16.4.1.5. Credential Verifier Test Matrix¶
This section provides the set of test cases designed for technical implementers and development teams responsible for creating and deploying Credential Verifiers / Relying Parties.
16.4.1.5.1. Remote Credential Verifier Test Matrix¶
This section provides the set of test cases designed for technical implementers and development teams responsible for creating and deploying Credential Verifiers solutions for remote flows. It is also intended for assessment bodies inspecting and validating the implementations of Credential Verifiers solutions for remote flows.
Note
References about official OpenID4VP test plans will update this section in future releases.
Test Case ID |
Purpose |
Description |
Expected Result |
---|---|---|---|
RPR-01 |
Same Device Flow |
Verify HTTP redirect (302) URL. |
Relying Party issues a correct URL using the base url provided within its metadata. |
RPR-02 |
Cross Device Flow |
Verify QR Code generation for Wallet Instance. |
Relying Party issues QR Code successfully. |
RPR-03 |
Cross Device Flow |
Verify QR Code contains correct URL parameters. |
Relying Party issues the QR-Code containing an URL using the base url provided within its metadata. |
RPR-04 |
Cross Device Flow |
Test QR Code scanning in low light. |
QR Code is scanned successfully. |
RPR-05 |
Cross Device Flow |
Verify QR Code error correction level. |
QR Code remains readable if damaged. |
RPR-06 |
Cross Device Flow |
Test QR Code scanning with different devices. |
QR Code is scanned successfully. |
RPR-07 |
Request URI Method |
Test |
Relying Party accepts Wallet Instance metadata via POST and replies with an updated Request Object. |
RPR-08 |
Request URI Method |
Test |
Relying Party issues the Request Object via HTTP GET response. |
RPR-09 |
Request URI Method |
Test absence of |
Relying Party accepts defaults to GET method. |
RPR-10 |
Metadata |
Verify parameters match OpenID Credential Verifier metadata. |
Only allowed parameters will be considered. |
RPR-11 |
User Consent |
Test eligibility of a Credential Verifier in requesting User attributes. |
User can modify data selection about optional attributes. |
RPR-12 |
Authorization Response |
Test sending of Presentation Response. |
Relying Party receives and validates response with |
RPR-13 |
Authorization Response |
Verify response encryption. |
Relying Party evaluates the encrypted response using its public key (one of its keys). |
RPR-14 |
Error Handling |
Test invalid Request Object handling. |
Error Response is sent. |
RPR-15 |
Error Handling |
Verify error logging. |
Errors are logged appropriately. |
RPR-16 |
Error Handling |
Test recovery from Authorization Request Error. |
Relying Party prompts the User to retry or scan new QR code. |
RPR-17 |
Error Handling |
Test fake HTTP Cookie. |
Relying Party checks the User session consistency coupling the session http cookie and the state and nonces provided. |
RPR-19 |
Redirect URI |
Test redirection to Relying Party's endpoint. |
User is redirected correctly, the endpoint works. |
RPR-20 |
Redirect URI |
Verify handling of invalid redirect_uri. |
Error response is returned. |
RPR-23 |
Credential Presentation |
Verify response format compliance. |
Relying Party supports all the Credential format included within its |
RPR-24 |
Authorization Response |
Test handling of response timeouts. |
Retries must be successful unless response is acquired. |
RPR-25 |
Error Handling |
Verify handling of malformed claims in presentation payload. |
Authorization Error Response is sent. |
RPR-26 |
Error Handling |
Verify handling of malformed claims in presented credentials. |
Authorization Error Response is sent. |
RPR-27 |
Error Handling |
Test handling of expired requests. |
Holder is notified of expiration. |
RPR-28 |
Relying Party Response |
Verify inclusion of response code. |
Response code is cryptographically random. |
RPR-29 |
Relying Party Response |
Test handling of invalid response codes. |
Error response is returned. |
RPR-30 |
Status Endpoint |
Verify handling of unauthorized access. |
Unauthorized access is denied. |
RPR-31 |
Status Endpoint |
Test handling of invalid session IDs. |
Error response is returned. |
RPR-32 |
Redirect URI |
Verify handling of expired sessions. |
Error response is returned. |
RPR-33 |
Redirect URI |
Test handling of server errors. |
Error response is returned. |
RPR-34 |
Same and Cross Device Flow |
Verify handling of slow network conditions. |
Relying Party provides the http response within the maximum limit of 2 seconds. |
RPR-36 |
