openwallet-foundation/credo-ts

Holder does not detect mismatch in offered and issued credential


Hi, I think I found an issue. It's not a biggie, but I am posting it here for tracking purposes.

Here's the scenario:

  • The issuer creates an offer, offering FooCredential (the following is a fragment of the resolved credential offer)
      "offeredCredentialConfigurations": {
        "FooCredential": {
          "proof_types_supported": {
            "jwt": {
              "proof_signing_alg_values_supported": [
                "EdDSA",
                "ES256",
                "ES256K"
              ]
            }
          },
          "format": "jwt_vc_json",
          "credential_definition": {
            "type": [
              "VerifiableCredential",
              "FooCredential"
            ]
          }
        }
      },

using code such as

export const fooCredential = {
  id: 'FooCredential',
  format: OpenId4VciCredentialFormatProfile.JwtVcJson,
  types: ['VerifiableCredential', ServiceCredentialTypes.Foo],
} satisfies OpenId4VciCredentialSupportedWithId;

async function createOffer(...) {
   ....
   return await this.#issuanceAgent.createCredentialOffer([
      fooCredential.id,
    ]);
}

When the holder requests the credential, actually issue him a different credential, BarCredential

{
      '@context': [ 'https://www.w3.org/2018/credentials/v1' ],
      type: [ 'VerifiableCredential', 'BarCredential' ],
      credentialSubject: {
        number: '123456789',
        id: 'did:key:z6MkuAXvSM64j7nAFo6mqzFAeg4HLz7rPXsqeGtHTWuaEW9M'
      },
      issuanceDate: '2024-10-01T08:31:19Z',
      expirationDate: undefined,
      issuer: 'did:key:z6MktiQQEqm2yapXBDt1WEVB3dqgvyzi96FuFANYmrgTrKV9',
      id: undefined
    }

using code such as

export const barCredential = {
  id: 'BarCredential',
  format: OpenId4VciCredentialFormatProfile.JwtVcJson,
  types: ['VerifiableCredential', ServiceCredentialTypes.Bar],
} satisfies OpenId4VciCredentialSupportedWithId;


requestToCred: OpenId4VciCredentialRequestToCredentialMapper = async ({
  issuanceSession,
  holderBinding,
}): Promise<OpenId4VciSignCredential> => {
  // ...
  // Sign and return BarCredential, although the offer advertised FooCredential
  return {
    credentialSupportedId: barCredential.id,
    format: ClaimFormat.JwtVc,
    credential: new W3cCredential({
      type: barCredential.types,
      issuer: new W3cIssuer({
        id: issuerDidKey.did,
      }),
      credentialSubject: new W3cCredentialSubject({
        id: parseDid(holderBinding.didUrl).did,
        claims,
      }),
      issuanceDate: w3cDate(Date.now()),
    }),
    verificationMethod: `${issuerDidKey.did}#${issuerDidKey.key.fingerprint}`,
  };
};

e.g. simply issuing BarCredential instead of the "promised" FooCredential

I guess I would expect the Holder to error out upon receiving the credential, but right now the credential is successfully stored.
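
A holder-side check of the kind this issue asks for, as an added example that is not part of the original issue and is not credo-ts code: before storing, it compares the issued credential's `type` with `credential_definition.type` of every offered configuration and rejects anything that was not offered. All function and type names are hypothetical, the sample data is constructed from the fragments above, and comparing types without regard to order is an assumption.

```typescript
// Added illustration, not credo-ts code; all names here are hypothetical.
interface OfferedConfiguration {
  format: string
  credential_definition?: { type: string[] }
}
type OfferedConfigurations = Record<string, OfferedConfiguration>
interface IssuedCredential { type: string[] }

// True when both arrays hold the same type names (assumption: order is ignored).
function sameTypes(a: string[], b: string[]): boolean {
  const covers = (x: string[], y: string[]) => x.every((t) => y.indexOf(t) !== -1)
  return covers(a, b) && covers(b, a)
}

// Id of the offered configuration the issued credential satisfies, or null.
function matchOfferedConfiguration(
  offered: OfferedConfigurations,
  issued: IssuedCredential
): string | null {
  for (const id of Object.keys(offered)) {
    const definition = offered[id]?.credential_definition
    if (definition && sameTypes(definition.type, issued.type)) return id
  }
  return null
}

// Holder-side gate to run before storing: reject anything that was not offered.
function assertCredentialWasOffered(
  offered: OfferedConfigurations,
  issued: IssuedCredential
): string {
  const id = matchOfferedConfiguration(offered, issued)
  if (id === null) {
    const got = issued.type.join(', ')
    const want = Object.keys(offered).join(', ')
    throw new Error(`Issued types [${got}] match no offered configuration [${want}]`)
  }
  return id
}

// Constructed sample data mirroring the fragments in the issue.
const offeredConfigurations: OfferedConfigurations = {
  FooCredential: {
    format: 'jwt_vc_json',
    credential_definition: { type: ['VerifiableCredential', 'FooCredential'] },
  },
}
const issuedBar: IssuedCredential = { type: ['VerifiableCredential', 'BarCredential'] }
const issuedFoo: IssuedCredential = { type: ['FooCredential', 'VerifiableCredential'] }
```

With the sample data, `assertCredentialWasOffered(offeredConfigurations, issuedBar)` throws, while `issuedFoo` resolves to the `FooCredential` configuration.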