@sphereon/ssi-sdk.mdl-mdoc 0.37.2-next.34 → 0.38.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sphereon/ssi-sdk.mdl-mdoc",
-  "version": "0.37.2-next.34+99164365",
+  "version": "0.38.0",
   "source": "src/index.ts",
   "type": "module",
   "main": "./dist/index.cjs",
@@ -26,15 +26,15 @@
     "build": "tsup --config ../../tsup.config.ts --tsconfig ../../tsconfig.tsup.json"
   },
   "dependencies": {
-    "@sphereon/did-auth-siop-adapter": "0.20.1",
+    "@sphereon/did-auth-siop-adapter": "0.21.0",
     "@sphereon/kmp-mdoc-core": "0.2.0-SNAPSHOT.26",
     "@sphereon/pex": "5.0.0-unstable.28",
     "@sphereon/pex-models": "^2.3.2",
-    "@sphereon/ssi-sdk-ext.did-utils": "0.37.2-next.34+99164365",
-    "@sphereon/ssi-sdk-ext.key-utils": "0.37.2-next.34+99164365",
-    "@sphereon/ssi-sdk-ext.x509-utils": "0.37.2-next.34+99164365",
-    "@sphereon/ssi-sdk.core": "0.37.2-next.34+99164365",
-    "@sphereon/ssi-types": "0.37.2-next.34+99164365",
+    "@sphereon/ssi-sdk-ext.did-utils": "0.38.0",
+    "@sphereon/ssi-sdk-ext.key-utils": "0.38.0",
+    "@sphereon/ssi-sdk-ext.x509-utils": "0.38.0",
+    "@sphereon/ssi-sdk.core": "0.38.0",
+    "@sphereon/ssi-types": "0.38.0",
     "@veramo/core": "4.2.0",
     "@veramo/did-manager": "4.2.0",
     "@veramo/utils": "4.2.0",
@@ -47,13 +47,13 @@
     "uuid": "^9.0.1"
   },
   "devDependencies": {
-    "@sphereon/oid4vci-client": "0.20.1",
-    "@sphereon/oid4vci-common": "0.20.1",
-    "@sphereon/ssi-express-support": "0.37.2-next.34+99164365",
-    "@sphereon/ssi-sdk-ext.key-manager": "0.37.2-next.34+99164365",
-    "@sphereon/ssi-sdk-ext.kms-local": "0.37.2-next.34+99164365",
-    "@sphereon/ssi-sdk.agent-config": "0.37.2-next.34+99164365",
-    "@sphereon/ssi-sdk.public-key-hosting": "0.37.2-next.34+99164365",
+    "@sphereon/oid4vci-client": "0.21.0",
+    "@sphereon/oid4vci-common": "0.21.0",
+    "@sphereon/ssi-express-support": "0.38.0",
+    "@sphereon/ssi-sdk-ext.key-manager": "0.38.0",
+    "@sphereon/ssi-sdk-ext.kms-local": "0.38.0",
+    "@sphereon/ssi-sdk.agent-config": "0.38.0",
+    "@sphereon/ssi-sdk.public-key-hosting": "0.38.0",
     "@transmute/json-web-signature": "0.7.0-unstable.81",
     "@types/cors": "^2.8.17",
     "@types/express": "^4.17.21",
@@ -88,5 +88,5 @@
     "EBSI",
     "EBSI Authorization Client"
   ],
-  "gitHead": "99164365a50f29bc9b528a94d23eedd285399f23"
+  "gitHead": "a93cb5bf52d46acaf3b2b2d8eba83cc88aa5cda4"
 }

package/src/agent/mDLMdoc.ts

@@ -52,7 +52,9 @@ export class MDLMdoc implements IAgentPlugin {
     mdocOid4vpHolderPresent: this.mdocOid4vpHolderPresent.bind(this),
     mdocOid4vpRPVerify: this.mdocOid4vpRPVerify.bind(this),
   }
-  private readonly trustAnchors: string[]
+  private readonly staticTrustAnchors: string[]
+  private readonly trustAnchorProvider?: () => string[]
+  private readonly blindlyTrustedAnchorProvider?: () => string[]
   private opts: {
     trustRootWhenNoAnchors?: boolean
     allowSingleNoCAChainElement?: boolean
@@ -61,6 +63,10 @@ export class MDLMdoc implements IAgentPlugin {
 
   constructor(args?: {
     trustAnchors?: string[]
+    // Provider returning runtime trust anchors, merged with the static (constructor) trustAnchors on every verification.
+    trustAnchorProvider?: () => string[]
+    // Provider returning runtime blindly-trusted anchors, merged with opts.blindlyTrustedAnchors on every verification.
