN=Yivi Requestors RootCA,O=Yivi,C=NL
+Subject: CN=Yivi Staging Requestors Root CA,O=Yivi,C=NL
+Issuer: CN=Yivi Staging Requestors Root CA,O=Yivi,C=NL
 -----BEGIN CERTIFICATE-----
-MIIBwTCCAWagAwIBAgIUYfwEDmHlGFzjk0ghWtAbVgPhdAswCgYIKoZIzj0EAwIw
-PTELMAkGA1UEBhMCTkwxDTALBgNVBAoMBFlpdmkxHzAdBgNVBAMMFllpdmkgUmVx
-dWVzdG9ycyBSb290Q0EwIBcNMjUwNzE1MDg0ODM1WhgPMjA1NTA3MDgwODQ4MzRa
-MD0xCzAJBgNVBAYTAk5MMQ0wCwYDVQQKDARZaXZpMR8wHQYDVQQDDBZZaXZpIFJl
-cXVlc3RvcnMgUm9vdENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+Z+lxTy+
-1xYXBT4kuyGBlbnbpcQFNgUaulP19mAqjme7Uv998RND8jgwxfwbEswk1m/xA323
-mAPMYJD4GM38EKNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU6h4COg3Q
-DNkqZnZib7FOlaKlOSEwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA0kAMEYC
-IQDqXBwGeGI9q1kqc3t4PEXJASETzL5WBycnNH6052GNFAIhAKAkzL/N+7IoDHVq
-zLVVVuKy/Xcv9t+0zLgxXD3ia4hM
+MIIB8jCCAZmgAwIBAgIUd8FwrZvzZ0+08+A0VNFgX5f/eIwwCgYIKoZIzj0EAwQw
+RjELMAkGA1UEBhMCTkwxDTALBgNVBAoMBFlpdmkxKDAmBgNVBAMMH1lpdmkgU3Rh
+Z2luZyBSZXF1ZXN0b3JzIFJvb3QgQ0EwIBcNMjUwODA4MTAwMDUzWhgPMjA1NTA4
+MDExMDAwNTJaMEYxCzAJBgNVBAYTAk5MMQ0wCwYDVQQKDARZaXZpMSgwJgYDVQQD
+DB9ZaXZpIFN0YWdpbmcgUmVxdWVzdG9ycyBSb290IENBMFkwEwYHKoZIzj0CAQYI
+KoZIzj0DAQcDQgAECTtfysVgEPFVKrVL8FM/Jx3E64qquuKSfG2ZqEucIkH6QHGL
+eJPEEhA1RUyGtPTLIZTjY5rHwR6foTSVThGrraNjMGEwDwYDVR0TAQH/BAUwAwEB
+/zAfBgNVHSMEGDAWgBRjtHvVs5rhDnC0L2AUi+7ncyXe1jAdBgNVHQ4EFgQUY7R7
+1bOa4Q5wtC9gFIvu53Ml3tYwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMEA0cA
+MEQCIDCSNbPoyhDZ5A3SWupsyPj/tDF4xNoHYnE0WFIs2pz8AiA9mhXswiJPFbVR
+9dYSupOhXkuQRk8CgJuN++OnESd8uw==
 -----END CERTIFICATE-----
-Subject: CN=Yivi Relying Parties CA,O=Yivi,C=NL
-Issuer: CN=Yivi Requestors RootCA,O=Yivi,C=NL
+Subject: CN=Yivi Staging Relying Parties CA,O=Yivi,C=NL
+Issuer: CN=Yivi Staging Requestors Root CA,O=Yivi,C=NL
 -----BEGIN CERTIFICATE-----
-MIIDbzCCAxWgAwIBAgIUX1VHxaun5d4JgoXFLkEqK2LBXIYwCgYIKoZIzj0EAwIw
-PTELMAkGA1UEBhMCTkwxDTALBgNVBAoMBFlpdmkxHzAdBgNVBAMMFllpdmkgUmVx
-dWVzdG9ycyBSb290Q0EwHhcNMjUwNzE1MDk0MjIyWhcNMzkwNzEyMDk0ODIxWjA+
-MQswCQYDVQQGEwJOTDENMAsGA1UECgwEWWl2aTEgMB4GA1UEAwwXWWl2aSBSZWx5
-aW5nIFBhcnRpZXMgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQZZfj0UgMD
-/K9zScgMsO6J8z9UGr4KKUbarTgzU8b7+1JvX/rQ7JwyKK17RAuLIjg4qETJKpep
