feat(openid4vci): verify signed_metadata in issuer metadata

When the credential issuer's metadata contains signed_metadata (v1.0
Section 12.2.3), verify the JWT signature using the issuer's key from
the DID document. Validates typ header, required claims (sub, iat), and
compares metadata claims against the unsigned metadata. Rejects metadata
if verification fails; proceeds without it if absent (field is OPTIONAL).

Author: JorisHeadease

auth/client/iam/client.go

@@ -21,6 +21,7 @@ package iam
 import (
 	"bytes"
 	"context"
+	stdcrypto "crypto"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -282,7 +283,52 @@ func (hb HTTPClient) OpenIdCredentialIssuerMetadata(ctx context.Context, oauthIs
 	if err != nil {
 		return nil, err
 	}
-	return &metadata, err
+	if metadata.SignedMetadata != "" {
+		if err = hb.verifySignedMetadata(ctx, &metadata); err != nil {
+			return nil, fmt.Errorf("signed_metadata verification failed: %w", err)
+		}
+	}
+	return &metadata, nil
+}
+
+// verifySignedMetadata verifies the signed_metadata JWT against the issuer's key (v1.0 Section 12.2.3).
+// It validates the JWT signature, typ header, required claims (sub, iat), and compares
+// key metadata claims (credential_issuer, credential_endpoint) against the unsigned metadata.
+func (hb HTTPClient) verifySignedMetadata(ctx context.Context, metadata *oauth.OpenIDCredentialIssuerMetadata) error {
+	// Verify typ header to prevent JWT type confusion attacks
+	typ, err := crypto.JWTTyp(metadata.SignedMetadata)
+	if err != nil {
+		return fmt.Errorf("invalid JWT: %w", err)
+	}
+	if typ != "openidvci-issuer-metadata+jwt" {
+		return fmt.Errorf("typ header must be openidvci-issuer-metadata+jwt, got %q", typ)
+	}
+	// Parse, verify signature, and validate standard claims using shared infrastructure
+	token, err := crypto.ParseJWT(metadata.SignedMetadata, func(kid string) (stdcrypto.PublicKey, error) {
+		return hb.keyResolver.ResolveKeyByID(kid, nil, resolver.AssertionMethod)
+	}, jwt.WithValidate(true), jwt.WithAcceptableSkew(5*time.Second))
+	if err != nil {
+		return fmt.Errorf("invalid JWT: %w", err)
+	}
+	// sub is REQUIRED, must match credential_issuer. iss is OPTIONAL per spec.
+	if token.Subject() != metadata.CredentialIssuer {
+		return fmt.Errorf("sub %q does not match credential_issuer %q", token.Subject(), metadata.CredentialIssuer)
+	}
+	if token.IssuedAt().IsZero() {
+		return fmt.Errorf("iat claim is required")
+	}
+	// Compare metadata claims from JWT payload against unsigned metadata
+	claims, err := token.AsMap(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to extract claims: %w", err)
+	}
+	if ci, _ := claims["credential_issuer"].(string); ci != metadata.CredentialIssuer {
+		return fmt.Errorf("credential_issuer claim %q does not match metadata %q", ci, metadata.CredentialIssuer)
+	}
+	if ce, _ := claims["credential_endpoint"].(string); ce != "" && ce != metadata.CredentialEndpoint {
+		return fmt.Errorf("credential_endpoint claim %q does not match metadata %q", ce, metadata.CredentialEndpoint)
+	}
+	return nil
 }
 
 func (hb HTTPClient) OpenIDConfiguration(ctx context.Context, issuerURL string) (*oauth.OpenIDConfiguration, error) {