+    blindlyTrustedAnchorProvider?: () => string[]
     opts?: {
       // Trust the supplied root from the chain, when no anchors are being passed in.
       trustRootWhenNoAnchors?: boolean
@@ -71,10 +77,21 @@ export class MDLMdoc implements IAgentPlugin {
       blindlyTrustedAnchors?: string[]
     }
   }) {
-    this.trustAnchors = args?.trustAnchors ?? []
+    this.staticTrustAnchors = args?.trustAnchors ?? []
+    this.trustAnchorProvider = args?.trustAnchorProvider
+    this.blindlyTrustedAnchorProvider = args?.blindlyTrustedAnchorProvider
     this.opts = args?.opts ?? { trustRootWhenNoAnchors: true }
   }
 
+  // Live-merged anchors: static (constructor) + provider (runtime/user). Read on every verification.
+  private get trustAnchors(): string[] {
+    return [...this.staticTrustAnchors, ...(this.trustAnchorProvider?.() ?? [])]
+  }
+
+  private get effectiveBlindlyTrustedAnchors(): string[] {
+    return [...(this.opts.blindlyTrustedAnchors ?? []), ...(this.blindlyTrustedAnchorProvider?.() ?? [])]
+  }
+
   /**
    * Processes and verifies the provided mdoc, generates device response and presentation submission tokens.
    *
@@ -129,18 +146,46 @@ export class MDLMdoc implements IAgentPlugin {
         if (!result.error || responseUri.includes('openid.net')) {
           // TODO: We relax for the conformance suite, as the cert would be invalid
           try {
-            const cborKey = result.keyInfo?.key ? CoseKeyCbor.Static.fromDTO(result.keyInfo.key) : undefined
+            // Source the DEVICE key from the matched document's deviceKeyInfo (the mdoc MSO device key). The validation
+            // result.keyInfo is the x5chain ISSUER key, which kmp-mdoc-core does not (yet) convert to a CborKey
+            // ("we do not convert all properties to a Cborkey yet"), so result.keyInfo.key is undefined. Without a
+            // complete device keyInfo the device-response assembly later fails ("Cannot read property 'toJson' of undefined").
+            const matchDeviceKeyInfo: any = (match as any).deviceKeyInfo
+            const deviceKeyInfoSource: any = matchDeviceKeyInfo ?? result.keyInfo
+            console.log(
+              `(mdl-mdoc:deviceKey) amend: match.deviceKeyInfo present=${!!matchDeviceKeyInfo}, match.deviceKeyInfo.key present=${!!matchDeviceKeyInfo?.key}, ` +
+                `result.keyInfo present=${!!result.keyInfo}, result.keyInfo.key present=${!!result.keyInfo?.key}, source=${matchDeviceKeyInfo ? 'match.deviceKeyInfo' : 'result.keyInfo'}`,
+            )
+            const cborKey = deviceKeyInfoSource?.key ? CoseKeyCbor.Static.fromDTO(deviceKeyInfoSource.key) : undefined
             if (!cborKey) {
-              throw Error('No key found in result')
+              // Note: this is the PUBLIC device key only (the private key is hardware-backed in the KMS). We only need
+              // the public key here to look up the matching KMS key reference by thumbprint.
+              throw Error(
+                'No device (public) key found to amend: neither match.deviceKeyInfo.key nor result.keyInfo.key is populated. ' +
+                  'The mdoc MSO device public key is required to resolve the hardware-backed KMS key for signing.',
+              )
             }
             let jwk = CoseJoseKeyMappingService.toJoseJwk(cborKey).toJsonDTO<JWK>()
-            if (!result.keyInfo?.kmsKeyRef) {
-              const keyInfo = result.keyInfo!
-              const kid = jwk.kid ?? calculateJwkThumbprint({ jwk: jwk })
+            if (!deviceKeyInfoSource?.kmsKeyRef) {
+              const keyInfo = deviceKeyInfoSource
+              const thumbprint = calculateJwkThumbprint({ jwk: jwk })
+              const kid = jwk.kid ?? thumbprint
+              console.log(`(mdl-mdoc:deviceKey) amend: resolved device public jwk kid=${jwk.kid}, thumbprint=${thumbprint}`)
 
-              const key = await _context.agent.keyManagerGet({ kid })
+              // The device COSE key kid can be the (mangled) x-coordinate; the KMS resolves the key by its JWK
+              // thumbprint, so fall back to that when the kid lookup fails.
