@digitalbazaar/vc 6.2.0 → 7.0.0

package/README.md

@@ -48,7 +48,7 @@ the following:
 
 ## Install
 
-- Browsers and Node.js 14+ are supported.
+- Browsers and Node.js 18+ are supported.
 
 To install from NPM:
 
@@ -122,15 +122,18 @@ Pre-requisites:
 
 * You have a private key (with id and controller) and corresponding suite
 * You have are using a cryptosuite that supports selective disclosure, such
-  as `ecdsa-sd-2023`
+  as `ecdsa-sd-2023` or `bbs-2023`
 * If you're using a custom `@context`, make sure it's resolvable
 * (Recommended) You have a strategy for where to publish your Controller
   Document and Public Key
 
+Issuing using `ecdsa-sd-2023`:
+
 ```js
-import * as vc from '@digitalbazaar/vc';
+import * as EcdsaMultikey from '@digitalbazaar/ecdsa-multikey';
 import * as ecdsaSd2023Cryptosuite from
   '@digitalbazaar/ecdsa-sd-2023-cryptosuite';
+import * as vc from '@digitalbazaar/vc';
 import {DataIntegrityProof} from '@digitalbazaar/data-integrity';
 
 const ecdsaKeyPair = await EcdsaMultikey.generate({
@@ -139,6 +142,18 @@ const ecdsaKeyPair = await EcdsaMultikey.generate({
   controller: 'https://example.edu/issuers/565049'
 });
 
+// sample exported key pair
+/*
+{
+  "@context": "https://w3id.org/security/multikey/v1",
+  "id": "https://example.edu/issuers/keys/2",
+  "type": "Multikey",
+  "controller": "https://example.edu/issuers/565049",
+  "publicKeyMultibase": "zDnaeWJjGpXnQAbEpRur3kSWFapGZbwGnFCkzyhiq7nDeXXrM",
+  "secretKeyMultibase": "z42trzSpncjWFaB9cKE2Gg5hxtbuAQa5mVJgGwjrugHMacdM"
+}
+*/
+
 // sample unsigned credential
 const credential = {
   "@context": [
@@ -176,6 +191,68 @@ const signedVC = await vc.issue({credential, suite, documentLoader});
 console.log(JSON.stringify(signedVC, null, 2));
 ```
 
+Issuing using `bbs-2023`:
+
+```js
+import * as bbs2023Cryptosuite from '@digitalbazaar/bbs-2023-cryptosuite';
+import * as bls12381Multikey from '@digitalbazaar/bls12-381-multikey';
+import * as vc from '@digitalbazaar/vc';
+import {DataIntegrityProof} from '@digitalbazaar/data-integrity';
+
+const bbsKeyPair = await bls12381Multikey.generate({
+  algorithm: 'BBS-BLS12-381-SHA-256';
+  id: 'https://example.edu/issuers/keys/3',
+  controller: 'https://example.edu/issuers/565049'
+});
+
+// sample exported key pair
+/*
+{
+  "@context": "https://w3id.org/security/multikey/v1",
+  "id": "https://example.edu/issuers/keys/3",
+  "type": "Multikey",
+  "controller": "https://example.edu/issuers/565049",
+  "publicKeyMultibase": "zUC72jQrt2BfyE57AVgHgThKCsH6HNo85X9SLNpAJaHb42cNDXhsRWL2KkrFtaiztPbbZjfDVQnQQMw2nMqAPUHnaQ3xEr7kUmcnBgv7S2wQSbRbr7mqsP153nU7yMh3ZN4ZryL",
+  "secretKeyMultibase": "z488y1niFCWnaV2i86q1raaa7qwBWZ6WTLeS1W1PrsbcsoNg"
+}
+*/
+
+// sample unsigned credential
+const credential = {
+  "@context": [
+    "https://www.w3.org/2018/credentials/v1",
+    "https://www.w3.org/2018/credentials/examples/v1"
+  ],
+  // omit `id` to enable unlinkable disclosure
+  "type": ["VerifiableCredential", "AlumniCredential"],
+  "issuer": "https://example.edu/issuers/565049",
+  // use less precise date that is shared by a sufficiently large group
+  // of VCs to enable unlinkable disclosure
+  "issuanceDate": "2010-01-01T01:00:00Z",
+  "credentialSubject": {
+    // omit `id` to enable unlinkable disclosure
+    "alumniOf": "Example University"
+  }
+};
+
+// setup bbs-2023 suite for signing unlinkable selective disclosure VCs
+const suite = new DataIntegrityProof({
+  signer: bbsKeyPair.signer(),
+  cryptosuite: createSignCryptosuite({
+    // require the `issuer` and `issuanceDate` fields to always be disclosed
+    // by the holder (presenter)
+    mandatoryPointers: [
+      '/issuanceDate',
+      '/issuer'
+    ]
+  })
+});
+// note: do not include a proof ID to enable unlinkable selective disclosure
+
+const signedVC = await vc.issue({credential, suite, documentLoader});
+console.log(JSON.stringify(signedVC, null, 2));
+```
+
 ### Deriving a Selective Disclosure Verifiable Credential
 
