Skip to content

fix: reject credentials missing required _sd_alg claim#8

Open
hydeta wants to merge 1 commit into
agent-intent:mainfrom
hydeta:fix/require-sd-alg-claim
Open

fix: reject credentials missing required _sd_alg claim#8
hydeta wants to merge 1 commit into
agent-intent:mainfrom
hydeta:fix/require-sd-alg-claim

Conversation

@hydeta

@hydeta hydeta commented Mar 10, 2026

Copy link
Copy Markdown

Summary

The _sd_alg claim is REQUIRED on L1, L2, and L3 credentials per the credential format spec (L1 §3.3, L2 §4.3, L3 §5.3) and RFC 9901 §5.1.1. The verification chain currently only checks that _sd_alg equals "sha-256" when present, silently accepting credentials that omit the claim entirely.

This changes the three _sd_alg checks in verify_chain from:

if l1_sd_alg is not None and l1_sd_alg != "sha-256":

to:

if l1_sd_alg != "sha-256":

so that a missing _sd_alg is now treated as a verification failure rather than a pass.

All issuance functions already include _sd_alg: "sha-256" in every credential they produce, so this only affects externally constructed or malformed credentials reaching the verifier.

Changes

  • verification/chain.py: Remove the is not None guard on all three _sd_alg checks (L1, L2, L3)
  • tests/test_verification_hardening.py: Add two tests for missing _sd_alg on L1 and L2; add _sd_alg to hand-crafted payloads in existing tests so they continue to reach their intended error paths
  • tests/test_mode_inference.py: Add _sd_alg to hand-crafted L2 payload for same reason

Test plan

  • pytest — 310 tests pass, 0 failures
  • New test_missing_sd_alg_l1_rejected confirms L1 without _sd_alg is rejected
  • New test_missing_sd_alg_l2_rejected confirms L2 without _sd_alg is rejected
  • Existing tests unchanged in behavior — only added _sd_alg to hand-crafted payloads that previously omitted it

Signed-off-by: Timothy Hyde <tim@baselayer.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant