@sd-jwt/core 0.3.2-next.75 → 0.3.2-next.94

package/README.md

@@ -32,44 +32,7 @@ Ensure you have Node.js installed as a prerequisite.
 
 ### Usage
 
-Here's a basic example of how to use this library:
-
-```jsx
-import { DisclosureFrame } from '@sd-jwt/core';
-
-// Issuer defines the claims object with the user's information
-const claims = {
-  firstname: 'John',
-  lastname: 'Doe',
-  ssn: '123-45-6789',
-  id: '1234',
-};
-
-// Issuer defines the disclosure frame to specify which claims can be disclosed/undisclosed
-const disclosureFrame: DisclosureFrame<typeof claims> = {
-  _sd: ['firstname', 'lastname', 'ssn'],
-};
-
-// Issuer issues a signed JWT credential with the specified claims and disclosure frame
-// returns an encoded JWT
-const credential = await sdjwt.issue(claims, disclosureFrame);
-
-// Holder may validate the credential from the issuer
-const valid = await sdjwt.validate(credential);
-
-// Holder defines the presentation frame to specify which claims should be presented
-// The list of presented claims must be a subset of the disclosed claims
-const presentationFrame = ['firstname', 'ssn'];
-
-// Holder creates a presentation using the issued credential and the presentation frame
-// returns an encoded SD JWT.
-const presentation = await sdjwt.present(credential, presentationFrame);
-
-// Verifier can verify the presentation using the Issuer's public key
-const verified = await sdjwt.verify(presentation);
-```
-
-Check out more details in our [documentation](https://github.com/openwallet-foundation-labs/sd-jwt-js/tree/next/docs) or [examples](https://github.com/openwallet-foundation-labs/sd-jwt-js/tree/next/examples)
+This library can not be used on it's own, it is a dependency for other implementations like `@sd-jwt/sd-jwt-vc`.
 
 ### Dependencies
 

package/dist/index.d.mts

@@ -66,16 +66,19 @@ declare const pack: <T extends Record<string, unknown>>(claims: T, disclosureFra
 
 declare const createDecoy: (hash: HasherAndAlg, saltGenerator: SaltGenerator) => Promise<string>;
 
-declare class SDJwtInstance {
+type SdJwtPayload = Record<string, unknown>;
+declare abstract class SDJwtInstance<ExtendedPayload extends SdJwtPayload> {
+    protected abstract type: string;
     static DEFAULT_hashAlg: string;
     private userConfig;
     constructor(userConfig?: SDJWTConfig);
     private createKBJwt;
     private SignJwt;
     private VerifyJwt;
-    issue<Payload extends Record<string, unknown>>(payload: Payload, disclosureFrame?: DisclosureFrame<Payload>, options?: {
+    issue<Payload extends ExtendedPayload>(payload: Payload, disclosureFrame?: DisclosureFrame<Payload>, options?: {
         header?: object;
     }): Promise<SDJWTCompact>;
+    protected abstract validateReservedFields<T extends ExtendedPayload>(disclosureFrame: DisclosureFrame<T>): void;
     present(encodedSDJwt: string, presentationKeys?: string[], options?: {
         kb?: KBOptions;
     }): Promise<SDJWTCompact>;
@@ -91,6 +94,7 @@ declare class SDJwtInstance {
             header: _sd_jwt_types.kbHeader;
         };
     }>;
+    private calculateSDHash;
     validate(encodedSDJwt: string): Promise<{
         payload: unknown;
         header: Record<string, unknown>;
@@ -103,4 +107,4 @@ declare class SDJwtInstance {
     getClaims(endcodedSDJwt: SDJWTCompact): Promise<unknown>;
 }
 
-export { Jwt, type JwtData, KBJwt, SDJwt, type SDJwtData, SDJwtInstance, createDecoy, listKeys, pack };
+export { Jwt, type JwtData, KBJwt, SDJwt, type SDJwtData, SDJwtInstance, type SdJwtPayload, createDecoy, listKeys, pack };

package/dist/index.d.ts

@@ -66,16 +66,19 @@ declare const pack: <T extends Record<string, unknown>>(claims: T, disclosureFra
 
 declare const createDecoy: (hash: HasherAndAlg, saltGenerator: SaltGenerator) => Promise<string>;
 
-declare class SDJwtInstance {
+type SdJwtPayload = Record<string, unknown>;
+declare abstract class SDJwtInstance<ExtendedPayload extends SdJwtPayload> {
+    protected abstract type: string;
     static DEFAULT_hashAlg: string;
     private userConfig;
     constructor(userConfig?: SDJWTConfig);
     private createKBJwt;
     private SignJwt;
     private VerifyJwt;
-    issue<Payload extends Record<string, unknown>>(payload: Payload, disclosureFrame?: DisclosureFrame<Payload>, options?: {
+    issue<Payload extends ExtendedPayload>(payload: Payload, disclosureFrame?: DisclosureFrame<Payload>, options?: {
         header?: object;
     }): Promise<SDJWTCompact>;
+    protected abstract validateReservedFields<T extends ExtendedPayload>(disclosureFrame: DisclosureFrame<T>): void;
     present(encodedSDJwt: string, presentationKeys?: string[], options?: {
         kb?: KBOptions;
     }): Promise<SDJWTCompact>;
@@ -91,6 +94,7 @@ declare class SDJwtInstance {
             header: _sd_jwt_types.kbHeader;
         };
     }>;
+    private calculateSDHash;
     validate(encodedSDJwt: string): Promise<{
         payload: unknown;
         header: Record<string, unknown>;
@@ -103,4 +107,4 @@ declare class SDJwtInstance {
     getClaims(endcodedSDJwt: SDJWTCompact): Promise<unknown>;
 }
 
-export { Jwt, type JwtData, KBJwt, SDJwt, type SDJwtData, SDJwtInstance, createDecoy, listKeys, pack };
+export { Jwt, type JwtData, KBJwt, SDJwt, type SDJwtData, SDJwtInstance, type SdJwtPayload, createDecoy, listKeys, pack };

package/dist/index.js

@@ -403,6 +403,7 @@ var pack = (claims, disclosureFrame, hash, saltGenerator) => __async(void 0, nul
 
 // src/index.ts
 var import_types2 = require("@sd-jwt/types");
+var import_decode3 = require("@sd-jwt/decode");
 var _SDJwtInstance = class _SDJwtInstance {
   constructor(userConfig) {
     this.userConfig = {};
@@ -410,7 +411,7 @@ var _SDJwtInstance = class _SDJwtInstance {
       this.userConfig = userConfig;
     }
   }
-  createKBJwt(options) {
+  createKBJwt(options, sdHash) {
     return __async(this, null, function* () {
       if (!this.userConfig.kbSigner) {
         throw new import_utils5.SDJWTException("Key Binding Signer not found");
@@ -424,7 +425,7 @@ var _SDJwtInstance = class _SDJwtInstance {
           typ: import_types2.KB_JWT_TYP,
           alg: this.userConfig.kbSignAlg
         },
-        payload
+        payload: __spreadProps(__spreadValues({}, payload), { sd_hash: sdHash })
       });
       yield kbJwt.sign(this.userConfig.kbSigner);
       return kbJwt;
@@ -459,6 +460,9 @@ var _SDJwtInstance = class _SDJwtInstance {
       if (!this.userConfig.signAlg) {
         throw new import_utils5.SDJWTException("sign alogrithm not specified");
       }
+      if (disclosureFrame) {
+        this.validateReservedFields(disclosureFrame);
+      }
       const hasher = this.userConfig.hasher;
       const hashAlg = (_a = this.userConfig.hashAlg) != null ? _a : _SDJwtInstance.DEFAULT_hashAlg;
       const { packedClaims, disclosures } = yield pack(
@@ -469,7 +473,7 @@ var _SDJwtInstance = class _SDJwtInstance {
       );
       const alg = this.userConfig.signAlg;
       const OptionHeader = (_b = options == null ? void 0 : options.header) != null ? _b : {};
-      const CustomHeader = this.userConfig.omitTyp ? OptionHeader : __spreadValues({ typ: import_types2.SD_JWT_TYP }, OptionHeader);
+      const CustomHeader = this.userConfig.omitTyp ? OptionHeader : __spreadValues({ typ: this.type }, OptionHeader);
       const header = __spreadProps(__spreadValues({}, CustomHeader), { alg });
       const jwt = new Jwt({
         header,
@@ -487,6 +491,7 @@ var _SDJwtInstance = class _SDJwtInstance {
   }
   present(encodedSDJwt, presentationKeys, options) {
     return __async(this, null, function* () {
+      var _a;
       if (!presentationKeys)
         return encodedSDJwt;
       if (!this.userConfig.hasher) {
@@ -494,8 +499,21 @@ var _SDJwtInstance = class _SDJwtInstance {
       }
       const hasher = this.userConfig.hasher;
       const sdjwt = yield SDJwt.fromEncode(encodedSDJwt, hasher);
-      const kbJwt = (options == null ? void 0 : options.kb) ? yield this.createKBJwt(options.kb) : void 0;
-      sdjwt.kbJwt = kbJwt;
+      if (!((_a = sdjwt.jwt) == null ? void 0 : _a.payload))
+        throw new import_utils5.SDJWTException("Payload not found");
+      const presentSdJwtWithoutKb = yield sdjwt.present(
+        presentationKeys.sort(),
+        hasher
+      );
+      if (!(options == null ? void 0 : options.kb)) {
+        return presentSdJwtWithoutKb;
+      }
+      const sdHashStr = yield this.calculateSDHash(
+        presentSdJwtWithoutKb,
+        sdjwt,
+        hasher
+      );
+      sdjwt.kbJwt = yield this.createKBJwt(options.kb, sdHashStr);
       return sdjwt.present(presentationKeys.sort(), hasher);
     });
   }
@@ -509,7 +527,7 @@ var _SDJwtInstance = class _SDJwtInstance {
       }
       const hasher = this.userConfig.hasher;
       const sdjwt = yield SDJwt.fromEncode(encodedSDJwt, hasher);
-      if (!sdjwt.jwt) {
+      if (!sdjwt.jwt || !sdjwt.jwt.payload) {
         throw new import_utils5.SDJWTException("Invalid SD JWT");
       }
       const { payload, header } = yield this.validate(encodedSDJwt);
@@ -532,9 +550,34 @@ var _SDJwtInstance = class _SDJwtInstance {
         throw new import_utils5.SDJWTException("Key Binding Verifier not found");
       }
       const kb = yield sdjwt.kbJwt.verify(this.userConfig.kbVerifier);
+      const sdHashfromKb = kb.payload.sd_hash;
+      const sdjwtWithoutKb = new SDJwt({
+        jwt: sdjwt.jwt,
+        disclosures: sdjwt.disclosures
+      });
+      const presentSdJwtWithoutKb = sdjwtWithoutKb.encodeSDJwt();
+      const sdHashStr = yield this.calculateSDHash(
+        presentSdJwtWithoutKb,
+        sdjwt,
+        hasher
+      );
+      if (sdHashStr !== sdHashfromKb) {
+        throw new import_utils5.SDJWTException("Invalid sd_hash in Key Binding JWT");
+      }
       return { payload, header, kb };
     });
   }
+  calculateSDHash(presentSdJwtWithoutKb, sdjwt, hasher) {
+    return __async(this, null, function* () {
+      if (!sdjwt.jwt || !sdjwt.jwt.payload) {
+        throw new import_utils5.SDJWTException("Invalid SD JWT");
+      }
+      const { _sd_alg } = (0, import_decode3.getSDAlgAndPayload)(sdjwt.jwt.payload);
+      const sdHash = yield hasher(presentSdJwtWithoutKb, _sd_alg);
+      const sdHashStr = (0, import_utils5.Uint8ArrayToBase64Url)(sdHash);
+      return sdHashStr;
+    });
+  }
   // This function is for validating the SD JWT
   // Just checking signature and return its the claims
   validate(encodedSDJwt) {

package/dist/index.mjs

@@ -42,7 +42,7 @@ var __async = (__this, __arguments, generator) => {
 };
 
 // src/index.ts
-import { SDJWTException as SDJWTException4 } from "@sd-jwt/utils";
+import { SDJWTException as SDJWTException4, Uint8ArrayToBase64Url as Uint8ArrayToBase64Url2 } from "@sd-jwt/utils";
 
 // src/jwt.ts
 import { Base64urlEncode, SDJWTException } from "@sd-jwt/utils";
@@ -381,9 +381,9 @@ var pack = (claims, disclosureFrame, hash, saltGenerator) => __async(void 0, nul
 
 // src/index.ts
 import {
-  KB_JWT_TYP,
-  SD_JWT_TYP
+  KB_JWT_TYP as KB_JWT_TYP2
 } from "@sd-jwt/types";
+import { getSDAlgAndPayload as getSDAlgAndPayload2 } from "@sd-jwt/decode";
 var _SDJwtInstance = class _SDJwtInstance {
   constructor(userConfig) {
     this.userConfig = {};
@@ -391,7 +391,7 @@ var _SDJwtInstance = class _SDJwtInstance {
       this.userConfig = userConfig;
     }
   }
-  createKBJwt(options) {
+  createKBJwt(options, sdHash) {
     return __async(this, null, function* () {
       if (!this.userConfig.kbSigner) {
         throw new SDJWTException4("Key Binding Signer not found");
@@ -402,10 +402,10 @@ var _SDJwtInstance = class _SDJwtInstance {
       const { payload } = options;
       const kbJwt = new KBJwt({
         header: {
-          typ: KB_JWT_TYP,
+          typ: KB_JWT_TYP2,
           alg: this.userConfig.kbSignAlg
         },
-        payload
+        payload: __spreadProps(__spreadValues({}, payload), { sd_hash: sdHash })
       });
       yield kbJwt.sign(this.userConfig.kbSigner);
       return kbJwt;
@@ -440,6 +440,9 @@ var _SDJwtInstance = class _SDJwtInstance {
       if (!this.userConfig.signAlg) {
         throw new SDJWTException4("sign alogrithm not specified");
       }
+      if (disclosureFrame) {
+        this.validateReservedFields(disclosureFrame);
+      }
       const hasher = this.userConfig.hasher;
       const hashAlg = (_a = this.userConfig.hashAlg) != null ? _a : _SDJwtInstance.DEFAULT_hashAlg;
       const { packedClaims, disclosures } = yield pack(
@@ -450,7 +453,7 @@ var _SDJwtInstance = class _SDJwtInstance {
       );
       const alg = this.userConfig.signAlg;
       const OptionHeader = (_b = options == null ? void 0 : options.header) != null ? _b : {};
-      const CustomHeader = this.userConfig.omitTyp ? OptionHeader : __spreadValues({ typ: SD_JWT_TYP }, OptionHeader);
+      const CustomHeader = this.userConfig.omitTyp ? OptionHeader : __spreadValues({ typ: this.type }, OptionHeader);
       const header = __spreadProps(__spreadValues({}, CustomHeader), { alg });
       const jwt = new Jwt({
         header,
@@ -468,6 +471,7 @@ var _SDJwtInstance = class _SDJwtInstance {
   }
   present(encodedSDJwt, presentationKeys, options) {
     return __async(this, null, function* () {
+      var _a;
       if (!presentationKeys)
         return encodedSDJwt;
       if (!this.userConfig.hasher) {
@@ -475,8 +479,21 @@ var _SDJwtInstance = class _SDJwtInstance {
       }
       const hasher = this.userConfig.hasher;
       const sdjwt = yield SDJwt.fromEncode(encodedSDJwt, hasher);
-      const kbJwt = (options == null ? void 0 : options.kb) ? yield this.createKBJwt(options.kb) : void 0;
-      sdjwt.kbJwt = kbJwt;
+      if (!((_a = sdjwt.jwt) == null ? void 0 : _a.payload))
+        throw new SDJWTException4("Payload not found");
+      const presentSdJwtWithoutKb = yield sdjwt.present(
+        presentationKeys.sort(),
+        hasher
+      );
+      if (!(options == null ? void 0 : options.kb)) {
+        return presentSdJwtWithoutKb;
+      }
+      const sdHashStr = yield this.calculateSDHash(
+        presentSdJwtWithoutKb,
+        sdjwt,
+        hasher
+      );
+      sdjwt.kbJwt = yield this.createKBJwt(options.kb, sdHashStr);
       return sdjwt.present(presentationKeys.sort(), hasher);
     });
   }
@@ -490,7 +507,7 @@ var _SDJwtInstance = class _SDJwtInstance {
       }
       const hasher = this.userConfig.hasher;
       const sdjwt = yield SDJwt.fromEncode(encodedSDJwt, hasher);
-      if (!sdjwt.jwt) {
+      if (!sdjwt.jwt || !sdjwt.jwt.payload) {
         throw new SDJWTException4("Invalid SD JWT");
       }
       const { payload, header } = yield this.validate(encodedSDJwt);
@@ -513,9 +530,34 @@ var _SDJwtInstance = class _SDJwtInstance {
         throw new SDJWTException4("Key Binding Verifier not found");
       }
       const kb = yield sdjwt.kbJwt.verify(this.userConfig.kbVerifier);
+      const sdHashfromKb = kb.payload.sd_hash;
+      const sdjwtWithoutKb = new SDJwt({
+        jwt: sdjwt.jwt,
+        disclosures: sdjwt.disclosures
+      });
+      const presentSdJwtWithoutKb = sdjwtWithoutKb.encodeSDJwt();
+      const sdHashStr = yield this.calculateSDHash(
+        presentSdJwtWithoutKb,
+        sdjwt,
+        hasher
+      );
+      if (sdHashStr !== sdHashfromKb) {
+        throw new SDJWTException4("Invalid sd_hash in Key Binding JWT");
+      }
       return { payload, header, kb };
     });
   }
+  calculateSDHash(presentSdJwtWithoutKb, sdjwt, hasher) {
+    return __async(this, null, function* () {
+      if (!sdjwt.jwt || !sdjwt.jwt.payload) {
+        throw new SDJWTException4("Invalid SD JWT");
+      }
+      const { _sd_alg } = getSDAlgAndPayload2(sdjwt.jwt.payload);
+      const sdHash = yield hasher(presentSdJwtWithoutKb, _sd_alg);
+      const sdHashStr = Uint8ArrayToBase64Url2(sdHash);
+      return sdHashStr;
+    });
+  }
   // This function is for validating the SD JWT
   // Just checking signature and return its the claims
   validate(encodedSDJwt) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sd-jwt/core",
-  "version": "0.3.2-next.75+c1b701d",
+  "version": "0.3.2-next.94+32af6cf",
   "description": "sd-jwt draft 7 implementation in typescript",
   "main": "dist/index.js",
   "module": "dist/index.mjs",
@@ -39,12 +39,12 @@
   },
   "license": "Apache-2.0",
   "devDependencies": {
-    "@sd-jwt/crypto-nodejs": "0.3.2-next.75+c1b701d"
+    "@sd-jwt/crypto-nodejs": "0.3.2-next.94+32af6cf"
   },
   "dependencies": {
-    "@sd-jwt/decode": "0.3.2-next.75+c1b701d",
-    "@sd-jwt/types": "0.3.2-next.75+c1b701d",
-    "@sd-jwt/utils": "0.3.2-next.75+c1b701d"
+    "@sd-jwt/decode": "0.3.2-next.94+32af6cf",
+    "@sd-jwt/types": "0.3.2-next.94+32af6cf",
+    "@sd-jwt/utils": "0.3.2-next.94+32af6cf"
   },
   "publishConfig": {
     "access": "public"
@@ -62,5 +62,5 @@
       "esm"
     ]
   },
-  "gitHead": "c1b701d6c1998c22dcc9efc0f91229177c7c8eea"
+  "gitHead": "32af6cfa150fceb440fc9225bcaf2791a6aeee90"
 }

