SD-JWT Verification Error: cnf Must Be Present Even with DID? #62

@ChrisAE13


Hello everyone,

We are presenting the following SD-JWT to the verifier via the walt.id wallet (one can use an SD-JWT debugger to see the content):

eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImRpZDprZXk6ekRuYWV4Tmtxd01LcjRjV0RrWTJpR1kxc3RoSzR5NzU4UXN6eGZCTnNKWGkyQ2ZzaCJ9.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.Ew9if23EyLAKpob4GJC2m2tSZDQ7uee43l6srIwhB1JwwANi_ZsaFV_VrsP5Dh6NUMrxZHLAnYFPsYuzM0BFqg~WyJ1YlRVRjZUZDJybzN3NFcxRkF2dUdBIiwgImZpcnN0TmFtZSIsICJUZXN0Il0~WyJTbFQwdHA1ZDN3SVJBeFVFZUZTRUR3IiwgImxhc3ROYW1lIiwgIlJlYWRlciJd~WyJVdEJqUTBmVnQzcTNaWkRRc2twR1hnIiwgImVtYWlsIiwgInRlc3RAdXNlci5vcmciXQ~eyJraWQiOiItSld6a2duTkFva25ZTVRCZTkyVEpNOHhrOWg5bFcwdnlQeGY1WkV3NlNNIiwidHlwIjoia2Irand0IiwiYWxnIjoiRVMyNTYifQ.eyJpYXQiOjE3NTY0MDQ5NTYsImF1ZCI6ImRpZDprZXk6ekRuYWVldXR6aE42b1dMY2FWQ0RjNXFobmduOTFNbUVxWE45NE4yRDdLQUVjYW5qayIsIm5vbmNlIjoiIiwic2RfaGFzaCI6Im1OTlBSZ3lCNlByQmpoOW9aMUtiS2E0SHRKeWdhUDYxUjU0MDJoUGNWZXMifQ.kC2GCXs0khhOH1-cKIzq9Y6kfImL7NdMZ2OClGjUHvPVrah3suc5aJ2gas8tSrDK1uUEXZqD6JW7ML4NvF1eWA

We get this error:

Was not a sdjwt. Err: run holder verification: failed to get signature verifier from presentation claims: cnf must be present in SD-JWT

Since we use DIDs shouldn't the verifier be able to extract the required public keys? Is the cnf required even in this case?

We think that the issue may lie at the Key-Binding Header which does not include the holder's DID itself but only the kid:

{
  "kid": "-JWzkgnNAoknYMTBe92TJM8xk9h9lW0vyPxf5ZEw6SM",
  "typ": "kb+jwt",
  "alg": "ES256"
}

Could this be the issue? If this is the issue, since we have disabled holder verification, shouldn't the verifier ignore the key-binding?

This is the configuration for the verifier:

{
    "id": "data-service",
    "defaultOidcScope": "default",
    "oidcScopes": {
        "default": {
            "credentials": [
                {
                    "type": "UserCredential",
                    "trustedParticipantsLists": [
                        "http://tir.trust-anchor.svc.cluster.local:8080"
                    ],
                    "trustedIssuersLists": [
                        "http://trusted-issuers-list:8080"
                    ],
                    "holderVerification": {
                        "enabled": false
                    }
                }
            ],
            "presentationDefinition": {
                "id": "UserCredential",
                "input_descriptors": [
                    {
                        "id": "UserCredential",
                        "format": {
                            "vc+sd-jwt": {
                                "alg": ["ES256"]
                            }
                        }
                    }
                ]
            }
        }
    }
}
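The question above comes down to what a verifier can learn about the holder key from the presentation itself. The following added example (editor's code, not part of the issue and not the verifier project's code) performs the structural checks a verifier does before any signature check: it splits the compact SD-JWT+KB presentation on `~`, reports whether the issuer-signed JWT carries a `cnf` claim, checks that every disclosure digest is bound in the top-level `_sd` array, and recomputes `sd_hash` over the presented part (issuer JWT plus selected disclosures, each followed by `~`, as the SD-JWT draft specifies, using the `_sd_alg` claim with `sha-256` as the default). The sample presentation is constructed here with placeholder signatures and placeholder DID values; it mirrors the shape in the issue (ES256, three disclosures, a KB-JWT whose header carries only a `kid`), and a second variant adds a `cnf` claim so the two outcomes can be compared. Signature verification and DID resolution are deliberately out of scope.

```python
"""Structural checks on an SD-JWT+KB presentation (added example, not project code)."""
import base64
import hashlib
import json

# Hash algorithms the SD-JWT draft allows for _sd_alg; sha-256 is the default.
HASH_ALGS = {"sha-256": hashlib.sha256, "sha-384": hashlib.sha384, "sha-512": hashlib.sha512}


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_parts(jwt: str):
    """Return (header, payload) of a compact JWS; the signature is NOT checked here."""
    header_b64, payload_b64, _sig = jwt.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def split_presentation(compact: str):
    """<issuer-jwt>~<disclosure>~...~<kb-jwt>; the last element is '' when no KB-JWT is attached."""
    parts = compact.split("~")
    if len(parts) < 2:
        raise ValueError("not an SD-JWT: at least one '~' separator is required")
    return parts[0], parts[1:-1], parts[-1]


def diagnose(compact: str) -> dict:
    """Collect the facts a verifier needs before it can pick a holder-key source."""
    issuer_jwt, disclosures, kb_jwt = split_presentation(compact)
    header, payload = decode_jwt_parts(issuer_jwt)
    algo = HASH_ALGS[payload.get("_sd_alg", "sha-256")]
    digests = {b64url_encode(algo(d.encode("ascii")).digest()) for d in disclosures}
    findings = {
        "issuer_kid": header.get("kid"),
        "cnf_present": "cnf" in payload,
        "disclosed_claims": [json.loads(b64url_decode(d))[1] for d in disclosures],
        # Only top-level _sd is checked; nested _sd arrays would need a recursive walk.
        "disclosures_bound": digests <= set(payload.get("_sd", [])),
        "kb_jwt_present": bool(kb_jwt),
    }
    if kb_jwt:
        kb_header, kb_payload = decode_jwt_parts(kb_jwt)
        findings["kb_typ_ok"] = kb_header.get("typ") == "kb+jwt"
        findings["kb_kid"] = kb_header.get("kid")
        # A bare kid gives the verifier no key material on its own; a DID could be resolved.
        findings["kb_kid_is_did"] = str(kb_header.get("kid", "")).startswith("did:")
        # sd_hash covers everything before the KB-JWT, including the final '~'.
        hashed_input = compact[: len(compact) - len(kb_jwt)]
        expected = b64url_encode(algo(hashed_input.encode("ascii")).digest())
        findings["sd_hash_ok"] = kb_payload.get("sd_hash") == expected
    return findings


# ---- constructed sample data (placeholder signatures and DIDs, not real tokens) ----

def _unsigned_jwt(header: dict, payload: dict) -> str:
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(payload)}.PLACEHOLDER-SIGNATURE"


def _disclosure(salt: str, name: str, value: str) -> str:
    return b64url_encode(json.dumps([salt, name, value]).encode())


def build_sample(with_cnf: bool) -> str:
    """Presentation shaped like the one in the issue, optionally with a cnf claim."""
    disclosures = [
        _disclosure("salt-1", "firstName", "Test"),
        _disclosure("salt-2", "lastName", "Reader"),
        _disclosure("salt-3", "email", "test@user.org"),
    ]
    payload = {
        "iss": "did:key:zISSUER-PLACEHOLDER",
        "_sd_alg": "sha-256",
        "_sd": [b64url_encode(hashlib.sha256(d.encode("ascii")).digest()) for d in disclosures],
    }
    if with_cnf:
        payload["cnf"] = {"kid": "did:key:zHOLDER-PLACEHOLDER#key-1"}
    issuer_jwt = _unsigned_jwt(
        {"alg": "ES256", "typ": "vc+sd-jwt", "kid": "did:key:zISSUER-PLACEHOLDER#key-1"}, payload
    )
    sd_jwt = "~".join([issuer_jwt, *disclosures]) + "~"
    kb_jwt = _unsigned_jwt(
        {"kid": "HOLDER-KID-PLACEHOLDER", "typ": "kb+jwt", "alg": "ES256"},
        {"iat": 1756404956, "aud": "did:key:zVERIFIER-PLACEHOLDER", "nonce": "",
         "sd_hash": b64url_encode(hashlib.sha256(sd_jwt.encode("ascii")).digest())},
    )
    return sd_jwt + kb_jwt


if __name__ == "__main__":
    for flag in (False, True):
        print(json.dumps(diagnose(build_sample(with_cnf=flag)), indent=2))
```

Running it on the variant without `cnf` shows a presentation that is internally consistent (`sd_hash_ok` and `disclosures_bound` both true, `kb_typ_ok` true) yet gives the verifier no holder key: `cnf_present` is false and the KB-JWT `kid` is an opaque thumbprint rather than a DID, so there is nothing to resolve. The variant with `cnf` is identical except that the key reference now travels inside the issuer-signed payload, which is the binding a verifier can trust because the issuer signed it.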