 Note: This step is performed as a holder of a verifiable credential, not as
@@ -184,13 +261,16 @@ an issuer.
 Pre-requisites:
 
 * You have a verifiable credential that was issued using a cryptosuite that
-  supports selective disclosure, such as `ecdsa-sd-2023`
+  supports selective disclosure, such as `ecdsa-sd-2023` or `bbs-2023`
 * If you're using a custom `@context`, make sure it's resolvable
 
+Deriving using `ecdsa-sd-2023`:
+
 ```js
-import * as vc from '@digitalbazaar/vc';
+import * as EcdsaMultikey from '@digitalbazaar/ecdsa-multikey';
 import * as ecdsaSd2023Cryptosuite from
   '@digitalbazaar/ecdsa-sd-2023-cryptosuite';
+import * as vc from '@digitalbazaar/vc';
 import {DataIntegrityProof} from '@digitalbazaar/data-integrity';
 
 const {
@@ -199,8 +279,8 @@ const {
   createVerifyCryptosuite
 } = ecdsaSd2023Cryptosuite;
 
-// sample signed credential
-const credential = {
+// sample VC
+const verifiableCredential = {
   "@context": [
     "https://www.w3.org/2018/credentials/v1",
     "https://www.w3.org/2018/credentials/examples/v1",
@@ -218,13 +298,13 @@ const credential = {
     "alumniOf": "<span lang=\"en\">Example University</span>"
   },
   "proof": {
-    "id": "urn:uuid:2ef8c7ce-a4da-44b4-ba7f-3d43eaf1e50c",
+    "id": "urn:uuid:318d9dce-bc7b-40b9-a956-c9160bf910db",
     "type": "DataIntegrityProof",
-    "created": "2023-11-13T22:58:06Z",
+    "created": "2024-01-12T21:53:11Z",
     "verificationMethod": "https://example.edu/issuers/keys/2",
     "cryptosuite": "ecdsa-sd-2023",
     "proofPurpose": "assertionMethod",
-    "proofValue": "u2V0AhVhAtYPKUQxwULXzMdsAfqtipsiX6YEPURYSBFYxoFY-v0vCPyAs1Ckyy61Wtk3xZWyBGNaEr3w0wQiJHHd5B9uR-1gjgCQCVtFPMk-ECi0CJFYv_GTjCChf8St0FQjuExTAnwP0-ipYIOHSun3YqabOfNe2DYFkHBTZa0Csf1a7YUDW8hhsOHqTglhA8aqnyanT-Ybo2-aHBTcI-UmHX0iluGb2IxoHLLhQoOPm2rDW0eB04Fa2Dh6WMKoOl_Bz3wZZDGQ31XoGrQvgIlhAo8qspvC-QQ-xI3KADiA12sO5LRsZ7hl9ozoJEECVsDOKlxWd-dhices5b2ZQIiiRE9XxxJx8YuwCMoD2bRLbOIJtL2lzc3VhbmNlRGF0ZWcvaXNzdWVy"
+    "proofValue": "u2V0AhVhAsl6PQKYE15R0O5Qd267ntwHGNH6JRvZ1y8A-fTCQLUoupP8SCZzzmyc0a1AnabHEVKhpHtYV8j9Kapp-fHFBtFgjgCQCIMn2L1R7D5VPnNn_2foxdj8qvsuUTGFqA34YBkguzCpYILfJ-qNQpn6_dJGpkG24FynqbHpnzoHWVJc2kiLqEKHRglhAUmZtstR9MOLrZjcR8J303MXFvRiE6J3bbaPT1_I9-6578-Wj-eydv2TEGBq_dmsjxsOh4_2Va0etw8CXXMAzaVhA9fr7_Sl9D67AfvLhkJTZ0uJCAXcbL2MaS-DmoC7K-ABxroL1_wj119J8yTMlazxzYBwYkihrdp4ZWJZxraX9tIJtL2lzc3VhbmNlRGF0ZWcvaXNzdWVy"
   }
 };
 
@@ -250,6 +330,65 @@ const derivedVC = await vc.derive({
 console.log(JSON.stringify(derivedVC, null, 2));
 ```
 
