@sd-jwt/sd-jwt-vc 0.12.1-next.1 → 0.12.1-next.3

package/dist/index.d.mts

@@ -1,5 +1,5 @@
 import { SDJWTConfig, kbPayload, kbHeader, DisclosureFrame } from '@sd-jwt/types';
-import { SdJwtPayload, SDJwtInstance } from '@sd-jwt/core';
+import { SdJwtPayload, SDJwtInstance, VerifierOptions } from '@sd-jwt/core';
 
 /**
  * Logo metadata used in rendering a credential.
@@ -217,7 +217,7 @@ declare class SDJwtVcInstance extends SDJwtInstance<SdJwtVcPayload> {
      * Verifies the SD-JWT-VC. It will validate the signature, the keybindings when required, the status, and the VCT.
      * @param currentDate current time in seconds
      */
-    verify(encodedSDJwt: string, requiredClaimKeys?: string[], requireKeyBindings?: boolean, currentDate?: number): Promise<VerificationResult>;
+    verify(encodedSDJwt: string, requiredClaimKeys?: string[], requireKeyBindings?: boolean, options?: VerifierOptions): Promise<VerificationResult>;
     /**
      * Gets VCT Metadata of the raw SD-JWT-VC. Returns the type metadata format. If the SD-JWT-VC is invalid or does not contain a vct claim, an error is thrown.
      * @param encodedSDJwt
@@ -254,10 +254,16 @@ declare class SDJwtVcInstance extends SDJwtInstance<SdJwtVcPayload> {
      * @returns
      */
     private fetchVct;
+    /**
+     * Fetches VCT Metadata from the header of the SD-JWT-VC. Returns the type metadata format. If the SD-JWT-VC does not contain a vct claim, an error is thrown.
+     * @param result
+     * @param
+     */
+    private fetchVctFromHeader;
     /**
      * Verifies the status of the SD-JWT-VC.
      * @param result
-     * @param currentDate current time in seconds
+     * @param options
      */
     private verifyStatus;
 }

package/dist/index.d.ts

@@ -1,5 +1,5 @@
 import { SDJWTConfig, kbPayload, kbHeader, DisclosureFrame } from '@sd-jwt/types';
-import { SdJwtPayload, SDJwtInstance } from '@sd-jwt/core';
+import { SdJwtPayload, SDJwtInstance, VerifierOptions } from '@sd-jwt/core';
 
 /**
  * Logo metadata used in rendering a credential.
@@ -217,7 +217,7 @@ declare class SDJwtVcInstance extends SDJwtInstance<SdJwtVcPayload> {
      * Verifies the SD-JWT-VC. It will validate the signature, the keybindings when required, the status, and the VCT.
      * @param currentDate current time in seconds
      */
-    verify(encodedSDJwt: string, requiredClaimKeys?: string[], requireKeyBindings?: boolean, currentDate?: number): Promise<VerificationResult>;
+    verify(encodedSDJwt: string, requiredClaimKeys?: string[], requireKeyBindings?: boolean, options?: VerifierOptions): Promise<VerificationResult>;
     /**
      * Gets VCT Metadata of the raw SD-JWT-VC. Returns the type metadata format. If the SD-JWT-VC is invalid or does not contain a vct claim, an error is thrown.
      * @param encodedSDJwt
@@ -254,10 +254,16 @@ declare class SDJwtVcInstance extends SDJwtInstance<SdJwtVcPayload> {
      * @returns
      */
     private fetchVct;
+    /**
+     * Fetches VCT Metadata from the header of the SD-JWT-VC. Returns the type metadata format. If the SD-JWT-VC does not contain a vct claim, an error is thrown.
+     * @param result
+     * @param
+     */
+    private fetchVctFromHeader;
     /**
      * Verifies the status of the SD-JWT-VC.
      * @param result
-     * @param currentDate current time in seconds
+     * @param options
      */
     private verifyStatus;
 }

