16.4.1.5. Credential Verifier Test Matrix

This section provides the set of test cases designed for technical implementers and development teams responsible for creating and deploying Credential Verifiers / Relying Parties.

16.4.1.5.1. Remote Credential Verifier Test Matrix

This section provides the set of test cases designed for technical implementers and development teams responsible for creating and deploying Credential Verifiers solutions for remote flows. It is also intended for assessment bodies inspecting and validating the implementations of Credential Verifiers solutions for remote flows.

Note

References about official OpenID4VP test plans will update this section in future releases.

Test Case ID

Purpose

Description

Expected Result

RPR-01

Same Device Flow

Verify HTTP redirect (302) URL.

Relying Party issues a correct URL using the base url provided within its metadata.

RPR-02

Cross Device Flow

Verify QR Code generation for Wallet Instance.

Relying Party issues QR Code successfully.

RPR-03

Cross Device Flow

Verify QR Code contains correct URL parameters.

Relying Party issues the QR-Code containing an URL using the base url provided within its metadata.

RPR-04

Cross Device Flow

Test QR Code scanning in low light.

QR Code is scanned successfully.

RPR-05

Cross Device Flow

Verify QR Code error correction level.

QR Code remains readable if damaged.

RPR-06

Cross Device Flow

Test QR Code scanning with different devices.

QR Code is scanned successfully.

RPR-07

Request URI Method

Test request_uri_method as post.

Relying Party accepts Wallet Instance metadata via POST and replies with an updated Request Object.

RPR-08

Request URI Method

Test request_uri_method as get.

Relying Party issues the Request Object via HTTP GET response.

RPR-09

Request URI Method

Test absence of request_uri_method.

Relying Party accepts defaults to GET method.

RPR-10

Metadata

Verify parameters match OpenID Credential Verifier metadata.

Only allowed parameters will be considered.

RPR-11

User Consent

Test eligibility of a Credential Verifier in requesting User attributes.

User can modify data selection about optional attributes.

RPR-12

Authorization Response

Test sending of Presentation Response.

Relying Party receives and validates response with state and nonce values.

RPR-13

Authorization Response

Verify response encryption.

Relying Party evaluates the encrypted response using its public key (one of its keys).

RPR-14

Error Handling

Test invalid Request Object handling.

Error Response is sent.

RPR-15

Error Handling

Verify error logging.

Errors are logged appropriately.

RPR-16

Error Handling

Test recovery from Authorization Request Error.

Relying Party prompts the User to retry or scan new QR code.

RPR-17

Error Handling

Test fake HTTP Cookie.

Relying Party checks the User session consistency coupling the session http cookie and the state and nonces provided.

RPR-19

Redirect URI

Test redirection to Relying Party's endpoint.

User is redirected correctly, the endpoint works.

RPR-20

Redirect URI

Verify handling of invalid redirect_uri.

Error response is returned.

RPR-23

Credential Presentation

Verify response format compliance.

Relying Party supports all the Credential format included within its vp_formats_supported metadata parameter.

RPR-24

Authorization Response

Test handling of response timeouts.

Retries must be successful unless response is acquired.

RPR-25

Error Handling

Verify handling of malformed claims in presentation payload.

Authorization Error Response is sent.

RPR-26

Error Handling

Verify handling of malformed claims in presented credentials.

Authorization Error Response is sent.

RPR-27

Error Handling

Test handling of expired requests.

Holder is notified of expiration.

RPR-28

Relying Party Response

Verify inclusion of response code.

Response code is cryptographically random.

RPR-29

Relying Party Response

Test handling of invalid response codes.

Error response is returned.

RPR-30

Status Endpoint

Verify handling of unauthorized access.

Unauthorized access is denied.

RPR-31

Status Endpoint

Test handling of invalid session IDs.

Error response is returned.

RPR-32

Redirect URI

Verify handling of expired sessions.

Error response is returned.

