Documentation
Overview
Package verifier enables the Verifier: an entity that requests, checks and extracts the claims from an SD-JWT and respective Disclosures.
Index
- func Parse(combinedFormatForPresentation string, opts ...ParseOpt) (map[string]interface{}, error)
- type ParseOpt
- func WithExpectedAudienceForHolderBinding(audience string) ParseOpt
- func WithExpectedAudienceForHolderVerification(audience string) ParseOpt
- func WithExpectedNonceForHolderBinding(nonce string) ParseOpt
- func WithExpectedNonceForHolderVerification(nonce string) ParseOpt
- func WithExpectedTypHeader(typ string) ParseOpt
- func WithHolderBindingRequired(flag bool) ParseOpt
- func WithHolderSigningAlgorithms(algorithms []string) ParseOpt
- func WithHolderVerificationRequired(flag bool) ParseOpt
- func WithIssuerSigningAlgorithms(algorithms []string) ParseOpt
- func WithJWTDetachedPayload(payload []byte) ParseOpt
- func WithLeewayForClaimsValidation(duration time.Duration) ParseOpt
- func WithSignatureVerifier(signatureVerifier afgjwt.ProofChecker) ParseOpt
Examples
- Parse
Constants
This section is empty.
Variables
This section is empty.
Functions
func Parse
func Parse(combinedFormatForPresentation string, opts ...ParseOpt) (map[string]interface{}, error)
Parse parses combined format for presentation and returns verified claims. The Verifier has to verify that all disclosed claim values were part of the original, Issuer-signed SD-JWT.
At a high level, the Verifier:
- receives the Combined Format for Presentation from the Holder and verifies the signature of the SD-JWT using the Issuer's public key,
- verifies the Holder (Key) Binding JWT, if Holder Verification is required by the Verifier's policy, using the public key included in the SD-JWT,
- calculates the digests over the Holder-Selected Disclosures and verifies that each digest is contained in the SD-JWT.
Detailed algorithm:
- V2: https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-02.html#name-verification-by-the-verifier
- V5: https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-05.html#name-verification-by-the-verifier
The Verifier will not, however, learn any claim values not disclosed in the Disclosures.
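The third step above, the digest check over the Holder-selected Disclosures, as an added stand-alone example using only the Go standard library (this is not the vc-go package's own code). It assumes the SD-JWT draft's conventions: a Disclosure is base64url of the JSON array [salt, claim name, claim value], the Issuer-signed payload carries the digests in an "_sd" array, and SHA-256 is the hash when no "_sd_alg" claim is present; the salts and claim values are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// disclosureDigest is what the Verifier compares against the "_sd" array:
// base64url(SHA-256(disclosure)); SHA-256 is the default when "_sd_alg" is absent.
func disclosureDigest(disclosure string) string {
	sum := sha256.Sum256([]byte(disclosure))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// encodeDisclosure builds a Disclosure: base64url of the JSON array [salt, name, value].
func encodeDisclosure(salt, name string, value interface{}) string {
	raw, _ := json.Marshal([]interface{}{salt, name, value}) // fixed shape, cannot fail
	return base64.RawURLEncoding.EncodeToString(raw)
}

// verifyDisclosures is the Verifier's digest check: each presented Disclosure must hash
// to a digest the Issuer signed in "_sd"; unknown or repeated digests are rejected.
func verifyDisclosures(sdDigests, disclosures []string) (map[string]interface{}, error) {
	committed := map[string]bool{}
	for _, d := range sdDigests {
		committed[d] = true
	}
	claims := map[string]interface{}{}
	for _, disc := range disclosures {
		digest := disclosureDigest(disc)
		if !committed[digest] {
			return nil, fmt.Errorf("disclosure digest %s is not in the SD-JWT", digest)
		}
		delete(committed, digest) // a digest may be consumed only once
		var arr []interface{}
		raw, err := base64.RawURLEncoding.DecodeString(disc)
		if err != nil || json.Unmarshal(raw, &arr) != nil || len(arr) != 3 {
			return nil, fmt.Errorf("malformed disclosure %q", disc)
		}
		name, ok := arr[1].(string)
		if !ok {
			return nil, fmt.Errorf("disclosure claim name is not a string")
		}
		claims[name] = arr[2]
	}
	return claims, nil
}
```

Only claims whose Disclosure hashes to a committed digest are returned, which is why the Verifier learns nothing about claims the Holder chose not to disclose.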
Example

package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"

	"github.com/trustbloc/vc-go/crypto-ext/testutil"
	"github.com/trustbloc/vc-go/proof/checker"
	"github.com/trustbloc/vc-go/proof/testsupport"
	"github.com/trustbloc/vc-go/sdjwt/common"
	"github.com/trustbloc/vc-go/sdjwt/holder"
	"github.com/trustbloc/vc-go/sdjwt/issuer"
	"github.com/trustbloc/vc-go/sdjwt/verifier"
)

// testIssuer is the issuer identifier that ends up in the "iss" claim (see Output).
const testIssuer = "https://example.com/issuer"

func main() {
	signer, signatureVerifier, err := setUp()
	if err != nil {
		fmt.Printf("failed to set up test: %v\n", err)
		return
	}

	claims := map[string]interface{}{
		"given_name": "Albert",
		"last_name":  "Smith",
	}

	// Issuer will issue SD-JWT for specified claims.
	token, err := issuer.New(testIssuer, claims, nil, signer)
	if err != nil {
		fmt.Printf("failed to issue SD-JWT: %v\n", err)
		return
	}

	combinedFormatForIssuance, err := token.Serialize(false)
	if err != nil {
		fmt.Printf("failed to serialize SD-JWT: %v\n", err)
		return
	}

	// Holder will parse combined format for issuance for verification purposes.
	_, err = holder.Parse(combinedFormatForIssuance, holder.WithSignatureVerifier(signatureVerifier))
	if err != nil {
		fmt.Printf("holder failed to parse SD-JWT: %v\n", err)
		return
	}

	// The Holder will disclose all claims, so the presentation is the issuance
	// format followed by the separator and no Holder Binding JWT.
	combinedFormatForPresentation := combinedFormatForIssuance + common.CombinedFormatSeparator

	// Verifier will validate combined format for presentation and create verified claims.
	verifiedClaims, err := verifier.Parse(combinedFormatForPresentation,
		verifier.WithSignatureVerifier(signatureVerifier))
	if err != nil {
		fmt.Printf("verifier failed to parse holder presentation: %v\n", err)
		return
	}

	verifiedClaimsJSON, err := marshalObj(verifiedClaims)
	if err != nil {
		fmt.Printf("verifier failed to marshal verified claims: %v\n", err)
		return
	}

	fmt.Println(verifiedClaimsJSON)
}

// setUp generates an Ed25519 issuer key pair and wraps it as a signer for the
// Issuer and as a proof checker for the Holder and the Verifier.
func setUp() (*testutil.Ed25519Signer, *checker.EmbeddedVMProofChecker, error) {
	issuerPublicKey, issuerPrivateKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}

	signer := testutil.NewEd25519Signer(issuerPrivateKey)
	signatureVerifier := testsupport.NewEd25519Verifier(issuerPublicKey)

	return signer, signatureVerifier, nil
}

// marshalObj serializes obj as indented JSON.
func marshalObj(obj interface{}) (string, error) {
	objBytes, err := json.Marshal(obj)
	if err != nil {
		return "", fmt.Errorf("failed to marshal object: %w", err)
	}

	return prettyPrint(objBytes)
}

// prettyPrint re-indents compact JSON with two spaces (helper assumed by marshalObj).
func prettyPrint(msg []byte) (string, error) {
	var buf bytes.Buffer
	if err := json.Indent(&buf, msg, "", "  "); err != nil {
		return "", err
	}

	return buf.String(), nil
}

Output:

{
  "given_name": "Albert",
  "iss": "https://example.com/issuer",
  "last_name": "Smith"
}
Types
type ParseOpt
type ParseOpt func(opts *parseOpts)
ParseOpt is the SD-JWT Parser option.
func WithExpectedAudienceForHolderBinding
func WithExpectedAudienceForHolderBinding(audience string) ParseOpt
WithExpectedAudienceForHolderBinding option is to pass the expected audience for holder binding. Deprecated: use WithExpectedAudienceForHolderVerification instead.
func WithExpectedAudienceForHolderVerification
func WithExpectedAudienceForHolderVerification(audience string) ParseOpt
WithExpectedAudienceForHolderVerification option is to pass the expected audience for holder verification.
func WithExpectedNonceForHolderBinding
func WithExpectedNonceForHolderBinding(nonce string) ParseOpt
WithExpectedNonceForHolderBinding option is to pass the expected nonce value for holder binding. Deprecated: use WithExpectedNonceForHolderVerification instead.
func WithExpectedNonceForHolderVerification
func WithExpectedNonceForHolderVerification(nonce string) ParseOpt
WithExpectedNonceForHolderVerification option is to pass the expected nonce value for holder verification.
func WithExpectedTypHeader
func WithExpectedTypHeader(typ string) ParseOpt
WithExpectedTypHeader is an option for JWT typ header validation. Might be relevant for SD-JWT V5 VC validation. Spec: https://vcstuff.github.io/draft-terbu-sd-jwt-vc/draft-terbu-oauth-sd-jwt-vc.html#name-header-parameters
func WithHolderBindingRequired
func WithHolderBindingRequired(flag bool) ParseOpt
WithHolderBindingRequired option is for enforcing holder binding. Deprecated: use WithHolderVerificationRequired instead.
func WithHolderSigningAlgorithms
func WithHolderSigningAlgorithms(algorithms []string) ParseOpt
WithHolderSigningAlgorithms option defines the signing algorithms accepted as secure for the holder's JWT.
func WithHolderVerificationRequired
func WithHolderVerificationRequired(flag bool) ParseOpt
WithHolderVerificationRequired option is for enforcing holder verification. For SD-JWT V2 this option makes Holder Binding verification required; for SD-JWT V5 it makes Key Binding verification required.
func WithIssuerSigningAlgorithms
func WithIssuerSigningAlgorithms(algorithms []string) ParseOpt
WithIssuerSigningAlgorithms option defines the signing algorithms accepted as secure for the issuer's JWT.
func WithJWTDetachedPayload
func WithJWTDetachedPayload(payload []byte) ParseOpt
WithJWTDetachedPayload option is for defining a JWT detached payload.
func WithLeewayForClaimsValidation
func WithLeewayForClaimsValidation(duration time.Duration) ParseOpt
WithLeewayForClaimsValidation is an option that sets the leeway applied when validating time-based claims.
func WithSignatureVerifier
func WithSignatureVerifier(signatureVerifier afgjwt.ProofChecker) ParseOpt
WithSignatureVerifier option is for defining the signature verifier.