Credential Query Validation Policy Reference

This reference documents the credential query validation policy for the validator service. The credential query policy validates that presentation submissions satisfy their corresponding credential queries, ensuring that credentials can fulfill the requested data requirements.

The credential query validation policy ensures that submitted verifiable presentations contain the credentials and data elements required by credential queries. It validates the compatibility between what is requested in a credential query and what is provided in the presentation submission, supporting multiple credential query standards and formats.

The credential query validation policy supports query validation across multiple credential query standards:

| Standard | Organization | Specification | Query Format | Validation Aspect |
| --- | --- | --- | --- | --- |
| DIF Presentation Exchange | DIF | Presentation Exchange | JSON | Validates presentations against presentation definitions |
| DCQL | DIF | Decentralized Credential Query Language | DCQL Query Language | Validates credential presentations against DCQL queries |
| ISO 18013-5 Device Request | ISO | ISO 18013-5 | CBOR Device Request | Validates mDL presentations against device request data requirements |

The validator supports the following credential query types and their validation mechanisms:

| Query Type | Description | Supported Formats | Primary Use Case |
| --- | --- | --- | --- |
| DIF.PresentationExchange | DIF Presentation Exchange standard | W3C VC, JWT VC, SD-JWT VC | General purpose credential presentation requests |
| DCQL | Decentralized Credential Query Language | W3C VC, SD-JWT VC, mDL (mso_mdoc) | Flexible credential data queries with selective disclosure |
| ISO18013-5.DeviceRequest | ISO 18013-5 mobile driving license requests | mDL (mso_mdoc) | Mobile driving license data verification |

```mermaid
flowchart TD
    subgraph "Credential Query Validation"
        Input[Presentation Submission] --> DetectType[Detect Query Type]
        DetectType --> DIF{DIF PE?}
        DetectType --> DCQL{DCQL?}
        DetectType --> MDL{ISO18013-5?}

        DIF -->|Yes| ValidatePD[Validate Presentation Definition]
        ValidatePD --> ValidatePS[Validate Presentation Submission]
        ValidatePS --> EvaluatePresentation[Evaluate Presentation]
        EvaluatePresentation --> DifResult[DIF Result]

        DCQL -->|Yes| ParseDCQL[Parse DCQL Query]
        ParseDCQL --> CreateDCQLPresentation[Create DCQL Presentation]
        CreateDCQLPresentation --> EvaluateDCQL[Evaluate DCQL Query]
        EvaluateDCQL --> DcqlResult[DCQL Result]

        MDL -->|Yes| DecodeDeviceRequest[Decode Device Request]
        DecodeDeviceRequest --> ValidateVersion[Validate mDL Version]
        ValidateVersion --> ValidateDataElements[Validate Data Elements]
        ValidateDataElements --> MdlResult[mDL Result]

        DIF -->|No| Next1[Next Middleware]
        DCQL -->|No| Next2[Next Middleware]
        MDL -->|No| UnsupportedError[Unsupported Query Type]

        Next1 --> Next2
        Next2 --> UnsupportedError

        DifResult --> Decision{Valid?}
        DcqlResult --> Decision
        MdlResult --> Decision
        UnsupportedError --> Decision

        Decision -->|Yes| Valid[Valid Query]
        Decision -->|No| Invalid[Invalid Query]
    end

    style Input fill:#f9f9f9,stroke:#333,stroke-width:1px
    style DetectType fill:#e1f5fe,stroke:#333,stroke-width:1px
    style DIF fill:#e1f5fe,stroke:#333,stroke-width:1px
    style DCQL fill:#e1f5fe,stroke:#333,stroke-width:1px
    style MDL fill:#e1f5fe,stroke:#333,stroke-width:1px
    style ValidatePD fill:#e8f5e8,stroke:#333,stroke-width:1px
    style ValidatePS fill:#e8f5e8,stroke:#333,stroke-width:1px
    style EvaluatePresentation fill:#e8f5e8,stroke:#333,stroke-width:1px
    style ParseDCQL fill:#fff3e0,stroke:#333,stroke-width:1px
    style CreateDCQLPresentation fill:#fff3e0,stroke:#333,stroke-width:1px
    style EvaluateDCQL fill:#fff3e0,stroke:#333,stroke-width:1px
    style DecodeDeviceRequest fill:#f3e5f5,stroke:#333,stroke-width:1px
    style ValidateVersion fill:#f3e5f5,stroke:#333,stroke-width:1px
    style ValidateDataElements fill:#f3e5f5,stroke:#333,stroke-width:1px
    style Valid fill:#dcedc8,stroke:#333,stroke-width:1px
    style Invalid fill:#ffcdd2,stroke:#333,stroke-width:1px
```

When validating credential queries, the policy follows these steps:

  1. Query type detection - Identifies the type of credential query being validated
  2. Format-specific validation - Applies validation logic specific to the detected query type
  3. Presentation evaluation - Evaluates whether the presentation satisfies the query requirements
  4. Result determination - Returns validation results with detailed error information if validation fails

For DIF Presentation Exchange queries, the policy:

  1. Validates presentation definition - Ensures the presentation definition is well-formed
  2. Validates presentation submission - Checks the presentation submission structure
  3. Evaluates presentation - Uses the PEX library to evaluate whether the presentation satisfies the definition
  4. Handles warnings - Processes evaluation warnings based on configuration

For DCQL queries, the policy:

  1. Parses DCQL query - Validates and parses the DCQL query syntax
  2. Creates credential presentation - Transforms submitted credentials into DCQL presentation format
  3. Evaluates query - Determines if the presentation can satisfy the DCQL query requirements
  4. Supports multiple formats - Handles W3C VC, SD-JWT VC, and mDL credentials
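
The evaluation step for a single SD-JWT VC, narrowed to format, `vct_values` and claim paths, shows why a presentation that withholds a requested disclosure fails the query. This is an added example, not the validator's own code; the decoded credential shape, the function names and the sample data are assumptions made for illustration.

```javascript
// Added example: DCQL claim paths evaluated against the claims a holder disclosed.
// The decoded credential shape { format, vct, claims } is an assumption; sample data is constructed.

const isObject = (n) => n !== null && typeof n === "object" && !Array.isArray(n);
const hasKey = (n, k) => Object.prototype.hasOwnProperty.call(n, k);

// Resolve a claims path pointer: string = object key, integer = array index,
// null = every element of an array. Returns the selected values (empty if none).
function selectByPath(root, path) {
  let selected = [root];
  for (const step of path) {
    const next = [];
    for (const node of selected) {
      if (typeof step === "string") {
        if (isObject(node) && hasKey(node, step)) next.push(node[step]);
      } else if (step === null) {
        if (Array.isArray(node)) next.push(...node);
      } else if (Number.isInteger(step) && step >= 0) {
        if (Array.isArray(node) && step < node.length) next.push(node[step]);
      }
    }
    selected = next;
  }
  return selected;
}

// Evaluate one credential query of a DCQL query against one submitted credential.
function evaluateCredentialQuery(query, credential) {
  const errors = [];
  if (query.format !== credential.format) errors.push(`format ${credential.format} was not requested`);
  const vcts = query.meta?.vct_values;
  if (vcts && !vcts.includes(credential.vct)) errors.push(`vct ${credential.vct} was not requested`);
  for (const claim of query.claims ?? []) {
    const found = selectByPath(credential.claims, claim.path);
    const label = JSON.stringify(claim.path);
    if (found.length === 0) errors.push(`claim ${label} not disclosed`);
    else if (claim.values && !found.some((v) => claim.values.includes(v))) errors.push(`claim ${label} has no accepted value`);
  }
  return { id: query.id, valid: errors.length === 0, errors };
}

// Constructed sample: the holder withheld the address disclosure.
const sampleQuery = { id: "pid", format: "dc+sd-jwt", meta: { vct_values: ["https://example.com/pid"] },
  claims: [{ path: ["given_name"] }, { path: ["address", "country"], values: ["DE", "FR"] },
    { path: ["nationalities", null], values: ["DE"] }] };
const sampleCredential = { format: "dc+sd-jwt", vct: "https://example.com/pid",
  claims: { given_name: "Erika", nationalities: ["AT", "DE"] } };
console.log(evaluateCredentialQuery(sampleQuery, sampleCredential));
```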

For mDL device requests, the policy:

  1. Decodes device request - Parses the CBOR-encoded device request
  2. Validates version compatibility - Ensures mDL version matches device request version
  3. Validates data elements - Checks that all requested data elements are present in the mDL
  4. Handles multiple documents - Validates against multiple document types if required
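
Steps 2 to 4 for a device request that has already been CBOR-decoded can be written as one check that reports every missing element rather than stopping at the first. This is an added example, not the validator's own code; the function names, the plain-object shapes and the sample data are assumptions made for illustration.

```javascript
// Added example: data-element check for an ISO 18013-5 device request.
// Both inputs are assumed to be CBOR-decoded into plain objects already; sample data is constructed.

// Element identifiers a document discloses, grouped by namespace.
function disclosedElements(doc) {
  const byNamespace = new Map();
  for (const [ns, items] of Object.entries(doc.issuerSigned?.nameSpaces ?? {})) {
    byNamespace.set(ns, new Set(items.map((item) => item.elementIdentifier)));
  }
  return byNamespace;
}

// Compare versions, then require every requested element in every requested document type.
function checkDeviceRequest(deviceRequest, deviceResponse) {
  const errors = [];
  if (deviceRequest.version !== deviceResponse.version) {
    errors.push(`version mismatch: request ${deviceRequest.version}, mDL ${deviceResponse.version}`);
  }
  for (const { itemsRequest } of deviceRequest.docRequests ?? []) {
    const doc = (deviceResponse.documents ?? []).find((d) => d.docType === itemsRequest.docType);
    if (!doc) {
      errors.push(`no document of type ${itemsRequest.docType}`);
      continue;
    }
    const disclosed = disclosedElements(doc);
    for (const [ns, elements] of Object.entries(itemsRequest.nameSpaces)) {
      for (const element of Object.keys(elements)) {
        if (!disclosed.get(ns)?.has(element)) errors.push(`missing ${ns}/${element}`);
      }
    }
  }
  return { valid: errors.length === 0, errors };
}

// Constructed sample: three elements requested, two present in the mDL.
const MDL_NS = "org.iso.18013.5.1";
const sampleRequest = { version: "1.0", docRequests: [{ itemsRequest: {
  docType: "org.iso.18013.5.1.mDL",
  nameSpaces: { [MDL_NS]: { family_name: false, age_over_18: false, portrait: false } },
} }] };
const sampleResponse = { version: "1.0", documents: [{
  docType: "org.iso.18013.5.1.mDL",
  issuerSigned: { nameSpaces: { [MDL_NS]: [
    { elementIdentifier: "family_name", elementValue: "Doe" },
    { elementIdentifier: "age_over_18", elementValue: true },
  ] } },
}] };
console.log(checkDeviceRequest(sampleRequest, sampleResponse));
```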

The credential query policy returns specific errors for various validation scenarios:

| Error Type | Description | Typical Cause |
| --- | --- | --- |
| Credential Query Format Error | Query format is invalid or malformed | Invalid DIF PE definition, malformed DCQL query |
| Presentation Submission Format Error | Presentation submission structure is invalid | Missing required fields, invalid submission format |
| Presentation Submission Evaluation Error | Presentation cannot satisfy query requirements | Missing credentials, insufficient data elements |
| Unsupported Query Type Error | Query type is not supported | Unknown or unsupported credential query format |

The credential query validation policy can be configured through the validator configuration:

  • Skip presentation submission policies - Allows bypassing credential query validation entirely
  • Presentation evaluation warning handling - Configures how to handle evaluation warnings (valid/warning/error)

For detailed configuration options, parameters, and default values, see the Validator Configuration Reference.

| Credential Format | DIF PE | DCQL | ISO18013-5 | Notes |
| --- | --- | --- | --- | --- |
| W3C VC (JSON-LD) | | | | Full support for W3C credentials |
| JWT VC | | | | JWT-format verifiable credentials |
| SD-JWT VC | | | | Selective disclosure JWT credentials |
| mDL (mso_mdoc) | | | | Mobile driving license format |
| IETF Digital Cred | | | | IETF digital credentials |

When using credential query validation:

  1. Use appropriate query types - Choose the query type that best fits your use case and credential formats
  2. Handle warnings appropriately - Configure warning handling based on your security requirements
  3. Validate query structure - Ensure queries are well-formed before submission
  4. Consider selective disclosure - Use DCQL for scenarios requiring selective attribute disclosure
  5. Test with multiple formats - Validate your queries work with all supported credential formats