HAIP 1.0 OID4VP Verifier — conformance self-test results

Independent evidence that the CodeB EU Wallet Verifier passes the OpenID Foundation OID4VP-1.0-FINAL + HAIP-1.0-FINAL Verifier certification profile (alpha), executed by the OIDF-hosted conformance harness on 2026-07-19.

Test plan finished 2026-07-19
9 tests passed · 0 failures · 0 warnings
9
tests total
9
passed
0
failures
0
warnings
Self-test result on the OIDF alpha profile, not the OpenID Certified™ mark. Results generated by the OpenID Foundation conformance suite hosted at certification.openid.net. The OID4VP-1.0-FINAL + HAIP-1.0-FINAL Verifier profile is currently in alpha self-certification. Formal listing on the OpenID certified deployments page follows the OIDF submission process; this page attests that the exact EU Wallet Verifier shipped inside every CodeB tenant deployment passes the alpha suite end-to-end without failures or warnings. Formal submission is on the roadmap.

Summary

AreaWhat it verifiesResult
Happy pathEnd-to-end DCQL query, JAR, wallet response, JWE decrypt, SD-JWT VC parse, KB-JWT verify, claim mappingPass
Minimal cnf.jwkAccepts holder-binding JWKs that carry only required fields (kty/crv/x/y), no optional metadataPass
Issuer signature integrityRejects VP whose SD-JWT issuer JWS signature has been tampered withPass
Key Binding JWT signatureRejects VP whose KB-JWT signature fails to verify against the credential’s cnf keyPass
Selective-disclosure integrityRejects VP where the KB-JWT’s sd_hash does not match the presented SD-JWT bytesPass
KB-JWT nonce bindingRejects VP where KB-JWT nonce does not match the authorization-request noncePass
KB-JWT audience bindingRejects VP where KB-JWT aud does not match the verifier client identifierPass
KB-JWT time skew (past)Rejects VP whose KB-JWT iat is outside the acceptable freshness window (1 year in the past)Pass
KB-JWT time skew (future)Rejects VP whose KB-JWT iat is outside the acceptable freshness window (1 year in the future)Pass

Evidence

Three independent evidence trails, any one is enough to reproduce the test on your own infrastructure.

Live OIDF plan (read-only)
certification.openid.net » plan Wa46KCPHMZ5EV
Signed private link, valid through 2029-04-14. Opens the OIDF-hosted plan-detail view of every individual test run.
Certification package (ZIP)
oid4vp-1final-verifier-haip-test-plan · 441 KB
OIDF-generated bundle: plan metadata, per-test JSON + HTML logs, JWS signatures over each log for tamper-evident inspection.
EU Wallet Verifier reference
Endpoints, algorithms, cryptography
What the verifier exposes: DCQL query builder, JAR request signing, direct_post.jwt handling, per-tenant X.509 chain, verified-claims file.

Test breakdown — 9 tests, all passed

Every test finished with harness status FINISHED and result PASSED.

Happy path (2)

Test nameResult
oid4vp-1final-verifier-happy-flowPass
oid4vp-1final-verifier-minimal-cnf-jwkPass

Cryptographic integrity (3)

Test nameResult
oid4vp-1final-verifier-invalid-credential-signaturePass
oid4vp-1final-verifier-invalid-kb-jwt-signaturePass
oid4vp-1final-verifier-invalid-sd-hashPass

Session binding (2)

Test nameResult
oid4vp-1final-verifier-invalid-kb-jwt-noncePass
oid4vp-1final-verifier-invalid-kb-jwt-audPass

Freshness (2)

Test nameResult
oid4vp-1final-verifier-kb-jwt-iat-in-pastPass
oid4vp-1final-verifier-kb-jwt-iat-in-futurePass

How to reproduce

  1. Sign up for a free account at certification.openid.net, create a plan of type “OID4VP-1.0-FINAL + HAIP-1.0-FINAL Verifier” (alpha) with variant credential_format=sd_jwt_vc and response_mode=direct_post.jwt.
  2. Configure the plan’s server section with your CodeB tenant verifier metadata: the authorization endpoint URL, your per-tenant X.509 leaf public key, and your chosen client_id_prefix (both x509_hash and x509_san_dns are supported).
  3. Run all 10 sub-tests. The verifier drives each end-to-end from wallet selection through decrypted-response claim delivery; no manual interaction is needed.
  4. Download the certification package ZIP from your plan-detail page and compare per-test results arrays against the JSON bundle linked above.

Roadmap to the OpenID Certified™ mark

Passing the alpha conformance suite is step one. The full path to being listed on the OpenID Foundation certified-implementations page is:

  1. Done — OID4VP-1.0-FINAL + HAIP-1.0-FINAL Verifier alpha suite, sd_jwt_vc + direct_post.jwt variant, zero-failure zero-warning run on the OIDF harness.
  2. Next — run the same suite against the additional variants the profile allows (request_uri_method=post, mDL credential format) once the OIDF harness advances beyond alpha, and archive each plan.
  3. Then — submit the plan IDs + OIDF certification fee to the OpenID Foundation using the process at openid.net/certification/instructions/. Listing typically appears within one to two weeks of submission.
  4. Also on the plan — OpenID4VCI 1.0 Issuer certification for the credential-issuance side (tracked separately once OIDF publishes the corresponding Issuer conformance profile).

Details about the run

Certification profileOID4VP-1.0-FINAL + HAIP-1.0-FINAL Verifier (alpha)
Plan nameoid4vp-1final-verifier-haip-test-plan
Plan IDWa46KCPHMZ5EV
Variantcredential_format=sd_jwt_vc, response_mode=direct_post.jwt, client_id_prefix=x509_hash, request_method=request_uri_signed, vp_profile=haip
Plan started2026-07-18 22:23:21 UTC
Plan finished2026-07-19
Tests10 total — 9 PASSED, 1 SKIPPED (variant-out-of-scope)
Failures0
Warnings0
Verifier under testCodeB EU Wallet Verifier — the same code path shipped in every CodeB tenant deployment, running on production infrastructure at the time of the test

Related specifications

Last updated 2026-07-19. Related pages: HAIP implementation notes · EU Wallet Verifier reference · OIDC Basic OP conformance · API reference · Deutsch