auth/client/iam/openid4vp_test.go

@@ -20,10 +20,14 @@ package iam
 
 import (
 	"context"
+	"crypto/ecdsa"
 	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
+	"github.com/lestrrat-go/jwx/v2/jwa"
+	"github.com/lestrrat-go/jwx/v2/jws"
+	"github.com/lestrrat-go/jwx/v2/jwt"
 	"github.com/nuts-foundation/nuts-node/http/client"
 	test2 "github.com/nuts-foundation/nuts-node/test"
 	"github.com/nuts-foundation/nuts-node/vcr/credential"
@@ -40,6 +44,7 @@ import (
 	"github.com/nuts-foundation/nuts-node/audit"
 	"github.com/nuts-foundation/nuts-node/auth/oauth"
 	"github.com/nuts-foundation/nuts-node/crypto"
+	cryptoTest "github.com/nuts-foundation/nuts-node/crypto/test"
 	http2 "github.com/nuts-foundation/nuts-node/test/http"
 	"github.com/nuts-foundation/nuts-node/vcr/holder"
 	"github.com/nuts-foundation/nuts-node/vcr/openid4vci"
@@ -486,8 +491,9 @@ func createClientTestContext(t *testing.T, tlsConfig *tls.Config) *clientTestCon
 			wallet:         wallet,
 			subjectManager: subjectManager,
 			httpClient: HTTPClient{
-				strictMode: false,
-				httpClient: client.NewWithTLSConfig(10*time.Second, tlsConfig),
+				strictMode:  false,
+				httpClient:  client.NewWithTLSConfig(10*time.Second, tlsConfig),
+				keyResolver: keyResolver,
 			},
 			jwtSigner:   jwtSigner,
 			keyResolver: keyResolver,
@@ -697,6 +703,238 @@ func TestIAMClient_OpenIdCredentialIssuerMetadata(t *testing.T) {
 		assert.Nil(t, response)
 		assert.EqualError(t, err, "failed to retrieve Openid credential issuer metadata: server returned HTTP 404 (expected: 200)")
 	})
+	t.Run("ok - signed_metadata is verified", func(t *testing.T) {
+		ctx := createClientServerTestContext(t)
+		ecKey := cryptoTest.GenerateECKey()
+		kid := "did:web:example.com#key-1"
+		signedJWT := createSignedMetadataJWT(t, ecKey, kid, map[string]interface{}{
+			"credential_issuer":   "https://issuer.example.com",
+			"credential_endpoint": "https://issuer.example.com/credential",
+		})
+		issuerMetadata := &oauth.OpenIDCredentialIssuerMetadata{
+			CredentialIssuer:   "https://issuer.example.com",
+			CredentialEndpoint: "https://issuer.example.com/credential",
+			SignedMetadata:     signedJWT,
+		}
+		ctx.openIDCredentialIssuerMetadata = issuerMetadata
+		ctx.credentialIssuerMetadata = func(writer http.ResponseWriter) {
+			writer.Header().Add("Content-Type", "application/json")
+			writer.WriteHeader(http.StatusOK)
+			bytes, _ := json.Marshal(*issuerMetadata)
+			_, _ = writer.Write(bytes)
+		}
+		ctx.keyResolver.EXPECT().ResolveKeyByID(kid, nil, resolver.AssertionMethod).Return(ecKey.Public(), nil)
+
+		metadata, err := ctx.client.OpenIdCredentialIssuerMetadata(context.Background(), ctx.tlsServer.URL+"/issuer")
+
+		require.NoError(t, err)
+		require.NotNil(t, metadata)
+		assert.Equal(t, "https://issuer.example.com", metadata.CredentialIssuer)
+	})
+	t.Run("error - signed_metadata JWT signature invalid", func(t *testing.T) {
+		ctx := createClientServerTestContext(t)
+		issuerMetadata := &oauth.OpenIDCredentialIssuerMetadata{
+			CredentialIssuer:   "https://issuer.example.com",
+			CredentialEndpoint: "https://issuer.example.com/credential",
+			SignedMetadata:     "invalid.jwt.token",
+		}
+		ctx.credentialIssuerMetadata = func(writer http.ResponseWriter) {
+			writer.Header().Add("Content-Type", "application/json")
+			writer.WriteHeader(http.StatusOK)
+			bytes, _ := json.Marshal(*issuerMetadata)
+			_, _ = writer.Write(bytes)
+		}
+
+		metadata, err := ctx.client.OpenIdCredentialIssuerMetadata(context.Background(), ctx.tlsServer.URL+"/issuer")
+
+		require.Error(t, err)
+		assert.Nil(t, metadata)
+		assert.ErrorContains(t, err, "signed_metadata verification failed")
+	})
+	t.Run("error - signed_metadata sub mismatch", func(t *testing.T) {
+		ctx := createClientServerTestContext(t)
+		ecKey := cryptoTest.GenerateECKey()
+		kid := "did:web:example.com#key-1"
+		signedJWT := createSignedMetadataJWT(t, ecKey, kid, map[string]interface{}{
