feat: skew for jwt-based credential verification (openwallet-foundation#2588)

TimoGlastra · web-flow · commit b9bd214763b4 · 2025-12-11T13:53:05.000+01:00
Signed-off-by: Timo Glastra &lt;timo@animo.id&gt;
diff --git a/.changeset/every-phones-cross.md b/.changeset/every-phones-cross.md
@@ -0,0 +1,6 @@
+---
+"@credo-ts/openid4vc": patch
+"@credo-ts/core": patch
+---
+
+feat: add a (configurable) 30 seconds skew to JWT-based credentials and other JWT object verification. This is to prevent verification errors based on slight deviations in server time. This does not affect non-JWT credentials yet (mDOC, JSON-LD)
diff --git a/packages/core/src/agent/AgentConfig.ts b/packages/core/src/agent/AgentConfig.ts
@@ -1,3 +1,4 @@
+import { DEFAULT_SKEW_TIME } from '../crypto/jose/jwt/JwtPayload'
 import type { Logger } from '../logger'
 import { ConsoleLogger, LogLevel } from '../logger'
 import type { InitConfig } from '../types'
@@ -22,6 +23,10 @@ export class AgentConfig {
     return this.initConfig.autoUpdateStorageOnStartup ?? false
   }
 
+  public get validitySkewSeconds() {
+    return this.initConfig.validitySkewSeconds ?? DEFAULT_SKEW_TIME
+  }
+
   public extend(config: Partial<InitConfig>): AgentConfig {
     return new AgentConfig({ ...this.initConfig, logger: this.logger, ...config }, this.agentDependencies)
   }
diff --git a/packages/core/src/crypto/jose/jwt/JwtPayload.ts b/packages/core/src/crypto/jose/jwt/JwtPayload.ts
@@ -1,4 +1,5 @@
 import { CredoError } from '../../../error'
+import { dateToSeconds } from '../../../utils'
 
 /**
  * The maximum allowed clock skew time in seconds. If an time based validation
@@ -7,7 +8,7 @@ import { CredoError } from '../../../error'
  *
  * See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5
  */
-const DEFAULT_SKEW_TIME = 300
+export const DEFAULT_SKEW_TIME = 30
 
 export interface JwtPayloadJson {
   iss?: string
@@ -123,8 +124,15 @@ export class JwtPayload {
    *  - if `iat` is present, it must be less than now
    *  - if `exp` is present, it must be greater than now
    */
-  public validate(options?: { skewTime?: number; now?: number }) {
-    const { nowSkewedFuture, nowSkewedPast } = getNowSkewed(options?.now, options?.skewTime)
+  public validate(options?: {
+    /**
+     * @deprecated use `skewSeconds` instead
+     */
+    skewTime?: number
+    skewSeconds?: number
+    now?: number
+  }) {
+    const { nowSkewedFuture, nowSkewedPast } = getNowSkewed(options?.now, options?.skewSeconds ?? options?.skewTime)
 
     // Validate nbf
     if (typeof this.nbf !== 'number' && typeof this.nbf !== 'undefined') {
@@ -220,12 +228,12 @@ export class JwtPayload {
   }
 }
 
-function getNowSkewed(now?: number, skewTime?: number) {
-  const _now = typeof now === 'number' ? now : Math.floor(Date.now() / 1000)
-  const _skewTime = typeof skewTime !== 'undefined' && skewTime >= 0 ? skewTime : DEFAULT_SKEW_TIME
+function getNowSkewed(now?: number, skewSeconds?: number) {
+  const _now = now ?? dateToSeconds(new Date())
+  const _skewSeconds = skewSeconds ?? DEFAULT_SKEW_TIME
 
   return {
-    nowSkewedPast: _now - _skewTime,
-    nowSkewedFuture: _now + _skewTime,
+    nowSkewedPast: _now - _skewSeconds,
+    nowSkewedFuture: _now + _skewSeconds,
   }
 }
diff --git a/packages/core/src/crypto/jose/jwt/__tests__/JwtPayload.test.ts b/packages/core/src/crypto/jose/jwt/__tests__/JwtPayload.test.ts
@@ -36,16 +36,16 @@ describe('JwtPayload', () => {
     const jwtPayload = JwtPayload.fromJson({})
 
     jwtPayload.exp = 123
-    expect(() => jwtPayload.validate({ now: 200, skewTime: 1 })).toThrow('JWT expired at 123')
-    expect(() => jwtPayload.validate({ now: 100, skewTime: 1 })).not.toThrow()
+    expect(() => jwtPayload.validate({ now: 200, skewSeconds: 1 })).toThrow('JWT expired at 123')
+    expect(() => jwtPayload.validate({ now: 100, skewSeconds: 1 })).not.toThrow()
 
     jwtPayload.nbf = 80
-    expect(() => jwtPayload.validate({ now: 75, skewTime: 1 })).toThrow('JWT not valid before 80')
-    expect(() => jwtPayload.validate({ now: 100, skewTime: 1 })).not.toThrow()
+    expect(() => jwtPayload.validate({ now: 75, skewSeconds: 1 })).toThrow('JWT not valid before 80')
+    expect(() => jwtPayload.validate({ now: 100, skewSeconds: 1 })).not.toThrow()
 
     jwtPayload.iat = 90
-    expect(() => jwtPayload.validate({ now: 85, skewTime: 1 })).toThrow('JWT issued in the future at 90')
-    expect(() => jwtPayload.validate({ now: 100, skewTime: 1 })).not.toThrow()
+    expect(() => jwtPayload.validate({ now: 85, skewSeconds: 1 })).toThrow('JWT issued in the future at 90')
+    expect(() => jwtPayload.validate({ now: 100, skewSeconds: 1 })).not.toThrow()
   })
 
   test('throws error for invalid values', () => {
diff --git a/packages/core/src/modules/mdoc/Mdoc.ts b/packages/core/src/modules/mdoc/Mdoc.ts
@@ -17,7 +17,7 @@ import { X509Certificate, X509ModuleConfig } from '../x509'
 import { getMdocContext } from './MdocContext'
 import { MdocError } from './MdocError'
 import type { MdocNameSpaces, MdocSignOptions, MdocVerifyOptions } from './MdocOptions'
-import { isMdocSupportedSignatureAlgorithm, mdocSupporteSignatureAlgorithms } from './mdocSupportedAlgs'
+import { isMdocSupportedSignatureAlgorithm, mdocSupportedSignatureAlgorithms } from './mdocSupportedAlgs'
 
 /**
  * This class represents a IssuerSigned Mdoc Document,
@@ -163,7 +163,7 @@ export class Mdoc {
           issuerKey.jwkTypeHumanDescription
         }. Key supports algs ${issuerKey.supportedSignatureAlgorithms.join(
           ', '
-        )}. mdoc supports algs ${mdocSupporteSignatureAlgorithms.join(', ')}`
+        )}. mdoc supports algs ${mdocSupportedSignatureAlgorithms.join(', ')}`
       )
     }
 
diff --git a/packages/core/src/modules/mdoc/MdocDeviceResponse.ts b/packages/core/src/modules/mdoc/MdocDeviceResponse.ts
@@ -29,7 +29,7 @@ import type {
   MdocDeviceResponseVerifyOptions,
   MdocSessionTranscriptOptions,
 } from './MdocOptions'
-import { isMdocSupportedSignatureAlgorithm, mdocSupporteSignatureAlgorithms } from './mdocSupportedAlgs'
+import { isMdocSupportedSignatureAlgorithm, mdocSupportedSignatureAlgorithms } from './mdocSupportedAlgs'
 import { nameSpacesRecordToMap } from './mdocUtil'
 
 export class MdocDeviceResponse {
@@ -441,7 +441,7 @@ export class MdocDeviceResponse {
           jwk.jwkTypeHumanDescription
         }. Key supports algs ${jwk.supportedSignatureAlgorithms.join(
           ', '
-        )}. mdoc supports algs ${mdocSupporteSignatureAlgorithms.join(', ')}`
+        )}. mdoc supports algs ${mdocSupportedSignatureAlgorithms.join(', ')}`
       )
     }
 
diff --git a/packages/core/src/modules/mdoc/mdocSupportedAlgs.ts b/packages/core/src/modules/mdoc/mdocSupportedAlgs.ts
@@ -1,7 +1,7 @@
 import { type KnownJwaSignatureAlgorithm, KnownJwaSignatureAlgorithms } from '../kms'
 
