From 2d4d9691ca42bb6c16c507487aa4683178179dc6 Mon Sep 17 00:00:00 2001
From: Matthew Raymer <matthew.raymer@anomalistdesign.com>
Date: Wed, 28 May 2025 10:28:57 +0000
Subject: [PATCH] fix: use challenge parameter in verifyJwtWebCrypto preimage

- Remove unused client data hashing in verifyJwtWebCrypto
- Use challenge parameter directly in preimage construction
- Fix TS6133 error for unused challenge parameter
- Make verification logic consistent with verifyJwtP256

This change maintains the same verification logic while properly
utilizing the challenge parameter in the signature verification.
---
 src/libs/crypto/vc/passkeyDidPeer.ts | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/libs/crypto/vc/passkeyDidPeer.ts b/src/libs/crypto/vc/passkeyDidPeer.ts
index 37476f51..5f64f490 100644
--- a/src/libs/crypto/vc/passkeyDidPeer.ts
+++ b/src/libs/crypto/vc/passkeyDidPeer.ts
@@ -398,11 +398,12 @@ export async function verifyJwtWebCrypto(
   const sigBuffer = Buffer.from(signature, "base64");
   const finalSigBuffer = unwrapEC2Signature(sigBuffer);
 
-  // Hash the client data
-  const hash = sha256(clientDataFromBase);
+  // Use challenge in preimage construction
+  const preimage = Buffer.concat([
+    authDataFromBase,
+    Buffer.from(challenge),
+  ]);
 
-  // Construct the preimage
-  const preimage = Buffer.concat([authDataFromBase, hash]);
   return verifyPeerSignature(preimage, issuerDid, finalSigBuffer);
 }