+              let key
+              try {
+                key = await _context.agent.keyManagerGet({ kid })
+              } catch (e) {
+                console.log(
+                  `(mdl-mdoc:deviceKey) amend: keyManagerGet by kid '${kid}' failed (${(e as any)?.message}); retrying by thumbprint '${thumbprint}'`,
+                )
+                key = await _context.agent.keyManagerGet({ kid: thumbprint })
+              }
               const kms = key.kms
-              const kmsKeyRef = key.meta?.kmsKeyRef
+              const kmsKeyRef = key.meta?.kmsKeyRef ?? key.kid
+              console.log(`(mdl-mdoc:deviceKey) amend: resolved hardware KMS key kms=${kms}, kmsKeyRef=${kmsKeyRef}`)
               const updateCborKey = cborKey.copy(false, cborKey.kty, cborKey.kid ?? new CborByteString(decodeFrom(kid, Encoding.UTF8)))
               const deviceKeyInfo = KeyInfo.Static.fromDTO(keyInfo).copy(
                 kid,
@@ -171,17 +216,100 @@ export class MDLMdoc implements IAgentPlugin {
       }
       return Promise.reject(Error('No matching documents found'))
     }
-    const deviceResponse = await oid4vpService.createDeviceResponse(
-      docsAndDescriptors,
-      presentationDefinition as IOid4VPPresentationDefinition,
-      clientId,
-      responseUri,
-      authorizationRequestNonce,
-    )
-    const vp_token = encodeTo(deviceResponse.cborEncode(), Encoding.BASE64URL)
-    const presentation_submission = Oid4VPPresentationSubmission.Static.fromPresentationDefinition(
-      presentationDefinition as IOid4VPPresentationDefinition,
-    )
+    // Log all createDeviceResponse arguments so we can reason about the post-sign 'toJson of undefined' crash.
+    try {
+      console.log(
+        `(mdl-mdoc:deviceResponse) args: clientId=${clientId}, responseUri=${responseUri}, authorizationRequestNonce=${authorizationRequestNonce}, docCount=${docsAndDescriptors.length}`,
+      )
+      try {
+        console.log(`(mdl-mdoc:deviceResponse) presentationDefinition=${JSON.stringify(presentationDefinition)}`)
+      } catch (e: any) {
+        console.log(`(mdl-mdoc:deviceResponse) presentationDefinition stringify failed: ${e?.message}`)
+      }
+      docsAndDescriptors.forEach((d: any, idx: number) => {
+        const dk: any = d?.deviceKeyInfo
+        let docType: any = undefined
+        try {
+          docType = d?.document?.docType?.value ?? d?.document?.MSO?.value?.docType?.value ?? d?.document?.getDocType?.()
+        } catch {
+          /* ignore */
+        }
+        console.log(
+          `(mdl-mdoc:deviceResponse) doc[${idx}]: inputDescriptor.id=${d?.inputDescriptor?.id?.value ?? d?.inputDescriptor?.id}, docType=${docType}, ` +
+            `document present=${!!d?.document}, documentError present=${!!d?.documentError}, ` +
+            `deviceKeyInfo present=${!!dk}, deviceKeyInfo.key present=${!!dk?.key}, deviceKeyInfo.kid=${dk?.kid}, kmsKeyRef=${dk?.kmsKeyRef}, kms=${dk?.kms}, ` +
+            `signatureAlgorithm=${dk?.signatureAlgorithm}, x5c present=${!!dk?.x5c}`,
+        )
+        try {
+          const dkJson = dk?.toJson ? dk.toJson() : dk
+          console.log(`(mdl-mdoc:deviceResponse) doc[${idx}] deviceKeyInfo=${JSON.stringify(dkJson)}`)
+        } catch (e: any) {
+          console.log(`(mdl-mdoc:deviceResponse) doc[${idx}] deviceKeyInfo serialize failed: ${e?.message}`)
+        }
+        try {
+          const keyJson = dk?.key?.toJson ? dk.key.toJson() : dk?.key
+          console.log(`(mdl-mdoc:deviceResponse) doc[${idx}] deviceKeyInfo.key=${JSON.stringify(keyJson)}`)
+        } catch (e: any) {
+          console.log(`(mdl-mdoc:deviceResponse) doc[${idx}] deviceKeyInfo.key serialize failed: ${e?.message}`)
+        }
+      })
+    } catch (e: any) {
+      console.log(`(mdl-mdoc:deviceResponse) argument logging failed: ${e?.message}`)
+    }
+
+    let deviceResponse
+    try {
+      deviceResponse = await oid4vpService.createDeviceResponse(
+        docsAndDescriptors,
+        presentationDefinition as IOid4VPPresentationDefinition,
+        clientId,
+        responseUri,
+        authorizationRequestNonce,
+      )
+    } catch (e: any) {
+      console.log(`(mdl-mdoc:deviceResponse) createDeviceResponse failed: ${e?.message}`)
+      console.log(`(mdl-mdoc:deviceResponse) STACK: ${e?.stack}`)
+      throw e
+    }
+    // NOTE: the 'Cannot read property toJson of undefined' crash happens HERE (after createDeviceResponse returns),
+    // during cborEncode() of the assembled DeviceResponse — NOT inside createDeviceResponse. Probe + stack-log it.
