Overview
Package verifier enables the Verifier: an entity that requests, checks and extracts the claims from an SD-JWT and its respective Disclosures.
Index
- func Parse(combinedFormatForPresentation string, opts ...ParseOpt) (map[string]interface{}, error)
- type ParseOpt
  - func WithExpectedAudienceForHolderBinding(audience string) ParseOpt
  - func WithExpectedNonceForHolderBinding(nonce string) ParseOpt
  - func WithHolderBindingRequired(flag bool) ParseOpt
  - func WithHolderSigningAlgorithms(algorithms []string) ParseOpt
  - func WithIssuerSigningAlgorithms(algorithms []string) ParseOpt
  - func WithJWTDetachedPayload(payload []byte) ParseOpt
  - func WithLeewayForClaimsValidation(duration time.Duration) ParseOpt
  - func WithSignatureVerifier(signatureVerifier jose.SignatureVerifier) ParseOpt
Constants
This section is empty.
Variables
This section is empty.
Functions
func Parse
Parse parses the combined format for presentation and returns the verified claims. The Verifier has to verify that all disclosed claim values were part of the original, Issuer-signed SD-JWT.
At a high level, the Verifier:
- receives the Combined Format for Presentation from the Holder and verifies the signature of the SD-JWT using the Issuer's public key,
- verifies the Holder Binding JWT, if Holder Binding is required by the Verifier's policy, using the public key included in the SD-JWT,
- calculates the digests over the Holder-Selected Disclosures and verifies that each digest is contained in the SD-JWT.
Detailed algorithm: https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-02.html#name-verification-by-the-verifier
The Verifier will not, however, learn any claim values that are not disclosed in the Disclosures.
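The third step above, the digest check, written out as a stand-alone Go example that is not the package's own code: it assumes draft-02's "~"-separated Combined Format for Presentation, an _sd_alg of sha-256, and a payload whose signature (step one) and Holder Binding JWT (step two) have already been checked; the names digest and verifyDisclosures are hypothetical.

```go
package main
import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)
// digest hashes a Disclosure exactly as received (its base64url text), as _sd_alg "sha-256" requires.
func digest(disclosure string) string {
	sum := sha256.Sum256([]byte(disclosure))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}
// verifyDisclosures is the Verifier's third step: every Disclosure in the Combined Format for Presentation
// must hash to a digest in the SD-JWT's _sd array. payload is the already signature-verified SD-JWT payload.
func verifyDisclosures(payload []byte, combined string) (map[string]interface{}, error) {
	var p struct {
		SDAlg string   `json:"_sd_alg"`
		SD    []string `json:"_sd"`
	}
	// Reject rather than guess when the payload is unreadable or the Issuer used another digest algorithm.
	if err := json.Unmarshal(payload, &p); err != nil || p.SDAlg != "sha-256" {
		return nil, fmt.Errorf("unreadable payload or unsupported _sd_alg %q", p.SDAlg)
	}
	issued := map[string]bool{}
	for _, d := range p.SD {
		issued[d] = true
	}
	parts := strings.Split(combined, "~") // <SD-JWT>~<Disclosure>~...~<optional Holder Binding JWT>
	if len(parts) < 2 {
		return nil, fmt.Errorf("presentation has no Disclosure separator")
	}
	claims := map[string]interface{}{}
	for _, disc := range parts[1 : len(parts)-1] {
		if !issued[digest(disc)] {
			return nil, fmt.Errorf("disclosure digest not in _sd: not part of the Issuer-signed SD-JWT")
		}
		raw, err := base64.RawURLEncoding.DecodeString(disc)
		var arr []interface{} // [salt, claim name, claim value]
		if err != nil || json.Unmarshal(raw, &arr) != nil || len(arr) != 3 {
			return nil, fmt.Errorf("malformed disclosure")
		}
		name, ok := arr[1].(string)
		if _, dup := claims[name]; !ok || dup { // a claim name disclosed twice is rejected, not overwritten
			return nil, fmt.Errorf("invalid or duplicate claim name %q", name)
		}
		claims[name] = arr[2]
	}
	return claims, nil
}
```

A Disclosure whose digest is absent from _sd fails the whole presentation, which is what stops a Holder from presenting values the Issuer never signed.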
Example
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"

	afjwt "github.com/hyperledger/aries-framework-go/pkg/doc/jwt"
	"github.com/hyperledger/aries-framework-go/pkg/doc/sdjwt/common"
	"github.com/hyperledger/aries-framework-go/pkg/doc/sdjwt/holder"
	"github.com/hyperledger/aries-framework-go/pkg/doc/sdjwt/issuer"
)

// testIssuer is the Issuer identifier used by the example; it appears as the "iss" claim in the output.
const testIssuer = "https://example.com/issuer"

func main() {
	signer, signatureVerifier, err := setUp()
	if err != nil {
		fmt.Printf("failed to set-up test: %s\n", err)
		return
	}

	claims := map[string]interface{}{
		"given_name": "Albert",
		"last_name":  "Smith",
	}

	// Issuer will issue SD-JWT for specified claims.
	token, err := issuer.New(testIssuer, claims, nil, signer)
	if err != nil {
		fmt.Printf("failed to issue SD-JWT: %s\n", err)
		return
	}

	combinedFormatForIssuance, err := token.Serialize(false)
	if err != nil {
		fmt.Printf("failed to serialize SD-JWT: %s\n", err)
		return
	}

	// Holder will parse combined format for issuance for verification purposes.
	_, err = holder.Parse(combinedFormatForIssuance, holder.WithSignatureVerifier(signatureVerifier))
	if err != nil {
		fmt.Printf("holder failed to parse SD-JWT: %s\n", err)
		return
	}

	// The Holder will disclose all claims: the combined format for presentation is the
	// combined format for issuance followed by the separator, with no Holder Binding JWT.
	combinedFormatForPresentation := combinedFormatForIssuance + common.CombinedFormatSeparator

	// Verifier will validate combined format for presentation and create verified claims.
	verifiedClaims, err := Parse(combinedFormatForPresentation,
		WithSignatureVerifier(signatureVerifier))
	if err != nil {
		fmt.Printf("verifier failed to parse holder presentation: %s\n", err)
		return
	}

	verifiedClaimsJSON, err := marshalObj(verifiedClaims)
	if err != nil {
		fmt.Printf("verifier failed to marshal verified claims: %s\n", err)
		return
	}

	fmt.Println(verifiedClaimsJSON)
}

// setUp generates a fresh Ed25519 key pair for the Issuer and returns the matching signer and verifier.
func setUp() (*afjwt.JoseED25519Signer, *afjwt.JoseEd25519Verifier, error) {
	issuerPublicKey, issuerPrivateKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}

	signer := afjwt.NewEd25519Signer(issuerPrivateKey)

	signatureVerifier, err := afjwt.NewEd25519Verifier(issuerPublicKey)
	if err != nil {
		return nil, nil, err
	}

	return signer, signatureVerifier, nil
}

func marshalObj(obj interface{}) (string, error) {
	objBytes, err := json.Marshal(obj)
	if err != nil {
		return "", err
	}

	return prettyPrint(objBytes)
}

// prettyPrint re-indents the JSON for display.
func prettyPrint(raw []byte) (string, error) {
	var out bytes.Buffer
	if err := json.Indent(&out, raw, "", "  "); err != nil {
		return "", err
	}

	return out.String(), nil
}
Output:
{
  "given_name": "Albert",
  "iss": "https://example.com/issuer",
  "last_name": "Smith"
}
Types
type ParseOpt
type ParseOpt func(opts *parseOpts)
ParseOpt is an option for the SD-JWT verifier's Parse function.
func WithExpectedAudienceForHolderBinding
WithExpectedAudienceForHolderBinding sets the audience the Verifier expects in the Holder Binding JWT.
func WithExpectedNonceForHolderBinding
WithExpectedNonceForHolderBinding sets the nonce the Verifier expects in the Holder Binding JWT.
func WithHolderBindingRequired
WithHolderBindingRequired enforces Holder Binding: when the flag is set, Parse requires a Holder Binding JWT.
func WithHolderSigningAlgorithms
WithHolderSigningAlgorithms defines the signing algorithms accepted as secure for the Holder Binding JWT.
func WithIssuerSigningAlgorithms
WithIssuerSigningAlgorithms defines the signing algorithms accepted as secure for the Issuer-signed SD-JWT.
func WithJWTDetachedPayload
WithJWTDetachedPayload sets a detached JWT payload.
func WithLeewayForClaimsValidation
WithLeewayForClaimsValidation sets the leeway applied when validating time-based claims.
func WithSignatureVerifier
func WithSignatureVerifier(signatureVerifier jose.SignatureVerifier) ParseOpt
WithSignatureVerifier sets the signature verifier used to check the SD-JWT's signature.