-QWXsdbmTbWg7o4IB8DCCAewwEgYDVR0TAQH/BAgwBgEB/wIBADAfBgNVHSMEGDAW
-gBTqHgI6DdAM2SpmdmJvsU6VoqU5ITCBywYIKwYBBQUHAQEEgb4wgbswdAYIKwYB
-BQUHMAKGaGh0dHBzOi8vY2Euc3RhZ2luZy55aXZpLmFwcC9lamJjYS9wdWJsaWN3
-ZWIvY2VydGlmaWNhdGVzL3NlYXJjaC5jZ2k/c0tJREhhc2g9Nmg0Q09nM1FETmtx
-Wm5aaWI3Rk9sYUtsT1NFMEMGCCsGAQUFBzABhjdodHRwczovL2NhLnN0YWdpbmcu
-eWl2aS5hcHAvZWpiY2EvcHVibGljd2ViL3N0YXR1cy9vY3NwMIG3BgNVHR8Ega8w
-gawwgamgZKBihmBodHRwczovL2NhLnN0YWdpbmcueWl2aS5hcHAvZWpiY2EvcHVi
-bGljd2ViL2NybHMvc2VhcmNoLmNnaT9zS0lESGFzaD02aDRDT2czUUROa3Fablpp
-YjdGT2xhS2xPU0WiQaQ/MD0xHzAdBgNVBAMMFllpdmkgUmVxdWVzdG9ycyBSb290
-Q0ExDTALBgNVBAoMBFlpdmkxCzAJBgNVBAYTAk5MMB0GA1UdDgQWBBTb73uxigF5
-vYzKQAyWIJB+4ng2kTAOBgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwIDSAAwRQIh
-AJ345PijWRJZ2kztubVPfDWY+F8ipBFQ4NFrv2BgDESAAiB8I/dol3DCLBYtRIwr
-1j+O4+RgM6cvGWwb5pGToMVmxw==
+MIICaDCCAg6gAwIBAgIUVbrz0YgTTgjJE/qHcwLtn6lT4pEwCgYIKoZIzj0EAwQw
+RjELMAkGA1UEBhMCTkwxDTALBgNVBAoMBFlpdmkxKDAmBgNVBAMMH1lpdmkgU3Rh
+Z2luZyBSZXF1ZXN0b3JzIFJvb3QgQ0EwHhcNMjUwODA4MTEzMDUxWhcNNDAwODA0
+MTEzMDUwWjBGMQswCQYDVQQGEwJOTDENMAsGA1UECgwEWWl2aTEoMCYGA1UEAwwf
+WWl2aSBTdGFnaW5nIFJlbHlpbmcgUGFydGllcyBDQTBZMBMGByqGSM49AgEGCCqG
+SM49AwEHA0IABD6/Jx9e/BIjRZQNSMcyvb6jcv9jtE9DEnQUgdkR4ZbMsEqAa6Kj
+SF358k8N8DrV3nRvi2jbcnXP2gWXc3yTpZujgdkwgdYwEgYDVR0TAQH/BAgwBgEB
+/wIBADAfBgNVHSMEGDAWgBRjtHvVs5rhDnC0L2AUi+7ncyXe1jBwBgNVHR8EaTBn
+MGWgY6Bhhl9odHRwczovL2NhLnN0YWdpbmcueWl2aS5hcHAvZWpiY2EvcHVibGlj
+d2ViL2NybHMvc2VhcmNoLmNnaT9pSGFzaD1rRkNPdDhOTGhKOGcwV3FNQW5sJTJC
+dm9OMlJ1WTAdBgNVHQ4EFgQUn+JmQGo29ozmYyzmKGG5lYN5maEwDgYDVR0PAQH/
+BAQDAgGGMAoGCCqGSM49BAMEA0gAMEUCIQDs40VU7/tHrBsHdwVj2kc+ZqpvLoOf
+EtyHWcNN5HZpUAIgI3qf4KxHuFXdzEakHYb4aOpiQI9O7Sk8TUxJT7jymXM=
 -----END CERTIFICATE-----
 `
diff --git a/eudi/verifier_validator.go b/eudi/verifier_validator.go
@@ -8,13 +8,15 @@ import (
 	"encoding/json"
 	"fmt"
 	"strings"
+	"time"
 
 	"github.com/go-errors/errors"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/privacybydesign/irmago/eudi/openid4vp"
 )
 
 const SchemeExtensionOID = "2.1.123.1"
+const ClockSkew = 300 * time.Second
 
 // VerifierValidator is an interface to be used to verify verifiers by parsing and verifying the
 // authorization request and returning the requestor info for the verifier.