package/dist/index.js

@@ -131,8 +131,8 @@ var SDJwtVcInstance = class _SDJwtVcInstance extends import_core.SDJwtInstance {
    * Verifies the SD-JWT-VC. It will validate the signature, the keybindings when required, the status, and the VCT.
    * @param currentDate current time in seconds
    */
-  verify(_0, _1, _2) {
-    return __async(this, arguments, function* (encodedSDJwt, requiredClaimKeys, requireKeyBindings, currentDate = Math.floor(Date.now() / 1e3)) {
+  verify(encodedSDJwt, requiredClaimKeys, requireKeyBindings, options) {
+    return __async(this, null, function* () {
       const result = yield __superGet(_SDJwtVcInstance.prototype, this, "verify").call(this, encodedSDJwt, requiredClaimKeys, requireKeyBindings).then((res) => {
         return {
           payload: res.payload,
@@ -140,7 +140,7 @@ var SDJwtVcInstance = class _SDJwtVcInstance extends import_core.SDJwtInstance {
           kb: res.kb
         };
       });
-      yield this.verifyStatus(result, currentDate);
+      yield this.verifyStatus(result, options);
       if (this.userConfig.loadTypeMetadataFormat) {
         yield this.verifyVct(result);
       }
@@ -281,22 +281,51 @@ var SDJwtVcInstance = class _SDJwtVcInstance extends import_core.SDJwtInstance {
    */
   fetchVct(result) {
     return __async(this, null, function* () {
-      var _a;
+      var _a, _b;
       if (!result.payload.vct) {
         throw new import_utils.SDJWTException("vct claim is required");
       }
-      const fetcher = (_a = this.userConfig.vctFetcher) != null ? _a : (uri, integrity) => this.fetch(uri, integrity);
+      if ((_a = result.header) == null ? void 0 : _a.vctm) {
+        return this.fetchVctFromHeader(result.payload.vct, result);
+      }
+      const fetcher = (_b = this.userConfig.vctFetcher) != null ? _b : (uri, integrity) => this.fetch(uri, integrity);
       return fetcher(result.payload.vct, result.payload["vct#Integrity"]);
     });
   }
+  /**
+   * Fetches VCT Metadata from the header of the SD-JWT-VC. Returns the type metadata format. If the SD-JWT-VC does not contain a vct claim, an error is thrown.
+   * @param result
+   * @param
+   */
+  fetchVctFromHeader(vct, result) {
+    return __async(this, null, function* () {
+      var _a;
+      const vctmHeader = (_a = result.header) == null ? void 0 : _a.vctm;
+      if (!vctmHeader || !Array.isArray(vctmHeader)) {
+        throw new Error("vctm claim in SD JWT header is invalid");
+      }
+      const typeMetadataFormat = vctmHeader.map((vctm) => {
+        if (!(typeof vctm === "string")) {
+          throw new Error("vctm claim in SD JWT header is invalid");
+        }
+        return JSON.parse((0, import_utils.base64urlDecode)(vctm));
+      }).find((typeMetadataFormat2) => {
+        return typeMetadataFormat2.vct === vct;
+      });
+      if (!typeMetadataFormat) {
+        throw new Error("could not find VCT Metadata in JWT header");
+      }
+      return typeMetadataFormat;
+    });
+  }
   /**
    * Verifies the status of the SD-JWT-VC.
    * @param result
-   * @param currentDate current time in seconds
+   * @param options
    */
-  verifyStatus(result, currentDate) {
+  verifyStatus(result, options) {
     return __async(this, null, function* () {
-      var _a, _b, _c;
+      var _a, _b, _c, _d;
       if (result.payload.status) {
         if (result.payload.status.status_list) {
           const fetcher = (_a = this.userConfig.statusListFetcher) != null ? _a : this.statusListFetcher.bind(this);
@@ -304,15 +333,16 @@ var SDJwtVcInstance = class _SDJwtVcInstance extends import_core.SDJwtInstance {
             result.payload.status.status_list.uri
           );
           const slJWT = import_core.Jwt.fromEncode(statusListJWT);
-          yield slJWT.verify(this.userConfig.verifier, currentDate);
-          if (((_b = slJWT.payload) == null ? void 0 : _b.exp) && slJWT.payload.exp < currentDate) {
+          yield slJWT.verify(this.userConfig.verifier, options);
+          const currentDate = (_b = options == null ? void 0 : options.currentDate) != null ? _b : Math.floor(Date.now() / 1e3);
+          if (((_c = slJWT.payload) == null ? void 0 : _c.exp) && slJWT.payload.exp < currentDate) {
             throw new import_utils.SDJWTException("Status list is expired");
           }
           const statusList = (0, import_jwt_status_list.getListFromStatusListJWT)(statusListJWT);
           const status = statusList.getStatus(
             result.payload.status.status_list.idx
           );
-          const statusValidator = (_c = this.userConfig.statusValidator) != null ? _c : this.statusValidator.bind(this);
+          const statusValidator = (_d = this.userConfig.statusValidator) != null ? _d : this.statusValidator.bind(this);
           yield statusValidator(status);
         }
       }

package/dist/index.mjs

@@ -24,7 +24,7 @@ var __async = (__this, __arguments, generator) => {
 
 // src/sd-jwt-vc-instance.ts
 import { Jwt, SDJwt, SDJwtInstance } from "@sd-jwt/core";
-import { SDJWTException } from "@sd-jwt/utils";
+import { base64urlDecode, SDJWTException } from "@sd-jwt/utils";
 import {
   getListFromStatusListJWT
 } from "@sd-jwt/jwt-status-list";
@@ -99,8 +99,8 @@ var SDJwtVcInstance = class _SDJwtVcInstance extends SDJwtInstance {
    * Verifies the SD-JWT-VC. It will validate the signature, the keybindings when required, the status, and the VCT.
    * @param currentDate current time in seconds
    */
-  verify(_0, _1, _2) {
-    return __async(this, arguments, function* (encodedSDJwt, requiredClaimKeys, requireKeyBindings, currentDate = Math.floor(Date.now() / 1e3)) {
+  verify(encodedSDJwt, requiredClaimKeys, requireKeyBindings, options) {
+    return __async(this, null, function* () {
       const result = yield __superGet(_SDJwtVcInstance.prototype, this, "verify").call(this, encodedSDJwt, requiredClaimKeys, requireKeyBindings).then((res) => {
         return {
           payload: res.payload,
@@ -108,7 +108,7 @@ var SDJwtVcInstance = class _SDJwtVcInstance extends SDJwtInstance {
           kb: res.kb
         };
       });
-      yield this.verifyStatus(result, currentDate);
+      yield this.verifyStatus(result, options);
       if (this.userConfig.loadTypeMetadataFormat) {
         yield this.verifyVct(result);
       }
@@ -249,22 +249,51 @@ var SDJwtVcInstance = class _SDJwtVcInstance extends SDJwtInstance {
    */
   fetchVct(result) {
     return __async(this, null, function* () {
-      var _a;
+      var _a, _b;
       if (!result.payload.vct) {
         throw new SDJWTException("vct claim is required");
       }
-      const fetcher = (_a = this.userConfig.vctFetcher) != null ? _a : (uri, integrity) => this.fetch(uri, integrity);
+      if ((_a = result.header) == null ? void 0 : _a.vctm) {
+        return this.fetchVctFromHeader(result.payload.vct, result);
+      }
+      const fetcher = (_b = this.userConfig.vctFetcher) != null ? _b : (uri, integrity) => this.fetch(uri, integrity);
       return fetcher(result.payload.vct, result.payload["vct#Integrity"]);
     });
   }
+  /**
+   * Fetches VCT Metadata from the header of the SD-JWT-VC. Returns the type metadata format. If the SD-JWT-VC does not contain a vct claim, an error is thrown.
+   * @param result
+   * @param
+   */
+  fetchVctFromHeader(vct, result) {
+    return __async(this, null, function* () {
+      var _a;
+      const vctmHeader = (_a = result.header) == null ? void 0 : _a.vctm;
+      if (!vctmHeader || !Array.isArray(vctmHeader)) {
+        throw new Error("vctm claim in SD JWT header is invalid");
+      }
+      const typeMetadataFormat = vctmHeader.map((vctm) => {
+        if (!(typeof vctm === "string")) {
+          throw new Error("vctm claim in SD JWT header is invalid");
+        }
+        return JSON.parse(base64urlDecode(vctm));
+      }).find((typeMetadataFormat2) => {
+        return typeMetadataFormat2.vct === vct;
+      });
+      if (!typeMetadataFormat) {
+        throw new Error("could not find VCT Metadata in JWT header");
+      }
+      return typeMetadataFormat;
+    });
+  }
   /**
    * Verifies the status of the SD-JWT-VC.
    * @param result
-   * @param currentDate current time in seconds
+   * @param options
    */
-  verifyStatus(result, currentDate) {
+  verifyStatus(result, options) {
     return __async(this, null, function* () {
-      var _a, _b, _c;
+      var _a, _b, _c, _d;
       if (result.payload.status) {
         if (result.payload.status.status_list) {
           const fetcher = (_a = this.userConfig.statusListFetcher) != null ? _a : this.statusListFetcher.bind(this);
@@ -272,15 +301,16 @@ var SDJwtVcInstance = class _SDJwtVcInstance extends SDJwtInstance {
             result.payload.status.status_list.uri
           );
           const slJWT = Jwt.fromEncode(statusListJWT);
-          yield slJWT.verify(this.userConfig.verifier, currentDate);
-          if (((_b = slJWT.payload) == null ? void 0 : _b.exp) && slJWT.payload.exp < currentDate) {
+          yield slJWT.verify(this.userConfig.verifier, options);
+          const currentDate = (_b = options == null ? void 0 : options.currentDate) != null ? _b : Math.floor(Date.now() / 1e3);
+          if (((_c = slJWT.payload) == null ? void 0 : _c.exp) && slJWT.payload.exp < currentDate) {
             throw new SDJWTException("Status list is expired");
           }
           const statusList = getListFromStatusListJWT(statusListJWT);
           const status = statusList.getStatus(
             result.payload.status.status_list.idx
           );
-          const statusValidator = (_c = this.userConfig.statusValidator) != null ? _c : this.statusValidator.bind(this);
+          const statusValidator = (_d = this.userConfig.statusValidator) != null ? _d : this.statusValidator.bind(this);
           yield statusValidator(status);
         }
       }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sd-jwt/sd-jwt-vc",
-  "version": "0.12.1-next.1+0a2f20b",
+  "version": "0.12.1-next.3+f89ba44",
   "description": "sd-jwt draft 7 implementation in typescript",
   "main": "dist/index.js",
   "module": "dist/index.mjs",
@@ -39,15 +39,15 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
-    "@sd-jwt/core": "0.12.1-next.1+0a2f20b",
-    "@sd-jwt/jwt-status-list": "0.12.1-next.1+0a2f20b",
-    "@sd-jwt/utils": "0.12.1-next.1+0a2f20b",
+    "@sd-jwt/core": "0.12.1-next.3+f89ba44",
+    "@sd-jwt/jwt-status-list": "0.12.1-next.3+f89ba44",
+    "@sd-jwt/utils": "0.12.1-next.3+f89ba44",
     "ajv": "^8.17.1",
     "ajv-formats": "^3.0.1"
   },
   "devDependencies": {
-    "@sd-jwt/crypto-nodejs": "0.12.1-next.1+0a2f20b",
-    "@sd-jwt/types": "0.12.1-next.1+0a2f20b",
+    "@sd-jwt/crypto-nodejs": "0.12.1-next.3+f89ba44",
+    "@sd-jwt/types": "0.12.1-next.3+f89ba44",
     "jose": "^5.2.2",
     "msw": "^2.3.5"
   },
@@ -67,5 +67,5 @@
       "esm"
     ]
   },
-  "gitHead": "0a2f20b6383d2356540e7a9cc37748c7b9caced2"
+  "gitHead": "f89ba445aeb57ce342ec76b58a0eb6d0c090a4e9"
 }