+Deriving using `bbs-2023`:
+
+```js
+import * as bbs2023Cryptosuite from '@digitalbazaar/bbs-2023-cryptosuite';
+import * as bls12381Multikey from '@digitalbazaar/bls12-381-multikey';
+import * as vc from '@digitalbazaar/vc';
+import {DataIntegrityProof} from '@digitalbazaar/data-integrity';
+
+const {
+  createDiscloseCryptosuite,
+  createSignCryptosuite,
+  createVerifyCryptosuite
+} = bbs2023Cryptosuite;
+
+// sample VC
+const verifiableCredential = {
+  "@context": [
+    "https://www.w3.org/2018/credentials/v1",
+    "https://www.w3.org/2018/credentials/examples/v1",
+    "https://w3id.org/security/data-integrity/v2"
+  ],
+  "type": [
+    "VerifiableCredential",
+    "AlumniCredential"
+  ],
+  "issuer": "https://example.edu/issuers/565049",
+  "issuanceDate": "2010-01-01T01:00:00Z",
+  "credentialSubject": {
+    "alumniOf": "<span lang=\"en\">Example University</span>"
+  },
+  "proof": {
+    "type": "DataIntegrityProof",
+    "verificationMethod": "https://example.edu/issuers/keys/3",
+    "cryptosuite": "bbs-2023",
+    "proofPurpose": "assertionMethod",
+    "proofValue": "u2V0ChVhQp1smqO-Qmc-1KpNkShjevTeylTdVlpH_RNXeJ_cNniErWPbEWILvsoH5mYjnun5ibZHq0m7BEIaLv8sfMtLfcmgPj6tbAFwDWvEcbRWg7CFYQGWqCAnvTpL_Aao3aVCg5svdzFuvKqnvneA0UwaN0lagvGpWT7fCDGgcYPyNPKaCX94Xo06aTcSwOXgyGUbtN1xYYIU6t5wv20lVdESfzkYOFXTxIZa1HSBAZYWDyEgQ3A3ajzWX5qeFc3cwmnnrGUfJYwawgGLQAY3vBi3LTM2i3jCOPvxCEJALPIjK4tEmWb6uFjT4PWLlIEeTtYj_0yEv91ggsm9vw1PPlK6q8wQiw2i2joZ-OKkvHz7rDSxPYfmQNrqCbS9pc3N1YW5jZURhdGVnL2lzc3Vlcg"
+  }
+};
+
+// note no `signer` needed; the selective disclosure credential will be
+// derived from the base proof already provided by the issuer
+const suite = new DataIntegrityProof({
+  cryptosuite: createDiscloseCryptosuite({
+    // selectively disclose the entire credential subject; different JSON
+    // pointers could be provided to selectively disclose different information;
+    // the issuer will have mandatory fields that will be automatically
+    // disclosed such as the `issuer` and `issuanceDate` fields
+    selectivePointers: [
+      '/credentialSubject'
+    ]
+  })
+});
+
+const derivedVC = await vc.derive({
+  verifiableCredential, suite, documentLoader
+});
+console.log(JSON.stringify(derivedVC, null, 2));
+```
+
 ### Creating a Verifiable Presentation
 
 Pre-requisites:

package/lib/contexts/index.js

@@ -1,12 +1,10 @@
 /*!
- * Copyright (c) 2019-2023 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2019-2024 Digital Bazaar, Inc. All rights reserved.
  */
 import {
-  contexts as credentialContexts
-} from 'credentials-context';
+  contexts as credentialsContexts
+} from '@digitalbazaar/credentials-context';
 