@@ -106,8 +108,9 @@ func (v *RequestorCertificateStoreVerifierValidator) createAuthRequestVerifier()
 		certVerifyOpts := x509.VerifyOptions{
 			Roots:         v.model.GetRootCerts(),
 			Intermediates: v.model.GetIntermediateCerts(),
-			KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+			KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 			DNSName:       hostname,
+			CurrentTime:   time.Now().Add(-ClockSkew), // Adjust to account for skew
 		}
 
 		parsedCert, err := getEndEntityCertFromX5cHeader(token)
diff --git a/testdata/eudi/verifier/chain.pem b/testdata/eudi/verifier/chain.pem
@@ -1,13 +1,13 @@
 -----BEGIN CERTIFICATE-----
-MIIbVTCCGvugAwIBAgIUaJZX+x6EoPXdaSmPDvV1+lwb4nkwCgYIKoZIzj0EAwIw
+MIIbVDCCGvugAwIBAgIUYJgzQsuejq3oRk+rDTkiJ2ppIM0wCgYIKoZIzj0EAwIw
 RzELMAkGA1UEBhMCTkwxGTAXBgNVBAoMEERlbW8gVmVyaWZpZXIgQ0ExHTAbBgNV
-BAMMFERlbW8gUmVxdWVzdG9ycyBSb290MB4XDTI1MDgwNTA5NTAzMloXDTI3MTEw
-ODA5NTAzMlowPzELMAkGA1UEBhMCTkwxDTALBgNVBAoMBFlpdmkxEjAQBgNVBAMM
+BAMMFERlbW8gUmVxdWVzdG9ycyBSb290MB4XDTI1MDgxMzA2NDgxNVoXDTI3MTEx
+NjA2NDgxNVowPzELMAkGA1UEBhMCTkwxDTALBgNVBAoMBFlpdmkxEjAQBgNVBAMM
 CWxvY2FsaG9zdDENMAsGA1UEBRMEMTIzNDBZMBMGByqGSM49AgEGCCqGSM49AwEH
 A0IABOuqqlgV4cdjZ8wRoe9SaKEfWrMxTY2A+cr95aEh7oDDxP/9D09lUIJ1MfBr
 l9svmW5C18Olt7tE+x+rU5VDACujghnLMIIZxzAmBgNVHREEHzAdhhBodHRwOi8v
 bG9jYWxob3N0gglsb2NhbGhvc3QwDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCBaAw
-EwYDVR0lBAwwCgYIKwYBBQUHAwEwghkrBgNRewEEghkiDIIZHnsicmVnaXN0cmF0
+EwYDVR0lBAwwCgYIKwYBBQUHAwIwghkrBgNRewEEghkiDIIZHnsicmVnaXN0cmF0
 aW9uIjoiaHR0cHM6Ly9wb3J0YWwuZGV2L29yZ2FuaXphdGlvbnMveWl2aS8iLCJv
 cmdhbml6YXRpb24iOnsibG9nbyI6eyJtaW1lVHlwZSI6ImltYWdlL3BuZyIsImRh
 dGEiOiJpVkJPUncwS0dnb0FBQUFOU1VoRVVnQUFBR1FBQUFCa0NBSUFBQUQvZ0FJ
@@ -143,8 +143,8 @@ cmVkZW50aWFsIjoicGJkZi5nZW1lZW50ZS5wZXJzb25hbERhdGEiLCJhdHRyaWJ1
 dGVzIjpbIm92ZXIxOCJdfV0sInB1cnBvc2UiOnsiZW4iOiJBZ2UgdmVyaWZpY2F0
