From f66aa68afc8efbe2f5744e52fbb937cb8dd9e267 Mon Sep 17 00:00:00 2001
From: Zicchio <33022304+Zicchio@users.noreply.github.com>
Date: Fri, 18 Oct 2024 11:43:34 +0200
Subject: [PATCH] feat: support for vc+sd-jwt (#273)

* sd-jwt format regexp + test + linting

* wip: authn response processing

* wip: vc+sd-jwt schema

* wip: vc+sd-jwt

* wip: unit test redo

* wip: test for vc+sd-jwt

* fix: miscellaneous minor fixes

* chore: cleanup

* chore: docs, linting, cleanup

* applied some suggestions

* applied come code suggestions

* wip: ideas, brainstoming, etc

* wip: intent clarification

* wip: new trust model and vp interface

* wip: backend configuration example

* wip

* wip: stub of response with trust model and vp parser

* wip: unit tests

* chore: renamed function

* wip: unit tests, fixes

* wip: cleanup

* wip: cleanup

* wip: fixes

* wip: integration test review

* wip: patch get connection

* Apply suggestions from code review

* Apply suggestions from code review

* fix: changed file name

* Apply suggestions from code review

* wip: storage layer of trust eval

* wip: storage layer + tests fixes

* wip: integration tests

* wip: fix python 3.12 retrocompatibility + todos

* wip: exception handling

---------

Co-authored-by: elisanp <elisa.nicolussi@tndigit.it>
Co-authored-by: elisanp <118907120+elisanp@users.noreply.github.com>
Co-authored-by: Giuseppe De Marco <giuseppe.demarco@teamdigitale.governo.it>
---
 docs/STORAGE.md                               |  15 +-
 example/satosa/integration_test/commons.py    | 109 ++---
 .../cross_device_integration_test.py          |  74 ++--
 example/satosa/integration_test/main.py       | 277 ------------
 .../same_device_integration_test.py           | 111 +++++
 example/satosa/integration_test/settings.py   |   5 +-
 example/satosa/pyeudiw_backend.yaml           |  86 +++-
 pyeudiw/federation/statements.py              |  12 +-
 .../trust_chain/__init__.py}                  |   0
 pyeudiw/federation/trust_chain/builder.py     |   1 +
 pyeudiw/federation/trust_chain/parse.py       |   5 +
 pyeudiw/federation/trust_chain/validator.py   |   1 +
 pyeudiw/federation/trust_chain_validator.py   |   6 +-
 pyeudiw/jwk/__init__.py                       |   2 +-
 pyeudiw/jwt/parse.py                          |  57 +++
 pyeudiw/jwt/utils.py                          |  30 +-
 pyeudiw/jwt/verification.py                   |  30 ++
 pyeudiw/openid4vp/authorization_response.py   |  66 +++
 pyeudiw/openid4vp/exceptions.py               |  16 +
 pyeudiw/openid4vp/interface.py                |  55 +++
 pyeudiw/openid4vp/utils.py                    |  42 +-
 pyeudiw/openid4vp/vp.py                       |  17 +-
 pyeudiw/openid4vp/vp_sd_jwt.py                |   9 +-
 pyeudiw/openid4vp/vp_sd_jwt_vc.py             |  52 +++
 pyeudiw/satosa/default/openid4vp_backend.py   |  16 +-
 pyeudiw/satosa/default/response_handler.py    | 265 +++++++-----
 pyeudiw/satosa/exceptions.py                  |  28 ++
 pyeudiw/satosa/schemas/config.py              |   8 +-
 pyeudiw/satosa/utils/trust.py                 |  15 +-
 pyeudiw/sd_jwt/__init__.py                    |  19 +-
 pyeudiw/sd_jwt/exceptions.py                  |   8 +
 pyeudiw/sd_jwt/schema.py                      | 121 +++++-
 pyeudiw/sd_jwt/sd_jwt.py                      | 219 ++++++++++
 pyeudiw/storage/base_storage.py               |  16 +-
 pyeudiw/storage/db_engine.py                  |  14 +-
 pyeudiw/storage/mongo_storage.py              |  37 +-
 pyeudiw/tests/openid4vp/utility.py            |  41 ++
 pyeudiw/tests/satosa/test_backend.py          | 258 +++++++-----
 pyeudiw/tests/satosa/test_backend_trust.py    |  28 ++
 pyeudiw/tests/sd_jwt/test_sdjwt.py            | 222 ++++++++++
 pyeudiw/tests/sd_jwt/test_sdjwt_schema.py     | 166 ++++++++
 pyeudiw/tests/settings.py                     | 395 ++++++++++++++++--
 pyeudiw/tests/trust/default/settings.py       |  24 ++
 .../tests/trust/default/test_direct_trust.py  |  20 +
 pyeudiw/tests/trust/test_dynamic.py           |  76 ++++
 pyeudiw/tools/utils.py                        |  21 +
 pyeudiw/trust/_log.py                         |   4 +
 pyeudiw/trust/default/__init__.py             |  20 +
 .../trust/default/direct_trust_sd_jwt_vc.py   |  70 ++++
 pyeudiw/trust/default/federation.py           | 285 +++++++++++++
 pyeudiw/trust/default/x509.py                 |   6 +
 pyeudiw/trust/dynamic.py                      | 126 ++++++
 pyeudiw/trust/exceptions.py                   |   4 +
 pyeudiw/trust/interface.py                    |  35 ++
 .../{openid4vp/request.py => vci/__init__.py} |   0
 pyeudiw/vci/exception.py                      |   5 +
 pyeudiw/vci/jwks_provider.py                  |  97 +++++
 pyeudiw/vci/utils.py                          |  29 ++
 pyeudiw/x509/verify.py                        |   6 +
 59 files changed, 3034 insertions(+), 748 deletions(-)
 delete mode 100644 example/satosa/integration_test/main.py
 create mode 100644 example/satosa/integration_test/same_device_integration_test.py
 rename pyeudiw/{openid4vp/redirect.py => federation/trust_chain/__init__.py} (100%)
 create mode 100644 pyeudiw/federation/trust_chain/builder.py
 create mode 100644 pyeudiw/federation/trust_chain/parse.py
 create mode 100644 pyeudiw/federation/trust_chain/validator.py
 create mode 100644 pyeudiw/jwt/parse.py
 create mode 100644 pyeudiw/jwt/verification.py
 create mode 100644 pyeudiw/openid4vp/authorization_response.py
 create mode 100644 pyeudiw/openid4vp/interface.py
 create mode 100644 pyeudiw/openid4vp/vp_sd_jwt_vc.py
 create mode 100644 pyeudiw/sd_jwt/sd_jwt.py
 create mode 100644 pyeudiw/tests/openid4vp/utility.py
 create mode 100644 pyeudiw/tests/satosa/test_backend_trust.py
 create mode 100644 pyeudiw/tests/sd_jwt/test_sdjwt.py
 create mode 100644 pyeudiw/tests/sd_jwt/test_sdjwt_schema.py
 create mode 100644 pyeudiw/tests/trust/default/settings.py
 create mode 100644 pyeudiw/tests/trust/default/test_direct_trust.py
 create mode 100644 pyeudiw/tests/trust/test_dynamic.py
 create mode 100644 pyeudiw/trust/_log.py
 create mode 100644 pyeudiw/trust/default/__init__.py
 create mode 100644 pyeudiw/trust/default/direct_trust_sd_jwt_vc.py
 create mode 100644 pyeudiw/trust/default/federation.py
 create mode 100644 pyeudiw/trust/default/x509.py
 create mode 100644 pyeudiw/trust/dynamic.py
 create mode 100644 pyeudiw/trust/interface.py
 rename pyeudiw/{openid4vp/request.py => vci/__init__.py} (100%)
 create mode 100644 pyeudiw/vci/exception.py
 create mode 100644 pyeudiw/vci/jwks_provider.py
 create mode 100644 pyeudiw/vci/utils.py

diff --git a/docs/STORAGE.md b/docs/STORAGE.md
index dfb44491..580ae076 100644
--- a/docs/STORAGE.md
+++ b/docs/STORAGE.md
@@ -101,11 +101,22 @@ This classes can be used as references while providing a custom implementation f
     "federation" : {
       "chain": ARRAY[EC,ES,ES],
       "exp": datetime,
-      "update": datetime
+      "update": datetime,
+      "jwks": {
+        "keys": ARRAY[object]
+      },
     },
     "x509": {
       "x5c": ARRAY[bytestring(DER), bytestring(DER), bytestring(DER)] -> contains public keys,
-      "exp": datetime
+      "exp": datetime,
+      "jwks": {
+        "keys": ARRAY[object]
+      },
+    },
+    "direct_trust_sd_jwt_vc": {
+      "jwks": {
+        "keys": ARRAY[object]
+      }
     }
     "metadata": object
   }
diff --git a/example/satosa/integration_test/commons.py b/example/satosa/integration_test/commons.py
index 2b72213b..6dc70f6d 100644
--- a/example/satosa/integration_test/commons.py
+++ b/example/satosa/integration_test/commons.py
@@ -1,21 +1,18 @@
 import base64
+from bs4 import BeautifulSoup
 import datetime
 import requests
-import uuid
 from typing import Any, Literal
-from bs4 import BeautifulSoup
-from sd_jwt.holder import SDJWTHolder
 
 from pyeudiw.jwk import JWK
-from pyeudiw.jwt import DEFAULT_SIG_KTY_MAP, JWEHelper, JWSHelper
+from pyeudiw.jwt import DEFAULT_SIG_KTY_MAP, JWEHelper
 from pyeudiw.jwt.utils import decode_jwt_payload
-from pyeudiw.presentation_exchange.schemas.oid4vc_presentation_definition import PresentationDefinition
 from pyeudiw.sd_jwt import (
-    # _adapt_keys,
     import_ec,
     issue_sd_jwt,
     load_specification_from_yaml_string
 )
+from pyeudiw.storage.base_storage import TrustType
 from pyeudiw.storage.db_engine import DBEngine
 from pyeudiw.tests.federation.base import (
     EXP,
@@ -30,10 +27,11 @@
     leaf_wallet_signed,
     trust_chain_issuer
 )
-from pyeudiw.tools.utils import iat_now, exp_from_now
+from sd_jwt.holder import SDJWTHolder
+from saml2_sp import saml2_request
 
-from saml2_sp import IDP_BASEURL
 from settings import (
+    IDP_BASEURL,
     CONFIG_DB,
     RP_EID,
     its_trust_chain
@@ -42,25 +40,19 @@
 CREDENTIAL_ISSUER_JWK = JWK(leaf_cred_jwk_prot.serialize(private=True))
 ISSUER_CONF = {
     "sd_specification": """
-        user_claims:
-            !sd unique_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
-            !sd given_name: "Mario"
-            !sd family_name: "Rossi"
-            !sd birthdate: "1980-01-10"
-            !sd place_of_birth:
-                country: "IT"
-                locality: "Rome"
-            !sd tax_id_code: "TINIT-XXXXXXXXXXXXXXXX"
-
-        holder_disclosed_claims:
-            { "given_name": "Mario", "family_name": "Rossi", "place_of_birth": {country: "IT", locality: "Rome"}, "tax_id_code": "TINIT-XXXXXXXXXXXXXXXX" }
-
-        key_binding: True
+        !sd unique_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+        !sd given_name: "Mario"
+        !sd family_name: "Rossi"
+        !sd birthdate: "1980-01-10"
+        !sd place_of_birth:
+            country: "IT"
+            locality: "Rome"
+        !sd tax_id_code: "TINIT-XXXXXXXXXXXXXXXX"
     """,
     "issuer": leaf_cred['sub'],
-    "default_exp": 1024
+    "default_exp": 1024,
+    "key_binding": True
 }
-ISSUER_PRIVATE_JWK = JWK(leaf_cred_jwk.serialize(private=True))
 WALLET_PRIVATE_JWK = JWK(leaf_wallet_jwk.serialize(private=True))
 WALLET_PUBLIC_JWK = JWK(leaf_wallet_jwk.serialize())
 
@@ -71,7 +63,7 @@ def setup_test_db_engine() -> DBEngine:
 
 def apply_trust_settings(db_engine_inst: DBEngine) -> DBEngine:
     db_engine_inst.add_trust_anchor(
-        entity_id=ta_ec['iss'],
+        entity_id=ta_ec["iss"],
         entity_configuration=ta_ec_signed,
         exp=EXP
     )
@@ -83,24 +75,32 @@ def apply_trust_settings(db_engine_inst: DBEngine) -> DBEngine:
     )
 
     db_engine_inst.add_or_update_trust_attestation(
-        entity_id=leaf_wallet['iss'],
+        entity_id=leaf_wallet["iss"],
         attestation=leaf_wallet_signed,
         exp=datetime.datetime.now().isoformat()
     )
 
     db_engine_inst.add_or_update_trust_attestation(
-        entity_id=leaf_cred['iss'],
+        entity_id=leaf_cred["iss"],
         attestation=leaf_cred_signed,
         exp=datetime.datetime.now().isoformat()
     )
+
+    settings = ISSUER_CONF
+    db_engine_inst.add_or_update_trust_attestation(
+            entity_id=settings["issuer"],
+            trust_type=TrustType.DIRECT_TRUST_SD_JWT_VC,
+            jwks=leaf_cred_jwk_prot.serialize())
     return db_engine_inst
 
+def create_saml_auth_request() -> str:
+    auth_req_url = f"{saml2_request["headers"][0][1]}&idp_hinting=wallet"
+    return auth_req_url
 
 def create_issuer_test_data() -> dict[Literal["jws"] | Literal["issuance"], str]:
     # create a SD-JWT signed by a trusted credential issuer
     settings = ISSUER_CONF
-    settings['issuer'] = leaf_cred['iss']
-    settings['default_exp'] = 33
+    settings["default_exp"] = 33
     sd_specification = load_specification_from_yaml_string(
         settings["sd_specification"]
     )
@@ -110,16 +110,13 @@ def create_issuer_test_data() -> dict[Literal["jws"] | Literal["issuance"], str]
         settings,
         CREDENTIAL_ISSUER_JWK,
         WALLET_PUBLIC_JWK,
-        trust_chain=trust_chain_issuer
+        additional_headers={"typ": "vc+sd-jwt"}
     )
     return issued_jwt
 
 
-def create_holder_test_data(issued_jwt: dict[Literal["jws"] | Literal["issuance"], str], request_nonce: str) -> str:
+def create_holder_test_data(issued_jwt: dict[Literal["jws"] | Literal["issuance"], str], request_nonce: str, request_aud: str) -> str:
     settings = ISSUER_CONF
-    sd_specification = load_specification_from_yaml_string(
-        settings["sd_specification"]
-    )
 
     sdjwt_at_holder = SDJWTHolder(
         issued_jwt["issuance"],
@@ -127,56 +124,40 @@ def create_holder_test_data(issued_jwt: dict[Literal["jws"] | Literal["issuance"
     )
     sdjwt_at_holder.create_presentation(
         claims_to_disclose={
-            'tax_id_code': "TIN-that",
-            'given_name': 'Raffaello',
-            'family_name': 'Mascetti'
+            "tax_id_code": True,
+            "given_name": True,
+            "family_name": True
         },
-        nonce=str(uuid.uuid4()),
-        aud=str(uuid.uuid4()),
+        nonce=request_nonce,
+        aud=request_aud,
         sign_alg=DEFAULT_SIG_KTY_MAP[WALLET_PRIVATE_JWK.key.kty],
         holder_key=(
             import_ec(
                 WALLET_PRIVATE_JWK.key.priv_key,
                 kid=WALLET_PRIVATE_JWK.kid
             )
-            if sd_specification.get("key_binding", False)
+            if settings.get("key_binding", False)
             else None
         )
     )
 
-    data = {
-        "iss": "https://wallet-provider.example.org/instance/vbeXJksM45xphtANnCiG6mCyuU4jfGNzopGuKvogg9c",
-        "jti": str(uuid.uuid4()),
-        "aud": "https://relying-party.example.org/callback",
-        "iat": iat_now(),
-        "exp": exp_from_now(minutes=5),
-        "nonce": request_nonce,
-        "vp": sdjwt_at_holder.sd_jwt_presentation,
-    }
-
-    vp_token = JWSHelper(WALLET_PRIVATE_JWK).sign(
-        data,
-        protected={"typ": "JWT"}
-    )
+    vp_token = sdjwt_at_holder.sd_jwt_presentation
     return vp_token
 
-
-def create_authorize_response(vp_token: str, state: str, nonce: str, response_uri: str) -> str:
-    # take relevant information from RP's entity configuration
+def create_authorize_response(vp_token: str, state: str, response_uri: str) -> str:
+    # Extract public key from RP's entity configuration
     client = requests.Session()
     rp_ec_jwt = client.get(
-        f'{IDP_BASEURL}/OpenID4VP/.well-known/openid-federation',
+        f"{IDP_BASEURL}/OpenID4VP/.well-known/openid-federation",
         verify=False
     ).content.decode()
     rp_ec = decode_jwt_payload(rp_ec_jwt)
 
-    presentation_definition = rp_ec["metadata"]["wallet_relying_party"]["presentation_definition"]
-    PresentationDefinition(**presentation_definition)
-    assert response_uri == rp_ec["metadata"]['wallet_relying_party']["response_uris_supported"][0]
+    assert response_uri == rp_ec["metadata"]["wallet_relying_party"]["response_uris_supported"][0]
+    encryption_key = rp_ec["metadata"]["wallet_relying_party"]["jwks"]["keys"][1]
 
     response = {
         "state": state,
-        "nonce": nonce,
         "vp_token": vp_token,
         "presentation_submission": {
             "definition_id": "32f54163-7166-48f1-93d8-ff217bdb0653",
@@ -192,8 +173,8 @@ def create_authorize_response(vp_token: str, state: str, nonce: str, response_ur
         }
     }
     encrypted_response = JWEHelper(
-        # RSA (EC is not fully supported todate)
-        JWK(rp_ec["metadata"]['wallet_relying_party']['jwks']['keys'][1])
+        # RSA (EC is not fully supported to date)
+        JWK(encryption_key)
     ).encrypt(response)
     return encrypted_response
 
diff --git a/example/satosa/integration_test/cross_device_integration_test.py b/example/satosa/integration_test/cross_device_integration_test.py
index a48ecf91..4b2034d5 100644
--- a/example/satosa/integration_test/cross_device_integration_test.py
+++ b/example/satosa/integration_test/cross_device_integration_test.py
@@ -1,31 +1,27 @@
-import urllib.parse
-import requests
-import urllib
 from bs4 import BeautifulSoup
 import re
+import requests
+import urllib.parse
 
 from pyeudiw.jwt.utils import decode_jwt_payload
 
 from commons import (
     ISSUER_CONF,
+    setup_test_db_engine,
     apply_trust_settings,
+    create_saml_auth_request,
     create_authorize_response,
     create_holder_test_data,
     create_issuer_test_data,
-    extract_saml_attributes,
-    setup_test_db_engine,
+    extract_saml_attributes
 )
-from saml2_sp import saml2_request
 from settings import TIMEOUT_S
 
+# put a trust attestation related itself into the storage
+# this is then used as trust_chain header parameter in the signed request object
 db_engine_inst = setup_test_db_engine()
 db_engine_inst = apply_trust_settings(db_engine_inst)
 
-headers_browser = {
-    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.79 Safari/537.36"
-}
-
-
 def _verify_status(status_uri: str, expected_code: int):
     status_check = http_user_agent.get(
         status_uri,
@@ -38,16 +34,16 @@ def _verify_status(status_uri: str, expected_code: int):
 def _extract_request_uri(bs: BeautifulSoup) -> str:
     # Request URI is extracted by parsing the QR code in the response page
     qrcode_element = list(bs.find(id="content-qrcode-payload").children)[1]
-    qrcode_text = qrcode_element.get('contents')
-    request_uri = urllib.parse.parse_qs(qrcode_text)['request_uri'][0]
+    qrcode_text = qrcode_element.get("contents")
+    request_uri = urllib.parse.parse_qs(qrcode_text)["request_uri"][0]
     return request_uri
 
 
 def _extract_status_uri(bs: BeautifulSoup) -> str:
     # Status uri is extracted by parsing a matching regexp in the <script> portion of the HTML.
     # This funciton is somewhat unstable as it supposes that "qr_code.html" has certain properties
-    #  which might not be true.
-    qrcode_script_element: str = bs.find_all('script')[-1].string
+    # which might not be true.
+    qrcode_script_element: str = bs.find_all("script")[-1].string
     qrcode_script_element_formatted = [item.strip() for item in qrcode_script_element.splitlines()]
     qrcode_script_element_formatted = str.join("", qrcode_script_element_formatted)
 
@@ -61,16 +57,18 @@ def _extract_status_uri(bs: BeautifulSoup) -> str:
 http_user_agent = requests.Session()
 wallet_user_agent = requests.Session()
 
-initiating_saml_request_uri = f"{saml2_request['headers'][0][1]}&idp_hinting=wallet"
+auth_req_url = create_saml_auth_request()
+headers_browser = {
+    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.79 Safari/537.36"
+}
 request_uri = ""
 authn_response = http_user_agent.get(
-    url=initiating_saml_request_uri,
+    url=auth_req_url,
     verify=False,
     headers=headers_browser,
     timeout=TIMEOUT_S
 )
 
-
 # Extract request URI and status endpoint by parsing the response page
 qrcode_page = BeautifulSoup(authn_response.content.decode(), features="html.parser")
 request_uri = _extract_request_uri(qrcode_page)
@@ -85,7 +83,7 @@ def _extract_status_uri(bs: BeautifulSoup) -> str:
     timeout=TIMEOUT_S)
 
 request_object_claims = decode_jwt_payload(sign_request_obj.text)
-response_uri = request_object_claims['response_uri']
+response_uri = request_object_claims["response_uri"]
 
 # Wallet obtained the Request Object; verify that status is 202
 _verify_status(status_uri, expected_code=202)
@@ -94,24 +92,24 @@ def _extract_status_uri(bs: BeautifulSoup) -> str:
 verifiable_credential = create_issuer_test_data()
 verifiable_presentations = create_holder_test_data(
     verifiable_credential,
-    request_object_claims['nonce']
+    request_object_claims["nonce"],
+    request_object_claims["client_id"]
 )
 wallet_response_data = create_authorize_response(
     verifiable_presentations,
     request_object_claims["state"],
-    request_object_claims["nonce"],
     response_uri
 )
 
-authz_response_feedback = wallet_user_agent.post(
+authz_response = wallet_user_agent.post(
     response_uri,
     verify=False,
-    data={'response': wallet_response_data},
+    data={"response": wallet_response_data},
     timeout=TIMEOUT_S
 )
 
-assert authz_response_feedback.status_code == 200
-assert authz_response_feedback.json().get("redirect_uri", None) is None
+assert authz_response.status_code == 200
+assert authz_response.json().get("redirect_uri", None) is None
 
 status_check = http_user_agent.get(
     status_uri,
@@ -121,15 +119,15 @@ def _extract_status_uri(bs: BeautifulSoup) -> str:
 assert status_check.status_code == 200
 assert status_check.json().get("redirect_uri", None) is not None
 
-callback_uri = status_check.json().get("redirect_uri", None)
 # TODO: this test does not check that the login page is properly updated with a login button linkint to the redirect uri
+callback_uri = status_check.json().get("redirect_uri", None)
 satosa_authn_response = http_user_agent.get(
     callback_uri,
     verify=False,
     timeout=TIMEOUT_S
 )
 
-assert 'SAMLResponse' in satosa_authn_response.content.decode()
+assert "SAMLResponse" in satosa_authn_response.content.decode()
 print(satosa_authn_response.content.decode())
 
 attributes = extract_saml_attributes(satosa_authn_response.content.decode())
@@ -138,16 +136,20 @@ def _extract_status_uri(bs: BeautifulSoup) -> str:
 
 expected = {
     # https://oidref.com/2.5.4.42
-    "urn:oid:2.5.4.42": ISSUER_CONF['sd_specification'].split('!sd given_name:')[1].split('"')[1],
+    "urn:oid:2.5.4.42": ISSUER_CONF["sd_specification"].split("!sd given_name:")[1].split('"')[1].lower(),
     # https://oidref.com/2.5.4.4
-    "urn:oid:2.5.4.4": ISSUER_CONF['sd_specification'].split('!sd family_name:')[1].split('"')[1]
+    "urn:oid:2.5.4.4": ISSUER_CONF["sd_specification"].split("!sd family_name:")[1].split('"')[1].lower()
 }
 
-for attribute in attributes:
-    name = attribute["name"]
-    value = attribute.contents[0].contents[0]
-    expected_value = expected.get(name, None)
-    if expected_value:
-        assert value == expected_value.lower()
+for exp_att_name, exp_att_value in expected.items():
+    result_index = -1
+    for i, attribute in enumerate(attributes):
+        if attribute["name"] == exp_att_name:
+            result_index = i
+            break
+    assert result_index != -1, f"missing attribute with name=[{exp_att_name}] in result set"
+    obt_att_value = attributes[result_index].contents[0].contents[0]
+    assert exp_att_value == obt_att_value, f"wrong attrirbute parsing expected {exp_att_value}, obtained {obt_att_value}"
+
 
-print('TEST PASSED')
+print("TEST PASSED")
diff --git a/example/satosa/integration_test/main.py b/example/satosa/integration_test/main.py
deleted file mode 100644
index 82531477..00000000
--- a/example/satosa/integration_test/main.py
+++ /dev/null
@@ -1,277 +0,0 @@
-import json
-import requests
-import uuid
-import urllib
-import datetime
-import base64
-from bs4 import BeautifulSoup
-
-from pyeudiw.jwt import DEFAULT_SIG_KTY_MAP
-from pyeudiw.presentation_exchange.schemas.oid4vc_presentation_definition import PresentationDefinition
-from pyeudiw.tests.federation.base import (
-    EXP,
-    leaf_cred,
-    leaf_cred_jwk,
-    leaf_wallet_jwk,
-    leaf_wallet,
-    leaf_wallet_signed,
-    trust_chain_issuer,
-    ta_ec,
-    ta_ec_signed,
-    leaf_cred_signed, leaf_cred_jwk_prot
-)
-
-from pyeudiw.jwk import JWK
-from pyeudiw.jwt import JWSHelper, JWEHelper
-from pyeudiw.sd_jwt import (
-    load_specification_from_yaml_string,
-    issue_sd_jwt,
-    _adapt_keys,
-    import_ec
-)
-from pyeudiw.storage.db_engine import DBEngine
-from pyeudiw.jwt.utils import decode_jwt_payload
-from pyeudiw.tools.utils import iat_now, exp_from_now
-
-from saml2_sp import saml2_request, IDP_BASEURL
-from sd_jwt.holder import SDJWTHolder
-
-from settings import (
-    CONFIG_DB,
-    RP_EID,
-    its_trust_chain
-)
-
-TIMEOUT_S = 4
-
-# put a trust attestation related itself into the storage
-# this then is used as trust_chain header paramenter in the signed
-# request object
-db_engine_inst = DBEngine(CONFIG_DB)
-
-# STORAGE ####
-db_engine_inst.add_trust_anchor(
-    entity_id=ta_ec['iss'],
-    entity_configuration=ta_ec_signed,
-    exp=EXP
-)
-
-db_engine_inst.add_or_update_trust_attestation(
-    entity_id=RP_EID,
-    attestation=its_trust_chain,
-    exp=datetime.datetime.now().isoformat()
-)
-
-db_engine_inst.add_or_update_trust_attestation(
-    entity_id=leaf_wallet['iss'],
-    attestation=leaf_wallet_signed,
-    exp=datetime.datetime.now().isoformat()
-)
-
-db_engine_inst.add_or_update_trust_attestation(
-    entity_id=leaf_cred['iss'],
-    attestation=leaf_cred_signed,
-    exp=datetime.datetime.now().isoformat()
-)
-
-req_url = f"{saml2_request['headers'][0][1]}&idp_hinting=wallet"
-headers_mobile = {
-    'User-Agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13B137 Safari/601.1'
-}
-request_uri = ''
-
-# initialize the user-agent
-http_user_agent = requests.Session()
-
-try:
-    authn_response = http_user_agent.get(
-        url=req_url,
-        verify=False,
-        headers=headers_mobile,
-        timeout=TIMEOUT_S
-    )
-except requests.exceptions.InvalidSchema as e:
-    request_uri = urllib.parse.unquote_plus(
-        e.args[0].split("request_uri="
-                        )[1][:-1]
-    )
-
-WALLET_PRIVATE_JWK = JWK(leaf_wallet_jwk.serialize(private=True))
-WALLET_PUBLIC_JWK = JWK(leaf_wallet_jwk.serialize())
-jwshelper = JWSHelper(WALLET_PRIVATE_JWK)
-
-sign_request_obj = http_user_agent.get(
-    request_uri,
-    verify=False,
-    timeout=TIMEOUT_S)
-print(sign_request_obj.text)
-
-response_uri = decode_jwt_payload(sign_request_obj.text)[
-    'response_uri']
-
-# create a SD-JWT signed by a trusted credential issuer
-issuer_jwk = leaf_cred_jwk
-ISSUER_CONF = {
-    "sd_specification": """
-        user_claims:
-            !sd unique_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
-            !sd given_name: "Mario"
-            !sd family_name: "Rossi"
-            !sd birthdate: "1980-01-10"
-            !sd place_of_birth:
-                country: "IT"
-                locality: "Rome"
-            !sd tax_id_code: "TINIT-XXXXXXXXXXXXXXXX"
-
-        holder_disclosed_claims:
-            { "given_name": "Mario", "family_name": "Rossi", "place_of_birth": {country: "IT", locality: "Rome"}, "tax_id_code": "TINIT-XXXXXXXXXXXXXXXX" }
-
-        key_binding: True
-    """,
-    "issuer": leaf_cred['sub'],
-    "default_exp": 1024
-}
-settings = ISSUER_CONF
-settings['issuer'] = leaf_cred['iss']
-settings['default_exp'] = 33
-
-sd_specification = load_specification_from_yaml_string(
-    settings["sd_specification"]
-)
-
-ISSUER_PRIVATE_JWK = JWK(leaf_cred_jwk.serialize(private=True))
-
-CREDENTIAL_ISSUER_JWK = JWK(leaf_cred_jwk_prot.serialize(private=True))
-
-issued_jwt = issue_sd_jwt(
-    sd_specification,
-    settings,
-    CREDENTIAL_ISSUER_JWK,
-    WALLET_PUBLIC_JWK,
-    trust_chain=trust_chain_issuer
-)
-
-adapted_keys = _adapt_keys(
-    issuer_key=ISSUER_PRIVATE_JWK,
-    holder_key=WALLET_PUBLIC_JWK,
-)
-
-sdjwt_at_holder = SDJWTHolder(
-    issued_jwt["issuance"],
-    serialization_format="compact",
-)
-sdjwt_at_holder.create_presentation(
-    claims_to_disclose={
-        'tax_id_code': "TIN-that",
-        'given_name': 'Raffaello',
-        'family_name': 'Mascetti'
-    },
-    nonce=str(uuid.uuid4()),
-    aud=str(uuid.uuid4()),
-    sign_alg=DEFAULT_SIG_KTY_MAP[WALLET_PRIVATE_JWK.key.kty],
-    holder_key=(
-        import_ec(
-            WALLET_PRIVATE_JWK.key.priv_key,
-            kid=WALLET_PRIVATE_JWK.kid
-        )
-        if sd_specification.get("key_binding", False)
-        else None
-    )
-)
-
-red_data = decode_jwt_payload(sign_request_obj.text)
-req_nonce = red_data['nonce']
-
-data = {
-    "iss": "https://wallet-provider.example.org/instance/vbeXJksM45xphtANnCiG6mCyuU4jfGNzopGuKvogg9c",
-    "jti": str(uuid.uuid4()),
-    "aud": "https://relying-party.example.org/callback",
-    "iat": iat_now(),
-    "exp": exp_from_now(minutes=5),
-    "nonce": req_nonce,
-    "vp": sdjwt_at_holder.sd_jwt_presentation,
-}
-
-vp_token = JWSHelper(WALLET_PRIVATE_JWK).sign(
-    data,
-    protected={"typ": "JWT"}
-)
-
-# take relevant information from RP's EC
-rp_ec_jwt = http_user_agent.get(
-    f'{IDP_BASEURL}/OpenID4VP/.well-known/openid-federation',
-    verify=False
-).content.decode()
-rp_ec = decode_jwt_payload(rp_ec_jwt)
-
-presentation_definition = rp_ec["metadata"]["wallet_relying_party"]["presentation_definition"]
-PresentationDefinition(**presentation_definition)
-assert response_uri == rp_ec["metadata"]['wallet_relying_party']["response_uris_supported"][0]
-
-response = {
-    "state": red_data['state'],
-    "nonce": req_nonce,
-    "vp_token": vp_token,
-    "presentation_submission": {
-        "definition_id": "32f54163-7166-48f1-93d8-ff217bdb0653",
-        "id": "04a98be3-7fb0-4cf5-af9a-31579c8b0e7d",
-        "descriptor_map": [
-            {
-                "id": "pid-sd-jwt:unique_id+given_name+family_name",
-                "path": "$.vp_token.verified_claims.claims._sd[0]",
-                "format": "vc+sd-jwt"
-            }
-        ],
-        "aud": response_uri
-    }
-}
-encrypted_response = JWEHelper(
-    # RSA (EC is not fully supported todate)
-    JWK(rp_ec["metadata"]['wallet_relying_party']['jwks']['keys'][1])
-).encrypt(response)
-
-
-authz_response_ok = http_user_agent.post(
-    response_uri,
-    verify=False,
-    data={'response': encrypted_response},
-    timeout=TIMEOUT_S
-)
-assert 'redirect_uri' in authz_response_ok.content.decode()
-callback_uri = json.loads(authz_response_ok.content.decode())['redirect_uri']
-satosa_authn_response = http_user_agent.get(
-    callback_uri,
-    verify=False,
-    timeout=TIMEOUT_S
-)
-
-assert 'SAMLResponse' in satosa_authn_response.content.decode()
-print(satosa_authn_response.content.decode())
-
-soup = BeautifulSoup(satosa_authn_response.content.decode(), features="lxml")
-form = soup.find("form")
-assert "/saml2" in form["action"]
-input_tag = soup.find("input")
-assert input_tag["name"] == "SAMLResponse"
-
-lowered = base64.b64decode(input_tag["value"]).lower()
-value = BeautifulSoup(lowered, features="xml")
-attributes = value.find_all("saml:attribute")
-# expect to have a non-empty list of attributes
-assert attributes
-
-expected = {
-    # https://oidref.com/2.5.4.42
-    "urn:oid:2.5.4.42": ISSUER_CONF['sd_specification'].split('!sd given_name:')[1].split('"')[1],
-    # https://oidref.com/2.5.4.4
-    "urn:oid:2.5.4.4": ISSUER_CONF['sd_specification'].split('!sd family_name:')[1].split('"')[1]
-}
-
-for attribute in attributes:
-    name = attribute["name"]
-    value = attribute.contents[0].contents[0]
-    expected_value = expected.get(name, None)
-    if expected_value:
-        assert value == expected_value.lower()
-
-print('test passed')
diff --git a/example/satosa/integration_test/same_device_integration_test.py b/example/satosa/integration_test/same_device_integration_test.py
new file mode 100644
index 00000000..d52cd447
--- /dev/null
+++ b/example/satosa/integration_test/same_device_integration_test.py
@@ -0,0 +1,111 @@
+import re
+import requests
+import urllib.parse
+
+from pyeudiw.jwt.utils import decode_jwt_payload
+
+from commons import (
+    ISSUER_CONF,
+    setup_test_db_engine,
+    apply_trust_settings,
+    create_saml_auth_request,
+    create_authorize_response,
+    create_holder_test_data,
+    create_issuer_test_data,
+    extract_saml_attributes
+)
+from settings import TIMEOUT_S
+
+# put a trust attestation related itself into the storage
+# this is then used as trust_chain header parameter in the signed request object
+db_engine_inst = setup_test_db_engine()
+db_engine_inst = apply_trust_settings(db_engine_inst)
+
+def _extract_request_uri(e: requests.exceptions.InvalidSchema) -> str:
+    request_uri = re.search(r'request_uri=(.*?)(?:\'|$)', urllib.parse.unquote_plus(e.args[0])).group(1)
+    return request_uri
+
+
+# initialize the user-agent
+http_user_agent = requests.Session()
+
+auth_req_url = create_saml_auth_request()
+headers_mobile = {
+    "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13B137 Safari/601.1"
+}
+request_uri = ""
+
+try:
+    authn_response = http_user_agent.get(
+        url=auth_req_url,
+        verify=False,
+        headers=headers_mobile,
+        timeout=TIMEOUT_S
+    )
+except requests.exceptions.InvalidSchema as e:
+    request_uri = _extract_request_uri(e)
+
+sign_request_obj = http_user_agent.get(
+    request_uri,
+    verify=False,
+    timeout=TIMEOUT_S)
+
+request_object_claims = decode_jwt_payload(sign_request_obj.text)
+response_uri = request_object_claims["response_uri"]
+
+# Provide an authentication response
+verifiable_credential = create_issuer_test_data()
+verifiable_presentations = create_holder_test_data(
+    verifiable_credential,
+    request_object_claims["nonce"],
+    request_object_claims["client_id"]
+)
+wallet_response_data = create_authorize_response(
+    verifiable_presentations,
+    request_object_claims["state"],
+    response_uri
+)
+
+authz_response = http_user_agent.post(
+    response_uri,
+    verify=False,
+    data={"response": wallet_response_data},
+    timeout=TIMEOUT_S
+)
+
+assert authz_response.status_code == 200
+assert authz_response.json().get("redirect_uri", None) is not None
+
+callback_uri = authz_response.json().get("redirect_uri", None)
+satosa_authn_response = http_user_agent.get(
+    callback_uri,
+    verify=False,
+    timeout=TIMEOUT_S
+)
+
+assert "SAMLResponse" in satosa_authn_response.content.decode()
+print(satosa_authn_response.content.decode())
+
+attributes = extract_saml_attributes(satosa_authn_response.content.decode())
+# expect to have a non-empty list of attributes
+assert attributes
+
+expected = {
+    # https://oidref.com/2.5.4.42
+    "urn:oid:2.5.4.42": ISSUER_CONF["sd_specification"].split("!sd given_name:")[1].split('"')[1].lower(),
+    # https://oidref.com/2.5.4.4
+    "urn:oid:2.5.4.4": ISSUER_CONF["sd_specification"].split("!sd family_name:")[1].split('"')[1].lower()
+}
+
+for exp_att_name, exp_att_value in expected.items():
+    result_index = -1
+    for i, attribute in enumerate(attributes):
+        if attribute["name"] == exp_att_name:
+            result_index = i
+            break
+    assert result_index != -1, f"missing attribute with name=[{exp_att_name}] in result set"
+    obt_att_value = attributes[result_index].contents[0].contents[0]
+    assert exp_att_value == obt_att_value, f"wrong attrirbute parsing expected {exp_att_value}, obtained {obt_att_value}"
+
+
+print("TEST PASSED")
diff --git a/example/satosa/integration_test/settings.py b/example/satosa/integration_test/settings.py
index 38ceb565..58082359 100644
--- a/example/satosa/integration_test/settings.py
+++ b/example/satosa/integration_test/settings.py
@@ -1,4 +1,3 @@
-
 from cryptojwt.jws.jws import JWS
 from cryptojwt.jwk.jwk import key_from_jwk_dict
 from pyeudiw.tests.federation.base import (
@@ -11,8 +10,8 @@
 
