@sd-jwt/core 0.3.2-next.98 → 0.4.0

package/src/sdjwt.ts

@@ -6,19 +6,18 @@ import {
   DisclosureFrame,
   Hasher,
   HasherAndAlg,
-  KBOptions,
-  KB_JWT_TYP,
+  PresentationFrame,
   SDJWTCompact,
   SD_DECOY,
   SD_DIGEST,
   SD_LIST_KEY,
   SD_SEPARATOR,
   SaltGenerator,
-  Signer,
   kbHeader,
   kbPayload,
 } from '@sd-jwt/types';
 import { createHashMapping, getSDAlgAndPayload, unpack } from '@sd-jwt/decode';
+import { transformPresentationFrame } from '@sd-jwt/present';
 
 export type SDJwtData<
   Header extends Record<string, unknown>,
@@ -117,7 +116,10 @@ export class SDJwt<
     });
   }
 
-  public async present(keys: string[], hasher: Hasher): Promise<SDJWTCompact> {
+  public async present<T extends Record<string, unknown>>(
+    presentFrame: PresentationFrame<T> | undefined,
+    hasher: Hasher,
+  ): Promise<SDJWTCompact> {
     if (!this.jwt?.payload || !this.disclosures) {
       throw new SDJWTException('Invalid sd-jwt: jwt or disclosures is missing');
     }
@@ -130,15 +132,12 @@ export class SDJwt<
       hasher,
     );
 
-    const presentableKeys = Object.keys(disclosureKeymap);
-    const missingKeys = keys.filter((k) => !presentableKeys.includes(k));
-    if (missingKeys.length > 0) {
-      throw new SDJWTException(
-        `Invalid sd-jwt: invalid present keys: ${missingKeys.join(', ')}`,
-      );
-    }
-
-    const disclosures = keys.map((k) => hashmap[disclosureKeymap[k]]);
+    const keys = presentFrame
+      ? transformPresentationFrame(presentFrame)
+      : await this.presentableKeys(hasher);
+    const disclosures = keys
+      .map((k) => hashmap[disclosureKeymap[k]])
+      .filter((d) => d !== undefined);
     const presentSDJwt = new SDJwt({
       jwt: this.jwt,
       disclosures,

package/src/test/index.spec.ts

@@ -1,8 +1,9 @@
 import { SDJwtInstance, SdJwtPayload } from '../index';
-import { Signer, Verifier } from '@sd-jwt/types';
-import Crypto from 'node:crypto';
+import { Signer, Verifier, KbVerifier, JwtPayload } from '@sd-jwt/types';
+import Crypto, { KeyLike } from 'node:crypto';
 import { describe, expect, test } from 'vitest';
 import { digest, generateSalt } from '@sd-jwt/crypto-nodejs';
+import { importJWK, exportJWK, JWK } from 'jose';
 
 export const createSignerVerifier = () => {
   const { privateKey, publicKey } = Crypto.generateKeyPairSync('ed25519');
@@ -52,15 +53,19 @@ describe('index', () => {
 
     expect(credential).toBeDefined();
 
-    const presentation = await sdjwt.present(credential, ['foo'], {
-      kb: {
-        payload: {
-          aud: '1',
-          iat: 1,
-          nonce: '342',
+    const presentation = await sdjwt.present(
+      credential,
+      { foo: true },
+      {
+        kb: {
+          payload: {
+            aud: '1',
+            iat: 1,
+            nonce: '342',
+          },
         },
       },
-    });
+    );
 
     expect(presentation).toBeDefined();
   });
@@ -162,15 +167,19 @@ describe('index', () => {
       },
     );
 
-    const presentation = await sdjwt.present(credential, ['foo'], {
-      kb: {
-        payload: {
-          aud: '',
-          iat: 1,
-          nonce: '342',
+    const presentation = await sdjwt.present(
+      credential,
+      { foo: true },
+      {
+        kb: {
+          payload: {
+            aud: '',
+            iat: 1,
+            nonce: '342',
+          },
         },
       },
-    });
+    );
 
     try {
       await sdjwt.verify(presentation);
@@ -181,38 +190,72 @@ describe('index', () => {
 
   test('verify with kbJwt', async () => {
     const { signer, verifier } = createSignerVerifier();
+
+    const { privateKey, publicKey } = Crypto.generateKeyPairSync('ed25519');
+
+    //TODO: maybe we can pass a minial class of the jwt to pass the token
+    const kbVerifier: KbVerifier = async (
+      data: string,
+      sig: string,
+      payload: JwtPayload,
+    ) => {
+      let publicKey: JsonWebKey;
+      if (payload.cnf) {
+        // use the key from the cnf
+        publicKey = payload.cnf.jwk;
+      } else {
+        throw Error('key binding not supported');
+      }
+      // get the key of the holder to verify the signature
+      return Crypto.verify(
+        null,
+        Buffer.from(data),
+        (await importJWK(publicKey as JWK, 'EdDSA')) as KeyLike,
+        Buffer.from(sig, 'base64url'),
+      );
+    };
+
+    const kbSigner = (data: string) => {
+      const sig = Crypto.sign(null, Buffer.from(data), privateKey);
+      return Buffer.from(sig).toString('base64url');
+    };
+
     const sdjwt = new SDJwtInstance<SdJwtPayload>({
       signer,
       signAlg: 'EdDSA',
       verifier,
       hasher: digest,
       saltGenerator: generateSalt,
-      kbSigner: signer,
-      kbVerifier: verifier,
+      kbSigner: kbSigner,
+      kbVerifier: kbVerifier,
       kbSignAlg: 'EdDSA',
     });
-
     const credential = await sdjwt.issue(
       {
         foo: 'bar',
-        iss: 'Issuer',
         iat: new Date().getTime(),
-        vct: '',
+        cnf: {
+          jwk: await exportJWK(publicKey),
+        },
       },
       {
         _sd: ['foo'],
       },
     );
 
-    const presentation = await sdjwt.present(credential, ['foo'], {
-      kb: {
-        payload: {
-          aud: '1',
-          iat: 1,
-          nonce: '342',
+    const presentation = await sdjwt.present(
+      credential,
+      { foo: true },
+      {
+        kb: {
+          payload: {
+            aud: '1',
+            iat: 1,
+            nonce: '342',
+          },
         },
       },
-    });
+    );
 
     const results = await sdjwt.verify(presentation, ['foo'], true);
     expect(results).toBeDefined();
@@ -310,15 +353,19 @@ describe('index', () => {
       },
     );
 
-    const presentation = await sdjwt.present(credential, ['foo'], {
-      kb: {
-        payload: {
-          aud: '1',
-          iat: 1,
-          nonce: '342',
+    const presentation = await sdjwt.present(
+      credential,
+      { foo: true },
+      {
+        kb: {
+          payload: {
+            aud: '1',
+            iat: 1,
+            nonce: '342',
+          },
         },
       },
-    });
+    );
     try {
       const results = await sdjwt.verify(presentation, ['foo'], true);
     } catch (e) {
@@ -350,15 +397,19 @@ describe('index', () => {
       },
     );
     try {
-      const presentation = await sdjwt.present(credential, ['foo'], {
-        kb: {
-          payload: {
-            aud: '1',
-            iat: 1,
-            nonce: '342',
+      const presentation = await sdjwt.present(
+        credential,
+        { foo: true },
+        {
+          kb: {
+            payload: {
+              aud: '1',
+              iat: 1,
+              nonce: '342',
+            },
           },
         },
-      });
+      );
     } catch (e) {
       expect(e).toBeDefined();
     }
@@ -388,15 +439,19 @@ describe('index', () => {
       },
     );
 
-    const presentation = await sdjwt.present(credential, ['foo'], {
-      kb: {
-        payload: {
-          aud: '1',
-          iat: 1,
-          nonce: '342',
+    const presentation = await sdjwt.present(
+      credential,
+      { foo: true },
+      {
+        kb: {
+          payload: {
+            aud: '1',
+            iat: 1,
+            nonce: '342',
+          },
         },
       },
-    });
+    );
     try {
       const results = await sdjwt.verify(presentation, ['foo'], true);
     } catch (e) {
@@ -427,15 +482,19 @@ describe('index', () => {
       },
     );
 
