@sd-jwt/core 0.3.2-next.74 → 0.3.2-next.76

package/dist/index.d.mts

@@ -91,6 +91,7 @@ declare class SDJwtInstance {
             header: _sd_jwt_types.kbHeader;
         };
     }>;
+    private calculateSDHash;
     validate(encodedSDJwt: string): Promise<{
         payload: unknown;
         header: Record<string, unknown>;

package/dist/index.d.ts

@@ -91,6 +91,7 @@ declare class SDJwtInstance {
             header: _sd_jwt_types.kbHeader;
         };
     }>;
+    private calculateSDHash;
     validate(encodedSDJwt: string): Promise<{
         payload: unknown;
         header: Record<string, unknown>;

package/dist/index.js

@@ -403,6 +403,7 @@ var pack = (claims, disclosureFrame, hash, saltGenerator) => __async(void 0, nul
 
 // src/index.ts
 var import_types2 = require("@sd-jwt/types");
+var import_decode3 = require("@sd-jwt/decode");
 var _SDJwtInstance = class _SDJwtInstance {
   constructor(userConfig) {
     this.userConfig = {};
@@ -410,7 +411,7 @@ var _SDJwtInstance = class _SDJwtInstance {
       this.userConfig = userConfig;
     }
   }
-  createKBJwt(options) {
+  createKBJwt(options, sdHash) {
     return __async(this, null, function* () {
       if (!this.userConfig.kbSigner) {
         throw new import_utils5.SDJWTException("Key Binding Signer not found");
@@ -424,7 +425,7 @@ var _SDJwtInstance = class _SDJwtInstance {
           typ: import_types2.KB_JWT_TYP,
           alg: this.userConfig.kbSignAlg
         },
-        payload
+        payload: __spreadProps(__spreadValues({}, payload), { sd_hash: sdHash })
       });
       yield kbJwt.sign(this.userConfig.kbSigner);
       return kbJwt;
@@ -474,7 +475,7 @@ var _SDJwtInstance = class _SDJwtInstance {
       const jwt = new Jwt({
         header,
         payload: __spreadProps(__spreadValues({}, packedClaims), {
-          _sd_alg: hashAlg
+          _sd_alg: disclosureFrame ? hashAlg : void 0
         })
       });
       yield this.SignJwt(jwt);
@@ -487,6 +488,7 @@ var _SDJwtInstance = class _SDJwtInstance {
   }
   present(encodedSDJwt, presentationKeys, options) {
     return __async(this, null, function* () {
+      var _a;
       if (!presentationKeys)
         return encodedSDJwt;
       if (!this.userConfig.hasher) {
@@ -494,8 +496,21 @@ var _SDJwtInstance = class _SDJwtInstance {
       }
       const hasher = this.userConfig.hasher;
       const sdjwt = yield SDJwt.fromEncode(encodedSDJwt, hasher);
-      const kbJwt = (options == null ? void 0 : options.kb) ? yield this.createKBJwt(options.kb) : void 0;
-      sdjwt.kbJwt = kbJwt;
+      if (!((_a = sdjwt.jwt) == null ? void 0 : _a.payload))
+        throw new import_utils5.SDJWTException("Payload not found");
+      const presentSdJwtWithoutKb = yield sdjwt.present(
+        presentationKeys.sort(),
+        hasher
+      );
+      if (!(options == null ? void 0 : options.kb)) {
+        return presentSdJwtWithoutKb;
+      }
+      const sdHashStr = yield this.calculateSDHash(
+        presentSdJwtWithoutKb,
+        sdjwt,
+        hasher
+      );
+      sdjwt.kbJwt = yield this.createKBJwt(options.kb, sdHashStr);
       return sdjwt.present(presentationKeys.sort(), hasher);
     });
   }
@@ -509,7 +524,7 @@ var _SDJwtInstance = class _SDJwtInstance {
       }
       const hasher = this.userConfig.hasher;
       const sdjwt = yield SDJwt.fromEncode(encodedSDJwt, hasher);
-      if (!sdjwt.jwt) {
+      if (!sdjwt.jwt || !sdjwt.jwt.payload) {
         throw new import_utils5.SDJWTException("Invalid SD JWT");
       }
       const { payload, header } = yield this.validate(encodedSDJwt);
@@ -532,9 +547,34 @@ var _SDJwtInstance = class _SDJwtInstance {
         throw new import_utils5.SDJWTException("Key Binding Verifier not found");
       }
       const kb = yield sdjwt.kbJwt.verify(this.userConfig.kbVerifier);
+      const sdHashfromKb = kb.payload.sd_hash;
+      const sdjwtWithoutKb = new SDJwt({
+        jwt: sdjwt.jwt,
+        disclosures: sdjwt.disclosures
+      });
+      const presentSdJwtWithoutKb = sdjwtWithoutKb.encodeSDJwt();
+      const sdHashStr = yield this.calculateSDHash(
+        presentSdJwtWithoutKb,
+        sdjwt,
+        hasher
+      );
+      if (sdHashStr !== sdHashfromKb) {
+        throw new import_utils5.SDJWTException("Invalid sd_hash in Key Binding JWT");
+      }
       return { payload, header, kb };
     });
   }
+  calculateSDHash(presentSdJwtWithoutKb, sdjwt, hasher) {
+    return __async(this, null, function* () {
+      if (!sdjwt.jwt || !sdjwt.jwt.payload) {
+        throw new import_utils5.SDJWTException("Invalid SD JWT");
+      }
+      const { _sd_alg } = (0, import_decode3.getSDAlgAndPayload)(sdjwt.jwt.payload);
+      const sdHash = yield hasher(presentSdJwtWithoutKb, _sd_alg);
+      const sdHashStr = (0, import_utils5.Uint8ArrayToBase64Url)(sdHash);
+      return sdHashStr;
+    });
+  }
   // This function is for validating the SD JWT
   // Just checking signature and return its the claims
   validate(encodedSDJwt) {

package/dist/index.mjs

@@ -42,7 +42,7 @@ var __async = (__this, __arguments, generator) => {
 };
 
 // src/index.ts
-import { SDJWTException as SDJWTException4 } from "@sd-jwt/utils";
+import { SDJWTException as SDJWTException4, Uint8ArrayToBase64Url as Uint8ArrayToBase64Url2 } from "@sd-jwt/utils";
 
 // src/jwt.ts
 import { Base64urlEncode, SDJWTException } from "@sd-jwt/utils";
@@ -381,9 +381,10 @@ var pack = (claims, disclosureFrame, hash, saltGenerator) => __async(void 0, nul
 
 // src/index.ts
 import {
-  KB_JWT_TYP,
+  KB_JWT_TYP as KB_JWT_TYP2,
   SD_JWT_TYP
 } from "@sd-jwt/types";
+import { getSDAlgAndPayload as getSDAlgAndPayload2 } from "@sd-jwt/decode";
 var _SDJwtInstance = class _SDJwtInstance {
   constructor(userConfig) {
     this.userConfig = {};
@@ -391,7 +392,7 @@ var _SDJwtInstance = class _SDJwtInstance {
       this.userConfig = userConfig;
     }
   }
-  createKBJwt(options) {
+  createKBJwt(options, sdHash) {
     return __async(this, null, function* () {
       if (!this.userConfig.kbSigner) {
         throw new SDJWTException4("Key Binding Signer not found");
@@ -402,10 +403,10 @@ var _SDJwtInstance = class _SDJwtInstance {
       const { payload } = options;
       const kbJwt = new KBJwt({
         header: {
-          typ: KB_JWT_TYP,
+          typ: KB_JWT_TYP2,
           alg: this.userConfig.kbSignAlg
         },
-        payload
+        payload: __spreadProps(__spreadValues({}, payload), { sd_hash: sdHash })
       });
       yield kbJwt.sign(this.userConfig.kbSigner);
       return kbJwt;
@@ -455,7 +456,7 @@ var _SDJwtInstance = class _SDJwtInstance {
       const jwt = new Jwt({
         header,
         payload: __spreadProps(__spreadValues({}, packedClaims), {
-          _sd_alg: hashAlg
+          _sd_alg: disclosureFrame ? hashAlg : void 0
         })
       });
       yield this.SignJwt(jwt);
@@ -468,6 +469,7 @@ var _SDJwtInstance = class _SDJwtInstance {
   }
   present(encodedSDJwt, presentationKeys, options) {
     return __async(this, null, function* () {
+      var _a;
       if (!presentationKeys)
         return encodedSDJwt;
       if (!this.userConfig.hasher) {
@@ -475,8 +477,21 @@ var _SDJwtInstance = class _SDJwtInstance {
       }
       const hasher = this.userConfig.hasher;
       const sdjwt = yield SDJwt.fromEncode(encodedSDJwt, hasher);
-      const kbJwt = (options == null ? void 0 : options.kb) ? yield this.createKBJwt(options.kb) : void 0;
-      sdjwt.kbJwt = kbJwt;
+      if (!((_a = sdjwt.jwt) == null ? void 0 : _a.payload))
+        throw new SDJWTException4("Payload not found");
+      const presentSdJwtWithoutKb = yield sdjwt.present(
+        presentationKeys.sort(),
+        hasher
+      );
+      if (!(options == null ? void 0 : options.kb)) {
+        return presentSdJwtWithoutKb;
+      }
+      const sdHashStr = yield this.calculateSDHash(
+        presentSdJwtWithoutKb,