 from pyeudiw.tools.utils import iat_now, exp_from_now
 
-TIMEOUT_S = 4
-
+TIMEOUT_S = 10
+IDP_BASEURL = "https://localhost"
 RP_EID = "https://localhost/OpenID4VP"
 
 CONFIG_DB = {
diff --git a/example/satosa/pyeudiw_backend.yaml b/example/satosa/pyeudiw_backend.yaml
index 045b5760..c5384282 100644
--- a/example/satosa/pyeudiw_backend.yaml
+++ b/example/satosa/pyeudiw_backend.yaml
@@ -80,29 +80,69 @@ config:
       session:
         timeout: 6
 
-  federation:
-    metadata_type: "wallet_relying_party"
-    authority_hints:
-        - http://127.0.0.1:8000
-    trust_anchors:
-        - http://127.0.0.1:8000
-    default_sig_alg: "RS256"
-    federation_entity_metadata:
-        organization_name: Developers Italia SATOSA OpenID4VP backend
-        homepage_uri: https://developers.italia.it
-        policy_uri: https://developers.italia.it
-        tos_uri: https://developers.italia.it
-        logo_uri: https://developers.italia.it/assets/icons/logo-it.svg
-
-    # private jwk
-    federation_jwks:
-      - kty: RSA
-        d: QUZsh1NqvpueootsdSjFQz-BUvxwd3Qnzm5qNb-WeOsvt3rWMEv0Q8CZrla2tndHTJhwioo1U4NuQey7znijhZ177bUwPPxSW1r68dEnL2U74nKwwoYeeMdEXnUfZSPxzs7nY6b7vtyCoA-AjiVYFOlgKNAItspv1HxeyGCLhLYhKvS_YoTdAeLuegETU5D6K1xGQIuw0nS13Icjz79Y8jC10TX4FdZwdX-NmuIEDP5-s95V9DMENtVqJAVE3L-wO-NdDilyjyOmAbntgsCzYVGH9U3W_djh4t3qVFCv3r0S-DA2FD3THvlrFi655L0QHR3gu_Fbj3b9Ybtajpue_Q
-        e: AQAB
-        kid: 9Cquk0X-fNPSdePQIgQcQZtD6J0IjIRrFigW2PPK_-w
-        n: utqtxbs-jnK0cPsV7aRkkZKA9t4S-WSZa3nCZtYIKDpgLnR_qcpeF0diJZvKOqXmj2cXaKFUE-8uHKAHo7BL7T-Rj2x3vGESh7SG1pE0thDGlXj4yNsg0qNvCXtk703L2H3i1UXwx6nq1uFxD2EcOE4a6qDYBI16Zl71TUZktJwmOejoHl16CPWqDLGo9GUSk_MmHOV20m4wXWkB4qbvpWVY8H6b2a0rB1B1YPOs5ZLYarSYZgjDEg6DMtZ4NgiwZ-4N1aaLwyO-GLwt9Vf-NBKwoxeRyD3zWE2FXRFBbhKGksMrCGnFDsNl5JTlPjaM3kYyImE941ggcuc495m-Fw
-        p: 2zmGXIMCEHPphw778YjVTar1eycih6fFSJ4I4bl1iq167GqO0PjlOx6CZ1-OdBTVU7HfrYRiUK_BnGRdPDn-DQghwwkB79ZdHWL14wXnpB5y-boHz_LxvjsEqXtuQYcIkidOGaMG68XNT1nM4F9a8UKFr5hHYT5_UIQSwsxlRQ0
-        q: 2jMFt2iFrdaYabdXuB4QMboVjPvbLA-IVb6_0hSG_-EueGBvgcBxdFGIZaG6kqHqlB7qMsSzdptU0vn6IgmCZnX-Hlt6c5X7JB_q91PZMLTO01pbZ2Bk58GloalCHnw_mjPh0YPviH5jGoWM5RHyl_HDDMI-UeLkzP7ImxGizrM
+  trust:
+    direct_trust_sd_jwt_vc:
+      module: pyeudiw.trust.default.direct_trust_sd_jwt_vc
+      class: DirectTrustSdJwtVc
+      config:
+        jwk_endpoint: /.well-known/jwt-vc-issuer
+    federation:
+      module: pyeudiw.trust.default.federation
+      class: FederationTrustModel
+      config:
+        metadata_type: "wallet_relying_party"
+        authority_hints:
+            - http://127.0.0.1:8000
+        trust_anchors:
+            - public_keys: [ ... ]
+            - http://127.0.0.1:8000
+        default_sig_alg: "RS256"
+        federation_entity_metadata:
+            organization_name: Developers Italia SATOSA OpenID4VP backend
+            homepage_uri: https://developers.italia.it
+            policy_uri: https://developers.italia.it
+            tos_uri: https://developers.italia.it
+            logo_uri: https://developers.italia.it/assets/icons/logo-it.svg
+        federation_jwks:
+          - kty: RSA
+            d: QUZsh1NqvpueootsdSjFQz-BUvxwd3Qnzm5qNb-WeOsvt3rWMEv0Q8CZrla2tndHTJhwioo1U4NuQey7znijhZ177bUwPPxSW1r68dEnL2U74nKwwoYeeMdEXnUfZSPxzs7nY6b7vtyCoA-AjiVYFOlgKNAItspv1HxeyGCLhLYhKvS_YoTdAeLuegETU5D6K1xGQIuw0nS13Icjz79Y8jC10TX4FdZwdX-NmuIEDP5-s95V9DMENtVqJAVE3L-wO-NdDilyjyOmAbntgsCzYVGH9U3W_djh4t3qVFCv3r0S-DA2FD3THvlrFi655L0QHR3gu_Fbj3b9Ybtajpue_Q
+            e: AQAB
+            kid: 9Cquk0X-fNPSdePQIgQcQZtD6J0IjIRrFigW2PPK_-w
+            n: utqtxbs-jnK0cPsV7aRkkZKA9t4S-WSZa3nCZtYIKDpgLnR_qcpeF0diJZvKOqXmj2cXaKFUE-8uHKAHo7BL7T-Rj2x3vGESh7SG1pE0thDGlXj4yNsg0qNvCXtk703L2H3i1UXwx6nq1uFxD2EcOE4a6qDYBI16Zl71TUZktJwmOejoHl16CPWqDLGo9GUSk_MmHOV20m4wXWkB4qbvpWVY8H6b2a0rB1B1YPOs5ZLYarSYZgjDEg6DMtZ4NgiwZ-4N1aaLwyO-GLwt9Vf-NBKwoxeRyD3zWE2FXRFBbhKGksMrCGnFDsNl5JTlPjaM3kYyImE941ggcuc495m-Fw
+            p: 2zmGXIMCEHPphw778YjVTar1eycih6fFSJ4I4bl1iq167GqO0PjlOx6CZ1-OdBTVU7HfrYRiUK_BnGRdPDn-DQghwwkB79ZdHWL14wXnpB5y-boHz_LxvjsEqXtuQYcIkidOGaMG68XNT1nM4F9a8UKFr5hHYT5_UIQSwsxlRQ0
+            q: 2jMFt2iFrdaYabdXuB4QMboVjPvbLA-IVb6_0hSG_-EueGBvgcBxdFGIZaG6kqHqlB7qMsSzdptU0vn6IgmCZnX-Hlt6c5X7JB_q91PZMLTO01pbZ2Bk58GloalCHnw_mjPh0YPviH5jGoWM5RHyl_HDDMI-UeLkzP7ImxGizrM
+    x509:
+      module: pyeudiw.trust.default.x509
+      class: X509TrustModel
+      config:
+        trust_anchor_certificates:
+            - "todo"
+        trust_anchors_cn: # we might mix CN and SAN together
+            - http://127.0.0.1:8000
+  # FORMER IMPLEMENTATION OF TRUST CONFIGURATION
+  # federation:
+  #   metadata_type: "wallet_relying_party"
+  #   authority_hints:
+  #       - http://127.0.0.1:8000
+  #   trust_anchors:
+  #       - http://127.0.0.1:8000
+  #   default_sig_alg: "RS256"
+  #   federation_entity_metadata:
+  #       organization_name: Developers Italia SATOSA OpenID4VP backend
+  #       homepage_uri: https://developers.italia.it
+  #       policy_uri: https://developers.italia.it
+  #       tos_uri: https://developers.italia.it
+  #       logo_uri: https://developers.italia.it/assets/icons/logo-it.svg
+
+  #   # private jwk
+  #   federation_jwks:
+  #     - kty: RSA
+  #       d: QUZsh1NqvpueootsdSjFQz-BUvxwd3Qnzm5qNb-WeOsvt3rWMEv0Q8CZrla2tndHTJhwioo1U4NuQey7znijhZ177bUwPPxSW1r68dEnL2U74nKwwoYeeMdEXnUfZSPxzs7nY6b7vtyCoA-AjiVYFOlgKNAItspv1HxeyGCLhLYhKvS_YoTdAeLuegETU5D6K1xGQIuw0nS13Icjz79Y8jC10TX4FdZwdX-NmuIEDP5-s95V9DMENtVqJAVE3L-wO-NdDilyjyOmAbntgsCzYVGH9U3W_djh4t3qVFCv3r0S-DA2FD3THvlrFi655L0QHR3gu_Fbj3b9Ybtajpue_Q
+  #       e: AQAB
+  #       kid: 9Cquk0X-fNPSdePQIgQcQZtD6J0IjIRrFigW2PPK_-w
+  #       n: utqtxbs-jnK0cPsV7aRkkZKA9t4S-WSZa3nCZtYIKDpgLnR_qcpeF0diJZvKOqXmj2cXaKFUE-8uHKAHo7BL7T-Rj2x3vGESh7SG1pE0thDGlXj4yNsg0qNvCXtk703L2H3i1UXwx6nq1uFxD2EcOE4a6qDYBI16Zl71TUZktJwmOejoHl16CPWqDLGo9GUSk_MmHOV20m4wXWkB4qbvpWVY8H6b2a0rB1B1YPOs5ZLYarSYZgjDEg6DMtZ4NgiwZ-4N1aaLwyO-GLwt9Vf-NBKwoxeRyD3zWE2FXRFBbhKGksMrCGnFDsNl5JTlPjaM3kYyImE941ggcuc495m-Fw
+  #       p: 2zmGXIMCEHPphw778YjVTar1eycih6fFSJ4I4bl1iq167GqO0PjlOx6CZ1-OdBTVU7HfrYRiUK_BnGRdPDn-DQghwwkB79ZdHWL14wXnpB5y-boHz_LxvjsEqXtuQYcIkidOGaMG68XNT1nM4F9a8UKFr5hHYT5_UIQSwsxlRQ0
+  #       q: 2jMFt2iFrdaYabdXuB4QMboVjPvbLA-IVb6_0hSG_-EueGBvgcBxdFGIZaG6kqHqlB7qMsSzdptU0vn6IgmCZnX-Hlt6c5X7JB_q91PZMLTO01pbZ2Bk58GloalCHnw_mjPh0YPviH5jGoWM5RHyl_HDDMI-UeLkzP7ImxGizrM
     
     # trust_marks: # todo
     # - ...
diff --git a/pyeudiw/federation/statements.py b/pyeudiw/federation/statements.py
index 4cabb50c..f8cf9fe2 100644
--- a/pyeudiw/federation/statements.py
+++ b/pyeudiw/federation/statements.py
@@ -16,7 +16,7 @@
 from pydantic import ValidationError
 from pyeudiw.jwt.utils import decode_jwt_payload, decode_jwt_header
 from pyeudiw.jwt import JWSHelper
-from pyeudiw.jwk import find_jwk
+from pyeudiw.jwk import find_jwk_by_kid
 from pyeudiw.tools.utils import get_http_url
 
 import logging
@@ -171,7 +171,7 @@ def validate_by(self, ec: dict) -> bool:
                 f"{self.header.get('kid')} not found in {ec.jwks}"
             )
 
-        _jwk = find_jwk(_kid, ec.jwks)
+        _jwk = find_jwk_by_kid(_kid, ec.jwks)
 
         # verify signature
         jwsh = JWSHelper(_jwk)
@@ -211,7 +211,7 @@ def validate_by_its_issuer(self) -> bool:
             return False
 
         # verify signature
-        _jwk = find_jwk(_kid, ec.jwks)
+        _jwk = find_jwk_by_kid(_kid, ec.jwks)
         jwsh = JWSHelper(_jwk)
         payload = jwsh.verify(self.jwt)
         self.is_valid = True
@@ -314,7 +314,7 @@ def validate_by_itself(self) -> bool:
                 f"{_kid} not found in {self.jwks}")  # pragma: no cover
 
         # verify signature
-        _jwk = find_jwk(_kid, self.jwks)
+        _jwk = find_jwk_by_kid(_kid, self.jwks)
         jwsh = JWSHelper(_jwk)
         jwsh.verify(self.jwt)
         self.is_valid = True
@@ -539,7 +539,7 @@ def validate_descendant_statement(self, jwt: str) -> bool:
                 f"{_kid} not found in {self.jwks}")
 
         # verify signature
-        _jwk = find_jwk(_kid, self.jwks)
+        _jwk = find_jwk_by_kid(_kid, self.jwks)
         jwsh = JWSHelper(_jwk)
         payload = jwsh.verify(jwt)
 
@@ -565,7 +565,7 @@ def validate_by_superior_statement(self, jwt: str, ec: 'EntityStatement') -> str
             ec.validate_by_itself()
             ec.validate_descendant_statement(jwt)
             _jwks = get_federation_jwks(payload)
-            _jwk = find_jwk(self.header["kid"], _jwks)
+            _jwk = find_jwk_by_kid(self.header["kid"], _jwks)
 
             jwsh = JWSHelper(_jwk)
             payload = jwsh.verify(self.jwt)
diff --git a/pyeudiw/openid4vp/redirect.py b/pyeudiw/federation/trust_chain/__init__.py
similarity index 100%
rename from pyeudiw/openid4vp/redirect.py
rename to pyeudiw/federation/trust_chain/__init__.py
diff --git a/pyeudiw/federation/trust_chain/builder.py b/pyeudiw/federation/trust_chain/builder.py
new file mode 100644
index 00000000..621a7348
--- /dev/null
+++ b/pyeudiw/federation/trust_chain/builder.py
@@ -0,0 +1 @@
+# TODO: move trust_chain_builder.py here
diff --git a/pyeudiw/federation/trust_chain/parse.py b/pyeudiw/federation/trust_chain/parse.py
new file mode 100644
index 00000000..7a188563
--- /dev/null
+++ b/pyeudiw/federation/trust_chain/parse.py
@@ -0,0 +1,5 @@
+from pyeudiw.jwk import JWK
+
+
+def get_public_key_from_trust_chain(trust_chain: list[str]) -> JWK:
+    raise NotImplementedError("TODO")
diff --git a/pyeudiw/federation/trust_chain/validator.py b/pyeudiw/federation/trust_chain/validator.py
new file mode 100644
index 00000000..01c037d5
--- /dev/null
+++ b/pyeudiw/federation/trust_chain/validator.py
@@ -0,0 +1 @@
+# TODO: move trust_chain_validator.py here
diff --git a/pyeudiw/federation/trust_chain_validator.py b/pyeudiw/federation/trust_chain_validator.py
index e91b45c4..9e499c05 100644
--- a/pyeudiw/federation/trust_chain_validator.py
+++ b/pyeudiw/federation/trust_chain_validator.py
@@ -15,7 +15,7 @@
     InvalidEntityStatement
 )
 
-from pyeudiw.jwk import find_jwk
+from pyeudiw.jwk import find_jwk_by_kid
 from pyeudiw.jwk.exceptions import KidNotFoundError, InvalidKid
 
 logger = logging.getLogger(__name__)
@@ -127,7 +127,7 @@ def validate(self) -> bool:
         es_header = decode_jwt_header(last_element)
         es_payload = decode_jwt_payload(last_element)
 
-        ta_jwk = find_jwk(
+        ta_jwk = find_jwk_by_kid(
             es_header.get("kid", None), self.trust_anchor_jwks
         )
 
@@ -165,7 +165,7 @@ def validate(self) -> bool:
             st_payload = decode_jwt_payload(st)
 
             try:
-                jwk = find_jwk(
+                jwk = find_jwk_by_kid(
                     st_header.get("kid", None), fed_jwks
                 )
             except (KidNotFoundError, InvalidKid):
diff --git a/pyeudiw/jwk/__init__.py b/pyeudiw/jwk/__init__.py
index db95c63f..c5ec9030 100644
--- a/pyeudiw/jwk/__init__.py
+++ b/pyeudiw/jwk/__init__.py
@@ -153,7 +153,7 @@ def jwk_form_dict(key: dict, hash_func: str = "SHA-256") -> RSAJWK | ECJWK:
         return ECJWK(key, hash_func, ec_crv)
 
 
-def find_jwk(kid: str, jwks: list[dict], as_dict: bool = True) -> dict | JWK:
+def find_jwk_by_kid(kid: str, jwks: list[dict], as_dict: bool = True) -> dict | JWK:
     """
     Find the JWK with the indicated kid in the jwks list.
 
diff --git a/pyeudiw/jwt/parse.py b/pyeudiw/jwt/parse.py
new file mode 100644
index 00000000..a27ecdd3
--- /dev/null
+++ b/pyeudiw/jwt/parse.py
@@ -0,0 +1,57 @@
+from dataclasses import dataclass
+from jwcrypto.common import base64url_decode, json_decode
+from pyeudiw.federation.trust_chain.parse import get_public_key_from_trust_chain
+from pyeudiw.jwk import JWK
+from pyeudiw.jwt.utils import is_jwt_format
+from pyeudiw.x509.verify import get_public_key_from_x509_chain
+
+KeyIdentifier_T = str
+
+
+@dataclass(frozen=True)
+class DecodedJwt:
+    """
+    Schema class for a decoded jwt.
+    This class is not meant to be instantiated directly. Use instead
+    the static metho parse(str) -> UnverfiedJwt
+    """
+    jwt: str
+    header: dict
+    payload: dict
+    signature: str
+
+    def parse(jws: str) -> 'DecodedJwt':
+        return unsafe_parse_jws(jws)
+
+
+def _unsafe_decode_part(part: str) -> dict:
+    return json_decode(base64url_decode(part))
+
+
+def unsafe_parse_jws(token: str) -> DecodedJwt:
+    """Parse a token into it's component.
+    Correctness of this function  is not guaranteed when the token is in a
+    derived format, such as sd-jwt and jwe.
+    """
+    if not is_jwt_format(token):
+        raise ValueError(f"unable to parse {token}: not a jwt")
+    b64header, b64payload, signature, *_ = token.split(".")
+    head = {}
+    payload = {}
+    try:
+        head = _unsafe_decode_part(b64header)
+        payload = _unsafe_decode_part(b64payload)
+    except Exception as e:
+        raise ValueError(f"unable to decode JWS part: {e}")
+    return DecodedJwt(token, head, payload, signature=signature)
+
+
+def extract_key_identifier(token_header: dict) -> JWK | KeyIdentifier_T:
+    # TODO: the trust evaluation order might be mapped on the same configuration ordering
+    if "kid" in token_header.keys():
+        return KeyIdentifier_T(token_header["kid"])
+    if "trust_chain" in token_header.keys():
+        return get_public_key_from_trust_chain(token_header["kid"])
+    if "x5c" in token_header.keys():
+        return get_public_key_from_x509_chain(token_header["x5c"])
+    raise ValueError(f"unable to infer identifying key from token head: searched among keys {token_header.keys()}")
diff --git a/pyeudiw/jwt/utils.py b/pyeudiw/jwt/utils.py
index 723d0c97..a6c0c70e 100644
--- a/pyeudiw/jwt/utils.py
+++ b/pyeudiw/jwt/utils.py
@@ -1,13 +1,13 @@
 import base64
 import json
 import re
-
 from typing import Dict
+
+from pyeudiw.jwk import find_jwk_by_kid
 from pyeudiw.jwt.exceptions import JWTInvalidElementPosition
-from pyeudiw.jwk import find_jwk
 
-# JWT_REGEXP = r"^(([-A-Za-z0-9\=_])*\.([-A-Za-z0-9\=_])*\.([-A-Za-z0-9\=_])*)$"
-JWT_REGEXP = r'^[\w\-]+\.[\w\-]+\.[\w\-]+'
+# jwt regexp pattern is non terminating, hence it match jwt, sd-jwt and sd-jwt with kb
+JWT_REGEXP = r'^[_\w\-]+\.[_\w\-]+\.[_\w\-]+'
 
 
 def decode_jwt_element(jwt: str, position: int) -> dict:
@@ -84,7 +84,7 @@ def get_jwk_from_jwt(jwt: str, provider_jwks: Dict[str, dict]) -> dict:
     if isinstance(provider_jwks, dict) and provider_jwks.get('keys'):
         provider_jwks = provider_jwks['keys']
 
-    return find_jwk(kid, provider_jwks)
+    return find_jwk_by_kid(kid, provider_jwks)
 
 
 def is_jwt_format(jwt: str) -> bool:
@@ -138,3 +138,23 @@ def is_jws_format(jwt: str):
         return False
 
     return not is_jwe_format(jwt)
+
+
+def base64_urlencode(v: bytes) -> str:
+    """Urlsafe base64 encoding without padding symbols
+
+    :returns: the encooded data
+    :rtype: str
+    """
+    return base64.urlsafe_b64encode(v).decode("ascii").strip("=")
+
+
+def base64_urldecode(v: str) -> bytes:
+    """Urlsafe base64 decoding. This function will handle missing
+    padding symbols.
+
+    :returns: the decoded data in bytes, format, convert to str use method '.decode("utf-8")' on result
+    :rtype: bytes
+    """
+    padded = f"{v}{'=' * divmod(len(v), 4)[1]}"
+    return base64.urlsafe_b64decode(padded)
diff --git a/pyeudiw/jwt/verification.py b/pyeudiw/jwt/verification.py
new file mode 100644
index 00000000..89888aa2
--- /dev/null
+++ b/pyeudiw/jwt/verification.py
@@ -0,0 +1,30 @@
+from pyeudiw.jwk import JWK
+from pyeudiw.jwt import JWSHelper
+from pyeudiw.jwt.exceptions import JWSVerificationError
+from pyeudiw.jwt.utils import decode_jwt_payload
+from pyeudiw.tools.utils import iat_now
+
+
+def verify_jws_with_key(jws: str, key: JWK) -> None:
+    """
+    :raises JWSVerificationError: is signature verification fails for *any* reason
+    """
+    try:
+        verifier = JWSHelper(key)
+        verifier.verify(jws)
+    except Exception as e:
+        raise JWSVerificationError(f"error during signature verification: {e}", e)
+
+
+def is_payload_expired(token_payload: dict) -> bool:
+    exp = token_payload.get("exp", None)
+    if not exp:
+        return True
+    if exp < iat_now():
+        return True
+    return False
+
+
+def is_jwt_expired(token: str) -> bool:
+    payalod = decode_jwt_payload(token)
+    return is_payload_expired(payalod)
diff --git a/pyeudiw/openid4vp/authorization_response.py b/pyeudiw/openid4vp/authorization_response.py
new file mode 100644
index 00000000..05132643
--- /dev/null
+++ b/pyeudiw/openid4vp/authorization_response.py
@@ -0,0 +1,66 @@
+from dataclasses import dataclass
+import json
+
+from pyeudiw.jwk import JWK
+from pyeudiw.jwt import JWEHelper, JWSHelper
+from pyeudiw.jwk.exceptions import KidNotFoundError
+from pyeudiw.jwt.utils import decode_jwt_header, is_jwe_format, is_jwt_format
+
+_RESPONSE_KEY = "response"
+
+
+@dataclass
+class AuthorizeResponsePayload:
+    state: str
+    vp_token: str | list[str]
+    presentation_submission: dict
+
+    def serialize_json(self) -> str:
+        return json.dumps(self.__dict__)
+
+
+def _get_jwk_kid_from_store(jwt: str, key_store: dict[str, dict]) -> dict:
+    headers = decode_jwt_header(jwt)
+    kid: str | None = headers.get("kid", None)
+    if kid is None:
+        raise KidNotFoundError("authorization response is missing mandatory parameter [kid] in header section")
+    jwk_dict = key_store.get(kid, None)
+    if jwk_dict is None:
+        raise KidNotFoundError(f"authorization response is encrypted with jwk with kid='{kid}' not found in store")
+    return jwk_dict
+
+
+def _decrypt_jwe(jwe: str, decrypting_jwk: JWK) -> dict:
+    decrypter = JWEHelper(decrypting_jwk)
+    return decrypter.decrypt(jwe)
+
+
+def _verify_and_decode_jwt(jwt: str, verifying_jwk: JWK) -> dict:
+    verifier = JWSHelper(verifying_jwk)
+    raw_payload: str = verifier.verify(jwt)["msg"]
+    payload: dict = json.loads(raw_payload)
+    return payload
+
+
+@dataclass
+class AuthorizeResponseDirectPost:
+    response: str  # jwt
+
+    def __post_init__(self):
+        jwt = self.response
+        if not is_jwe_format(jwt) and not is_jwt_format(jwt):
+            raise ValueError(f"input {_RESPONSE_KEY}={jwt} is neither jwt not jwe format")
+
+    def decode_payload(self, key_store_by_kid: dict[str, dict]) -> AuthorizeResponsePayload:
+        jwt = self.response
+        jwk_dict = _get_jwk_kid_from_store(jwt, key_store_by_kid)
+        jwk = JWK(jwk_dict)
+
+        payload = {}
+        if is_jwe_format(jwt):
+            payload = _decrypt_jwe(jwt, jwk)
+        elif is_jwt_format(jwt):
+            payload = _verify_and_decode_jwt(jwt, jwk)
+        else:
+            raise ValueError(f"unexpected state: input jwt={jwt} is neither a jwt nor a jwe")
+        return AuthorizeResponsePayload(**payload)
diff --git a/pyeudiw/openid4vp/exceptions.py b/pyeudiw/openid4vp/exceptions.py
index d874f674..c93d5d85 100644
--- a/pyeudiw/openid4vp/exceptions.py
+++ b/pyeudiw/openid4vp/exceptions.py
@@ -4,6 +4,10 @@ class KIDNotFound(Exception):
     """
 
 
+class VPSchemaException(Exception):
+    pass
+
+
 class VPNotFound(Exception):
     pass
 
@@ -24,6 +28,18 @@ class InvalidVPToken(Exception):
     """
 
 
+class InvalidVPKeyBinding(InvalidVPToken):
+    """Raised when a given VP contains a proof of possession key binding with
+    wrong parameters.
+    """
+
+
+class InvalidVPSignature(InvalidVPKeyBinding):
+    """Raised when a VP contains a proof of possession key binding and
+    its signature verification failed.
+    """
+
+
 class RevokedVPToken(Exception):
     """
     Raised when a given VP is revoked
diff --git a/pyeudiw/openid4vp/interface.py b/pyeudiw/openid4vp/interface.py
new file mode 100644
index 00000000..c43beaf4
--- /dev/null
+++ b/pyeudiw/openid4vp/interface.py
@@ -0,0 +1,55 @@
+from pyeudiw.jwk import JWK
+from pyeudiw.jwt.parse import KeyIdentifier_T
+
+
+class VpTokenParser:
+    """VpTokenParser is an interface that specify that an object is able to
+    extract verifiable credentials from a VP token.
+    """
+    def get_credentials(self) -> dict:
+        raise NotImplementedError
+
+    def get_issuer_name(self) -> str:
+        raise NotImplementedError
+
+    def get_signing_key(self) -> dict | KeyIdentifier_T:
+        """
+        :returns: a public key either as a dictionary or as an identifier
+            (kid string) of a public key as seen in header
+        :rtype: dict | str
+        """
+        raise NotImplementedError
+
+
+class VpTokenVerifier:
+    """VpTokenVerifier is an interface that specify that an object is able to
+    verify a vp token.
+    The interface supposes that the verification process requires a public
+    key (os the token issuer)
+    """
+    def is_expired(self) -> bool:
+        raise NotImplementedError
+
+    def is_revoked(self) -> bool:
+        """
+        :returns: if the credential is revoked
+        """
+        raise NotImplementedError
+
+    def is_active(self) -> bool:
+        return (not self.is_expired()) and (not self.is_revoked())
+
+    def verify_signature(self, public_key: JWK) -> None:
+        """
+        :raises [InvalidSignatureException]:
+        """
+        raise NotImplementedError
+    
+    def verify_challenge(self) -> None:
+        """
+        :raises []:
+        """
+        raise NotImplementedError
+
+
+    # TODO: VP proof of possession verification method should be implemented
diff --git a/pyeudiw/openid4vp/utils.py b/pyeudiw/openid4vp/utils.py
index 75d9da8e..26887890 100644
--- a/pyeudiw/openid4vp/utils.py
+++ b/pyeudiw/openid4vp/utils.py
@@ -1,7 +1,8 @@
+from typing import Any
 from pyeudiw.openid4vp.vp import Vp
 from pyeudiw.openid4vp.vp_mdoc_cbor import VpMDocCbor
 from pyeudiw.openid4vp.vp_sd_jwt import VpSdJwt
-from pyeudiw.jwt.utils import decode_jwt_header
+from pyeudiw.jwt.utils import decode_jwt_header, decode_jwt_payload
 from pyeudiw.openid4vp.exceptions import VPFormatNotSupported
 
