Version: 1.3

Class: JwtCredentialValidator

identity_wasm.JwtCredentialValidator

A type for decoding and validating Credentials.

Constructors

constructor

new JwtCredentialValidator(signatureVerifier?)

Creates a new JwtCredentialValidator. If a signatureVerifier is provided, it will be used when verifying decoded JWS signatures; otherwise, a default verifier capable of handling the EdDSA, ES256 and ES256K algorithms will be used.

Parameters

| Name | Type |
| --- | --- |
| signatureVerifier? | IJwsVerifier |

Methods

validate

validate(credential_jwt, issuer, options, fail_fast): DecodedJwtCredential

Decodes and validates a Credential issued as a JWS. A DecodedJwtCredential is returned upon success.

The following properties are validated according to options:

  • the issuer's signature on the JWS,
  • the expiration date,
  • the issuance date,
  • the semantic structure.

Warning

The lack of an error returned from this method is in and of itself not enough to conclude that the credential can be trusted. This section contains more information on additional checks that should be carried out before and after calling this method.

The state of the issuer's DID Document

The caller must ensure that issuer represents an up-to-date DID Document.

Properties that are not validated

There are many properties defined in The Verifiable Credentials Data Model that are not validated, such as: proof, credentialStatus, type, credentialSchema, refreshService and more. These should be manually checked after validation, according to your requirements.
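
One way to carry out the manual checks described above, shown as an added example that is not part of the library or its documentation. It takes the credential as plain Verifiable Credentials Data Model JSON and a hypothetical policy object (its field names are assumptions), and returns the list of problems found.

```javascript
// Added example. `policy` and its field names are hypothetical; `credential` is a
// credential in plain VC Data Model JSON form, after validate() has succeeded.
function checkUnvalidatedProperties(credential, policy) {
  const problems = [];
  const asArray = (v) => (v == null ? [] : Array.isArray(v) ? v : [v]);

  // type: must include the base type and every type this verifier requires.
  const types = asArray(credential.type);
  for (const required of ["VerifiableCredential", ...policy.requiredTypes]) {
    if (!types.includes(required)) problems.push(`missing type ${required}`);
  }

  // credentialStatus: without it revocation cannot be checked; with it, the
  // status method must be one the verifier has a checker for.
  const statuses = asArray(credential.credentialStatus);
  if (policy.requireStatus && statuses.length === 0) problems.push("no credentialStatus");
  for (const status of statuses) {
    if (!policy.allowedStatusTypes.includes(status.type)) {
      problems.push(`unsupported status type ${status.type}`);
    }
  }

  // credentialSchema: accept only schema ids pinned in the policy.
  for (const schema of asArray(credential.credentialSchema)) {
    if (!policy.allowedSchemaIds.includes(schema.id)) {
      problems.push(`unexpected schema ${schema.id}`);
    }
  }

  // proof: only the JWS signature was verified, so an embedded proof is unverified.
  if (credential.proof !== undefined && !policy.allowEmbeddedProof) {
    problems.push("unverified embedded proof");
  }
  return problems;
}

// Constructed policy and credential for illustration (not from the page).
const samplePolicy = {
  requiredTypes: ["UniversityDegreeCredential"],
  requireStatus: true,
  allowedStatusTypes: ["RevocationBitmap2022", "StatusList2021Entry"],
  allowedSchemaIds: ["https://example.com/schemas/degree.json"],
  allowEmbeddedProof: false,
};
const sampleCredential = {
  type: ["VerifiableCredential", "UniversityDegreeCredential"],
  credentialStatus: { id: "did:example:issuer#revocation", type: "RevocationBitmap2022" },
  credentialSchema: { id: "https://example.com/schemas/degree.json", type: "JsonSchema" },
};
```

An empty result means the credential meets the policy; the revocation state itself still has to be checked with checkStatus or checkStatusWithStatusList2021.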

Errors

An error is returned whenever a validated condition is not satisfied.

Parameters

| Name | Type |
| --- | --- |
| credential_jwt | Jwt |
| issuer | IToCoreDocument \| CoreDocument |
| options | JwtCredentialValidationOptions |
| fail_fast | FailFast |

Returns

DecodedJwtCredential


verifySignature

verifySignature(credential, trustedIssuers, options): DecodedJwtCredential

Decode and verify the JWS signature of a Credential issued as a JWT using the DID Document of a trusted issuer.

A DecodedJwtCredential is returned upon success.

Warning

The caller must ensure that the DID Documents of the trusted issuers are up-to-date.

Proofs

Only the JWS signature is verified. If the Credential contains a proof property this will not be verified by this method.

Errors

This method immediately returns an error if the credential issuer's URL cannot be parsed to a DID belonging to one of the trusted issuers. Otherwise, an attempt to verify the credential's signature will be made, and an error is returned upon failure.

Parameters

| Name | Type |
| --- | --- |
| credential | Jwt |
| trustedIssuers | (IToCoreDocument \| CoreDocument)[] |
| options | JwsVerificationOptions |

Returns

DecodedJwtCredential


checkExpiresOnOrAfter

Static checkExpiresOnOrAfter(credential, timestamp): void

Validate that the credential expires on or after the specified timestamp.

Parameters

| Name | Type |
| --- | --- |
| credential | Credential |
| timestamp | Timestamp |

Returns

void


checkIssuedOnOrBefore

Static checkIssuedOnOrBefore(credential, timestamp): void

Validate that the credential is issued on or before the specified timestamp.

Parameters

| Name | Type |
| --- | --- |
| credential | Credential |
| timestamp | Timestamp |

Returns

void


checkSubjectHolderRelationship

Static checkSubjectHolderRelationship(credential, holder, relationship): void

Validate that the relationship between the holder and the credential subjects is in accordance with relationship. The holder parameter is expected to be the URL of the holder.

Parameters

| Name | Type |
| --- | --- |
| credential | Credential |
| holder | string |
| relationship | SubjectHolderRelationship |

Returns

void


checkStatus

Static checkStatus(credential, trustedIssuers, statusCheck): void

Checks whether the credential status has been revoked.

Only supports RevocationBitmap2022.

Parameters

| Name | Type |
| --- | --- |
| credential | Credential |
| trustedIssuers | (IToCoreDocument \| CoreDocument)[] |
| statusCheck | StatusCheck |

Returns

void


checkStatusWithStatusList2021

Static checkStatusWithStatusList2021(credential, status_list, status_check): void

Checks whether the credential status has been revoked using StatusList2021.

Parameters

| Name | Type |
| --- | --- |
| credential | Credential |
| status_list | StatusList2021Credential |
| status_check | StatusCheck |

Returns

void


extractIssuer

Static extractIssuer(credential): CoreDID

Utility for extracting the issuer field of a Credential as a DID.

Errors

Fails if the issuer field is not a valid DID.

Parameters

| Name | Type |
| --- | --- |
| credential | Credential |

Returns

CoreDID


extractIssuerFromJwt

Static extractIssuerFromJwt(credential): CoreDID

Utility for extracting the issuer field of a credential in JWT representation as a DID.

Errors

Fails if the JWT decoding fails or the issuer field is not a valid DID.

Parameters

| Name | Type |
| --- | --- |
| credential | Jwt |

Returns

CoreDID