+        sdjwt,
+        hasher
+      );
+      sdjwt.kbJwt = yield this.createKBJwt(options.kb, sdHashStr);
       return sdjwt.present(presentationKeys.sort(), hasher);
     });
   }
@@ -490,7 +505,7 @@ var _SDJwtInstance = class _SDJwtInstance {
       }
       const hasher = this.userConfig.hasher;
       const sdjwt = yield SDJwt.fromEncode(encodedSDJwt, hasher);
-      if (!sdjwt.jwt) {
+      if (!sdjwt.jwt || !sdjwt.jwt.payload) {
         throw new SDJWTException4("Invalid SD JWT");
       }
       const { payload, header } = yield this.validate(encodedSDJwt);
@@ -513,9 +528,34 @@ var _SDJwtInstance = class _SDJwtInstance {
         throw new SDJWTException4("Key Binding Verifier not found");
       }
       const kb = yield sdjwt.kbJwt.verify(this.userConfig.kbVerifier);
+      const sdHashfromKb = kb.payload.sd_hash;
+      const sdjwtWithoutKb = new SDJwt({
+        jwt: sdjwt.jwt,
+        disclosures: sdjwt.disclosures
+      });
+      const presentSdJwtWithoutKb = sdjwtWithoutKb.encodeSDJwt();
+      const sdHashStr = yield this.calculateSDHash(
+        presentSdJwtWithoutKb,
+        sdjwt,
+        hasher
+      );
+      if (sdHashStr !== sdHashfromKb) {
+        throw new SDJWTException4("Invalid sd_hash in Key Binding JWT");
+      }
       return { payload, header, kb };
     });
   }
+  calculateSDHash(presentSdJwtWithoutKb, sdjwt, hasher) {
+    return __async(this, null, function* () {
+      if (!sdjwt.jwt || !sdjwt.jwt.payload) {
+        throw new SDJWTException4("Invalid SD JWT");
+      }
+      const { _sd_alg } = getSDAlgAndPayload2(sdjwt.jwt.payload);
+      const sdHash = yield hasher(presentSdJwtWithoutKb, _sd_alg);
+      const sdHashStr = Uint8ArrayToBase64Url2(sdHash);
+      return sdHashStr;
+    });
+  }
   // This function is for validating the SD JWT
   // Just checking signature and return its the claims
   validate(encodedSDJwt) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sd-jwt/core",
-  "version": "0.3.2-next.74+d503996",
+  "version": "0.3.2-next.76+270ba1b",
   "description": "sd-jwt draft 7 implementation in typescript",
   "main": "dist/index.js",
   "module": "dist/index.mjs",
@@ -39,12 +39,12 @@
   },
   "license": "Apache-2.0",
   "devDependencies": {
-    "@sd-jwt/crypto-nodejs": "0.3.2-next.74+d503996"
+    "@sd-jwt/crypto-nodejs": "0.3.2-next.76+270ba1b"
   },
   "dependencies": {
-    "@sd-jwt/decode": "0.3.2-next.74+d503996",
-    "@sd-jwt/types": "0.3.2-next.74+d503996",
-    "@sd-jwt/utils": "0.3.2-next.74+d503996"
+    "@sd-jwt/decode": "0.3.2-next.76+270ba1b",
+    "@sd-jwt/types": "0.3.2-next.76+270ba1b",
+    "@sd-jwt/utils": "0.3.2-next.76+270ba1b"
   },
   "publishConfig": {
     "access": "public"
@@ -62,5 +62,5 @@
       "esm"
     ]
   },
-  "gitHead": "d5039962a53cb1b55a28dc956d71eab865c05917"
+  "gitHead": "270ba1b51bde3fd8c4f2dc7d9eaf09e1225c7873"
 }

