Version: 1.3

Class: SdJwtCredentialValidator

identity_wasm.SdJwtCredentialValidator

A type for decoding and validating Credential.


Constructors

constructor

new SdJwtCredentialValidator(signatureVerifier?)

Creates a new SdJwtCredentialValidator. If a signatureVerifier is provided it will be used when verifying decoded JWS signatures, otherwise a default verifier capable of handling the EdDSA, ES256, ES256K algorithms will be used.

Parameters

Name                Type
signatureVerifier?  IJwsVerifier

Methods

validateCredential

validateCredential(sd_jwt, issuer, options, fail_fast): DecodedJwtCredential

Decodes and validates a Credential issued as an SD-JWT. A DecodedJwtCredential is returned upon success. The credential is constructed by replacing disclosures following the Selective Disclosure for JWTs (SD-JWT) standard.

The following properties are validated according to options:

  • the issuer's signature on the JWS,
  • the expiration date,
  • the issuance date,
  • the semantic structure.

Warning

  • The key binding JWT is not validated. If needed, it must be validated separately using SdJwtValidator::validate_key_binding_jwt (validateKeyBindingJwt on this class).
  • The absence of an error from this method is in and of itself not enough to conclude that the credential can be trusted. The sections below describe additional checks that should be carried out before and after calling this method.

The state of the issuer's DID Document

The caller must ensure that issuer represents an up-to-date DID Document.

Properties that are not validated

There are many properties defined in The Verifiable Credentials Data Model that are not validated, such as: proof, credentialStatus, type, credentialSchema, refreshService and more. These should be manually checked after validation, according to your requirements.

Errors

An error is returned whenever a validated condition is not satisfied.

Parameters

Name       Type
sd_jwt     SdJwt
issuer     IToCoreDocument | CoreDocument
options    JwtCredentialValidationOptions
fail_fast  FailFast

Returns

DecodedJwtCredential


verifySignature

verifySignature(credential, trustedIssuers, options): DecodedJwtCredential

Decodes and verifies the JWS signature of a Credential issued as an SD-JWT using the DID Document of a trusted issuer, and replaces the disclosures.

A DecodedJwtCredential is returned upon success.

Warning

The caller must ensure that the DID Documents of the trusted issuers are up-to-date.

Proofs

Only the JWS signature is verified. If the Credential contains a proof property this will not be verified by this method.

Errors

  • If the issuer's URL cannot be parsed.
  • If signature verification fails.
  • If SD decoding fails.

Parameters

Name            Type
credential      SdJwt
trustedIssuers  (IToCoreDocument | CoreDocument)[]
options         JwsVerificationOptions

Returns

DecodedJwtCredential


validateKeyBindingJwt

validateKeyBindingJwt(sdJwt, holder, options): KeyBindingJwtClaims

Validates a Key Binding JWT (KB-JWT) according to https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-07.html#name-key-binding-jwt. The validation process includes:

  • Signature validation using public key materials defined in the holder document.
  • typ value in KB-JWT header.
  • sd_hash claim value in the KB-JWT claim.
  • Optional nonce, aud and issuance date validation.

Parameters

Name     Type
sdJwt    SdJwt
holder   IToCoreDocument | CoreDocument
options  KeyBindingJWTValidationOptions

Returns

KeyBindingJwtClaims