RPR-33

Redirect URI

Test handling of server errors.

Error response is returned.

RPR-34

Same and Cross Device Flow

Verify handling of slow network conditions.

Relying Party provides the http response within the maximum limit of 2 seconds.

RPR-36

Presentation Response

Verify handling of large response payloads.

Response is evaluated within appropriate security thresholds.

RPR-37

Presentation Response

Test handling of response encryption failures.

Error response is returned.

RPR-38

Error Handling

Verify handling of invalid signatures.

Authorization Error Response is sent.

RPR-39

Error Handling

Test handling of invalid nonce values.

Error response is returned.

RPR-40

Relying Party Response

Verify handling of malformed responses.

Error response is returned.

RPR-41

Relying Party Response

Test handling of missing response parameters.

Error response is returned.

RPR-42

Status Endpoint

Verify handling of session timeouts.

Error response is returned.

RPR-43

Status Endpoint

Test handling of invalid status codes.

Error response is returned.

RPR-44

Redirect URI

Verify handling of invalid user sessions.

Error response is returned.

RPR-45

Redirect URI

Test handling of unavailable services.

Error response is returned.

RPR-46

Same Device Flow

Verify handling of user cancellations.

User can cancel the process.

RPR-47

Cross Device Flow

Test QR Code scanning with different apps.

QR Code is scanned successfully.

RPR-48

Cross Device Flow

Verify QR Code scanning with different lighting.

QR Code is scanned successfully.

RPR-49

Request URI Method

Test handling of unsupported content types.

Error response is returned.

RPR-50

User Consent

Verify user notification of consent changes.

User is informed about consent changes.

RPR-51

User Consent

Test user consent for sensitive data.

User can consent to sensitive data.

RPR-52

Authorization Response

Verify handling of response decryption failures.

Error response is returned.

RPR-53

Authorization Response

Test handling of response integrity checks.

Response integrity is verified.

RPR-54

Relying Party Response

Verify handling of response validation failures.

Error response is returned.

RPR-55

Relying Party Response

Test handling of response processing errors.

Error response is returned.

RPR-56

Protected Resource Endpoint

Verify handling of unauthorized session access.

Unauthorized access is denied.

RPR-57

Redirect URI

Verify handling of invalid redirect parameters.

Error response is returned.

RPR-58

Redirect URI

Test handling of redirect failures.

Error response is returned.

RPR-59

Same Device Flow

Verify handling of user interruptions.

User can resume or cancel the process.

RPR-60

Request URI Method

Test handling of invalid HTTP methods.

Error response is returned.

RPR-61

User Consent

Verify user notification of consent revocation.

User is informed about consent revocation.

RPR-62

User Consent

Test user consent for optional data.

User can consent to optional data.

RPR-63

Authorization Response

Verify handling of response signature failures.

Error response is returned.

RPR-64

Authorization Response

Test handling of response format errors.

Error response is returned.

RPR-65

Error Handling

Verify handling of invalid JWT signatures.

Authorization Error Response is sent.

RPR-66

Error Handling

Test handling of invalid JWT claims.

Error response is returned.

RPR-67

Relying Party Response

Verify handling of response parsing errors.

Error response is returned.

RPR-68

Relying Party Response

Test handling of response timeout errors.

Error response is returned.

RPR-69

Status Endpoint

Verify handling of session expiration.

Error response is returned.

RPR-70

Status Endpoint

Test handling of session renewal errors.

Error response is returned.

RPR-71

Redirect URI

Verify handling of redirect loop errors.

Error response is returned.

RPR-72

Redirect URI

Test handling of redirect security errors.

Error response is returned.

RPR-73

Same Device Flow

Verify handling of user timeouts.

User is notified of timeout.

RPR-74

Cross Device Flow

Test QR Code scanning with different devices.

QR Code is scanned successfully.

RPR-75

Cross Device Flow

Verify QR Code scanning with different apps.

QR Code is scanned successfully.

RPR-76

Request URI Method

Test handling of unsupported HTTP methods.

Error response is returned.

RPR-77

QR Code Generation

Verify that QR Code error correction level is Q (Quartile - up to 25%).

QR Code uses the required Q error correction level.

RPR-78

Wallet Attestation Request

Test that Wallet Attestation request uses standard DCQL query.

Wallet Attestation request correctly uses standard DCQL query.

RPR-79

Wallet Attestation Request

Verify that claims parameter is not included in DCQL query for Wallet Attestation.

claims parameter is not included in DCQL query for Wallet Attestation.

RPR-80

Wallet Attestation Request

Test that vct_values parameter is required in DCQL query for Wallet Attestation.

vct_values parameter is correctly required in DCQL query.

RPR-81

Wallet Nonce

Test that Relying Party checks wallet_nonce when present.

Relying Party correctly checks wallet_nonce when present.

RPR-82

Response Types

Verify that response_types_supported is set to vp_token when present.

response_types_supported is correctly set to vp_token.

RPR-83

Redirect URI

Test that Relying Party correctly provides redirect_uri parameter to Wallet Instance.

Relying Party correctly provides and handles redirect_uri.

RPR-84

Flow Support

Test that Relying Party supports required remote flows.

Relying Party supports both Same Device and Cross Device flows.

RPR-85

Endpoint Security

Test that request_uri is attested by trusted third party.

request_uri parameter is properly attested by trusted third party.

RPR-86

Privacy Protection

Test that Relying Party correctly validates Wallet Instance metadata without User information.

Relying Party correctly evaluates Wallet Instance technical capabilities.

RPR-87

Request URI POST Method

Test that Relying Party supports receiving Wallet Instance metadata via POST to request_uri endpoint with content type application/x-www-form-urlencoded.

Relying Party correctly accepts and processes Wallet Instance metadata sent via POST with the required content type.

RPR-88

Algorithm Validation

Test that JWT algorithm is supported and not none or MAC.

JWT algorithm is from supported list and not none or MAC identifier.

RPR-89

Media Type Validation

Test that JWT typ is set to oauth-authz-req+jwt.

JWT typ parameter is correctly set to oauth-authz-req+jwt.

RPR-90

Response Mode Validation

Test that response_mode is set to direct_post.jwt.

response_mode parameter is correctly set to direct_post.jwt.

RPR-91

Response Type Validation

Test that response_type is set to vp_token.

response_type parameter is correctly set to vp_token.

RPR-92

Response URI Usage

Test that Relying Party correctly provides response_uri parameter to Wallet Instance.

Relying Party sends Authorization Response to correct response_uri endpoint.

RPR-93

Nonce Entropy

Test that nonce has sufficient entropy (32+ digits).

nonce parameter has sufficient entropy with at least 32 digits.

RPR-94

JWT Expiration

Test that JWT exp is set correctly.

JWT exp parameter is correctly set and not expired.

RPR-95

Response URI Security

Test that response_uri is attested by trusted third party.

response_uri parameter is properly attested by trusted third party.

RPR-96

Client Metadata Handling

Test that Relying Party correctly handles Wallet Instance client_metadata.

The client_metadata is correctly aligned with Trust Chain metadata.

RPR-97

Wallet Attestation Request

Test that Relying Party requests Wallet Attestation via DCQL.

Relying Party correctly requests Wallet Attestation using DCQL query.

RPR-98

Error Response Format

Test that error response uses application/json content type.

Error response correctly uses application/json content type.

RPR-99

Error Response Parameters

Test that error response includes required parameters.

Error response includes error and error_description parameters.

RPR-100

Wallet Attestation Presentation

Test that Relying Party correctly requests Wallet Attestation from Wallet Instance.

Relying Party correctly evaluates Wallet Attestation when requested.

RPR-101

Presentation Array

Test that vp_token contains the requested signed presentations.

vp_token contains the requested signed presentations as required.