-export type MdocSupportedSignatureAlgorithm = (typeof mdocSupporteSignatureAlgorithms)[number]
-export const mdocSupporteSignatureAlgorithms = [
+export type MdocSupportedSignatureAlgorithm = (typeof mdocSupportedSignatureAlgorithms)[number]
+export const mdocSupportedSignatureAlgorithms = [
   KnownJwaSignatureAlgorithms.ES256,
   KnownJwaSignatureAlgorithms.ES384,
   KnownJwaSignatureAlgorithms.ES512,
@@ -11,5 +11,5 @@ export const mdocSupporteSignatureAlgorithms = [
 export function isMdocSupportedSignatureAlgorithm(
   alg: KnownJwaSignatureAlgorithm
 ): alg is MdocSupportedSignatureAlgorithm {
-  return mdocSupporteSignatureAlgorithms.includes(alg as MdocSupportedSignatureAlgorithm)
+  return mdocSupportedSignatureAlgorithms.includes(alg as MdocSupportedSignatureAlgorithm)
 }
diff --git a/packages/core/src/modules/sd-jwt-vc/SdJwtVcService.ts b/packages/core/src/modules/sd-jwt-vc/SdJwtVcService.ts
@@ -326,7 +326,7 @@ export class SdJwtVcService {
           requiredClaimKeys: requiredClaimKeys ? [...requiredClaimKeys, 'vct'] : ['vct'],
           keyBindingNonce: keyBinding?.nonce,
           currentDate: dateToSeconds(now ?? new Date()),
-          skewSeconds: 0,
+          skewSeconds: agentContext.config.validitySkewSeconds,
         })
       } catch (error) {
         return {
@@ -347,7 +347,7 @@ export class SdJwtVcService {
       try {
         JwtPayload.fromJson(returnSdJwtVc.payload).validate({
           now: dateToSeconds(now ?? new Date()),
-          skewTime: 0,
+          skewSeconds: agentContext.config.validitySkewSeconds,
         })
       } catch (error) {
         return {
diff --git a/packages/core/src/modules/sd-jwt-vc/__tests__/SdJwtVcService.test.ts b/packages/core/src/modules/sd-jwt-vc/__tests__/SdJwtVcService.test.ts
@@ -1219,11 +1219,12 @@ describe('SdJwtVcService', () => {
     })
 
     test('verify expired sd-jwt-vc and fails', async () => {
+      // 31 seconds due to the skew of 30 seconds
       Date.prototype.getTime = vi.fn(function () {
-        return 1716111919 * 1000 + 1000
+        return 1716111919 * 1000 + 31000
       })
       Date.now = vi.fn(function () {
-        return 1716111919 * 1000 + 1000
+        return 1716111919 * 1000 + 31000
       })
       const verificationResult = await sdJwtVcService.verify(agent.context, {
         compactSdJwtVc: expiredSdJwtVc,
diff --git a/packages/core/src/modules/vc/jwt-vc/W3cJwtCredentialService.ts b/packages/core/src/modules/vc/jwt-vc/W3cJwtCredentialService.ts
@@ -109,7 +109,9 @@ export class W3cJwtCredentialService {
             : W3cJwtVerifiableCredential.fromSerializedJwt(options.credential)
 
         // Verify the JWT payload (verifies whether it's not expired, etc...)
-        credential.jwt.payload.validate()
+        credential.jwt.payload.validate({
+          skewSeconds: agentContext.config.validitySkewSeconds,
+        })
 
         validationResults.validations.dataModel = {
           isValid: true,
@@ -279,7 +281,9 @@ export class W3cJwtCredentialService {
             : W3cJwtVerifiablePresentation.fromSerializedJwt(options.presentation)
 
         // Verify the JWT payload (verifies whether it's not expired, etc...)
-        presentation.jwt.payload.validate()
+        presentation.jwt.payload.validate({
+          skewSeconds: agentContext.config.validitySkewSeconds,
+        })
 
         // Make sure challenge matches nonce
         if (options.challenge !== presentation.jwt.payload.additionalClaims.nonce) {
diff --git a/packages/core/src/modules/vc/jwt-vc/W3cV2JwtCredentialService.ts b/packages/core/src/modules/vc/jwt-vc/W3cV2JwtCredentialService.ts
@@ -106,7 +106,9 @@ export class W3cV2JwtCredentialService {
             : W3cV2JwtVerifiableCredential.fromCompact(options.credential)
 
         // Verify the JWT payload (verifies whether it's not expired, etc...)
-        credential.jwt.payload.validate()
+        credential.jwt.payload.validate({
+          skewSeconds: agentContext.config.validitySkewSeconds,
+        })
 
         validationResults.validations.dataModel = {
           isValid: true,
@@ -259,7 +261,9 @@ export class W3cV2JwtCredentialService {
             : W3cV2JwtVerifiablePresentation.fromCompact(options.presentation)
 
         // Verify the JWT payload (verifies whether it's not expired, etc...)
-        presentation.jwt.payload.validate()
+        presentation.jwt.payload.validate({
+          skewSeconds: agentContext.config.validitySkewSeconds,
+        })
 
