@sphereon/ssi-sdk.sd-jwt 0.34.1-next.3 → 0.34.1-next.323

package/src/__tests__/sd-jwt-vcdm2.test.ts

@@ -0,0 +1,316 @@
+import { beforeAll, describe, expect, it } from 'vitest'
+import { KBJwt } from '@sd-jwt/core'
+import { decodeSdJwt } from '@sd-jwt/decode'
+import { SdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'
+import { DisclosureFrame, kbPayload } from '@sd-jwt/types'
+import { JwkDIDProvider } from '@sphereon/ssi-sdk-ext.did-provider-jwk'
+import { getDidJwkResolver } from '@sphereon/ssi-sdk-ext.did-resolver-jwk'
+import { IdentifierResolution, IIdentifierResolution } from '@sphereon/ssi-sdk-ext.identifier-resolution'
+import { IJwtService, JwtService } from '@sphereon/ssi-sdk-ext.jwt-service'
+import { MemoryKeyStore, MemoryPrivateKeyStore, SphereonKeyManager } from '@sphereon/ssi-sdk-ext.key-manager'
+import { SphereonKeyManagementSystem } from '@sphereon/ssi-sdk-ext.kms-local'
+import { ImDLMdoc, MDLMdoc } from '@sphereon/ssi-sdk.mdl-mdoc'
+import { createAgent, IDIDManager, IKeyManager, IResolver, TAgent } from '@veramo/core'
+import { DIDManager, MemoryDIDStore } from '@veramo/did-manager'
+import { DIDResolverPlugin } from '@veramo/did-resolver'
+import { DIDDocument, Resolver, VerificationMethod } from 'did-resolver'
+import { defaultGenerateDigest } from '../defaultCallbacks'
+import { ISDJwtPlugin, SDJwtPlugin } from '../index'
+import { SdJwtVcdm2Payload } from '@sphereon/ssi-types'
+
+type AgentType = IDIDManager & IKeyManager & IIdentifierResolution & IJwtService & IResolver & ISDJwtPlugin & ImDLMdoc
+
+describe('Agent plugin', () => {
+  let agent: TAgent<AgentType>
+
+  let issuer: string
+
+  let holder: string
+
+  // Issuer Define the claims object with the user's information
+  const claims = {
+    sub: '',
+    credentialSubject: {
+      given_name: 'John',
+      family_name: 'Deo',
+      email: 'johndeo@example.com',
+      phone: '+1-202-555-0101',
+      address: {
+        street_address: '123 Main St',
+        locality: 'Anytown',
+        region: 'Anystate',
+        country: 'US',
+      },
+      birthdate: '1940-01-01',
+    },
+  }
+
+  // Issuer Define the disclosure frame to specify which claims can be disclosed
+  const disclosureFrame: DisclosureFrame<typeof claims> = {
+    credentialSubject: {
+      _sd: ['given_name', 'family_name', 'email', 'phone', 'address', 'birthdate'],
+    },
+  }
+  let testVcdm2SdJwtCredentialPayload: SdJwtVcdm2Payload
+
+  beforeAll(async () => {
+    agent = createAgent<AgentType>({
+      plugins: [
+        new SDJwtPlugin(),
+        new IdentifierResolution(),
+        new JwtService(),
+        new SphereonKeyManager({
+          store: new MemoryKeyStore(),
+          kms: {
+            local: new SphereonKeyManagementSystem(new MemoryPrivateKeyStore()),
+          },
+        }),
+        new DIDResolverPlugin({
+          resolver: new Resolver({
+            ...getDidJwkResolver(),
+          }),
+        }),
+        new DIDManager({
+          store: new MemoryDIDStore(),
+          defaultProvider: 'did:jwk',
+          providers: {
+            'did:jwk': new JwkDIDProvider({
+              defaultKms: 'local',
+            }),
+          },
+        }),
+      ],
+    })
+    issuer = await agent
+      .didManagerCreate({
+        kms: 'local',
+        provider: 'did:jwk',
+        alias: 'issuer',
+        //we use this curve since nodejs does not support ES256k which is the default one.
+        options: { keyType: 'Secp256r1' },
+      })
+      .then((did) => {
+        // we add a key reference
+        return `${did.did}#0`
+      })
+    holder = await agent
+      .didManagerCreate({
+        kms: 'local',
+        provider: 'did:jwk',
+        alias: 'holder',
+        //we use this curve since nodejs does not support ES256k which is the default one.
+        options: { keyType: 'Secp256r1' },
+      })
+      .then((did) => `${did.did}#0`)
+    claims.sub = holder
+
+    testVcdm2SdJwtCredentialPayload = {
+      ...claims,
+      '@context': ['https://www.w3.org/ns/credentials/v2'],
+      type: ['VerifiableCredential'],
+      issuer,
+      validFrom: '2021-01-01T00:00:00Z',
+      // iat: Math.floor(new Date().getTime() / 1000),
+    }
+  })
+
+  it('create a sd-jwt vcdm2', async () => {
+    const credentialPayload: SdJwtVcdm2Payload = {
+      ...claims,
+      '@context': ['https://www.w3.org/ns/credentials/v2'],
+      type: ['VerifiableCredential'],
+      issuer,
+      validFrom: '2021-01-01T00:00:00Z',
+      iat: Math.floor(new Date().getTime() / 1000),
+    }
+    const credential = await agent.createSdJwtVc({
+      credentialPayload,
+      disclosureFrame,
+    })
+    expect(credential).toBeDefined()
+  })
+
+  it('create sd-jwt vcdm2 without an issuer', async () => {
+    const credentialPayload = {
+      ...claims,
+      '@context': ['https://www.w3.org/ns/credentials/v2'],
+      type: ['VerifiableCredential'],
+      validFrom: '2021-01-01T00:00:00Z',
+      // iat: Math.floor(new Date().getTime() / 1000),
+    }
+    await expect(
+      agent.createSdJwtVc({
+        credentialPayload: credentialPayload as unknown as SdJwtVcPayload,
+        disclosureFrame,
+      }),
+    ).rejects.toThrow('No issuer (iss or VCDM 2 issuer) found in SD-JWT or no VCDM2 SD-JWT or SD-JWT VC')
+  })
+
+  it('verify a sd-jwt vcdm2', async () => {
+    const credential = await agent.createSdJwtVc({
+      credentialPayload: testVcdm2SdJwtCredentialPayload,
+      disclosureFrame: disclosureFrame,
+    })
+    const result = await agent.verifySdJwtVc({
+      credential: credential.credential,
+    })
+    expect(result.payload).toBeDefined()
+  }, 5000)
+
+  it('create a presentation', async () => {
+    const credentialPayload = testVcdm2SdJwtCredentialPayload
+    const credential = await agent.createSdJwtVc({
+      credentialPayload,
+      disclosureFrame,
+    })
+    const presentation = await agent.createSdJwtPresentation({
+      presentation: credential.credential,
+      presentationFrame: { given_name: true },
+      kb: {
+        payload: {
+          aud: '1',
+          iat: 1,
+          nonce: '342',
+        },
+      },
+    })
+    expect(presentation).toBeDefined()
+    const decoded = await decodeSdJwt(presentation.presentation, defaultGenerateDigest)
+    expect(decoded.kbJwt).toBeDefined()
+    expect(((decoded.kbJwt as KBJwt).payload as kbPayload).aud).toBe('1')
+  })
+
+  it('create presentation with cnf', async () => {
+    const did = await agent.didManagerFind({ alias: 'holder' }).then((dids) => dids[0])
+    const resolvedDid = await agent.resolveDid({ didUrl: `${did.did}#0` })
+    const jwk: JsonWebKey = ((resolvedDid.didDocument as DIDDocument).verificationMethod as VerificationMethod[])[0].publicKeyJwk as JsonWebKey
+    const credentialPayload = {
+      ...testVcdm2SdJwtCredentialPayload,
+      cnf: {
+        jwk,
+      },
+    }
+    const credential = await agent.createSdJwtVc({
+      credentialPayload,
+      disclosureFrame,
+    })
+    const presentation = await agent.createSdJwtPresentation({
+      presentation: credential.credential,
+      presentationFrame: { given_name: true },
+      kb: {
+        payload: {
+          aud: '1',
+          iat: 1,
+          nonce: '342',
+        },
+      },
+    })
+    expect(presentation).toBeDefined()
+    const decoded = await decodeSdJwt(presentation.presentation, defaultGenerateDigest)
+    expect(decoded.kbJwt).toBeDefined()
+    expect(((decoded.kbJwt as KBJwt).payload as kbPayload).aud).toBe('1')
+  })
+
+  it('includes no holder reference', async () => {
+    const newClaims = JSON.parse(JSON.stringify(claims))
+    newClaims.sub = undefined
+    const credentialPayload: SdJwtVcPayload = {
+      ...newClaims,
+      iss: issuer,
+      iat: Math.floor(new Date().getTime() / 1000),
+      vct: '',
+    }
+    const credential = await agent.createSdJwtVc({
+      credentialPayload,
+      disclosureFrame,
+    })
+    const presentation = agent.createSdJwtPresentation({
+      presentation: credential.credential,
+      presentationFrame: { given_name: true },
+      kb: {
+        payload: {
+          aud: '1',
+          iat: 1,
+          nonce: '342',
+        },
+      },
+    })
+    await expect(presentation).rejects.toThrow('credential does not include a holder reference')
+  })
+
+  it('verify a presentation', async () => {
+    const holderDId = await agent.resolveDid({ didUrl: holder })
+    const jwk: JsonWebKey = ((holderDId.didDocument as DIDDocument).verificationMethod as VerificationMethod[])[0].publicKeyJwk as JsonWebKey
+    const credentialPayload: SdJwtVcPayload = {
+      ...claims,
+      iss: issuer,
+      iat: Math.floor(new Date().getTime() / 1000),
+      vct: '',
+      cnf: {
+        jwk,
+      },
+    }
+    const credential = await agent.createSdJwtVc({
+      credentialPayload,
+      disclosureFrame,
+    })
+    const presentation = await agent.createSdJwtPresentation({
+      presentation: credential.credential,
+      presentationFrame: { credentialSubject: { given_name: true } },
+      kb: {
+        payload: {
+          aud: '1',
+          iat: 1,
+          nonce: '342',
+        },
+      },
+    })
+    const result = await agent.verifySdJwtPresentation({
+      presentation: presentation.presentation,
+      requiredClaimKeys: ['credentialSubject.given_name'],
+      // we are not able to verify the kb yet since we have no reference to the public key of the holder.
+      keyBindingAud: '1',
+      keyBindingNonce: '342',
+    })
+    expect(result).toBeDefined()
+    expect((result.payload as typeof claims).credentialSubject.given_name).toBe('John')
+  })
+
+  it('verify a presentation with sub set', async () => {
+    const holderDId = await agent.resolveDid({ didUrl: holder })
+    const jwk: JsonWebKey = ((holderDId.didDocument as DIDDocument).verificationMethod as VerificationMethod[])[0].publicKeyJwk as JsonWebKey
+    const credentialPayload: SdJwtVcPayload = {
+      ...claims,
+      iss: issuer,
+      iat: Math.floor(new Date().getTime() / 1000),
+      vct: '',
+      cnf: {
+        jwk,
+      },
+    }
+    const credential = await agent.createSdJwtVc({
+      credentialPayload,
+      disclosureFrame,
+    })
+    const presentation = await agent.createSdJwtPresentation({
+      presentation: credential.credential,
+      presentationFrame: { credentialSubject: { given_name: true } },
+      kb: {
+        payload: {
+          aud: '1',
+          iat: 1,
+          nonce: '342',
+        },
+      },
+    })
+    const result = await agent.verifySdJwtPresentation({
+      presentation: presentation.presentation,
+      requiredClaimKeys: ['credentialSubject.given_name'],
+      // we are not able to verify the kb yet since we have no reference to the public key of the holder.
+      keyBindingAud: '1',
+      keyBindingNonce: '342',
+    })
+    expect(result).toBeDefined()
+    expect((result.payload as typeof claims).credentialSubject.given_name).toBe('John')
+  })
+})

package/src/action-handler.ts

@@ -1,16 +1,23 @@
-import { Jwt, SDJwt } from '@sd-jwt/core'
-import { SDJwtVcInstance, SdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'
-import { DisclosureFrame, Hasher, JwtPayload, KbVerifier, PresentationFrame, Signer, Verifier } from '@sd-jwt/types'
+import { Jwt, SDJwt, type SdJwtPayload, type VerifierOptions } from '@sd-jwt/core'
+import { SDJwtVcInstance, type SdJwtVcPayload } from '@sd-jwt/sd-jwt-vc'
+import type { DisclosureFrame, HashAlgorithm, Hasher, JwtPayload, KbVerifier, PresentationFrame, Signer, Verifier } from '@sd-jwt/types'
 import { calculateJwkThumbprint, signatureAlgorithmFromKey } from '@sphereon/ssi-sdk-ext.key-utils'
-import { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils'
-import { HasherSync, JsonWebKey, JWK, SdJwtTypeMetadata } from '@sphereon/ssi-types'
-import { IAgentPlugin } from '@veramo/core'
-import { decodeBase64url } from '@veramo/utils'
+import type { X509CertificateChainValidationOpts } from '@sphereon/ssi-sdk-ext.x509-utils'
+import type { HasherSync, JsonWebKey, JWK, SdJwtTypeMetadata } from '@sphereon/ssi-types'
+import type { IAgentPlugin } from '@veramo/core'
+// import { decodeBase64url } from '@veramo/utils'
 import Debug from 'debug'
 import { defaultGenerateDigest, defaultGenerateSalt, defaultVerifySignature } from './defaultCallbacks'
 import { funkeTestCA, sphereonCA } from './trustAnchors'
-import { assertValidTypeMetadata, fetchUrlWithErrorHandling, validateIntegrity } from './utils'
 import {
+  assertValidTypeMetadata,
+  fetchUrlWithErrorHandling,
+  getIssuerFromSdJwt,
+  isSdjwtVcPayload,
+  isVcdm2SdJwtPayload,
+  validateIntegrity,
+} from './utils'
+import type {
   Claims,
   FetchSdJwtTypeMetadataFromVctUrlArgs,
   GetSignerForIdentifierArgs,
@@ -30,6 +37,10 @@ import {
   SignKeyArgs,
   SignKeyResult,
 } from './types'
+import { SDJwtVcdm2Instance, SDJwtVcdmInstanceFactory } from './sdJwtVcdm2Instance'
+
+// @ts-ignore
+import * as u8a from 'uint8arrays'
 
 const debug = Debug('@sphereon/ssi-sdk.sd-jwt')
 
@@ -101,27 +112,47 @@ export class SDJwtPlugin implements IAgentPlugin {
    * @returns A signed SD-JWT credential.
    */
   async createSdJwtVc(args: ICreateSdJwtVcArgs, context: IRequiredContext): Promise<ICreateSdJwtVcResult> {
-    const issuer = args.credentialPayload.iss
+    const payload = args.credentialPayload
+    const isVcdm2 = isVcdm2SdJwtPayload(payload)
+    const isSdJwtVc = isSdjwtVcPayload(payload)
+    const type = args.type ?? (isVcdm2 ? 'vc+sd-jwt' : 'dc+sd-jwt')
+
+    const issuer = getIssuerFromSdJwt(args.credentialPayload)
     if (!issuer) {
       throw new Error('credential.issuer must not be empty')
     }
     const { alg, signer, signingKey } = await this.getSignerForIdentifier({ identifier: issuer, resolution: args.resolution }, context)
-    const sdjwt = new SDJwtVcInstance({
+    const signAlg = alg ?? signingKey?.alg ?? 'ES256'
+    const hashAlg: HashAlgorithm = /(\d{3})$/.test(signAlg) ? (`sha-${signAlg.slice(-3)}` as HashAlgorithm) : 'sha-256'
+    const sdjwt = SDJwtVcdmInstanceFactory.create(type, {
+      omitTyp: true,
       signer,
       hasher: this.registeredImplementations.hasher,
       saltGenerator: this.registeredImplementations.saltGenerator,
-      signAlg: alg ?? 'ES256',
-      hashAlg: 'sha-256',
+      signAlg,
+      hashAlg,
     })
 
-    const credential = await sdjwt.issue(args.credentialPayload, args.disclosureFrame as DisclosureFrame<typeof args.credentialPayload>, {
-      header: {
-        ...(signingKey?.key.kid !== undefined && { kid: signingKey.key.kid }),
-        ...(signingKey?.key.x5c !== undefined && { x5c: signingKey.key.x5c }),
-      },
-    })
+    const header = {
+      ...(signingKey?.key.kid !== undefined && { kid: signingKey.key.kid }),
+      ...(signingKey?.key.x5c !== undefined && { x5c: signingKey.key.x5c }),
+      ...(type && { typ: type }),
+    }
+    let credential: string
+    if (isVcdm2) {
+      credential = await (sdjwt as SDJwtVcdm2Instance).issue(
+        payload,
+        // @ts-ignore
+        args.disclosureFrame as DisclosureFrame<typeof payload>,
+        { header },
+      )
+    } else if (isSdJwtVc) {
+      credential = await (sdjwt as SDJwtVcInstance).issue(payload, args.disclosureFrame as DisclosureFrame<typeof payload>, { header })
+    } else {
+      return Promise.reject(new Error(`invalid_argument: credential '${type}' type is not supported`))
+    }
 
-    return { credential }
+    return { type, credential }
   }
 
   /**
@@ -183,10 +214,13 @@ export class SDJwtPlugin implements IAgentPlugin {
    * @returns A signed SD-JWT presentation.
    */
   async createSdJwtPresentation(args: ICreateSdJwtPresentationArgs, context: IRequiredContext): Promise<ICreateSdJwtPresentationResult> {
+    const type = args.type ?? 'dc+sd-jwt'
+
     const cred = await SDJwt.fromEncode(args.presentation, this.registeredImplementations.hasher!)
+
     const claims = await cred.getClaims<Claims>(this.registeredImplementations.hasher!)
     let holder: string
-    // we primarly look for a cnf field, if it's not there we look for a sub field. If this is also not given, we throw an error since we can not sign it.
+    // we primarily look for a cnf field, if it's not there, we look for a sub field. If this is also not given, we throw an error since we can not sign it.
     if (args.holder) {
       holder = args.holder
     } else if (claims.cnf?.jwk) {
@@ -201,15 +235,17 @@ export class SDJwtPlugin implements IAgentPlugin {
     }
     const { alg, signer } = await this.getSignerForIdentifier({ identifier: holder }, context)
 
-    const sdjwt = new SDJwtVcInstance({
-      hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest,
+    const sdjwt = SDJwtVcdmInstanceFactory.create(type, {
+      omitTyp: true,
+      hasher: this.registeredImplementations.hasher,
       saltGenerator: this.registeredImplementations.saltGenerator,
       kbSigner: signer,
       kbSignAlg: alg ?? 'ES256',
     })
+
     const presentation = await sdjwt.present(args.presentation, args.presentationFrame as PresentationFrame<SdJwtVcPayload>, { kb: args.kb })
 
-    return { presentation }
+    return { type, presentation }
   }
 
   /**
@@ -220,11 +256,17 @@ export class SDJwtPlugin implements IAgentPlugin {
    */
   async verifySdJwtVc(args: IVerifySdJwtVcArgs, context: IRequiredContext): Promise<IVerifySdJwtVcResult> {
     // callback
-    const verifier: Verifier = async (data: string, signature: string) => this.verify(sdjwt, context, data, signature)
-    const sdjwt = new SDJwtVcInstance({ verifier, hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest })
-    const { header = {}, payload, kb } = await sdjwt.verify(args.credential)
+    const verifier: Verifier = async (data: string, signature: string) => this.verifyCallbackImpl(sdjwt, context, data, signature)
+
+    const cred = await SDJwt.fromEncode(args.credential, this.registeredImplementations.hasher!)
+    const type = isVcdm2SdJwtPayload(cred.jwt?.payload as SdJwtPayload) ? 'vc+sd-jwt' : 'dc+sd-jwt'
+
+    const sdjwt = SDJwtVcdmInstanceFactory.create(type, { verifier, hasher: this.registeredImplementations.hasher ?? defaultGenerateDigest })
+    // FIXME: Findynet. Issuer returns expired status lists, and low level lib throws errors on these. We need to fix this in our implementation by wrapping the verification function
+    // For now a workaround is to ad 5 days of skew seconds, yuck
+    const { header = {}, payload, kb } = await sdjwt.verify(args.credential, { skewSeconds: 60 * 60 * 24 * 5 })
 
-    return { header, payload: payload as SdJwtVcPayload, kb }
+    return { type, header, payload, kb }
   }
 
   /**
@@ -236,10 +278,13 @@ export class SDJwtPlugin implements IAgentPlugin {
    * @param payload - The payload of the SD-JWT
    * @returns
    */
-  private verifyKb(sdjwt: SDJwtVcInstance, context: IRequiredContext, data: string, signature: string, payload: JwtPayload): Promise<boolean> {
+  private verifyKb(context: IRequiredContext, data: string, signature: string, payload: JwtPayload): Promise<boolean> {
     if (!payload.cnf) {
       throw Error('other method than cnf is not supported yet')
     }
+
+    // TODO add aud verification
+
     return this.verifySignatureCallback(context)(data, signature, this.getJwk(payload))
   }
 
@@ -251,15 +296,16 @@ export class SDJwtPlugin implements IAgentPlugin {
    * @param signature - The signature
    * @returns
    */
-  async verify(
-    sdjwt: SDJwtVcInstance,
+  async verifyCallbackImpl(
+    sdjwt: SDJwtVcInstance | SDJwtVcdm2Instance,
     context: IRequiredContext,
     data: string,
     signature: string,
     opts?: { x5cValidation?: X509CertificateChainValidationOpts },
   ): Promise<boolean> {
     const decodedVC = await sdjwt.decode(`${data}.${signature}`)
-    const issuer: string = ((decodedVC.jwt as Jwt).payload as Record<string, unknown>).iss as string
+    const payload: SdJwtPayload = (decodedVC.jwt as Jwt).payload as SdJwtPayload
+    const issuer: string = getIssuerFromSdJwt(payload)
     const header = (decodedVC.jwt as Jwt).header as Record<string, any>
     const x5c: string[] | undefined = header?.x5c as string[]
     let jwk: JWK | JsonWebKey | undefined = header.jwk
@@ -329,16 +375,20 @@ export class SDJwtPlugin implements IAgentPlugin {
    */
   async verifySdJwtPresentation(args: IVerifySdJwtPresentationArgs, context: IRequiredContext): Promise<IVerifySdJwtPresentationResult> {
     let sdjwt: SDJwtVcInstance
-    const verifier: Verifier = async (data: string, signature: string) => this.verify(sdjwt, context, data, signature)
-    const verifierKb: KbVerifier = async (data: string, signature: string, payload: JwtPayload) =>
-      this.verifyKb(sdjwt, context, data, signature, payload)
+    const verifier: Verifier = async (data: string, signature: string) => this.verifyCallbackImpl(sdjwt, context, data, signature)
+    const verifierKb: KbVerifier = async (data: string, signature: string, payload: JwtPayload) => this.verifyKb(context, data, signature, payload)
     sdjwt = new SDJwtVcInstance({
       verifier,
       hasher: this.registeredImplementations.hasher,
       kbVerifier: verifierKb,
     })
 
-    return sdjwt.verify(args.presentation, args.requiredClaimKeys, args.kb)
+    const verifierOpts: VerifierOptions = {
+      requiredClaimKeys: args.requiredClaimKeys,
+      keyBindingNonce: args.keyBindingNonce,
+    }
+
+    return sdjwt.verify(args.presentation, verifierOpts)
   }
 
   /**
@@ -411,7 +461,7 @@ export class SDJwtPlugin implements IAgentPlugin {
       // extract JWK from kid FIXME isn't there a did function for this already? Otherwise create one
       // FIXME this is a quick-fix to make verification but we need a real solution
       const encoded = this.extractBase64FromDIDJwk(payload.cnf.kid)
-      const decoded = decodeBase64url(encoded)
+      const decoded = u8a.toString(u8a.fromString(encoded, 'base64url'), 'utf-8')
       const jwt = JSON.parse(decoded)
       return jwt as JsonWebKey
     }

package/src/index.ts

@@ -1,3 +1,4 @@
 export { SDJwtPlugin } from './action-handler'
+export { defaultGenerateDigest } from './defaultCallbacks'
 export * from './utils'
 export * from './types'