+    try {
+      console.log(`(mdl-mdoc:deviceResponse) createDeviceResponse returned: present=${!!deviceResponse}, type=${typeof deviceResponse}`)
+      const dr: any = deviceResponse as any
+      try {
+        const docs = dr?.documents ?? dr?.b3p_1 ?? undefined
+        console.log(
+          `(mdl-mdoc:deviceResponse) deviceResponse.version present=${!!dr?.version}, status present=${dr?.status != null}, ` +
+            `documents present=${!!docs}, documentsCount=${docs?.length ?? docs?.size ?? 'n/a'}`,
+        )
+      } catch (e: any) {
+        console.log(`(mdl-mdoc:deviceResponse) deviceResponse structure probe failed: ${e?.message}`)
+      }
+    } catch {
+      /* ignore */
+    }
+
+    let vp_token: string
+    try {
+      const encoded = deviceResponse.cborEncode()
+      console.log(`(mdl-mdoc:deviceResponse) cborEncode OK, byteLen=${encoded?.length}`)
+      vp_token = encodeTo(encoded, Encoding.BASE64URL)
+    } catch (e: any) {
+      console.log(`(mdl-mdoc:deviceResponse) cborEncode failed: ${e?.message}`)
+      console.log(`(mdl-mdoc:deviceResponse) cborEncode STACK: ${e?.stack}`)
+      throw e
+    }
+
+    let presentation_submission
+    try {
+      presentation_submission = Oid4VPPresentationSubmission.Static.fromPresentationDefinition(
+        presentationDefinition as IOid4VPPresentationDefinition,
+      )
+    } catch (e: any) {
+      console.log(`(mdl-mdoc:deviceResponse) fromPresentationDefinition failed: ${e?.message}`)
+      console.log(`(mdl-mdoc:deviceResponse) fromPresentationDefinition STACK: ${e?.stack}`)
+      throw e
+    }
     return { vp_token, presentation_submission }
   }
 
@@ -274,7 +402,7 @@ export class MDLMdoc implements IAgentPlugin {
     const validationResult = await new X509CallbackService(Array.from(mergedAnchors)).verifyCertificateChain({
       ...args,
       trustAnchors: Array.from(trustAnchors),
-      opts: { ...args?.opts, ...this.opts },
+      opts: { ...args?.opts, ...this.opts, blindlyTrustedAnchors: this.effectiveBlindlyTrustedAnchors },
     })
     console.log(
       `x509 validation for ${validationResult.error ? 'Error' : 'Success'}. message: ${validationResult.message}, details: ${validationResult.detailMessage}`,

package/src/functions/index.ts

@@ -17,6 +17,8 @@ import * as crypto from 'crypto'
 import { Certificate, CryptoEngine, setEngine } from 'pkijs'
 // @ts-ignore
 import { fromString } from 'uint8arrays/from-string'
+// @ts-ignore
+import { toString as u8aToString } from 'uint8arrays/to-string'
 import { IRequiredContext, VerifyCertificateChainArgs } from '../types/ImDLMdoc'
 
 type CoseKeyCbor = mdocPkg.com.sphereon.crypto.cose.CoseKeyCbor
@@ -31,13 +33,238 @@ type Jwk = mdocPkg.com.sphereon.crypto.jose.Jwk
 const KeyInfo = mdocPkg.com.sphereon.crypto.KeyInfo
 type X509VerificationProfile = mdocPkg.com.sphereon.crypto.X509VerificationProfile
 const DateTimeUtils = mdocPkg.com.sphereon.kmp.DateTimeUtils
-const decodeFrom = mdocPkg.com.sphereon.kmp.decodeFrom
-const encodeTo = mdocPkg.com.sphereon.kmp.encodeTo
-const Encoding = mdocPkg.com.sphereon.kmp.Encoding
 type LocalDateTimeKMP = mdocPkg.com.sphereon.kmp.LocalDateTimeKMP
 const SignatureAlgorithm = mdocPkg.com.sphereon.crypto.generic.SignatureAlgorithm
 const DefaultCallbacks = mdocPkg.com.sphereon.crypto.DefaultCallbacks
 
+// ---------- Minimal CBOR helpers for the kmp-mdoc-core kid-mangling workaround ----------
+function toU8(bytes: unknown): Uint8Array {
+  if (bytes instanceof Uint8Array) return bytes
+  if (ArrayBuffer.isView(bytes)) {
+    const v = bytes as ArrayBufferView
