@sd-jwt/core 0.19.1-next.9 → 0.20.1-next.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +28 -0
- package/dist/index.d.mts +22 -9
- package/dist/index.d.ts +22 -9
- package/dist/index.js +89 -31
- package/dist/index.mjs +89 -31
- package/package.json +2 -2
- package/src/decode/decode.ts +14 -4
- package/src/index.ts +69 -18
- package/src/jwt.ts +7 -0
- package/src/kbjwt.ts +15 -10
- package/src/test/index.spec.ts +192 -0
- package/src/test/kbjwt.spec.ts +211 -0
- package/src/utils/disclosure.ts +10 -7
- package/src/utils/strict-json.ts +17 -0
- package/test/app-e2e.spec.ts +31 -0
package/src/test/kbjwt.spec.ts
CHANGED
|
@@ -6,6 +6,7 @@ import {
|
|
|
6
6
|
type JwtPayload,
|
|
7
7
|
KB_JWT_TYP,
|
|
8
8
|
type KbVerifier,
|
|
9
|
+
type kbPayload,
|
|
9
10
|
type Signer,
|
|
10
11
|
} from '../types';
|
|
11
12
|
import type { SDJWTException } from '../utils';
|
|
@@ -287,6 +288,216 @@ describe('KB JWT', () => {
|
|
|
287
288
|
}
|
|
288
289
|
});
|
|
289
290
|
|
|
291
|
+
test('verify failed with expired exp claim', async () => {
|
|
292
|
+
const { privateKey, publicKey } = Crypto.generateKeyPairSync('ed25519');
|
|
293
|
+
const testSigner: Signer = async (data: string) => {
|
|
294
|
+
const sig = Crypto.sign(null, Buffer.from(data), privateKey);
|
|
295
|
+
return Buffer.from(sig).toString('base64url');
|
|
296
|
+
};
|
|
297
|
+
|
|
298
|
+
const payload = {
|
|
299
|
+
cnf: {
|
|
300
|
+
jwk: await exportJWK(publicKey),
|
|
301
|
+
},
|
|
302
|
+
};
|
|
303
|
+
const testVerifier: KbVerifier = async (
|
|
304
|
+
data: string,
|
|
305
|
+
sig: string,
|
|
306
|
+
payload: JwtPayload,
|
|
307
|
+
) => {
|
|
308
|
+
const publicKey = payload.cnf?.jwk;
|
|
309
|
+
return Crypto.verify(
|
|
310
|
+
null,
|
|
311
|
+
Buffer.from(data),
|
|
312
|
+
(await importJWK(publicKey as JWK, 'EdDSA')) as KeyLike,
|
|
313
|
+
Buffer.from(sig, 'base64url'),
|
|
314
|
+
);
|
|
315
|
+
};
|
|
316
|
+
|
|
317
|
+
const kbJwt = new KBJwt({
|
|
318
|
+
header: {
|
|
319
|
+
typ: KB_JWT_TYP,
|
|
320
|
+
alg: 'EdDSA',
|
|
321
|
+
},
|
|
322
|
+
payload: {
|
|
323
|
+
iat: 1,
|
|
324
|
+
aud: 'aud',
|
|
325
|
+
nonce: 'nonce',
|
|
326
|
+
sd_hash: 'hash',
|
|
327
|
+
// expired one hour before the current date used below
|
|
328
|
+
exp: 1000,
|
|
329
|
+
} as kbPayload,
|
|
330
|
+
});
|
|
331
|
+
const encodedKbJwt = await kbJwt.sign(testSigner);
|
|
332
|
+
const decoded = KBJwt.fromKBEncode(encodedKbJwt);
|
|
333
|
+
|
|
334
|
+
await expect(
|
|
335
|
+
decoded.verifyKB({
|
|
336
|
+
verifier: testVerifier,
|
|
337
|
+
payload,
|
|
338
|
+
nonce: 'nonce',
|
|
339
|
+
options: { currentDate: 5000 },
|
|
340
|
+
}),
|
|
341
|
+
).rejects.toThrow('Verify Error: JWT is expired');
|
|
342
|
+
});
|
|
343
|
+
|
|
344
|
+
test('verify failed with iat in the future', async () => {
|
|
345
|
+
const { privateKey, publicKey } = Crypto.generateKeyPairSync('ed25519');
|
|
346
|
+
const testSigner: Signer = async (data: string) => {
|
|
347