 aW9uIiwibmwiOiJMZWVmdGlqZHN2ZXJpZmljYXRpZSJ9fX0wHQYDVR0OBBYEFHnL
 9P1C3+jruk4O5bBBxExmGL3uMB8GA1UdIwQYMBaAFDz3b3XVIzc6lHcdBjuEo5SA
-4pZ2MAoGCCqGSM49BAMCA0gAMEUCIFq1Dxgg0Yu3dTDxjWPckh5NkzqkrrONdLUP
-rJ1IYU80AiEAvGy1pGLDXQ6JF+wbo6AZq2FNse8JAftg9M1iaQbAT7U=
+4pZ2MAoGCCqGSM49BAMCA0cAMEQCICfdWtoKEIOO9r7XZO4iBoo7XZEuSdlwMpKn
+26XTaYJ9AiAjb0fPrJH6n3re7ht+QjX9+ilUfulWJFhrWlZxLIx+IQ==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIB5DCCAYmgAwIBAgIUKp3l1e+X2zF9p49OH70NS4rA3VcwCgYIKoZIzj0EAwIw
diff --git a/testdata/eudi/verifier/end-entity.cfg b/testdata/eudi/verifier/end-entity.cfg
@@ -16,7 +16,7 @@ CN 	= localhost
 subjectAltName = @alt_names
 basicConstraints = critical,CA:false
 keyUsage = digitalSignature,keyEncipherment
-extendedKeyUsage = serverAuth
+extendedKeyUsage = clientAuth
 2.1.123.1 = ASN1:UTF8String:{\"registration\":\"https://portal.dev/organizations/yivi/\",\"organization\":{\"logo\":{\"mimeType\":\"image/png\",\"data\":\"iVBORw0KGgoAAAANSUhEUgAAAGQAAABkCAIAAAD/gAIDAAABg2lDQ1BJQ0MgUHJvZmlsZQAAKM+VkT1Iw0AcxV/TSkUqDnYQcQhYxcEuKuLYVqEIFUKt0KqDyaVf0KQhSXFxFFwLDn4sVh1cnHV1cBUEwQ8QVxcnRRcp8X9JoUWo4IXjfrzLe9y9A4RGhWlWIAZoum2mkwkxm1sVg68I0BfCKCZkZhlxSUqh6/i6h4+vd1Gehf+NfjVvMcAnEseYYdrEG8Szm7bBeZ84zEqySnxOPGnSAYkfua54/Ma56LLAM8NmJj1PHCYWix2sdDArmRrxDHFE1XTKF7Ieq5y3OGuVGmudk98wlNdXlrlOcwRJLGIJEkQoqKGMCmxEadVJsZCm/UQX/7Drl8ilkKsMRo4FVKFBdv3gb/C7W6swPeUlhRJAz4vjfIwBwV2gWXec72PHaZ4A/mfgSm/7qw1g7pP0eluLHAED28DFdVtT9oDLHWDoyZBN2ZX8NIVCAXg/o2fKAYO3QN+a11trH6cPQIa6St0AB4fAeJGy17vcu7eztz//afX3A4g1cq9dzZTfAAAACXBIWXMAAA3WAAAN1gGQb3mcAAAAGHRFWHRTb2Z0d2FyZQBQYWludC5ORVQgNS4xLjgbaeqoAAAAjGVYSWZJSSoACAAAAAUAGgEFAAEAAABKAAAAGwEFAAEAAABSAAAAKAEDAAEAAAACAAAAMQECABAAAABaAAAAaYcEAAEAAABqAAAAAAAAAIhfAQDoAwAAiF8BAOgDAABQYWludC5ORVQgNS4xLjgAAgAAkAcABAAAADAyMzABoAMAAQAAAP//AAAAAAAAOkiPeVdr+akAAA9NSURBVHhe7ZpZcBzHecf/3T3XXtjFzQWJiyABkMRByiQBXpJsMWJJliLHsVOJypVTL0lKj5Hj5CUPsfMQO67cFaeiJCpbcQ6nKkpFsiXajCRK0EFJ5mGIIkhCICESBEBce+/M9JeHWezOzkIyBlSoFDO/ajyg55vpmX/P/+ue7mVEhID1wb0VAR9OIJYPArF8EIjlg0AsHwRi+SAQyweBWD4IxPJBIJYPArF8EIjlg0AsHwRi+SAQyweBWD4IxPJBIJYPArF8EIjlg0AsHwRi+SAQyweBWD5gn9Qmq8zm7HSaqaqSiIMx7+GPAzuTkZks0zQlEfce2xCfgFhkWcs/+FH6O/9hj19l8ZB2bLT+S1/UO7Z4424Bmc8v/ef3M9/9L3lxhjXFjIfvTjz681pLszfOJ7ddLKL5J7+deuz3GLpZUoMpaf4mP9LX+u0/+bj0Isua/eZfZ5/4Y651o1FFQdLCjPLFI61/+VW1uckb7YfbnbMy595NP/Z13t7PukMwBGIq27pJvnxh8R++S1J6ozdE+vVT2Sf+jHftwGYDhkBcZVvbrX99aenfnvGG+uR2i5UdexMAFFe7BNbWVHjquHlj1hW4UYgyJ15lSMCdBgmsIZn73nFradlV65vbK5aU1tQHQNhbr3G6dNNaXPLW+0cWTXtyGgh5D0QEvTNjr6S89X64vWIxxnQNqLEbAeBMUbz1/mGcwfiQJmIKU4S33g+3Wyxt53ZgpcojAJZN/pmtasstZV8HpqraYF9tEzSdF0f6lPr6qlqf3F6xgOihETa8HVN598PIpcnIr39eSSTckRsmevQeoA5LZqUJSYQr0Ud/loeM6lh/3PapA5Aae3Phkd+luRtAHWAR5kJ/8FvNv/PbIlyTyzbK0vM/Wjr2FSAPRIAiYTHyp19u/s1fY6rqDfXDJyAWgPz7U6kXXjQvTPK6aOjwvtjBEa7r3qBbI/feROr4S9bkVdGUCN99ILr/U7eeEz8ZsUoQ/S996FT4WJtYl1hSykwqtWZgJBYVYo0hJp/LFQtFz30SoBA05x9W+sPqdS0iqnkwBuh1McbXyK25bNYsmt4mCCpQMlt1EyREUVsjZzGGkKZ4G16L9Yll23/3tW+ee+5Vra4yf5GE+EL68Sf/qH5wZ1U0AODpP//Wa9951khE3FcvMvaFQ3u2/vdbti3dCZ6b9mxf95wp1Zk5iIouJEnLm3c9+dXI1q5KNADAtqy//cNvnD/+hhY1nG5gAAG2oT36qV3JF96wBa80QRCZ3OSD941/9hGFyJmqOJiSehLho/2byjUfwRo9VgsXom/v8PzYhfTkfLksTM23nZqUr53yRgPLC4tvP3MiP72ScsUv/2RGjRhdewbtH16hs7PuIk9OXzDCK51d8sx16+pSpVxbNl48n3/njLcBYO7G7Ol/PpG7tpyanHdaSU3OL56ajiebNg/0Wy9P0DlXE+dmrTevX8zmC7Ys2LJgUbnkLbklUTOD/RDWJRaA3oGd8Z3tTOHcUJyi6EpvY2Px+Kt2JusJnrxwce74hNoYKgdzQ7Gm80OfHmnYnJQoIKaWC4sq+bbQZUUU+vuR0JkmmF4qXBMxJZY/MSZN09PExNnxzPlZJaZXNXEzt/ue0VhLE8FyN8EjSmpT5ApjKsAAxkoFDBFVtCXWOwqvV6zmZGv/Q6PF2ZIuNtBEaK3Tiv9yqjD5vif43Otv8dXUVMZGfmDfXYqqAra7nhNmw8rNopnflLT6O2BaTj0BmpR6m2Y+OVaYvuY+RdryzMnXtUTUXQkCg9i5Z4gx7jaa8+FwPSxSRJ7EZEtqi+p1xnrnE+sVSyjK0JGR4nza+dcEttkUBghW9tSP3ZErS8tnn39V3171JLJgNd7bs7Vvm6xZWiCFT2pc2rYZDheGd7FUoVTPEDFtwRly89kzP3GfMn/jxrvPvqa1RdyVVrrY/ovDW7o6pF3VGQCkyicUxmqysyR0N1Rd5KNZr1gAegd3RbY3ki2dMabHkowAJZ5/4RU7myuHTU1cuvHseRGq6q7ipcyu+w8k4nEpq56EEfK6mJBSIQJjmd5eiFL3M0Kk9JbF8yfGpFV64wBcHD+/8s415l66AAqTK0P3HQzpumeph0lKG+KSZXvGbAJCCm9bd8LyJ1ZLW7L3oRFzLieBRsImmyQD26xbT58qTF0ph517420G72TCtHKDB/fBNVFw4ETzurhuSsHApMwm2+wdHShajgcN0yYGtiVs/tNY4dqMc4qU8szJN9RodaIhANi1d0/ln1U4Y9c1sWBK1+gIx4PJqFYX8qaLj8CHWIqqDN09WphNmQzbbIrI0mIBkM+9ddqJSS2vnHn+FX1bzH2iLNoNh7p6dvS5K0sIPqlwy5YAQGSGw/nhnSxdIMYili2cd0TlmJ3JnR13zrg5Ozf+3JjWXmUfO1vc8oWh9h7vDAOAVPglzphVNVlxvhe7GyLrmV6V8SEWgL7dA6GuerKpxya22n+MxXMvnJS5PIArlyevPzPu9eBUZsex0YaaJd2SB4mU8uvGeaa/H4wxomjRKk0pAaAud+JVadkALr17YemNq1ytenkLl1KDnzkQjVV1kjONzBjikpSeHE6AofD1j4MO/sRqbUv2PLyvbj6XtEiWH6TDsJ46Vbg67YyDDMzTh2YuO3x4hNXMzjnRvCGu2VIpnyBlLtlm9W3WCqbjQQe2OWL++1jxxiyAM6+8rhrehyTIgZG7PJUAONiMLm7akle3bkvaFNETfjzoWyxV0wbvOdA1sxyRrtzDGZDOnz6XyeXO/nBM76n2oGkn9rd/iAfZ+wo3XbN5RlSMRPPDuyJzGSFdqUfjmPyg8O57C4tL498f07o8HjSTj+zq6NnqrnQghV3iDO5LAaseDNd030/Bn1gAduwe3BGOccvTfLz4yqn33zlz7eUJEa7qLnM6239spLFmG4oRCrq4SKS6r0QgzjL9/dHZgidPA7H82FsX3j699Mo1rlV78GJq8L4DsXidu7LkQV25JKVSfSUCdME3+/TgRsTavKWt90v77KuVuQIA1hkyXzp7+q+eQr3h8WAxldl99yiv+RJmRDd1ZdqWq1MFB4KUrGOLcbSbMpW5AgDWHi08N/bjv3la6feKQrAHR/d6Kh0P3tDFnLcJ2JI2RbVEdaeuB+8z/FRUXa87ephQtbnAODMX8+zMVUWv6nOyZN3uZM/OfnelAxNsSuFFu5L6HCxbdnUno5//NM1VN6FwcyatvHud61XLUnbObHmgr2PbWh4U7LJgtJYHO+vDniy2HnyLBSC0ZwiIw3bdBFHWUKMhPca5e0ZYvJbtf3C0ubXFVYdSbtLFBVR7EHBuqKspFh65C3DmJqsQZUJqQ0jTUR6HAaA4kR68/2C83rskzSRlDcVrc+crSvD2hI+Je5mNiKW3b1Z/Yz9dcTuRpTXFILQK4U79xaX08JFRXrPgxQgLuvJBjUEkocFQmsKqvrWbHxvEcrF8iBhLqUqEWJMQ7v6wYX6IBzGri1nLrmmCWiMb8eAGxeK6bhw9BFQ2LC3BsorgkpJclFcmyZLRnS3bBnZUzlyFcTal8nytB4k6EiGNMyVepz1whBZXSvGAKXhOCIUoyStiybzVfHRbV2+P6xolSOGXBZM1HrQlOhNhwX17cINiAQjvGQIizpDMiHKqYjJGQD14RHDnBos3sn0PjbZs8q6rMVBRFxMgzyDlTEI6V79sw6OfAlZzPFFGU2wOApoY11jJiYUL6cFjhxINDZVLAE4TOV1MSFnrQVWwjnrf46DDBsXSO9uVX9mPqTxQ8iAxEGBItAphEwEo3kwPHxkRNfuaDFg0xFVLepZyJVFCV1qipZXfUG8Pu28AK6bjwYyqMAIBUWKNq060kR84sIYHGTCni9m1bN4S1uojG9wc2aBY3DBC9x0kLJc96PQ1I9rEBRgjW0Z6m3qHdnnPBBjYFVXkvB5ktqSOeEhf/Y5R6xP6A4fo5krZg068IEpyLivLPturLlOCX1a4XetBoq760MY8uHGxAIT27gYMZlNeVczVbxkCGsDDghdnc9sf2t+STHpPA0woa3iQiDHWVb26FDq4FyiAKKsplutOm5lQGStMpHcdO1jf1Og+xRk98lBrx0EQKZy1129kHHTYuFhGZ4fy6F5M59OqUv6IIyAk0SJEdm5l+O5RRfVu1XFgCeoVu9aDqNNFS6xq9yXUt50d2UlpK60q5fmCBGLEGjkvyNVln2oYMAdtpmYctCQ1hdSGjXrwlsTi4ZBx9KApUxm15EEHRrQJPNTd0Dc84I4vHQWbComs14MwLdkZDxnVawlaQ73+4EFzPpurdo4garVRf3jr2p+cDJfBrRoPWjZ11YeVjXrwlsQCENl3Vx5hs3obkwiJ5eLAw/tb2tb0IC7kiixnyoJVKSmTpOxcyyDhw/szKFo2wZQwbaeQKRunskPHRhtqPAigAPYe8jzvun7BsueLgqPD//egm1sSS+/uLP7qfhQtrvByYSoPTeUP3XtQ09aY+KWEmNvTnOhsjLQ3lEuot2lzMtFat8YOqNHfm/vsHhbWWNxg8ZBTEDdicX30yIHaZR8AS4qysrM13lG5fqS9ITTU3JVMNEY37kHHNN7Xdf3IQuHK479vPnuaNVSek2zCYmHzy98K93RXRQMAioViJp1mzMktq3ujBKEotcsGAIgot7BIzjJO1Z2SkYiLtfojn8/nMlnGqk4ggqqptauDvrglsVZOvrZ45HHWUe9eaaCprPrYSPIvvsY+7t96fOL4sKGdSmXHz5sLC3Ymay0tr5wcW/ry19EYI8GIuwqWjJ85fOcp5e/NKly5er3zc/xAF0s20M0V+eJl1hRDnVrlDlNixWo9/Y9GV4er9g7Bx5tFREyL0vlF+YMJGp9nXQ2IVSvFQNMLxlc+Z3S2u2rvHHyIBVtSUSKmoEVHtLLJUCFtseZE/Bce+Rh/EvV/Ch9ikW0D9hoaOSNbwZazV+N//4RR8/OgOwYfYkHKypqJm6Kky4t0bTn+vW8kHrzfe/QOwkeCz46fv7FrL0MnoKxuf9oAsS1J7Zfvjf/Sz4UH1vhV252ED7FkNpc9/545fd1eXIJlQ3AejahtSa1ji5ZsZTVrx3cePsQK8JOz/t8TiOWDQCwfBGL5IBDLB4FYPgjE8kEglg8CsXwQiOWDQCwfBGL5IBDLB4FYPgjE8kEglg8CsXwQiOWDQCwfBGL5IBDLB4FYPgjE8kEglg8CsXwQiOWD/wEhyYVr0vqJXgAAAABJRU5ErkJggg==\"},\"legalName\":{\"en\":\"Yivi B.V.\",\"nl\":\"Yivi B.V.\"}},\"rp\":{\"authorized\":[{\"credential\":\"pbdf.gemeente.personalData\",\"attributes\":[\"over18\"]}],\"purpose\":{\"en\":\"Age verification\",\"nl\":\"Leeftijdsverificatie\"}}}
 
 [ alt_names ]
diff --git a/testdata/eudi/verifier/keystore.p12 b/testdata/eudi/verifier/keystore.p12
diff --git a/testdata/eudi/verifier/verifier.crt b/testdata/eudi/verifier/verifier.crt