         // Make sure challenge matches nonce
         if (options.challenge !== presentation.jwt.payload.additionalClaims.nonce) {
diff --git a/packages/core/src/modules/vc/jwt-vc/__tests__/W3cJwtCredentialService.test.ts b/packages/core/src/modules/vc/jwt-vc/__tests__/W3cJwtCredentialService.test.ts
@@ -283,7 +283,7 @@ describe('W3cJwtCredentialService', () => {
     test('returns invalid result when credential is expired', async () => {
       const jwtVc = W3cJwtVerifiableCredential.fromSerializedJwt(CredoEs256DidJwkJwtVc)
 
-      jwtVc.jwt.payload.exp = new Date('2020-01-01').getTime() / 1000
+      jwtVc.jwt.payload.exp = 1577836800
 
       const result = await w3cJwtCredentialService.verifyCredential(agentContext, {
         credential: jwtVc,
diff --git a/packages/core/src/modules/vc/jwt-vc/__tests__/W3cV2JwtCredentialService.test.ts b/packages/core/src/modules/vc/jwt-vc/__tests__/W3cV2JwtCredentialService.test.ts
@@ -292,7 +292,7 @@ describe('W3cV2JwtCredentialService', () => {
     test('returns invalid result when credential is expired', async () => {
       const jwtVc = W3cV2JwtVerifiableCredential.fromCompact(CredoEs256DidJwkJwtVc)
 
-      jwtVc.jwt.payload.exp = new Date('2020-01-01').getTime() / 1000
+      jwtVc.jwt.payload.exp = 1577836800
 
       const result = await w3cV2JwtCredentialService.verifyCredential(agentContext, {
         credential: jwtVc,
@@ -308,7 +308,7 @@ describe('W3cV2JwtCredentialService', () => {
         },
       })
 
-      expect(result.validations.dataModel?.error?.message).toContain('JWT expired at 1698151532')
+      expect(result.validations.dataModel?.error?.message).toContain('JWT expired at 1577836800')
     })
 
     test('returns invalid result when signature is not valid', async () => {
diff --git a/packages/core/src/modules/vc/sd-jwt-vc/W3cV2SdJwtCredentialService.ts b/packages/core/src/modules/vc/sd-jwt-vc/W3cV2SdJwtCredentialService.ts
@@ -132,7 +132,9 @@ export class W3cV2SdJwtCredentialService {
             : W3cV2SdJwtVerifiableCredential.fromCompact(options.credential)
 
         // Validate JWT payload
-        JwtPayload.fromJson(credential.sdJwt.payload).validate()
+        JwtPayload.fromJson(credential.sdJwt.payload).validate({
+          skewSeconds: agentContext.config.validitySkewSeconds,
+        })
 
         validationResults.validations.dataModel = {
           isValid: true,
@@ -158,7 +160,9 @@ export class W3cV2SdJwtCredentialService {
       })
 
       try {
-        await sdJwt.verify(credential.encoded)
+        await sdJwt.verify(credential.encoded, {
+          skewSeconds: agentContext.config.validitySkewSeconds,
+        })
 
         validationResults.validations.signature = {
           isValid: true,
@@ -271,7 +275,9 @@ export class W3cV2SdJwtCredentialService {
             : W3cV2SdJwtVerifiablePresentation.fromCompact(options.presentation)
 
         // Validate JWT payload
-        JwtPayload.fromJson(presentation.sdJwt.payload).validate()
+        JwtPayload.fromJson(presentation.sdJwt.payload).validate({
+          skewSeconds: agentContext.config.validitySkewSeconds,
+        })
 
         validationResults.validations.dataModel = {
           isValid: true,
@@ -296,7 +302,9 @@ export class W3cV2SdJwtCredentialService {
       })
 
       try {
-        await sdjwt.verify(presentation.encoded)
+        await sdjwt.verify(presentation.encoded, {
+          skewSeconds: agentContext.config.validitySkewSeconds,
+        })
 
         validationResults.validations.presentationSignature = {
           isValid: true,
diff --git a/packages/core/src/modules/vc/sd-jwt-vc/__tests__/W3cV2SdJwtCredentialService.test.ts b/packages/core/src/modules/vc/sd-jwt-vc/__tests__/W3cV2SdJwtCredentialService.test.ts
@@ -301,7 +301,7 @@ describe('W3cV2SdJwtCredentialService', () => {
     test('returns invalid result when credential is expired', async () => {
       const jwtVc = W3cV2SdJwtVerifiableCredential.fromCompact(CredoEs256DidJwkJwtVc)
 
