HAIP 1.0 OID4VP Verifier — conformance self-test results
Independent evidence that the CodeB EU Wallet Verifier passes the OpenID Foundation OID4VP-1.0-FINAL + HAIP-1.0-FINAL Verifier certification profile (alpha), executed by the OIDF-hosted conformance harness on 2026-07-19.
Test plan finished 2026-07-19
9 tests passed · 0 failures · 0 warnings
9
tests total
9
passed
0
failures
0
warnings
Self-test result on the OIDF alpha profile, not the OpenID Certified™ mark. Results generated by the OpenID Foundation conformance suite hosted at certification.openid.net. The OID4VP-1.0-FINAL + HAIP-1.0-FINAL Verifier profile is currently in alpha self-certification. Formal listing on the OpenID certified deployments page follows the OIDF submission process; this page attests that the exact EU Wallet Verifier shipped inside every CodeB tenant deployment passes the alpha suite end-to-end without failures or warnings. Formal submission is on the roadmap.
Summary
| Area | What it verifies | Result |
|---|---|---|
| Happy path | End-to-end DCQL query, JAR, wallet response, JWE decrypt, SD-JWT VC parse, KB-JWT verify, claim mapping | Pass |
Minimal cnf.jwk | Accepts holder-binding JWKs that carry only required fields (kty/crv/x/y), no optional metadata | Pass |
| Issuer signature integrity | Rejects VP whose SD-JWT issuer JWS signature has been tampered with | Pass |
| Key Binding JWT signature | Rejects VP whose KB-JWT signature fails to verify against the credential’s cnf key | Pass |
| Selective-disclosure integrity | Rejects VP where the KB-JWT’s sd_hash does not match the presented SD-JWT bytes | Pass |
| KB-JWT nonce binding | Rejects VP where KB-JWT nonce does not match the authorization-request nonce | Pass |
| KB-JWT audience binding | Rejects VP where KB-JWT aud does not match the verifier client identifier | Pass |
| KB-JWT time skew (past) | Rejects VP whose KB-JWT iat is outside the acceptable freshness window (1 year in the past) | Pass |
| KB-JWT time skew (future) | Rejects VP whose KB-JWT iat is outside the acceptable freshness window (1 year in the future) | Pass |
Evidence
Three independent evidence trails, any one is enough to reproduce the test on your own infrastructure.
Live OIDF plan (read-only)
certification.openid.net » plan Wa46KCPHMZ5EV
Signed private link, valid through 2029-04-14. Opens the OIDF-hosted plan-detail view of every individual test run.
Certification package (ZIP)
oid4vp-1final-verifier-haip-test-plan · 441 KB
OIDF-generated bundle: plan metadata, per-test JSON + HTML logs, JWS signatures over each log for tamper-evident inspection.
EU Wallet Verifier reference
Endpoints, algorithms, cryptography
What the verifier exposes: DCQL query builder, JAR request signing, direct_post.jwt handling, per-tenant X.509 chain, verified-claims file.
Test breakdown — 9 tests, all passed
Every test finished with harness status FINISHED and result PASSED.
Happy path (2)
| Test name | Result |
|---|---|
| oid4vp-1final-verifier-happy-flow | Pass |
| oid4vp-1final-verifier-minimal-cnf-jwk | Pass |
Cryptographic integrity (3)
| Test name | Result |
|---|---|
| oid4vp-1final-verifier-invalid-credential-signature | Pass |
| oid4vp-1final-verifier-invalid-kb-jwt-signature | Pass |
| oid4vp-1final-verifier-invalid-sd-hash | Pass |
Session binding (2)
| Test name | Result |
|---|---|
| oid4vp-1final-verifier-invalid-kb-jwt-nonce | Pass |
| oid4vp-1final-verifier-invalid-kb-jwt-aud | Pass |
Freshness (2)
| Test name | Result |
|---|---|
| oid4vp-1final-verifier-kb-jwt-iat-in-past | Pass |
| oid4vp-1final-verifier-kb-jwt-iat-in-future | Pass |
How to reproduce
- Sign up for a free account at certification.openid.net, create a plan of type “OID4VP-1.0-FINAL + HAIP-1.0-FINAL Verifier” (alpha) with variant
credential_format=sd_jwt_vcandresponse_mode=direct_post.jwt. - Configure the plan’s
serversection with your CodeB tenant verifier metadata: the authorization endpoint URL, your per-tenant X.509 leaf public key, and your chosenclient_id_prefix(bothx509_hashandx509_san_dnsare supported). - Run all 10 sub-tests. The verifier drives each end-to-end from wallet selection through decrypted-response claim delivery; no manual interaction is needed.
- Download the certification package ZIP from your plan-detail page and compare per-test
resultsarrays against the JSON bundle linked above.
Roadmap to the OpenID Certified™ mark
Passing the alpha conformance suite is step one. The full path to being listed on the OpenID Foundation certified-implementations page is:
- Done — OID4VP-1.0-FINAL + HAIP-1.0-FINAL Verifier alpha suite,
sd_jwt_vc+direct_post.jwtvariant, zero-failure zero-warning run on the OIDF harness. - Next — run the same suite against the additional variants the profile allows (
request_uri_method=post, mDL credential format) once the OIDF harness advances beyond alpha, and archive each plan. - Then — submit the plan IDs + OIDF certification fee to the OpenID Foundation using the process at openid.net/certification/instructions/. Listing typically appears within one to two weeks of submission.
- Also on the plan — OpenID4VCI 1.0 Issuer certification for the credential-issuance side (tracked separately once OIDF publishes the corresponding Issuer conformance profile).
Details about the run
| Certification profile | OID4VP-1.0-FINAL + HAIP-1.0-FINAL Verifier (alpha) |
|---|---|
| Plan name | oid4vp-1final-verifier-haip-test-plan |
| Plan ID | Wa46KCPHMZ5EV |
| Variant | credential_format=sd_jwt_vc, response_mode=direct_post.jwt, client_id_prefix=x509_hash, request_method=request_uri_signed, vp_profile=haip |
| Plan started | 2026-07-18 22:23:21 UTC |
| Plan finished | 2026-07-19 |
| Tests | 10 total — 9 PASSED, 1 SKIPPED (variant-out-of-scope) |
| Failures | 0 |
| Warnings | 0 |
| Verifier under test | CodeB EU Wallet Verifier — the same code path shipped in every CodeB tenant deployment, running on production infrastructure at the time of the test |
Related specifications
- OpenID for Verifiable Presentations 1.0 (FINAL) — the wallet-verifier protocol under test.
- High Assurance Interoperability Profile 1.0 (FINAL) — the eIDAS 2.0-aligned profile that pins credential format, cryptography, client-id prefixes, response mode, and key binding.
- SD-JWT VC (IETF) — the credential format used throughout the test plan.
- OpenID4VCI 1.0 — the companion Issuer specification (separate CodeB conformance track).
Last updated 2026-07-19. Related pages: HAIP implementation notes · EU Wallet Verifier reference · OIDC Basic OP conformance · API reference · Deutsch