feat: Add "no proof check" option for VC decoding

closes hyperledger-archives#1002 Signed-off-by: Dima <dkinoshenko@gmail.com>
kdimak · Dec 20, 2019 · 24ae483 · 24ae483
1 parent 1674d60
commit 24ae483
Show file tree

Hide file tree

Showing 13 changed files with 128 additions and 67 deletions.
diff --git a/pkg/doc/verifiable/credential.go b/pkg/doc/verifiable/credential.go
@@ -426,6 +426,7 @@ type credentialOpts struct {
 	modelValidationMode    vcModelValidationMode
 	allowedCustomContexts  map[string]bool
 	allowedCustomTypes     map[string]bool
+	disabledProofCheck     bool
 }
 
 // CredentialOpt is the Verifiable Credential decoding option
@@ -573,7 +574,7 @@ func NewCredential(vcData []byte, opts ...CredentialOpt) (*Credential, []byte, e
 	vcOpts := parseCredentialOpts(opts)
 
 	// Decode credential (e.g. from JWT).
-	vcDataDecoded, err := decodeRaw(vcData, vcOpts.issuerPublicKeyFetcher)
+	vcDataDecoded, err := decodeRaw(vcData, !vcOpts.disabledProofCheck, vcOpts.issuerPublicKeyFetcher)
 	if err != nil {
 		return nil, nil, fmt.Errorf("decode new credential: %w", err)
 	}
@@ -735,13 +736,13 @@ func newCredential(raw *rawCredential, schemas []TypedID) (*Credential, error) {
 	}, nil
 }
 
-func decodeRaw(vcData []byte, pubKeyFetcher PublicKeyFetcher) ([]byte, error) {
+func decodeRaw(vcData []byte, checkProof bool, pubKeyFetcher PublicKeyFetcher) ([]byte, error) {
 	if isJWS(vcData) {
 		if pubKeyFetcher == nil {
 			return nil, errors.New("public key fetcher is not defined")
 		}
 
-		vcDecodedBytes, err := decodeCredJWS(vcData, pubKeyFetcher)
+		vcDecodedBytes, err := decodeCredJWS(vcData, checkProof, pubKeyFetcher)
 		if err != nil {
 			return nil, fmt.Errorf("JWS decoding: %w", err)
 		}

diff --git a/pkg/doc/verifiable/credential_jws.go b/pkg/doc/verifiable/credential_jws.go
@@ -17,7 +17,7 @@ func (jcc *JWTCredClaims) MarshalJWS(signatureAlg JWSAlgorithm, privateKey inter
 	return marshalJWS(jcc, signatureAlg, privateKey, keyID)
 }
 
-func unmarshalJWSClaims(rawJwt []byte, fetcher PublicKeyFetcher) (*JWTCredClaims, error) {
+func unmarshalJWSClaims(rawJwt []byte, checkProof bool, fetcher PublicKeyFetcher) (*JWTCredClaims, error) {
 	parsedJwt, err := jwt.ParseSigned(string(rawJwt))
 	if err != nil {
 		return nil, fmt.Errorf("parse VC from signed JWS: %w", err)
@@ -30,16 +30,18 @@ func unmarshalJWSClaims(rawJwt []byte, fetcher PublicKeyFetcher) (*JWTCredClaims
 		return nil, fmt.Errorf("parse VC JWT claims: %w", err)
 	}
 
-	err = verifyJWTSignature(parsedJwt, fetcher, credClaims.Issuer, credClaims)
-	if err != nil {
-		return nil, fmt.Errorf("VC JWT signature verification: %w", err)
+	if checkProof {
+		err = verifyJWTSignature(parsedJwt, fetcher, credClaims.Issuer, credClaims)
+		if err != nil {
+			return nil, fmt.Errorf("VC JWT signature verification: %w", err)
+		}
 	}
 
 	return credClaims, nil
 }
 
-func decodeCredJWS(rawJwt []byte, fetcher PublicKeyFetcher) ([]byte, error) {
+func decodeCredJWS(rawJwt []byte, checkProof bool, fetcher PublicKeyFetcher) ([]byte, error) {
 	return decodeCredJWT(rawJwt, func(vcJWTBytes []byte) (*JWTCredClaims, error) {
-		return unmarshalJWSClaims(rawJwt, fetcher)
+		return unmarshalJWSClaims(rawJwt, checkProof, fetcher)
 	})
 }
diff --git a/pkg/doc/verifiable/credential_jws_test.go b/pkg/doc/verifiable/credential_jws_test.go
@@ -30,7 +30,7 @@ func TestJWTCredClaimsMarshalJWS(t *testing.T) {
 		jws, err := jwtClaims.MarshalJWS(RS256, privateKey, "any")
 		require.NoError(t, err)
 
-		vcBytes, err := decodeCredJWS([]byte(jws), func(issuerID, keyID string) (i interface{}, e error) {
+		vcBytes, err := decodeCredJWS([]byte(jws), true, func(issuerID, keyID string) (i interface{}, e error) {
 			publicKey, pcErr := readPublicKey(filepath.Join(certPrefix, "issuer_public.pem"))
 			require.NoError(t, pcErr)
 			require.NotNil(t, publicKey)
@@ -76,7 +76,7 @@ func TestCredJWSDecoderUnmarshal(t *testing.T) {
 	validJWS := createJWS(t, []byte(jwtTestCredential), false)
 
 	t.Run("Successful JWS decoding", func(t *testing.T) {
-		vcBytes, err := decodeCredJWS(validJWS, pkFetcher)
+		vcBytes, err := decodeCredJWS(validJWS, true, pkFetcher)
 		require.NoError(t, err)
 
 		vcRaw := new(rawCredential)
@@ -89,7 +89,7 @@ func TestCredJWSDecoderUnmarshal(t *testing.T) {
 	})
 
 	t.Run("Invalid serialized JWS", func(t *testing.T) {
-		jws, err := decodeCredJWS([]byte("invalid JWS"), pkFetcher)
+		jws, err := decodeCredJWS([]byte("invalid JWS"), true, pkFetcher)
 		require.Error(t, err)
 		require.Contains(t, err.Error(), "unmarshal VC JWT claims: parse VC from signed JWS")
 		require.Nil(t, jws)
@@ -109,7 +109,7 @@ func TestCredJWSDecoderUnmarshal(t *testing.T) {
 		rawJWT, err := jwt.Signed(signer).Claims(claims).CompactSerialize()
 		require.NoError(t, err)
 
-		jws, err := decodeCredJWS([]byte(rawJWT), pkFetcher)
+		jws, err := decodeCredJWS([]byte(rawJWT), true, pkFetcher)
 		require.Error(t, err)
 		require.Contains(t, err.Error(), "unmarshal VC JWT claims: parse VC JWT claims")
 		require.Nil(t, jws)
@@ -125,7 +125,7 @@ func TestCredJWSDecoderUnmarshal(t *testing.T) {
 			return publicKey, nil
 		}
 
-		jws, err := decodeCredJWS(validJWS, pkFetcherOther)
+		jws, err := decodeCredJWS(validJWS, true, pkFetcherOther)
 		require.Error(t, err)
 		require.Contains(t, err.Error(), "unmarshal VC JWT claims: VC JWT signature verification")
 		require.Nil(t, jws)

diff --git a/pkg/doc/verifiable/credential_test.go b/pkg/doc/verifiable/credential_test.go
@@ -646,7 +646,7 @@ func TestWithCredentialSchemaLoader(t *testing.T) {
 	require.Nil(t, opts.schemaLoader.cache)
 }
 
-func TestWithAnyContextAndType(t *testing.T) {
+func TestWithJSONLDValidation(t *testing.T) {
 	credentialOpt := WithJSONLDValidation()
 	require.NotNil(t, credentialOpt)
 
@@ -657,7 +657,7 @@ func TestWithAnyContextAndType(t *testing.T) {
 	require.Empty(t, opts.allowedCustomTypes)
 }
 
-func TestWithBaseOnlyContextAndType(t *testing.T) {
+func TestWithBaseContextValidation(t *testing.T) {
 	credentialOpt := WithBaseContextValidation()
 	require.NotNil(t, credentialOpt)
 
@@ -668,7 +668,7 @@ func TestWithBaseOnlyContextAndType(t *testing.T) {
 	require.Empty(t, opts.allowedCustomTypes)
 }
 
-func TestWithCustomContextAndType(t *testing.T) {
+func TestWithBaseContextExtendedValidation(t *testing.T) {
 	credentialOpt := WithBaseContextExtendedValidation(
 		[]string{"https://www.w3.org/2018/credentials/examples/v1"},
 		[]string{"UniversityDegreeCredential", "AlumniCredential"})

diff --git a/pkg/doc/verifiable/credential_testsuite.go b/pkg/doc/verifiable/credential_testsuite.go
@@ -0,0 +1,26 @@
+// +build testsuite
+
+/*
+Copyright SecureKey Technologies Inc. All Rights Reserved.
+SPDX-License-Identifier: Apache-2.0
+
+This is not actually a test but rather a stand-alone generator application
+that is used by VC Test Suite (https://github.com/w3c/vc-test-suite).
+To run VC Test Suite, execute `make vc-test-suite`.
+*/
+
+package verifiable
+
+// WithNoProofCheck disables checking of Verifiable Credential's proofs.
+func WithNoProofCheck() CredentialOpt {
+	return func(opts *credentialOpts) {
+		opts.disabledProofCheck = true
+	}
+}
+
+// WithPresNoProofCheck tells to skip checking of Verifiable Presentation's proofs.
+func WithPresNoProofCheck() PresentationOpt {
+	return func(opts *presentationOpts) {
+		opts.disabledProofCheck = true
+	}
+}
diff --git a/pkg/doc/verifiable/credential_testsuite_test.go b/pkg/doc/verifiable/credential_testsuite_test.go
@@ -0,0 +1,35 @@
+// +build testsuite
+
+/*
+Copyright SecureKey Technologies Inc. All Rights Reserved.
+SPDX-License-Identifier: Apache-2.0
+
+This is not actually a test but rather a stand-alone generator application
+that is used by VC Test Suite (https://github.com/w3c/vc-test-suite).
+To run VC Test Suite, execute `make vc-test-suite`.
+*/
+
+package verifiable
+
+import (
+	"github.com/stretchr/testify/require"
+	"testing"
+)
+
+func TestWithNoProofCheck(t *testing.T) {
+	credentialOpt := WithNoProofCheck()
+	require.NotNil(t, credentialOpt)
+
+	opts := &credentialOpts{}
+	credentialOpt(opts)
+	require.True(t, opts.disabledProofCheck)
+}
+
+func TestWithPresSkippedEmbeddedProofCheck(t *testing.T) {
+	vpOpt := WithPresNoProofCheck()
+	require.NotNil(t, vpOpt)
+
+	opts := &presentationOpts{}
+	vpOpt(opts)
+	require.True(t, opts.disabledProofCheck)
+}
diff --git a/pkg/doc/verifiable/example_presentation_test.go b/pkg/doc/verifiable/example_presentation_test.go
@@ -85,12 +85,19 @@ func ExamplePresentation_JWTClaims() {
       ]
     }
   ],
-  "holder": "did:example:ebfeb1f712ebc6f1c276e12ec21"
+  "holder": "did:example:ebfeb1f712ebc6f1c276e12ec21",
+  "proof": {
+    "type": "RsaSignature2018",
+    "created": "2018-06-18T21:19:10Z",
+    "proofPurpose": "assertionMethod",
+    "verificationMethod": "https://example.com/jdoe/keys/1",
+    "jws": "eyJhbGciOiJQUzI1N..Dw_mmMCjs9qxg0zcZzqEJw"
+  }
 }
 `
 
 	// The Holder wants to send the presentation to the Verifier in JWS.
-	vp, err := verifiable.NewPresentation([]byte(vpStrFromWallet), verifiable.WithPresSkippedEmbeddedProofCheck())
+	vp, err := verifiable.NewPresentation([]byte(vpStrFromWallet))
 	if err != nil {
 		fmt.Println(fmt.Errorf("failed to decode VP JSON: %w", err))
 	}
@@ -105,7 +112,7 @@ func ExamplePresentation_JWTClaims() {
 	fmt.Println(jws)
 
 	//nolint
-	//Output: eyJhbGciOiJFZERTQSIsImtpZCI6IiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJkaWQ6ZXhhbXBsZTo0YTU3NTQ2OTczNDM2ZjZmNmM0YTRhNTc1NzMiLCJpc3MiOiJkaWQ6ZXhhbXBsZTplYmZlYjFmNzEyZWJjNmYxYzI3NmUxMmVjMjEiLCJqdGkiOiJ1cm46dXVpZDozOTc4MzQ0Zi04NTk2LTRjM2EtYTk3OC04ZmNhYmEzOTAzYzUiLCJ2cCI6eyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvMjAxOC9jcmVkZW50aWFscy92MSIsImh0dHBzOi8vd3d3LnczLm9yZy8yMDE4L2NyZWRlbnRpYWxzL2V4YW1wbGVzL3YxIl0sInR5cGUiOlsiVmVyaWZpYWJsZVByZXNlbnRhdGlvbiIsIlVuaXZlcnNpdHlEZWdyZWVDcmVkZW50aWFsIl0sInZlcmlmaWFibGVDcmVkZW50aWFsIjpbeyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvMjAxOC9jcmVkZW50aWFscy92MSIsImh0dHBzOi8vd3d3LnczLm9yZy8yMDE4L2NyZWRlbnRpYWxzL2V4YW1wbGVzL3YxIl0sImNyZWRlbnRpYWxTY2hlbWEiOltdLCJjcmVkZW50aWFsU3ViamVjdCI6eyJkZWdyZWUiOnsidHlwZSI6IkJhY2hlbG9yRGVncmVlIiwidW5pdmVyc2l0eSI6Ik1JVCJ9LCJpZCI6ImRpZDpleGFtcGxlOmViZmViMWY3MTJlYmM2ZjFjMjc2ZTEyZWMyMSIsIm5hbWUiOiJKYXlkZW4gRG9lIiwic3BvdXNlIjoiZGlkOmV4YW1wbGU6YzI3NmUxMmVjMjFlYmZlYjFmNzEyZWJjNmYxIn0sImV4cGlyYXRpb25EYXRlIjoiMjAyMC0wMS0wMVQxOToyMzoyNFoiLCJpZCI6Imh0dHA6Ly9leGFtcGxlLmVkdS9jcmVkZW50aWFscy8xODcyIiwiaXNzdWFuY2VEYXRlIjoiMjAxMC0wMS0wMVQxOToyMzoyNFoiLCJpc3N1ZXIiOnsiaWQiOiJkaWQ6ZXhhbXBsZTo3NmUxMmVjNzEyZWJjNmYxYzIyMWViZmViMWYiLCJuYW1lIjoiRXhhbXBsZSBVbml2ZXJzaXR5In0sInJlZmVyZW5jZU51bWJlciI6OC4zMjk0ODQ3ZSswNywidHlwZSI6WyJWZXJpZmlhYmxlQ3JlZGVudGlhbCIsIlVuaXZlcnNpdHlEZWdyZWVDcmVkZW50aWFsIl19XX19.fYIKWhFN699O0GJl6DoYw0L_IcpR24GQREPT9G_0lIWGT02NFDuOFFuvydedujGd6twiNW9Drizm997Z7oYtDw