RPR-102

KB-JWT Inclusion

Test that Holder includes KB-JWT in SD-JWT.

Holder correctly includes KB-JWT in SD-JWT presentation.

RPR-103

KB-JWT Validation

Test that Relying Party validates KB-JWT signature.

Relying Party correctly validates KB-JWT signature using public key.

RPR-104

KB-JWT Header

Test that KB-JWT contains required header parameters.

KB-JWT contains required typ and alg header parameters.

RPR-105

KB-JWT Payload

Test that KB-JWT contains required payload parameters.

KB-JWT contains required iat, aud, nonce, and sd_hash parameters.

RPR-106

KB-JWT Audience

Test that KB-JWT aud matches Relying Party identifier.

KB-JWT aud parameter matches Relying Party unique entity identifier.

RPR-107

KB-JWT Nonce

Test that KB-JWT nonce matches request object nonce.

KB-JWT nonce parameter matches nonce from request object.

RPR-108

Authorization Error Response

Test that Relying Party correctly handles Wallet Instance Authorization Error Response on validation failure.

Relying Party correctly evaluates Authorization Error Response when validation fails.

RPR-109

Error Response Encoding

Test that Authorization Error Response is encoded correctly.

Authorization Error Response is encoded in application/x-www-form-urlencoded format.

RPR-110

Response Processing

Test that Response URI returns HTTP 200 on successful processing.

Response URI returns HTTP 200 with application/json content type.

RPR-111

Error Code Consistency

Test that error codes are consistent across different endpoints.

Error codes are consistent across all Relying Party endpoints.

RPR-112

Response Code Inclusion

Test that Relying Party includes response code in redirect_uri.

Relying Party includes fresh response code in redirect_uri.

RPR-113

Redirect URI Security

Test that redirect_uri is attested by trusted third party.

redirect_uri parameter is properly attested by trusted third party.

RPR-114

Validation Error Response

Test that Response URI returns error response on validation failure.

Response URI returns error response when validation checks fail.

16.4.1.5.2. Proximity Credential Verifier Test Matrix

This section provides the set of test cases designed for technical implementers and development teams responsible for creating and deploying Credential Verifiers solutions for proximity flows. It is also intended for assessment bodies inspecting and validating the implementations of Credential Verifiers solutions for proximity flows.

Note

Further references about official ISO-18013-5 test plans, if available, will update this section in future releases.

Test Case ID

Purpose

Description

Expected Result

PPR-001

Device Engagement

Test the initiation of device engagement using QR code.

Device engagement is successfully initiated and QR code is scanned.

PPR-002

Session Establishment

Verify session establishment with correct session keys.

Session is established securely with correct session keys.

PPR-003

Communication

Test the transmission of mdoc request over BLE.

mdoc request is transmitted securely over BLE.

PPR-004

User Authentication

Validate user authentication via WSCA.

User is authenticated successfully using WSCA.

PPR-005

Attribute Consent

Check user consent for attribute release.

User consents to release requested attributes.

PPR-006

Data Retrieval

Test retrieval of mdoc Digital Credentials.

mdoc Digital Credentials are retrieved successfully.

PPR-007

Session Termination

Verify session termination after data exchange.

Session is terminated and keys are destroyed.

PPR-008

Error Handling

Test handling of invalid session keys.

Appropriate error message is displayed for invalid keys.

PPR-009

BLE Connection

Test BLE connection stability during data exchange.

BLE connection remains stable throughout the exchange.

PPR-010

Document Verification

Verify the integrity of received documents.

Documents are verified and integrity is confirmed.

PPR-011

Security

Test encryption of mdoc requests and responses.

All mdoc requests and responses are encrypted correctly.

PPR-012

User Interface

Check the user interface for attribute consent.

User interface displays attribute consent request clearly.

PPR-013

Error Handling

Test response to unsupported document types.

System returns appropriate error for unsupported document types.

PPR-014

Performance

Measure time taken for session establishment.

Session is established within acceptable time limits.

PPR-015

Compatibility

Verify compatibility with different mobile devices.

System works seamlessly across various mobile devices.

PPR-016

Data Integrity

Test integrity of data during transmission.

Data integrity is maintained during transmission.

PPR-017

Session Management

Test session management under high load.

Sessions are managed effectively under high load conditions.

PPR-018

BLE Connection

Test reconnection after BLE disconnection.

System reconnects successfully after BLE disconnection.

PPR-019

User Experience

Evaluate user experience during the proximity flow.

Users report a positive experience with the proximity flow.

PPR-020

Security

Test resistance to replay attacks.

System is resistant to replay attacks.

PPR-021

Device Engagement

Verify that Device Engagement structure is CBOR encoded.

Device Engagement structure is correctly encoded in CBOR format.

PPR-022

Device Engagement

Test that ephemeral public key is of type allowed by selected cipher suite.

Ephemeral public key meets the requirements of the selected cipher suite.

PPR-023

BLE Configuration

Verify that only Central Client mode is supported.

Only Central Client mode is supported for BLE connections.

PPR-024

Capabilities

Test that HandoverSessionEstablishmentSupport is set to true when present.

HandoverSessionEstablishmentSupport is correctly set to true.

PPR-025

Capabilities

Verify that ReaderAuthAllSupport is set to true when present.

ReaderAuthAllSupport is correctly set to true.

PPR-026

mdoc Request

Test that mdoc Request messages are CBOR encoded.

mdoc Request messages are correctly encoded in CBOR format.

PPR-027

mdoc Request

Verify that mdoc request is encrypted with session key.

mdoc request is correctly encrypted with session key.

PPR-028

mdoc Request

Test that mdoc request is transmitted via BLE protocol.

mdoc request is correctly transmitted via BLE protocol.

PPR-029

mdoc Response

Verify that mdoc Response messages are CBOR encoded.

mdoc Response messages are correctly encoded in CBOR format.

PPR-030

mdoc Response

Test that mdoc response is encrypted with session key.

mdoc response is correctly encrypted with session key.

PPR-031

Key Management

Test that private ephemeral key is kept secret.

Private ephemeral key is properly secured and not exposed.

PPR-032

Key Management

Test that public ephemeral key is used in session establishment.

Public ephemeral key is correctly used for session establishment.

PPR-033

Session Key Derivation

Test that session keys are derived using key agreement protocol.

Session keys are correctly derived using the key agreement protocol.

PPR-034

Session Establishment

Test that SessionEstablishment message is prepared correctly.

SessionEstablishment message is properly prepared with required components.

PPR-035

Session Establishment

Test that SessionEstablishment message is signed by RP Instance.

SessionEstablishment message is correctly signed by Relying Party Instance.

PPR-036

Session Establishment

Test that SessionEstablishment message is encrypted with session keys.

SessionEstablishment message is properly encrypted with session keys.

PPR-037

Session Establishment

Test that SessionEstablishment includes EReaderKey.Pub and attribute request.

SessionEstablishment message includes required EReaderKey.Pub and attribute request.

PPR-038

Message Transmission

Test that SessionEstablishment is transmitted over secure BLE connection.

SessionEstablishment message is transmitted over secure BLE connection.

PPR-039

Session Key Computation

Test that Relying Party correctly handles Wallet Instance session key computation.

Wallet Instance correctly computes session key.

PPR-040

Message Decryption

Test that Relying Party correctly handles Wallet Instance decrypting SessionEstablishment message.

Wallet Instance successfully decrypts SessionEstablishment message.

PPR-041

Signature Verification

Test that Relying Party correctly handles Wallet Instance verifying RP Instance signature.

Wallet Instance correctly verifies Relying Party Instance signature.

PPR-042

Attribute Request Processing

Test that Relying Party correctly handles Wallet Instance decrypting attribute request.

Wallet Instance successfully decrypts attribute request.

PPR-043

User Consent

Test that Relying Party correctly handles Wallet Instance prompting user for consent.

Wallet Instance correctly prompts user for consent to release attributes.

PPR-044

Certificate Display

Test that Relying Party correctly handles Wallet Instance displaying RP Registration Certificate.

Wallet Instance displays Relying Party Registration Certificate for transparency.

PPR-045

Credential Retrieval

Test that Relying Party correctly handles Wallet Instance retrieving requested mdoc Digital Credentials.

Wallet Instance successfully retrieves requested mdoc Digital Credentials.

PPR-046

SessionData Preparation

Test that Relying Party correctly handles Wallet Instance preparing SessionData message.

Wallet Instance correctly prepares SessionData message with Digital Credentials.

PPR-047

Authentication Data Signing

Test that Relying Party correctly handles Wallet Instance signing required authentication data.

Wallet Instance correctly signs required authentication data.

PPR-048

Message Encryption

Test that SessionData is encrypted with session keys.

SessionData message is properly encrypted with session keys.

PPR-049

CBOR Encoding

Test that mdoc response is encoded in CBOR format.

mdoc response is correctly encoded in CBOR format.

PPR-050

Data Verification

Test that RP Instance decrypts SessionData.

Relying Party Instance successfully decrypts SessionData.

PPR-051

Signature Verification

Test that RP Instance verifies Wallet Instance signature.

Relying Party Instance correctly verifies Wallet Instance signature.

PPR-052

Document Validation

Test that RP Instance checks mdoc validity and Issuer signature.

Relying Party Instance correctly validates mdoc and Issuer signature.

PPR-053

BLE Disconnection

Test that GATT Client unsubscribes from characteristics.

GATT Client properly unsubscribes from characteristics.

PPR-054

BLE Disconnection

Test that GATT Client disconnects from GATT server.

GATT Client properly disconnects from GATT server.

PPR-055

Request Structure Compliance

Test that mdoc Request is compliant with required structure.

mdoc Request complies with required structure and includes necessary components.

PPR-056

Response Structure Compliance

Test that mdoc Response is compliant with required structure.

mdoc Response complies with required structure and includes necessary components.

PPR-057

Document Structure Compliance

Test that documents are compliant with required structure.

Documents comply with required structure and include necessary components.

PPR-058

Document Type Validation

Test that mDL document type is correctly set.

mDL document type is correctly set to org.iso.18013.5.1.mDL.

PPR-059

DeviceSigned Structure

Test that deviceSigned structure is compliant.

deviceSigned structure complies with required format and includes necessary components.

PPR-060

Device Authentication

Test that deviceAuth includes deviceSignature.

deviceAuth structure includes required deviceSignature for authentication.

PPR-061

Wallet Attestation Inclusion

Test that Relying Party correctly handles Wallet Instance including Wallet Attestation when requested.

Wallet Instance includes Wallet Attestation when requested by Relying Party.

PPR-062

AAL Claim Inclusion

Test that Relying Party correctly handles Wallet Instance including aal claim in Wallet Attestation.

Wallet Instance includes aal claim as disclosure in Wallet Attestation.

PPR-063

User Consent Bypass

Test that Relying Party correctly handles Wallet Instance not requesting user consent for Wallet Attestation.

Wallet Instance does not request user consent for technical Wallet Attestation attributes.

PPR-064

Session Termination Conditions

Test that session is terminated under specified conditions.

Session is properly terminated when specified conditions occur.

PPR-065

Session Termination Initiation

Test that session termination is initiated correctly.

Session termination is properly initiated when no further requests are sent.

PPR-066

Key Destruction

Test that session keys are destroyed on termination.

Session keys and ephemeral key material are properly destroyed.

PPR-067

Channel Closure

Test that communication channel is closed on termination.

Communication channel used for data retrieval is properly closed.