+			"credential_issuer":   "https://other-issuer.example.com",
+			"credential_endpoint": "https://issuer.example.com/credential",
+		})
+		issuerMetadata := &oauth.OpenIDCredentialIssuerMetadata{
+			CredentialIssuer:   "https://issuer.example.com",
+			CredentialEndpoint: "https://issuer.example.com/credential",
+			SignedMetadata:     signedJWT,
+		}
+		ctx.credentialIssuerMetadata = func(writer http.ResponseWriter) {
+			writer.Header().Add("Content-Type", "application/json")
+			writer.WriteHeader(http.StatusOK)
+			bytes, _ := json.Marshal(*issuerMetadata)
+			_, _ = writer.Write(bytes)
+		}
+		ctx.keyResolver.EXPECT().ResolveKeyByID(kid, nil, resolver.AssertionMethod).Return(ecKey.Public(), nil)
+
+		metadata, err := ctx.client.OpenIdCredentialIssuerMetadata(context.Background(), ctx.tlsServer.URL+"/issuer")
+
+		require.Error(t, err)
+		assert.Nil(t, metadata)
+		assert.ErrorContains(t, err, "sub")
+		assert.ErrorContains(t, err, "does not match credential_issuer")
+	})
+	t.Run("error - signed_metadata credential_endpoint mismatch", func(t *testing.T) {
+		ctx := createClientServerTestContext(t)
+		ecKey := cryptoTest.GenerateECKey()
+		kid := "did:web:example.com#key-1"
+		signedJWT := createSignedMetadataJWT(t, ecKey, kid, map[string]interface{}{
+			"credential_issuer":   "https://issuer.example.com",
+			"credential_endpoint": "https://evil.example.com/credential",
+		})
+		issuerMetadata := &oauth.OpenIDCredentialIssuerMetadata{
+			CredentialIssuer:   "https://issuer.example.com",
+			CredentialEndpoint: "https://issuer.example.com/credential",
+			SignedMetadata:     signedJWT,
+		}
+		ctx.credentialIssuerMetadata = func(writer http.ResponseWriter) {
+			writer.Header().Add("Content-Type", "application/json")
+			writer.WriteHeader(http.StatusOK)
+			bytes, _ := json.Marshal(*issuerMetadata)
+			_, _ = writer.Write(bytes)
+		}
+		ctx.keyResolver.EXPECT().ResolveKeyByID(kid, nil, resolver.AssertionMethod).Return(ecKey.Public(), nil)
+
+		metadata, err := ctx.client.OpenIdCredentialIssuerMetadata(context.Background(), ctx.tlsServer.URL+"/issuer")
+
+		require.Error(t, err)
+		assert.Nil(t, metadata)
+		assert.ErrorContains(t, err, "credential_endpoint claim")
+		assert.ErrorContains(t, err, "does not match metadata")
+	})
+	t.Run("error - signed_metadata wrong typ header", func(t *testing.T) {
+		ctx := createClientServerTestContext(t)
+		ecKey := cryptoTest.GenerateECKey()
+		kid := "did:web:example.com#key-1"
+		signedJWT := createSignedMetadataJWTCustom(t, ecKey, kid, "jwt", map[string]interface{}{
+			"iss":                 "https://issuer.example.com",
+			"sub":                 "https://issuer.example.com",
+			"credential_issuer":   "https://issuer.example.com",
+			"credential_endpoint": "https://issuer.example.com/credential",
+		}, true, true)
+		issuerMetadata := &oauth.OpenIDCredentialIssuerMetadata{
+			CredentialIssuer:   "https://issuer.example.com",
+			CredentialEndpoint: "https://issuer.example.com/credential",
+			SignedMetadata:     signedJWT,
+		}
+		ctx.credentialIssuerMetadata = func(writer http.ResponseWriter) {
+			writer.Header().Add("Content-Type", "application/json")
+			writer.WriteHeader(http.StatusOK)
+			bytes, _ := json.Marshal(*issuerMetadata)
+			_, _ = writer.Write(bytes)
+		}
+
+		metadata, err := ctx.client.OpenIdCredentialIssuerMetadata(context.Background(), ctx.tlsServer.URL+"/issuer")
+
+		require.Error(t, err)
+		assert.Nil(t, metadata)
+		assert.ErrorContains(t, err, "typ header must be openidvci-issuer-metadata+jwt")
+	})
+	t.Run("error - signed_metadata missing sub", func(t *testing.T) {
+		ctx := createClientServerTestContext(t)
+		ecKey := cryptoTest.GenerateECKey()
+		kid := "did:web:example.com#key-1"
+		signedJWT := createSignedMetadataJWTCustom(t, ecKey, kid, "openidvci-issuer-metadata+jwt", map[string]interface{}{
+			"iss":                 "https://issuer.example.com",
+			"credential_issuer":   "https://issuer.example.com",