+    return new Uint8Array(v.buffer, v.byteOffset, v.byteLength)
+  }
+  if (Array.isArray(bytes)) return Uint8Array.from((bytes as number[]).map((b) => b & 0xff))
+  throw new Error('unsupported raw bytes type')
+}
+function extractIssuerAuthRawParts(rawInput: unknown): { protectedBytes: Uint8Array; payloadBytes: Uint8Array } | undefined {
+  const u8 = toU8(rawInput)
+  let pos = 0
+  const readHead = (): { mt: number; len: number } => {
+    const b = u8[pos++]
+    const mt = b >> 5
+    const info = b & 0x1f
+    let len: number
+    if (info < 24) len = info
+    else if (info === 24) {
+      len = u8[pos]
+      pos += 1
+    } else if (info === 25) {
+      len = (u8[pos] << 8) | u8[pos + 1]
+      pos += 2
+    } else if (info === 26) {
+      len = u8[pos] * 0x1000000 + (u8[pos + 1] << 16) + (u8[pos + 2] << 8) + u8[pos + 3]
+      pos += 4
+    } else throw new Error('unsupported cbor length info ' + info)
+    return { mt, len }
+  }
+  const skip = (): void => {
+    const h = readHead()
+    switch (h.mt) {
+      case 0:
+      case 1:
+      case 7:
+        return
+      case 2:
+      case 3:
+        pos += h.len
+        return
+      case 4:
+        for (let i = 0; i < h.len; i++) skip()
+        return
+      case 5:
+        for (let i = 0; i < h.len * 2; i++) skip()
+        return
+      case 6:
+        skip()
+        return
+    }
+  }
+  const readBstr = (): Uint8Array => {
+    const h = readHead()
+    if (h.mt !== 2) throw new Error('expected bstr, got mt ' + h.mt)
+    const out = u8.slice(pos, pos + h.len)
+    pos += h.len
+    return out
+  }
+  const readTstr = (): string => {
+    const h = readHead()
+    if (h.mt !== 3) throw new Error('expected tstr, got mt ' + h.mt)
+    const out = new TextDecoder().decode(u8.slice(pos, pos + h.len))
+    pos += h.len
+    return out
+  }
+  const outer = readHead()
+  if (outer.mt !== 5) return undefined
+  for (let i = 0; i < outer.len; i++) {
+    const key = readTstr()
+    if (key === 'issuerAuth') {
+      const arr = readHead()
+      if (arr.mt !== 4 || arr.len !== 4) throw new Error('issuerAuth is not a 4-element array')
+      const protectedBytes = readBstr()
+      skip()
+      const payloadBytes = readBstr()
+      return { protectedBytes, payloadBytes }
+    }
+    skip()
+  }
+  return undefined
+}
+function encodeBstrHeader(len: number): Uint8Array {
+  if (len < 24) return new Uint8Array([0x40 | len])
+  if (len < 0x100) return new Uint8Array([0x58, len])
+  if (len < 0x10000) return new Uint8Array([0x59, (len >> 8) & 0xff, len & 0xff])
+  return new Uint8Array([0x5a, (len >>> 24) & 0xff, (len >> 16) & 0xff, (len >> 8) & 0xff, len & 0xff])
+}
+function concatU8(parts: Uint8Array[]): Uint8Array {
+  let total = 0
+  for (const p of parts) total += p.length
+  const out = new Uint8Array(total)
+  let off = 0
+  for (const p of parts) {
+    out.set(p, off)
+    off += p.length
+  }
+  return out
+}
+function buildSig1Structure(protectedBytes: Uint8Array, payloadBytes: Uint8Array): Uint8Array {
+  const sig1Label = new Uint8Array([0x6a, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x31])
+  return concatU8([
+    new Uint8Array([0x84]),
+    sig1Label,
+    encodeBstrHeader(protectedBytes.length),
+    protectedBytes,
+    new Uint8Array([0x40]),
+    encodeBstrHeader(payloadBytes.length),
+    payloadBytes,
+  ])
+}
+
+// Convert a DER-encoded ECDSA signature (SEQUENCE { INTEGER r, INTEGER s }) to the raw fixed-width r||s
+// form that COSE_Sign1 requires (each coordinate left-padded to `coordSize`, e.g. 32 bytes for ES256/P-256).
