Alt Id Qr Verifier
Verifies an assembled AltID SignedQR (AltIdQrPayload) — the "verification phase".
This performs the offline cryptographic checks of AltID's validation, i.e. everything that needs no external infrastructure:
mdocGeneratedNonceis Base64URL of 16 bytes (step 5)the QR temporal window
nbf/exp(with clock skew) and its time-to-live (steps 3–4)the issuer signature (COSE_Sign1 over the MSO) against the embedded leaf certificate (step 7)
the disclosed IssuerSignedItem digests against the signed MSO (step 8)
the MSO
docTypematches the documentdocType(step 9)the MSO
ValidityInfowindow (step 10)the device signature (COSE_Sign1 over
DeviceAuthentication) against the MSO device key (step 11)mdocGeneratedNoncereplay protection (step 13)
Two checks are pluggable: issuer trust (step 6 — supply trustAnchors, e.g. AltIdTrustList.builtIn; a signing certificate is trusted when it byte-matches a trust-list leaf or a chain from it terminates in a trust-list CA) and the status-list check (step 12 — use the suspending verify(payload, currentTimeSeconds, statusCheck) overload, which fetches and validates the Token Status List referenced by the MSO).
Parameters
the issuer trust list; empty disables trust validation.
nonce replay guard; defaults to a process-wide in-memory set.
tolerance applied to temporal checks.
maximum allowed exp - nbf.
Constructors
Functions
Verifies payload including the status-list check (step 12) when the attestation's MSO references one. Runs all offline checks first, then — per statusCheck — fetches the Token Status List, validates it (signature, signer trust against the same trust list, sub, iat/exp), and rejects revoked attestations.