|
+
const sig = Crypto.sign(null, Buffer.from(data), privateKey);
|
|
348
|
+
return Buffer.from(sig).toString('base64url');
|
|
349
|
+
};
|
|
350
|
+
|
|
351
|
+
const payload = {
|
|
352
|
+
cnf: {
|
|
353
|
+
jwk: await exportJWK(publicKey),
|
|
354
|
+
},
|
|
355
|
+
};
|
|
356
|
+
const testVerifier: KbVerifier = async (
|
|
357
|
+
data: string,
|
|
358
|
+
sig: string,
|
|
359
|
+
payload: JwtPayload,
|
|
360
|
+
) => {
|
|
361
|
+
const publicKey = payload.cnf?.jwk;
|
|
362
|
+
return Crypto.verify(
|
|
363
|
+
null,
|
|
364
|
+
Buffer.from(data),
|
|
365
|
+
(await importJWK(publicKey as JWK, 'EdDSA')) as KeyLike,
|
|
366
|
+
Buffer.from(sig, 'base64url'),
|
|
367
|
+
);
|
|
368
|
+
};
|
|
369
|
+
|
|
370
|
+
const kbJwt = new KBJwt({
|
|
371
|
+
header: {
|
|
372
|
+
typ: KB_JWT_TYP,
|
|
373
|
+
alg: 'EdDSA',
|
|
374
|
+
},
|
|
375
|
+
payload: {
|
|
376
|
+
iat: 5000,
|
|
377
|
+
aud: 'aud',
|
|
378
|
+
nonce: 'nonce',
|
|
379
|
+
sd_hash: 'hash',
|
|
380
|
+
},
|
|
381
|
+
});
|
|
382
|
+
const encodedKbJwt = await kbJwt.sign(testSigner);
|
|
383
|
+
const decoded = KBJwt.fromKBEncode(encodedKbJwt);
|
|
384
|
+
|
|
385
|
+
await expect(
|
|
386
|
+
decoded.verifyKB({
|
|
387
|
+
verifier: testVerifier,
|
|
388
|
+
payload,
|
|
389
|
+
nonce: 'nonce',
|
|
390
|
+
// iat (5000) is after the current date (1000)
|
|
391
|
+
options: { currentDate: 1000 },
|
|
392
|
+
}),
|
|
393
|
+
).rejects.toThrow('Verify Error: JWT is not yet valid');
|
|
394
|
+
});
|
|
395
|
+
|
|
396
|
+
test('verify failed with nbf in the future', async () => {
|
|
397
|
+
const { privateKey, publicKey } = Crypto.generateKeyPairSync('ed25519');
|
|
398
|
+
const testSigner: Signer = async (data: string) => {
|
|
399
|
+
const sig = Crypto.sign(null, Buffer.from(data), privateKey);
|
|
400
|
+
return Buffer.from(sig).toString('base64url');
|
|
401
|
+
};
|
|
402
|
+
|
|
403
|
+
const payload = {
|
|
404
|
+
cnf: {
|
|
405
|
+
jwk: await exportJWK(publicKey),
|
|
406
|
+
},
|
|
407
|
+
};
|
|
408
|
+
const testVerifier: KbVerifier = async (
|
|
409
|
+
data: string,
|
|
410
|
+
sig: string,
|
|
411
|
+
payload: JwtPayload,
|
|
412
|
+
) => {
|
|
413
|
+
const publicKey = payload.cnf?.jwk;
|
|
414
|
+
return Crypto.verify(
|
|
415
|
+
null,
|
|
416
|
+
Buffer.from(data),
|
|
417
|
+
(await importJWK(publicKey as JWK, 'EdDSA')) as KeyLike,
|
|
418
|
+
Buffer.from(sig, 'base64url'),
|
|
419
|
+
);
|
|
420
|
+
};
|
|
421
|
+
|
|
422
|
+
const kbJwt = new KBJwt({
|
|
423
|
+
header: {
|
|
424
|
+
typ: KB_JWT_TYP,
|
|
425
|
+
alg: 'EdDSA',
|
|
426
|
+
},
|
|
427
|
+
payload: {
|
|
428
|
+
iat: 1,
|
|
429
|
+
aud: 'aud',
|
|
430
|
+
nonce: 'nonce',
|
|
431
|
+
sd_hash: 'hash',
|
|
432
|
+
nbf: 5000,
|
|
433
|
+
} as kbPayload,
|
|
434
|
+
});
|
|
435
|
+
const encodedKbJwt = await kbJwt.sign(testSigner);
|
|
436
|
+
const decoded = KBJwt.fromKBEncode(encodedKbJwt);
|
|
437
|
+
|
|
438
|
+
await expect(
|
|
439
|
+
decoded.verifyKB({
|
|
440