-    const presentation = sdjwt.present(credential, ['foo'], {
-      kb: {
-        payload: {
-          aud: '1',
-          iat: 1,
-          nonce: '342',
+    const presentation = sdjwt.present(
+      credential,
+      { foo: true },
+      {
+        kb: {
+          payload: {
+            aud: '1',
+            iat: 1,
+            nonce: '342',
+          },
         },
       },
-    });
+    );
     expect(presentation).rejects.toThrow(
       'Key Binding sign algorithm not specified',
     );
@@ -465,7 +524,7 @@ describe('index', () => {
     expect(sdjwt.presentableKeys('')).rejects.toThrow('Hasher not found');
     expect(sdjwt.getClaims('')).rejects.toThrow('Hasher not found');
     expect(() => sdjwt.decode('')).toThrowError('Hasher not found');
-    expect(sdjwt.present(credential, ['foo'])).rejects.toThrow(
+    expect(sdjwt.present(credential, { foo: true })).rejects.toThrow(
       'Hasher not found',
     );
   });
@@ -493,4 +552,42 @@ describe('index', () => {
     expect(keys).toBeDefined();
     expect(keys).toEqual(['foo']);
   });
+
+  test('present all disclosures with kb jwt', async () => {
+    const { signer } = createSignerVerifier();
+    const sdjwt = new SDJwtInstance<SdJwtPayload>({
+      signer,
+      kbSigner: signer,
+      hasher: digest,
+      saltGenerator: generateSalt,
+      signAlg: 'EdDSA',
+      kbSignAlg: 'EdDSA',
+    });
+    const credential = await sdjwt.issue(
+      {
+        foo: 'bar',
+        iss: 'Issuer',
+        iat: new Date().getTime(),
+        vct: '',
+      },
+      {
+        _sd: ['foo'],
+      },
+    );
+
+    const presentation = await sdjwt.present(credential, undefined, {
+      kb: {
+        payload: {
+          aud: '1',
+          iat: 1,
+          nonce: '342',
+        },
+      },
+    });
+
+    const decoded = await sdjwt.decode(presentation);
+    expect(decoded.jwt).toBeDefined();
+    expect(decoded.disclosures).toBeDefined();
+    expect(decoded.kbJwt).toBeDefined();
+  });
 });

package/src/test/kbjwt.spec.ts

@@ -1,8 +1,15 @@
 import { SDJWTException } from '@sd-jwt/utils';
 import { KBJwt } from '../kbjwt';
-import { KB_JWT_TYP, Signer, Verifier } from '@sd-jwt/types';
-import Crypto from 'node:crypto';
+import {
+  JwtPayload,
+  KB_JWT_TYP,
+  KbVerifier,
+  Signer,
+  Verifier,
+} from '@sd-jwt/types';
+import Crypto, { KeyLike } from 'node:crypto';
 import { describe, expect, test } from 'vitest';
+import { JWK, exportJWK, importJWK } from 'jose';
 
 describe('KB JWT', () => {
   test('create', async () => {
@@ -69,11 +76,27 @@ describe('KB JWT', () => {
       const sig = Crypto.sign(null, Buffer.from(data), privateKey);
       return Buffer.from(sig).toString('base64url');
     };
-    const testVerifier: Verifier = async (data: string, sig: string) => {
+
+    const payload = {
+      cnf: {
+        jwk: await exportJWK(publicKey),
+      },
+    };
+
+    const testVerifier: KbVerifier = async (
+      data: string,
+      sig: string,
+      payload: JwtPayload,
+    ) => {
+      expect(payload).toStrictEqual(payload);
+      expect(payload.cnf?.jwk).toBeDefined();
+
+      const publicKey = payload.cnf?.jwk;
+
       return Crypto.verify(
         null,
         Buffer.from(data),
-        publicKey,
+        (await importJWK(publicKey as JWK, 'EdDSA')) as KeyLike,
         Buffer.from(sig, 'base64url'),
       );
     };
@@ -91,7 +114,10 @@ describe('KB JWT', () => {
     });
     const encodedKbJwt = await kbJwt.sign(testSigner);
     const decoded = KBJwt.fromKBEncode(encodedKbJwt);
-    const verified = await decoded.verify(testVerifier);
+    const verified = await decoded.verifyKB({
+      verifier: testVerifier,
+      payload,
+    });
     expect(verified).toStrictEqual({
       header: {
         typ: KB_JWT_TYP,
@@ -112,11 +138,26 @@ describe('KB JWT', () => {
       const sig = Crypto.sign(null, Buffer.from(data), privateKey);
       return Buffer.from(sig).toString('base64url');
     };
-    const testVerifier: Verifier = async (data: string, sig: string) => {
+
+    const payload = {
+      cnf: {
+        jwk: await exportJWK(publicKey),
+      },
+    };
+    const testVerifier: KbVerifier = async (
+      data: string,
+      sig: string,
+      payload: JwtPayload,
+    ) => {
+      expect(payload).toStrictEqual(payload);
+      expect(payload.cnf?.jwk).toBeDefined();
+
+      const publicKey = payload.cnf?.jwk;
+
       return Crypto.verify(
         null,
         Buffer.from(data),
-        publicKey,
+        (await importJWK(publicKey as JWK, 'EdDSA')) as KeyLike,
         Buffer.from(sig, 'base64url'),
       );
     };
@@ -136,26 +177,34 @@ describe('KB JWT', () => {
     const encodedKbJwt = await kbJwt.sign(testSigner);
     const decoded = KBJwt.fromKBEncode(encodedKbJwt);
     try {
-      await decoded.verify(testVerifier);
+      await decoded.verifyKB({ verifier: testVerifier, payload });
     } catch (e: unknown) {
       const error = e as SDJWTException;
       expect(error.message).toBe('Invalid Key Binding Jwt');
     }
   });
 