+function derEcdsaToRaw(der: Uint8Array, coordSize: number): Uint8Array {
+  let offset = 0
+  if (der[offset++] !== 0x30) throw new Error('Invalid DER ECDSA signature: missing SEQUENCE tag')
+  let seqLen = der[offset++]
+  if (seqLen & 0x80) {
+    const numBytes = seqLen & 0x7f
+    seqLen = 0
+    for (let i = 0; i < numBytes; i++) seqLen = (seqLen << 8) | der[offset++]
+  }
+  const readInt = (): Uint8Array => {
+    if (der[offset++] !== 0x02) throw new Error('Invalid DER ECDSA signature: missing INTEGER tag')
+    const len = der[offset++]
+    let val = der.slice(offset, offset + len)
+    offset += len
+    let start = 0
+    while (start < val.length - 1 && val[start] === 0x00) start++ // strip DER sign/leading zero bytes
+    val = val.slice(start)
+    if (val.length > coordSize) throw new Error(`Invalid DER ECDSA signature: integer (${val.length}) exceeds ${coordSize}`)
+    const out = new Uint8Array(coordSize)
+    out.set(val, coordSize - val.length) // left-pad
+    return out
+  }
+  const r = readInt()
+  const s = readInt()
+  return concatU8([r, s])
+}
+
+// The KMS/MUSAP bridge returns the signature as a base64 (or base64url) string. COSE needs raw r||s bytes.
+// Normalize to url-safe unpadded base64, decode, and DER->raw-convert when the bytes are a DER ECDSA signature.
+function decodeKmsSignatureToRaw(signature: string, coordSize: number): Uint8Array {
+  const normalized = signature.trim().replace(/\s+/g, '').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/g, '')
+  const bytes = fromString(normalized, 'base64url') as Uint8Array
+  if (bytes.length > coordSize * 2 && bytes[0] === 0x30) {
+    return derEcdsaToRaw(bytes, coordSize)
+  }
+  return bytes
+}
+
+// ---------- Minimal CBOR length walker (definite-length items only) ----------
+function cborHeader(buf: Uint8Array, off: number): { major: number; headerLen: number; argument: number } {
+  const ib = buf[off]
+  const major = ib >> 5
+  const ai = ib & 0x1f
+  if (ai < 24) return { major, headerLen: 1, argument: ai }
+  if (ai === 24) return { major, headerLen: 2, argument: buf[off + 1] }
+  if (ai === 25) return { major, headerLen: 3, argument: (buf[off + 1] << 8) | buf[off + 2] }
+  if (ai === 26) return { major, headerLen: 5, argument: buf[off + 1] * 0x1000000 + (buf[off + 2] << 16) + (buf[off + 3] << 8) + buf[off + 4] }
+  if (ai === 27) {
+    let v = 0
+    for (let i = 1; i <= 8; i++) v = v * 256 + buf[off + i]
+    return { major, headerLen: 9, argument: v }
+  }
+  throw new Error(`unsupported CBOR additional-info ${ai} at offset ${off}`)
+}
+
+function cborItemLen(buf: Uint8Array, off: number): number {
+  const h = cborHeader(buf, off)
+  let total = h.headerLen
+  switch (h.major) {
+    case 0: // uint
+    case 1: // negint
+    case 7: // simple/float (null/true/false/floats — argument captured in headerLen)
+      break
+    case 2: // bstr
+    case 3: // tstr
+      total += h.argument
+      break
+    case 4: // array
+      for (let i = 0; i < h.argument; i++) total += cborItemLen(buf, off + total)
+      break
+    case 5: // map
+      for (let i = 0; i < h.argument * 2; i++) total += cborItemLen(buf, off + total)
+      break
+    case 6: // tag (one following item)
+      total += cborItemLen(buf, off + total)
+      break
+    default:
+      throw new Error(`unsupported CBOR major type ${h.major}`)
+  }
+  return total
+}
+
+// The bundled kmp-mdoc-core builds the DeviceAuth COSE Sig_structure non-conformantly: per ISO 18013-5 §9.1.3 (and the
+// reference impls auth0/mdl + IDK) the signed payload MUST be DeviceAuthenticationBytes = #6.24(bstr .cbor
+// ["DeviceAuthentication", [null,null,OpenID4VPHandover], docType, #6.24(bstr .cbor DeviceNameSpaces)]), and the
+// Sig_structure payload = bstr(DeviceAuthenticationBytes). kmp omits BOTH tag-24 wrappers (element 4 + the outer one).
+// Re-wrap them here so the device signature matches a conformant verifier. (Element 2 = the SessionTranscript
+// [null,null,handover] is already produced by the kmp-mdoc-core handover patch.) "Signature1" / protected / external_aad
+// are left untouched. Returns the input unchanged if the structure isn't the expected DeviceAuth Sig_structure.