package/src/index.ts

@@ -1,15 +1,17 @@
-import { SDJWTException } from '@sd-jwt/utils';
+import { SDJWTException, Uint8ArrayToBase64Url } from '@sd-jwt/utils';
 import { Jwt } from './jwt';
 import { KBJwt } from './kbjwt';
 import { SDJwt, pack } from './sdjwt';
 import {
   DisclosureFrame,
+  Hasher,
   KBOptions,
   KB_JWT_TYP,
   SDJWTCompact,
   SDJWTConfig,
   SD_JWT_TYP,
 } from '@sd-jwt/types';
+import { getSDAlgAndPayload } from '@sd-jwt/decode';
 
 export * from './sdjwt';
 export * from './kbjwt';
@@ -27,20 +29,24 @@ export class SDJwtInstance {
     }
   }
 
-  private async createKBJwt(options: KBOptions): Promise<KBJwt> {
+  private async createKBJwt(
+    options: KBOptions,
+    sdHash: string,
+  ): Promise<KBJwt> {
     if (!this.userConfig.kbSigner) {
       throw new SDJWTException('Key Binding Signer not found');
     }
     if (!this.userConfig.kbSignAlg) {
       throw new SDJWTException('Key Binding sign algorithm not specified');
     }
+
     const { payload } = options;
     const kbJwt = new KBJwt({
       header: {
         typ: KB_JWT_TYP,
         alg: this.userConfig.kbSignAlg,
       },
-      payload,
+      payload: { ...payload, sd_hash: sdHash },
     });
 
     await kbJwt.sign(this.userConfig.kbSigner);
@@ -100,7 +106,7 @@ export class SDJwtInstance {
       header,
       payload: {
         ...packedClaims,
-        _sd_alg: hashAlg,
+        _sd_alg: disclosureFrame ? hashAlg : undefined,
       },
     });
     await this.SignJwt(jwt);
@@ -127,9 +133,24 @@ export class SDJwtInstance {
     const hasher = this.userConfig.hasher;
 
     const sdjwt = await SDJwt.fromEncode(encodedSDJwt, hasher);
-    const kbJwt = options?.kb ? await this.createKBJwt(options.kb) : undefined;
-    sdjwt.kbJwt = kbJwt;
 
+    if (!sdjwt.jwt?.payload) throw new SDJWTException('Payload not found');
+    const presentSdJwtWithoutKb = await sdjwt.present(
+      presentationKeys.sort(),
+      hasher,
+    );
+
+    if (!options?.kb) {
+      return presentSdJwtWithoutKb;
+    }
+
+    const sdHashStr = await this.calculateSDHash(
+      presentSdJwtWithoutKb,
+      sdjwt,
+      hasher,
+    );
+
+    sdjwt.kbJwt = await this.createKBJwt(options.kb, sdHashStr);
     return sdjwt.present(presentationKeys.sort(), hasher);
   }
 
