verifier

package
v1.3.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 16, 2024 License: Apache-2.0 Imports: 22 Imported by: 0

Documentation

Overview

Package verifier enables the Verifier: An entity that requests, checks and extracts the claims from an SD-JWT and respective Disclosures.

Index

Examples

Constants

This section is empty.

Variables

This section is empty.

Functions

func Parse

func Parse(combinedFormatForPresentation string, opts ...ParseOpt) (map[string]interface{}, error)

Parse parses combined format for presentation and returns verified claims. The Verifier has to verify that all disclosed claim values were part of the original, Issuer-signed SD-JWT.

At a high level, the Verifier:

  • receives the Combined Format for Presentation from the Holder and verifies the signature of the SD-JWT using the Issuer's public key,
  • verifies the Holder (Key) Binding JWT, if Holder Verification is required by the Verifier's policy, using the public key included in the SD-JWT,
  • calculates the digests over the Holder-Selected Disclosures and verifies that each digest is contained in the SD-JWT.

Detailed algorithm: nolint:lll V2 https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-02.html#name-verification-by-the-verifier V5 https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-05.html#name-verification-by-the-verifier

The Verifier will not, however, learn any claim values not disclosed in the Disclosures.

Example
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"

	"github.com/trustbloc/vc-go/crypto-ext/testutil"
	"github.com/trustbloc/vc-go/proof/checker"
	"github.com/trustbloc/vc-go/proof/testsupport"
	"github.com/trustbloc/vc-go/sdjwt/common"
	"github.com/trustbloc/vc-go/sdjwt/holder"
	"github.com/trustbloc/vc-go/sdjwt/issuer"
)

func main() {
	signer, signatureVerifier, err := setUp()
	if err != nil {
		fmt.Println("failed to set-up test: %w", err.Error())
	}

	claims := map[string]interface{}{
		"given_name": "Albert",
		"last_name":  "Smith",
	}

	// Issuer will issue SD-JWT for specified claims.
	token, err := issuer.New(testIssuer, claims, nil, signer)
	if err != nil {
		fmt.Println("failed to issue SD-JWT: %w", err.Error())
	}

	combinedFormatForIssuance, err := token.Serialize(false)
	if err != nil {
		fmt.Println("failed to issue SD-JWT: %w", err.Error())
	}

	// Holder will parse combined format for issuance for verification purposes.
	_, err = holder.Parse(combinedFormatForIssuance, holder.WithSignatureVerifier(signatureVerifier))
	if err != nil {
		fmt.Println("holder failed to parse SD-JWT: %w", err.Error())
	}

	// The Holder will disclose all claims.
	combinedFormatForPresentation := combinedFormatForIssuance + common.CombinedFormatSeparator

	// Verifier will validate combined format for presentation and create verified claims.
	verifiedClaims, err := Parse(combinedFormatForPresentation,
		WithSignatureVerifier(signatureVerifier))
	if err != nil {
		fmt.Println("verifier failed to parse holder presentation: %w", err.Error())
	}

	verifiedClaimsJSON, err := marshalObj(verifiedClaims)
	if err != nil {
		fmt.Println("verifier failed to marshal verified claims: %w", err.Error())
	}

	fmt.Println(verifiedClaimsJSON)

}

func setUp() (*testutil.Ed25519Signer, *checker.EmbeddedVMProofChecker, error) {
	issuerPublicKey, issuerPrivateKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}

	signer := testutil.NewEd25519Signer(issuerPrivateKey)

	signatureVerifier := testsupport.NewEd25519Verifier(issuerPublicKey)

	return signer, signatureVerifier, nil
}

func marshalObj(obj interface{}) (string, error) {
	objBytes, err := json.Marshal(obj)
	if err != nil {
		fmt.Println("failed to marshal object: %w", err.Error())
	}

	return prettyPrint(objBytes)
}
Output:

{
	"given_name": "Albert",
	"iss": "https://example.com/issuer",
	"last_name": "Smith"
}

Types

type ParseOpt

type ParseOpt func(opts *parseOpts)

ParseOpt is the SD-JWT Parser option.

func WithExpectedAudienceForHolderBinding

func WithExpectedAudienceForHolderBinding(audience string) ParseOpt

WithExpectedAudienceForHolderBinding option is to pass expected audience for holder binding. Deprecated: use WithExpectedAudienceForHolderVerification instead.

func WithExpectedAudienceForHolderVerification

func WithExpectedAudienceForHolderVerification(audience string) ParseOpt

WithExpectedAudienceForHolderVerification option is to pass expected audience for holder verification.

func WithExpectedNonceForHolderBinding

func WithExpectedNonceForHolderBinding(nonce string) ParseOpt

WithExpectedNonceForHolderBinding option is to pass nonce value for holder binding. Deprecated: use WithExpectedNonceForHolderVerification instead.

func WithExpectedNonceForHolderVerification

func WithExpectedNonceForHolderVerification(nonce string) ParseOpt

WithExpectedNonceForHolderVerification option is to pass nonce value for holder verification.

func WithExpectedTypHeader

func WithExpectedTypHeader(typ string) ParseOpt

WithExpectedTypHeader is an option for JWT typ header validation. Might be relevant for SDJWT V5 VC validation. Spec: https://vcstuff.github.io/draft-terbu-sd-jwt-vc/draft-terbu-oauth-sd-jwt-vc.html#name-header-parameters

func WithHolderBindingRequired

func WithHolderBindingRequired(flag bool) ParseOpt

WithHolderBindingRequired option is for enforcing holder binding. Deprecated: use WithHolderVerificationRequired instead.

func WithHolderSigningAlgorithms

func WithHolderSigningAlgorithms(algorithms []string) ParseOpt

WithHolderSigningAlgorithms option is for defining secure signing algorithms (for holder).

func WithHolderVerificationRequired

func WithHolderVerificationRequired(flag bool) ParseOpt

WithHolderVerificationRequired option is for enforcing holder verification. For SDJWT V2 - this option defines Holder Binding verification as required. For SDJWT V5 - this option defines Key Binding verification as required.

func WithIssuerSigningAlgorithms

func WithIssuerSigningAlgorithms(algorithms []string) ParseOpt

WithIssuerSigningAlgorithms option is for defining secure signing algorithms (for issuer).

func WithJWTDetachedPayload

func WithJWTDetachedPayload(payload []byte) ParseOpt

WithJWTDetachedPayload option is for definition of JWT detached payload.

func WithLeewayForClaimsValidation

func WithLeewayForClaimsValidation(duration time.Duration) ParseOpt

WithLeewayForClaimsValidation is an option for claims time(s) validation.

func WithSignatureVerifier

func WithSignatureVerifier(signatureVerifier afgjwt.ProofChecker) ParseOpt

WithSignatureVerifier option is for definition of signature verifier.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL