Class: SdJwtCredentialValidator
identity_wasm.SdJwtCredentialValidator
A type for decoding and validating a Credential.
Constructors
constructor
• new SdJwtCredentialValidator(signatureVerifier?)
Creates a new SdJwtCredentialValidator. If a signatureVerifier is provided it will be used when verifying decoded JWS signatures, otherwise a default verifier capable of handling the EdDSA, ES256 and ES256K algorithms will be used.
Parameters
Name | Type |
---|---|
signatureVerifier? | IJwsVerifier |
Methods
validateCredential
▸ validateCredential(sd_jwt, issuer, options, fail_fast): DecodedJwtCredential
Decodes and validates a Credential issued as an SD-JWT. A DecodedJwtCredential is returned upon success.
The credential is constructed by replacing disclosures following the Selective Disclosure for JWTs (SD-JWT) standard.
The following properties are validated according to options:
- the issuer's signature on the JWS,
- the expiration date,
- the issuance date,
- the semantic structure.
Warning
- The key binding JWT is not validated. If needed, it must be validated separately using SdJwtValidator::validate_key_binding_jwt (validateKeyBindingJwt on this class).
- The lack of an error returned from this method is in itself not enough to conclude that the credential can be trusted. The sections below describe additional checks that should be carried out before and after calling this method.
The state of the issuer's DID Document
The caller must ensure that issuer represents an up-to-date DID Document.
Properties that are not validated
There are many properties defined in The Verifiable Credentials Data Model that are not validated, such as: proof, credentialStatus, type, credentialSchema, refreshService and more.
These should be manually checked after validation, according to your requirements.
Errors
An error is returned whenever a validated condition is not satisfied.
Parameters
Name | Type |
---|---|
sd_jwt | SdJwt |
issuer | IToCoreDocument | CoreDocument |
options | JwtCredentialValidationOptions |
fail_fast | FailFast |
Returns
DecodedJwtCredential
verifySignature
▸ verifySignature(credential, trustedIssuers, options): DecodedJwtCredential
Decodes and verifies the JWS signature of a Credential issued as an SD-JWT using the DID Document of a trusted issuer, and replaces the disclosures. A DecodedJwtCredential is returned upon success.
Warning
The caller must ensure that the DID Documents of the trusted issuers are up-to-date.
Proofs
Only the JWS signature is verified. If the Credential contains a proof property, it will not be verified by this method.
Errors
- If the issuer's URL cannot be parsed.
- If signature verification fails.
- If SD decoding fails.
Parameters
Name | Type |
---|---|
credential | SdJwt |
trustedIssuers | (IToCoreDocument | CoreDocument )[] |
options | JwsVerificationOptions |
Returns
DecodedJwtCredential
validateKeyBindingJwt
▸ validateKeyBindingJwt(sdJwt, holder, options): KeyBindingJwtClaims
Validates a Key Binding JWT (KB-JWT) according to https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-07.html#name-key-binding-jwt.
The validation process includes:
- Signature validation using public key materials defined in the holder document.
- The typ value in the KB-JWT header.
- The sd_hash claim value in the KB-JWT claims.
- Optional nonce, aud and issuance date validation.
Parameters
Name | Type |
---|---|
sdJwt | SdJwt |
holder | IToCoreDocument | CoreDocument |
options | KeyBindingJWTValidationOptions |
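As an added example (not code from identity_wasm or from this page), the two SD-JWT steps that validateCredential and validateKeyBindingJwt rely on, written against Node's crypto so it runs offline: rebuilding the plain claims by replacing `_sd` digests with the presented disclosures, and computing the sd_hash value a KB-JWT must carry. The salts, claim values and the did:example issuer are constructed.

```typescript
import { createHash } from "node:crypto";
// base64url without padding, as the SD-JWT draft requires for disclosures and digests.
const b64url = (data: Buffer | string): string => Buffer.from(data).toString("base64url");

// Digest of one disclosure: base64url(SHA-256(US-ASCII bytes of the base64url disclosure)).
export function disclosureDigest(disclosure: string): string {
  return b64url(createHash("sha256").update(disclosure, "ascii").digest());
}
// Value the KB-JWT's sd_hash claim must equal: the hash of the presentation
// "<issuer-jwt>~<disclosure1>~...~<disclosureN>~" (everything before the KB-JWT).
export function expectedSdHash(issuerJwt: string, disclosures: string[]): string {
  const presentation = [issuerJwt, ...disclosures, ""].join("~");
  return b64url(createHash("sha256").update(presentation, "ascii").digest());
}
// Rebuild plain claims from the issuer-signed payload and the presented disclosures
// (object-property disclosures only, i.e. [salt, name, value]). A digest with no matching
// disclosure was withheld by the holder and is dropped; a disclosure matching no digest
// does not belong to this SD-JWT and is rejected, as are duplicated digests or claim names.
export function replaceDisclosures(payload: Record<string, unknown>, disclosures: string[]): Record<string, unknown> {
  const byDigest = new Map(disclosures.map((d): [string, string] => [disclosureDigest(d), d]));
  const used = new Set<string>();
  const walk = (node: unknown): unknown => {
    if (Array.isArray(node)) return node.map(walk);
    if (node === null || typeof node !== "object") return node;
    const obj = node as Record<string, unknown>;
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(obj)) if (k !== "_sd" && k !== "_sd_alg") out[k] = walk(v);
    for (const digest of (obj._sd as string[] | undefined) ?? []) {
      const disc = byDigest.get(digest);
      if (disc === undefined) continue; // withheld by the holder
      if (used.has(digest)) throw new Error("digest referenced twice");
      used.add(digest);
      const [, name, value] = JSON.parse(Buffer.from(disc, "base64url").toString("utf8")) as [string, string, unknown];
      if (name in out) throw new Error(`claim ${name} disclosed twice`);
      out[name] = walk(value);
    }
    return out;
  };
  const claims = walk(payload) as Record<string, unknown>;
  if (used.size !== disclosures.length) throw new Error("disclosure not referenced by any _sd digest");
  return claims;
}

// Constructed sample: the issuer payload carries two digests, the holder discloses only given_name.
export const disclosures = [b64url(JSON.stringify(["salt-1", "given_name", "Alice"]))];
const withheld = b64url(JSON.stringify(["salt-2", "email", "alice@example.com"]));
export const issuerPayload = { iss: "did:example:issuer", _sd_alg: "sha-256", _sd: [disclosureDigest(disclosures[0]), disclosureDigest(withheld)] };
export const claims = replaceDisclosures(issuerPayload, disclosures);
// claims -> { iss: "did:example:issuer", given_name: "Alice" }
```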