@@ -147,7 +168,7 @@ export class SDJwtInstance {
     const hasher = this.userConfig.hasher;
 
     const sdjwt = await SDJwt.fromEncode(encodedSDJwt, hasher);
-    if (!sdjwt.jwt) {
+    if (!sdjwt.jwt || !sdjwt.jwt.payload) {
       throw new SDJWTException('Invalid SD JWT');
     }
     const { payload, header } = await this.validate(encodedSDJwt);
@@ -173,9 +194,40 @@ export class SDJwtInstance {
       throw new SDJWTException('Key Binding Verifier not found');
     }
     const kb = await sdjwt.kbJwt.verify(this.userConfig.kbVerifier);
+    const sdHashfromKb = kb.payload.sd_hash;
+    const sdjwtWithoutKb = new SDJwt({
+      jwt: sdjwt.jwt,
+      disclosures: sdjwt.disclosures,
+    });
+
+    const presentSdJwtWithoutKb = sdjwtWithoutKb.encodeSDJwt();
+    const sdHashStr = await this.calculateSDHash(
+      presentSdJwtWithoutKb,
+      sdjwt,
+      hasher,
+    );
+
+    if (sdHashStr !== sdHashfromKb) {
+      throw new SDJWTException('Invalid sd_hash in Key Binding JWT');
+    }
+
     return { payload, header, kb };
   }
 
+  private async calculateSDHash(
+    presentSdJwtWithoutKb: string,
+    sdjwt: SDJwt,
+    hasher: Hasher,
+  ) {
+    if (!sdjwt.jwt || !sdjwt.jwt.payload) {
+      throw new SDJWTException('Invalid SD JWT');
+    }
+    const { _sd_alg } = getSDAlgAndPayload(sdjwt.jwt.payload);
+    const sdHash = await hasher(presentSdJwtWithoutKb, _sd_alg);
+    const sdHashStr = Uint8ArrayToBase64Url(sdHash);
+    return sdHashStr;
+  }
+
   // This function is for validating the SD JWT
   // Just checking signature and return its the claims
   public async validate(encodedSDJwt: string) {

package/src/sdjwt.ts

@@ -6,12 +6,15 @@ import {
   DisclosureFrame,
   Hasher,
   HasherAndAlg,
+  KBOptions,
+  KB_JWT_TYP,
   SDJWTCompact,
   SD_DECOY,
   SD_DIGEST,
   SD_LIST_KEY,
   SD_SEPARATOR,
   SaltGenerator,
+  Signer,
   kbHeader,
   kbPayload,
 } from '@sd-jwt/types';

package/src/test/index.spec.ts

@@ -52,7 +52,6 @@ describe('index', () => {
     const presentation = await sdjwt.present(credential, ['foo'], {
       kb: {
         payload: {
-          sd_hash: 'sha-256',
           aud: '1',
           iat: 1,
           nonce: '342',
@@ -154,8 +153,7 @@ describe('index', () => {
     const presentation = await sdjwt.present(credential, ['foo'], {
       kb: {
         payload: {
-          sd_hash: '',
-          aud: '1',
+          aud: '',
           iat: 1,
           nonce: '342',
         },
@@ -194,7 +192,6 @@ describe('index', () => {
     const presentation = await sdjwt.present(credential, ['foo'], {
       kb: {
         payload: {
-          sd_hash: 'sha-256',
           aud: '1',
           iat: 1,
           nonce: '342',
@@ -289,7 +286,6 @@ describe('index', () => {
     const presentation = await sdjwt.present(credential, ['foo'], {
       kb: {
         payload: {
-          sd_hash: 'sha-256',
           aud: '1',
           iat: 1,
           nonce: '342',
@@ -327,7 +323,6 @@ describe('index', () => {
       const presentation = await sdjwt.present(credential, ['foo'], {
         kb: {
           payload: {
-            sd_hash: 'sha-256',
             aud: '1',
             iat: 1,
             nonce: '342',
@@ -363,7 +358,6 @@ describe('index', () => {
     const presentation = await sdjwt.present(credential, ['foo'], {
       kb: {
         payload: {
-          sd_hash: 'sha-256',
           aud: '1',
           iat: 1,
           nonce: '342',