Presentation Response |
Verify handling of large response payloads. |
Response is evaluated within appropriate security thresholds. |
RPR-37 |
Presentation Response |
Test handling of response encryption failures. |
Error response is returned. |
RPR-38 |
Error Handling |
Verify handling of invalid signatures. |
Authorization Error Response is sent. |
RPR-39 |
Error Handling |
Test handling of invalid nonce values. |
Error response is returned. |
RPR-40 |
Relying Party Response |
Verify handling of malformed responses. |
Error response is returned. |
RPR-41 |
Relying Party Response |
Test handling of missing response parameters. |
Error response is returned. |
RPR-42 |
Status Endpoint |
Verify handling of session timeouts. |
Error response is returned. |
RPR-43 |
Status Endpoint |
Test handling of invalid status codes. |
Error response is returned. |
RPR-44 |
Redirect URI |
Verify handling of invalid user sessions. |
Error response is returned. |
RPR-45 |
Redirect URI |
Test handling of unavailable services. |
Error response is returned. |
RPR-46 |
Same Device Flow |
Verify handling of user cancellations. |
User can cancel the process. |
RPR-47 |
Cross Device Flow |
Test QR Code scanning with different apps. |
QR Code is scanned successfully. |
RPR-48 |
Cross Device Flow |
Verify QR Code scanning with different lighting. |
QR Code is scanned successfully. |
RPR-49 |
Request URI Method |
Test handling of unsupported content types. |
Error response is returned. |
RPR-50 |
User Consent |
Verify user notification of consent changes. |
User is informed about consent changes. |
RPR-51 |
User Consent |
Test user consent for sensitive data. |
User can consent to sensitive data. |
RPR-52 |
Authorization Response |
Verify handling of response decryption failures. |
Error response is returned. |
RPR-53 |
Authorization Response |
Test handling of response integrity checks. |
Response integrity is verified. |
RPR-54 |
Relying Party Response |
Verify handling of response validation failures. |
Error response is returned. |
RPR-55 |
Relying Party Response |
Test handling of response processing errors. |
Error response is returned. |
RPR-56 |
Protected Resource Endpoint |
Verify handling of unauthorized session access. |
Unauthorized access is denied. |
RPR-57 |
Redirect URI |
Verify handling of invalid redirect parameters. |
Error response is returned. |
RPR-58 |
Redirect URI |
Test handling of redirect failures. |
Error response is returned. |
RPR-59 |
Same Device Flow |
Verify handling of user interruptions. |
User can resume or cancel the process. |
RPR-60 |
Request URI Method |
Test handling of invalid HTTP methods. |
Error response is returned. |
RPR-61 |
User Consent |
Verify user notification of consent revocation. |
User is informed about consent revocation. |
RPR-62 |
User Consent |
Test user consent for optional data. |
User can consent to optional data. |
RPR-63 |
Authorization Response |
Verify handling of response signature failures. |
Error response is returned. |
RPR-64 |
Authorization Response |
Test handling of response format errors. |
Error response is returned. |
RPR-65 |
Error Handling |
Verify handling of invalid JWT signatures. |
Authorization Error Response is sent. |
RPR-66 |
Error Handling |
Test handling of invalid JWT claims. |
Error response is returned. |
RPR-67 |
Relying Party Response |
Verify handling of response parsing errors. |
Error response is returned. |
RPR-68 |
Relying Party Response |
Test handling of response timeout errors. |
Error response is returned. |
RPR-69 |
Status Endpoint |
Verify handling of session expiration. |
Error response is returned. |
RPR-70 |
Status Endpoint |
Test handling of session renewal errors. |
Error response is returned. |
RPR-71 |
Redirect URI |
Verify handling of redirect loop errors. |
Error response is returned. |
RPR-72 |
Redirect URI |
Test handling of redirect security errors. |
Error response is returned. |
RPR-73 |
Same Device Flow |
Verify handling of user timeouts. |
User is notified of timeout. |
RPR-74 |
Cross Device Flow |
Test QR Code scanning with different devices. |
QR Code is scanned successfully. |
RPR-75 |
Cross Device Flow |
Verify QR Code scanning with different apps. |
QR Code is scanned successfully. |
RPR-76 |
Request URI Method |
Test handling of unsupported HTTP methods. |
Error response is returned. |
RPR-77 |
QR Code Generation |
Verify that QR Code error correction level is Q (Quartile - up to 25%). |
QR Code uses the required Q error correction level. |
RPR-78 |
Wallet Attestation Request |
Test that Wallet Attestation request uses standard DCQL query. |
Wallet Attestation request correctly uses standard DCQL query. |
RPR-79 |
Wallet Attestation Request |
Verify that |
|
RPR-80 |
Wallet Attestation Request |
Test that |
|
RPR-81 |
Wallet Nonce |
Test that Relying Party checks |
Relying Party correctly checks |
RPR-82 |
Response Types |
Verify that |
|
RPR-83 |
Redirect URI |
Test that Relying Party correctly provides |
Relying Party correctly provides and handles |
RPR-84 |
Flow Support |
Test that Relying Party supports required remote flows. |
Relying Party supports both Same Device and Cross Device flows. |
RPR-85 |
Endpoint Security |
Test that |
|
RPR-86 |
Privacy Protection |
Test that Relying Party correctly validates Wallet Instance metadata without User information. |
Relying Party correctly evaluates Wallet Instance technical capabilities. |
RPR-87 |
Request URI POST Method |
Test that Relying Party supports receiving Wallet Instance metadata via POST to |
Relying Party correctly accepts and processes Wallet Instance metadata sent via POST with the required content type. |
RPR-88 |
Algorithm Validation |
Test that JWT algorithm is supported and not |
JWT algorithm is from supported list and not |
RPR-89 |
Media Type Validation |
Test that JWT typ is set to |
JWT typ parameter is correctly set to |
RPR-90 |
Response Mode Validation |
Test that |
|
RPR-91 |
Response Type Validation |
Test that |
|
RPR-92 |
Response URI Usage |
Test that Relying Party correctly provides |
Relying Party sends Authorization Response to correct |
RPR-93 |
Nonce Entropy |
Test that nonce has sufficient entropy (32+ digits). |
nonce parameter has sufficient entropy with at least 32 digits. |
RPR-94 |
JWT Expiration |
Test that JWT |
JWT |
RPR-95 |
Response URI Security |
Test that |
|
RPR-96 |
Client Metadata Handling |
Test that Relying Party correctly handles Wallet Instance |
The |
RPR-97 |
Wallet Attestation Request |
Test that Relying Party requests Wallet Attestation via DCQL. |
Relying Party correctly requests Wallet Attestation using DCQL query. |
RPR-98 |
Error Response Format |
Test that error response uses |
Error response correctly uses |
RPR-99 |
Error Response Parameters |
Test that error response includes required parameters. |
Error response includes error and |
RPR-100 |
Wallet Attestation Presentation |
Test that Relying Party correctly requests Wallet Attestation from Wallet Instance. |
Relying Party correctly evaluates Wallet Attestation when requested. |
RPR-101 |
Presentation Array |
Test that |
|
RPR-102 |
KB-JWT Inclusion |
Test that Holder includes KB-JWT in SD-JWT. |
Holder correctly includes KB-JWT in SD-JWT presentation. |
RPR-103 |
KB-JWT Validation |
Test that Relying Party validates KB-JWT signature. |
Relying Party correctly validates KB-JWT signature using public key. |
RPR-104 |
KB-JWT Header |
Test that KB-JWT contains required header parameters. |
KB-JWT contains required |
RPR-105 |
KB-JWT Payload |
Test that KB-JWT contains required payload parameters. |
KB-JWT contains required |
RPR-106 |
KB-JWT Audience |
Test that KB-JWT |
KB-JWT |
RPR-107 |
KB-JWT Nonce |
Test that KB-JWT |
KB-JWT |
RPR-108 |
Authorization Error Response |
Test that Relying Party correctly handles Wallet Instance Authorization Error Response on validation failure. |
Relying Party correctly evaluates Authorization Error Response when validation fails. |
RPR-109 |
Error Response Encoding |
Test that Authorization Error Response is encoded correctly. |
Authorization Error Response is encoded in |
RPR-110 |
Response Processing |
Test that Response URI returns HTTP 200 on successful processing. |
Response URI returns HTTP 200 with |
RPR-111 |
Error Code Consistency |
Test that error codes are consistent across different endpoints. |
Error codes are consistent across all Relying Party endpoints. |
RPR-112 |
Response Code Inclusion |
Test that Relying Party includes response code in |
Relying Party includes fresh response code in |
RPR-113 |
Redirect URI Security |
Test that |
|
RPR-114 |
Validation Error Response |
Test that Response URI returns error response on validation failure. |
Response URI returns error response when validation checks fail. |
16.4.1.5.2. Proximity Credential Verifier Test Matrix¶
This section provides the set of test cases designed for technical implementers and development teams responsible for creating and deploying Credential Verifiers solutions for proximity flows. It is also intended for assessment bodies inspecting and validating the implementations of Credential Verifiers solutions for proximity flows.