package/src/sd-jwt-vc-instance.ts

@@ -1,6 +1,6 @@
-import { Jwt, SDJwt, SDJwtInstance } from '@sd-jwt/core';
+import { Jwt, SDJwt, SDJwtInstance, type VerifierOptions } from '@sd-jwt/core';
 import type { DisclosureFrame, Hasher, Verifier } from '@sd-jwt/types';
-import { SDJWTException } from '@sd-jwt/utils';
+import { base64urlDecode, SDJWTException } from '@sd-jwt/utils';
 import type { SdJwtVcPayload } from './sd-jwt-vc-payload';
 import type {
   SDJWTVCConfig,
@@ -110,9 +110,10 @@ export class SDJwtVcInstance extends SDJwtInstance<SdJwtVcPayload> {
    */
   async verify(
     encodedSDJwt: string,
+    //TODO: we need to move these values in options, causing a breaking change
     requiredClaimKeys?: string[],
     requireKeyBindings?: boolean,
-    currentDate: number = Math.floor(Date.now() / 1000),
+    options?: VerifierOptions,
   ) {
     // Call the parent class's verify method
     const result: VerificationResult = await super
@@ -125,7 +126,7 @@ export class SDJwtVcInstance extends SDJwtInstance<SdJwtVcPayload> {
         };
       });
 
-    await this.verifyStatus(result, currentDate);
+    await this.verifyStatus(result, options);
     if (this.userConfig.loadTypeMetadataFormat) {
       await this.verifyVct(result);
     }
@@ -293,20 +294,58 @@ export class SDJwtVcInstance extends SDJwtInstance<SdJwtVcPayload> {
       throw new SDJWTException('vct claim is required');
     }
 
+    if (result.header?.vctm) {
+      return this.fetchVctFromHeader(result.payload.vct, result);
+    }
+
     const fetcher: VcTFetcher =
       this.userConfig.vctFetcher ??
       ((uri, integrity) => this.fetch(uri, integrity));
     return fetcher(result.payload.vct, result.payload['vct#Integrity']);
   }
 
