Missing IssuerSigned Items in a mdoc authentication session

[vanhoanHoang]

Hi team,

I have recently looked at the OpenID4VP with mdoc format and run into a Wallet issue which does not send IssuerSigned items to Verifier. I have created a mdoc credential org.iso.18013.5.1.mDL containing 3 attributes: family_name, given_name, birth_date

I then created a verification session to request the Wallet to submit this credential. The presentation_definition looks like this:

{
   "id":"803c9bc1-ce15-47b2-8b60-9023db04cc0c",
   "input_descriptors":[
      {
         "id":"org.iso.18013.5.1.mDL",
         "purpose":"Testing mdoc",
         "format":{
            "mso_mdoc":{
               "alg":[
                  "RSA",
                  "ECDSA",
                  "EdDSA"
               ]
            }
         },
         "constraints":{
            "fields":[
               {
                  "path":[
                     "family_name"
                  ],
                  "filter":{
                     "pattern":".*",
                     "type":"string"
                  },
                  "intent_to_retain":true
               },
               {
                  "path":[
                     "$.type"
                  ],
                  "filter":{
                     "pattern":"org.iso.18013.5.1.mDL",
                     "type":"string"
                  },
                  "intent_to_retain":true
               }
            ]
         }
      }
   ]
}

Note that I added family_name in the presentation_definiton for testing purpose only. More specifically, I added this in the suspect of Wallet only sending attributes required explicitly in the presentation_definition. But removing it does not have any effect on Wallet behavior, resulting in the same vp_token which does not contain any IssuerSigned items as indicated below:

The following is an vp_token constructed by the Wallet to present to Verifier:

vp_token=o2d2ZXJzaW9uYzEuMGlkb2N1bWVudHOBo2dkb2NUeXBldW9yZy5pc28uMTgwMTMuNS4xLm1ETGxpc3N1ZXJTaWduZWSiam5hbWVTcGFjZXOhcW9yZy5pc28uMTgwMTMuNS4xgGppc3N1ZXJBdXRohEOhASahGCFZAUswggFHMIHuoAMCAQICCDntyHqaePkqMAoGCCqGSM49BAMCMBcxFTATBgNVBAMMDE1ET0MgUk9PVCBDQTAeFw0yNDA1MDIxMzEzMzBaFw0yNTA1MDIxMzEzMzBaMBsxGTAXBgNVBAMMEE1ET0MgVGVzdCBJc3N1ZXIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQbREg0GIX6hBQPd3kMad6BC5d6cjb0kNowagy-KgpEE3nd3hRrNqRLa6e7wGewS3G61LaSpGFgE9iT1ECuJTeBoyAwHjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB_wQEAwIHgDAKBggqhkjOPQQDAgNIADBFAiEAjnAEEADd7CojCyWG7MWfis0Vb12TPZNjvF4iY7sKtpgCIBiFqLU3MnppsCJiDwfFxF1ik7hu7ZJ6PwToLMUcrfhjWQHD2BhZAb6mZ3ZlcnNpb25jMS4wb2RpZ2VzdEFsZ29yaXRobWdTSEEtMjU2bHZhbHVlRGlnZXN0c6Fxb3JnLmlzby4xODAxMy41LjGjAFggPOVIT8AfKkEtdFPwfNURxRweIxA5tcVzvFQ3eRBsBekBWCD-C-T_D9EyDjf9RYCShmR-NegK-QpjpLR4m0_0IaCJMQJYINidsvlZ2uy_lNQt86JlAf65aXxjG9zowy5R_0kCyoanbWRldmljZUtleUluZm-haWRldmljZUtleaQBAiABIVgge5FMzcP3o2brlVkHzXr3HLA9UWw4Z5IL-oXpKUatYLwiWCDHPlV4LYM5MtrPDorZgmNcE93i4fXco09IRGaRdQmIzWdkb2NUeXBldW9yZy5pc28uMTgwMTMuNS4xLm1ETGx2YWxpZGl0eUluZm-jZnNpZ25lZMB4HjIwMjQtMDktMDJUMDk6Mjg6MjQuNzM1NjkyNzgwWml2YWxpZEZyb23AeB4yMDI0LTA5LTAyVDA5OjI4OjI0LjczNTY5MzY1NVpqdmFsaWRVbnRpbMB4HjIwMjUtMDktMDJUMDk6Mjg6MjQuNzM1NjkzNzIzWlhATQVhul0vXQkexIdE2jGk3zPyfFPHoWygRKaQ8Vaw-pmOazSE2s8VaG7wEj01m4iZJz1G38ivukUujpKljKFJW2xkZXZpY2VTaWduZWSiam5hbWVTcGFjZXPYGEGgamRldmljZUF1dGihb2RldmljZVNpZ25hdHVyZYRDoQEmoRghgPZYQLgfCA5rVqA3cZKrwLjDcsrutRqeNoGzJCfhD6GiSZmdNL9qaKjfaxCl54QQvLrleCLlDqyPXMzbhHYzbWBiHv1mc3RhdHVzAA%3D%3D&presentation_submission=%7B%22id%22%3A%22pX019X5Dtlmu%22%2C%22definition_id%22%3A%22pX019X5Dtlmu%22%2C%22descriptor_map%22%3A%5B%7B%22id%22%3A%22org.iso.18013.5.1.mDL%22%2C%22format%22%3A%22mso_mdoc%22%2C%22path%22%3A%22%24%22%2C%22path_nested%22%3A%7B%22id%22%3A%22org.iso.18013.5.1.mDL%22%2C%22format%22%3A%22mso_mdoc%22%2C%22path%22%3A%22%24.documents%5B0%5D%22%7D%7D%5D%7D&state=bcQbBJjpuQU

By decoding the vp_token, we can obtain the mdoc details as shown in the Figure below:

We can see that the IssuerSigned items is an empty List as shown in the namespace org.iso.18013.5.1 . I guess there are some problems on the mdoc library side not to include all these items ?

Can you have a look at this please ?

Cheers,
Hoan Hoang

[vanhoanHoang]

I have looked into the iso 18013-7 spec and realized that my presentation_definition had not been relevant for mso_mdoc. I have created a new one as followings:

{
    "id": "7c80dc00-604f-4edd-9956-87a2426437fa",
    "input_descriptors": [
      {
        "id": "org.iso.18013.5.1.mDL",
        "purpose": "verify mdl of users",
        "format": {
          "mso_mdoc": {
            "alg": [
              "ECDSA"
            ]
          }
        },
        "constraints": {
          "fields": [
            {
              "path": [
                "$['org.iso.18013.5.1']['given_name']"
              ],
              "filter": {
                "type": "string",
                "pattern": ".*"
              },
              "intent_to_retain": true
            }
          ],
          "limit_disclosure": "required"
        }
      }
    ]
  }

However, the wallet still does not send the requested claim, which is given_name. The problem is currently with this line CODE in the InputDescriptorField class.

Currently, this line splits the namespace concatenated with the claim using a . as the delimiter. However, for namespaces that already contain a . (such as those in mdl), this causes the claim and the namespace to be incorrectly split and then added to the MDocRequestBuilder.

This is leading to incorrect behavior, as the claim isn't being processed as expected. Could we address this issue in the InputDescriptorField class to correctly handle namespaces with . in the next release ? @severinstampler :)

Thank you!