package/src/index.ts

@@ -1,22 +1,28 @@
-import { SDJWTException } from '@sd-jwt/utils';
+import { SDJWTException, Uint8ArrayToBase64Url } from '@sd-jwt/utils';
 import { Jwt } from './jwt';
 import { KBJwt } from './kbjwt';
 import { SDJwt, pack } from './sdjwt';
 import {
   DisclosureFrame,
+  Hasher,
   KBOptions,
   KB_JWT_TYP,
   SDJWTCompact,
   SDJWTConfig,
-  SD_JWT_TYP,
 } from '@sd-jwt/types';
+import { getSDAlgAndPayload } from '@sd-jwt/decode';
 
 export * from './sdjwt';
 export * from './kbjwt';
 export * from './jwt';
 export * from './decoy';
 
-export class SDJwtInstance {
+export type SdJwtPayload = Record<string, unknown>;
+
+export abstract class SDJwtInstance<ExtendedPayload extends SdJwtPayload> {
+  //header type
+  protected abstract type: string;
+
   public static DEFAULT_hashAlg = 'sha-256';
 
   private userConfig: SDJWTConfig = {};
@@ -27,20 +33,24 @@ export class SDJwtInstance {
     }
   }
 
-  private async createKBJwt(options: KBOptions): Promise<KBJwt> {
+  private async createKBJwt(
+    options: KBOptions,
+    sdHash: string,
+  ): Promise<KBJwt> {
     if (!this.userConfig.kbSigner) {
       throw new SDJWTException('Key Binding Signer not found');
     }
     if (!this.userConfig.kbSignAlg) {
       throw new SDJWTException('Key Binding sign algorithm not specified');
     }
+
     const { payload } = options;
     const kbJwt = new KBJwt({
       header: {
         typ: KB_JWT_TYP,
         alg: this.userConfig.kbSignAlg,
       },
-      payload,
+      payload: { ...payload, sd_hash: sdHash },
     });
 
     await kbJwt.sign(this.userConfig.kbSigner);
@@ -62,7 +72,7 @@ export class SDJwtInstance {
     return jwt.verify(this.userConfig.verifier);
   }
 
-  public async issue<Payload extends Record<string, unknown>>(
+  public async issue<Payload extends ExtendedPayload>(
     payload: Payload,
     disclosureFrame?: DisclosureFrame<Payload>,
     options?: {
@@ -81,6 +91,10 @@ export class SDJwtInstance {
       throw new SDJWTException('sign alogrithm not specified');
     }
 
+    if (disclosureFrame) {
+      this.validateReservedFields<Payload>(disclosureFrame);
+    }
+
     const hasher = this.userConfig.hasher;
     const hashAlg = this.userConfig.hashAlg ?? SDJwtInstance.DEFAULT_hashAlg;
 
@@ -94,7 +108,7 @@ export class SDJwtInstance {
     const OptionHeader = options?.header ?? {};
     const CustomHeader = this.userConfig.omitTyp
       ? OptionHeader
-      : { typ: SD_JWT_TYP, ...OptionHeader };
+      : { typ: this.type, ...OptionHeader };
     const header = { ...CustomHeader, alg };
     const jwt = new Jwt({
       header,
@@ -113,6 +127,10 @@ export class SDJwtInstance {
     return sdJwt.encodeSDJwt();
   }
 
+  protected abstract validateReservedFields<T extends ExtendedPayload>(
+    disclosureFrame: DisclosureFrame<T>,
+  ): void;
+
   public async present(
     encodedSDJwt: string,
     presentationKeys?: string[],
@@ -127,9 +145,24 @@ export class SDJwtInstance {
     const hasher = this.userConfig.hasher;
 
     const sdjwt = await SDJwt.fromEncode(encodedSDJwt, hasher);
-    const kbJwt = options?.kb ? await this.createKBJwt(options.kb) : undefined;
-    sdjwt.kbJwt = kbJwt;
 
+    if (!sdjwt.jwt?.payload) throw new SDJWTException('Payload not found');
+    const presentSdJwtWithoutKb = await sdjwt.present(
+      presentationKeys.sort(),
+      hasher,
+    );
+
+    if (!options?.kb) {
+      return presentSdJwtWithoutKb;
+    }
+
+    const sdHashStr = await this.calculateSDHash(
+      presentSdJwtWithoutKb,
+      sdjwt,
+      hasher,
+    );
+
+    sdjwt.kbJwt = await this.createKBJwt(options.kb, sdHashStr);
     return sdjwt.present(presentationKeys.sort(), hasher);
   }
 