|
+
verifier: testVerifier,
|
|
441
|
+
payload,
|
|
442
|
+
nonce: 'nonce',
|
|
443
|
+
options: { currentDate: 1000 },
|
|
444
|
+
}),
|
|
445
|
+
).rejects.toThrow('Verify Error: JWT is not yet valid');
|
|
446
|
+
});
|
|
447
|
+
|
|
448
|
+
test('verify succeeds for expired exp within the allowed skew', async () => {
|
|
449
|
+
const { privateKey, publicKey } = Crypto.generateKeyPairSync('ed25519');
|
|
450
|
+
const testSigner: Signer = async (data: string) => {
|
|
451
|
+
const sig = Crypto.sign(null, Buffer.from(data), privateKey);
|
|
452
|
+
return Buffer.from(sig).toString('base64url');
|
|
453
|
+
};
|
|
454
|
+
|
|
455
|
+
const payload = {
|
|
456
|
+
cnf: {
|
|
457
|
+
jwk: await exportJWK(publicKey),
|
|
458
|
+
},
|
|
459
|
+
};
|
|
460
|
+
const testVerifier: KbVerifier = async (
|
|
461
|
+
data: string,
|
|
462
|
+
sig: string,
|
|
463
|
+
payload: JwtPayload,
|
|
464
|
+
) => {
|
|
465
|
+
const publicKey = payload.cnf?.jwk;
|
|
466
|
+
return Crypto.verify(
|
|
467
|
+
null,
|
|
468
|
+
Buffer.from(data),
|
|
469
|
+
(await importJWK(publicKey as JWK, 'EdDSA')) as KeyLike,
|
|
470
|
+
Buffer.from(sig, 'base64url'),
|
|
471
|
+
);
|
|
472
|
+
};
|
|
473
|
+
|
|
474
|
+
const kbJwt = new KBJwt({
|
|
475
|
+
header: {
|
|
476
|
+
typ: KB_JWT_TYP,
|
|
477
|
+
alg: 'EdDSA',
|
|
478
|
+
},
|
|
479
|
+
payload: {
|
|
480
|
+
iat: 1,
|
|
481
|
+
aud: 'aud',
|
|
482
|
+
nonce: 'nonce',
|
|
483
|
+
sd_hash: 'hash',
|
|
484
|
+
exp: 1000,
|
|
485
|
+
} as kbPayload,
|
|
486
|
+
});
|
|
487
|
+
const encodedKbJwt = await kbJwt.sign(testSigner);
|
|
488
|
+
const decoded = KBJwt.fromKBEncode(encodedKbJwt);
|
|
489
|
+
|
|
490
|
+
// exp (1000) is before the current date (1100) but within the 200s skew
|
|
491
|
+
const verified = await decoded.verifyKB({
|
|
492
|
+
verifier: testVerifier,
|
|
493
|
+
payload,
|
|
494
|
+
nonce: 'nonce',
|
|
495
|
+
options: { currentDate: 1100, skewSeconds: 200 },
|
|
496
|
+
});
|
|
497
|
+
|
|
498
|
+
expect(verified.payload.exp).toBe(1000);
|
|
499
|
+
});
|
|
500
|
+
|
|
290
501
|
test('compatibility test for version 06', async () => {
|
|
291
502
|
const { privateKey, publicKey } = Crypto.generateKeyPairSync('ed25519');
|
|
292
503
|
const testSigner: Signer = async (data: string) => {
|
package/src/utils/disclosure.ts
CHANGED
|
@@ -1,10 +1,7 @@
|
|
|
1
1
|
import type { DisclosureData, HasherAndAlg, HasherAndAlgSync } from '../types';
|
|
2
|
-
import {
|
|
3
|
-
base64urlDecode,
|
|
4
|
-
base64urlEncode,
|
|
5
|
-
uint8ArrayToBase64Url,
|
|
6
|
-
} from './base64url';
|
|
2
|
+
import { base64urlEncode, uint8ArrayToBase64Url } from './base64url';
|
|
7
3
|
import { SDJWTException } from './error';
|
|
4
|
+
import { decodeBase64urlJsonStrict } from './strict-json';
|
|
8
5
|
|
|
9
6
|
export class Disclosure<T = unknown> {
|
|
10
7
|
public salt: string;
|
|
@@ -42,7 +39,10 @@ export class Disclosure<T = unknown> {
|
|
|
42
39
|
const { hasher, alg } = hash;
|
|
43
