Merge pull request #17 from adorsys/39-disable-kb-jwt-iat

Disable unreliable check between current times of different systems
adorsys · Oct 2, 2024 · eb4a26a · eb4a26a
2 parents d000dd7 + 5f5c946
commit eb4a26a
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 22 deletions.
diff --git a/pom.xml b/pom.xml
@@ -4,7 +4,7 @@
   <groupId>de.adorsys</groupId>
   <artifactId>sd-jwt</artifactId>
   <packaging>jar</packaging>
-  <version>1.1</version>
+  <version>1.2-SNAPSHOT</version>
   <name>${project.artifactId}</name>
   <description>Library for the production, verification and consumption of SD-JWT documents</description>
   <url>https://github.com/adorsys/sd-jwt</url>

diff --git a/src/main/java/de/adorsys/sdjwt/SdJws.java b/src/main/java/de/adorsys/sdjwt/SdJws.java
@@ -98,12 +98,9 @@ public void verifySignature(JWSVerifier verifier) throws JOSEException {
     }
 
     public void verifyIssuedAtClaim() throws SdJwtVerificationException {
-        long now = Instant.now().getEpochSecond();
-        long iat = SdJwtUtils.readTimeClaim(payload, "iat");
-
-        if (now < iat) {
-            throw new SdJwtVerificationException("jwt issued in the future");
-        }
+        // The purpose of this method was to check if `iat` is not in the future.
+        // However, this cannot be achieved at high resolution between times provided
+        // by different systems. So we removed our unreliable implementation.
     }
 
     public void verifyExpClaim() throws SdJwtVerificationException {

diff --git a/src/test/java/de/adorsys/sdjwt/sdjwtvp/SdJwtVPVerificationTest.java b/src/test/java/de/adorsys/sdjwt/sdjwtvp/SdJwtVPVerificationTest.java
@@ -203,21 +203,6 @@ public void testShouldFail_IfKbSdHashInvalid() {
         );
     }
 
-    @Test
-    public void testShouldFail_IfKbIssuedInFuture() {
-        long now = Instant.now().getEpochSecond();
-
-        var kbPayload = exampleS20KbPayload();
-        kbPayload.set("iat", mapper.valueToTree(now + 1000));
-
-        testShouldFailGenericS20(
-                kbPayload,
-                defaultKeyBindingJwtVerificationOpts().build(),
-                "Key binding JWT: Invalid `iat` claim",
-                "jwt issued in the future"
-        );
-    }
-
     @Test
     public void testShouldFail_IfKbTooOld() {
         long issuerSignedJwtIat = 1683000000; // same value in test vector