+			"credential_endpoint": "https://issuer.example.com/credential",
+		}, true, true)
+		issuerMetadata := &oauth.OpenIDCredentialIssuerMetadata{
+			CredentialIssuer:   "https://issuer.example.com",
+			CredentialEndpoint: "https://issuer.example.com/credential",
+			SignedMetadata:     signedJWT,
+		}
+		ctx.credentialIssuerMetadata = func(writer http.ResponseWriter) {
+			writer.Header().Add("Content-Type", "application/json")
+			writer.WriteHeader(http.StatusOK)
+			bytes, _ := json.Marshal(*issuerMetadata)
+			_, _ = writer.Write(bytes)
+		}
+		ctx.keyResolver.EXPECT().ResolveKeyByID(kid, nil, resolver.AssertionMethod).Return(ecKey.Public(), nil)
+
+		metadata, err := ctx.client.OpenIdCredentialIssuerMetadata(context.Background(), ctx.tlsServer.URL+"/issuer")
+
+		require.Error(t, err)
+		assert.Nil(t, metadata)
+		assert.ErrorContains(t, err, "sub")
+		assert.ErrorContains(t, err, "does not match credential_issuer")
+	})
+	t.Run("error - signed_metadata missing iat", func(t *testing.T) {
+		ctx := createClientServerTestContext(t)
+		ecKey := cryptoTest.GenerateECKey()
+		kid := "did:web:example.com#key-1"
+		signedJWT := createSignedMetadataJWTCustom(t, ecKey, kid, "openidvci-issuer-metadata+jwt", map[string]interface{}{
+			"sub":                 "https://issuer.example.com",
+			"credential_issuer":   "https://issuer.example.com",
+			"credential_endpoint": "https://issuer.example.com/credential",
+		}, false, false)
+		issuerMetadata := &oauth.OpenIDCredentialIssuerMetadata{
+			CredentialIssuer:   "https://issuer.example.com",
+			CredentialEndpoint: "https://issuer.example.com/credential",
+			SignedMetadata:     signedJWT,
+		}
+		ctx.credentialIssuerMetadata = func(writer http.ResponseWriter) {
+			writer.Header().Add("Content-Type", "application/json")
+			writer.WriteHeader(http.StatusOK)
+			bytes, _ := json.Marshal(*issuerMetadata)
+			_, _ = writer.Write(bytes)
+		}
+		ctx.keyResolver.EXPECT().ResolveKeyByID(kid, nil, resolver.AssertionMethod).Return(ecKey.Public(), nil)
+
+		metadata, err := ctx.client.OpenIdCredentialIssuerMetadata(context.Background(), ctx.tlsServer.URL+"/issuer")
+
+		require.Error(t, err)
+		assert.Nil(t, metadata)
+		assert.ErrorContains(t, err, "iat claim is required")
+	})
+}
+
+func createSignedMetadataJWT(t *testing.T, key *ecdsa.PrivateKey, kid string, claims map[string]interface{}) string {
+	t.Helper()
+	token := jwt.New()
+	for k, v := range claims {
+		require.NoError(t, token.Set(k, v))
+	}
+	if iss, ok := claims["credential_issuer"].(string); ok {
+		require.NoError(t, token.Set(jwt.IssuerKey, iss))
+		require.NoError(t, token.Set(jwt.SubjectKey, iss))
+	}
+	require.NoError(t, token.Set(jwt.IssuedAtKey, time.Now().Unix()))
+	require.NoError(t, token.Set(jwt.ExpirationKey, time.Now().Add(time.Hour).Unix()))
+	hdrs := jws.NewHeaders()
+	require.NoError(t, hdrs.Set(jws.KeyIDKey, kid))
+	require.NoError(t, hdrs.Set(jws.TypeKey, "openidvci-issuer-metadata+jwt"))
+	signed, err := jwt.Sign(token, jwt.WithKey(jwa.ES256, key, jws.WithProtectedHeaders(hdrs)))
+	require.NoError(t, err)
+	return string(signed)
+}
+
+// createSignedMetadataJWTCustom allows overriding specific JWT fields for negative tests.
+func createSignedMetadataJWTCustom(t *testing.T, key *ecdsa.PrivateKey, kid string, typ string, claims map[string]interface{}, setIat bool, setExp bool) string {
+	t.Helper()
+	token := jwt.New()
+	for k, v := range claims {
+		require.NoError(t, token.Set(k, v))
+	}
+	if setIat {
+		require.NoError(t, token.Set(jwt.IssuedAtKey, time.Now().Unix()))
+	}
+	if setExp {
+		require.NoError(t, token.Set(jwt.ExpirationKey, time.Now().Add(time.Hour).Unix()))
+	}
+	hdrs := jws.NewHeaders()
+	require.NoError(t, hdrs.Set(jws.KeyIDKey, kid))
+	if typ != "" {
+		require.NoError(t, hdrs.Set(jws.TypeKey, typ))
+	}
+	signed, err := jwt.Sign(token, jwt.WithKey(jwa.ES256, key, jws.WithProtectedHeaders(hdrs)))
+	require.NoError(t, err)
+	return string(signed)
 }
 