+  /**
+   * Fetches VCT Metadata from the header of the SD-JWT-VC. Returns the type metadata format. If the SD-JWT-VC does not contain a vct claim, an error is thrown.
+   * @param result
+   * @param
+   */
+  private async fetchVctFromHeader(
+    vct: string,
+    result: VerificationResult,
+  ): Promise<TypeMetadataFormat> {
+    const vctmHeader = result.header?.vctm;
+
+    if (!vctmHeader || !Array.isArray(vctmHeader)) {
+      throw new Error('vctm claim in SD JWT header is invalid');
+    }
+
+    const typeMetadataFormat = (vctmHeader as unknown[])
+      .map((vctm) => {
+        if (!(typeof vctm === 'string')) {
+          throw new Error('vctm claim in SD JWT header is invalid');
+        }
+
+        return JSON.parse(base64urlDecode(vctm));
+      })
+      .find((typeMetadataFormat) => {
+        return typeMetadataFormat.vct === vct;
+      });
+
+    if (!typeMetadataFormat) {
+      throw new Error('could not find VCT Metadata in JWT header');
+    }
+
+    return typeMetadataFormat;
+  }
+
   /**
    * Verifies the status of the SD-JWT-VC.
    * @param result
-   * @param currentDate current time in seconds
+   * @param options
    */
   private async verifyStatus(
     result: VerificationResult,
-    currentDate: number,
+    options?: VerifierOptions,
   ): Promise<void> {
     if (result.payload.status) {
       //checks if a status field is present in the payload based on https://www.ietf.org/archive/id/draft-ietf-oauth-status-list-02.html
@@ -325,8 +364,10 @@ export class SDJwtVcInstance extends SDJwtInstance<SdJwtVcPayload> {
           StatusListJWTPayload
         >(statusListJWT);
         // check if the status list has a valid signature. The presence of the verifier is checked in the parent class.
-        await slJWT.verify(this.userConfig.verifier as Verifier, currentDate);
+        await slJWT.verify(this.userConfig.verifier as Verifier, options);
 
+        const currentDate =
+          options?.currentDate ?? Math.floor(Date.now() / 1000);
         //check if the status list is expired
         if (slJWT.payload?.exp && (slJWT.payload.exp as number) < currentDate) {
           throw new SDJWTException('Status list is expired');

package/src/test/vct.spec.ts

@@ -9,6 +9,16 @@ import { HttpResponse, http } from 'msw';
 import { afterEach } from 'node:test';
 import type { TypeMetadataFormat } from '../sd-jwt-vc-type-metadata-format';
 
+const exampleVctm = {
+  vct: 'http://example.com/example',
+  name: 'ExampleCredentialType',
+  description: 'An example credential type',
+  schema_uri: 'http://example.com/schema/example',
+  //this value could be generated on demand to make it easier when changing the values
+  'schema_uri#Integrity':
+    'sha256-48a61b283ded3b55e8d9a9b063327641dc4c53f76bd5daa96c23f232822167ae',
+};
+
 const restHandlers = [
   http.get('http://example.com/schema/example', () => {
     const res = {
@@ -42,15 +52,7 @@ const restHandlers = [
     return HttpResponse.json(res);
   }),
   http.get('http://example.com/example', () => {
-    const res: TypeMetadataFormat = {
-      vct: 'http://example.com/example',
-      name: 'ExampleCredentialType',
-      description: 'An example credential type',
-      schema_uri: 'http://example.com/schema/example',
-      //this value could be generated on demand to make it easier when changing the values
-      'schema_uri#Integrity':
-        'sha256-48a61b283ded3b55e8d9a9b063327641dc4c53f76bd5daa96c23f232822167ae',
-    };
+    const res: TypeMetadataFormat = exampleVctm;
     return HttpResponse.json(res);
   }),
   http.get('http://example.com/timeout', () => {
@@ -133,6 +135,26 @@ describe('App', () => {
     await sdjwt.verify(encodedSdjwt);
   });
 
+  test('VCT from JWT header Validation', async () => {
+    const expectedPayload: SdJwtVcPayload = {
+      iat,
+      iss,
+      vct,
+      'vct#Integrity': vctIntegrity,
+      ...claims,
+    };
+    const header = {
+      vctm: [Buffer.from(JSON.stringify(exampleVctm)).toString('base64url')],
+    };
+    const encodedSdjwt = await sdjwt.issue(
+      expectedPayload,
+      disclosureFrame as unknown as DisclosureFrame<SdJwtVcPayload>,
+      { header },
+    );
+
+    await sdjwt.verify(encodedSdjwt);
+  });
+
   test('VCT Validation with timeout', async () => {
     const vct = 'http://example.com/timeout';
     const expectedPayload: SdJwtVcPayload = {