UNPKG

@sd-jwt/sd-jwt-vc

Version:

sd-jwt draft 7 implementation in typescript

github.com/openwallet-foundation-labs/sd-jwt-js/wiki

openwallet-foundation-labs/sd-jwt-js

273 lines (264 loc) 9.62 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
import { SDJWTConfig, Verifier, kbPayload, kbHeader, DisclosureFrame } from '@sd-jwt/types'; import { SdJwtPayload, SDJwtInstance, VerifierOptions } from '@sd-jwt/core'; /** * Logo metadata used in rendering a credential. */ type Logo = { /** REQUIRED. A URI pointing to the logo image. */ uri: string; /** OPTIONAL. An "integrity metadata" string as described in Section 7. */ 'uri#integrity'?: string; /** OPTIONAL. A string containing alternative text for the logo image. */ alt_text?: string; }; /** * The simple rendering method is intended for applications that do not support SVG. */ type SimpleRendering = { /** OPTIONAL. Logo metadata to display for the credential. */ logo?: Logo; /** OPTIONAL. RGB color value for the credential background (e.g., "#FFFFFF"). */ background_color?: string; /** OPTIONAL. RGB color value for the credential text (e.g., "#000000"). */ text_color?: string; }; /** Enum of valid values for rendering orientation. */ type Orientation = 'portrait' | 'landscape'; /** Enum of valid values for rendering color schemes. */ type ColorScheme = 'light' | 'dark'; /** Enum of valid values for rendering contrast. */ type Contrast = 'normal' | 'high'; /** * Properties that describe the display preferences for an SVG template rendering. */ type SvgTemplateProperties = { /** OPTIONAL. Orientation optimized for the template. */ orientation?: Orientation; /** OPTIONAL. Color scheme optimized for the template. */ color_scheme?: ColorScheme; /** OPTIONAL. Contrast level optimized for the template. */ contrast?: Contrast; }; /** * SVG rendering metadata containing URI and optional integrity and properties. */ type SvgTemplateRendering = { /** REQUIRED. A URI pointing to the SVG template. */ uri: string; /** OPTIONAL. An "integrity metadata" string as described in Section 7. */ 'uri#integrity'?: string; /** REQUIRED if more than one SVG template is present. */ properties?: SvgTemplateProperties; }; /** * Rendering metadata, either simple or SVG-based, for a credential. */ type Rendering = { /** OPTIONAL. Simple rendering metadata. */ simple?: SimpleRendering; /** OPTIONAL. Array of SVG template rendering objects. */ svg_template?: SvgTemplateRendering[]; }; /** * Display metadata associated with a credential type. */ type Display = { /** REQUIRED. Language tag according to RFC 5646 (e.g., "en", "de"). */ lang: string; /** REQUIRED. Human-readable name for the credential type. */ name: string; /** OPTIONAL. Description of the credential type for end users. */ description?: string; /** OPTIONAL. Rendering information (simple or SVG) for the credential. */ rendering?: Rendering; }; /** * Claim path within the credential's JSON structure. * Example: ["address", "street_address"] */ type ClaimPath = Array<string | null>; /** * Display metadata for a specific claim. */ type ClaimDisplay = { /** REQUIRED. Language tag according to RFC 5646. */ lang: string; /** REQUIRED. Human-readable label for the claim. */ label: string; /** OPTIONAL. Description of the claim for end users. */ description?: string; }; /** * Indicates whether a claim is selectively disclosable. */ type ClaimSelectiveDisclosure = 'always' | 'allowed' | 'never'; /** * Metadata for individual claims in the credential type. */ type Claim = { /** * REQUIRED. Array of one or more paths to the claim in the credential subject. * Each path is an array of strings (or null for array elements). */ path: ClaimPath; /** OPTIONAL. Display metadata in multiple languages. */ display?: ClaimDisplay[]; /** OPTIONAL. Controls whether the claim must, may, or must not be selectively disclosed. */ sd?: ClaimSelectiveDisclosure; /** * OPTIONAL. Unique string identifier for referencing the claim in an SVG template. * Must consist of alphanumeric characters or underscores and must not start with a digit. */ svg_id?: string; }; /** * Type metadata for a specific Verifiable Credential (VC) type. * Reference: https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-09.html#name-type-metadata-format */ type TypeMetadataFormat = { /** REQUIRED. A URI uniquely identifying the credential type. */ vct: string; /** OPTIONAL. Human-readable name for developers. */ name?: string; /** OPTIONAL. Human-readable description for developers. */ description?: string; /** OPTIONAL. URI of another type that this one extends. */ extends?: string; /** OPTIONAL. Integrity metadata for the 'extends' field. */ 'extends#Integrity'?: string; /** OPTIONAL. Array of localized display metadata for the type. */ display?: Display[]; /** OPTIONAL. Array of claim metadata. */ claims?: Claim[]; /** * OPTIONAL. Embedded JSON Schema describing the VC structure. * Must not be present if schema_uri is provided. */ schema?: object; /** * OPTIONAL. URI pointing to a JSON Schema for the VC structure. * Must not be present if schema is provided. */ schema_uri?: string; /** OPTIONAL. Integrity metadata for the schema_uri field. */ 'schema_uri#Integrity'?: string; }; type VcTFetcher = (uri: string, integrity?: string) => Promise<TypeMetadataFormat>; type StatusListFetcher = (uri: string) => Promise<string>; type StatusValidator = (status: number) => Promise<void>; /** * Configuration for SD-JWT-VC */ type SDJWTVCConfig = SDJWTConfig & { statusListFetcher?: StatusListFetcher; statusValidator?: StatusValidator; vctFetcher?: VcTFetcher; statusVerifier?: Verifier; loadTypeMetadataFormat?: boolean; timeout?: number; }; interface SDJWTVCStatusReference { status_list: { idx: number; uri: string; }; } interface SdJwtVcPayload extends SdJwtPayload { iss?: string; nbf?: number; exp?: number; cnf?: unknown; vct: string; 'vct#Integrity'?: string; status?: SDJWTVCStatusReference; sub?: string; iat?: number; } type VerificationResult = { payload: SdJwtVcPayload; header: Record<string, unknown> | undefined; kb: { payload: kbPayload; header: kbHeader; } | undefined; typeMetadataFormat?: TypeMetadataFormat; }; declare class SDJwtVcInstance extends SDJwtInstance<SdJwtVcPayload> { /** * The type of the SD-JWT-VC set in the header.typ field. */ protected type: string; protected userConfig: SDJWTVCConfig; constructor(userConfig?: SDJWTVCConfig); /** * Validates if the disclosureFrame contains any reserved fields. If so it will throw an error. * @param disclosureFrame */ protected validateReservedFields(disclosureFrame: DisclosureFrame<SdJwtVcPayload>): void; /** * Fetches the status list from the uri with a timeout of 10 seconds. * @param uri The URI to fetch from. * @returns A promise that resolves to a compact JWT. */ private statusListFetcher; /** * Validates the status, throws an error if the status is not 0. * @param status * @returns */ private statusValidator; /** * Verifies the SD-JWT-VC. It will validate the signature, the keybindings when required, the status, and the VCT. * @param currentDate current time in seconds */ verify(encodedSDJwt: string, options?: VerifierOptions): Promise<VerificationResult>; /** * Gets VCT Metadata of the raw SD-JWT-VC. Returns the type metadata format. If the SD-JWT-VC is invalid or does not contain a vct claim, an error is thrown. * @param encodedSDJwt * @returns */ getVct(encodedSDJwt: string): Promise<TypeMetadataFormat>; /** * Validates the integrity of the response if the integrity is passed. If the integrity does not match, an error is thrown. * @param integrity * @param response */ private validateIntegrity; /** * Fetches the content from the url with a timeout of 10 seconds. * @param url * @returns */ private fetch; /** * Loads the schema either from the object or as fallback from the uri. * @param typeMetadataFormat * @returns */ private loadSchema; /** * Verifies the VCT of the SD-JWT-VC. Returns the type metadata format. If the schema does not match, an error is thrown. If it matches, it will return the type metadata format. * @param result * @returns */ private verifyVct; /** * Fetches VCT Metadata of the SD-JWT-VC. Returns the type metadata format. If the SD-JWT-VC does not contain a vct claim, an error is thrown. * @param result * @returns */ private fetchVct; /** * Fetches VCT Metadata from the header of the SD-JWT-VC. Returns the type metadata format. If the SD-JWT-VC does not contain a vct claim, an error is thrown. * @param result * @param */ private fetchVctFromHeader; /** * Verifies the status of the SD-JWT-VC. * @param result * @param options */ private verifyStatus; } export { type Claim, type ClaimDisplay, type ClaimPath, type ClaimSelectiveDisclosure, type Display, type Logo, type Rendering, type SDJWTVCConfig, type SDJWTVCStatusReference, SDJwtVcInstance, type SdJwtVcPayload, type SimpleRendering, type StatusListFetcher, type StatusValidator, type SvgTemplateProperties, type SvgTemplateRendering, type TypeMetadataFormat, type VcTFetcher, type VerificationResult };