@@ -147,7 +180,7 @@ export class SDJwtInstance {
     const hasher = this.userConfig.hasher;
 
     const sdjwt = await SDJwt.fromEncode(encodedSDJwt, hasher);
-    if (!sdjwt.jwt) {
+    if (!sdjwt.jwt || !sdjwt.jwt.payload) {
       throw new SDJWTException('Invalid SD JWT');
     }
     const { payload, header } = await this.validate(encodedSDJwt);
@@ -173,9 +206,40 @@ export class SDJwtInstance {
       throw new SDJWTException('Key Binding Verifier not found');
     }
     const kb = await sdjwt.kbJwt.verify(this.userConfig.kbVerifier);
+    const sdHashfromKb = kb.payload.sd_hash;
+    const sdjwtWithoutKb = new SDJwt({
+      jwt: sdjwt.jwt,
+      disclosures: sdjwt.disclosures,
+    });
+
+    const presentSdJwtWithoutKb = sdjwtWithoutKb.encodeSDJwt();
+    const sdHashStr = await this.calculateSDHash(
+      presentSdJwtWithoutKb,
+      sdjwt,
+      hasher,
+    );
+
+    if (sdHashStr !== sdHashfromKb) {
+      throw new SDJWTException('Invalid sd_hash in Key Binding JWT');
+    }
+
     return { payload, header, kb };
   }
 
+  private async calculateSDHash(
+    presentSdJwtWithoutKb: string,
+    sdjwt: SDJwt,
+    hasher: Hasher,
+  ) {
+    if (!sdjwt.jwt || !sdjwt.jwt.payload) {
+      throw new SDJWTException('Invalid SD JWT');
+    }
+    const { _sd_alg } = getSDAlgAndPayload(sdjwt.jwt.payload);
+    const sdHash = await hasher(presentSdJwtWithoutKb, _sd_alg);
+    const sdHashStr = Uint8ArrayToBase64Url(sdHash);
+    return sdHashStr;
+  }
+
   // This function is for validating the SD JWT
   // Just checking signature and return its the claims
   public async validate(encodedSDJwt: string) {

package/src/sdjwt.ts

@@ -6,12 +6,15 @@ import {
   DisclosureFrame,
   Hasher,
   HasherAndAlg,
+  KBOptions,
+  KB_JWT_TYP,
   SDJWTCompact,
   SD_DECOY,
   SD_DIGEST,
   SD_LIST_KEY,
   SD_SEPARATOR,
   SaltGenerator,
+  Signer,
   kbHeader,
   kbPayload,
 } from '@sd-jwt/types';

package/src/test/index.spec.ts

@@ -1,9 +1,19 @@
-import { SDJwtInstance } from '../index';
-import { Signer, Verifier } from '@sd-jwt/types';
+import { SDJwtInstance, SdJwtPayload } from '../index';
+import { DisclosureFrame, Signer, Verifier } from '@sd-jwt/types';
 import Crypto from 'node:crypto';
 import { describe, expect, test } from 'vitest';
 import { digest, generateSalt } from '@sd-jwt/crypto-nodejs';
 
+export class TestInstance extends SDJwtInstance<SdJwtPayload> {
+  protected type = 'sd-jwt';
+
+  protected validateReservedFields(
+    disclosureFrame: DisclosureFrame<SdJwtPayload>,
+  ): void {
+    return;
+  }
+}
+
 export const createSignerVerifier = () => {
   const { privateKey, publicKey } = Crypto.generateKeyPairSync('ed25519');
   const signer: Signer = async (data: string) => {
@@ -23,13 +33,13 @@ export const createSignerVerifier = () => {
 
 describe('index', () => {
   test('create', async () => {
-    const sdjwt = new SDJwtInstance();
+    const sdjwt = new TestInstance();
     expect(sdjwt).toBeDefined();
   });
 
   test('kbJwt', async () => {
     const { signer, verifier } = createSignerVerifier();
-    const sdjwt = new SDJwtInstance({
+    const sdjwt = new TestInstance({
       signer,
       signAlg: 'EdDSA',
       verifier,
@@ -41,6 +51,9 @@ describe('index', () => {
     const credential = await sdjwt.issue(
       {
         foo: 'bar',
+        iss: 'Issuer',
+        iat: new Date().getTime(),
+        vct: '',
       },
       {
         _sd: ['foo'],
@@ -52,7 +65,6 @@ describe('index', () => {
     const presentation = await sdjwt.present(credential, ['foo'], {
       kb: {
         payload: {
-          sd_hash: 'sha-256',
           aud: '1',
           iat: 1,
           nonce: '342',
@@ -65,7 +77,7 @@ describe('index', () => {
 
   test('issue', async () => {
     const { signer, verifier } = createSignerVerifier();
-    const sdjwt = new SDJwtInstance({
+    const sdjwt = new TestInstance({
       signer,
       signAlg: 'EdDSA',
       verifier,
@@ -75,6 +87,9 @@ describe('index', () => {
     const credential = await sdjwt.issue(
       {
         foo: 'bar',
+        iss: 'Issuer',
+        iat: new Date().getTime(),
+        vct: '',
       },
       {
         _sd: ['foo'],
@@ -96,7 +111,7 @@ describe('index', () => {
       );
     };
 