Note
Further references about official ISO-18013-5 test plans, if available, will update this section in future releases.
Test Case ID |
Purpose |
Description |
Expected Result |
---|---|---|---|
PPR-001 |
Device Engagement |
Test the initiation of device engagement using QR code. |
Device engagement is successfully initiated and QR code is scanned. |
PPR-002 |
Session Establishment |
Verify session establishment with correct session keys. |
Session is established securely with correct session keys. |
PPR-003 |
Communication |
Test the transmission of mdoc request over BLE. |
mdoc request is transmitted securely over BLE. |
PPR-004 |
User Authentication |
Validate user authentication via WSCA. |
User is authenticated successfully using WSCA. |
PPR-005 |
Attribute Consent |
Check user consent for attribute release. |
User consents to release requested attributes. |
PPR-006 |
Data Retrieval |
Test retrieval of mdoc Digital Credentials. |
mdoc Digital Credentials are retrieved successfully. |
PPR-007 |
Session Termination |
Verify session termination after data exchange. |
Session is terminated and keys are destroyed. |
PPR-008 |
Error Handling |
Test handling of invalid session keys. |
Appropriate error message is displayed for invalid keys. |
PPR-009 |
BLE Connection |
Test BLE connection stability during data exchange. |
BLE connection remains stable throughout the exchange. |
PPR-010 |
Document Verification |
Verify the integrity of received documents. |
Documents are verified and integrity is confirmed. |
PPR-011 |
Security |
Test encryption of mdoc requests and responses. |
All mdoc requests and responses are encrypted correctly. |
PPR-012 |
User Interface |
Check the user interface for attribute consent. |
User interface displays attribute consent request clearly. |
PPR-013 |
Error Handling |
Test response to unsupported document types. |
System returns appropriate error for unsupported document types. |
PPR-014 |
Performance |
Measure time taken for session establishment. |
Session is established within acceptable time limits. |
PPR-015 |
Compatibility |
Verify compatibility with different mobile devices. |
System works seamlessly across various mobile devices. |
PPR-016 |
Data Integrity |
Test integrity of data during transmission. |
Data integrity is maintained during transmission. |
PPR-017 |
Session Management |
Test session management under high load. |
Sessions are managed effectively under high load conditions. |
PPR-018 |
BLE Connection |
Test reconnection after BLE disconnection. |
System reconnects successfully after BLE disconnection. |
PPR-019 |
User Experience |
Evaluate user experience during the proximity flow. |
Users report a positive experience with the proximity flow. |
PPR-020 |
Security |
Test resistance to replay attacks. |
System is resistant to replay attacks. |
PPR-021 |
Device Engagement |
Verify that Device Engagement structure is CBOR encoded. |
Device Engagement structure is correctly encoded in CBOR format. |
PPR-022 |
Device Engagement |
Test that ephemeral public key is of type allowed by selected cipher suite. |
Ephemeral public key meets the requirements of the selected cipher suite. |
PPR-023 |
BLE Configuration |
Verify that only Central Client mode is supported. |
Only Central Client mode is supported for BLE connections. |
PPR-024 |
Capabilities |
Test that |
|
PPR-025 |
Capabilities |
Verify that |
|
PPR-026 |
mdoc Request |
Test that mdoc Request messages are CBOR encoded. |
mdoc Request messages are correctly encoded in CBOR format. |
PPR-027 |
mdoc Request |
Verify that mdoc request is encrypted with session key. |
mdoc request is correctly encrypted with session key. |
PPR-028 |
mdoc Request |
Test that mdoc request is transmitted via BLE protocol. |
mdoc request is correctly transmitted via BLE protocol. |
PPR-029 |
mdoc Response |
Verify that mdoc Response messages are CBOR encoded. |
mdoc Response messages are correctly encoded in CBOR format. |
PPR-030 |
mdoc Response |
Test that mdoc response is encrypted with session key. |
mdoc response is correctly encrypted with session key. |
PPR-031 |
Key Management |
Test that private ephemeral key is kept secret. |
Private ephemeral key is properly secured and not exposed. |
PPR-032 |
Key Management |
Test that public ephemeral key is used in session establishment. |
Public ephemeral key is correctly used for session establishment. |
PPR-033 |
Session Key Derivation |
Test that session keys are derived using key agreement protocol. |
Session keys are correctly derived using the key agreement protocol. |
PPR-034 |
Session Establishment |
Test that |
|
PPR-035 |
Session Establishment |
Test that |
|
PPR-036 |
Session Establishment |
Test that |
|
PPR-037 |
Session Establishment |
Test that |