-export const contexts = new Map();
-
-for(const [url, context] of credentialContexts.entries()) {
-  contexts.set(url, context);
-}
+export const contexts = new Map([
+  ...credentialsContexts
+]);

package/lib/helpers.js

@@ -0,0 +1,103 @@
+/*!
+ * Copyright (c) 2023 Digital Bazaar, Inc. All rights reserved.
+ */
+import {named as vcNamedContexts} from '@digitalbazaar/credentials-context';
+
+// Z and T must be uppercase
+// xml schema date time RegExp
+// @see https://www.w3.org/TR/xmlschema11-2/#dateTime
+export const dateRegex = new RegExp(
+  '-?([1-9][0-9]{3,}|0[0-9]{3})' +
+  '-(0[1-9]|1[0-2])' +
+  '-(0[1-9]|[12][0-9]|3[01])' +
+  'T(([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9](\.[0-9]+)?|(24:00:00(\.0+)?))' +
+  '(Z|(\\+|-)((0[0-9]|1[0-3]):[0-5][0-9]|14:00))?');
+
+const CREDENTIALS_CONTEXT_V1_URL = vcNamedContexts.get('v1').id;
+const CREDENTIALS_CONTEXT_V2_URL = vcNamedContexts.get('v2').id;
+
+// mappings between credentials contexts and version numbers
+const credentialsContextUrlToVersion = new Map([
+  [CREDENTIALS_CONTEXT_V1_URL, 1.0],
+  [CREDENTIALS_CONTEXT_V2_URL, 2.0]
+]);
+const credentialsVersionToContextUrl = new Map([
+  [1.0, CREDENTIALS_CONTEXT_V1_URL],
+  [2.0, CREDENTIALS_CONTEXT_V2_URL]
+]);
+
+/**
+ * Asserts that a context array's first item is a credentials context.
+ *
+ * @param {object} options - Options.
+ * @param {Array} options.context - An array of contexts.
+ *
+ * @throws {Error} - Throws if the first context
+ *   is not a credentials context.
+ *
+ * @returns {undefined}
+ */
+export function assertCredentialContext({context}) {
+  // ensure first context is credentials context url
+  if(!credentialsContextUrlToVersion.has(context[0])) {
+    // throw if the first context is not a credentials context
+    throw new Error(
+      `"${CREDENTIALS_CONTEXT_V1_URL}" or "${CREDENTIALS_CONTEXT_V2_URL}"` +
+      ' needs to be first in the list of contexts.');
+  }
+}
+
+/**
+ * Throws if a Date is not in the correct format.
+ *
+ * @param {object} options - Options.
+ * @param {object} options.credential - A VC.
+ * @param {string} options.prop - A prop in the object.
+ *
+ * @throws {Error} Throws if the date is not a proper date string.
+ * @returns {undefined}
+ */
+export function assertDateString({credential, prop}) {
+  const value = credential[prop];
+  if(!dateRegex.test(value)) {
+    throw new Error(`"${prop}" must be a valid date: ${value}`);
+  }
+}
+
+/**
+ * Turns the first context in a VC into a numbered version.
+ *
+ * @param {object} options - Options.
+ * @param {object} options.credential - A VC.
+ *
+ * @returns {number} A number representing the version.
+ */
+function getContextVersion({credential} = {}) {
+  const firstContext = credential?.['@context']?.[0];
+  return credentialsContextUrlToVersion.get(firstContext);
+}
+
+/**
+ * Turns the first context in a VC into a numbered version.
+ *
+ * @param {object} options - Options.
+ * @param {number} options.version - A credentials context version.
+ *
+ * @returns {number} A number representing the version.
+ */
+export function getContextForVersion({version}) {
+  return credentialsVersionToContextUrl.get(version);
+}
+
+/**
+ * Checks if a VC is using a specific context version.
+ *
+ * @param {object} options - Options.
+ * @param {object} options.credential - A VC.
+ * @param {number} options.version - A VC Context version
+ *
+ * @returns {boolean} If the first context matches the version.
+ */
+export function checkContextVersion({credential, version}) {
+  return getContextVersion({credential}) === version;
+}

package/lib/index.js

@@ -34,27 +34,22 @@
  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+import {
+  assertCredentialContext,
+  assertDateString,
+  checkContextVersion,
+  getContextForVersion
+} from './helpers.js';
 import {documentLoader as _documentLoader} from './documentLoader.js';
 import {CredentialIssuancePurpose} from './CredentialIssuancePurpose.js';
 import jsigs from 'jsonld-signatures';
 import jsonld from 'jsonld';
-export const defaultDocumentLoader =
-  jsigs.extendContextLoader(_documentLoader);
-import * as credentialsContext from 'credentials-context';
 
 const {AssertionProofPurpose, AuthenticationProofPurpose} = jsigs.purposes;
-const {constants: {CREDENTIALS_CONTEXT_V1_URL}} = credentialsContext;
-
+export {dateRegex} from './helpers.js';
+export const defaultDocumentLoader = jsigs.extendContextLoader(_documentLoader);
 export {CredentialIssuancePurpose};
 