-    const sdjwt = new SDJwtInstance({
+    const sdjwt = new TestInstance({
       signer,
       signAlg: 'EdDSA',
       verifier: failedverifier,
@@ -107,6 +122,9 @@ describe('index', () => {
     const credential = await sdjwt.issue(
       {
         foo: 'bar',
+        iss: 'Issuer',
+        iat: new Date().getTime(),
+        vct: '',
       },
       {
         _sd: ['foo'],
@@ -131,7 +149,7 @@ describe('index', () => {
         Buffer.from(sig, 'base64url'),
       );
     };
-    const sdjwt = new SDJwtInstance({
+    const sdjwt = new TestInstance({
       signer,
       signAlg: 'EdDSA',
       verifier,
@@ -145,6 +163,9 @@ describe('index', () => {
     const credential = await sdjwt.issue(
       {
         foo: 'bar',
+        iss: 'Issuer',
+        iat: new Date().getTime(),
+        vct: '',
       },
       {
         _sd: ['foo'],
@@ -154,8 +175,7 @@ describe('index', () => {
     const presentation = await sdjwt.present(credential, ['foo'], {
       kb: {
         payload: {
-          sd_hash: '',
-          aud: '1',
+          aud: '',
           iat: 1,
           nonce: '342',
         },
@@ -171,7 +191,7 @@ describe('index', () => {
 
   test('verify with kbJwt', async () => {
     const { signer, verifier } = createSignerVerifier();
-    const sdjwt = new SDJwtInstance({
+    const sdjwt = new TestInstance({
       signer,
       signAlg: 'EdDSA',
       verifier,
@@ -185,6 +205,9 @@ describe('index', () => {
     const credential = await sdjwt.issue(
       {
         foo: 'bar',
+        iss: 'Issuer',
+        iat: new Date().getTime(),
+        vct: '',
       },
       {
         _sd: ['foo'],
@@ -194,7 +217,6 @@ describe('index', () => {
     const presentation = await sdjwt.present(credential, ['foo'], {
       kb: {
         payload: {
-          sd_hash: 'sha-256',
           aud: '1',
           iat: 1,
           nonce: '342',
@@ -207,11 +229,14 @@ describe('index', () => {
   });
 
   test('Hasher not found', async () => {
-    const sdjwt = new SDJwtInstance({});
+    const sdjwt = new TestInstance({});
     try {
       const credential = await sdjwt.issue(
         {
           foo: 'bar',
+          iss: 'Issuer',
+          iat: new Date().getTime(),
+          vct: '',
         },
         {
           _sd: ['foo'],
@@ -225,13 +250,16 @@ describe('index', () => {
   });
 
   test('SaltGenerator not found', async () => {
-    const sdjwt = new SDJwtInstance({
+    const sdjwt = new TestInstance({
       hasher: digest,
     });
     try {
       const credential = await sdjwt.issue(
         {
           foo: 'bar',
+          iss: 'Issuer',
+          iat: new Date().getTime(),
+          vct: '',
         },
         {
           _sd: ['foo'],
@@ -245,7 +273,7 @@ describe('index', () => {
   });
 
   test('Signer not found', async () => {
-    const sdjwt = new SDJwtInstance({
+    const sdjwt = new TestInstance({
       hasher: digest,
       saltGenerator: generateSalt,
     });
@@ -253,6 +281,9 @@ describe('index', () => {
       const credential = await sdjwt.issue(
         {
           foo: 'bar',
+          iss: 'Issuer',
+          iat: new Date().getTime(),
+          vct: '',
         },
         {
           _sd: ['foo'],
@@ -267,7 +298,7 @@ describe('index', () => {
 
   test('Verifier not found', async () => {
     const { signer, verifier } = createSignerVerifier();
-    const sdjwt = new SDJwtInstance({
+    const sdjwt = new TestInstance({
       signer,
       hasher: digest,
       saltGenerator: generateSalt,
@@ -280,6 +311,9 @@ describe('index', () => {
     const credential = await sdjwt.issue(
       {
         foo: 'bar',
+        iss: 'Issuer',
+        iat: new Date().getTime(),
+        vct: '',
       },
       {
         _sd: ['foo'],
@@ -289,7 +323,6 @@ describe('index', () => {
     const presentation = await sdjwt.present(credential, ['foo'], {
       kb: {
         payload: {
-          sd_hash: 'sha-256',
           aud: '1',
           iat: 1,
           nonce: '342',
@@ -305,7 +338,7 @@ describe('index', () => {
 