+function reconstructMdocDeviceAuthSigStructure(sig: Uint8Array): Uint8Array {
+  if (sig[0] !== 0x84) return sig // Sig_structure must be a 4-element array
+  let off = 1
+  off += cborItemLen(sig, off) // "Signature1"
+  off += cborItemLen(sig, off) // protected (bstr)
+  off += cborItemLen(sig, off) // external_aad (bstr)
+  const payloadStart = off
+  const ph = cborHeader(sig, payloadStart)
+  if (ph.major !== 2) return sig // payload must be a bstr
+  const daStart = payloadStart + ph.headerLen
+  const da = sig.subarray(daStart, daStart + ph.argument) // cbor(DeviceAuthentication)
+  if (da[0] !== 0x84) return sig // DeviceAuthentication must be a 4-element array
+  let d = 1
+  d += cborItemLen(da, d) // "DeviceAuthentication"
+  d += cborItemLen(da, d) // SessionTranscript ([null,null,handover])
+  d += cborItemLen(da, d) // docType
+  const e4 = da.subarray(d, d + cborItemLen(da, d)) // deviceNameSpaces (currently un-tagged)
+  const e4Tagged = concatU8([new Uint8Array([0xd8, 0x18]), encodeBstrHeader(e4.length), e4]) // #6.24(bstr deviceNameSpaces)
+  const daCorrected = concatU8([da.subarray(0, d), e4Tagged])
+  const deviceAuthBytes = concatU8([new Uint8Array([0xd8, 0x18]), encodeBstrHeader(daCorrected.length), daCorrected]) // #6.24(bstr DeviceAuthentication)
+  const newPayload = concatU8([encodeBstrHeader(deviceAuthBytes.length), deviceAuthBytes]) // bstr(DeviceAuthenticationBytes)
+  return concatU8([sig.subarray(0, payloadStart), newPayload])
+}
+
 export class CoseCryptoService implements ICoseCryptoCallbackJS {
   constructor(private context?: IRequiredContext) {}
 
@@ -50,7 +277,28 @@ export class CoseCryptoService implements ICoseCryptoCallbackJS {
       throw Error('No context provided. Please provide a context with the setContext method or constructor')
     }
     const { keyInfo, alg, value } = input
+    // The kmp-mdoc-core Sig_structure omits the ISO 18013-5 §9.1.3 tag-24 wrappers around deviceNameSpaces and the
+    // whole DeviceAuthentication. Re-wrap them so the signed bytes match a conformant verifier (auth0/mdl, IDK).
+    let toBeSigned: Uint8Array = toU8(value as any)
+    try {
+      toBeSigned = reconstructMdocDeviceAuthSigStructure(toBeSigned)
+    } catch (e: any) {
+      console.log(`(mdl-mdoc:sign) Sig_structure tag-24 reconstruction failed, signing kmp original: ${e?.message}`)
+    }
+    // DIAGNOSTIC: dump the exact COSE Sig_structure (ToBeSigned) the holder signs, so it can be diffed
+    // byte-for-byte against the verifier's reconstructed DeviceAuthentication (handover/transcript debugging).
+    try {
+      let hex = ''
+      for (let i = 0; i < toBeSigned.length; i++) hex += (toBeSigned[i] & 0xff).toString(16).padStart(2, '0')
+      console.log(`(mdl-mdoc:sign) ToBeSigned len=${toBeSigned.length} hex=${hex}`)
+    } catch (e: any) {
+      console.log(`(mdl-mdoc:sign) ToBeSigned hex failed: ${e?.message}`)
+    }
     let kmsKeyRef = keyInfo.kmsKeyRef ?? undefined
+    // Additional key references to try if the primary keyRef is not found in the KMS. The COSE key kid coming from
+    // an mdoc deviceKey can be the (mangled) x-coordinate rather than the KMS kid; the KMS can also resolve a key by
+    // its JWK thumbprint, so we fall back to that.