 
@@ -20,9 +21,36 @@ def vp_parser(jwt: str) -> Vp:
 
     headers = decode_jwt_header(jwt)
 
-    if headers["typ"].lower() == "jwt":
-        return VpSdJwt(jwt)
-    elif headers["typ"].lower() == "mdoc_cbor":
-        return VpMDocCbor(jwt) 
-    
-    raise VPFormatNotSupported("VP Digital credentials type not implemented yet: {_typ}")
+    typ: str | None = headers.get("typ", None)
+    if typ is None:
+        raise ValueError("missing mandatory header [typ] in jwt header")
+
+    match typ.lower():
+        case "jwt":
+            return VpSdJwt(jwt)
+        case "vc+sd-jwt":
+            raise NotImplementedError("parsing of vp tokens with typ vc+sd-jwt not supported yet")
+        case "mcdoc_cbor":
+            return VpMDocCbor(jwt)
+        case unsupported:
+            raise VPFormatNotSupported(f"parsing of unsupported vp typ [{unsupported}]")
+
+
+def infer_vp_header_claim(jws: str, claim_name: str) -> Any:
+    headers = decode_jwt_header(jws)
+    claim_value = headers.get(claim_name, "")
+    return claim_value
+
+
+def infer_vp_payload_claim(jws: str, claim_name: str) -> Any:
+    headers = decode_jwt_payload(jws)
+    claim_value: str = headers.get(claim_name, "")
+    return claim_value
+
+
+def infer_vp_typ(jws: str) -> str:
+    return infer_vp_header_claim(jws, claim_name="typ")
+
+
+def infer_vp_iss(jws: str) -> str:
+    return infer_vp_payload_claim(jws, claim_name="iss")
diff --git a/pyeudiw/openid4vp/vp.py b/pyeudiw/openid4vp/vp.py
index b104bdb3..5818e1bd 100644
--- a/pyeudiw/openid4vp/vp.py
+++ b/pyeudiw/openid4vp/vp.py
@@ -1,11 +1,24 @@
 from pyeudiw.tools.base_logger import BaseLogger
 
+JWT_TYPE = "JWT"
+VC_SD_JWT_TYPE = "vc+sd-jwt"
+WALLET_ATTESTATION_TYPE = "wallet-attestation+jwt"
+MDOC_BCOR_TYPE = "mdoc_cbor"
+
+SUPPORTED_VC_TYPES = (
+    JWT_TYPE,
+    VC_SD_JWT_TYPE,
+    WALLET_ATTESTATION_TYPE,
+    MDOC_BCOR_TYPE
+)
+
+
 class Vp(BaseLogger):
     """Class for Verifiable Presentation istance."""
-    
+
     def parse_digital_credential(self) -> None:
         raise NotImplementedError
-    
+
     def _detect_vp_type(self) -> str:
         """
         Detects and return the type of verifiable presentation.
diff --git a/pyeudiw/openid4vp/vp_sd_jwt.py b/pyeudiw/openid4vp/vp_sd_jwt.py
index 16b091e7..f897a0fd 100644
--- a/pyeudiw/openid4vp/vp_sd_jwt.py
+++ b/pyeudiw/openid4vp/vp_sd_jwt.py
@@ -8,6 +8,7 @@
 from pyeudiw.openid4vp.vp import Vp
 from pyeudiw.openid4vp.exceptions import InvalidVPToken
 
+
 class VpSdJwt(Vp):
     """Class for SD-JWT Format"""
 
@@ -96,7 +97,7 @@ def verify(
             result.update(result['verified_claims'].get('claims', {}))
 
         return True
-    
+
     def get_credential_jwks(self) -> list[dict]:
         """
         Returns the credential JWKs.
@@ -105,7 +106,7 @@ def get_credential_jwks(self) -> list[dict]:
         :rtype: list[dict]
         """
         return self.credential_jwks or {}
-    
+
     def set_credential_jwks(self, credential_jwks: list[dict]) -> None:
         """
         Set the credential JWKs for the current istance.
@@ -114,7 +115,7 @@ def set_credential_jwks(self, credential_jwks: list[dict]) -> None:
         :type credential_jwks: list[dict]
         """
         self._credential_jwks = credential_jwks
-    
+
     def _detect_vp_type(self) -> str:
         """
         Detects and return the type of verifiable presentation.
@@ -134,4 +135,4 @@ def credential_issuer(self) -> str:
         """Returns the credential issuer"""
         if not self.credential_payload.get('iss', None):
             self.parse_digital_credential()
-        return self.credential_payload.get('iss', None)
\ No newline at end of file
+        return self.credential_payload.get('iss', None)
diff --git a/pyeudiw/openid4vp/vp_sd_jwt_vc.py b/pyeudiw/openid4vp/vp_sd_jwt_vc.py
new file mode 100644
index 00000000..6417be08
--- /dev/null
+++ b/pyeudiw/openid4vp/vp_sd_jwt_vc.py
@@ -0,0 +1,52 @@
+from typing import Optional
+
+from pyeudiw.jwk import JWK
+from pyeudiw.jwt.parse import KeyIdentifier_T, extract_key_identifier
+from pyeudiw.jwt.verification import is_jwt_expired
+from pyeudiw.openid4vp.exceptions import InvalidVPKeyBinding
+from pyeudiw.openid4vp.interface import VpTokenParser, VpTokenVerifier
+from pyeudiw.sd_jwt.exceptions import InvalidKeyBinding, UnsupportedSdAlg
+from pyeudiw.sd_jwt.schema import VerifierChallenge, is_sd_jwt_kb_format
+from pyeudiw.sd_jwt.sd_jwt import SdJwt
+
+
+class VpVcSdJwtParserVerifier(VpTokenParser, VpTokenVerifier):
+    def __init__(self, token: str, verifier_id: Optional[str] = None, verifier_nonce: Optional[str] = None):
+        self.token = token
+        if not is_sd_jwt_kb_format(token):
+            raise ValueError(f"input [token]={token} is not an sd-jwt with key binding: maybe it is a regular jwt or key binding jwt is missing?")
+        self.verifier_id = verifier_id
+        self.verifier_nonce = verifier_nonce
+        # precomputed values
+        self.sdjwt = SdJwt(self.token)
+
+    def get_issuer_name(self) -> str:
+        iss = self.sdjwt.issuer_jwt.payload.get("iss", None)
+        if not iss:
+            raise Exception("missing required information in token paylaod: [iss]")
+        return iss
+
+    def get_credentials(self) -> dict:
+        return self.sdjwt.get_disclosed_claims()
+
+    def get_signing_key(self) -> JWK | KeyIdentifier_T:
+        return extract_key_identifier(self.sdjwt.issuer_jwt.header)
+
+    def is_revoked(self) -> bool:
+        # TODO: implement revocation check
+        return False
+
+    def is_expired(self) -> bool:
+        return is_jwt_expired(self.sdjwt.issuer_jwt)
+
+    def verify_signature(self, public_key: JWK) -> None:
+        return self.sdjwt.verify_issuer_jwt_signature(public_key)
+    
+    def verify_challenge(self) -> None:
+        challenge : VerifierChallenge = {}
+        challenge["aud"] = self.verifier_id
+        challenge["nonce"] = self.verifier_nonce
+        try:
+            self.sdjwt.verify_holder_kb_jwt(challenge)
+        except (UnsupportedSdAlg, InvalidKeyBinding):
+            raise InvalidVPKeyBinding
diff --git a/pyeudiw/satosa/default/openid4vp_backend.py b/pyeudiw/satosa/default/openid4vp_backend.py
index 25b24306..4db4edbd 100644
--- a/pyeudiw/satosa/default/openid4vp_backend.py
+++ b/pyeudiw/satosa/default/openid4vp_backend.py
@@ -1,4 +1,3 @@
-import json
 import uuid
 from typing import Callable
 from urllib.parse import quote_plus, urlencode
@@ -18,6 +17,7 @@
 from pyeudiw.storage.exceptions import StorageWriteError
 from pyeudiw.tools.mobile import is_smartphone
 from pyeudiw.tools.utils import iat_now
+from pyeudiw.trust.dynamic import CombinedTrustEvaluator, dynamic_trust_evaluators_loader
 
 from ..interfaces.openid4vp_backend import OpenID4VPBackendInterface
 
@@ -87,7 +87,6 @@ def __init__(
             else self.base_url
         )
 
-        self.init_trust_resources()
         try:
             PyeudiwBackendConfig(**config)
         except ValidationError as e:
@@ -95,11 +94,9 @@ def __init__(
             self._log_warning("OpenID4VPBackend", debug_message)
 
         self.response_code_helper = ResponseCodeSource(self.config["response_code"]["sym_key"])
-
-        self._log_debug(
-            "OpenID4VP init",
-            f"loaded configuration: {json.dumps(config)}"
-        )
+        trust_configuration = self.config.get("trust", {})
+        self.trust_evaluator = CombinedTrustEvaluator(dynamic_trust_evaluators_loader(trust_configuration), self.db_engine)
+        self.init_trust_resources()  # Questo carica risorse, metadata endpoint (sotto formate di attributi con pattern *_endpoint) etc, che satosa deve pubblicare
 
     def register_endpoints(self) -> list[tuple[str, Callable[[Context], Response]]]:
         """
@@ -182,7 +179,10 @@ def pre_request_endpoint(self, context: Context, internal_request, **kwargs) ->
         if not context.target_frontend:
             _msg = "Preventing session creation: context is not linked to any previous authn session."
             self._log_warning(context, _msg)
-            return self._handle_400(context, "previous authn session not found. It seems that the flow did not started with a valid authn request to one of the configured frontend.")
+            return self._handle_400(
+                context,
+                "previous authn session not found. It seems that the flow did not started with a valid authn request to one of the configured frontend."
+            )
 
         # Init session
         try:
diff --git a/pyeudiw/satosa/default/response_handler.py b/pyeudiw/satosa/default/response_handler.py
index da613d9d..40c13667 100644
--- a/pyeudiw/satosa/default/response_handler.py
+++ b/pyeudiw/satosa/default/response_handler.py
@@ -1,29 +1,38 @@
+from copy import deepcopy
 import datetime
 import hashlib
 import json
 import logging
+from typing import Any
 
 from pydantic import ValidationError
 from satosa.context import Context
 from satosa.internal import AuthenticationInformation, InternalData
 from satosa.response import Redirect
 
-from pyeudiw.openid4vp.direct_post_response import DirectPostResponse
-from pyeudiw.openid4vp.exceptions import (InvalidVPToken, KIDNotFound,
-                                          NoNonceInVPToken, VPInvalidNonce,
-                                          VPNotFound)
-from pyeudiw.openid4vp.schemas.response import ResponseSchema
+from pyeudiw.jwk import JWK
+from pyeudiw.openid4vp.authorization_response import AuthorizeResponseDirectPost, AuthorizeResponsePayload
+from pyeudiw.openid4vp.exceptions import InvalidVPKeyBinding, InvalidVPToken, KIDNotFound
+from pyeudiw.openid4vp.interface import VpTokenParser, VpTokenVerifier
 from pyeudiw.openid4vp.vp import Vp
+from pyeudiw.openid4vp.vp_sd_jwt_vc import VpVcSdJwtParserVerifier
 from pyeudiw.openid4vp.vp_sd_jwt import VpSdJwt
-from pyeudiw.satosa.exceptions import NotTrustedFederationError, HTTPError
+from pyeudiw.satosa.exceptions import (AuthorizeUnmatchedResponse, BadRequestError, FinalizedSessionError,
+                                       InvalidInternalStateError, NotTrustedFederationError, HTTPError)
 from pyeudiw.satosa.interfaces.response_handler import ResponseHandlerInterface
 from pyeudiw.satosa.utils.response import JsonResponse
 from pyeudiw.satosa.utils.trust import BackendTrust
+from pyeudiw.sd_jwt.schema import VerifierChallenge
 from pyeudiw.storage.exceptions import StorageWriteError
 from pyeudiw.tools.utils import iat_now
+from pyeudiw.trust.interface import TrustEvaluator
 
 
 class ResponseHandler(ResponseHandlerInterface, BackendTrust):
+    _SUPPORTED_RESPONSE_METHOD = "post"
+    _SUPPORTED_RESPONSE_CONTENT_TYPE = "application/x-www-form-urlencoded"
+    _ACCEPTED_ISSUER_METADATA_TYPE = "openid_credential_issuer"
+
     def _handle_credential_trust(self, context: Context, vp: Vp) -> bool:
         try:
             # establish the trust with the issuer of the credential by checking it to the revocation
@@ -62,131 +71,153 @@ def _extract_all_user_attributes(self, attributes_by_issuers: dict) -> dict:
             all_user_attributes.update(**i)
         return all_user_attributes
 
-    def response_endpoint(self, context: Context, *args: tuple) -> Redirect | JsonResponse:
-        self._log_function_debug("request_endpoint", context, "args", args)
+    def _parse_http_request(self, context: Context) -> dict:
+        """Parse the http layer of the request to extract the dictionary data.
+
+        :param context: the satosa context containing, among the others, the details of the HTTP request
+        :type context: satosa.Context
+
+        :return: a dictionary containing the request data
+        :rtype: dict
+
+        :raises BadRequestError: when request paramets are in a not processable state; the expected handling is returning 400
+        """
+        if (http_method := context.request_method.lower()) != ResponseHandler._SUPPORTED_RESPONSE_METHOD:
+            raise BadRequestError(f"HTTP method [{http_method}] not supported")
+
+        if (content_type := context.http_headers['HTTP_CONTENT_TYPE']) != ResponseHandler._SUPPORTED_RESPONSE_CONTENT_TYPE:
+            raise BadRequestError(f"HTTP content type [{content_type}] not supported")
 
-        if context.request_method.lower() != 'post':
-            return self._handle_400(context, "HTTP Method not supported")
-        _endpoint = f'{self.server_url}{context.request_uri}'
+        _endpoint = f"{self.server_url}{context.request_uri}"
         if self.config["metadata"].get('response_uris_supported', None):
             if _endpoint not in self.config["metadata"]['response_uris_supported']:
-                return self._handle_400(context, "response_uri not valid")
+                raise BadRequestError("response_uri not valid")
 
-        # take the encrypted jwt, decrypt with my public key (one of the metadata) -> if not -> exception
-        jwt = context.request.get("response", None)
-        if not jwt:
-            _msg = "Response error, missing JWT"
-            self._log_error(context, _msg)
-            return self._handle_400(context, _msg)
+        return context.request
 
-        try:
-            vpt = DirectPostResponse(jwt, self.metadata_jwks_by_kids)
-            debug_message = f"Redirect uri endpoint Response using direct post contains: {vpt.payload}"
-            self._log_debug(context, debug_message)
-            ResponseSchema(**vpt.payload)
-        except Exception as e:
-            _msg = f"DirectPostResponse parse and validation error: {e}"
-            self._log_error(context, _msg)
-            return self._handle_400(context, _msg, HTTPError(f"Error:{e}, with JWT: {jwt}"))
+    def _retrieve_session_from_state(self, state: str) -> dict:
+        """_retrieve_session_and_nonce_from_state tries to recover an
+        authenticasion session by matching it with the state. Returns the whole
+        session data (if found) and the nonce proposed in the authentication
+        request that should be matched by the holder response.
 
-        # state MUST be present in the response since it was in the request
-        # then do lookup on the db -> if not -> exception
-        state = vpt.payload.get("state", None)
-        if not state:
-            return self._handle_400(context, _msg, HTTPError(f"{_msg} with: {vpt.payload}"))
+        :returns: the authentication session information and the nonce challenge
+            associated to that authentication request
+        :rtype: tuple[dict, str]
 
+        :raises AuthorizeUnmatchedResponse: if the state is not matched to any session
+        :raises FinalizedSessionError: if the state is matched to an already closed session
+        :raises InvalidInternalStateError: if the session contains invalid, corrupted or missing
+            data of known reason.
+        """
+        request_session: dict = {}
         try:
-            stored_session = self.db_engine.get_by_state(state=state)
-        except Exception as e:
-            _msg = "Session lookup by state value failed"
-            return self._handle_400(context, _msg, e)
+            request_session = self.db_engine.get_by_state(state=state)
+        except Exception as err:
+            raise AuthorizeUnmatchedResponse(f"unable to find document-session associated to state {state}", err)
+
+        if not request_session:
+            raise InvalidInternalStateError(f"unable to find document-session associated to state {state}")
+
+        if request_session.get("finalized", True):
+            raise FinalizedSessionError(f"cannot accept response: session for state {state} corrupted or already finalized")
+
+        nonce = request_session.get("nonce", None)
+        if not nonce:
+            raise InvalidInternalStateError(f"unable to find nonce in session associated to state {state}: corrupted data")
+        return request_session
+
+    def _is_same_device_flow(request_session: dict, context: Context) -> bool:
+        initiating_session_id: str | None = request_session.get("session_id", None)
+        if initiating_session_id is None:
+            raise ValueError("invalid session storage information: missing [session_id]")
+        current_session_id: str | None = context.state.get("SESSION_ID", None)
+        if current_session_id is None:
+            raise ValueError("missing session id in wallet authorization response")
+        return initiating_session_id == current_session_id
 
-        if stored_session["finalized"]:
-            _msg = "Session already finalized"
-            return self._handle_400(context, _msg, HTTPError(_msg))
+    def response_endpoint(self, context: Context, *args: tuple) -> Redirect | JsonResponse:
+        self._log_function_debug("response_endpoint", context, "args", args)
 
+        request_dict = {}
         try:
-            vpt.load_nonce(stored_session['nonce'])
-            vps: list[Vp] = vpt.get_presentation_vps()
-            vpt.validate()
-
-        except VPNotFound as e:
-            _msg = "Error while retrieving VP. Payload 'vp_token' is empty or has an unexpected value."
-            return self._handle_400(context, _msg, e)
-
-        except NoNonceInVPToken as e:
-            _msg = "Error while validating VP: vp has no nonce."
-            return self._handle_400(context, _msg, e)
-
-        except VPInvalidNonce as e:
-            _msg = "Error while validating VP: unexpected value."
-            return self._handle_400(context, _msg, e)
+            request_dict = self._parse_http_request(context)
+        except BadRequestError as e:
+            return self._handle_400(context, e.args[0], e)
 
+        # parse and decrypt jwt in response
+        authz_response: None | AuthorizeResponseDirectPost = None
+        authz_payload: None | AuthorizeResponsePayload = None
+        try:
+            authz_response = AuthorizeResponseDirectPost(**request_dict)
         except Exception as e:
-            _msg = (
-                "DirectPostResponse content parse and validation error. "
-                "Single VPs are faulty."
-            )
-            return self._handle_400(context, _msg, e)
-
-        # evaluate the trust to each credential issuer found in the vps
-        # look for trust chain or x509 or do discovery!
-        cred_issuers = tuple(vpt.credentials_by_issuer.keys())
-        attributes_by_issuers = {k: {} for k in cred_issuers}
-
-        for vp in vps:
-            self._handle_credential_trust(context, vp)
-
-            # the trust is established to the credential issuer, then we can get the disclosed user attributes
+            return self._handle_400(context, "response error: invalid schema or missing jwt", e)
+        try:
+            authz_payload = authz_response.decode_payload(self.metadata_jwks_by_kids)
+        except Exception as e:
+            _msg = f"authorization response parsing and/or validation error: {e}"
+            self._log_error(context, _msg)
+            return self._handle_400(context, _msg, HTTPError(f"error: {e}, with request: {request_dict}"))
+        self._log_debug(context, f"response URI endpoint response with payload {authz_payload}")
 
+        request_session: dict = {}
+        try:
+            request_session = self._retrieve_session_from_state(authz_payload.state)
+        except AuthorizeUnmatchedResponse as e400:
+            return self._handle_400(context, e400.args[0], e400.args[1])
+        except InvalidInternalStateError as e500:
+            return self._handle_500(context, e500.args[0], "invalid state")
+        except FinalizedSessionError as e400:
+            return self._handle_400(context, e400.args[0], HTTPError(e400.args[0]))
+
+        # the flow below is a simplified algorithm of authentication response processing, where:
+        # (1) we don't check that presentation submission matches definition (yet)
+        # (2) we don't check that vp tokens are aligned with information declared in the presentation submission
+        # (3) we use all disclosed claims in vp tokens to build the user identity
+        attributes_by_issuer: dict[str, dict[str, Any]] = {}
+        credential_issuers: list[str] = []
+        encoded_vps: list[str] = [authz_payload.vp_token] if isinstance(authz_payload.vp_token, str) else authz_payload.vp_token
+        for vp_token in encoded_vps:
+            # verify vp token and extract user information
+            # TODO: specialized try/except for each call, from line 182 to line 187
             try:
-                if isinstance(vp, VpSdJwt):
-                    jwks_by_kid = {
-                        i['kid']: i for i in vp.credential_jwks
-                    }
-                    vp.verify(issuer_jwks_by_kid=jwks_by_kid)
-                else:
-                    vp.verify()
-            except Exception as e:
-                return self._handle_400(context, f"VP validation error with {self.data}: {e}")
-
-            # vp.result
-            attributes_by_issuers[vp.credential_issuer] = vp.disclosed_user_attributes
-
-            debug_message = f"Disclosed user attributes from {vp.credential_issuer}: {vp.disclosed_user_attributes}"
-            self._log_debug(context, debug_message)
-
-            vp.check_revocation()
-
-        all_user_attributes = self._extract_all_user_attributes(
-            attributes_by_issuers)
-
-        self._log_debug(context, f"Wallet disclosure: {all_user_attributes}")
-
-        # TODO: not sure that we want these issuers in the following form ... please recheck.
-        _info = {"issuer": ';'.join(cred_issuers)}
-        internal_resp = self._translate_response(
-            all_user_attributes, _info["issuer"], context
-        )
+                token_parser, token_verifier = self._vp_verifier_factory(authz_payload.presentation_submission, vp_token, request_session)
+            except ValueError as e:
+                return self._handle_400(context, f"VP parsing error: {e}")
+            pub_jwk = _find_vp_token_key(token_parser, self.trust_evaluator)
+            token_verifier.verify_signature(pub_jwk)
+            try:
+                token_verifier.verify_challenge()
+            except InvalidVPKeyBinding as e:
+                return self._handle_400(context, f"VP parsing error: {e}")
+            claims = token_parser.get_credentials()
+            iss = token_parser.get_issuer_name()
+            attributes_by_issuer[iss] = claims
+            self._log_debug(context, f"disclosed claims {claims} from issuer {iss}")
+          
+        all_attributes = self._extract_all_user_attributes(attributes_by_issuer)
+        iss_list_serialized = ";".join(credential_issuers)  # marshaling is whatever
+        internal_resp = self._translate_response(all_attributes, iss_list_serialized, context)
+
+        state = authz_payload.state
         response_code = self.response_code_helper.create_code(state)
-
         try:
             self.db_engine.update_response_object(
-                stored_session['nonce'], state, internal_resp
+                request_session['nonce'], state, internal_resp
             )
             # authentication finalized!
-            self.db_engine.set_finalized(stored_session['document_id'])
+            self.db_engine.set_finalized(request_session['document_id'])
             if self.effective_log_level == logging.DEBUG:
-                stored_session = self.db_engine.get_by_state(state=state)
+                request_session = self.db_engine.get_by_state(state=state)
                 self._log_debug(
-                    context, f"Session update on storage: {stored_session}")
+                    context, f"Session update on storage: {request_session}")
 
         except StorageWriteError as e:
             # TODO - do we have to block in the case the update cannot be done?
             self._log_error(context, f"Session update on storage failed: {e}")
             return self._handle_500(context, "Cannot update response object.", e)
 
-        if stored_session['session_id'] == context.state["SESSION_ID"]:
+        if ResponseHandler._is_same_device_flow(request_session, context):
             # Same device flow
             cb_redirect_uri = f"{self.registered_get_response_endpoint}?response_code={response_code}"
             return JsonResponse({"redirect_uri": cb_redirect_uri}, status="200")
@@ -208,7 +239,6 @@ def _translate_response(self, response: dict, issuer: str, context: Context) ->
         """
         # it may depends by credential type and attested security context evaluated
         # if WIA was previously submitted by the Wallet
-
         timestamp_epoch = (
             response.get("auth_time")
             or response.get("iat")
@@ -264,3 +294,30 @@ def _translate_response(self, response: dict, issuer: str, context: Context) ->
         )
         internal_resp.subject_id = sub
         return internal_resp
+
+    def _vp_verifier_factory(self, presentation_submission: dict, token: str, session_data: dict) -> tuple[VpTokenParser, VpTokenVerifier]:
+        # TODO: la funzione dovrebbe consumare la presentation submission per sapere quale token
+        # ritornare - per ora viene ritornata l'unica implementazione possibile
+        challenge = self._get_verifier_challenge(session_data)
+        token_processor = VpVcSdJwtParserVerifier(token, challenge["aud"], challenge["nonce"])
+        return (token_processor, deepcopy(token_processor))
+
+    def _get_verifier_challenge(self, session_data: dict) -> VerifierChallenge:
+        return {"aud": self.client_id, "nonce": session_data["nonce"]}
+
+
+def _find_vp_token_key(token_parser: VpTokenParser, key_source: TrustEvaluator) -> JWK:
+    # TODO: move somewhere appropriate: this doesn't HAVE to be in the response handler
+    issuer = token_parser.get_issuer_name()
+    trusted_pub_keys = key_source.get_public_keys(issuer)
+    verification_key = token_parser.get_signing_key()
+    if isinstance(verification_key, str):
+        # search by kid
+        kid = verification_key
+        pub_jwks = [key for key in trusted_pub_keys if key.get("kid", "") == kid]
+        if len(pub_jwks) != 1:
+            raise Exception(f"no unique valid trusted key with kid={kid} for issuer {issuer}")
+        return JWK(pub_jwks[0])
+    if isinstance(verification_key, dict):
+        raise NotImplementedError("TODO: matching of public key (ex. from x5c) with keys from trust source")
+    raise Exception(f"invalid state: key with type {type(verification_key)}")
diff --git a/pyeudiw/satosa/exceptions.py b/pyeudiw/satosa/exceptions.py
index f12837c5..1c04562f 100644
--- a/pyeudiw/satosa/exceptions.py
+++ b/pyeudiw/satosa/exceptions.py
@@ -6,6 +6,28 @@ class BadRequestError(Exception):
     """
 
 
+class InternalServerError(Exception):
+    """
+    Bad Request error.
+
+    This exception should be raised when we want to return an HTTP 400 Bad Request
+    """
+
+
+class InvalidInternalStateError(InternalServerError):
+    """
+    This is specification of InternalServerError that specify that the internal
+    error is caused by an invalid backend, storage or cache state.
+    """
+
+
+class FinalizedSessionError(BadRequestError):
+    """
+    Raised when an authorization request or respsonse attempts at updating or modifying
+    an already finalized authentication session.
+    """
+
+
 class NoBoundEndpointError(Exception):
     """
     Raised when a given url path is not bound to any endpoint function
@@ -38,3 +60,9 @@ class DPOPValidationError(Exception):
     """
     Raised when a DPoP validation error occurs
     """
+
+
+class AuthorizeUnmatchedResponse(Exception):
+    """
+    Raised when an authorization response cannot be matched to an authentication request
+    """
diff --git a/pyeudiw/satosa/schemas/config.py b/pyeudiw/satosa/schemas/config.py
index 75e2cae7..be8f1b2d 100644
--- a/pyeudiw/satosa/schemas/config.py
+++ b/pyeudiw/satosa/schemas/config.py
@@ -1,15 +1,15 @@
 from pydantic import BaseModel
+from pyeudiw.federation.schemas.wallet_relying_party import WalletRelyingParty
+from pyeudiw.jwt.schemas.jwt import JWTConfig
 from pyeudiw.jwk.schemas.public import JwkSchema
 from pyeudiw.satosa.schemas.endpoint import EndpointsConfig
 from pyeudiw.satosa.schemas.qrcode import QRCode
 from pyeudiw.satosa.schemas.response import ResponseConfig
 from pyeudiw.satosa.schemas.autorization import AuthorizationConfig
 from pyeudiw.satosa.schemas.user_attributes import UserAttributesConfig
-from pyeudiw.federation.schemas.federation_configuration import FederationConfig
-from pyeudiw.federation.schemas.wallet_relying_party import WalletRelyingParty
 from pyeudiw.satosa.schemas.ui import UiConfig
-from pyeudiw.jwt.schemas.jwt import JWTConfig
 from pyeudiw.storage.schemas.storage import Storage
+from pyeudiw.trust.dynamic import TrustModuleConfiguration_T
 
 
 class PyeudiwBackendConfig(BaseModel):
@@ -21,7 +21,7 @@ class PyeudiwBackendConfig(BaseModel):
     authorization: AuthorizationConfig
     user_attributes: UserAttributesConfig
     network: dict
-    federation: FederationConfig
+    trust: dict[str, TrustModuleConfiguration_T]
     metadata_jwks: list[JwkSchema]
     storage: Storage
     metadata: WalletRelyingParty
diff --git a/pyeudiw/satosa/utils/trust.py b/pyeudiw/satosa/utils/trust.py
index c0f2e0ba..4cb79f17 100644
--- a/pyeudiw/satosa/utils/trust.py
+++ b/pyeudiw/satosa/utils/trust.py
@@ -24,14 +24,15 @@ def init_trust_resources(self) -> None:
         """
         Initializes the trust resources.
         """
+        # TODO: adapt method to init ALL types of trust resources (if configured)
 
         # private keys by kid
         self.federations_jwks_by_kids = {
-            i['kid']: i for i in self.config['federation']['federation_jwks']
+            i['kid']: i for i in self.config['trust']['federation']['config']['federation_jwks']
         }
         # dumps public jwks
         self.federation_public_jwks = [
-            JWK(i).public_key for i in self.config['federation']['federation_jwks']
+            JWK(i).public_key for i in self.config['trust']['federation']['config']['federation_jwks']
         ]
         # we close the connection in this constructor since it must be fork safe and
         # get reinitialized later on, within each fork
@@ -77,7 +78,7 @@ def update_trust_anchors(self):
         Updates the trust anchors of current instance.
         """
 
-        tas = self.config['federation']['trust_anchors']
+        tas = self.config['trust']['federation']['config']['trust_anchors']
         self._log_info("Trust Anchors updates", f"Trying to update: {tas}")
 
         for ta in tas:
@@ -188,10 +189,10 @@ def entity_configuration_as_dict(self) -> dict:
                 "keys": self.federation_public_jwks
             },
             "metadata": {
-                self.config['federation']["metadata_type"]: self.config['metadata'],
-                "federation_entity": self.config['federation']['federation_entity_metadata']
+                self.config['trust']['federation']['config']["metadata_type"]: self.config['metadata'],
+                "federation_entity": self.config['trust']['federation']['config']['federation_entity_metadata']
             },
-            "authority_hints": self.config['federation']['authority_hints']
+            "authority_hints": self.config['trust']['federation']['config']['authority_hints']
         }
         return ec_payload
 
@@ -202,7 +203,7 @@ def entity_configuration(self) -> dict:
         jwshelper = JWSHelper(self.default_federation_private_jwk)
         return jwshelper.sign(
             protected={
-                "alg": self.config['federation']["default_sig_alg"],
+                "alg": self.config['trust']['federation']['config']["default_sig_alg"],
                 "kid": self.default_federation_private_jwk["kid"],
                 "typ": "entity-statement+jwt"
             },
diff --git a/pyeudiw/sd_jwt/__init__.py b/pyeudiw/sd_jwt/__init__.py
index 390b77c6..8966e0f1 100644
--- a/pyeudiw/sd_jwt/__init__.py
+++ b/pyeudiw/sd_jwt/__init__.py
@@ -4,7 +4,7 @@
 
 from binascii import unhexlify
 from io import StringIO
-from typing import Dict
+from typing import Dict, Optional
 
 from sd_jwt.issuer import SDJWTIssuer
 from sd_jwt.utils.yaml_specification import _yaml_load_specification
@@ -20,6 +20,7 @@
 from json import dumps, loads
 
 import jwcrypto
+import jwcrypto.jwk
 
 from typing import Any
 from cryptojwt.jwk.rsa import RSAKey
@@ -81,8 +82,8 @@ def _create_signed_jws(self):
         self.sd_jwt = JWS(payload=dumps(self.sd_jwt_payload))
 
         _protected_headers = {"alg": self._sign_alg}
-        if getattr(self, "SD_JWT_TYP_HEADER", None):
-            _protected_headers["typ"] = self.SD_JWT_TYP_HEADER
+        if getattr(self, "SD_JWT_HEADER", None):
+            _protected_headers["typ"] = self.SD_JWT_HEADER
 
         for k, v in self.additional_headers.items():
             _protected_headers[k] = v
@@ -262,7 +263,8 @@ def issue_sd_jwt(
     settings: dict,
     issuer_key: JWK,
     holder_key: JWK,
-    trust_chain: list[str] | None = None
+    trust_chain: list[str] | None = None,
+    additional_headers: Optional[dict] = None
 ) -> str:
     """
     Issue a SD-JWT.
@@ -277,6 +279,8 @@ def issue_sd_jwt(
     :type holder_key: JWK
     :param trust_chain: the trust chain.
     :type trust_chain: list[str] | None
+    :param additional_headers: use case specific header claims, such as 'typ'
+    :type additional_headers: dict
 