   test('kbSigner not found', async () => {
     const { signer, verifier } = createSignerVerifier();
-    const sdjwt = new SDJwtInstance({
+    const sdjwt = new TestInstance({
       signer,
       verifier,
       hasher: digest,
@@ -318,6 +351,9 @@ describe('index', () => {
     const credential = await sdjwt.issue(
       {
         foo: 'bar',
+        iss: 'Issuer',
+        iat: new Date().getTime(),
+        vct: '',
       },
       {
         _sd: ['foo'],
@@ -327,7 +363,6 @@ describe('index', () => {
       const presentation = await sdjwt.present(credential, ['foo'], {
         kb: {
           payload: {
-            sd_hash: 'sha-256',
             aud: '1',
             iat: 1,
             nonce: '342',
@@ -341,7 +376,7 @@ describe('index', () => {
 
   test('kbVerifier not found', async () => {
     const { signer, verifier } = createSignerVerifier();
-    const sdjwt = new SDJwtInstance({
+    const sdjwt = new TestInstance({
       signer,
       verifier,
       hasher: digest,
@@ -354,6 +389,9 @@ describe('index', () => {
     const credential = await sdjwt.issue(
       {
         foo: 'bar',
+        iss: 'Issuer',
+        iat: new Date().getTime(),
+        vct: '',
       },
       {
         _sd: ['foo'],
@@ -363,7 +401,6 @@ describe('index', () => {
     const presentation = await sdjwt.present(credential, ['foo'], {
       kb: {
         payload: {
-          sd_hash: 'sha-256',
           aud: '1',
           iat: 1,
           nonce: '342',
@@ -376,4 +413,47 @@ describe('index', () => {
       expect(e).toBeDefined();
     }
   });
+
+  test('kbSignAlg not found', async () => {
+    const { signer, verifier } = createSignerVerifier();
+    const sdjwt = new TestInstance({
+      signer,
+      verifier,
+      hasher: digest,
+      saltGenerator: generateSalt,
+      kbSigner: signer,
+      signAlg: 'EdDSA',
+    });
+
+    const credential = await sdjwt.issue(
+      {
+        foo: 'bar',
+        iss: 'Issuer',
+        iat: new Date().getTime(),
+        vct: '',
+      },
+      {
+        _sd: ['foo'],
+      },
+    );
+
+    const presentation = sdjwt.present(credential, ['foo'], {
+      kb: {
+        payload: {
+          sd_hash: 'sha-256',
+          aud: '1',
+          iat: 1,
+          nonce: '342',
+        },
+      },
+    });
+    expect(presentation).rejects.toThrow(
+      'Key Binding sign algorithm not specified',
+    );
+  });
+
+  test('hasher is not found', () => {
+    const sdjwt = new TestInstance({});
+    expect(sdjwt.keys('')).rejects.toThrow('Hasher not found');
+  });
 });

package/test/app-e2e.spec.ts

@@ -1,10 +1,11 @@
 import Crypto from 'node:crypto';
-import { SDJwtInstance } from '../src';
-import { DisclosureFrame, Signer, Verifier } from '@sd-jwt/types';
+import { SdJwtPayload } from '../src';
+import { DisclosureFrame, SD, Signer, Verifier } from '@sd-jwt/types';
 import fs from 'fs';
 import path from 'path';
 import { describe, expect, test } from 'vitest';
 import { digest, generateSalt } from '@sd-jwt/crypto-nodejs';
+import { TestInstance } from '../src/test/index.spec';
 
 export const createSignerVerifier = () => {
   const { privateKey, publicKey } = Crypto.generateKeyPairSync('ed25519');
@@ -26,7 +27,7 @@ export const createSignerVerifier = () => {
 describe('App', () => {
   test('Example', async () => {
     const { signer, verifier } = createSignerVerifier();
-    const sdjwt = new SDJwtInstance({
+    const sdjwt = new TestInstance({
       signer,
       signAlg: 'EdDSA',
       verifier,
@@ -192,7 +193,7 @@ describe('App', () => {
 async function JSONtest(filename: string) {
   const test = loadTestJsonFile(filename);
   const { signer, verifier } = createSignerVerifier();
-  const sdjwt = new SDJwtInstance({
+  const sdjwt = new TestInstance({
     signer,
     signAlg: 'EdDSA',
     verifier,
@@ -234,8 +235,8 @@ async function JSONtest(filename: string) {
 }
 
 type TestJson = {
-  claims: object;
-  disclosureFrame: DisclosureFrame<object>;
+  claims: SdJwtPayload;
+  disclosureFrame: DisclosureFrame<SdJwtPayload>;
   presentationKeys: string[];
   presenatedClaims: object;
   requiredClaimKeys: string[];