40
|
const digest = await hasher(s, alg);
|
|
44
41
|
const digestStr = uint8ArrayToBase64Url(digest);
|
|
45
|
-
const item =
|
|
42
|
+
const item = decodeBase64urlJsonStrict<DisclosureData<T>>(
|
|
43
|
+
s,
|
|
44
|
+
'Invalid disclosure data',
|
|
45
|
+
);
|
|
46
46
|
return Disclosure.fromArray<T>(item, { digest: digestStr, encoded: s });
|
|
47
47
|
}
|
|
48
48
|
|
|
@@ -50,7 +50,10 @@ export class Disclosure<T = unknown> {
|
|
|
50
50
|
const { hasher, alg } = hash;
|
|
51
51
|
const digest = hasher(s, alg);
|
|
52
52
|
const digestStr = uint8ArrayToBase64Url(digest);
|
|
53
|
-
const item =
|
|
53
|
+
const item = decodeBase64urlJsonStrict<DisclosureData<T>>(
|
|
54
|
+
s,
|
|
55
|
+
'Invalid disclosure data',
|
|
56
|
+
);
|
|
54
57
|
return Disclosure.fromArray<T>(item, { digest: digestStr, encoded: s });
|
|
55
58
|
}
|
|
56
59
|
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
import { base64UrlToUint8Array } from './base64url';
|
|
2
|
+
import { SDJWTException } from './error';
|
|
3
|
+
|
|
4
|
+
const utf8Decoder = new TextDecoder('utf-8', { fatal: true });
|
|
5
|
+
|
|
6
|
+
export const decodeBase64urlJsonStrict = <T>(
|
|
7
|
+
encoded: string,
|
|
8
|
+
errorMessage: string,
|
|
9
|
+
): T => {
|
|
10
|
+
try {
|
|
11
|
+
const bytes = base64UrlToUint8Array(encoded);
|
|
12
|
+
const decoded = utf8Decoder.decode(bytes);
|
|
13
|
+
return JSON.parse(decoded) as T;
|
|
14
|
+
} catch {
|
|
15
|
+
throw new SDJWTException(errorMessage);
|
|
16
|
+
}
|
|
17
|
+
};
|
package/test/app-e2e.spec.ts
CHANGED
|
@@ -135,6 +135,37 @@ describe('App', () => {
|
|
|
135
135
|
expect(verified).toBeDefined();
|
|
136
136
|
});
|
|
137
137
|
|
|
138
|
+
test('rejects tampered disclosure bytes', async () => {
|
|
139
|
+
const { signer, verifier } = createSignerVerifier();
|
|
140
|
+
const sdjwt = new SDJwtInstance<SdJwtPayload>({
|
|
141
|
+
signer,
|
|
142
|
+
signAlg: 'EdDSA',
|
|
143
|
+
verifier,
|
|
144
|
+
hasher: digest,
|
|
145
|
+
hashAlg: 'sha-256',
|
|
146
|
+
saltGenerator: generateSalt,
|
|
147
|
+
});
|
|
148
|
+
|
|
149
|
+
const claims = {
|
|
150
|
+
firstname: 'John',
|
|
151
|
+
lastname: 'Doe',
|
|
152
|
+
};
|
|
153
|
+
const disclosureFrame: DisclosureFrame<typeof claims> = {
|
|
154
|
+
_sd: ['firstname', 'lastname'],
|
|
155
|
+
};
|
|
156
|
+
|
|
157
|
+
const encodedSdjwt = await sdjwt.issue(claims, disclosureFrame);
|
|
158
|
+
const parts = encodedSdjwt.split('~');
|
|
159
|
+
const disclosureBytes = Buffer.from(parts[1], 'base64url');
|
|
160
|
+
disclosureBytes[2] = 0xf2;
|
|
161
|
+
parts[1] = Buffer.from(disclosureBytes).toString('base64url');
|
|
162
|
+
const tamperedSdjwt = parts.join('~');
|
|
163
|
+
|
|
164
|
+
await expect(sdjwt.verify(tamperedSdjwt)).rejects.toThrow(
|
|
165
|
+
'Invalid disclosure data',
|
|
166
|
+
);
|
|
167
|
+
});
|
|
168
|
+
|
|
138
169
|
test('From JSON (complex)', async () => {
|
|
139
170
|
await JSONtest('./complex.json');
|
|
140
171
|
});
|