-  test('verify with custom Verifier', async () => {
+  test('verify failed with verifier return false', async () => {
     const { privateKey, publicKey } = Crypto.generateKeyPairSync('ed25519');
     const testSigner: Signer = async (data: string) => {
       const sig = Crypto.sign(null, Buffer.from(data), privateKey);
       return Buffer.from(sig).toString('base64url');
     };
-    const testVerifier: Verifier = async (data: string, sig: string) => {
-      return Crypto.verify(
-        null,
-        Buffer.from(data),
-        publicKey,
-        Buffer.from(sig, 'base64url'),
-      );
+
+    const payload = {
+      cnf: {
+        jwk: await exportJWK(publicKey),
+      },
+    };
+    const testVerifier: KbVerifier = async (
+      data: string,
+      sig: string,
+      payload: JwtPayload,
+    ) => {
+      expect(payload).toStrictEqual(payload);
+      expect(payload.cnf?.jwk).toBeDefined();
+
+      return false;
     };
 
     const kbJwt = new KBJwt({
@@ -170,37 +219,37 @@ describe('KB JWT', () => {
         sd_hash: 'hash',
       },
     });
-
     const encodedKbJwt = await kbJwt.sign(testSigner);
     const decoded = KBJwt.fromKBEncode(encodedKbJwt);
-    const verified = await decoded.verify(testVerifier);
-    expect(verified).toStrictEqual({
-      header: {
-        typ: KB_JWT_TYP,
-        alg: 'EdDSA',
-      },
-      payload: {
-        iat: 1,
-        aud: 'aud',
-        nonce: 'nonce',
-        sd_hash: 'hash',
-      },
-    });
+    try {
+      await decoded.verifyKB({ verifier: testVerifier, payload });
+    } catch (e: unknown) {
+      const error = e as SDJWTException;
+      expect(error.message).toBe('Verify Error: Invalid JWT Signature');
+    }
   });
 
-  test('verify failed with custom Verifier', async () => {
+  test('verify failed with invalid jwt', async () => {
     const { privateKey, publicKey } = Crypto.generateKeyPairSync('ed25519');
     const testSigner: Signer = async (data: string) => {
       const sig = Crypto.sign(null, Buffer.from(data), privateKey);
       return Buffer.from(sig).toString('base64url');
     };
-    const testVerifier: Verifier = async (data: string, sig: string) => {
-      return Crypto.verify(
-        null,
-        Buffer.from(data),
-        publicKey,
-        Buffer.from(sig, 'base64url'),
-      );
+
+    const payload = {
+      cnf: {
+        jwk: await exportJWK(publicKey),
+      },
+    };
+    const testVerifier: KbVerifier = async (
+      data: string,
+      sig: string,
+      payload: JwtPayload,
+    ) => {
+      expect(payload).toStrictEqual(payload);
+      expect(payload.cnf?.jwk).toBeDefined();
+
+      return false;
     };
 
     const kbJwt = new KBJwt({
@@ -212,17 +261,17 @@ describe('KB JWT', () => {
         iat: 1,
         aud: 'aud',
         nonce: 'nonce',
-        sd_hash: '',
+        sd_hash: 'hash',
       },
     });
-
     const encodedKbJwt = await kbJwt.sign(testSigner);
     const decoded = KBJwt.fromKBEncode(encodedKbJwt);
+    decoded.signature = undefined;
     try {
-      await decoded.verify(testVerifier);
+      await decoded.verifyKB({ verifier: testVerifier, payload });
     } catch (e: unknown) {
       const error = e as SDJWTException;
-      expect(error.message).toBe('Invalid Key Binding Jwt');
+      expect(error.message).toBe('Verify Error: Invalid JWT');
     }
   });
 
@@ -232,11 +281,25 @@ describe('KB JWT', () => {
       const sig = Crypto.sign(null, Buffer.from(data), privateKey);
       return Buffer.from(sig).toString('base64url');
     };
-    const testVerifier: Verifier = async (data: string, sig: string) => {
+    const payload = {
+      cnf: {
+        jwk: await exportJWK(publicKey),
+      },
+    };
+    const testVerifier: KbVerifier = async (
+      data: string,
+      sig: string,
+      payload: JwtPayload,
+    ) => {
+      expect(payload).toStrictEqual(payload);
+      expect(payload.cnf?.jwk).toBeDefined();
+
+      const publicKey = payload.cnf?.jwk;
+
       return Crypto.verify(
         null,
         Buffer.from(data),
-        publicKey,
+        (await importJWK(publicKey as JWK, 'EdDSA')) as KeyLike,
         Buffer.from(sig, 'base64url'),
       );
     };
@@ -258,7 +321,10 @@ describe('KB JWT', () => {
 
     const encodedKbJwt = await kbJwt.sign(testSigner);
     const decoded = KBJwt.fromKBEncode(encodedKbJwt);
-    const verified = await decoded.verify(testVerifier);
+    const verified = await decoded.verifyKB({
+      verifier: testVerifier,
+      payload,
+    });
     expect(verified).toStrictEqual({
       header: {
         typ: KB_JWT_TYP,

package/test/app-e2e.spec.ts

@@ -1,6 +1,11 @@
 import Crypto from 'node:crypto';
 import { SDJwtInstance, SdJwtPayload } from '../src';
-import { DisclosureFrame, Signer, Verifier } from '@sd-jwt/types';
+import {
+  DisclosureFrame,
+  PresentationFrame,
+  Signer,
+  Verifier,
+} from '@sd-jwt/types';
 import fs from 'fs';
 import path from 'path';
 import { describe, expect, test } from 'vitest';
@@ -105,7 +110,10 @@ describe('App', () => {
       'id',
     ]);
 
-    const presentationFrame = ['firstname', 'id'];
+    const presentationFrame = {
+      firstname: true,
+      id: true,
+    };
     const presentedSDJwt = await sdjwt.present(encodedSdjwt, presentationFrame);
     expect(presentedSDJwt).toBeDefined();
 
@@ -215,7 +223,7 @@ async function JSONtest(filename: string) {
 
   const presentedSDJwt = await sdjwt.present(
     encodedSdjwt,
-    test.presentationKeys,
+    test.presentationFrames,
   );
 
   expect(presentedSDJwt).toBeDefined();
@@ -236,7 +244,7 @@ async function JSONtest(filename: string) {
 type TestJson = {
   claims: SdJwtPayload;
   disclosureFrame: DisclosureFrame<SdJwtPayload>;
-  presentationKeys: string[];
+  presentationFrames: PresentationFrame<SdJwtPayload>;
   presenatedClaims: object;
   requiredClaimKeys: string[];
 };

package/test/array_data_types.json

@@ -7,14 +7,16 @@
       "_sd": [0, 1, 2, 3, 4, 5]
     }
   },
-  "presentationKeys": [
-    "data_types.0",
-    "data_types.1",
-    "data_types.2",
-    "data_types.3",
-    "data_types.4",
-    "data_types.5"
-  ],
+  "presentationFrames": {
+    "data_types": {
+      "0": true,
+      "1": true,
+      "2": true,
+      "3": true,
+      "4": true,
+      "5": true
+    }
+  },
   "presenatedClaims": {
     "data_types": [null, 42, 3.14, "foo", ["Test"], { "foo": "bar" }]
   },

package/test/array_full_sd.json

@@ -11,7 +11,7 @@
       "_sd": ["13", "18", "21"]
     }
   },
-  "presentationKeys": ["is_over.18"],
+  "presentationFrames": { "is_over": { "18": true } },
   "presenatedClaims": {
     "is_over": {
       "18": false