Advisories for Npm/Vp-Toolkit package

2020

Holder can generate proof of ownership for credentials it does not control in vp-toolkit

The verifyVerifiablePresentation() method check the cryptographic integrity of the Verifiable Presentation, but it does not check if the credentialSubject.id` DID matches the signer of the VP proof.

Holder can (re)create authentic credentials after receiving a credential in vp-toolkit

The verifyVerifiableCredential() method check the cryptographic integrity of the Verifiable Credential, but it does not check if the credential.issuer DID matches the signer of the credential.