-      jwtVc.sdJwt.payload.exp = Math.floor(new Date('2020-01-01').getTime() / 1000)
+      jwtVc.sdJwt.payload.exp = 1577836800
 
       const result = await w3cV2JwtCredentialService.verifyCredential(agentContext, {
         credential: jwtVc,
@@ -317,7 +317,7 @@ describe('W3cV2SdJwtCredentialService', () => {
         },
       })
 
-      expect(result.validations.dataModel?.error?.message).toContain('JWT expired at 1698151532')
+      expect(result.validations.dataModel?.error?.message).toContain('JWT expired at 1577836800')
     })
   })
 
diff --git a/packages/core/src/types.ts b/packages/core/src/types.ts
@@ -17,6 +17,24 @@ export interface InitConfig {
    * @default false
    */
   allowInsecureHttpUrls?: boolean
+
+  /**
+   * The allowed skew in seconds that should be allowed for validity time of a credentials and other signed
+   * objects (e.g. StatusList). Mobile devices especially can run a bit behind actual time, making validity
+   * checks fail based on a milliseconds / seconds.
+   *
+   * NOTE: this does currently only affects JWT based objects and credentials:
+   * - Token Status List
+   * - SD-JWT VC
+   * - W3C VCDM 1.1 and 2.0 with JWT/SD-JWT
+   *
+   * It does not cover
+   * - W3C VCDM 1.1 JSON-LD
+   * - mDOC
+   *
+   * @default 30
+   */
+  validitySkewSeconds?: number
 }
 
 export type JsonValue = string | number | boolean | null | JsonObject | JsonArray
diff --git a/packages/openid4vc/src/openid4vc-issuer/OpenId4VcIssuerService.ts b/packages/openid4vc/src/openid4vc-issuer/OpenId4VcIssuerService.ts
@@ -1121,7 +1121,9 @@ export class OpenId4VcIssuerService {
 
     const key = issuer.resolvedAccessTokenPublicJwk
     const jwt = Jwt.fromSerializedJwt(cNonce)
-    jwt.payload.validate()
+    jwt.payload.validate({
+      skewSeconds: agentContext.config.validitySkewSeconds,
+    })
 
     if (jwt.payload.iss !== issuerMetadata.credentialIssuer.credential_issuer) {
       throw new CredoError(`Invalid 'iss' claim in cNonce jwt`)
@@ -1189,9 +1191,11 @@ export class OpenId4VcIssuerService {
     return refreshToken
   }
 
-  public parseRefreshToken(token: string) {
+  public parseRefreshToken(agentContext: AgentContext, token: string) {
     const jwt = Jwt.fromSerializedJwt(token)
-    jwt.payload.validate()
+    jwt.payload.validate({
+      skewSeconds: agentContext.config.validitySkewSeconds,
+    })
 
     if (!jwt.payload.exp) {
       throw new CredoError(`Missing 'exp' claim in refresh token jwt`)
diff --git a/packages/openid4vc/src/openid4vc-issuer/router/accessTokenEndpoint.ts b/packages/openid4vc/src/openid4vc-issuer/router/accessTokenEndpoint.ts
@@ -70,7 +70,7 @@ export function handleTokenRequest(config: OpenId4VcIssuerModuleConfig) {
             OpenId4VcIssuanceSessionState.CredentialRequestReceived,
             OpenId4VcIssuanceSessionState.CredentialsPartiallyIssued,
           ]
-          parsedRefreshToken = openId4VcIssuerService.parseRefreshToken(grant.refreshToken)
+          parsedRefreshToken = openId4VcIssuerService.parseRefreshToken(agentContext, grant.refreshToken)
           query = {
             preAuthorizedCode: parsedRefreshToken.preAuthorizedCode,
             authorizationCode: parsedRefreshToken.issuerState,

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+import { DEFAULT_SKEW_TIME } from '../crypto/jose/jwt/JwtPayload'`
`1`	`2`	`import type { Logger } from '../logger'`
`2`	`3`	`import { ConsoleLogger, LogLevel } from '../logger'`
`3`	`4`	`import type { InitConfig } from '../types'`
`@@ -22,6 +23,10 @@ export class AgentConfig {`
`22`	`23`	`return this.initConfig.autoUpdateStorageOnStartup ?? false`
`23`	`24`	`}`
`24`	`25`
	`26`	`+ public get validitySkewSeconds() {`
	`27`	`+ return this.initConfig.validitySkewSeconds ?? DEFAULT_SKEW_TIME`
	`28`	`+ }`
	`29`	`+`
`25`	`30`	`public extend(config: Partial<InitConfig>): AgentConfig {`
`26`	`31`	`return new AgentConfig({ ...this.initConfig, logger: this.logger, ...config }, this.agentDependencies)`
`27`	`32`	`}`