@sd-jwt/core 0.12.0 → 0.12.1-next.1

package/dist/index.d.mts

@@ -25,7 +25,14 @@ declare class Jwt<Header extends Record<string, unknown> = Record<string, unknow
     protected getUnsignedToken(): string;
     sign(signer: Signer): Promise<string>;
     encodeJwt(): string;
-    verify(verifier: Verifier): Promise<{
+    /**
+     * Verify the JWT using the provided verifier function.
+     * It checks the signature and validates the iat, nbf, and exp claims if they are present.
+     * @param verifier
+     * @param currentDate
+     * @returns
+     */
+    verify(verifier: Verifier, currentDate?: number): Promise<{
         payload: Payload | undefined;
         header: Header | undefined;
     }>;
@@ -197,7 +204,14 @@ declare class SDJwtInstance<ExtendedPayload extends SdJwtPayload> {
         };
     }>;
     private calculateSDHash;
-    validate(encodedSDJwt: string): Promise<{
+    /**
+     * This function is for validating the SD JWT
+     * Checking signature, if provided the iat and exp when provided and return its the claims
+     * @param encodedSDJwt
+     * @param currentDate
+     * @returns
+     */
+    validate(encodedSDJwt: string, currentDate?: number): Promise<{
         payload: unknown;
         header: Record<string, unknown> | undefined;
     }>;

package/dist/index.d.ts

@@ -25,7 +25,14 @@ declare class Jwt<Header extends Record<string, unknown> = Record<string, unknow
     protected getUnsignedToken(): string;
     sign(signer: Signer): Promise<string>;
     encodeJwt(): string;
-    verify(verifier: Verifier): Promise<{
+    /**
+     * Verify the JWT using the provided verifier function.
+     * It checks the signature and validates the iat, nbf, and exp claims if they are present.
+     * @param verifier
+     * @param currentDate
+     * @returns
+     */
+    verify(verifier: Verifier, currentDate?: number): Promise<{
         payload: Payload | undefined;
         header: Header | undefined;
     }>;
@@ -197,7 +204,14 @@ declare class SDJwtInstance<ExtendedPayload extends SdJwtPayload> {
         };
     }>;
     private calculateSDHash;
-    validate(encodedSDJwt: string): Promise<{
+    /**
+     * This function is for validating the SD JWT
+     * Checking signature, if provided the iat and exp when provided and return its the claims
+     * @param encodedSDJwt
+     * @param currentDate
+     * @returns
+     */
+    validate(encodedSDJwt: string, currentDate?: number): Promise<{
         payload: unknown;
         header: Record<string, unknown> | undefined;
     }>;

package/dist/index.js

@@ -143,8 +143,25 @@ var Jwt = class _Jwt {
     this.encoded = compact;
     return compact;
   }
-  verify(verifier) {
-    return __async(this, null, function* () {
+  /**
+   * Verify the JWT using the provided verifier function.
+   * It checks the signature and validates the iat, nbf, and exp claims if they are present.
+   * @param verifier
+   * @param currentDate
+   * @returns
+   */
+  verify(_0) {
+    return __async(this, arguments, function* (verifier, currentDate = Math.floor(Date.now() / 1e3)) {
+      var _a, _b, _c;
+      if (((_a = this.payload) == null ? void 0 : _a.iat) && this.payload.iat > currentDate) {
+        throw new import_utils.SDJWTException("Verify Error: JWT is not yet valid");
+      }
+      if (((_b = this.payload) == null ? void 0 : _b.nbf) && this.payload.nbf > currentDate) {
+        throw new import_utils.SDJWTException("Verify Error: JWT is not yet valid");
+      }
+      if (((_c = this.payload) == null ? void 0 : _c.exp) && this.payload.exp < currentDate) {
+        throw new import_utils.SDJWTException("Verify Error: JWT is expired");
+      }
       if (!this.signature) {
         throw new import_utils.SDJWTException("Verify Error: no signature in JWT");
       }
@@ -655,12 +672,12 @@ var _SDJwtInstance = class _SDJwtInstance {
       return jwt;
     });
   }
-  VerifyJwt(jwt) {
+  VerifyJwt(jwt, currentDate) {
     return __async(this, null, function* () {
       if (!this.userConfig.verifier) {
         throw new import_utils7.SDJWTException("Verifier not found");
       }
-      return jwt.verify(this.userConfig.verifier);
+      return jwt.verify(this.userConfig.verifier, currentDate);
     });
   }
   issue(payload, disclosureFrame, options) {
@@ -804,10 +821,15 @@ var _SDJwtInstance = class _SDJwtInstance {
       return sdHashStr;
     });
   }
-  // This function is for validating the SD JWT
-  // Just checking signature and return its the claims
-  validate(encodedSDJwt) {
-    return __async(this, null, function* () {
+  /**
+   * This function is for validating the SD JWT
+   * Checking signature, if provided the iat and exp when provided and return its the claims
+   * @param encodedSDJwt
+   * @param currentDate
+   * @returns
+   */
+  validate(_0) {
+    return __async(this, arguments, function* (encodedSDJwt, currentDate = Math.floor(Date.now() / 1e3)) {
       if (!this.userConfig.hasher) {
         throw new import_utils7.SDJWTException("Hasher not found");
       }
@@ -816,7 +838,7 @@ var _SDJwtInstance = class _SDJwtInstance {
       if (!sdjwt.jwt) {
         throw new import_utils7.SDJWTException("Invalid SD JWT");
       }
-      const verifiedPayloads = yield this.VerifyJwt(sdjwt.jwt);
+      const verifiedPayloads = yield this.VerifyJwt(sdjwt.jwt, currentDate);
       const claims = yield sdjwt.getClaims(hasher);
       return { payload: claims, header: verifiedPayloads.header };
     });

package/dist/index.mjs

@@ -118,8 +118,25 @@ var Jwt = class _Jwt {
     this.encoded = compact;
     return compact;
   }
-  verify(verifier) {
-    return __async(this, null, function* () {
+  /**
+   * Verify the JWT using the provided verifier function.
+   * It checks the signature and validates the iat, nbf, and exp claims if they are present.
+   * @param verifier
+   * @param currentDate
+   * @returns
+   */
+  verify(_0) {
+    return __async(this, arguments, function* (verifier, currentDate = Math.floor(Date.now() / 1e3)) {
+      var _a, _b, _c;
+      if (((_a = this.payload) == null ? void 0 : _a.iat) && this.payload.iat > currentDate) {
+        throw new SDJWTException("Verify Error: JWT is not yet valid");
+      }
+      if (((_b = this.payload) == null ? void 0 : _b.nbf) && this.payload.nbf > currentDate) {
+        throw new SDJWTException("Verify Error: JWT is not yet valid");
+      }
+      if (((_c = this.payload) == null ? void 0 : _c.exp) && this.payload.exp < currentDate) {
+        throw new SDJWTException("Verify Error: JWT is expired");
+      }
       if (!this.signature) {
         throw new SDJWTException("Verify Error: no signature in JWT");
       }
@@ -640,12 +657,12 @@ var _SDJwtInstance = class _SDJwtInstance {
       return jwt;
     });
   }
-  VerifyJwt(jwt) {
+  VerifyJwt(jwt, currentDate) {
     return __async(this, null, function* () {
       if (!this.userConfig.verifier) {
         throw new SDJWTException6("Verifier not found");
       }
-      return jwt.verify(this.userConfig.verifier);
+      return jwt.verify(this.userConfig.verifier, currentDate);
     });
   }
   issue(payload, disclosureFrame, options) {
@@ -789,10 +806,15 @@ var _SDJwtInstance = class _SDJwtInstance {
       return sdHashStr;
     });
   }
-  // This function is for validating the SD JWT
-  // Just checking signature and return its the claims
-  validate(encodedSDJwt) {
-    return __async(this, null, function* () {
+  /**
+   * This function is for validating the SD JWT
+   * Checking signature, if provided the iat and exp when provided and return its the claims
+   * @param encodedSDJwt
+   * @param currentDate
+   * @returns
+   */
+  validate(_0) {
+    return __async(this, arguments, function* (encodedSDJwt, currentDate = Math.floor(Date.now() / 1e3)) {
       if (!this.userConfig.hasher) {
         throw new SDJWTException6("Hasher not found");
       }
@@ -801,7 +823,7 @@ var _SDJwtInstance = class _SDJwtInstance {
       if (!sdjwt.jwt) {
         throw new SDJWTException6("Invalid SD JWT");
       }
-      const verifiedPayloads = yield this.VerifyJwt(sdjwt.jwt);
+      const verifiedPayloads = yield this.VerifyJwt(sdjwt.jwt, currentDate);
       const claims = yield sdjwt.getClaims(hasher);
       return { payload: claims, header: verifiedPayloads.header };
     });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sd-jwt/core",
-  "version": "0.12.0",
+  "version": "0.12.1-next.1+0a2f20b",
   "description": "sd-jwt draft 7 implementation in typescript",
   "main": "dist/index.js",
   "module": "dist/index.mjs",
@@ -38,13 +38,13 @@
   },
   "license": "Apache-2.0",
   "devDependencies": {
-    "@sd-jwt/crypto-nodejs": "0.12.0"
+    "@sd-jwt/crypto-nodejs": "0.12.1-next.1+0a2f20b"
   },
   "dependencies": {
-    "@sd-jwt/decode": "0.12.0",
-    "@sd-jwt/present": "0.12.0",
-    "@sd-jwt/types": "0.12.0",
-    "@sd-jwt/utils": "0.12.0"
+    "@sd-jwt/decode": "0.12.1-next.1+0a2f20b",
+    "@sd-jwt/present": "0.12.1-next.1+0a2f20b",
+    "@sd-jwt/types": "0.12.1-next.1+0a2f20b",
+    "@sd-jwt/utils": "0.12.1-next.1+0a2f20b"
   },
   "publishConfig": {
     "access": "public"
@@ -62,5 +62,5 @@
       "esm"
     ]
   },
-  "gitHead": "36e0b22eb619f3ca9ae8522a26617e50c3680526"
+  "gitHead": "0a2f20b6383d2356540e7a9cc37748c7b9caced2"
 }

package/src/index.ts

@@ -86,11 +86,11 @@ export class SDJwtInstance<ExtendedPayload extends SdJwtPayload> {
     return jwt;
   }
 
-  private async VerifyJwt(jwt: Jwt) {
+  private async VerifyJwt(jwt: Jwt, currentDate: number) {
     if (!this.userConfig.verifier) {
       throw new SDJWTException('Verifier not found');
     }
-    return jwt.verify(this.userConfig.verifier);
+    return jwt.verify(this.userConfig.verifier, currentDate);
   }
 
   public async issue<Payload extends ExtendedPayload>(
@@ -273,9 +273,17 @@ export class SDJwtInstance<ExtendedPayload extends SdJwtPayload> {
     return sdHashStr;
   }
 
-  // This function is for validating the SD JWT
-  // Just checking signature and return its the claims
-  public async validate(encodedSDJwt: string) {
+  /**
+   * This function is for validating the SD JWT
+   * Checking signature, if provided the iat and exp when provided and return its the claims
+   * @param encodedSDJwt
+   * @param currentDate
+   * @returns
+   */
+  public async validate(
+    encodedSDJwt: string,
+    currentDate: number = Math.floor(Date.now() / 1000),
+  ) {
     if (!this.userConfig.hasher) {
       throw new SDJWTException('Hasher not found');
     }
@@ -286,7 +294,7 @@ export class SDJwtInstance<ExtendedPayload extends SdJwtPayload> {
       throw new SDJWTException('Invalid SD JWT');
     }
 