+	//Output: eyJhbGciOiJFZERTQSIsImtpZCI6IiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJkaWQ6ZXhhbXBsZTo0YTU3NTQ2OTczNDM2ZjZmNmM0YTRhNTc1NzMiLCJpc3MiOiJkaWQ6ZXhhbXBsZTplYmZlYjFmNzEyZWJjNmYxYzI3NmUxMmVjMjEiLCJqdGkiOiJ1cm46dXVpZDozOTc4MzQ0Zi04NTk2LTRjM2EtYTk3OC04ZmNhYmEzOTAzYzUiLCJ2cCI6eyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvMjAxOC9jcmVkZW50aWFscy92MSIsImh0dHBzOi8vd3d3LnczLm9yZy8yMDE4L2NyZWRlbnRpYWxzL2V4YW1wbGVzL3YxIl0sInByb29mIjp7ImNyZWF0ZWQiOiIyMDE4LTA2LTE4VDIxOjE5OjEwWiIsImp3cyI6ImV5SmhiR2NpT2lKUVV6STFOLi5Ed19tbU1DanM5cXhnMHpjWnpxRUp3IiwicHJvb2ZQdXJwb3NlIjoiYXNzZXJ0aW9uTWV0aG9kIiwidHlwZSI6IlJzYVNpZ25hdHVyZTIwMTgiLCJ2ZXJpZmljYXRpb25NZXRob2QiOiJodHRwczovL2V4YW1wbGUuY29tL2pkb2Uva2V5cy8xIn0sInR5cGUiOlsiVmVyaWZpYWJsZVByZXNlbnRhdGlvbiIsIlVuaXZlcnNpdHlEZWdyZWVDcmVkZW50aWFsIl0sInZlcmlmaWFibGVDcmVkZW50aWFsIjpbeyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvMjAxOC9jcmVkZW50aWFscy92MSIsImh0dHBzOi8vd3d3LnczLm9yZy8yMDE4L2NyZWRlbnRpYWxzL2V4YW1wbGVzL3YxIl0sImNyZWRlbnRpYWxTY2hlbWEiOltdLCJjcmVkZW50aWFsU3ViamVjdCI6eyJkZWdyZWUiOnsidHlwZSI6IkJhY2hlbG9yRGVncmVlIiwidW5pdmVyc2l0eSI6Ik1JVCJ9LCJpZCI6ImRpZDpleGFtcGxlOmViZmViMWY3MTJlYmM2ZjFjMjc2ZTEyZWMyMSIsIm5hbWUiOiJKYXlkZW4gRG9lIiwic3BvdXNlIjoiZGlkOmV4YW1wbGU6YzI3NmUxMmVjMjFlYmZlYjFmNzEyZWJjNmYxIn0sImV4cGlyYXRpb25EYXRlIjoiMjAyMC0wMS0wMVQxOToyMzoyNFoiLCJpZCI6Imh0dHA6Ly9leGFtcGxlLmVkdS9jcmVkZW50aWFscy8xODcyIiwiaXNzdWFuY2VEYXRlIjoiMjAxMC0wMS0wMVQxOToyMzoyNFoiLCJpc3N1ZXIiOnsiaWQiOiJkaWQ6ZXhhbXBsZTo3NmUxMmVjNzEyZWJjNmYxYzIyMWViZmViMWYiLCJuYW1lIjoiRXhhbXBsZSBVbml2ZXJzaXR5In0sInJlZmVyZW5jZU51bWJlciI6OC4zMjk0ODQ3ZSswNywidHlwZSI6WyJWZXJpZmlhYmxlQ3JlZGVudGlhbCIsIlVuaXZlcnNpdHlEZWdyZWVDcmVkZW50aWFsIl19XX19.MlXIfD30TmmHGvTjFf1eMtgLnplPLfMjtgJkmZSu6NscohOy8iDdR6D9QRALXCWGbsaLVxd0U_hN5xCVxrXtAA
 }
 