 func TestIAMClient_RequestNonce(t *testing.T) {

auth/oauth/types.go

@@ -423,6 +423,8 @@ type OpenIDCredentialIssuerMetadata struct {
 	AuthorizationServers              []string                          `json:"authorization_servers,omitempty"`
 	CredentialConfigurationsSupported map[string]map[string]interface{} `json:"credential_configurations_supported,omitempty"`
 	Display                           []map[string]string               `json:"display,omitempty"`
+	// SignedMetadata is a JWT containing signed issuer metadata for trust verification (v1.0 Section 12.2.3).
+	SignedMetadata string `json:"signed_metadata,omitempty"`
 }
 
 // OpenIDConfiguration represents the OpenID configuration

crypto/jwx.go

@@ -165,6 +165,18 @@ func JWTKidAlg(tokenString string) (string, jwa.SignatureAlgorithm, error) {
 	return hdrs.KeyID(), hdrs.Algorithm(), nil
 }
 
+// JWTTyp parses a JWT without validation and returns the 'typ' header.
+func JWTTyp(tokenString string) (string, error) {
+	j, err := jws.ParseString(tokenString)
+	if err != nil {
+		return "", err
+	}
+	if len(j.Signatures()) != 1 {
+		return "", errors.New("incorrect number of signatures in JWT")
+	}
+	return j.Signatures()[0].ProtectedHeaders().Type(), nil
+}
+
 // PublicKeyFunc defines a function that resolves a public key based on a kid
 type PublicKeyFunc func(kid string) (crypto.PublicKey, error)