     :returns: the issued SD-JWT.
     :rtype: str
@@ -291,8 +295,11 @@ def issue_sd_jwt(
     specification.update(claims)
     use_decoys = specification.get("add_decoy_claims", True)
     adapted_keys = _adapt_keys(issuer_key, holder_key)
-    additional_headers = {"trust_chain": trust_chain} if trust_chain else {}
-    additional_headers['kid'] = issuer_key.kid
+    if additional_headers is None:
+        additional_headers = {}
+    if trust_chain:
+        additional_headers["trust_chain"] = trust_chain
+    additional_headers["kid"] = issuer_key.kid
 
     sdjwt_at_issuer = TrustChainSDJWTIssuer(
         user_claims=specification,
diff --git a/pyeudiw/sd_jwt/exceptions.py b/pyeudiw/sd_jwt/exceptions.py
index d46299db..ee7489d8 100644
--- a/pyeudiw/sd_jwt/exceptions.py
+++ b/pyeudiw/sd_jwt/exceptions.py
@@ -1,2 +1,10 @@
 class UnknownCurveNistName(Exception):
     pass
+
+
+class InvalidKeyBinding(Exception):
+    pass
+
+
+class UnsupportedSdAlg(Exception):
+    pass
diff --git a/pyeudiw/sd_jwt/schema.py b/pyeudiw/sd_jwt/schema.py
index ab905e63..c7d1f849 100644
--- a/pyeudiw/sd_jwt/schema.py
+++ b/pyeudiw/sd_jwt/schema.py
@@ -1,11 +1,27 @@
+import sys
 import re
-from typing import Dict, Literal
+from typing import Dict, Literal, Optional, TypeVar
+from typing_extensions import Self
 
-from pydantic import BaseModel, HttpUrl
+if float(f"{sys.version_info.major}.{sys.version_info.minor}") >= 3.12:
+    from typing import TypedDict
+else:
+    from typing_extensions import TypedDict
+
+from pydantic import BaseModel, HttpUrl, field_validator, model_validator
 
 from pyeudiw.jwk.schemas.public import JwkSchema
 
-SD_JWT_REGEXP = r"^(([-A-Za-z0-9\=_])*\.([-A-Za-z0-9\=_])*\.([-A-Za-z0-9\=_])*)(~([-A-Za-z0-9\=_\.])*)*$"
+
+_OptionalDict_T = TypeVar('T', None, dict)
+
+_IDENTIFYING_VC_TYP = "vc+sd-jwt"
+_IDENTIFYING_KB_TYP = "kb+jwt"
+
+# this pattern matches sd-jwt and sd-jwt w/ kb
+SD_JWT_REGEXP = r"^([-A-Za-z0-9_]+\.[-A-Za-z0-9_]+\.[-A-Za-z0-9_]+)(~[-A-Za-z0-9_]+)*(~)([-A-Za-z0-9_]+\.[-A-Za-z0-9_]+\.[-A-Za-z0-9_]+)*$"
+# this pattern matches sd-jwt w/ kb
+SD_JWT_KB_REGEXP = r"^([-A-Za-z0-9_]+\.[-A-Za-z0-9_]+\.[-A-Za-z0-9_]+)(~[-A-Za-z0-9_]+)*(~)([-A-Za-z0-9_]+\.[-A-Za-z0-9_]+\.[-A-Za-z0-9_]+)$"
 
 
 def is_sd_jwt_format(sd_jwt: str) -> bool:
@@ -13,21 +29,98 @@ def is_sd_jwt_format(sd_jwt: str) -> bool:
     return bool(res)
 
 
-def is_sd_jwt_list_format(sd_jwt_list: list[str]) -> bool:
-    if len(sd_jwt_list) == 0:
-        return False
+def is_sd_jwt_kb_format(sd_jwt_kb: str) -> bool:
+    res = re.match(SD_JWT_KB_REGEXP, sd_jwt_kb)
+    return bool(res)
+
+
+class VcSdJwtHeaderSchema(BaseModel):
+    typ: str
+    alg: str
+    kid: Optional[str] = None
+    trust_chain: Optional[list[str]] = None
+    x5c: Optional[str] = None
+    vctm: Optional[list[str]] = None
+
+    @field_validator("typ")
+    def validate_typ(cls, v: str) -> str:
+        if v != _IDENTIFYING_VC_TYP:
+            raise ValueError(f"header parameter [typ] must be '{_IDENTIFYING_VC_TYP}', found instead '{v}'")
+        return v
 
-    for sd_jwt in sd_jwt_list:
-        if not is_sd_jwt_format(sd_jwt):
-            return False
+    @model_validator(mode="after")
+    def check_typ_when_not_x5c(self) -> Self:
+        if (not self.x5c) and (not self.kid):
+            raise ValueError("[kid] must be defined if [x5c] claim is not defined")
+        return self
 
-    return True
 
+class _StatusAssertionSchema(BaseModel):
+    credential_hash_alg: str
 
-class SDJWTSchema(BaseModel):
+
+class _StatusSchema(BaseModel):
+    status_assertion: _StatusAssertionSchema
+
+
+class _EvidenceSchema(BaseModel):
+    method: str | list | dict
+
+
+class _VerificationSchema(BaseModel):
+    trust_framework: str
+    assurance_level: str
+    evidence: _EvidenceSchema
+
+
+class VcSdJwtPayloadSchema(BaseModel):
     iss: HttpUrl
-    iat: int
-    exp: int
     sub: str
-    _sd_alg: str
+    iat: int  # selectively disclosable
+    exp: int
+    status: dict
     cnf: Dict[Literal["jwk"], JwkSchema]
+    vct: str
+    verification: dict
+    _sd_alg: str
+
+    _sd: Optional[list[str]] = None
+
+    @field_validator("status")
+    def validate_status(cls, v: dict) -> dict:
+        try:
+            _StatusSchema(**v)
+        except ValueError as e:
+            raise ValueError(f"parameter [status] value '{v}' does not comply with schema {_StatusSchema.model_fields}: {e}")
+        return v
+
+    @field_validator("verification")
+    def validate_verification(cls, v: dict) -> dict:
+        try:
+            _VerificationSchema(**v)
+        except ValueError as e:
+            raise ValueError(f"parameter [verification] value '{v}' does not comply with schema {_VerificationSchema.model_fields}: {e}")
+        return v
+
+
+class KeyBindingJwtHeader(BaseModel):
+    typ: str
+    alg: str
+
+    @field_validator("typ")
+    def validate_typ(cls, v: str) -> str:
+        if v != _IDENTIFYING_KB_TYP:
+            raise ValueError(f"header parameter [typ] must be '{_IDENTIFYING_KB_TYP}', found instead '{v}'")
+        return v
+
+
+class KeyBindingJwtPayload(BaseModel):
+    iat: int
+    aud: str
+    nonce: str
+    sd_hash: str
+
+
+class VerifierChallenge(TypedDict):
+    aud: str
+    nonce: str
diff --git a/pyeudiw/sd_jwt/sd_jwt.py b/pyeudiw/sd_jwt/sd_jwt.py
new file mode 100644
index 00000000..cf8965a8
--- /dev/null
+++ b/pyeudiw/sd_jwt/sd_jwt.py
@@ -0,0 +1,219 @@
+from hashlib import sha256
+import json
+from typing import Any, Callable, TypeVar
+import sd_jwt.common as sd_jwtcommon
+from sd_jwt.common import SDJWTCommon
+
+from pyeudiw.jwk import JWK
+from pyeudiw.jwt.utils import base64_urldecode, base64_urlencode
+from pyeudiw.jwt.verification import verify_jws_with_key
+from pyeudiw.sd_jwt.exceptions import InvalidKeyBinding, UnsupportedSdAlg
+from pyeudiw.sd_jwt.schema import is_sd_jwt_format, is_sd_jwt_kb_format, VerifierChallenge
+from pyeudiw.jwt.parse import DecodedJwt
+from pyeudiw.tools.utils import iat_now
+
+
+_JsonTypes = dict | list | str | int | float | bool | None
+_JsonTypes_T = TypeVar('_JsonTypes_T', bound=_JsonTypes)
+
+DEFAULT_SD_ALG = "sha-256"
+DIGEST_ALG_KEY = sd_jwtcommon.DIGEST_ALG_KEY
+FORMAT_SEPARATOR = SDJWTCommon.COMBINED_SERIALIZATION_FORMAT_SEPARATOR
+SD_DIGESTS_KEY = sd_jwtcommon.SD_DIGESTS_KEY
+SD_LIST_PREFIX = sd_jwtcommon.SD_LIST_PREFIX
+
+SUPPORTED_SD_ALG_FN: dict[str, Callable[[str], str]] = {
+    "sha-256": lambda s: base64_urlencode(sha256(s.encode("ascii")).digest())
+}
+
+
+class SdJwt:
+    """
+    SdJwt is an utility class to easily parse and verify sd jwt.
+    All class attributes are intended to be read only
+    """
+
+    def __init__(self, token: str):
+        if not is_sd_jwt_format(token):
+            raise ValueError(f"input [token]={token} is not an sd-jwt with: maybe it is a regular jwt?")
+        self.token = token
+        # precomputed values
+        self.token_without_kb: str = ""
+        self.issuer_jwt: DecodedJwt = DecodedJwt("", "", "", "")
+        self.disclosures: list[str] = []
+        self.holder_kb: DecodedJwt | None = None
+        self._post_init_precomputed_values()
+
+    def _post_init_precomputed_values(self):
+        iss_jwt, *disclosures, kb_jwt = self.token.split(FORMAT_SEPARATOR)
+        self.token_without_kb = iss_jwt + FORMAT_SEPARATOR + ''.join(disc + FORMAT_SEPARATOR for disc in disclosures)
+        self.issuer_jwt = DecodedJwt.parse(iss_jwt)
+        self.disclosures = disclosures
+        if kb_jwt:
+            self.holder_kb = DecodedJwt.parse(kb_jwt)
+        # TODO: schema validations(?)
+
+    def get_confirmation_key(self) -> dict:
+        cnf: dict = self.issuer_jwt.payload.get("cnf", {}).get("jwk", {})
+        if not cnf:
+            raise ValueError("missing confirmation (cnf) key from issuer payload claims")
+        return cnf
+
+    def get_encoded_disclosures(self) -> list[str]:
+        return self.disclosures
+
+    def get_disclosed_claims(self) -> dict:
+        return _extract_claims_from_payload(self.issuer_jwt.payload, self.disclosures, SUPPORTED_SD_ALG_FN[self.get_sd_alg()])
+
+    def get_issuer_jwt(self) -> str:
+        return self.issuer_jwt.jwt
+
+    def get_holder_key_binding_jwt(self) -> str:
+        return self.holder_kb.jwt
+
+    def get_sd_alg(self) -> str:
+        return self.issuer_jwt.payload.get("_sd_alg", DEFAULT_SD_ALG)
+
+    def has_key_binding(self) -> bool:
+        return self.holder_kb is not None
+
+    def verify_issuer_jwt_signature(self, key: JWK) -> None:
+        verify_jws_with_key(self.issuer_jwt.jwt, key)
+
+    def verify_holder_kb_jwt(self, challenge: VerifierChallenge) -> None:
+        """
+        Checks validity of holder key binding.
+        This procedure always passes when no key binding is used
+
+        :raises UnsupportedSdAlg: if verification fails due to an unkown _sd_alg
+        :raises InvalidKeyBinding: if the verification fails for a known reason
+        """
+        if not self.has_key_binding():
+            return
+        _verify_key_binding(self.token_without_kb, self.get_sd_alg(),
+                            self.holder_kb, challenge)
+        self.verify_holder_kb_jwt_signature()
+
+    def verify_holder_kb_jwt_signature(self) -> None:
+        if not self.has_key_binding():
+            return
+        cnf = self.get_confirmation_key()
+        verify_jws_with_key(self.holder_kb.jwt, JWK(cnf))
+
+
+class SdJwtKb(SdJwt):
+
+    def __init__(self, token: str):
+        if not is_sd_jwt_kb_format(token):
+            raise ValueError(f"input [token]={token} is not an sd-jwt with key binding with: maybe it is a regular jwt?")
+        super().__init__(token)
+        if not self.holder_kb:
+            raise ValueError("missing key binding jwt")
+
+
+def _verify_challenge(hkb: DecodedJwt, challenge: VerifierChallenge):
+    if (obt := hkb.payload.get("aud", None)) != (exp := challenge["aud"]):
+        raise InvalidKeyBinding(f"challenge audience {exp} does not match obtained audience {obt}")
+    if (obt := hkb.payload.get("nonce", None)) != (exp := challenge["nonce"]):
+        raise InvalidKeyBinding(f"challenge nonce {exp} does not match obtained nonce {obt}")
+
+
+def _verify_sd_hash(token_without_hkb: str, sd_hash_alg: str, expected_digest: str):
+    hash_fn = SUPPORTED_SD_ALG_FN.get(sd_hash_alg, None)
+    if not hash_fn:
+        raise UnsupportedSdAlg(f"unsupported sd_alg: {sd_hash_alg}")
+    if expected_digest != (obt_digest := hash_fn(token_without_hkb)):
+        raise InvalidKeyBinding(f"sd-jwt digest {obt_digest} does not match expected digest {expected_digest}")
+
+
+def _verify_iat(payload: dict) -> None:
+    iat: int | None = payload.get("iat", None)
+    if not isinstance(iat, int):
+        raise ValueError("missing or invalid parameter [iat] in kbjwt")
+    now = iat_now()
+    if iat > now:
+        raise InvalidKeyBinding("invalid parameter [iat] in kbjwt: issuance after present time")
+    return
+
+
+def _verify_key_binding(token_without_hkb: str, sd_hash_alg: str, hkb: DecodedJwt, challenge: VerifierChallenge):
+    _verify_challenge(hkb, challenge)
+    _verify_sd_hash(token_without_hkb, sd_hash_alg, hkb.payload.get("sd_hash", ""))
+    _verify_iat(hkb.payload)
+
+
+def _disclosures_to_hash_mappings(disclosures: list[str], sd_alg: Callable[[str], str]) -> tuple[dict[str, str], dict[str, Any]]:
+    """
+    :returns: in order
+        (i)  hash_to_disclosure, a map: digest -> raw disclosure (base64 encoded)
+        (ii) hash_to_dec_disclosure, a map: digest -> decoded disclosure
+    :rtype: tuple[dict[str, str], dict[str, Any]]
+    """
+    hash_to_disclosure: dict[str, str] = {}
+    hash_to_dec_disclosure: dict[str, Any] = {}
+    for disclosure in disclosures:
+        decoded_disclosure = json.loads(base64_urldecode(disclosure).decode("utf-8"))
+        digest = sd_alg(disclosure)
+        if digest in hash_to_dec_disclosure:
+            raise ValueError(f"duplicate disclosure for digest {digest}")
+        hash_to_dec_disclosure[digest] = decoded_disclosure
+        hash_to_disclosure[digest] = disclosure
+    return hash_to_disclosure, hash_to_dec_disclosure
+
+
+def _extract_claims_from_payload(payload: dict, disclosures: list[str], sd_alg: Callable[[str], str]) -> dict:
+    hash_to_disclosure, hash_to_dec_disclosure = _disclosures_to_hash_mappings(disclosures, sd_alg)
+    return _unpack_claims(payload, hash_to_dec_disclosure, sd_alg, [])
+
+
+def _is_element_leaf(element: Any) -> bool:
+    return (type(element) is dict and len(element) == 1 and SD_LIST_PREFIX in element
+            and type(element[SD_LIST_PREFIX]) is str)
+
+
+def _unpack_json_array(claims: list, decoded_disclosures_by_digest: dict[str, Any], sd_alg: Callable[[str], str], processed_digests: list[str]) -> list:
+    result = []
+    for element in claims:
+        if _is_element_leaf(element):
+            digest: str = element[SD_LIST_PREFIX]
+            if digest in decoded_disclosures_by_digest:
+                _, value = decoded_disclosures_by_digest[digest]
+                result.append(_unpack_claims(value, decoded_disclosures_by_digest, sd_alg, processed_digests))
+        else:
+            result.append(_unpack_claims(element, decoded_disclosures_by_digest, sd_alg, processed_digests))
+    return result
+
+
+def _unpack_json_dict(claims: dict, decoded_disclosures_by_digest: dict[str, Any], sd_alg: Callable[[str], str], proceessed_digests: list[str]) -> dict:
+    # First, try to figure out if there are any claims to be
+    # disclosed in this dict. If so, replace them by their
+    # disclosed values.
+    filtered_unpacked_claims = {}
+    for k, v in claims.items():
+        if k != SD_DIGESTS_KEY and k != DIGEST_ALG_KEY:
+            filtered_unpacked_claims[k] = _unpack_claims(v, decoded_disclosures_by_digest, sd_alg, proceessed_digests)
+
+    for disclosed_digests in claims.get(SD_DIGESTS_KEY, []):
+        if disclosed_digests in proceessed_digests:
+            raise ValueError(f"duplicate hash found in SD-JWT: {disclosed_digests}")
+        proceessed_digests.append(disclosed_digests)
+
+        if disclosed_digests in decoded_disclosures_by_digest:
+            _, key, value = decoded_disclosures_by_digest[disclosed_digests]
+            if key in filtered_unpacked_claims:
+                raise ValueError(
+                        f"duplicate key found when unpacking disclosed claim: '{key}' in {filtered_unpacked_claims}; this is not allowed."
+                    )
+            unpacked_value = _unpack_claims(value, decoded_disclosures_by_digest, sd_alg, proceessed_digests)
+            filtered_unpacked_claims[key] = unpacked_value
+    return filtered_unpacked_claims
+
+
+def _unpack_claims(claims: _JsonTypes_T, decoded_disclosures_by_digest: dict[str, Any],
+                   sd_alg: Callable[[str], str], proceessed_digests: list[str]) -> _JsonTypes_T:
+    if type(claims) is list:
+        return _unpack_json_array(claims, decoded_disclosures_by_digest, sd_alg, proceessed_digests)
+    elif type(claims) is dict:
+        return _unpack_json_dict(claims, decoded_disclosures_by_digest, sd_alg, proceessed_digests)
+    else:
+        return claims
diff --git a/pyeudiw/storage/base_storage.py b/pyeudiw/storage/base_storage.py
index 51ce5b81..067a9e55 100644
--- a/pyeudiw/storage/base_storage.py
+++ b/pyeudiw/storage/base_storage.py
@@ -7,13 +7,15 @@
 
 
 class TrustType(Enum):
-    X509 = 0
-    FEDERATION = 1
+    X509 = "x509"
+    FEDERATION = "federation"
+    DIRECT_TRUST_SD_JWT_VC = "direct_trust_sd_jwt_vc"
 
 
 trust_type_map: dict = {
     TrustType.X509: "x509",
-    TrustType.FEDERATION: "federation"
+    TrustType.FEDERATION: "federation",
+    TrustType.DIRECT_TRUST_SD_JWT_VC: "direct_trust_sd_jwt_vc"
 }
 
 trust_attestation_field_map: dict = {
@@ -170,7 +172,7 @@ def has_trust_anchor(self, entity_id: str) -> bool:
         """
         raise NotImplementedError()
 
-    def add_trust_attestation(self, entity_id: str, attestation: list[str], exp: datetime, trust_type: TrustType) -> str:
+    def add_trust_attestation(self, entity_id: str, attestation: list[str], exp: datetime, trust_type: TrustType, jwks: dict) -> str:
         """
         Add a trust attestation.
 
@@ -182,6 +184,8 @@ def add_trust_attestation(self, entity_id: str, attestation: list[str], exp: dat
         :type exp: datetime
         :param trust_type: the trust type.
         :type trust_type: TrustType
+        :param jwks: cached jwks
+        :type jwks: dict
 
         :returns: the document id.
         :rtype: str
@@ -220,7 +224,7 @@ def add_trust_anchor(self, entity_id: str, entity_configuration: str, exp: datet
         """
         raise NotImplementedError()
 
-    def update_trust_attestation(self, entity_id: str, attestation: list[str], exp: datetime, trust_type: TrustType) -> str:
+    def update_trust_attestation(self, entity_id: str, attestation: list[str], exp: datetime, trust_type: TrustType, jwks: dict) -> str:
         """
         Update a trust attestation.
 
@@ -232,6 +236,8 @@ def update_trust_attestation(self, entity_id: str, attestation: list[str], exp:
         :type exp: datetime
         :param trust_type: the trust type.
         :type trust_type: TrustType
+        :param jwks: cached jwks
+        :type jwks: dict
 
         :returns: the document id.
         :rtype: str
diff --git a/pyeudiw/storage/db_engine.py b/pyeudiw/storage/db_engine.py
index e1de39b1..83b7fddb 100644
--- a/pyeudiw/storage/db_engine.py
+++ b/pyeudiw/storage/db_engine.py
@@ -156,8 +156,8 @@ def has_trust_attestation(self, entity_id: str) -> bool:
     def has_trust_anchor(self, entity_id: str) -> bool:
         return self.get_trust_anchor(entity_id) is not None
 
-    def add_trust_attestation(self, entity_id: str, attestation: list[str], exp: datetime, trust_type: TrustType = TrustType.FEDERATION) -> str:
-        return self.write("add_trust_attestation", entity_id, attestation, exp, trust_type)
+    def add_trust_attestation(self, entity_id: str, attestation: list[str] = [], exp: datetime = None, trust_type: TrustType = TrustType.FEDERATION, jwks: dict = None) -> str:
+        return self.write("add_trust_attestation", entity_id, attestation, exp, trust_type, jwks)
 
     def add_trust_attestation_metadata(self, entity_id: str, metadat_type: str, metadata: dict) -> str:
         return self.write("add_trust_attestation_metadata", entity_id, metadat_type, metadata)
@@ -165,15 +165,15 @@ def add_trust_attestation_metadata(self, entity_id: str, metadat_type: str, meta
     def add_trust_anchor(self, entity_id: str, entity_configuration: str, exp: datetime, trust_type: TrustType = TrustType.FEDERATION) -> str:
         return self.write("add_trust_anchor", entity_id, entity_configuration, exp, trust_type)
 
-    def update_trust_attestation(self, entity_id: str, attestation: list[str], exp: datetime, trust_type: TrustType = TrustType.FEDERATION) -> str:
-        return self.write("update_trust_attestation", entity_id, attestation, exp, trust_type)
+    def update_trust_attestation(self, entity_id: str, attestation: list[str] = [], exp: datetime = None, trust_type: TrustType = TrustType.FEDERATION, jwks: dict = None) -> str:
+        return self.write("update_trust_attestation", entity_id, attestation, exp, trust_type, jwks)
 
-    def add_or_update_trust_attestation(self, entity_id: str, attestation: list[str], exp: datetime, trust_type: TrustType = TrustType.FEDERATION) -> str:
+    def add_or_update_trust_attestation(self, entity_id: str, attestation: list[str] = [], exp: datetime = None, trust_type: TrustType = TrustType.FEDERATION, jwks: dict = None) -> str:
         try:
             self.get_trust_attestation(entity_id)
-            return self.write("update_trust_attestation", entity_id, attestation, exp, trust_type)
+            return self.write("update_trust_attestation", entity_id, attestation, exp, trust_type, jwks)
         except (EntryNotFound, ChainNotExist):
-            return self.write("add_trust_attestation", entity_id, attestation, exp, trust_type)
+            return self.write("add_trust_attestation", entity_id, attestation, exp, trust_type, jwks)
 
     def update_trust_anchor(self, entity_id: str, entity_configuration: dict, exp: datetime, trust_type: TrustType = TrustType.FEDERATION) -> str:
         return self.write("update_trust_anchor", entity_id, entity_configuration, exp, trust_type)
diff --git a/pyeudiw/storage/mongo_storage.py b/pyeudiw/storage/mongo_storage.py
index 443be04b..86adb35c 100644
--- a/pyeudiw/storage/mongo_storage.py
+++ b/pyeudiw/storage/mongo_storage.py
@@ -12,6 +12,7 @@
     trust_anchor_field_map
 )
 from pyeudiw.storage.exceptions import (
+    ChainAlreadyExist,
     ChainNotExist,
     StorageEntryUpdateFailed
 )
@@ -238,25 +239,28 @@ def _add_entry(
 
         meth_suffix = collection[:-1]
         if getattr(self, f"has_{meth_suffix}")(entity_id):
-            # update it
-            getattr(self, f"update_{meth_suffix}")(entity_id, attestation, exp)
-            return entity_id
-            # raise ChainAlreadyExist(
-            # f"Chain with entity id {entity_id} already exist"
-            # )
+            # TODO: bug detected. Commentato l'update e lasciato il raise dell'eccezione
+            # l'attestation passata come parametro non è quello che si aspetta il metodo di update
+            # bensì è l'intero oggetto trust_attestation
+
+            # # update it
+            # getattr(self, f"update_{meth_suffix}")(entity_id, attestation, exp)
+            # return entity_id
+            raise ChainAlreadyExist(f"Chain with entity id {entity_id} already exists")
 
         db_collection = getattr(self, collection)
         db_collection.insert_one(attestation)
         return entity_id
 
-    def _update_attestation_metadata(self, entity: dict, attestation: list[str], exp: datetime, trust_type: TrustType):
+    def _update_attestation_metadata(self, entity: dict, attestation: list[str], exp: datetime, trust_type: TrustType, jwks: dict):
         trust_name = trust_type_map[trust_type]
-        trust_field = trust_attestation_field_map[trust_type]
+        trust_field = trust_attestation_field_map.get(trust_type, None)
 
         trust_entity = entity.get(trust_name, {})
 
-        trust_entity[trust_field] = attestation
-        trust_entity["exp"] = exp
+        if trust_field and attestation: trust_entity[trust_field] = attestation
+        if exp: trust_entity["exp"] = exp
+        if jwks: trust_entity["jwks"] = jwks
 
         entity[trust_name] = trust_entity
 
@@ -264,27 +268,28 @@ def _update_attestation_metadata(self, entity: dict, attestation: list[str], exp
 
     def _update_anchor_metadata(self, entity: dict, attestation: list[str], exp: datetime, trust_type: TrustType):
         trust_name = trust_type_map[trust_type]
-        trust_field = trust_anchor_field_map[trust_type]
+        trust_field = trust_anchor_field_map.get(trust_type, None)
 
         trust_entity = entity.get(trust_name, {})
 
-        trust_entity[trust_field] = attestation
+        if trust_field and attestation: trust_entity[trust_field] = attestation
         trust_entity["exp"] = exp
 
         entity[trust_name] = trust_entity
 
         return entity
 
-    def add_trust_attestation(self, entity_id: str, attestation: list[str], exp: datetime, trust_type: TrustType) -> str:
+    def add_trust_attestation(self, entity_id: str, attestation: list[str], exp: datetime, trust_type: TrustType, jwks: dict) -> str:
         entity = {
             "entity_id": entity_id,
             "federation": {},
             "x509": {},
+            "direct_trust_sd_jwt_vc": {},
             "metadata": {}
         }
 
         updated_entity = self._update_attestation_metadata(
-            entity, attestation, exp, trust_type)
+            entity, attestation, exp, trust_type, jwks)
 
         return self._add_entry(
             "trust_attestations", entity_id, updated_entity, exp
@@ -326,11 +331,11 @@ def _update_trust_attestation(self, collection: str, entity_id: str, entity: dic
         )
         return documentStatus
 
-    def update_trust_attestation(self, entity_id: str, attestation: list[str], exp: datetime, trust_type: TrustType) -> str:
+    def update_trust_attestation(self, entity_id: str, attestation: list[str], exp: datetime, trust_type: TrustType, jwks: dict) -> str:
         old_entity = self._get_trust_attestation(
             "trust_attestations", entity_id) or {}
         upd_entity = self._update_attestation_metadata(
-            old_entity, attestation, exp, trust_type)
+            old_entity, attestation, exp, trust_type, jwks)
 
         return self._update_trust_attestation("trust_attestations", entity_id, upd_entity)
 
diff --git a/pyeudiw/tests/openid4vp/utility.py b/pyeudiw/tests/openid4vp/utility.py
new file mode 100644
index 00000000..9e78275d
--- /dev/null
+++ b/pyeudiw/tests/openid4vp/utility.py
@@ -0,0 +1,41 @@
+from pyeudiw.jwk import JWK
+from pyeudiw.openid4vp.interface import VpTokenParser, VpTokenVerifier
+
+
+class VpParserVoid(VpTokenParser):
+    """Default implementation of VpTokenParser. This should be used only
+    for mocking and testing purposes only.
+    """
+    def get_credentials(self) -> dict:
+        return {}
+
+    def get_issuer_name(self) -> str:
+        return ""
+
+    def get_signing_key(self) -> dict | str:
+        """
+        :returns: a public key or an identifier of a public key as seen in header
+        """
+        return ""
+
+
+class VpVerifierVoid(VpTokenVerifier):
+    """Default implementation of VpTokenVerifier. This should be used only
+    for mocking and testing purposes only.
+    """
+    def is_expired(self) -> bool:
+        return False
+
+    def is_revoked(self) -> bool:
+        return False
+
+    def verify_signature(self, public_key: JWK) -> None:
+        return
+
+
+class VpParserVerifierVoid(VpParserVoid, VpVerifierVoid):
+    """Default implementation of VpTokenParser and VpTokenVerifier. This should be
+    used only for mocking and testing purposes only.
+    The function always returnm "zero value" for all its methods.
+    """
+    pass
diff --git a/pyeudiw/tests/satosa/test_backend.py b/pyeudiw/tests/satosa/test_backend.py
index 87704518..6562c710 100644
--- a/pyeudiw/tests/satosa/test_backend.py
+++ b/pyeudiw/tests/satosa/test_backend.py
@@ -24,8 +24,8 @@
     load_specification_from_yaml_string,
     import_ec
 )
+from pyeudiw.storage.base_storage import TrustType
 from pyeudiw.storage.db_engine import DBEngine
-from pyeudiw.tools.utils import exp_from_now, iat_now
 from pyeudiw.tests.federation.base import (
     trust_chain_wallet,
     trust_chain_issuer,
@@ -39,8 +39,9 @@
 from pyeudiw.tests.settings import (
     BASE_URL,
     CONFIG,
+    CREDENTIAL_ISSUER_ENTITY_ID,
     INTERNAL_ATTRIBUTES,
-    ISSUER_CONF,
+    CREDENTIAL_ISSUER_CONF,
     PRIVATE_JWK,
     WALLET_INSTANCE_ATTESTATION
 )
@@ -58,6 +59,12 @@ def create_backend(self):
             exp=EXP,
         )
 
+        issuer_jwk = leaf_cred_jwk_prot.serialize(private=True)
+        db_engine_inst.add_or_update_trust_attestation(
+            entity_id=CREDENTIAL_ISSUER_ENTITY_ID,
+            trust_type=TrustType.DIRECT_TRUST_SD_JWT_VC,
+            jwks=issuer_jwk)
+
         self.backend = OpenID4VPBackend(
             Mock(), INTERNAL_ATTRIBUTES, CONFIG, BASE_URL, "name")
 
@@ -169,8 +176,8 @@ def test_vp_validation_in_response_endpoint(self, context):
         issuer_jwk = JWK(leaf_cred_jwk_prot.serialize(private=True))
         holder_jwk = JWK(leaf_wallet_jwk.serialize(private=True))
 
-        settings = ISSUER_CONF
-        settings['issuer'] = "https://issuer.example.com"
+        settings = CREDENTIAL_ISSUER_CONF
+        settings['issuer'] = CREDENTIAL_ISSUER_ENTITY_ID
         settings['default_exp'] = CONFIG['jwt']['default_exp']
 
         sd_specification = load_specification_from_yaml_string(
@@ -181,7 +188,8 @@ def test_vp_validation_in_response_endpoint(self, context):
             settings,
             issuer_jwk,
             holder_jwk,
-            trust_chain=trust_chain_issuer
+            trust_chain=trust_chain_issuer,
+            additional_headers={"typ": "vc+sd-jwt"}
         )
 
         _adapt_keys(issuer_jwk, holder_jwk)
@@ -195,34 +203,19 @@ def test_vp_validation_in_response_endpoint(self, context):
         sdjwt_at_holder.create_presentation(
             {},
             nonce,
-            str(uuid.uuid4()),
+            self.backend.client_id,
             import_ec(holder_jwk.key.priv_key, kid=holder_jwk.kid) if sd_specification.get(
                 "key_binding", False) else None,
             sign_alg=DEFAULT_SIG_KTY_MAP[holder_jwk.key.kty],
         )
 
-        data = {
-            "iss": "https://wallet-provider.example.org/instance/vbeXJksM45xphtANnCiG6mCyuU4jfGNzopGuKvogg9c",
-            "jti": str(uuid.uuid4()),
-            "aud": "https://verifier.example.org/callback",
-            "iat": iat_now(),
-            "exp": exp_from_now(minutes=15),
-            "nonce": nonce,
-            "vp": sdjwt_at_holder.sd_jwt_presentation,
-        }
-
-        vp_token = JWSHelper(leaf_wallet_jwk.serialize(private=True)).sign(
-            data,
-            protected={"typ": "JWT"}
-        )
-
+        vp_token = sdjwt_at_holder.sd_jwt_presentation
         context.request_method = "POST"
         context.request_uri = CONFIG["metadata"]["response_uris_supported"][0].removeprefix(
             CONFIG["base_url"])
 
         state = str(uuid.uuid4())
         response = {
-            "nonce": nonce,
             "state": state,
             "vp_token": vp_token,
             "presentation_submission": {
@@ -255,48 +248,7 @@ def test_vp_validation_in_response_endpoint(self, context):
         context.request = {
             "response": encrypted_response
         }
-        request_endpoint = self.backend.response_endpoint(context)
-        assert request_endpoint.status == "400"
-        msg = json.loads(request_endpoint.message)
-        assert msg["error"] == "invalid_request"
-        assert msg["error_description"]
-
-        # Recreate data without nonce
-        # This will trigger a `NoNonceInVPToken` error
-        data = {
-            "iss": "https://wallet-provider.example.org/instance/vbeXJksM45xphtANnCiG6mCyuU4jfGNzopGuKvogg9c",
-            "jti": str(uuid.uuid4()),
-            "aud": "https://verifier.example.org/callback",
-            "iat": iat_now(),
-            "exp": exp_from_now(minutes=15),
-            "vp": sdjwt_at_holder.sd_jwt_presentation,
-        }
-
-        vp_token = JWSHelper(leaf_wallet_jwk.serialize(private=True)).sign(
-            data,
-            protected={"typ": "JWT"}
-        )
-        response = {
-            "nonce": nonce,
-            "state": state,
-            "vp_token": vp_token,
-            "presentation_submission": {
-                "definition_id": "32f54163-7166-48f1-93d8-ff217bdb0653",
-                "id": "04a98be3-7fb0-4cf5-af9a-31579c8b0e7d",
-                "descriptor_map": [
-                    {
-                        "id": "pid-sd-jwt:unique_id+given_name+family_name",
-                        "path": "$.vp_token.verified_claims.claims._sd[0]",
-                        "format": "vc+sd-jwt"
-                    }
-                ]
-            }
-        }
-        encrypted_response = JWEHelper(
-            JWK(CONFIG["metadata_jwks"][1])).encrypt(response)
-        context.request = {
-            "response": encrypted_response
-        }
+        context.http_headers = {"HTTP_CONTENT_TYPE": "application/x-www-form-urlencoded"}
         request_endpoint = self.backend.response_endpoint(context)
         assert request_endpoint.status == "400"
         msg = json.loads(request_endpoint.message)
@@ -314,16 +266,16 @@ def test_vp_validation_in_response_endpoint(self, context):
         assert request_endpoint.status == "400"
         msg = json.loads(request_endpoint.message)
         assert msg["error"] == "invalid_request"
-        assert msg["error_description"] == "DirectPostResponse content parse and validation error. Single VPs are faulty."
+        assert msg["error_description"]
 
-    def test_redirect_endpoint(self, context):
+    def test_response_endpoint(self, context):
         self.backend.register_endpoints()
 
         issuer_jwk = JWK(leaf_cred_jwk_prot.serialize(private=True))
         holder_jwk = JWK(leaf_wallet_jwk.serialize(private=True))
 
-        settings = ISSUER_CONF
-        settings['issuer'] = "https://issuer.example.com"
+        settings = CREDENTIAL_ISSUER_CONF
+        settings['issuer'] = CREDENTIAL_ISSUER_ENTITY_ID
         settings['default_exp'] = CONFIG['jwt']['default_exp']
 
         sd_specification = load_specification_from_yaml_string(
@@ -334,7 +286,8 @@ def test_redirect_endpoint(self, context):
             settings,
             issuer_jwk,
             holder_jwk,
-            trust_chain=trust_chain_issuer
+            trust_chain=trust_chain_issuer,
+            additional_headers={"typ": "vc+sd-jwt"}
         )
 
         _adapt_keys(issuer_jwk, holder_jwk)
@@ -345,38 +298,43 @@ def test_redirect_endpoint(self, context):
         )
 
         nonce = str(uuid.uuid4())
+        state = str(uuid.uuid4())
+        aud = self.backend.client_id
+
+        session_id = context.state["SESSION_ID"]
+        self.backend.db_engine.init_session(
+            state=state,
+            session_id=session_id
+        )
+        doc_id = self.backend.db_engine.get_by_state(state)["document_id"]
+
+        self.backend.db_engine.update_request_object(
+            document_id=doc_id,
+            request_object={"nonce": nonce, "state": state})
+
+        bad_nonce = str(uuid.uuid4())
+        bad_state = str(uuid.uuid4())
+        bad_aud = str(uuid.uuid4())
+
+        # case (1): bad nonce
         sdjwt_at_holder.create_presentation(
             {},
-            nonce,
-            str(uuid.uuid4()),
+            bad_nonce,
+            aud,
             import_ec(holder_jwk.key.priv_key, kid=holder_jwk.kid) if sd_specification.get(
                 "key_binding", False) else None,
             sign_alg=DEFAULT_SIG_KTY_MAP[holder_jwk.key.kty],
         )
 
-        data = {
-            "iss": "https://wallet-provider.example.org/instance/vbeXJksM45xphtANnCiG6mCyuU4jfGNzopGuKvogg9c",
-            "jti": str(uuid.uuid4()),
-            "aud": "https://verifier.example.org/callback",
-            "iat": iat_now(),
-            "exp": exp_from_now(minutes=15),
-            "nonce": nonce,
-            "vp": sdjwt_at_holder.sd_jwt_presentation,
-        }
-
-        vp_token = JWSHelper(leaf_wallet_jwk.serialize(private=True)).sign(
-            data,
-            protected={"typ": "JWT"}
-        )
+        vp_token_bad_nonce = sdjwt_at_holder.sd_jwt_presentation
 
         context.request_method = "POST"
         context.request_uri = CONFIG["metadata"]["response_uris_supported"][0].removeprefix(
             CONFIG["base_url"])
 
-        state = str(uuid.uuid4())
-        response = {
+        response_with_bad_nonce = {
             "state": state,
-            "vp_token": vp_token,
+            "vp_token": vp_token_bad_nonce,
             "presentation_submission": {
                 "definition_id": "32f54163-7166-48f1-93d8-ff217bdb0653",
                 "id": "04a98be3-7fb0-4cf5-af9a-31579c8b0e7d",
@@ -390,52 +348,136 @@ def test_redirect_endpoint(self, context):
             }
         }
         encrypted_response = JWEHelper(
-            JWK(CONFIG["metadata_jwks"][1])).encrypt(response)
+            JWK(CONFIG["metadata_jwks"][1])).encrypt(response_with_bad_nonce)
         context.request = {
             "response": encrypted_response
         }
+        context.http_headers = {"HTTP_CONTENT_TYPE": "application/x-www-form-urlencoded"}
 
-        # no nonce
         request_endpoint = self.backend.response_endpoint(context)
         msg = json.loads(request_endpoint.message)
+        assert request_endpoint.status != "200"
         assert msg["error"] == "invalid_request"
-        assert "nonce" in msg["error_description"]
-        assert "missing" in msg["error_description"]
 
-        # wrong nonce
-        response["nonce"] = str(uuid.uuid4())
+        # case (2): bad state
+        sdjwt_at_holder.create_presentation(
+            {},
+            nonce,
+            aud,
+            import_ec(holder_jwk.key.priv_key, kid=holder_jwk.kid) if sd_specification.get(
+                "key_binding", False) else None,
+            sign_alg=DEFAULT_SIG_KTY_MAP[holder_jwk.key.kty],
+        )
+
+        vp_token = sdjwt_at_holder.sd_jwt_presentation
+
+        response_with_bad_state = {
+            "state": bad_state,
+            "vp_token": vp_token,
+            "presentation_submission": {
+                "definition_id": "32f54163-7166-48f1-93d8-ff217bdb0653",
+                "id": "04a98be3-7fb0-4cf5-af9a-31579c8b0e7d",
+                "descriptor_map": [
+                    {
+                        "id": "pid-sd-jwt:unique_id+given_name+family_name",
+                        "path": "$.vp_token.verified_claims.claims._sd[0]",
+                        "format": "vc+sd-jwt"
+                    }
+                ]
+            }
+        }
+
         encrypted_response = JWEHelper(
-            JWK(CONFIG["metadata_jwks"][1])).encrypt(response)
+            JWK(CONFIG["metadata_jwks"][1])).encrypt(response_with_bad_state)
         context.request = {
             "response": encrypted_response
         }
+        context.http_headers = {"HTTP_CONTENT_TYPE": "application/x-www-form-urlencoded"}
+
         request_endpoint = self.backend.response_endpoint(context)
         msg = json.loads(request_endpoint.message)
+        assert request_endpoint.status != "200"
         assert msg["error"] == "invalid_request"
-        assert msg["error_description"] == "Session lookup by state value failed"
 
-        # correct nonce but not the state
-        response["nonce"] = nonce
+        # case (3): bad aud
+        sdjwt_at_holder.create_presentation(
+            {},
+            nonce,
+            bad_aud,
+            import_ec(holder_jwk.key.priv_key, kid=holder_jwk.kid) if sd_specification.get(
+                "key_binding", False) else None,
+            sign_alg=DEFAULT_SIG_KTY_MAP[holder_jwk.key.kty],
+        )
+
+        vp_token_bad_aud = sdjwt_at_holder.sd_jwt_presentation
+
+        response_with_bad_aud = {
+            "state": state,
+            "vp_token": vp_token_bad_aud,
+            "presentation_submission": {
+                "definition_id": "32f54163-7166-48f1-93d8-ff217bdb0653",
+                "id": "04a98be3-7fb0-4cf5-af9a-31579c8b0e7d",
+                "descriptor_map": [
+                    {
+                        "id": "pid-sd-jwt:unique_id+given_name+family_name",
+                        "path": "$.vp_token.verified_claims.claims._sd[0]",
+                        "format": "vc+sd-jwt"
+                    }
+                ]
+            }
+        }
         encrypted_response = JWEHelper(
-            JWK(CONFIG["metadata_jwks"][1])).encrypt(response)
+            JWK(CONFIG["metadata_jwks"][1])).encrypt(response_with_bad_aud)
         context.request = {
             "response": encrypted_response
         }
+        context.http_headers = {"HTTP_CONTENT_TYPE": "application/x-www-form-urlencoded"}
+
         request_endpoint = self.backend.response_endpoint(context)
         msg = json.loads(request_endpoint.message)
+        assert request_endpoint.status != "200"
         assert msg["error"] == "invalid_request"
-        assert msg["error_description"] == "Session lookup by state value failed"
 
-        session_id = context.state["SESSION_ID"]
-        self.backend.db_engine.init_session(
-            state=state,
-            session_id=session_id
+        # case (4): good aud, nonce and state
+        sdjwt_at_holder.create_presentation(
+            {},
+            nonce,
+            aud,
+            import_ec(holder_jwk.key.priv_key, kid=holder_jwk.kid) if sd_specification.get(
+                "key_binding", False) else None,
+            sign_alg=DEFAULT_SIG_KTY_MAP[holder_jwk.key.kty],
         )
-        doc_id = self.backend.db_engine.get_by_state(state)["document_id"]
 
-        self.backend.db_engine.update_request_object(
-            document_id=doc_id,
-            request_object={"nonce": nonce, "state": state})
+        vp_token = sdjwt_at_holder.sd_jwt_presentation
+
+        response = {
+            "state": state,
+            "vp_token": vp_token,
+            "presentation_submission": {
+                "definition_id": "32f54163-7166-48f1-93d8-ff217bdb0653",
+                "id": "04a98be3-7fb0-4cf5-af9a-31579c8b0e7d",
+                "descriptor_map": [
+                    {
+                        "id": "pid-sd-jwt:unique_id+given_name+family_name",
+                        "path": "$.vp_token.verified_claims.claims._sd[0]",
+                        "format": "vc+sd-jwt"
+                    }
+                ]
+            }
+        }
+
+        encrypted_response = JWEHelper(
+            JWK(CONFIG["metadata_jwks"][1])).encrypt(response)
+        context.request = {
+            "response": encrypted_response
+        }
+        context.http_headers = {"HTTP_CONTENT_TYPE": "application/x-www-form-urlencoded"}
+
+        encrypted_response = JWEHelper(
+            JWK(CONFIG["metadata_jwks"][1])).encrypt(response)
+        context.request = {
+            "response": encrypted_response
+        }
         request_endpoint = self.backend.response_endpoint(context)
         assert request_endpoint.status == "200"
 