+    const fallbackKeyRefs: Array<string> = []
     if (!kmsKeyRef) {
       const key = keyInfo.key
       if (key == null) {
@@ -59,19 +307,52 @@ export class CoseCryptoService implements ICoseCryptoCallbackJS {
       const resolvedKeyInfo = com.sphereon.crypto.ResolvedKeyInfo.Static.fromKeyInfo(keyInfo, key)
       const jwkKeyInfo: mdocPkg.com.sphereon.crypto.ResolvedKeyInfo<Jwk> = CoseJoseKeyMappingService.toResolvedJwkKeyInfo(resolvedKeyInfo)
 
-      const kid = jwkKeyInfo.kid ?? calculateJwkThumbprint({ jwk: jwkKeyInfo.key.toJsonDTO() }) ?? jwkKeyInfo.key.getKidAsString(true)
+      const thumbprint = calculateJwkThumbprint({ jwk: jwkKeyInfo.key.toJsonDTO() })
+      const kid = jwkKeyInfo.kid ?? thumbprint ?? jwkKeyInfo.key.getKidAsString(true)
       if (!kid) {
         return Promise.reject(Error('No kid present and not kmsKeyRef provided'))
       }
       kmsKeyRef = kid
+      if (thumbprint && thumbprint !== kid) {
+        fallbackKeyRefs.push(thumbprint)
+      }
     }
-    const result = await this.context.agent.keyManagerSign({
-      algorithm: alg.jose!!.value,
-      data: encodeTo(value, Encoding.UTF8),
-      encoding: 'utf-8',
-      keyRef: kmsKeyRef!!,
-    })
-    return decodeFrom(result, Encoding.UTF8)
+    const doSign = (keyRef: string): Promise<string> =>
+      this.context!.agent.keyManagerSign({
+        algorithm: alg.jose!!.value,
+        // Pass the raw ToBeSigned (COSE Sig_structure) bytes as base64. The previous `encodeTo(value, UTF8)`
+        // interpreted the binary CBOR as UTF-8 text, corrupting every non-ASCII byte before the KMS even saw it
+        // (the MUSAP bridge then signed the mangled bytes -> verifier "Signature invalid"). base64 round-trips losslessly.
+        data: u8aToString(toBeSigned, 'base64'),
+        encoding: 'base64',
+        keyRef,
+      })
+    let result: string
+    try {
+      result = await doSign(kmsKeyRef!!)
+    } catch (error) {
+      let signed: string | undefined
+      for (const ref of fallbackKeyRefs) {
+        try {
+          signed = await doSign(ref)
+          break
+        } catch {
+          // try the next fallback key reference
+        }
+      }
+      if (signed === undefined) {
+        throw error
+      }
+      result = signed
+    }
+    // COSE_Sign1 needs the raw fixed-width r||s signature, not the base64(url)/DER form the KMS returns.
+    // (Previously this returned `decodeFrom(result, Encoding.UTF8)` — the UTF-8 bytes of the base64 string —
+    // which the verifier rejected with "Expected signature size 64, received: 86".)
+    const joseAlg = alg.jose?.value
+    const coordSize = joseAlg === 'ES512' ? 66 : joseAlg === 'ES384' ? 48 : 32
+    const raw = decodeKmsSignatureToRaw(result, coordSize)
+    console.log(`(mdl-mdoc:sign) signature decoded: alg=${joseAlg}, inputChars=${result.length}, rawLen=${raw.length} (expected ${coordSize * 2})`)
+    return Int8Array.from(raw)
   }
 
   async verify1Async<CborType>(
@@ -145,9 +426,27 @@ export class CoseCryptoService implements ICoseCryptoCallbackJS {
     )
     const recalculatedToBeSigned = input.toBeSignedJson(issuerCoseKeyInfo, SignatureAlgorithm.Static.fromCose(coseAlg))
     const key = CoseJoseKeyMappingService.toJoseJwk(issuerCoseKeyInfo.key!).toJsonDTO<JWK>()
+    let data = fromString(recalculatedToBeSigned.base64UrlValue, 'base64url')
+    const signatureBytes = fromString(sign1Json.signature, 'base64url')
+    // Workaround: kmp-mdoc-core mangles binary protected-header values (e.g. a bstr kid)
+    // by round-tripping them through a UTF-8 String. When the caller stashed the raw mdoc
+    // bytes on globalThis (see @sphereon/ssi-sdk.credential-validation cvVerifyMdoc), reparse
+    // them here to build the Sig_structure from the untouched protected/payload bstrs, instead
+    // of relying on input.toBeSignedJson() which re-encodes the mangled protected header.
+    const rawMdocBytes = (globalThis as unknown as { __sphereon_mdoc_raw_bytes?: Uint8Array }).__sphereon_mdoc_raw_bytes
+    if (rawMdocBytes) {
+      try {
+        const extracted = extractIssuerAuthRawParts(rawMdocBytes)
+        if (extracted) {
+          data = buildSig1Structure(extracted.protectedBytes, extracted.payloadBytes)
+        }
+      } catch (e) {
+        console.warn('[mdl-mdoc verify] failed to reparse raw mdoc; falling back to kmp-computed Sig_structure:', (e as Error).message)
+      }
+    }
     const valid = await verifyRawSignature({
-      data: fromString(recalculatedToBeSigned.base64UrlValue, 'base64url'),
-      signature: fromString(sign1Json.signature, 'base64url'),
+      data,
+      signature: signatureBytes,
       key,
     })