|
PPR-038 |
Message Transmission |
Test that |
|
PPR-039 |
Session Key Computation |
Test that Relying Party correctly handles Wallet Instance session key computation. |
Wallet Instance correctly computes session key. |
PPR-040 |
Message Decryption |
Test that Relying Party correctly handles Wallet Instance decrypting |
Wallet Instance successfully decrypts |
PPR-041 |
Signature Verification |
Test that Relying Party correctly handles Wallet Instance verifying RP Instance signature. |
Wallet Instance correctly verifies Relying Party Instance signature. |
PPR-042 |
Attribute Request Processing |
Test that Relying Party correctly handles Wallet Instance decrypting attribute request. |
Wallet Instance successfully decrypts attribute request. |
PPR-043 |
User Consent |
Test that Relying Party correctly handles Wallet Instance prompting user for consent. |
Wallet Instance correctly prompts user for consent to release attributes. |
PPR-044 |
Certificate Display |
Test that Relying Party correctly handles Wallet Instance displaying RP Registration Certificate. |
Wallet Instance displays Relying Party Registration Certificate for transparency. |
PPR-045 |
Credential Retrieval |
Test that Relying Party correctly handles Wallet Instance retrieving requested mdoc Digital Credentials. |
Wallet Instance successfully retrieves requested mdoc Digital Credentials. |
PPR-046 |
SessionData Preparation |
Test that Relying Party correctly handles Wallet Instance preparing |
Wallet Instance correctly prepares |
PPR-047 |
Authentication Data Signing |
Test that Relying Party correctly handles Wallet Instance signing required authentication data. |
Wallet Instance correctly signs required authentication data. |
PPR-048 |
Message Encryption |
Test that |
|
PPR-049 |
CBOR Encoding |
Test that mdoc response is encoded in CBOR format. |
mdoc response is correctly encoded in CBOR format. |
PPR-050 |
Data Verification |
Test that RP Instance decrypts |
Relying Party Instance successfully decrypts |
PPR-051 |
Signature Verification |
Test that RP Instance verifies Wallet Instance signature. |
Relying Party Instance correctly verifies Wallet Instance signature. |
PPR-052 |
Document Validation |
Test that RP Instance checks mdoc validity and Issuer signature. |
Relying Party Instance correctly validates mdoc and Issuer signature. |
PPR-053 |
BLE Disconnection |
Test that GATT Client unsubscribes from characteristics. |
GATT Client properly unsubscribes from characteristics. |
PPR-054 |
BLE Disconnection |
Test that GATT Client disconnects from GATT server. |
GATT Client properly disconnects from GATT server. |
PPR-055 |
Request Structure Compliance |
Test that mdoc Request is compliant with required structure. |
mdoc Request complies with required structure and includes necessary components. |
PPR-056 |
Response Structure Compliance |
Test that mdoc Response is compliant with required structure. |
mdoc Response complies with required structure and includes necessary components. |
PPR-057 |
Document Structure Compliance |
Test that documents are compliant with required structure. |
Documents comply with required structure and include necessary components. |
PPR-058 |
Document Type Validation |
Test that mDL document type is correctly set. |
mDL document type is correctly set to |
PPR-059 |
DeviceSigned Structure |
Test that deviceSigned structure is compliant. |
deviceSigned structure complies with required format and includes necessary components. |
PPR-060 |
Device Authentication |
Test that |
|
PPR-061 |
Wallet Attestation Inclusion |
Test that Relying Party correctly handles Wallet Instance including Wallet Attestation when requested. |
Wallet Instance includes Wallet Attestation when requested by Relying Party. |
PPR-062 |
AAL Claim Inclusion |
Test that Relying Party correctly handles Wallet Instance including |
Wallet Instance includes |
PPR-063 |
User Consent Bypass |
Test that Relying Party correctly handles Wallet Instance not requesting user consent for Wallet Attestation. |
Wallet Instance does not request user consent for technical Wallet Attestation attributes. |
PPR-064 |
Session Termination Conditions |
Test that session is terminated under specified conditions. |
Session is properly terminated when specified conditions occur. |
PPR-065 |
Session Termination Initiation |
Test that session termination is initiated correctly. |
Session termination is properly initiated when no further requests are sent. |
PPR-066 |
Key Destruction |
Test that session keys are destroyed on termination. |
Session keys and ephemeral key material are properly destroyed. |
PPR-067 |
Channel Closure |
Test that communication channel is closed on termination. |
Communication channel used for data retrieval is properly closed. |