diff --git a/pyeudiw/tests/satosa/test_backend_trust.py b/pyeudiw/tests/satosa/test_backend_trust.py
new file mode 100644
index 00000000..175d1a1a
--- /dev/null
+++ b/pyeudiw/tests/satosa/test_backend_trust.py
@@ -0,0 +1,28 @@
+import pytest
+
+from unittest.mock import Mock, patch
+
+from pyeudiw.satosa.backend import OpenID4VPBackend
+
+from pyeudiw.tests.settings import (
+    BASE_URL,
+    CONFIG,
+    INTERNAL_ATTRIBUTES,
+)
+
+
+class TestOpenID4VPBackend:
+
+    @pytest.fixture(autouse=True)
+    def setup_direct_trust(self):
+        self.backend = OpenID4VPBackend(
+            Mock(),
+            INTERNAL_ATTRIBUTES,
+            CONFIG,
+            BASE_URL,
+            "name"
+        )
+
+    def test_response_endpoint(self):
+        # TODO
+        pass
diff --git a/pyeudiw/tests/sd_jwt/test_sdjwt.py b/pyeudiw/tests/sd_jwt/test_sdjwt.py
new file mode 100644
index 00000000..fecc4d90
--- /dev/null
+++ b/pyeudiw/tests/sd_jwt/test_sdjwt.py
@@ -0,0 +1,222 @@
+import builtins
+from dataclasses import dataclass
+
+from pyeudiw.jwk import JWK
+from pyeudiw.sd_jwt.schema import VerifierChallenge
+from pyeudiw.sd_jwt.sd_jwt import SdJwt
+
+# DEVELOPER NOTE: test data is collected from https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-12.html
+# Test data might eventually be outdated if the reference specs changes or is updated.
+# For the latest version, see https://github.com/oauth-wg/oauth-selective-disclosure-jwt
+
+ISSUER_JWK = {
+    "kty": "EC",
+    "d": "Ur2bNKuBPOrAaxsRnbSH6hIhmNTxSGXshDSUD1a1y7g",
+    "crv": "P-256",
+    "x": "b28d4MwZMjw8-00CG4xfnn9SLMVMM19SlqZpVb_uNtQ",
+    "y": "Xv5zWwuoaTgdS6hV43yI6gBwTnjukmFQQnJ_kCxzqk8"
+}
+
+PRESENTATION_WITHOUT_KB = \
+    "eyJhbGciOiAiRVMyNTYiLCAidHlwIjogImV4YW1wbGUrc2Qtand0In0.eyJfc2QiOiBb" \
+    "IkNyUWU3UzVrcUJBSHQtbk1ZWGdjNmJkdDJTSDVhVFkxc1VfTS1QZ2tqUEkiLCAiSnpZ" \
+    "akg0c3ZsaUgwUjNQeUVNZmVadTZKdDY5dTVxZWhabzdGN0VQWWxTRSIsICJQb3JGYnBL" \
+    "dVZ1Nnh5bUphZ3ZrRnNGWEFiUm9jMkpHbEFVQTJCQTRvN2NJIiwgIlRHZjRvTGJnd2Q1" \
+    "SlFhSHlLVlFaVTlVZEdFMHc1cnREc3JaemZVYW9tTG8iLCAiWFFfM2tQS3QxWHlYN0tB" \
+    "TmtxVlI2eVoyVmE1TnJQSXZQWWJ5TXZSS0JNTSIsICJYekZyendzY002R242Q0pEYzZ2" \
+    "Vks4QmtNbmZHOHZPU0tmcFBJWmRBZmRFIiwgImdiT3NJNEVkcTJ4Mkt3LXc1d1BFemFr" \
+    "b2I5aFYxY1JEMEFUTjNvUUw5Sk0iLCAianN1OXlWdWx3UVFsaEZsTV8zSmx6TWFTRnpn" \
+    "bGhRRzBEcGZheVF3TFVLNCJdLCAiaXNzIjogImh0dHBzOi8vaXNzdWVyLmV4YW1wbGUu" \
+    "Y29tIiwgImlhdCI6IDE2ODMwMDAwMDAsICJleHAiOiAxODgzMDAwMDAwLCAic3ViIjog" \
+    "InVzZXJfNDIiLCAibmF0aW9uYWxpdGllcyI6IFt7Ii4uLiI6ICJwRm5kamtaX1ZDem15" \
+    "VGE2VWpsWm8zZGgta284YUlLUWM5RGxHemhhVllvIn0sIHsiLi4uIjogIjdDZjZKa1B1" \
+    "ZHJ5M2xjYndIZ2VaOGtoQXYxVTFPU2xlclAwVmtCSnJXWjAifV0sICJfc2RfYWxnIjog" \
+    "InNoYS0yNTYiLCAiY25mIjogeyJqd2siOiB7Imt0eSI6ICJFQyIsICJjcnYiOiAiUC0y" \
+    "NTYiLCAieCI6ICJUQ0FFUjE5WnZ1M09IRjRqNFc0dmZTVm9ISVAxSUxpbERsczd2Q2VH" \
+    "ZW1jIiwgInkiOiAiWnhqaVdXYlpNUUdIVldLVlE0aGJTSWlyc1ZmdWVjQ0U2dDRqVDlG" \
+    "MkhaUSJ9fX0.ZfSxIFLHf7f84WIMqt7Fzme8-586WutjFnXH4TO5XuWG_peQ4hPsqDpi" \
+    "MBClkh2aUJdl83bwyyOriqvdFra-bg~WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STjl3IiwgI" \
+    "mdpdmVuX25hbWUiLCAiSm9obiJd~WyJlbHVWNU9nM2dTTklJOEVZbnN4QV9BIiwgImZh" \
+    "bWlseV9uYW1lIiwgIkRvZSJd~WyI2SWo3dE0tYTVpVlBHYm9TNXRtdlZBIiwgImVtYWl" \
+    "sIiwgImpvaG5kb2VAZXhhbXBsZS5jb20iXQ~WyJlSThaV205UW5LUHBOUGVOZW5IZGhR" \
+    "IiwgInBob25lX251bWJlciIsICIrMS0yMDItNTU1LTAxMDEiXQ~WyJRZ19PNjR6cUF4Z" \
+    "TQxMmExMDhpcm9BIiwgInBob25lX251bWJlcl92ZXJpZmllZCIsIHRydWVd~WyJBSngt" \
+    "MDk1VlBycFR0TjRRTU9xUk9BIiwgImFkZHJlc3MiLCB7InN0cmVldF9hZGRyZXNzIjog" \
+    "IjEyMyBNYWluIFN0IiwgImxvY2FsaXR5IjogIkFueXRvd24iLCAicmVnaW9uIjogIkFu" \
+    "eXN0YXRlIiwgImNvdW50cnkiOiAiVVMifV0~WyJQYzMzSk0yTGNoY1VfbEhnZ3ZfdWZR" \
+    "IiwgImJpcnRoZGF0ZSIsICIxOTQwLTAxLTAxIl0~WyJHMDJOU3JRZmpGWFE3SW8wOXN5" \
+    "YWpBIiwgInVwZGF0ZWRfYXQiLCAxNTcwMDAwMDAwXQ~WyJsa2x4RjVqTVlsR1RQVW92T" \
+    "U5JdkNBIiwgIlVTIl0~WyJuUHVvUW5rUkZxM0JJZUFtN0FuWEZBIiwgIkRFIl0~"
+
+PRESENTATION_WITH_KB = \
+    "eyJhbGciOiAiRVMyNTYiLCAidHlwIjogImV4YW1wbGUrc2Qtand0In0.eyJfc2QiOiBb" \
+    "IkNyUWU3UzVrcUJBSHQtbk1ZWGdjNmJkdDJTSDVhVFkxc1VfTS1QZ2tqUEkiLCAiSnpZ" \
+    "akg0c3ZsaUgwUjNQeUVNZmVadTZKdDY5dTVxZWhabzdGN0VQWWxTRSIsICJQb3JGYnBL" \
+    "dVZ1Nnh5bUphZ3ZrRnNGWEFiUm9jMkpHbEFVQTJCQTRvN2NJIiwgIlRHZjRvTGJnd2Q1" \
+    "SlFhSHlLVlFaVTlVZEdFMHc1cnREc3JaemZVYW9tTG8iLCAiWFFfM2tQS3QxWHlYN0tB" \
+    "TmtxVlI2eVoyVmE1TnJQSXZQWWJ5TXZSS0JNTSIsICJYekZyendzY002R242Q0pEYzZ2" \
+    "Vks4QmtNbmZHOHZPU0tmcFBJWmRBZmRFIiwgImdiT3NJNEVkcTJ4Mkt3LXc1d1BFemFr" \
+    "b2I5aFYxY1JEMEFUTjNvUUw5Sk0iLCAianN1OXlWdWx3UVFsaEZsTV8zSmx6TWFTRnpn" \
+    "bGhRRzBEcGZheVF3TFVLNCJdLCAiaXNzIjogImh0dHBzOi8vaXNzdWVyLmV4YW1wbGUu" \
+    "Y29tIiwgImlhdCI6IDE2ODMwMDAwMDAsICJleHAiOiAxODgzMDAwMDAwLCAic3ViIjog" \
+    "InVzZXJfNDIiLCAibmF0aW9uYWxpdGllcyI6IFt7Ii4uLiI6ICJwRm5kamtaX1ZDem15" \
+    "VGE2VWpsWm8zZGgta284YUlLUWM5RGxHemhhVllvIn0sIHsiLi4uIjogIjdDZjZKa1B1" \
+    "ZHJ5M2xjYndIZ2VaOGtoQXYxVTFPU2xlclAwVmtCSnJXWjAifV0sICJfc2RfYWxnIjog" \
+    "InNoYS0yNTYiLCAiY25mIjogeyJqd2siOiB7Imt0eSI6ICJFQyIsICJjcnYiOiAiUC0y" \
+    "NTYiLCAieCI6ICJUQ0FFUjE5WnZ1M09IRjRqNFc0dmZTVm9ISVAxSUxpbERsczd2Q2VH" \
+    "ZW1jIiwgInkiOiAiWnhqaVdXYlpNUUdIVldLVlE0aGJTSWlyc1ZmdWVjQ0U2dDRqVDlG" \
+    "MkhaUSJ9fX0.ZfSxIFLHf7f84WIMqt7Fzme8-586WutjFnXH4TO5XuWG_peQ4hPsqDpi" \
+    "MBClkh2aUJdl83bwyyOriqvdFra-bg~WyJlbHVWNU9nM2dTTklJOEVZbnN4QV9BIiwgI" \
+    "mZhbWlseV9uYW1lIiwgIkRvZSJd~WyJBSngtMDk1VlBycFR0TjRRTU9xUk9BIiwgImFk" \
+    "ZHJlc3MiLCB7InN0cmVldF9hZGRyZXNzIjogIjEyMyBNYWluIFN0IiwgImxvY2FsaXR5" \
+    "IjogIkFueXRvd24iLCAicmVnaW9uIjogIkFueXN0YXRlIiwgImNvdW50cnkiOiAiVVMi" \
+    "fV0~WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STjl3IiwgImdpdmVuX25hbWUiLCAiSm9obiJd" \
+    "~WyJsa2x4RjVqTVlsR1RQVW92TU5JdkNBIiwgIlVTIl0~eyJhbGciOiAiRVMyNTYiLCA" \
+    "idHlwIjogImtiK2p3dCJ9.eyJub25jZSI6ICIxMjM0NTY3ODkwIiwgImF1ZCI6ICJodH" \
+    "RwczovL3ZlcmlmaWVyLmV4YW1wbGUub3JnIiwgImlhdCI6IDE3MjUzNzQ0MTMsICJzZF" \
+    "9oYXNoIjogIkF5T0p2TFlQVk1sS2REbGZacnpVeTFrX2ltQ0tfTFZKMzI2Yl94QmtFM0" \
+    "0ifQ.B2o5kubh-Dzcd-2v_mWxUMPNM5WSAJqMQTDsGQUXkZXzsN1U5Ou5mr-7iJsCGcx" \
+    "6_uU39u-2HKB0xLvYd9BMcQ"
+
+
+ISSUER_JWT = \
+    "eyJhbGciOiAiRVMyNTYiLCAidHlwIjogImV4YW1wbGUrc2Qtand0In0.eyJfc2QiOiBb" \
+    "IkNyUWU3UzVrcUJBSHQtbk1ZWGdjNmJkdDJTSDVhVFkxc1VfTS1QZ2tqUEkiLCAiSnpZ" \
+    "akg0c3ZsaUgwUjNQeUVNZmVadTZKdDY5dTVxZWhabzdGN0VQWWxTRSIsICJQb3JGYnBL" \
+    "dVZ1Nnh5bUphZ3ZrRnNGWEFiUm9jMkpHbEFVQTJCQTRvN2NJIiwgIlRHZjRvTGJnd2Q1" \
+    "SlFhSHlLVlFaVTlVZEdFMHc1cnREc3JaemZVYW9tTG8iLCAiWFFfM2tQS3QxWHlYN0tB" \
+    "TmtxVlI2eVoyVmE1TnJQSXZQWWJ5TXZSS0JNTSIsICJYekZyendzY002R242Q0pEYzZ2" \
+    "Vks4QmtNbmZHOHZPU0tmcFBJWmRBZmRFIiwgImdiT3NJNEVkcTJ4Mkt3LXc1d1BFemFr" \
+    "b2I5aFYxY1JEMEFUTjNvUUw5Sk0iLCAianN1OXlWdWx3UVFsaEZsTV8zSmx6TWFTRnpn" \
+    "bGhRRzBEcGZheVF3TFVLNCJdLCAiaXNzIjogImh0dHBzOi8vaXNzdWVyLmV4YW1wbGUu" \
+    "Y29tIiwgImlhdCI6IDE2ODMwMDAwMDAsICJleHAiOiAxODgzMDAwMDAwLCAic3ViIjog" \
+    "InVzZXJfNDIiLCAibmF0aW9uYWxpdGllcyI6IFt7Ii4uLiI6ICJwRm5kamtaX1ZDem15" \
+    "VGE2VWpsWm8zZGgta284YUlLUWM5RGxHemhhVllvIn0sIHsiLi4uIjogIjdDZjZKa1B1" \
+    "ZHJ5M2xjYndIZ2VaOGtoQXYxVTFPU2xlclAwVmtCSnJXWjAifV0sICJfc2RfYWxnIjog" \
+    "InNoYS0yNTYiLCAiY25mIjogeyJqd2siOiB7Imt0eSI6ICJFQyIsICJjcnYiOiAiUC0y" \
+    "NTYiLCAieCI6ICJUQ0FFUjE5WnZ1M09IRjRqNFc0dmZTVm9ISVAxSUxpbERsczd2Q2VH" \
+    "ZW1jIiwgInkiOiAiWnhqaVdXYlpNUUdIVldLVlE0aGJTSWlyc1ZmdWVjQ0U2dDRqVDlG" \
+    "MkhaUSJ9fX0.ZfSxIFLHf7f84WIMqt7Fzme8-586WutjFnXH4TO5XuWG_peQ4hPsqDpi" \
+    "MBClkh2aUJdl83bwyyOriqvdFra-bg"
+
+DISCLOSURES = [
+    "WyJlbHVWNU9nM2dTTklJOEVZbnN4QV9BIiwgImZhbWlseV9uYW1lIiwgIkRvZSJd",
+    "WyJBSngtMDk1VlBycFR0TjRRTU9xUk9BIiwgImFkZHJlc3MiLCB7InN0cmVldF9hZGRy" +
+    "ZXNzIjogIjEyMyBNYWluIFN0IiwgImxvY2FsaXR5IjogIkFueXRvd24iLCAicmVnaW9u" +
+    "IjogIkFueXN0YXRlIiwgImNvdW50cnkiOiAiVVMifV0",
+    "WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STjl3IiwgImdpdmVuX25hbWUiLCAiSm9obiJd",
+    "WyJsa2x4RjVqTVlsR1RQVW92TU5JdkNBIiwgIlVTIl0",
+]
+HOLDER_KB_JWT = \
+    "eyJhbGciOiAiRVMyNTYiLCAidHlwIjogImtiK2p3dCJ9.eyJub25jZSI6ICIxMjM0NTY" \
+    "3ODkwIiwgImF1ZCI6ICJodHRwczovL3ZlcmlmaWVyLmV4YW1wbGUub3JnIiwgImlhdCI" \
+    "6IDE3MjUzNzQ0MTMsICJzZF9oYXNoIjogIkF5T0p2TFlQVk1sS2REbGZacnpVeTFrX2l" \
+    "tQ0tfTFZKMzI2Yl94QmtFM00ifQ.B2o5kubh-Dzcd-2v_mWxUMPNM5WSAJqMQTDsGQUX" \
+    "kZXzsN1U5Ou5mr-7iJsCGcx6_uU39u-2HKB0xLvYd9BMcQ"
+
+AUD = "https://verifier.example.org"
+NONCE = "1234567890"
+
+DISCLOSED_CLAIMS = {
+    "given_name": "John",
+    "family_name": "Doe",
+    "address": {
+        "street_address": "123 Main St",
+        "locality": "Anytown",
+        "region": "Anystate",
+        "country": "US"
+    },
+    "nationalities": [
+        "US"
+    ]
+}
+
+
+def test_sdkwt_parts():
+    sdjwt = SdJwt(PRESENTATION_WITH_KB)
+    assert ISSUER_JWT == sdjwt.get_issuer_jwt()
+    assert DISCLOSURES == sdjwt.get_encoded_disclosures()
+    assert HOLDER_KB_JWT == sdjwt.get_holder_key_binding_jwt()
+
+
+def test_sdjwt_hash_hey_binding():
+    sdjwt = SdJwt(PRESENTATION_WITHOUT_KB)
+    assert not sdjwt.has_key_binding()
+
+    sdjwt = SdJwt(PRESENTATION_WITH_KB)
+    assert sdjwt.has_key_binding()
+
+
+def test_sd_jwt_verify_issuer_jwt():
+    sdjwt = SdJwt(PRESENTATION_WITH_KB)
+    sdjwt.verify_issuer_jwt_signature(JWK(ISSUER_JWK))
+
+
+def test_sd_jwt_verify_holder_kb_signature():
+    sdjwt = SdJwt(PRESENTATION_WITH_KB)
+    sdjwt.verify_holder_kb_jwt_signature()
+
+
+def test_sd_jwt_verify_holder_kb():
+    sdjwt = SdJwt(PRESENTATION_WITH_KB)
+
+    @dataclass
+    class TestCase:
+        challenge: VerifierChallenge
+        expected_result: bool
+        explanation: str
+
+    test_cases: list[TestCase] = [
+        TestCase(
+            challenge={"aud": "https://bad-aud.example", "nonce": "000000"},
+            expected_result=False,
+            explanation="bad challenge (both aud and nonce are wrong)"
+        ),
+        TestCase(
+            challenge={"aud": AUD, "nonce": "000000"},
+            expected_result=False,
+            explanation="bad challenge (nonce is wrong)"
+        ),
+        TestCase(
+            challenge={"aud": "https://bad-aud.example", "nonce": NONCE},
+            expected_result=False,
+            explanation="bad challenge (aud is wrong)"
+        ),
+        TestCase(
+            challenge={"aud": AUD, "nonce": NONCE},
+            expected_result=True,
+            explanation="valid challenge (challenge aud and nonce are correct)"
+        )
+    ]
+
+    for i, case in enumerate(test_cases):
+        try:
+            # bad challenge: should fail
+            sdjwt.verify_holder_kb_jwt(case.challenge)
+            if case.expected_result is False:
+                assert False, f"failed test {i} on holder key binding: test case: {case.explanation}: should have launched a verification exception"
+            else:
+                assert True
+        except Exception as e:
+            if case.expected_result is False:
+                assert True
+            else:
+                assert False, f"failed test {i}: test case: {case.explanation}; launched an unxpected verification exception: {e}"
+
+
+def test_sd_jwt_get_disclosed_claims():
+    sdjwt = SdJwt(PRESENTATION_WITH_KB)
+    obtained_claims = sdjwt.get_disclosed_claims()
+    for claim in DISCLOSED_CLAIMS:
+        assert claim in obtained_claims, f"failed to disclose claim {claim}"
+        exp_claim_value = DISCLOSED_CLAIMS[claim]
+        obt_claim_value = obtained_claims[claim]
+        # NOTE: this comparison algorithm for disclosures in general does not work;
+        #  the ideal would be a recursive approach is required, but it is ok for this test
+        match type(exp_claim_value):
+            case builtins.list:
+                assert all(v in obt_claim_value for v in exp_claim_value), f"failed proper disclosure of claim {claim}"
+            case builtins.dict:
+                assert exp_claim_value.items() <= obt_claim_value.items()
+            case _:
+                assert obt_claim_value == exp_claim_value, f"failed proper disclosure of claim {claim}"
diff --git a/pyeudiw/tests/sd_jwt/test_sdjwt_schema.py b/pyeudiw/tests/sd_jwt/test_sdjwt_schema.py
new file mode 100644
index 00000000..251abd09
--- /dev/null
+++ b/pyeudiw/tests/sd_jwt/test_sdjwt_schema.py
@@ -0,0 +1,166 @@
+from dataclasses import dataclass
+
+from pyeudiw.sd_jwt.schema import is_sd_jwt_format, is_sd_jwt_kb_format
+
+
+def test_is_sd_jwt_format():
+    @dataclass
+    class TestCase:
+        input: str
+        expected_result: bool
+        explanation: str
+
+    test_table: list[TestCase] = [
+        TestCase(
+            "eyJhbGciOiAiRVMyNTYiLCAidHlwIjogImV4YW1wbGUrc2Qtand0In0.eyJfc2QiOiBbIkNyUWU3UzVrcUJBSHQtbk1ZWGdjNmJkdDJTSDVhVFkxc1VfTS1QZ2tqUEkiLCAiSnpZakg0c3ZsaUgwUjNQeUVNZmVadTZKdDY5dTVxZWhabzdGN0VQWWxTRSIsICJQb3JGYnBLdVZ1Nnh5bUphZ3ZrRnNGWEFiUm9jMkpHbEFVQTJCQTRvN2NJIiwgIlRHZjRvTGJnd2Q1SlFhSHlLVlFaVTlVZEdFMHc1cnREc3JaemZVYW9tTG8iLCAiWFFfM2tQS3QxWHlYN0tBTmtxVlI2eVoyVmE1TnJQSXZQWWJ5TXZSS0JNTSIsICJYekZyendzY002R242Q0pEYzZ2Vks4QmtNbmZHOHZPU0tmcFBJWmRBZmRFIiwgImdiT3NJNEVkcTJ4Mkt3LXc1d1BFemFrb2I5aFYxY1JEMEFUTjNvUUw5Sk0iLCAianN1OXlWdWx3UVFsaEZsTV8zSmx6TWFTRnpnbGhRRzBEcGZheVF3TFVLNCJdLCAiaXNzIjogImh0dHBzOi8vaXNzdWVyLmV4YW1wbGUuY29tIiwgImlhdCI6IDE2ODMwMDAwMDAsICJleHAiOiAxODgzMDAwMDAwLCAic3ViIjogInVzZXJfNDIiLCAibmF0aW9uYWxpdGllcyI6IFt7Ii4uLiI6ICJwRm5kamtaX1ZDem15VGE2VWpsWm8zZGgta284YUlLUWM5RGxHemhhVllvIn0sIHsiLi4uIjogIjdDZjZKa1B1ZHJ5M2xjYndIZ2VaOGtoQXYxVTFPU2xlclAwVmtCSnJXWjAifV0sICJfc2RfYWxnIjogInNoYS0yNTYiLCAiY25mIjogeyJqd2siOiB7Imt0eSI6ICJFQyIsICJjcnYiOiAiUC0yNTYiLCAieCI6ICJUQ0FFUjE5WnZ1M09IRjRqNFc0dmZTVm9ISVAxSUxpbERsczd2Q2VHZW1jIiwgInkiOiAiWnhqaVdXYlpNUUdIVldLVlE0aGJTSWlyc1ZmdWVjQ0U2dDRqVDlGMkhaUSJ9fX0.GhUbWZvUw7I6ndaIK6rtU1rDEOkjqFuSXl_J5cuDkmnKt9jhZ3v5sghdwZ1WKH-g-4kna57RgWEl7YHlr-IZqw~WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STjl3IiwgImdpdmVuX25hbWUiLCAiSm9obiJd~WyJlbHVWNU9nM2dTTklJOEVZbnN4QV9BIiwgImZhbWlseV9uYW1lIiwgIkRvZSJd~WyI2SWo3dE0tYTVpVlBHYm9TNXRtdlZBIiwgImVtYWlsIiwgImpvaG5kb2VAZXhhbXBsZS5jb20iXQ~WyJlSThaV205UW5LUHBOUGVOZW5IZGhRIiwgInBob25lX251bWJlciIsICIrMS0yMDItNTU1LTAxMDEiXQ~WyJRZ19PNjR6cUF4ZTQxMmExMDhpcm9BIiwgInBob25lX251bWJlcl92ZXJpZmllZCIsIHRydWVd~WyJBSngtMDk1VlBycFR0TjRRTU9xUk9BIiwgImFkZHJlc3MiLCB7InN0cmVldF9hZGRyZXNzIjogIjEyMyBNYWluIFN0IiwgImxvY2FsaXR5IjogIkFueXRvd24iLCAicmVnaW9uIjogIkFueXN0YXRlIiwgImNvdW50cnkiOiAiVVMifV0~WyJQYzMzSk0yTGNoY1VfbEhnZ3ZfdWZRIiwgImJpcnRoZGF0ZSIsICIxOTQwLTAxLTAxIl0~WyJHMDJOU3JRZmpGWFE3SW8wOXN5YWpBIiwgInVwZGF0ZWRfYXQiLCAxNTcwMDAwMDAwXQ~WyJsa2x4RjVqTVlsR1RQVW92TU5JdkNBIiwgIlVTIl0~WyJuUHVvUW5rUkZxM0JJZUFtN0FuWEZBIiwgIkRFIl0~", 
+            True,
+            "sd-jwt without key binding"
+        ),
+        TestCase(
+            "eyJhbGciOiAiRVMyNTYiLCAidHlwIjogImV4YW1wbGUrc2Qtand0In0.eyJfc2QiOiBbIkNyUWU3UzVrcUJBSHQtbk1ZWGdjNmJkdDJTSDVhVFkxc1VfTS1QZ2tqUEkiLCAiSnpZakg0c3ZsaUgwUjNQeUVNZmVadTZKdDY5dTVxZWhabzdGN0VQWWxTRSIsICJQb3JGYnBLdVZ1Nnh5bUphZ3ZrRnNGWEFiUm9jMkpHbEFVQTJCQTRvN2NJIiwgIlRHZjRvTGJnd2Q1SlFhSHlLVlFaVTlVZEdFMHc1cnREc3JaemZVYW9tTG8iLCAiWFFfM2tQS3QxWHlYN0tBTmtxVlI2eVoyVmE1TnJQSXZQWWJ5TXZSS0JNTSIsICJYekZyendzY002R242Q0pEYzZ2Vks4QmtNbmZHOHZPU0tmcFBJWmRBZmRFIiwgImdiT3NJNEVkcTJ4Mkt3LXc1d1BFemFrb2I5aFYxY1JEMEFUTjNvUUw5Sk0iLCAianN1OXlWdWx3UVFsaEZsTV8zSmx6TWFTRnpnbGhRRzBEcGZheVF3TFVLNCJdLCAiaXNzIjogImh0dHBzOi8vaXNzdWVyLmV4YW1wbGUuY29tIiwgImlhdCI6IDE2ODMwMDAwMDAsICJleHAiOiAxODgzMDAwMDAwLCAic3ViIjogInVzZXJfNDIiLCAibmF0aW9uYWxpdGllcyI6IFt7Ii4uLiI6ICJwRm5kamtaX1ZDem15VGE2VWpsWm8zZGgta284YUlLUWM5RGxHemhhVllvIn0sIHsiLi4uIjogIjdDZjZKa1B1ZHJ5M2xjYndIZ2VaOGtoQXYxVTFPU2xlclAwVmtCSnJXWjAifV0sICJfc2RfYWxnIjogInNoYS0yNTYiLCAiY25mIjogeyJqd2siOiB7Imt0eSI6ICJFQyIsICJjcnYiOiAiUC0yNTYiLCAieCI6ICJUQ0FFUjE5WnZ1M09IRjRqNFc0dmZTVm9ISVAxSUxpbERsczd2Q2VHZW1jIiwgInkiOiAiWnhqaVdXYlpNUUdIVldLVlE0aGJTSWlyc1ZmdWVjQ0U2dDRqVDlGMkhaUSJ9fX0.GhUbWZvUw7I6ndaIK6rtU1rDEOkjqFuSXl_J5cuDkmnKt9jhZ3v5sghdwZ1WKH-g-4kna57RgWEl7YHlr-IZqw~WyJlbHVWNU9nM2dTTklJOEVZbnN4QV9BIiwgImZhbWlseV9uYW1lIiwgIkRvZSJd~WyJBSngtMDk1VlBycFR0TjRRTU9xUk9BIiwgImFkZHJlc3MiLCB7InN0cmVldF9hZGRyZXNzIjogIjEyMyBNYWluIFN0IiwgImxvY2FsaXR5IjogIkFueXRvd24iLCAicmVnaW9uIjogIkFueXN0YXRlIiwgImNvdW50cnkiOiAiVVMifV0~WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STjl3IiwgImdpdmVuX25hbWUiLCAiSm9obiJd~WyJsa2x4RjVqTVlsR1RQVW92TU5JdkNBIiwgIlVTIl0~eyJhbGciOiAiRVMyNTYiLCAidHlwIjogImtiK2p3dCJ9.eyJub25jZSI6ICIxMjM0NTY3ODkwIiwgImF1ZCI6ICJodHRwczovL3ZlcmlmaWVyLmV4YW1wbGUub3JnIiwgImlhdCI6IDE3MjA0MzU5MzYsICJzZF9oYXNoIjogIjNvc0U3T2I0VHJqcW80ckJHdkRfMWJkQ0lhTEY4cFB5Wlk3RUctcVBYN1UifQ.MBXm8GktzZw6GKCD_X2zUqec9oWXHGD0K77HzKLehoOsIVUI8dbP_ruNWDX8nfZ6G3s06iFlxRNLO76nGo51Mw",
+            True,
+            "sd-jwt with key binding"
+        ),
+        TestCase(
+            "eyJhbGciOiAiRVMyNTYiLCAidHlwIjogImV4YW1wbGUrc2Qtand0In0.eyJfc2QiOiBbIkNyUWU3UzVrcUJBSHQtbk1ZWGdjNmJkdDJTSDVhVFkxc1VfTS1QZ2tqUEkiLCAiSnpZakg0c3ZsaUgwUjNQeUVNZmVadTZKdDY5dTVxZWhabzdGN0VQWWxTRSIsICJQb3JGYnBLdVZ1Nnh5bUphZ3ZrRnNGWEFiUm9jMkpHbEFVQTJCQTRvN2NJIiwgIlRHZjRvTGJnd2Q1SlFhSHlLVlFaVTlVZEdFMHc1cnREc3JaemZVYW9tTG8iLCAiWFFfM2tQS3QxWHlYN0tBTmtxVlI2eVoyVmE1TnJQSXZQWWJ5TXZSS0JNTSIsICJYekZyendzY002R242Q0pEYzZ2Vks4QmtNbmZHOHZPU0tmcFBJWmRBZmRFIiwgImdiT3NJNEVkcTJ4Mkt3LXc1d1BFemFrb2I5aFYxY1JEMEFUTjNvUUw5Sk0iLCAianN1OXlWdWx3UVFsaEZsTV8zSmx6TWFTRnpnbGhRRzBEcGZheVF3TFVLNCJdLCAiaXNzIjogImh0dHBzOi8vaXNzdWVyLmV4YW1wbGUuY29tIiwgImlhdCI6IDE2ODMwMDAwMDAsICJleHAiOiAxODgzMDAwMDAwLCAic3ViIjogInVzZXJfNDIiLCAibmF0aW9uYWxpdGllcyI6IFt7Ii4uLiI6ICJwRm5kamtaX1ZDem15VGE2VWpsWm8zZGgta284YUlLUWM5RGxHemhhVllvIn0sIHsiLi4uIjogIjdDZjZKa1B1ZHJ5M2xjYndIZ2VaOGtoQXYxVTFPU2xlclAwVmtCSnJXWjAifV0sICJfc2RfYWxnIjogInNoYS0yNTYiLCAiY25mIjogeyJqd2siOiB7Imt0eSI6ICJFQyIsICJjcnYiOiAiUC0yNTYiLCAieCI6ICJUQ0FFUjE5WnZ1M09IRjRqNFc0dmZTVm9ISVAxSUxpbERsczd2Q2VHZW1jIiwgInkiOiAiWnhqaVdXYlpNUUdIVldLVlE0aGJTSWlyc1ZmdWVjQ0U2dDRqVDlGMkhaUSJ9fX0.GhUbWZvUw7I6ndaIK6rtU1rDEOkjqFuSXl_J5cuDkmnKt9jhZ3v5sghdwZ1WKH-g-4kna57RgWEl7YHlr-IZqw~",
+            True,
+            "sd-jwt with 0 disclosures"
+        ),
+        TestCase(
+            "eyJhbGciOiAiRVMyNTYiLCAidHlwIjogImV4YW1wbGUrc2Qtand0In0.eyJfc2QiOiBbIkNyUWU3UzVrcUJBSHQtbk1ZWGdjNmJkdDJTSDVhVFkxc1VfTS1QZ2tqUEkiLCAiSnpZakg0c3ZsaUgwUjNQeUVNZmVadTZKdDY5dTVxZWhabzdGN0VQWWxTRSIsICJQb3JGYnBLdVZ1Nnh5bUphZ3ZrRnNGWEFiUm9jMkpHbEFVQTJCQTRvN2NJIiwgIlRHZjRvTGJnd2Q1SlFhSHlLVlFaVTlVZEdFMHc1cnREc3JaemZVYW9tTG8iLCAiWFFfM2tQS3QxWHlYN0tBTmtxVlI2eVoyVmE1TnJQSXZQWWJ5TXZSS0JNTSIsICJYekZyendzY002R242Q0pEYzZ2Vks4QmtNbmZHOHZPU0tmcFBJWmRBZmRFIiwgImdiT3NJNEVkcTJ4Mkt3LXc1d1BFemFrb2I5aFYxY1JEMEFUTjNvUUw5Sk0iLCAianN1OXlWdWx3UVFsaEZsTV8zSmx6TWFTRnpnbGhRRzBEcGZheVF3TFVLNCJdLCAiaXNzIjogImh0dHBzOi8vaXNzdWVyLmV4YW1wbGUuY29tIiwgImlhdCI6IDE2ODMwMDAwMDAsICJleHAiOiAxODgzMDAwMDAwLCAic3ViIjogInVzZXJfNDIiLCAibmF0aW9uYWxpdGllcyI6IFt7Ii4uLiI6ICJwRm5kamtaX1ZDem15VGE2VWpsWm8zZGgta284YUlLUWM5RGxHemhhVllvIn0sIHsiLi4uIjogIjdDZjZKa1B1ZHJ5M2xjYndIZ2VaOGtoQXYxVTFPU2xlclAwVmtCSnJXWjAifV0sICJfc2RfYWxnIjogInNoYS0yNTYiLCAiY25mIjogeyJqd2siOiB7Imt0eSI6ICJFQyIsICJjcnYiOiAiUC0yNTYiLCAieCI6ICJUQ0FFUjE5WnZ1M09IRjRqNFc0dmZTVm9ISVAxSUxpbERsczd2Q2VHZW1jIiwgInkiOiAiWnhqaVdXYlpNUUdIVldLVlE0aGJTSWlyc1ZmdWVjQ0U2dDRqVDlGMkhaUSJ9fX0.GhUbWZvUw7I6ndaIK6rtU1rDEOkjqFuSXl_J5cuDkmnKt9jhZ3v5sghdwZ1WKH-g-4kna57RgWEl7YHlr-IZqw",
+            False,
+            "sd-jwt with missing disclosure symbol ~"
+        ),
+        TestCase(
+            "eyJhbGciOiAiRVMyNTYiLCAidHlwIjogImV4YW1wbGUrc2Qtand0In0.eyJfc2QiOiBbIkNyUWU3UzVrcUJBSHQtbk1ZWGdjNmJkdDJTSDVhVFkxc1VfTS1QZ2tqUEkiLCAiSnpZakg0c3ZsaUgwUjNQeUVNZmVadTZKdDY5dTVxZWhabzdGN0VQWWxTRSIsICJQb3JGYnBLdVZ1Nnh5bUphZ3ZrRnNGWEFiUm9jMkpHbEFVQTJCQTRvN2NJIiwgIlRHZjRvTGJnd2Q1SlFhSHlLVlFaVTlVZEdFMHc1cnREc3JaemZVYW9tTG8iLCAiWFFfM2tQS3QxWHlYN0tBTmtxVlI2eVoyVmE1TnJQSXZQWWJ5TXZSS0JNTSIsICJYekZyendzY002R242Q0pEYzZ2Vks4QmtNbmZHOHZPU0tmcFBJWmRBZmRFIiwgImdiT3NJNEVkcTJ4Mkt3LXc1d1BFemFrb2I5aFYxY1JEMEFUTjNvUUw5Sk0iLCAianN1OXlWdWx3UVFsaEZsTV8zSmx6TWFTRnpnbGhRRzBEcGZheVF3TFVLNCJdLCAiaXNzIjogImh0dHBzOi8vaXNzdWVyLmV4YW1wbGUuY29tIiwgImlhdCI6IDE2ODMwMDAwMDAsICJleHAiOiAxODgzMDAwMDAwLCAic3ViIjogInVzZXJfNDIiLCAibmF0aW9uYWxpdGllcyI6IFt7Ii4uLiI6ICJwRm5kamtaX1ZDem15VGE2VWpsWm8zZGgta284YUlLUWM5RGxHemhhVllvIn0sIHsiLi4uIjogIjdDZjZKa1B1ZHJ5M2xjYndIZ2VaOGtoQXYxVTFPU2xlclAwVmtCSnJXWjAifV0sICJfc2RfYWxnIjogInNoYS0yNTYiLCAiY25mIjogeyJqd2siOiB7Imt0eSI6ICJFQyIsICJjcnYiOiAiUC0yNTYiLCAieCI6ICJUQ0FFUjE5WnZ1M09IRjRqNFc0dmZTVm9ISVAxSUxpbERsczd2Q2VHZW1jIiwgInkiOiAiWnhqaVdXYlpNUUdIVldLVlE0aGJTSWlyc1ZmdWVjQ0U2dDRqVDlGMkhaUSJ9fX0.~",
+            False,
+            "sd-jwt without signature"
+        ),
+        TestCase(
+            ".eyJfc2QiOiBbIkNyUWU3UzVrcUJBSHQtbk1ZWGdjNmJkdDJTSDVhVFkxc1VfTS1QZ2tqUEkiLCAiSnpZakg0c3ZsaUgwUjNQeUVNZmVadTZKdDY5dTVxZWhabzdGN0VQWWxTRSIsICJQb3JGYnBLdVZ1Nnh5bUphZ3ZrRnNGWEFiUm9jMkpHbEFVQTJCQTRvN2NJIiwgIlRHZjRvTGJnd2Q1SlFhSHlLVlFaVTlVZEdFMHc1cnREc3JaemZVYW9tTG8iLCAiWFFfM2tQS3QxWHlYN0tBTmtxVlI2eVoyVmE1TnJQSXZQWWJ5TXZSS0JNTSIsICJYekZyendzY002R242Q0pEYzZ2Vks4QmtNbmZHOHZPU0tmcFBJWmRBZmRFIiwgImdiT3NJNEVkcTJ4Mkt3LXc1d1BFemFrb2I5aFYxY1JEMEFUTjNvUUw5Sk0iLCAianN1OXlWdWx3UVFsaEZsTV8zSmx6TWFTRnpnbGhRRzBEcGZheVF3TFVLNCJdLCAiaXNzIjogImh0dHBzOi8vaXNzdWVyLmV4YW1wbGUuY29tIiwgImlhdCI6IDE2ODMwMDAwMDAsICJleHAiOiAxODgzMDAwMDAwLCAic3ViIjogInVzZXJfNDIiLCAibmF0aW9uYWxpdGllcyI6IFt7Ii4uLiI6ICJwRm5kamtaX1ZDem15VGE2VWpsWm8zZGgta284YUlLUWM5RGxHemhhVllvIn0sIHsiLi4uIjogIjdDZjZKa1B1ZHJ5M2xjYndIZ2VaOGtoQXYxVTFPU2xlclAwVmtCSnJXWjAifV0sICJfc2RfYWxnIjogInNoYS0yNTYiLCAiY25mIjogeyJqd2siOiB7Imt0eSI6ICJFQyIsICJjcnYiOiAiUC0yNTYiLCAieCI6ICJUQ0FFUjE5WnZ1M09IRjRqNFc0dmZTVm9ISVAxSUxpbERsczd2Q2VHZW1jIiwgInkiOiAiWnhqaVdXYlpNUUdIVldLVlE0aGJTSWlyc1ZmdWVjQ0U2dDRqVDlGMkhaUSJ9fX0.GhUbWZvUw7I6ndaIK6rtU1rDEOkjqFuSXl_J5cuDkmnKt9jhZ3v5sghdwZ1WKH-g-4kna57RgWEl7YHlr-IZqw~",
+            False,
+            "sd-jwt without header"
+        ),
+        TestCase(
+            "qwertyuiop",
+            False,
+            "non sense string: not a jwt"
+        ),
+        TestCase(
+            "qwe.rty.uio.azs~",
+            False,
+            "too many dots in base jwt"
+        ),
+        TestCase(
+            "qwe.rty~",
+            False,
+            "too few dots in base jwt"
+        ),
+        TestCase(
+            "qwe.rty~asd~",
+            False,
+            "too few dots in base jwt and diclosure lookalike"
+        ),
+        TestCase(
+            "qwe.rty.uio~asd~qwe",
+            False,
+            "sd-jwt with key binding that is not a jwt"
+        ),
+        TestCase(
+            "qwe.rty.uio~asd~qwe.asd.",
+            False,
+            "sd-jwt with key binding without signature"
+        ),
+    ]
+    for i, case in enumerate(test_table):
+        obt_result = is_sd_jwt_format(case.input)
+        assert obt_result == case.expected_result, f"failed test case {i}: scenario: {case.explanation}"
+
+
+def test_is_sd_jwt_kb_format():
+    @dataclass
+    class TestCase:
+        input: str
+        expected_result: bool
+        explanation: str
+
+    test_table: list[TestCase] = [
+        TestCase(
+            "eyJhbGciOiAiRVMyNTYiLCAidHlwIjogImV4YW1wbGUrc2Qtand0In0.eyJfc2QiOiBbIkNyUWU3UzVrcUJBSHQtbk1ZWGdjNmJkdDJTSDVhVFkxc1VfTS1QZ2tqUEkiLCAiSnpZakg0c3ZsaUgwUjNQeUVNZmVadTZKdDY5dTVxZWhabzdGN0VQWWxTRSIsICJQb3JGYnBLdVZ1Nnh5bUphZ3ZrRnNGWEFiUm9jMkpHbEFVQTJCQTRvN2NJIiwgIlRHZjRvTGJnd2Q1SlFhSHlLVlFaVTlVZEdFMHc1cnREc3JaemZVYW9tTG8iLCAiWFFfM2tQS3QxWHlYN0tBTmtxVlI2eVoyVmE1TnJQSXZQWWJ5TXZSS0JNTSIsICJYekZyendzY002R242Q0pEYzZ2Vks4QmtNbmZHOHZPU0tmcFBJWmRBZmRFIiwgImdiT3NJNEVkcTJ4Mkt3LXc1d1BFemFrb2I5aFYxY1JEMEFUTjNvUUw5Sk0iLCAianN1OXlWdWx3UVFsaEZsTV8zSmx6TWFTRnpnbGhRRzBEcGZheVF3TFVLNCJdLCAiaXNzIjogImh0dHBzOi8vaXNzdWVyLmV4YW1wbGUuY29tIiwgImlhdCI6IDE2ODMwMDAwMDAsICJleHAiOiAxODgzMDAwMDAwLCAic3ViIjogInVzZXJfNDIiLCAibmF0aW9uYWxpdGllcyI6IFt7Ii4uLiI6ICJwRm5kamtaX1ZDem15VGE2VWpsWm8zZGgta284YUlLUWM5RGxHemhhVllvIn0sIHsiLi4uIjogIjdDZjZKa1B1ZHJ5M2xjYndIZ2VaOGtoQXYxVTFPU2xlclAwVmtCSnJXWjAifV0sICJfc2RfYWxnIjogInNoYS0yNTYiLCAiY25mIjogeyJqd2siOiB7Imt0eSI6ICJFQyIsICJjcnYiOiAiUC0yNTYiLCAieCI6ICJUQ0FFUjE5WnZ1M09IRjRqNFc0dmZTVm9ISVAxSUxpbERsczd2Q2VHZW1jIiwgInkiOiAiWnhqaVdXYlpNUUdIVldLVlE0aGJTSWlyc1ZmdWVjQ0U2dDRqVDlGMkhaUSJ9fX0.GhUbWZvUw7I6ndaIK6rtU1rDEOkjqFuSXl_J5cuDkmnKt9jhZ3v5sghdwZ1WKH-g-4kna57RgWEl7YHlr-IZqw~WyJlbHVWNU9nM2dTTklJOEVZbnN4QV9BIiwgImZhbWlseV9uYW1lIiwgIkRvZSJd~WyJBSngtMDk1VlBycFR0TjRRTU9xUk9BIiwgImFkZHJlc3MiLCB7InN0cmVldF9hZGRyZXNzIjogIjEyMyBNYWluIFN0IiwgImxvY2FsaXR5IjogIkFueXRvd24iLCAicmVnaW9uIjogIkFueXN0YXRlIiwgImNvdW50cnkiOiAiVVMifV0~WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STjl3IiwgImdpdmVuX25hbWUiLCAiSm9obiJd~WyJsa2x4RjVqTVlsR1RQVW92TU5JdkNBIiwgIlVTIl0~eyJhbGciOiAiRVMyNTYiLCAidHlwIjogImtiK2p3dCJ9.eyJub25jZSI6ICIxMjM0NTY3ODkwIiwgImF1ZCI6ICJodHRwczovL3ZlcmlmaWVyLmV4YW1wbGUub3JnIiwgImlhdCI6IDE3MjA0MzU5MzYsICJzZF9oYXNoIjogIjNvc0U3T2I0VHJqcW80ckJHdkRfMWJkQ0lhTEY4cFB5Wlk3RUctcVBYN1UifQ.MBXm8GktzZw6GKCD_X2zUqec9oWXHGD0K77HzKLehoOsIVUI8dbP_ruNWDX8nfZ6G3s06iFlxRNLO76nGo51Mw",
+            True,
+            "sd-jwt with key binding"
+        ),
+        TestCase(
+            "qwe.rty.uio~asd.fgh.jkl",
+            True,
+            "sd-jwt lookalike with 0 disclosures"
+        ),
+        TestCase(
+            "qwe.rty.uio~zxc~asd.fgh.jkl",
+            True,
+            "sd-jwt lookalike with 1 disclosure"
+        ),
+        TestCase(
+            "qwe.rty.uio~zxc~vbn~asd.fgh.jkl",
+            True,
+            "sd-jwt lookalike with 2 disclosures"
+        ),
+        TestCase(
+            "eyJhbGciOiAiRVMyNTYiLCAidHlwIjogImV4YW1wbGUrc2Qtand0In0.eyJfc2QiOiBbIkNyUWU3UzVrcUJBSHQtbk1ZWGdjNmJkdDJTSDVhVFkxc1VfTS1QZ2tqUEkiLCAiSnpZakg0c3ZsaUgwUjNQeUVNZmVadTZKdDY5dTVxZWhabzdGN0VQWWxTRSIsICJQb3JGYnBLdVZ1Nnh5bUphZ3ZrRnNGWEFiUm9jMkpHbEFVQTJCQTRvN2NJIiwgIlRHZjRvTGJnd2Q1SlFhSHlLVlFaVTlVZEdFMHc1cnREc3JaemZVYW9tTG8iLCAiWFFfM2tQS3QxWHlYN0tBTmtxVlI2eVoyVmE1TnJQSXZQWWJ5TXZSS0JNTSIsICJYekZyendzY002R242Q0pEYzZ2Vks4QmtNbmZHOHZPU0tmcFBJWmRBZmRFIiwgImdiT3NJNEVkcTJ4Mkt3LXc1d1BFemFrb2I5aFYxY1JEMEFUTjNvUUw5Sk0iLCAianN1OXlWdWx3UVFsaEZsTV8zSmx6TWFTRnpnbGhRRzBEcGZheVF3TFVLNCJdLCAiaXNzIjogImh0dHBzOi8vaXNzdWVyLmV4YW1wbGUuY29tIiwgImlhdCI6IDE2ODMwMDAwMDAsICJleHAiOiAxODgzMDAwMDAwLCAic3ViIjogInVzZXJfNDIiLCAibmF0aW9uYWxpdGllcyI6IFt7Ii4uLiI6ICJwRm5kamtaX1ZDem15VGE2VWpsWm8zZGgta284YUlLUWM5RGxHemhhVllvIn0sIHsiLi4uIjogIjdDZjZKa1B1ZHJ5M2xjYndIZ2VaOGtoQXYxVTFPU2xlclAwVmtCSnJXWjAifV0sICJfc2RfYWxnIjogInNoYS0yNTYiLCAiY25mIjogeyJqd2siOiB7Imt0eSI6ICJFQyIsICJjcnYiOiAiUC0yNTYiLCAieCI6ICJUQ0FFUjE5WnZ1M09IRjRqNFc0dmZTVm9ISVAxSUxpbERsczd2Q2VHZW1jIiwgInkiOiAiWnhqaVdXYlpNUUdIVldLVlE0aGJTSWlyc1ZmdWVjQ0U2dDRqVDlGMkhaUSJ9fX0.GhUbWZvUw7I6ndaIK6rtU1rDEOkjqFuSXl_J5cuDkmnKt9jhZ3v5sghdwZ1WKH-g-4kna57RgWEl7YHlr-IZqw~WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STjl3IiwgImdpdmVuX25hbWUiLCAiSm9obiJd~WyJlbHVWNU9nM2dTTklJOEVZbnN4QV9BIiwgImZhbWlseV9uYW1lIiwgIkRvZSJd~WyI2SWo3dE0tYTVpVlBHYm9TNXRtdlZBIiwgImVtYWlsIiwgImpvaG5kb2VAZXhhbXBsZS5jb20iXQ~WyJlSThaV205UW5LUHBOUGVOZW5IZGhRIiwgInBob25lX251bWJlciIsICIrMS0yMDItNTU1LTAxMDEiXQ~WyJRZ19PNjR6cUF4ZTQxMmExMDhpcm9BIiwgInBob25lX251bWJlcl92ZXJpZmllZCIsIHRydWVd~WyJBSngtMDk1VlBycFR0TjRRTU9xUk9BIiwgImFkZHJlc3MiLCB7InN0cmVldF9hZGRyZXNzIjogIjEyMyBNYWluIFN0IiwgImxvY2FsaXR5IjogIkFueXRvd24iLCAicmVnaW9uIjogIkFueXN0YXRlIiwgImNvdW50cnkiOiAiVVMifV0~WyJQYzMzSk0yTGNoY1VfbEhnZ3ZfdWZRIiwgImJpcnRoZGF0ZSIsICIxOTQwLTAxLTAxIl0~WyJHMDJOU3JRZmpGWFE3SW8wOXN5YWpBIiwgInVwZGF0ZWRfYXQiLCAxNTcwMDAwMDAwXQ~WyJsa2x4RjVqTVlsR1RQVW92TU5JdkNBIiwgIlVTIl0~WyJuUHVvUW5rUkZxM0JJZUFtN0FuWEZBIiwgIkRFIl0~", 
+            False,
+            "sd-jwt without key binding"
+        ),
+        TestCase(
+            "eyJhbGciOiAiRVMyNTYiLCAidHlwIjogImV4YW1wbGUrc2Qtand0In0.eyJfc2QiOiBbIkNyUWU3UzVrcUJBSHQtbk1ZWGdjNmJkdDJTSDVhVFkxc1VfTS1QZ2tqUEkiLCAiSnpZakg0c3ZsaUgwUjNQeUVNZmVadTZKdDY5dTVxZWhabzdGN0VQWWxTRSIsICJQb3JGYnBLdVZ1Nnh5bUphZ3ZrRnNGWEFiUm9jMkpHbEFVQTJCQTRvN2NJIiwgIlRHZjRvTGJnd2Q1SlFhSHlLVlFaVTlVZEdFMHc1cnREc3JaemZVYW9tTG8iLCAiWFFfM2tQS3QxWHlYN0tBTmtxVlI2eVoyVmE1TnJQSXZQWWJ5TXZSS0JNTSIsICJYekZyendzY002R242Q0pEYzZ2Vks4QmtNbmZHOHZPU0tmcFBJWmRBZmRFIiwgImdiT3NJNEVkcTJ4Mkt3LXc1d1BFemFrb2I5aFYxY1JEMEFUTjNvUUw5Sk0iLCAianN1OXlWdWx3UVFsaEZsTV8zSmx6TWFTRnpnbGhRRzBEcGZheVF3TFVLNCJdLCAiaXNzIjogImh0dHBzOi8vaXNzdWVyLmV4YW1wbGUuY29tIiwgImlhdCI6IDE2ODMwMDAwMDAsICJleHAiOiAxODgzMDAwMDAwLCAic3ViIjogInVzZXJfNDIiLCAibmF0aW9uYWxpdGllcyI6IFt7Ii4uLiI6ICJwRm5kamtaX1ZDem15VGE2VWpsWm8zZGgta284YUlLUWM5RGxHemhhVllvIn0sIHsiLi4uIjogIjdDZjZKa1B1ZHJ5M2xjYndIZ2VaOGtoQXYxVTFPU2xlclAwVmtCSnJXWjAifV0sICJfc2RfYWxnIjogInNoYS0yNTYiLCAiY25mIjogeyJqd2siOiB7Imt0eSI6ICJFQyIsICJjcnYiOiAiUC0yNTYiLCAieCI6ICJUQ0FFUjE5WnZ1M09IRjRqNFc0dmZTVm9ISVAxSUxpbERsczd2Q2VHZW1jIiwgInkiOiAiWnhqaVdXYlpNUUdIVldLVlE0aGJTSWlyc1ZmdWVjQ0U2dDRqVDlGMkhaUSJ9fX0.GhUbWZvUw7I6ndaIK6rtU1rDEOkjqFuSXl_J5cuDkmnKt9jhZ3v5sghdwZ1WKH-g-4kna57RgWEl7YHlr-IZqw",
+            False,
+            "sd-jwt with missing disclosure symbol ~"
+        ),
+        TestCase(
+            "eyJhbGciOiAiRVMyNTYiLCAidHlwIjogImV4YW1wbGUrc2Qtand0In0.eyJfc2QiOiBbIkNyUWU3UzVrcUJBSHQtbk1ZWGdjNmJkdDJTSDVhVFkxc1VfTS1QZ2tqUEkiLCAiSnpZakg0c3ZsaUgwUjNQeUVNZmVadTZKdDY5dTVxZWhabzdGN0VQWWxTRSIsICJQb3JGYnBLdVZ1Nnh5bUphZ3ZrRnNGWEFiUm9jMkpHbEFVQTJCQTRvN2NJIiwgIlRHZjRvTGJnd2Q1SlFhSHlLVlFaVTlVZEdFMHc1cnREc3JaemZVYW9tTG8iLCAiWFFfM2tQS3QxWHlYN0tBTmtxVlI2eVoyVmE1TnJQSXZQWWJ5TXZSS0JNTSIsICJYekZyendzY002R242Q0pEYzZ2Vks4QmtNbmZHOHZPU0tmcFBJWmRBZmRFIiwgImdiT3NJNEVkcTJ4Mkt3LXc1d1BFemFrb2I5aFYxY1JEMEFUTjNvUUw5Sk0iLCAianN1OXlWdWx3UVFsaEZsTV8zSmx6TWFTRnpnbGhRRzBEcGZheVF3TFVLNCJdLCAiaXNzIjogImh0dHBzOi8vaXNzdWVyLmV4YW1wbGUuY29tIiwgImlhdCI6IDE2ODMwMDAwMDAsICJleHAiOiAxODgzMDAwMDAwLCAic3ViIjogInVzZXJfNDIiLCAibmF0aW9uYWxpdGllcyI6IFt7Ii4uLiI6ICJwRm5kamtaX1ZDem15VGE2VWpsWm8zZGgta284YUlLUWM5RGxHemhhVllvIn0sIHsiLi4uIjogIjdDZjZKa1B1ZHJ5M2xjYndIZ2VaOGtoQXYxVTFPU2xlclAwVmtCSnJXWjAifV0sICJfc2RfYWxnIjogInNoYS0yNTYiLCAiY25mIjogeyJqd2siOiB7Imt0eSI6ICJFQyIsICJjcnYiOiAiUC0yNTYiLCAieCI6ICJUQ0FFUjE5WnZ1M09IRjRqNFc0dmZTVm9ISVAxSUxpbERsczd2Q2VHZW1jIiwgInkiOiAiWnhqaVdXYlpNUUdIVldLVlE0aGJTSWlyc1ZmdWVjQ0U2dDRqVDlGMkhaUSJ9fX0.GhUbWZvUw7I6ndaIK6rtU1rDEOkjqFuSXl_J5cuDkmnKt9jhZ3v5sghdwZ1WKH-g-4kna57RgWEl7YHlr-IZqw~",
+            False,
+            "sd-jwt with 0 disclosures"
+        ),
+        TestCase(
+            "eyJhbGciOiAiRVMyNTYiLCAidHlwIjogImV4YW1wbGUrc2Qtand0In0.eyJfc2QiOiBbIkNyUWU3UzVrcUJBSHQtbk1ZWGdjNmJkdDJTSDVhVFkxc1VfTS1QZ2tqUEkiLCAiSnpZakg0c3ZsaUgwUjNQeUVNZmVadTZKdDY5dTVxZWhabzdGN0VQWWxTRSIsICJQb3JGYnBLdVZ1Nnh5bUphZ3ZrRnNGWEFiUm9jMkpHbEFVQTJCQTRvN2NJIiwgIlRHZjRvTGJnd2Q1SlFhSHlLVlFaVTlVZEdFMHc1cnREc3JaemZVYW9tTG8iLCAiWFFfM2tQS3QxWHlYN0tBTmtxVlI2eVoyVmE1TnJQSXZQWWJ5TXZSS0JNTSIsICJYekZyendzY002R242Q0pEYzZ2Vks4QmtNbmZHOHZPU0tmcFBJWmRBZmRFIiwgImdiT3NJNEVkcTJ4Mkt3LXc1d1BFemFrb2I5aFYxY1JEMEFUTjNvUUw5Sk0iLCAianN1OXlWdWx3UVFsaEZsTV8zSmx6TWFTRnpnbGhRRzBEcGZheVF3TFVLNCJdLCAiaXNzIjogImh0dHBzOi8vaXNzdWVyLmV4YW1wbGUuY29tIiwgImlhdCI6IDE2ODMwMDAwMDAsICJleHAiOiAxODgzMDAwMDAwLCAic3ViIjogInVzZXJfNDIiLCAibmF0aW9uYWxpdGllcyI6IFt7Ii4uLiI6ICJwRm5kamtaX1ZDem15VGE2VWpsWm8zZGgta284YUlLUWM5RGxHemhhVllvIn0sIHsiLi4uIjogIjdDZjZKa1B1ZHJ5M2xjYndIZ2VaOGtoQXYxVTFPU2xlclAwVmtCSnJXWjAifV0sICJfc2RfYWxnIjogInNoYS0yNTYiLCAiY25mIjogeyJqd2siOiB7Imt0eSI6ICJFQyIsICJjcnYiOiAiUC0yNTYiLCAieCI6ICJUQ0FFUjE5WnZ1M09IRjRqNFc0dmZTVm9ISVAxSUxpbERsczd2Q2VHZW1jIiwgInkiOiAiWnhqaVdXYlpNUUdIVldLVlE0aGJTSWlyc1ZmdWVjQ0U2dDRqVDlGMkhaUSJ9fX0.~",
+            False,
+            "sd-jwt without signature"
+        ),
+        TestCase(
+            ".eyJfc2QiOiBbIkNyUWU3UzVrcUJBSHQtbk1ZWGdjNmJkdDJTSDVhVFkxc1VfTS1QZ2tqUEkiLCAiSnpZakg0c3ZsaUgwUjNQeUVNZmVadTZKdDY5dTVxZWhabzdGN0VQWWxTRSIsICJQb3JGYnBLdVZ1Nnh5bUphZ3ZrRnNGWEFiUm9jMkpHbEFVQTJCQTRvN2NJIiwgIlRHZjRvTGJnd2Q1SlFhSHlLVlFaVTlVZEdFMHc1cnREc3JaemZVYW9tTG8iLCAiWFFfM2tQS3QxWHlYN0tBTmtxVlI2eVoyVmE1TnJQSXZQWWJ5TXZSS0JNTSIsICJYekZyendzY002R242Q0pEYzZ2Vks4QmtNbmZHOHZPU0tmcFBJWmRBZmRFIiwgImdiT3NJNEVkcTJ4Mkt3LXc1d1BFemFrb2I5aFYxY1JEMEFUTjNvUUw5Sk0iLCAianN1OXlWdWx3UVFsaEZsTV8zSmx6TWFTRnpnbGhRRzBEcGZheVF3TFVLNCJdLCAiaXNzIjogImh0dHBzOi8vaXNzdWVyLmV4YW1wbGUuY29tIiwgImlhdCI6IDE2ODMwMDAwMDAsICJleHAiOiAxODgzMDAwMDAwLCAic3ViIjogInVzZXJfNDIiLCAibmF0aW9uYWxpdGllcyI6IFt7Ii4uLiI6ICJwRm5kamtaX1ZDem15VGE2VWpsWm8zZGgta284YUlLUWM5RGxHemhhVllvIn0sIHsiLi4uIjogIjdDZjZKa1B1ZHJ5M2xjYndIZ2VaOGtoQXYxVTFPU2xlclAwVmtCSnJXWjAifV0sICJfc2RfYWxnIjogInNoYS0yNTYiLCAiY25mIjogeyJqd2siOiB7Imt0eSI6ICJFQyIsICJjcnYiOiAiUC0yNTYiLCAieCI6ICJUQ0FFUjE5WnZ1M09IRjRqNFc0dmZTVm9ISVAxSUxpbERsczd2Q2VHZW1jIiwgInkiOiAiWnhqaVdXYlpNUUdIVldLVlE0aGJTSWlyc1ZmdWVjQ0U2dDRqVDlGMkhaUSJ9fX0.GhUbWZvUw7I6ndaIK6rtU1rDEOkjqFuSXl_J5cuDkmnKt9jhZ3v5sghdwZ1WKH-g-4kna57RgWEl7YHlr-IZqw~",
+            False,
+            "sd-jwt without header"
+        ),
+        TestCase(
+            "qwertyuiop",
+            False,
+            "non sense string: not a jwt"
+        ),
+        TestCase(
+            "qwe.rty.uio.azs~",
+            False,
+            "too many dots in base jwt"
+        ),
+        TestCase(
+            "qwe.rty~",
+            False,
+            "too few dots in base jwt"
+        ),
+        TestCase(
+            "qwe.rty~asd~",
+            False,
+            "too few dots in base jwt and diclosure lookalike"
+        ),
+        TestCase(
+            "qwe.rty.uio~asd~qwe",
+            False,
+            "sd-jwt with key binding that is not a jwt"
+        ),
+        TestCase(
+            "qwe.rty.uio~asd~qwe.asd.",
+            False,
+            "sd-jwt with key binding without signature"
+        ),
+    ]
+    for i, case in enumerate(test_table):
+        obt_result = is_sd_jwt_kb_format(case.input)
+        assert obt_result == case.expected_result, f"failed test case {i}: scenario: {case.explanation}"
diff --git a/pyeudiw/tests/settings.py b/pyeudiw/tests/settings.py
index 9274bee8..541fe83d 100644
--- a/pyeudiw/tests/settings.py
+++ b/pyeudiw/tests/settings.py
@@ -59,50 +59,373 @@
     'network': {
         "httpc_params": httpc_params
     },
-    "federation": {
-        "metadata_type": "wallet_relying_party",
-        "authority_hints": [
-            "https://trust-anchor.example.org"
+    "trust": {
+        "direct_trust_sd_jwt_vc": {
+            "module": "pyeudiw.trust.default.direct_trust_sd_jwt_vc",
+            "class": "DirectTrustSdJwtVc",
+            "config": {
+                "jwk_endpoint": "/.well-known/jwt-vc-issuer",
+                "httpc_params": {
+                    "connection": {
+                        "ssl": True
+                    },
+                    "session": {
+                        "timeout": 6
+                    }
+                }
+            }
+        },
+        "federation": {
+            "module": "pyeudiw.trust.default.federation",
+            "class": "FederationTrustModel",
+            "config": {
+                "metadata_type": "wallet_relying_party",
+                "authority_hints": [
+                    "https://trust-anchor.example.org"
+                ],
+                "trust_anchors": [
+                    "https://trust-anchor.example.org"
+                ],
+                "default_sig_alg": "RS256",
+                "federation_jwks": [
+                    {
+                        "kty": "RSA",
+                        "d": "QUZsh1NqvpueootsdSjFQz-BUvxwd3Qnzm5qNb-WeOsvt3rWMEv0Q8CZrla2tndHTJhwioo1U4NuQey7znijhZ177bUwPPxSW1r68dEnL2U74nKwwoYeeMdEXnUfZSPxzs7nY6b7v"
+                        "tyCoA-AjiVYFOlgKNAItspv1HxeyGCLhLYhKvS_YoTdAeLuegETU5D6K1xGQIuw0nS13Icjz79Y8jC10TX4FdZwdX-NmuIEDP5-s95V9DMENtVqJAVE3L-wO-NdDilyjyOmAbntgsCzYVG"
+                        "H9U3W_djh4t3qVFCv3r0S-DA2FD3THvlrFi655L0QHR3gu_Fbj3b9Ybtajpue_Q",
+                        "e": "AQAB",
+                        "kid": "9Cquk0X-fNPSdePQIgQcQZtD6J0IjIRrFigW2PPK_-w",
+                        "n": "utqtxbs-jnK0cPsV7aRkkZKA9t4S-WSZa3nCZtYIKDpgLnR_qcpeF0diJZvKOqXmj2cXaKFUE-8uHKAHo7BL7T-Rj2x3vGESh7SG1pE0thDGlXj4yNsg0qNvCXtk703L2H3i1UXwx"
+                        "6nq1uFxD2EcOE4a6qDYBI16Zl71TUZktJwmOejoHl16CPWqDLGo9GUSk_MmHOV20m4wXWkB4qbvpWVY8H6b2a0rB1B1YPOs5ZLYarSYZgjDEg6DMtZ4NgiwZ-4N1aaLwyO-GLwt9Vf-NBK"
+                        "woxeRyD3zWE2FXRFBbhKGksMrCGnFDsNl5JTlPjaM3kYyImE941ggcuc495m-Fw",
+                        "p": "2zmGXIMCEHPphw778YjVTar1eycih6fFSJ4I4bl1iq167GqO0PjlOx6CZ1-OdBTVU7HfrYRiUK_BnGRdPDn-DQghwwkB79ZdHWL14wXnpB5y-boHz_LxvjsEqXtuQYcIkidOGaMG6"
+                        "8XNT1nM4F9a8UKFr5hHYT5_UIQSwsxlRQ0",
+                        "q": "2jMFt2iFrdaYabdXuB4QMboVjPvbLA-IVb6_0hSG_-EueGBvgcBxdFGIZaG6kqHqlB7qMsSzdptU0vn6IgmCZnX-Hlt6c5X7JB_q91PZMLTO01pbZ2Bk58GloalCHnw_mjPh0YPvi"
+                        "H5jGoWM5RHyl_HDDMI-UeLkzP7ImxGizrM"
+                    },
+                    {
+                        'kty': 'EC',
+                        'kid': 'xPFTWxeGHTVTaDlzGad0MKN5JmWOSnRqEjJCtvQpoyg',
+                        'crv': 'P-256',
+                        'x': 'EkMoe7qPLGMydWO_evC3AXEeXJlLQk9tNRkYcpp7xHo',
+                        'y': 'VLoHFl90D1SdTTjMvNf3WssWiCBXcU1lGNPbOmcCqdU',
+                        'd': 'oGzjgBbIYNL9opdJ_rDPnCJF89yN8yj8wegdkYfaxw0'
+                    }
+                ],
+                "trust_marks": [
+                    "..."
+                ],
+                "federation_entity_metadata": {
+                    "organization_name": "Example RP",
+                    "homepage_uri": "https://developers.italia.it",
+                    "policy_uri": "https://developers.italia.it/privacy-policy",
+                    "tos_uri": "https://developers.italia.it/privacy-policy",
+                    "logo_uri": "https://developers.italia.it/assets/img/io-it-logo-white.svg"
+                }
+            }
+        },
+    },
+    "metadata_jwks": [
+        {
+            "crv": "P-256",
+            "d": "KzQBowMMoPmSZe7G8QsdEWc1IvR2nsgE8qTOYmMcLtc",
+            "kid": "dDwPWXz5sCtczj7CJbqgPGJ2qQ83gZ9Sfs-tJyULi6s",
+            "kty": "EC",
+            "x": "TSO-KOqdnUj5SUuasdlRB2VVFSqtJOxuR5GftUTuBdk",
+            "y": "ByWgQt1wGBSnF56jQqLdoO1xKUynMY-BHIDB3eXlR7"
+        },
+        {
+            "kty": "RSA",
+            "d": "QUZsh1NqvpueootsdSjFQz-BUvxwd3Qnzm5qNb-WeOsvt3rWMEv0Q8CZrla2tndHTJhwioo1U4NuQey7znijhZ177bUwPPxSW1r68dEnL2U74nKwwoYeeMdEXnUfZSPxzs7nY6b7vtyCo"
+            "A-AjiVYFOlgKNAItspv1HxeyGCLhLYhKvS_YoTdAeLuegETU5D6K1xGQIuw0nS13Icjz79Y8jC10TX4FdZwdX-NmuIEDP5-s95V9DMENtVqJAVE3L-wO-NdDilyjyOmAbntgsCzYVGH9U3W_dj"
+            "h4t3qVFCv3r0S-DA2FD3THvlrFi655L0QHR3gu_Fbj3b9Ybtajpue_Q",
+            "e": "AQAB",
+            "use": "enc",
+            "kid": "9Cquk0X-fNPSdePQIgQcQZtD6J0IjIRrFigW2PPK_-w",
+            "n": "utqtxbs-jnK0cPsV7aRkkZKA9t4S-WSZa3nCZtYIKDpgLnR_qcpeF0diJZvKOqXmj2cXaKFUE-8uHKAHo7BL7T-Rj2x3vGESh7SG1pE0thDGlXj4yNsg0qNvCXtk703L2H3i1UXwx6nq1"
+            "uFxD2EcOE4a6qDYBI16Zl71TUZktJwmOejoHl16CPWqDLGo9GUSk_MmHOV20m4wXWkB4qbvpWVY8H6b2a0rB1B1YPOs5ZLYarSYZgjDEg6DMtZ4NgiwZ-4N1aaLwyO-GLwt9Vf-NBKwoxeRyD3"
+            "zWE2FXRFBbhKGksMrCGnFDsNl5JTlPjaM3kYyImE941ggcuc495m-Fw",
+            "p": "2zmGXIMCEHPphw778YjVTar1eycih6fFSJ4I4bl1iq167GqO0PjlOx6CZ1-OdBTVU7HfrYRiUK_BnGRdPDn-DQghwwkB79ZdHWL14wXnpB5y-boHz_LxvjsEqXtuQYcIkidOGaMG68XNT"
+            "1nM4F9a8UKFr5hHYT5_UIQSwsxlRQ0",
+            "q": "2jMFt2iFrdaYabdXuB4QMboVjPvbLA-IVb6_0hSG_-EueGBvgcBxdFGIZaG6kqHqlB7qMsSzdptU0vn6IgmCZnX-Hlt6c5X7JB_q91PZMLTO01pbZ2Bk58GloalCHnw_mjPh0YPviH5jG"
+            "oWM5RHyl_HDDMI-UeLkzP7ImxGizrM"
+        }
+    ],
+    "storage": {
+        "mongo_db": {
+            "cache": {
+                "module": "pyeudiw.storage.mongo_cache",
+                "class": "MongoCache",
+                "init_params": {
+                    "url": "mongodb://localhost:27017/?timeoutMS=2000",
+                    "conf": {
+                        "db_name": "eudiw"
+                    },
+                    "connection_params": {}
+                }
+            },
+            "storage": {
+                "module": "pyeudiw.storage.mongo_storage",
+                "class": "MongoStorage",
+                "init_params": {
+                    "url": "mongodb://localhost:27017/?timeoutMS=2000",
+                    "conf": {
+                        "db_name": "test-eudiw",
+                        "db_sessions_collection": "sessions",
+                        "db_trust_attestations_collection": "trust_attestations",
+                        "db_trust_anchors_collection": "trust_anchors"
+                    },
+                    "connection_params": {}
+                }
+            }
+        }
+    },
+    "metadata": {
+        "application_type": "web",
+        "authorization_encrypted_response_alg": [
+            "RSA-OAEP",
+            "RSA-OAEP-256"
         ],
-        "trust_anchors": [
-            "https://trust-anchor.example.org"
+        "authorization_encrypted_response_enc": [
+            "A128CBC-HS256",
+            "A192CBC-HS384",
+            "A256CBC-HS512",
+            "A128GCM",
+            "A192GCM",
+            "A256GCM"
+        ],
+        "authorization_signed_response_alg": [
+            "RS256",
+            "ES256"
+        ],
+        "client_id": f"{BASE_URL}/OpenID4VP",
+        "client_name": "Name of an example organization",
+        "contacts": [
+            "ops@verifier.example.org"
         ],
-        "default_sig_alg": "RS256",
-        "federation_jwks": [
+        "default_acr_values": [
+            "https://www.spid.gov.it/SpidL2",
+            "https://www.spid.gov.it/SpidL3"
+        ],
+        "default_max_age": 1111,
+        "id_token_encrypted_response_alg": [
+            "RSA-OAEP",
+            "RSA-OAEP-256"
+        ],
+        "id_token_encrypted_response_enc": [
+            "A128CBC-HS256",
+            "A192CBC-HS384",
+            "A256CBC-HS512",
+            "A128GCM",
+            "A192GCM",
+            "A256GCM"
+        ],
+        "id_token_signed_response_alg": [
+            "RS256",
+            "ES256"
+        ],
+        "presentation_definitions": [
             {
-                "kty": "RSA",
-                "d": "QUZsh1NqvpueootsdSjFQz-BUvxwd3Qnzm5qNb-WeOsvt3rWMEv0Q8CZrla2tndHTJhwioo1U4NuQey7znijhZ177bUwPPxSW1r68dEnL2U74nKwwoYeeMdEXnUfZSPxzs7nY6b7v"
-                "tyCoA-AjiVYFOlgKNAItspv1HxeyGCLhLYhKvS_YoTdAeLuegETU5D6K1xGQIuw0nS13Icjz79Y8jC10TX4FdZwdX-NmuIEDP5-s95V9DMENtVqJAVE3L-wO-NdDilyjyOmAbntgsCzYVG"
-                "H9U3W_djh4t3qVFCv3r0S-DA2FD3THvlrFi655L0QHR3gu_Fbj3b9Ybtajpue_Q",
-                "e": "AQAB",
-                "kid": "9Cquk0X-fNPSdePQIgQcQZtD6J0IjIRrFigW2PPK_-w",
-                "n": "utqtxbs-jnK0cPsV7aRkkZKA9t4S-WSZa3nCZtYIKDpgLnR_qcpeF0diJZvKOqXmj2cXaKFUE-8uHKAHo7BL7T-Rj2x3vGESh7SG1pE0thDGlXj4yNsg0qNvCXtk703L2H3i1UXwx"
-                "6nq1uFxD2EcOE4a6qDYBI16Zl71TUZktJwmOejoHl16CPWqDLGo9GUSk_MmHOV20m4wXWkB4qbvpWVY8H6b2a0rB1B1YPOs5ZLYarSYZgjDEg6DMtZ4NgiwZ-4N1aaLwyO-GLwt9Vf-NBK"
-                "woxeRyD3zWE2FXRFBbhKGksMrCGnFDsNl5JTlPjaM3kYyImE941ggcuc495m-Fw",
-                "p": "2zmGXIMCEHPphw778YjVTar1eycih6fFSJ4I4bl1iq167GqO0PjlOx6CZ1-OdBTVU7HfrYRiUK_BnGRdPDn-DQghwwkB79ZdHWL14wXnpB5y-boHz_LxvjsEqXtuQYcIkidOGaMG6"
-                "8XNT1nM4F9a8UKFr5hHYT5_UIQSwsxlRQ0",
-                "q": "2jMFt2iFrdaYabdXuB4QMboVjPvbLA-IVb6_0hSG_-EueGBvgcBxdFGIZaG6kqHqlB7qMsSzdptU0vn6IgmCZnX-Hlt6c5X7JB_q91PZMLTO01pbZ2Bk58GloalCHnw_mjPh0YPvi"
-                "H5jGoWM5RHyl_HDDMI-UeLkzP7ImxGizrM"
+                "id": "pid-sd-jwt:unique_id+given_name+family_name",
+                "input_descriptors": [
+                    {
+                        "format": {
+                            "constraints": {
+                                "fields": [
+                                    {
+                                        "filter": {
+                                            "const": "PersonIdentificationData",
+                                            "type": "string"
+                                        },
+                                        "path": [
+                                            "$.sd-jwt.type"
+                                        ]
+                                    },
+                                    {
+                                        "filter": {
+                                            "type": "object"
+                                        },
+                                        "path": [
+                                            "$.sd-jwt.cnf"
+                                        ]
+                                    },
+                                    {
+                                        "intent_to_retain": "true",
+                                        "path": [
+                                            "$.sd-jwt.family_name"
+                                        ]
+                                    },
+                                    {
+                                        "intent_to_retain": "true",
+                                        "path": [
+                                            "$.sd-jwt.given_name"
+                                        ]
+                                    },
+                                    {
+                                        "intent_to_retain": "true",
+                                        "path": [
+                                            "$.sd-jwt.unique_id"
+                                        ]
+                                    }
+                                ],
+                                "limit_disclosure": "required"
+                            },
+                            "jwt": {
+                                "alg": [
+                                    "EdDSA",
+                                    "ES256"
+                                ]
+                            }
+                        },
+                        "id": "sd-jwt"
+                    }
+                ]
             },
             {
-                'kty': 'EC',
-                'kid': 'xPFTWxeGHTVTaDlzGad0MKN5JmWOSnRqEjJCtvQpoyg',
-                'crv': 'P-256',
-                'x': 'EkMoe7qPLGMydWO_evC3AXEeXJlLQk9tNRkYcpp7xHo',
-                'y': 'VLoHFl90D1SdTTjMvNf3WssWiCBXcU1lGNPbOmcCqdU',
-                'd': 'oGzjgBbIYNL9opdJ_rDPnCJF89yN8yj8wegdkYfaxw0'
+                "id": "mDL-sample-req",
+                "input_descriptors": [
+                    {
+                        "format": {
+                            "constraints": {
+                                "fields": [
+                                    {
+                                        "filter": {
+                                            "const": "org.iso.18013.5.1.mDL",
+                                            "type": "string"
+                                        },
+                                        "path": [
+                                            "$.mdoc.doctype"
+                                        ]
+                                    },
+                                    {
+                                        "filter": {
+                                            "const": "org.iso.18013.5.1",
+                                            "type": "string"
+                                        },
+                                        "path": [
+                                            "$.mdoc.namespace"
+                                        ]
+                                    },
+                                    {
+                                        "intent_to_retain": "false",
+                                        "path": [
+                                            "$.mdoc.family_name"
+                                        ]
+                                    },
+                                    {
+                                        "intent_to_retain": "false",
+                                        "path": [
+                                            "$.mdoc.portrait"
+                                        ]
+                                    },
+                                    {
+                                        "intent_to_retain": "false",
+                                        "path": [
+                                            "$.mdoc.driving_privileges"
+                                        ]
+                                    }
+                                ],
+                                "limit_disclosure": "required"
+                            },
+                            "mso_mdoc": {
+                                "alg": [
+                                    "EdDSA",
+                                    "ES256"
+                                ]
+                            }
+                        },
+                        "id": "mDL"
+                    }
+                ]
             }
         ],
-        "trust_marks": [
-            "..."
+        "response_uris_supported": [
+            f"{BASE_URL}/OpenID4VP/response-uri"
+        ],
+        "request_uris": [
+            f"{BASE_URL}/OpenID4VP/request-uri"
         ],
-        "federation_entity_metadata": {
-            "organization_name": "Example RP",
-            "homepage_uri": "https://developers.italia.it",
-            "policy_uri": "https://developers.italia.it/privacy-policy",
-            "tos_uri": "https://developers.italia.it/privacy-policy",
-            "logo_uri": "https://developers.italia.it/assets/img/io-it-logo-white.svg"
+        "require_auth_time": True,
+        "subject_type": "pairwise",
+        "vp_formats": {
+            "vc+sd-jwt": {
+                "sd-jwt_alg_values": [
+                    "ES256",
+                    "ES384"
+                ],
+                "kb-jwt_alg_values": [
+                    "ES256",
+                    "ES384"
+                ]
+            }
+        }
+    }
+}
+
+CREDENTIAL_ISSUER_ENTITY_ID = "https://issuer.example.com"
+
+MODULE_DIRECT_TRUST_CONFIG = {
+    "module": "pyeudiw.trust.default.direct_trust_sd_jwt_vc",
+    "class": "DirectTrustSdJwtVc",
+    "config": {
+        "jwk_endpoint": "/.well-known/jwt-vc-issuer",
+        "httpc_params": {
+            "connection": {
+                "ssl": True
+            },
+            "session": {
+                "timeout": 6
+            }
         }
+    }
+}
+
+CONFIG_DIRECT_TRUST = {
+    "base_url": BASE_URL,
+
+    "ui": {
+        "static_storage_url": BASE_URL,
+        "template_folder": f"{pathlib.Path().absolute().__str__()}/pyeudiw/tests/satosa/templates",
+        "qrcode_template": "qrcode.html",
+        "error_template": "error.html",
+        "error_url": "https://localhost:9999/error_page.html"
+    },
+    "endpoints": {
+        "entity_configuration": "/.well-known/openid-federation",
+        "pre_request": "/pre-request",
+        "response": "/response-uri",
+        "request": "/request-uri",
+        "status": "/status-uri",
+        "get_response": "/get-response"
+    },
+    "response_code": {
+        "sym_key": "1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef"
+    },
+    "qrcode": {
+        "size": 100,
+        "color": "#2B4375",
+        "expiration_time": 120,
+        "logo_path": "pyeudiw/tests/satosa/static/logo.png"
+    },
+    "jwt": {
+        "default_sig_alg": "ES256",
+        "default_exp": 6
+    },
+    "authorization": {
+        "url_scheme": "haip",  # haip://
+        "scopes": ["pid-sd-jwt:unique_id+given_name+family_name"],
+        "default_acr_value": "https://www.spid.gov.it/SpidL2",
+        "expiration_time": 5,  # minutes
+    },
+    'user_attributes': {
+        "unique_identifiers": ["tax_id_code", "unique_id"],
+        "subject_id_random_value": "CHANGEME!"
+    },
+    'network': {
+        "httpc_params": httpc_params
+    },
+    "trust": {
+        "direct_trust_sd_jwt_vc": MODULE_DIRECT_TRUST_CONFIG
     },
     "metadata_jwks": [
         {
@@ -341,7 +664,7 @@
     }
 }
 
-ISSUER_CONF = {
+CREDENTIAL_ISSUER_CONF = {
     "sd_specification": """
         user_claims:
             !sd unique_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
diff --git a/pyeudiw/tests/trust/default/settings.py b/pyeudiw/tests/trust/default/settings.py
new file mode 100644
index 00000000..1d325955
--- /dev/null
+++ b/pyeudiw/tests/trust/default/settings.py
@@ -0,0 +1,24 @@
+import json
+import requests
+
+
+issuer = "https://credential-issuer.example/vct/"
+issuer_jwk = {
+    "kty": "EC",
+    "kid": "MGaAh57cQghnevfWusalp0lNFXTzz2kHnkzO9wOjHq4",
+    "crv": "P-256",
+    "x": "S57KP4yGauTJJuNvO-wgWr2h_BYsatYUA1xW8Nae8i4", 
+    "y": "66DmArglfyJODHAzZsIiPTY24gK70eeXPbpT4Nk0768"
+}
+issuer_vct_md = {
+    "issuer": issuer,
+    "jwks": {
+        "keys": [
+            issuer_jwk
+        ]
+    }
+}
+jwt_vc_issuer_endpoint_response = requests.Response()
+jwt_vc_issuer_endpoint_response.status_code = 200
+jwt_vc_issuer_endpoint_response.headers.update({"Content-Type": "application/json"})
+jwt_vc_issuer_endpoint_response._content = json.dumps(issuer_vct_md).encode('utf-8')
diff --git a/pyeudiw/tests/trust/default/test_direct_trust.py b/pyeudiw/tests/trust/default/test_direct_trust.py
new file mode 100644
index 00000000..57c6fa6b
--- /dev/null
+++ b/pyeudiw/tests/trust/default/test_direct_trust.py
@@ -0,0 +1,20 @@
+import unittest.mock
+
+from pyeudiw.trust.default import DEFAULT_DIRECT_TRUST_PARAMS
+from pyeudiw.trust.default.direct_trust_sd_jwt_vc import DirectTrustSdJwtVc
+
+from pyeudiw.tests.trust.default.settings import issuer, jwt_vc_issuer_endpoint_response
+from pyeudiw.tests.trust.default.settings import issuer_jwk as expected_jwk
+
+
+def test_direct_trust_jwk():
+    mocked_issuer_jwt_vc_issuer_endpoint = unittest.mock.patch("pyeudiw.vci.jwks_provider.get_http_url", return_value=[jwt_vc_issuer_endpoint_response])
+    mocked_issuer_jwt_vc_issuer_endpoint.start()
+
+    trust_source = DirectTrustSdJwtVc(**DEFAULT_DIRECT_TRUST_PARAMS)
+    obtained_jwks = trust_source.get_public_keys(issuer)
+
+    mocked_issuer_jwt_vc_issuer_endpoint.stop()
+
+    assert len(obtained_jwks) == 1, f"expected 1 jwk, obtained {len(obtained_jwks)}"
+    assert expected_jwk == obtained_jwks[0]
diff --git a/pyeudiw/tests/trust/test_dynamic.py b/pyeudiw/tests/trust/test_dynamic.py
new file mode 100644
index 00000000..df466cbf
--- /dev/null
+++ b/pyeudiw/tests/trust/test_dynamic.py
@@ -0,0 +1,76 @@
+from pyeudiw.trust.default import DEFAULT_DIRECT_TRUST_PARAMS
+from pyeudiw.trust.default.direct_trust_sd_jwt_vc import DirectTrustSdJwtVc
+from pyeudiw.trust.dynamic import CombinedTrustEvaluator, dynamic_trust_evaluators_loader
+from pyeudiw.trust.interface import TrustEvaluator
+
+
+class MockTrustEvaluator(TrustEvaluator):
+    """Mock realization of TrustEvaluator for testing purposes only
+    """
+    mock_jwk = {
+        "crv": "P-256",
+        "kid": "qTo9RGpuU_CSolt6GZmndLyPXJJa48up5dH1YbxVDPs",
+        "kty": "EC",
+        "use": "sig",
+        "x": "xu0FC3OQLgsea27rL0-d2CpVyKijjwl8tF6HB-3zLUg",
+        "y": "fUEsB8IrX2DgzqABfVsCody1RypAXX54fXQ1keoPP5Y"
+    }
+
+    def __init__(self):
+        pass
+
+    def get_public_keys(self, issuer: str) -> list[dict]:
+        return [
+            MockTrustEvaluator.mock_jwk
+        ]
+
+    def get_metadata(self, issuer: str) -> dict:
+        return {
+            "json_key": "json_value"
+        }
+
+    def is_revoked(self, issuer: str) -> bool:
+        return False
+
+    def get_policies(self, issuer: str) -> dict:
+        return {}
+
+
+def test_trust_evaluators_loader():
+    config = {
+        "mock": {
+            "module": "pyeudiw.tests.trust.test_dynamic",
+            "class": "MockTrustEvaluator",
+            "config": {}
+        },
+        "direct_trust_sd_jwt_vc": {
+            "module": "pyeudiw.trust.default.direct_trust_sd_jwt_vc",
+            "class": "DirectTrustSdJwtVc",
+            "config": {
+                "jwk_endpoint": "/.well-known/jwt-vc-issuer",
+                "httpc_params": {
+                    "connection": {
+                        "ssl": True
+                    },
+                    "session": {
+                        "timeout": 6
+                    }
+                }
+            }
+        }
+    }
+    trust_sources = dynamic_trust_evaluators_loader(config)
+    assert "mock" in trust_sources
+    assert trust_sources["mock"].__class__.__name__ == "MockTrustEvaluator"
+    assert "direct_trust_sd_jwt_vc" in trust_sources
+    assert trust_sources["direct_trust_sd_jwt_vc"].__class__.__name__ == "DirectTrustSdJwtVc"
+
+
+def test_combined_trust_evaluator():
+    evaluators = {
+        "mock": MockTrustEvaluator(),
+        "direct_trust_sd_jwt_vc": DirectTrustSdJwtVc(**DEFAULT_DIRECT_TRUST_PARAMS)
+    }
+    combined = CombinedTrustEvaluator(evaluators)
+    # TODO: re-enable when fixed
+    # assert MockTrustEvaluator.mock_jwk in combined.get_public_keys("mock_issuer")
diff --git a/pyeudiw/tools/utils.py b/pyeudiw/tools/utils.py
index f015f047..bc8ff1d7 100644
--- a/pyeudiw/tools/utils.py
+++ b/pyeudiw/tools/utils.py
@@ -177,3 +177,24 @@ def dynamic_class_loader(module_name: str, class_name: str, init_params: dict =
     storage_instance = get_dynamic_class(
         module_name, class_name)(**init_params)
     return storage_instance
+
+
+def satisfy_interface(o: object, interface: type) -> bool:
+    """
+    Returns true if and only if an object satisfy an interface.
+
+    :param o: an object (instance of a class)
+    :type o: object
+    :param interface: an interface type
+    :type interface: type
+
+    :returns: True if the object satisfy the interface, otherwise False
+    """
+    for cls_attr in dir(interface):
+        if cls_attr.startswith('_'):
+            continue
+        if not hasattr(o, cls_attr):
+            return False
+        if callable(getattr(interface, cls_attr)) and not callable(getattr(o, cls_attr)):
+            return False
+    return True
diff --git a/pyeudiw/trust/_log.py b/pyeudiw/trust/_log.py
new file mode 100644
index 00000000..c5c1e1a3
--- /dev/null
+++ b/pyeudiw/trust/_log.py
@@ -0,0 +1,4 @@
+import logging
+
+
+_package_logger = logging.getLogger(__name__)
diff --git a/pyeudiw/trust/default/__init__.py b/pyeudiw/trust/default/__init__.py
new file mode 100644
index 00000000..c27d7e37
--- /dev/null
+++ b/pyeudiw/trust/default/__init__.py
@@ -0,0 +1,20 @@
+import os
+
+from pyeudiw.trust.default.direct_trust_sd_jwt_vc import DirectTrustSdJwtVc
+from pyeudiw.trust.interface import TrustEvaluator
+
+
+DEFAULT_DIRECT_TRUST_PARAMS = {
+    "httpc_params": {
+        "connection": {
+            "ssl": os.getenv("PYEUDIW_HTTPC_SSL", True)
+        },
+        "session": {
+            "timeout": os.getenv("PYEUDIW_HTTPC_TIMEOUT", 6)
+        }
+    }
+}
+
+
+def default_trust_evaluator() -> TrustEvaluator:
+    return DirectTrustSdJwtVc(**DEFAULT_DIRECT_TRUST_PARAMS)
diff --git a/pyeudiw/trust/default/direct_trust_sd_jwt_vc.py b/pyeudiw/trust/default/direct_trust_sd_jwt_vc.py
new file mode 100644
index 00000000..b4fb271c
--- /dev/null
+++ b/pyeudiw/trust/default/direct_trust_sd_jwt_vc.py
@@ -0,0 +1,70 @@
+import time
+
+from pyeudiw.tools.utils import get_http_url
+from pyeudiw.trust.interface import TrustEvaluator
+from pyeudiw.vci.jwks_provider import CachedVciJwksSource, RemoteVciJwksSource, VciJwksSource
+from pyeudiw.vci.utils import cacheable_get_http_url
+
+
+DEFAULT_ISSUER_JWK_ENDPOINT = "/.well-known/jwt-vc-issuer"
+DEFAULT_METADATA_ENDPOINT = "/.well-known/openid-credential-issuer"
+
+
+class DirectTrust(TrustEvaluator):
+    pass
+
+
+class DirectTrustSdJwtVc(DirectTrust):
+    """
+    DirectTrust trust models assumes that an issuer is always trusted, in the sense
+    that no trust verification actually happens. The issuer is assumed to be an URI
+    and its keys and metadata information are publicly exposed on the web.
+    Such keys/metadata can always be fetched remotely and long as the issuer is
+    available.
+    """
+    def __init__(self, httpc_params: dict, cache_ttl: int = 0, jwk_endpoint: str = DEFAULT_ISSUER_JWK_ENDPOINT,
+                 metadata_endpoint: str = DEFAULT_METADATA_ENDPOINT):
+        self.httpc_params = httpc_params
+        self.cache_ttl = cache_ttl
+        self.jwk_endpoint = jwk_endpoint
+        self.metadata_endpoint = metadata_endpoint
+        self._vci_jwks_source: VciJwksSource = None
+        if self.cache_ttl == 0:
+            self._vci_jwks_source = RemoteVciJwksSource(httpc_params, jwk_endpoint)
+        else:
+            self._vci_jwks_source = CachedVciJwksSource(self.cache_ttl, httpc_params, jwk_endpoint)
+
+    def get_public_keys(self, issuer: str) -> list[dict]:
+        """
+        Fetches the public key of the issuer by querying a given endpoint.
+        Previous responses might or might not be cached based on the cache_ttl
+        parameter.
+
+        :returns: a list of jwk(s)
+        """
+        return self._vci_jwks_source.get_jwks(issuer)
+
+    def get_metadata(self, issuer: str) -> dict:
+        """
+        Fetches the public metadata of an issuer by interrogating a given
+        endpoint. The endpoint must yield information in a format that
+        can be transalted to a meaning dictionary (such as json)
+
+        :returns: a dictionary of metadata information
+        """
+        if not issuer:
+            raise ValueError("invalid issuer: cannot be empty value")
+        issuer_normalized = [issuer if issuer[-1] != '/' else issuer[:-1]]
+        url = issuer_normalized + self.metadata_endpoint
+        if self.cache_ttl == 0:
+            return get_http_url(url, self.httpc_params)[0].json()
+        ttl_timestamp = round(time.time() / self.cache_ttl)
+        return cacheable_get_http_url(ttl_timestamp, url, self.httpc_params)[0].json()
+
+    def __str__(self) -> str:
+        return f"DirectTrustSdJwtVc(" \
+            f"httpc_params={self.httpc_params}, " \
+            f"cache_ttl={self.cache_ttl}, " \
+            f"jwk_endpoint={self.jwk_endpoint}, " \
+            f"metadata_endpoint={self.metadata_endpoint}" \
+            ")"
diff --git a/pyeudiw/trust/default/federation.py b/pyeudiw/trust/default/federation.py
new file mode 100644
index 00000000..b277b5e9
--- /dev/null
+++ b/pyeudiw/trust/default/federation.py
@@ -0,0 +1,285 @@
+import logging
+from typing import Any
+from jwcrypto.jwk import JWK
+
+import json
+
+from satosa.context import Context
+from satosa.response import Response
+
+from pyeudiw.jwk import JWK
+from pyeudiw.jwt import JWSHelper
+from pyeudiw.jwt.utils import decode_jwt_header
+from pyeudiw.satosa.exceptions import (DiscoveryFailedError,
+                                       NotTrustedFederationError)
+from pyeudiw.storage.exceptions import EntryNotFound
+from pyeudiw.tools.base_logger import BaseLogger
+from pyeudiw.tools.utils import exp_from_now, iat_now
+from pyeudiw.trust import TrustEvaluationHelper
+from pyeudiw.trust.trust_anchors import update_trust_anchors_ecs
+
+
+from pyeudiw.federation.policy import TrustChainPolicy
+from pyeudiw.jwt.utils import decode_jwt_payload
+from pyeudiw.trust.interface import TrustEvaluator
+
+logger = logging.getLogger(__name__)
+
+
+class FederationTrustModel(TrustEvaluator):
+    _ISSUER_METADATA_TYPE = "openid_credential_issuer"
+
+    def __init__(self, **kwargs):
+        # TODO; qui c'è dentro tutta la ciccia: trust chain verification, root of trust, etc
+        self.metadata_policy_resolver = TrustChainPolicy()
+        pass
+
+    def _verify_trust_chain(self, trust_chain: list[str]):
+        # TODO: qui c'è tutta la ciccia, ma si può fare copia incolla da terze parti (specialmente di pyeudiw.trust.__init__)
+        raise NotImplementedError
+
+    def get_verified_key(self, issuer: str, token_header: dict) -> JWK:
+        # (1) verifica trust chain
+        kid: str = token_header.get("kid", None)
+        if not kid:
+            raise ValueError("missing claim [kid] in token header")
+        trust_chain: list[str] = token_header.get("trust_chain", None)
+        if not trust_chain:
+            raise ValueError("missing trust chain in federation token")
+        if not isinstance(trust_chain, list):
+            raise ValueError*("invalid format of header claim [trust_claim]")
+        self._verify_trust_chain(trust_chain)  # TODO: check whick exceptions this might raise
+
+        # (2) metadata parsing ed estrazione Jwk set
+        # TODO: wrap in something that implements VciJwksSource
+        # apply policy of traust anchor only?
+        issuer_entity_configuration = trust_chain[0]
+        anchor_entity_configuration = trust_chain[-1]
+        issuer_payload: dict = decode_jwt_payload(issuer_entity_configuration)
+        anchor_payload = decode_jwt_payload(anchor_entity_configuration)
+        trust_anchor_policy = anchor_payload.get("metadata_policy", {})
+        final_issuer_metadata = self.metadata_policy_resolver.apply_policy(issuer_payload, trust_anchor_policy)
+        metadata: dict = final_issuer_metadata.get("metadata", None)
+        if not metadata:
+            raise ValueError("missing or invalid claim [metadata] in entity configuration")
+        issuer_metadata: dict = metadata.get(FederationTrustModel._ISSUER_METADATA_TYPE, None)
+        if not issuer_metadata:
+            raise ValueError(f"missing or invalid claim [metadata.{FederationTrustModel._ISSUER_METADATA_TYPE}] in entity configuration")
+        issuer_keys: list[dict] = issuer_metadata.get("jwks", {}).get("keys", [])
+        if not issuer_keys:
+            raise ValueError(f"missing or invalid claim [metadata.{FederationTrustModel._ISSUER_METADATA_TYPE}.jwks.keys] in entity configuration")
+        # check issuer = entity_id
+        if issuer != (obt_iss := final_issuer_metadata.get("iss", "")):
+            raise ValueError(f"invalid issuer metadata: expected '{issuer}', obtained '{obt_iss}'")
+
+        # (3) dato il set completo, fa il match per kid tra l'header e il jwk set
+        found_jwks: list[dict] = []
+        for key in issuer_keys:
+            obt_kid: str = key.get("kid", "")
+            if kid == obt_kid:
+                found_jwks.append(key)
+        if len(found_jwks) != 1:
+            raise ValueError(f"unable to uniquely identify a key with kid {kid} in appropriate section of issuer entity configuration")
+        try:
+            return JWK(**found_jwks[0])
+        except Exception as e:
+            raise ValueError(f"unable to parse issuer jwk: {e}")
+
+    # ---------------------------
+    # TODO: sistema da qui in giù
+    # ---------------------------
+
+    # def __getattribute__(self, name: str) -> Any:
+    #     if hasattr(self, name):
+    #         return getattr(self, name)
+    #     logger.critical("se vedi questo messaggio: sei perduto")
+    #     return None
+
+    def init_trust_resources(self) -> None:
+        """
+        Initializes the trust resources.
+        """
+
+        # private keys by kid
+        self.federations_jwks_by_kids = {
+            i['kid']: i for i in self.config['trust']['federation']['config']['federation_jwks']
+        }
+        # dumps public jwks
+        self.federation_public_jwks = [
+            JWK(i).public_key for i in self.config['trust']['federation']['config']['federation_jwks']
+        ]
+        # we close the connection in this constructor since it must be fork safe and
+        # get reinitialized later on, within each fork
+        self.update_trust_anchors()
+
+        try:
+            self.get_backend_trust_chain()
+        except Exception as e:
+            self._log_critical(
+                "Backend Trust",
+                f"Cannot fetch the trust anchor configuration: {e}"
+            )
+
+        self.db_engine.close()
+        self._db_engine = None
+
+    def entity_configuration_endpoint(self, context: Context) -> Response:
+        """
+        Entity Configuration endpoint.
+
+        :param context: The current context
+        :type context: Context
+
+        :return: The entity configuration
+        :rtype: Response
+        """
+
+        if context.qs_params.get('format', '') == 'json':
+            return Response(
+                json.dumps(self.entity_configuration_as_dict),
+                status="200",
+                content="application/json"
+            )
+
+        return Response(
+            self.entity_configuration,
+            status="200",
+            content="application/entity-statement+jwt"
+        )
+
+    def update_trust_anchors(self):
+        """
+        Updates the trust anchors of current instance.
+        """
+
+        tas = self.config['trust']['federation']['config']['trust_anchors']
+        self._log_info("Trust Anchors updates", f"Trying to update: {tas}")
+
+        for ta in tas:
+            try:
+                update_trust_anchors_ecs(
+                    db=self.db_engine,
+                    trust_anchors=[ta],
+                    httpc_params=self.config['network']['httpc_params']
+                )
+            except Exception as e:
+                self._log_warning("Trust Anchor updates",
+                                  f"{ta} update failed: {e}")
+
+            self._log_info("Trust Anchor updates", f"{ta} updated")
+
+    def get_backend_trust_chain(self) -> list[str]:
+        """
+        Get the backend trust chain. In case something raises an Exception (e.g. faulty storage), logs a warning message
+        and returns an empty list.
+
+        :return: The trust chain
+        :rtype: list
+        """
+        try:
+            trust_evaluation_helper = TrustEvaluationHelper.build_trust_chain_for_entity_id(
+                storage=self.db_engine,
+                entity_id=self.client_id,
+                entity_configuration=self.entity_configuration,
+                httpc_params=self.config['network']['httpc_params']
+            )
+            self.db_engine.add_or_update_trust_attestation(
+                entity_id=self.client_id,
+                attestation=trust_evaluation_helper.trust_chain,
+                exp=trust_evaluation_helper.exp
+            )
+            return trust_evaluation_helper.trust_chain
+
+        except (DiscoveryFailedError, EntryNotFound, Exception) as e:
+            message = (
+                f"Error while building trust chain for client with id: {self.client_id}. "
+                f"{e.__class__.__name__}: {e}"
+            )
+            self._log_warning("Trust Chain", message)
+
+        return []
+
+    def _validate_trust(self, context: Context, jws: str) -> TrustEvaluationHelper:
+        """
+        Validates the trust of the given jws.
+
+        :param context: the request context
+        :type context: satosa.context.Context
+        :param jws: the jws to validate
+        :type jws: str
+
+        :raises: NotTrustedFederationError: raises an error if the trust evaluation fails.
+
+        :return: the trust evaluation helper
+        :rtype: TrustEvaluationHelper
+        """
+
+        self._log_debug(context, "[TRUST EVALUATION] evaluating trust.")
+
+        headers = decode_jwt_header(jws)
+        trust_eval = TrustEvaluationHelper(
+            self.db_engine,
+            httpc_params=self.config['network']['httpc_params'],
+            **headers
+        )
+
+        try:
+            trust_eval.evaluation_method()
+        except EntryNotFound:
+            message = (
+                "[TRUST EVALUATION] not found for "
+                f"{trust_eval.entity_id}"
+            )
+            self._log_error(context, message)
+            raise NotTrustedFederationError(
+                f"{trust_eval.entity_id} not found for Trust evaluation."
+            )
+        except Exception as e:
+            message = (
+                "[TRUST EVALUATION] failed for "
+                f"{trust_eval.entity_id}: {e}"
+            )
+            self._log_error(context, message)
+            raise NotTrustedFederationError(
+                f"{trust_eval.entity_id} is not trusted."
+            )
+
+        return trust_eval
+
+    # @property
+    # def default_federation_private_jwk(self) -> dict:
+    #     """Returns the default federation private jwk."""
+    #     return tuple(self.federations_jwks_by_kids.values())[0]
+
+    # @property
+    # def entity_configuration_as_dict(self) -> dict:
+    #     """Returns the entity configuration as a dictionary."""
+    #     ec_payload = {
+    #         "exp": exp_from_now(minutes=self.default_exp),
+    #         "iat": iat_now(),
+    #         "iss": self.client_id,
+    #         "sub": self.client_id,
+    #         "jwks": {
+    #             "keys": self.federation_public_jwks
+    #         },
+    #         "metadata": {
+    #             self.config['trust']['federation']['config']["metadata_type"]: self.config['metadata'],
+    #             "federation_entity": self.config['trust']['federation']['config']['federation_entity_metadata']
+    #         },
+    #         "authority_hints": self.config['trust']['federation']['config']['authority_hints']
+    #     }
+    #     return ec_payload
+
+    # @property
+    # def entity_configuration(self) -> dict:
+    #     """Returns the entity configuration as a JWT."""
+    #     data = self.entity_configuration_as_dict
+    #     jwshelper = JWSHelper(self.default_federation_private_jwk)
+    #     return jwshelper.sign(
+    #         protected={
+    #             "alg": self.config['trust']['federation']['config']["default_sig_alg"],
+    #             "kid": self.default_federation_private_jwk["kid"],
+    #             "typ": "entity-statement+jwt"
+    #         },
+    #         plain_dict=data
+    #     )
diff --git a/pyeudiw/trust/default/x509.py b/pyeudiw/trust/default/x509.py
new file mode 100644
index 00000000..39e0adca
--- /dev/null
+++ b/pyeudiw/trust/default/x509.py
@@ -0,0 +1,6 @@
+from pyeudiw.trust.interface import TrustEvaluator
+
+
+class X509TrustModel(TrustEvaluator):
+    def __init__(self, **kwargs):
+        pass
diff --git a/pyeudiw/trust/dynamic.py b/pyeudiw/trust/dynamic.py
new file mode 100644
index 00000000..57f0f9de
--- /dev/null
+++ b/pyeudiw/trust/dynamic.py
@@ -0,0 +1,126 @@
+import sys
+from typing import Any, Optional
+
+if float(f"{sys.version_info.major}.{sys.version_info.minor}") >= 3.12:
+    from typing import TypedDict
+else:
+    from typing_extensions import TypedDict
+
+from pyeudiw.storage.base_storage import TrustType
+from pyeudiw.storage.db_engine import DBEngine
+from pyeudiw.tools.base_logger import BaseLogger
+from pyeudiw.tools.utils import get_dynamic_class, satisfy_interface
+from pyeudiw.trust.default import default_trust_evaluator
+from pyeudiw.trust.exceptions import TrustConfigurationError
+from pyeudiw.trust.interface import TrustEvaluator
+from pyeudiw.trust._log import _package_logger
+
+
+TrustModuleConfiguration_T = TypedDict("_DynamicTrustConfiguration", {"module": str, "class": str, "config": dict})
+
+def dynamic_trust_evaluators_loader(trust_config: dict[str, TrustModuleConfiguration_T]) -> dict[str, TrustEvaluator]: # type: ignore
+    """Load a dynamically importable/configurable set of TrustEvaluators,
+    identified by the trust model they refer to.
+    If not configurations a re given, a default is returned instead
+    implementation of TrustEvaluator is returned instead.
+
+    :return: a dictionary where the keys are common name identifiers
+        for the trust mechanism ,a nd the keys are acqual class instances that satisfy
+        the TrustEvaluator interface
+    :rtype: dict[str, TrustEvaluator]
+    """
+    trust_instances: dict[str, TrustEvaluator] = {}
+    if not trust_config:
+        _package_logger.warning("no configured trust model, using direct trust model")
+        trust_instances["direct_trust_sd_jwt_vc"] = default_trust_evaluator()
+        return trust_instances
+
+    for trust_model_name, trust_module_config in trust_config.items():
+        try:
+            uninstantiated_class: type[TrustEvaluator] = get_dynamic_class(trust_module_config["module"], trust_module_config["class"])
+            class_config: dict = trust_module_config["config"]
+            trust_evaluator_instance = uninstantiated_class(**class_config)
+        except Exception as e:
+            raise TrustConfigurationError(f"invalid configuration for {trust_model_name}: {e}", e)
+        if not satisfy_interface(trust_evaluator_instance, TrustEvaluator):
+            raise TrustConfigurationError(f"class {uninstantiated_class} does not satisfy the interface TrustEvaluator")
+        trust_instances[trust_model_name] = trust_evaluator_instance
+    return trust_instances
+
+
+class CombinedTrustEvaluator(TrustEvaluator, BaseLogger):
+    """CombinedTrustEvaluator is a wrapper around multiple implementations of
+    TrustEvaluator. It's primary purpose is to handle how multiple configured
+    trust sources are queried when some metadata or key material is requested.
+    """
+
+    def __init__(self, trust_evaluators: dict[str, TrustEvaluator], storage: Optional[DBEngine] = None):
+        self.trust_evaluators: dict[str, TrustEvaluator] = trust_evaluators
+        self.storage: DBEngine | None = storage
+
+    def _get_trust_identifier_names(self) -> str:
+        return f'[{",".join(self.trust_evaluators.keys())}]'
+    
+    def _get_public_keys_from_storage(self, eval_identifier: str, issuer: str) -> dict | None:
+        # note: keys are serialized as jwks
+        if trust_attestation := self.storage.get_trust_attestation(issuer):
+            if trust_entity := trust_attestation.get(eval_identifier, None):
+                if trust_entity_jwks := trust_entity.get("jwks", None):
+                    new_pks = trust_entity_jwks
+                    # TODO: check if cached key is still valid?
+                    # with mongodb we use ttl integrated in the engine
+                    return new_pks
+        return None
+    
+    def _get_public_keys(self, eval_identifier: str, eval_instance: TrustEvaluator, issuer: str) -> dict:
+        try:
+            new_pks = eval_instance.get_public_keys(issuer)
+            self.storage.add_or_update_trust_attestation(issuer, trust_type=TrustType(eval_identifier), jwks=new_pks)
+        except:
+            new_pks = self._get_public_keys_from_storage(eval_identifier, issuer)
+
+        if new_pks: return new_pks
+        else: raise Exception
+
+    def get_public_keys(self, issuer: str) -> list[dict]:
+        """
+        yields the public cryptographic material of the issuer
+
+        :returns: a list of jwk(s); note that those key are _not_ necessarely
+            identified by a kid claim
+        """
+        pks: list[dict] = []
+        for eval_identifier, eval_instance in self.trust_evaluators.items():
+            try:
+                new_pks = self._get_public_keys(eval_identifier, eval_instance, issuer)
+            except Exception as e:
+                self._log_warning(f"failed to find any key of issuer {issuer} with model {eval_identifier}: {eval_instance.__class__.__name__}", e)
+                continue
+            if new_pks:
+                pks.append(new_pks)
+        if not pks:
+            raise Exception(f"no trust evaluator can provide cyptographic material for {issuer}: searched among: {self._get_trust_identifier_names()}")
+        return pks
+
+    def get_metadata(self, issuer: str) -> dict:
+        """
+        yields a dictionary of metadata about an issuer, according to some
+        trust model.
+        """
+        md: dict = {}
+        for eval_identifier, eval_instance in self.trust_evaluators.items():
+            md = eval_instance.get_metadata(issuer)
+            if md:
+                return md
+        if not md:
+            raise Exception(f"no trust evaluator can provide metadata for {issuer}: searched among: {self._get_trust_identifier_names()}")
+
+    def is_revoked(self, issuer: str) -> bool:
+        """
+        yield if the trust toward the issuer was revoked according to some trust model;
+        this asusmed that  the isser exists, is valid, but is not trusted.
+        """
+        raise NotImplementedError("implementation details yet to be deifined for combined use")
+
+    def get_policies(self, issuer: str) -> dict:
+        raise NotImplementedError("reserved for future uses")
diff --git a/pyeudiw/trust/exceptions.py b/pyeudiw/trust/exceptions.py
index f73b61d7..e503834f 100644
--- a/pyeudiw/trust/exceptions.py
+++ b/pyeudiw/trust/exceptions.py
@@ -20,3 +20,7 @@ class InvalidTrustType(Exception):
 
 class InvalidAnchor(Exception):
     pass
+
+
+class TrustConfigurationError(Exception):
+    pass
diff --git a/pyeudiw/trust/interface.py b/pyeudiw/trust/interface.py
new file mode 100644
index 00000000..e38f8756
--- /dev/null
+++ b/pyeudiw/trust/interface.py
@@ -0,0 +1,35 @@
+class TrustEvaluator:
+    """
+    TrustEvaluator is an interface that defined the expected behaviour of a
+    class that, as the very core, can:
+    (1) obtain the cryptographic material of an issuer, which might or might
+        not be trusted according to some trust model
+    (2) obtain the meta information about an issuer that is defined
+        according to some trust model
+    """
+
+    def get_public_keys(self, issuer: str) -> list[dict]:
+        """
+        yields the public cryptographic material of the issuer
+
+        :returns: a list of jwk(s); note that those key are _not_ necessarely
+            identified by a kid claim
+        """
+        raise NotImplementedError
+
+    def get_metadata(self, issuer: str) -> dict:
+        """
+        yields a dictionary of metadata about an issuer, according to some
+        trust model.
+        """
+        raise NotImplementedError
+
+    def is_revoked(self, issuer: str) -> bool:
+        """
+        yield if the trust toward the issuer was revoked according to some trust model;
+        this asusmed that  the isser exists, is valid, but is not trusted.
+        """
+        raise NotImplementedError
+
+    def get_policies(self, issuer: str) -> dict:
+        raise NotImplementedError("reserved for future uses")
diff --git a/pyeudiw/openid4vp/request.py b/pyeudiw/vci/__init__.py
similarity index 100%
rename from pyeudiw/openid4vp/request.py
rename to pyeudiw/vci/__init__.py
diff --git a/pyeudiw/vci/exception.py b/pyeudiw/vci/exception.py
new file mode 100644
index 00000000..3493f718
--- /dev/null
+++ b/pyeudiw/vci/exception.py
@@ -0,0 +1,5 @@
+class UnableToRetrieveJwks(Exception):
+    pass
+
+class UnableToRetrieveJwkSet(Exception):
+    pass
\ No newline at end of file
diff --git a/pyeudiw/vci/jwks_provider.py b/pyeudiw/vci/jwks_provider.py
new file mode 100644
index 00000000..e3997ff0
--- /dev/null
+++ b/pyeudiw/vci/jwks_provider.py
@@ -0,0 +1,97 @@
+import time
+from typing import Literal
+
+from pyeudiw.tools.utils import get_http_url
+from pyeudiw.vci.exception import UnableToRetrieveJwks, UnableToRetrieveJwkSet
+from pyeudiw.vci.utils import cacheable_get_http_url, final_issuer_endpoint
+
+DEFAULT_ENDPOINT = "/.well-known/jwt-vc-issuer"
+DEFAULT_TTL_CACHE = 60 * 60  # in seconds, hence 1 hour
+
+
+class VciJwksSource:
+    """VciJwksSource is an interface that provides a jwk set for verifiable credential issuer
+    """
+    def get_jwks(self, issuer: str) -> dict:
+        raise NotImplementedError
+
+
+class RemoteVciJwksSource(VciJwksSource):
+
+    def __init__(self, httpc_params: dict, endpoint: str = DEFAULT_ENDPOINT):
+        self.httpc_params = httpc_params
+        self.endpoint = endpoint
+
+    def _verify_response_issuer(self, exp_issuer: str, response_json: dict) -> None:
+        if exp_issuer != (obt_issuer := response_json.get("issuer", "")):
+            raise Exception(f"invalid issuing key metadata: expected issuer {exp_issuer}, obtained {obt_issuer}")
+
+    def _get_jwk_metadata(self, uri: str) -> dict:
+        try:
+            # TODO: sistemare httpc params
+            resp = get_http_url(uri, {"connection": {"ssl": False}, "session": {"timeout": 6}}, http_async=False)
+            response: dict = resp[0].json()
+            return response
+        except Exception as e:
+            raise UnableToRetrieveJwks(f"error during jwks retrieval: {e}", e)
+
+    def _get_jwkset_from_jwkset_uri(self, jwkset_uri: str) -> list[dict]:
+        try:
+            # TODO: sistemare httpc params
+            resp = get_http_url(jwkset_uri, {"connection": {"ssl": False}, "session": {"timeout": 6}}, http_async=False)
+            jwks: dict[Literal["keys"], list[dict]] = resp[0].json()
+            return jwks.get("keys", [])
+        except Exception as e:
+            raise UnableToRetrieveJwkSet(f"error during jwkset retrieval: {e}", e)
+
+    def _obtain_jwkset_from_response_json(self, response: dict) -> list[dict]:
+        jwks: dict[Literal["keys"], list[dict]] = response.get("jwks", None)
+        jwks_uri = response.get("jwks_uri", None)
+        if (not jwks) and (not jwks_uri):
+            raise Exception("invalid issuing key metadata: missing both claims [jwks] and [jwks_uri]")
+        if jwks:
+            return jwks.get("keys", [])
+        return self._get_jwkset_from_jwkset_uri(jwks_uri)
+
+    def get_jwks(self, issuer: str) -> list[dict]:
+        well_known_url = final_issuer_endpoint(issuer, self.endpoint)
+        resp_data = self._get_jwk_metadata(well_known_url)
+        self._verify_response_issuer(issuer, resp_data)
+        return self._obtain_jwkset_from_response_json(resp_data)
+
+
+class CachedVciJwksSource(RemoteVciJwksSource):
+
+    def __init__(self, ttl_cache: int = DEFAULT_TTL_CACHE, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.ttl_cache = ttl_cache
+
+    def _get_jwk_metadata(self, uri: str) -> dict:
+        ttl_timestamp = round(time.time() / self.ttl_cache)
+        try:
+            resp = cacheable_get_http_url(ttl_timestamp, uri, self.httpc_params)
+            response: dict = resp[0].json()
+            return response
+        except Exception as e:
+            raise UnableToRetrieveJwks(f"error during jwks retrieval: {e}", e)
+
+    def _get_jwkset_from_jwkset_uri(self, jwkset_uri: str) -> list[dict]:
+        ttl_timestamp = round(time.time() / self.ttl_cache)
+        try:
+            resp = cacheable_get_http_url(ttl_timestamp, jwkset_uri, self.httpc_params)
+            jwks: dict[Literal["keys"], list[dict]] = resp[0].json()
+            return jwks.get("keys", [])
+        except Exception as e:
+            raise UnableToRetrieveJwkSet(f"error during jwkset retrieval: {e}", e)
+
+    def _obtain_jwkset_from_response_json(self, response: dict) -> list[dict]:
+        jwks: dict[Literal["keys"], list[dict]] = response.get("jwks", None)
+        jwks_uri = response.get("jwks_uri", None)
+        if (not jwks) and (not jwks_uri):
+            raise Exception("invalid issuing key metadata: missing both claims [jwks] and [jwks_uri]")
+        if jwks:
+            return jwks.get("keys", [])
+        return self._get_jwkset_from_jwkset_uri(jwks_uri)
+
+    def get_jwks(self, issuer: str) -> list[dict]:
+        return super().get_jwks(issuer)
diff --git a/pyeudiw/vci/utils.py b/pyeudiw/vci/utils.py
new file mode 100644
index 00000000..6901bd94
--- /dev/null
+++ b/pyeudiw/vci/utils.py
@@ -0,0 +1,29 @@
+from functools import lru_cache
+from urllib.parse import ParseResult, urlparse
+
+import requests
+
+from pyeudiw.tools.utils import get_http_url
+
+
+def final_issuer_endpoint(issuer: str, wk_endpoint: str) -> str:
+    """Prepend the wk_endpoint part to the path of the issuer.
+    For example, if the issuer is 'https://example.com/tenant/1234' and the
+    well known endpoint is '/.well-known/jwt-vc-issuer', then the final
+    endpoint will be
+    'https://example.com/.well-known/jwt-vc-issuer/tenant/1234'
+    """
+    baseurl = urlparse(issuer)
+    well_known_path = wk_endpoint + baseurl.path
+    well_known_url: str = ParseResult(baseurl.scheme, baseurl.netloc, well_known_path, baseurl.params, baseurl.query, baseurl.fragment).geturl()
+    return well_known_url
+
+
+@lru_cache
+def cacheable_get_http_url(ttl_cache: int, urls: list[str] | str, httpc_params: dict, http_async: bool = True) -> list[requests.Response]:
+    """
+    wraps method 'get_http_url' around a ttl cache
+    """
+    # explicitly delete dummy argument ttl_cache since it is only needed for caching
+    del ttl_cache
+    return get_http_url(urls, httpc_params, http_async)
diff --git a/pyeudiw/x509/verify.py b/pyeudiw/x509/verify.py
index d89fd59e..2c8378e2 100644
--- a/pyeudiw/x509/verify.py
+++ b/pyeudiw/x509/verify.py
@@ -5,6 +5,8 @@
 from ssl import DER_cert_to_PEM_cert
 from cryptography.x509 import load_der_x509_certificate
 
+from pyeudiw.jwk import JWK
+
 LOG_ERROR = "x509 verification failed: {}"
 
 logger = logging.getLogger(__name__)
@@ -161,3 +163,7 @@ def is_der_format(cert: bytes) -> str:
     except crypto.Error as e:
         logging.error(LOG_ERROR.format(e))
         return False
+
+
+def get_public_key_from_x509_chain(x5c: list[bytes]) -> JWK:
+    raise NotImplementedError("TODO")