 func ExampleCredential_Presentation() {

diff --git a/pkg/doc/verifiable/presentation.go b/pkg/doc/verifiable/presentation.go
@@ -247,14 +247,12 @@ type rawPresentation struct {
 	Holder         string      `json:"holder,omitempty"`
 	Proof          Proof       `json:"proof,omitempty"`
 	RefreshService *TypedID    `json:"refreshService,omitempty"`
-
-	proved bool
 }
 
 // presentationOpts holds options for the Verifiable Presentation decoding
 type presentationOpts struct {
-	publicKeyFetcher       PublicKeyFetcher
-	skipEmbeddedProofCheck bool
+	publicKeyFetcher   PublicKeyFetcher
+	disabledProofCheck bool
 }
 
 // PresentationOpt is the Verifiable Presentation decoding option
@@ -268,13 +266,6 @@ func WithPresPublicKeyFetcher(fetcher PublicKeyFetcher) PresentationOpt {
 	}
 }
 
-// WithPresSkippedEmbeddedProofCheck tells to skip a check of embedded proof presence.
-func WithPresSkippedEmbeddedProofCheck() PresentationOpt {
-	return func(opts *presentationOpts) {
-		opts.skipEmbeddedProofCheck = true
-	}
-}
-
 // NewPresentation creates an instance of Verifiable Presentation by reading a JSON document from bytes.
 // It also applies miscellaneous options like custom decoders or settings of schema validation.
 func NewPresentation(vpData []byte, opts ...PresentationOpt) (*Presentation, error) {
@@ -295,11 +286,6 @@ func NewPresentation(vpData []byte, opts ...PresentationOpt) (*Presentation, err
 		return nil, err
 	}
 
-	// check that embedded proof is present, if not, it's not a verifiable presentation
-	if !vpOpts.skipEmbeddedProofCheck && !vpRaw.proved && vpRaw.Proof == nil {
-		return nil, errors.New("embedded proof is missing")
-	}
-
 	types, err := decodeType(vpRaw.Type)
 	if err != nil {
 		return nil, fmt.Errorf("fill presentation types from raw: %w", err)
@@ -342,7 +328,7 @@ func decodeCredentials(rawCred interface{}, opts *presentationOpts) ([]interface
 		if sCred, ok := cred.(string); ok {
 			bCred := []byte(sCred)
 
-			credDecoded, err := decodeRaw(bCred, opts.publicKeyFetcher)
+			credDecoded, err := decodeRaw(bCred, !opts.disabledProofCheck, opts.publicKeyFetcher)
 			if err != nil {
 				return nil, fmt.Errorf("decode credential of presentation: %w", err)
 			}
@@ -402,13 +388,11 @@ func decodeRawPresentation(vpData []byte, vpOpts *presentationOpts) ([]byte, *ra
 			return nil, nil, errors.New("public key fetcher is not defined")
 		}
 
-		vcDataFromJwt, rawCred, err := decodeVPFromJWS(vpData, vpOpts.publicKeyFetcher)
+		vcDataFromJwt, rawCred, err := decodeVPFromJWS(vpData, !vpOpts.disabledProofCheck, vpOpts.publicKeyFetcher)
 		if err != nil {
 			return nil, nil, fmt.Errorf("decoding of Verifiable Presentation from JWS: %w", err)
 		}
 
-		rawCred.proved = true
-
 		return vcDataFromJwt, rawCred, nil
 	}
 
@@ -418,12 +402,20 @@ func decodeRawPresentation(vpData []byte, vpOpts *presentationOpts) ([]byte, *ra
 			return nil, nil, fmt.Errorf("decoding of Verifiable Presentation from unsecured JWT: %w", err)
 		}
 
-		rawCred.proved = true
-
 		return rawBytes, rawCred, nil
 	}
 
-	return decodeVPFromJSON(vpData)
+	vpBytes, vpRaw, err := decodeVPFromJSON(vpData)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// check that embedded proof is present, if not, it's not a verifiable presentation
+	if !vpOpts.disabledProofCheck && vpRaw.Proof == nil {
+		return nil, nil, errors.New("embedded proof is missing")
+	}
+
+	return vpBytes, vpRaw, err
 }
 
 func decodeVPFromJSON(vpData []byte) ([]byte, *rawPresentation, error) {

diff --git a/pkg/doc/verifiable/presentation_jws.go b/pkg/doc/verifiable/presentation_jws.go
@@ -17,13 +17,13 @@ func (jpc *JWTPresClaims) MarshalJWS(signatureAlg JWSAlgorithm, privateKey inter
 	return marshalJWS(jpc, signatureAlg, privateKey, keyID)
 }
 
-func decodeVPFromJWS(vpJWTBytes []byte, fetcher PublicKeyFetcher) ([]byte, *rawPresentation, error) {
+func decodeVPFromJWS(vpJWTBytes []byte, checkProof bool, fetcher PublicKeyFetcher) ([]byte, *rawPresentation, error) {
 	return decodePresJWT(vpJWTBytes, func(vpJWTBytes []byte) (*JWTPresClaims, error) {
-		return unmarshalPresJWSClaims(vpJWTBytes, fetcher)
+		return unmarshalPresJWSClaims(vpJWTBytes, checkProof, fetcher)
 	})
 }
 