-    const verifiedPayloads = await this.VerifyJwt(sdjwt.jwt);
+    const verifiedPayloads = await this.VerifyJwt(sdjwt.jwt, currentDate);
     const claims = await sdjwt.getClaims(hasher);
     return { payload: claims, header: verifiedPayloads.header };
   }

package/src/jwt.ts

@@ -113,7 +113,28 @@ export class Jwt<
     return compact;
   }
 
-  public async verify(verifier: Verifier) {
+  /**
+   * Verify the JWT using the provided verifier function.
+   * It checks the signature and validates the iat, nbf, and exp claims if they are present.
+   * @param verifier
+   * @param currentDate
+   * @returns
+   */
+  public async verify(
+    verifier: Verifier,
+    currentDate = Math.floor(Date.now() / 1000),
+  ) {
+    if (this.payload?.iat && (this.payload.iat as number) > currentDate) {
+      throw new SDJWTException('Verify Error: JWT is not yet valid');
+    }
+
+    if (this.payload?.nbf && (this.payload.nbf as number) > currentDate) {
+      throw new SDJWTException('Verify Error: JWT is not yet valid');
+    }
+    if (this.payload?.exp && (this.payload.exp as number) < currentDate) {
+      throw new SDJWTException('Verify Error: JWT is expired');
+    }
+
     if (!this.signature) {
       throw new SDJWTException('Verify Error: no signature in JWT');
     }

package/src/test/index.spec.ts

@@ -49,7 +49,7 @@ describe('index', () => {
       {
         foo: 'bar',
         iss: 'Issuer',
-        iat: new Date().getTime(),
+        iat: Math.floor(Date.now() / 1000),
         vct: '',
       },
       {
@@ -89,7 +89,7 @@ describe('index', () => {
       {
         foo: 'bar',
         iss: 'Issuer',
-        iat: new Date().getTime(),
+        iat: Math.floor(Date.now() / 1000),
         vct: '',
       },
       {
@@ -124,7 +124,7 @@ describe('index', () => {
       {
         foo: 'bar',
         iss: 'Issuer',
-        iat: new Date().getTime(),
+        iat: Math.floor(Date.now() / 1000),
         vct: '',
       },
       {
@@ -165,7 +165,7 @@ describe('index', () => {
       {
         foo: 'bar',
         iss: 'Issuer',
-        iat: new Date().getTime(),
+        iat: Math.floor(Date.now() / 1000),
         vct: '',
       },
       {
@@ -239,7 +239,7 @@ describe('index', () => {
     const credential = await sdjwt.issue(
       {
         foo: 'bar',
-        iat: new Date().getTime(),
+        iat: Math.floor(Date.now() / 1000),
         cnf: {
           jwk: await exportJWK(publicKey),
         },
@@ -274,7 +274,7 @@ describe('index', () => {
         {
           foo: 'bar',
           iss: 'Issuer',
-          iat: new Date().getTime(),
+          iat: Math.floor(Date.now() / 1000),
           vct: '',
         },
         {
@@ -297,7 +297,7 @@ describe('index', () => {
         {
           foo: 'bar',
           iss: 'Issuer',
-          iat: new Date().getTime(),
+          iat: Math.floor(Date.now() / 1000),
           vct: '',
         },
         {
@@ -321,7 +321,7 @@ describe('index', () => {
         {
           foo: 'bar',
           iss: 'Issuer',
-          iat: new Date().getTime(),
+          iat: Math.floor(Date.now() / 1000),
           vct: '',
         },
         {
@@ -351,7 +351,7 @@ describe('index', () => {
       {
         foo: 'bar',
         iss: 'Issuer',
-        iat: new Date().getTime(),
+        iat: Math.floor(Date.now() / 1000),
         vct: '',
       },
       {
@@ -395,7 +395,7 @@ describe('index', () => {
       {
         foo: 'bar',
         iss: 'Issuer',
-        iat: new Date().getTime(),
+        iat: Math.floor(Date.now() / 1000),
         vct: '',
       },
       {
@@ -437,7 +437,7 @@ describe('index', () => {
       {
         foo: 'bar',
         iss: 'Issuer',
-        iat: new Date().getTime(),
+        iat: Math.floor(Date.now() / 1000),
         vct: '',
       },
       {
@@ -480,7 +480,7 @@ describe('index', () => {
       {
         foo: 'bar',
         iss: 'Issuer',
-        iat: new Date().getTime(),
+        iat: Math.floor(Date.now() / 1000),
         vct: '',
       },
       {
@@ -518,7 +518,7 @@ describe('index', () => {
       {
         foo: 'bar',
         iss: 'Issuer',
-        iat: new Date().getTime(),
+        iat: Math.floor(Date.now() / 1000),
         vct: '',
       },
       {
@@ -547,7 +547,7 @@ describe('index', () => {
       {
         foo: 'bar',
         iss: 'Issuer',
-        iat: new Date().getTime(),
+        iat: Math.floor(Date.now() / 1000),
         vct: '',
       },
       {
@@ -573,7 +573,7 @@ describe('index', () => {
       {
         foo: 'bar',
         iss: 'Issuer',
-        iat: new Date().getTime(),
+        iat: Math.floor(Date.now() / 1000),
         vct: '',
       },
       {

package/src/test/jwt.spec.ts

@@ -199,4 +199,82 @@ describe('JWT', () => {
       expect(e).toBeInstanceOf(SDJWTException);
     }
   });
+
+  test('verify with issuance date in the future', async () => {
+    const { privateKey, publicKey } = Crypto.generateKeyPairSync('ed25519');
+    const testVerifier: Verifier = async (data: string, sig: string) => {
+      return Crypto.verify(
+        null,
+        Buffer.from(data),
+        publicKey,
+        Buffer.from(sig, 'base64url'),
+      );
+    };
+
+    const jwt = new Jwt({
+      header: { alg: 'EdDSA' },
+      payload: { iat: Math.floor(Date.now() / 1000) + 100 },
+    });
+
+    try {
+      await jwt.verify(testVerifier);
+    } catch (e: unknown) {
+      expect(e).toBeInstanceOf(SDJWTException);
+      expect((e as SDJWTException).message).toBe(
+        'Verify Error: JWT is not yet valid',
+      );
+    }
+  });
+
+  test('verify with not before in the future', async () => {
+    const { privateKey, publicKey } = Crypto.generateKeyPairSync('ed25519');
+    const testVerifier: Verifier = async (data: string, sig: string) => {
+      return Crypto.verify(
+        null,
+        Buffer.from(data),
+        publicKey,
+        Buffer.from(sig, 'base64url'),
+      );
+    };
+
+    const jwt = new Jwt({
+      header: { alg: 'EdDSA' },
+      payload: { nbf: Math.floor(Date.now() / 1000) + 100 },
+    });
+
+    try {
+      await jwt.verify(testVerifier);
+    } catch (e: unknown) {
+      expect(e).toBeInstanceOf(SDJWTException);
+      expect((e as SDJWTException).message).toBe(
+        'Verify Error: JWT is not yet valid',
+      );
+    }
+  });
+
+  test('verify with expired', async () => {
+    const { privateKey, publicKey } = Crypto.generateKeyPairSync('ed25519');
+    const testVerifier: Verifier = async (data: string, sig: string) => {
+      return Crypto.verify(
+        null,
+        Buffer.from(data),
+        publicKey,
+        Buffer.from(sig, 'base64url'),
+      );
+    };
+
+    const jwt = new Jwt({
+      header: { alg: 'EdDSA' },
+      payload: { exp: Math.floor(Date.now() / 1000) },
+    });
+
+    try {
+      await jwt.verify(testVerifier, Math.floor(Date.now() / 1000) + 100);
+    } catch (e: unknown) {
+      expect(e).toBeInstanceOf(SDJWTException);
+      expect((e as SDJWTException).message).toBe(
+        'Verify Error: JWT is expired',
+      );
+    }
+  });
 });

package/test/app-e2e.spec.ts

@@ -224,7 +224,7 @@ async function JSONtest(filename: string) {
     payload: test.claims,
   });
 
-  const presentedSDJwt = await sdjwt.present<typeof claims>(
+  const presentedSDJwt = await sdjwt.present<typeof test.claims>(
     encodedSdjwt,
     test.presentationFrames,
   );