-// Z and T can be lowercase
-// RFC3339 regex
-export const dateRegex = new RegExp('^(\\d{4})-(0[1-9]|1[0-2])-' +
-    '(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):' +
-    '([0-5][0-9]):([0-5][0-9]|60)' +
-    '(\\.[0-9]+)?(Z|(\\+|-)([01][0-9]|2[0-3]):' +
-    '([0-5][0-9]))$', 'i');
-
 /**
  * @typedef {object} LinkedDataSignature
  */
@@ -131,9 +126,10 @@ export async function issue({
   if(!credential) {
     throw new TypeError('"credential" parameter is required for issuing.');
   }
-
-  // Set the issuance date to now(), if missing
-  if(!credential.issuanceDate) {
+  if(checkContextVersion({
+    credential,
+    version: 1.0
+  }) && !credential.issuanceDate) {
     const now = (new Date()).toJSON();
     credential.issuanceDate = `${now.slice(0, now.length - 5)}Z`;
   }
@@ -167,7 +163,8 @@ export async function derive({
   documentLoader = defaultDocumentLoader
 } = {}) {
   if(!verifiableCredential) {
-    throw new TypeError('"credential" parameter is required for deriving.');
+    throw new TypeError(
+      '"verifiableCredential" parameter is required for deriving.');
   }
   if(!suite) {
     throw new TypeError('"suite" parameter is required for deriving.');
@@ -342,7 +339,6 @@ async function _verifyCredential(options = {}) {
       result.verified = false;
     }
   }
-
   return result;
 }
 
@@ -356,6 +352,7 @@ async function _verifyCredential(options = {}) {
  * @param {string} [options.holder] - Optional presentation holder url.
  * @param {string|Date} [options.now] - A string representing date time in
  *   ISO 8601 format or an instance of Date. Defaults to current date time.
+ * @param {number} [options.version = 2.0] - The VC context version to use.
  *
  * @throws {TypeError} If verifiableCredential param is missing.
  * @throws {Error} If the credential (or the presentation params) are missing
@@ -365,10 +362,11 @@ async function _verifyCredential(options = {}) {
  *   VerifiablePresentation.
  */
 export function createPresentation({
-  verifiableCredential, id, holder, now
+  verifiableCredential, id, holder, now, version = 2.0
 } = {}) {
+  const initialContext = getContextForVersion({version});
   const presentation = {
-    '@context': [CREDENTIALS_CONTEXT_V1_URL],
+    '@context': [initialContext],
     type: ['VerifiablePresentation']
   };
   if(verifiableCredential) {
@@ -547,13 +545,7 @@ export function _checkPresentation(presentation) {
   // normalize to an array to allow the common case of context being a string
   const context = Array.isArray(presentation['@context']) ?
     presentation['@context'] : [presentation['@context']];
-
-  // ensure first context is 'https://www.w3.org/2018/credentials/v1'
-  if(context[0] !== CREDENTIALS_CONTEXT_V1_URL) {
-    throw new Error(
-      `"${CREDENTIALS_CONTEXT_V1_URL}" needs to be first in the ` +
-      'list of contexts.');
-  }
+  assertCredentialContext({context});
 
   const types = jsonld.getValues(presentation, 'type');
 
@@ -563,6 +555,15 @@ export function _checkPresentation(presentation) {
   }
 }
 
+// these props of a VC must be an object with a type
+// if present in a VC or VP
+const mustHaveType = [
+  'proof',
+  'credentialStatus',
+  'termsOfUse',
+  'evidence'
+];
+
 // export for testing
 /**
  * @param {object} options - The options.
@@ -582,12 +583,7 @@ export function _checkCredential({
   if(typeof now === 'string') {
     now = new Date(now);
   }
-  // ensure first context is 'https://www.w3.org/2018/credentials/v1'
-  if(credential['@context'][0] !== CREDENTIALS_CONTEXT_V1_URL) {
-    throw new Error(
-      `"${CREDENTIALS_CONTEXT_V1_URL}" needs to be first in the ` +
-      'list of contexts.');
-  }
+  assertCredentialContext({context: credential['@context']});
 