-func unmarshalPresJWSClaims(jwtBytes []byte, fetcher PublicKeyFetcher) (claims *JWTPresClaims, e error) {
+func unmarshalPresJWSClaims(jwtBytes []byte, checkProof bool, fetcher PublicKeyFetcher) (claims *JWTPresClaims, e error) { //nolint:lll
 	parsedJwt, err := jwt.ParseSigned(string(jwtBytes))
 	if err != nil {
 		return nil, fmt.Errorf("VP is not valid serialized JWS: %w", err)
@@ -36,9 +36,11 @@ func unmarshalPresJWSClaims(jwtBytes []byte, fetcher PublicKeyFetcher) (claims *
 		return nil, fmt.Errorf("parse JWT claims: %w", err)
 	}
 
-	err = verifyJWTSignature(parsedJwt, fetcher, credClaims.Issuer, credClaims)
-	if err != nil {
-		return nil, fmt.Errorf("JWT signature verification: %w", err)
+	if checkProof {
+		err = verifyJWTSignature(parsedJwt, fetcher, credClaims.Issuer, credClaims)
+		if err != nil {
+			return nil, fmt.Errorf("JWT signature verification: %w", err)
+		}
 	}
 
 	return credClaims, nil

diff --git a/pkg/doc/verifiable/presentation_jws_test.go b/pkg/doc/verifiable/presentation_jws_test.go
@@ -20,7 +20,7 @@ func TestJWTPresClaims_MarshalJWS(t *testing.T) {
 
 	jws := createCredJWS(t, vp)
 
-	_, rawVC, err := decodeVPFromJWS([]byte(jws), holderPublicKeyFetcher(t))
+	_, rawVC, err := decodeVPFromJWS([]byte(jws), true, holderPublicKeyFetcher(t))
 
 	require.NoError(t, err)
 	require.Equal(t, vp.raw().stringJSON(t), rawVC.stringJSON(t))
@@ -41,13 +41,13 @@ func TestUnmarshalPresJWSClaims(t *testing.T) {
 
 		jws := createCredJWS(t, vp)
 
-		claims, err := unmarshalPresJWSClaims([]byte(jws), testFetcher)
+		claims, err := unmarshalPresJWSClaims([]byte(jws), true, testFetcher)
 		require.NoError(t, err)
 		require.Equal(t, vp.raw().stringJSON(t), claims.Presentation.stringJSON(t))
 	})
 
 	t.Run("Invalid serialized JWS", func(t *testing.T) {
-		claims, err := unmarshalPresJWSClaims([]byte("invalid JWS"), testFetcher)
+		claims, err := unmarshalPresJWSClaims([]byte("invalid JWS"), true, testFetcher)
 		require.Error(t, err)
 		require.Contains(t, err.Error(), "VP is not valid serialized JWS")
 		require.Nil(t, claims)
@@ -70,7 +70,7 @@ func TestUnmarshalPresJWSClaims(t *testing.T) {
 		token, err := jwt.Signed(signer).Claims(claims).CompactSerialize()
 		require.NoError(t, err)
 
-		uc, err := unmarshalPresJWSClaims([]byte(token), testFetcher)
+		uc, err := unmarshalPresJWSClaims([]byte(token), true, testFetcher)
 		require.Error(t, err)
 		require.Contains(t, err.Error(), "parse JWT claims")
 		require.Nil(t, uc)
@@ -82,7 +82,7 @@ func TestUnmarshalPresJWSClaims(t *testing.T) {
 
 		jws := createCredJWS(t, vp)
 
-		uc, err := unmarshalPresJWSClaims([]byte(jws), func(issuerID, keyID string) (interface{}, error) {
+		uc, err := unmarshalPresJWSClaims([]byte(jws), true, func(issuerID, keyID string) (interface{}, error) {
 			// use public key of VC Issuer (while expecting to use the ones of VP Holder)
 			publicKey, pkErr := readPublicKey(filepath.Join(certPrefix, "issuer_public.pem"))
 			require.NoError(t, pkErr)