   // check type presence and cardinality
   if(!credential.type) {
@@ -598,47 +594,71 @@ export function _checkCredential({
     throw new Error('"type" must include `VerifiableCredential`.');
   }
 
-  if(!credential.credentialSubject) {
-    throw new Error('"credentialSubject" property is required.');
-  }
-
-  // If credentialSubject.id is present and is not a URI, reject it
-  if(credential.credentialSubject.id) {
-    _validateUriId({
-      id: credential.credentialSubject.id, propertyName: 'credentialSubject.id'
-    });
-  }
+  _checkCredentialSubjects({credential});
 
   if(!credential.issuer) {
     throw new Error('"issuer" property is required.');
   }
+  if(checkContextVersion({credential, version: 1.0})) {
+    // check issuanceDate exists
+    if(!credential.issuanceDate) {
+      throw new Error('"issuanceDate" property is required.');
+    }
+    // check issuanceDate format on issue
+    assertDateString({credential, prop: 'issuanceDate'});
 
-  // check issuanceDate cardinality
-  if(jsonld.getValues(credential, 'issuanceDate').length > 1) {
-    throw new Error('"issuanceDate" property can only have one value.');
-  }
-
-  // check issued is a date
-  if(!credential.issuanceDate) {
-    throw new Error('"issuanceDate" property is required.');
-  }
-
-  if('issuanceDate' in credential) {
-    let {issuanceDate} = credential;
-    if(!dateRegex.test(issuanceDate)) {
-      throw new Error(`"issuanceDate" must be a valid date: ${issuanceDate}`);
+    // check issuanceDate cardinality
+    if(jsonld.getValues(credential, 'issuanceDate').length > 1) {
+      throw new Error('"issuanceDate" property can only have one value.');
+    }
+    // optionally check expirationDate
+    if('expirationDate' in credential) {
+      // check if `expirationDate` property is a date
+      assertDateString({credential, prop: 'expirationDate'});
+      if(mode === 'verify') {
+        // check if `now` is after `expirationDate`
+        if(now > new Date(credential.expirationDate)) {
+          throw new Error('Credential has expired.');
+        }
+      }
     }
     // check if `now` is before `issuanceDate` on verification
     if(mode === 'verify') {
-      issuanceDate = new Date(issuanceDate);
+      const issuanceDate = new Date(credential.issuanceDate);
       if(now < issuanceDate) {
         throw new Error(
           `The current date time (${now.toISOString()}) is before the ` +
-          `"issuanceDate" (${issuanceDate.toISOString()}).`);
+          `"issuanceDate" (${credential.issuanceDate}).`);
+      }
+    }
+  }
+  if(checkContextVersion({credential, version: 2.0})) {
+    // check if 'validUntil' and 'validFrom'
+    let {validUntil, validFrom} = credential;
+    if(validUntil) {
+      assertDateString({credential, prop: 'validUntil'});
+      if(mode === 'verify') {
+        validUntil = new Date(credential.validUntil);
+        if(now > validUntil) {
+          throw new Error(
+            `The current date time (${now.toISOString()}) is after ` +
+            `"validUntil" (${credential.validUntil}).`);
+        }
+      }
+    }
+    if(validFrom) {
+      assertDateString({credential, prop: 'validFrom'});
+      if(mode === 'verify') {
+      // check if `now` is before `validFrom`
+        validFrom = new Date(credential.validFrom);
+        if(now < validFrom) {
+          throw new Error(
+            `The current date time (${now.toISOString()}) is before ` +
+            `"validFrom" (${credential.validFrom}).`);
+        }
       }
     }
   }
-
   // check issuer cardinality
   if(jsonld.getValues(credential, 'issuer').length > 1) {
     throw new Error('"issuer" property can only have one value.');
@@ -653,14 +673,18 @@ export function _checkCredential({
     _validateUriId({id: issuer, propertyName: 'issuer'});
   }
 
-  if('credentialStatus' in credential) {
-    if(Array.isArray(credential.credentialStatus) ? credential.credentialStatus.some(cs => !cs.id) : !credential.credentialStatus.id) {
-      throw new Error('"credentialStatus" must include an id.');
+  // check credentialStatus
+  jsonld.getValues(credential, 'credentialStatus').forEach(cs => {
+    // check if optional "id" is a URL
+    if('id' in cs) {
+      _validateUriId({id: cs.id, propertyName: 'credentialStatus.id'});
     }
-    if(Array.isArray(credential.credentialStatus) ? credential.credentialStatus.some(cs => !cs.type) : !credential.credentialStatus.type) {
+
+    // check "type" present
+    if(!cs.type) {
       throw new Error('"credentialStatus" must include a type.');
     }
-  }
+  });
 
   // check evidences are URLs
   jsonld.getValues(credential, 'evidence').forEach(evidence => {
@@ -670,20 +694,144 @@ export function _checkCredential({
     }
   });
 
-  if('expirationDate' in credential) {
-    const {expirationDate} = credential;
-    // check if `expirationDate` property is a date
-    if(!dateRegex.test(expirationDate)) {
-      throw new Error(
-        `"expirationDate" must be a valid date: ${expirationDate}`);
-    }
-    // check if `now` is after `expirationDate`
-    if(now > new Date(expirationDate)) {
-      throw new Error('Credential has expired.');
+  // check if properties that require a type are
+  // defined, objects, and objects with types
+  for(const prop of mustHaveType) {
+    if(prop in credential) {
+      const _value = credential[prop];
+      if(Array.isArray(_value)) {
+        _value.forEach(entry => _checkTypedObject(entry, prop));
+        continue;
+      }
+      _checkTypedObject(_value, prop);
     }
   }
 }
 
+/**
+ * @private
+ * Checks that a property is non-empty object with
+ * property type.
+ *
+ * @param {object} obj - A potential object.
+ * @param {string} name - The name of the property.
+ *
+ * @throws {Error} if the property is not an object with a type.
+ *
+ * @returns {undefined} - Returns on success.
+ */
+function _checkTypedObject(obj, name) {
+  if(!isObject(obj)) {
+    throw new Error(`property "${name}" must be an object.`);
+  }
+  if(_emptyObject(obj)) {
+    throw new Error(`property "${name}" can not be an empty object.`);
+  }
+  if(!('type' in obj)) {
+    throw new Error(`property "${name}" must have property type.`);
+  }
+}
+
+/**
+ * @private
+ * Takes in a credential and checks the credentialSubject(s)
+ *
+ * @param {object} options - Options.
+ * @param {object} options.credential - The credential to check.
+ *
+ * @throws {Error} error - Throws on errors in the credential subject.
+ *
+ * @returns {undefined} - Returns on success.
+*/
+function _checkCredentialSubjects({credential}) {
+  if(!credential?.credentialSubject) {
+    throw new Error('"credentialSubject" property is required.');
+  }
+  if(Array.isArray(credential?.credentialSubject)) {
+    return credential?.credentialSubject.map(
+      subject => _checkCredentialSubject({subject}));
+  }
+  return _checkCredentialSubject({subject: credential?.credentialSubject});
+}
+
+/**
+ * @private
+ *
+ * Checks a credential subject is valid.
+ *
+ * @param {object} options - Options.
+ * @param {object} options.subject - A potential credential subject.
+ *
+ * @throws {Error} If the credentialSubject is not valid.
+ *
+ * @returns {undefined} Returns on success.
+ */
+function _checkCredentialSubject({subject}) {
+  if(isObject(subject) === false) {
+    throw new Error('"credentialSubject" must be a non-null object.');
+  }
+  if(_emptyObject(subject)) {
+    throw new Error('"credentialSubject" must make a claim.');
+  }
+  // If credentialSubject.id is present and is not a URI, reject it
+  if(subject.id) {
+    _validateUriId({
+      id: subject.id, propertyName: 'credentialSubject.id'
+    });
+  }
+}
+
+/**
+ * @private
+ * Checks if parameter is an object.
+ *
+ * @param {object} obj - A potential object.
+ *
+ * @returns {boolean} - Returns false if not an object or null.
+ */
+function isObject(obj) {
+  // return false for null even though it has type object
+  if(obj === null) {
+    return false;
+  }
+  // if something has type object and is not null return true
+  if((typeof obj) === 'object') {
+    return true;
+  }
+  // return false for strings, symbols, etc.
+  return false;
+}
+
+/**
+ * @private
+ * Is it an empty object?
+ *
+ * @param {object} obj - A potential object.
+ *
+ * @returns {boolean} - Is it empty?
+ */
+function _emptyObject(obj) {
+  // if the parameter is not an object return true
+  // as a non-object is an empty object
+  if(!isObject(obj)) {
+    return true;
+  }
+  return Object.keys(obj).length === 0;
+}
+
+/**
+ * @private
+ *
+ * Validates if an ID is a URL.
+ *
+ * @param {object} options - Options.
+ * @param {string} options.id - the id.
+ * @param {string} options.propertyName - The property name.
+ *
+ * @throws {Error} Throws if an id is not a URL.
+ *
+ * @returns {undefined} Returns on success.
+ */
 function _validateUriId({id, propertyName}) {
   let parsed;
   try {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@digitalbazaar/vc",
-  "version": "6.2.0",
+  "version": "7.0.0",
   "description": "Verifiable Credentials JavaScript library.",
   "homepage": "https://github.com/digitalbazaar/vc",
   "author": {
@@ -28,41 +28,45 @@
     "lib/**/*.js"
   ],
   "dependencies": {
-    "credentials-context": "^2.0.0",
+    "@digitalbazaar/credentials-context": "^3.1.0",
+    "ed25519-signature-2018-context": "^1.1.0",
     "jsonld": "^8.3.1",
     "jsonld-signatures": "^11.2.1"
   },
   "devDependencies": {
+    "@digitalbazaar/bbs-2023-cryptosuite": "^1.2.0",
+    "@digitalbazaar/bls12-381-multikey": "^1.3.0",
     "@digitalbazaar/credentials-examples-context": "^1.0.0",
-    "@digitalbazaar/data-integrity": "^2.0.0",
-    "@digitalbazaar/data-integrity-context": "^2.0.0",
-    "@digitalbazaar/ecdsa-multikey": "^1.6.0",
-    "@digitalbazaar/ecdsa-sd-2023-cryptosuite": "^3.0.0",
+    "@digitalbazaar/data-integrity": "^2.2.0",
+    "@digitalbazaar/data-integrity-context": "^2.0.1",
+    "@digitalbazaar/ecdsa-multikey": "^1.7.0",
+    "@digitalbazaar/ecdsa-sd-2023-cryptosuite": "^3.2.1",
     "@digitalbazaar/ed25519-signature-2018": "^4.0.0",
     "@digitalbazaar/ed25519-verification-key-2018": "^4.0.0",
-    "@digitalbazaar/multikey-context": "^1.0.0",
+    "@digitalbazaar/multikey-context": "^2.0.1",
     "@digitalbazaar/odrl-context": "^1.0.0",
-    "c8": "^8.0.1",
-    "chai": "^4.3.7",
+    "c8": "^10.1.2",
+    "chai": "^4.5.0",
     "cross-env": "^7.0.3",
     "did-context": "^3.1.1",
     "did-veres-one": "^16.0.0",
-    "eslint": "^8.53.0",
-    "eslint-config-digitalbazaar": "^5.0.1",
-    "eslint-plugin-jsdoc": "^46.9.0",
-    "eslint-plugin-unicorn": "^49.0.0",
-    "karma": "^6.4.1",
+    "eslint": "^8.57.0",
+    "eslint-config-digitalbazaar": "^5.2.0",
+    "eslint-plugin-jsdoc": "^48.10.2",
+    "eslint-plugin-unicorn": "^55.0.0",
+    "karma": "^6.4.4",
     "karma-chai": "^0.1.0",
-    "karma-chrome-launcher": "^3.1.1",
+    "karma-chrome-launcher": "^3.2.0",
     "karma-mocha": "^2.0.1",
     "karma-mocha-reporter": "^2.2.5",
     "karma-sourcemap-loader": "^0.4.0",
-    "karma-webpack": "^5.0.0",
-    "mocha": "^10.2.0",
+    "karma-webpack": "^5.0.1",
+    "klona": "^2.0.6",
+    "mocha": "^10.7.0",
     "mocha-lcov-reporter": "^1.3.0",
-    "uuid": "^9.0.0",
+    "uuid": "^10.0.0",
     "veres-one-context": "^12.0.0",
-    "webpack": "^5.75.0"
+    "webpack": "^5.93.0"
   },
   "c8": {
     "reporter": [
@@ -72,7 +76,7 @@
     ]
   },
   "engines": {
-    "node": ">=14"
+    "node": ">=18"
   },
   "keywords": [
     "JSON",