verifier

package

v0.0.0-...-64dd8ac Latest Latest Go to latest Published: Mar 27, 2024 License: Apache-2.0 Imports: 12 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/hyperledger/aries-framework-go

Links

Open Source Insights

Documentation ¶

Overview ¶

Package verifier enables the Verifier: An entity that requests, checks and extracts the claims from an SD-JWT and respective Disclosures.

Index ¶

func Parse(combinedFormatForPresentation string, opts ...ParseOpt) (map[string]interface{}, error)
type ParseOpt

Examples ¶

Parse

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func Parse ¶

func Parse(combinedFormatForPresentation string, opts ...ParseOpt) (map[string]interface{}, error)

Parse parses combined format for presentation and returns verified claims. The Verifier has to verify that all disclosed claim values were part of the original, Issuer-signed SD-JWT.

At a high level, the Verifier:

receives the Combined Format for Presentation from the Holder and verifies the signature of the SD-JWT using the Issuer's public key,
verifies the Holder (Key) Binding JWT, if Holder Verification is required by the Verifier's policy, using the public key included in the SD-JWT,
calculates the digests over the Holder-Selected Disclosures and verifies that each digest is contained in the SD-JWT.

Detailed algorithm: nolint:lll V2 https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-02.html#name-verification-by-the-verifier V5 https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-05.html#name-verification-by-the-verifier

The Verifier will not, however, learn any claim values not disclosed in the Disclosures.

Example ¶

package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"

	afjwt "github.com/hyperledger/aries-framework-go/component/models/jwt"
	"github.com/hyperledger/aries-framework-go/component/models/sdjwt/common"
	"github.com/hyperledger/aries-framework-go/component/models/sdjwt/holder"
	"github.com/hyperledger/aries-framework-go/component/models/sdjwt/issuer"
)

func main() {
	signer, signatureVerifier, err := setUp()
	if err != nil {
		fmt.Println("failed to set-up test: %w", err.Error())
	}

	claims := map[string]interface{}{
		"given_name": "Albert",
		"last_name":  "Smith",
	}

	// Issuer will issue SD-JWT for specified claims.
	token, err := issuer.New(testIssuer, claims, nil, signer)
	if err != nil {
		fmt.Println("failed to issue SD-JWT: %w", err.Error())
	}

	combinedFormatForIssuance, err := token.Serialize(false)
	if err != nil {
		fmt.Println("failed to issue SD-JWT: %w", err.Error())
	}

	// Holder will parse combined format for issuance for verification purposes.
	_, err = holder.Parse(combinedFormatForIssuance, holder.WithSignatureVerifier(signatureVerifier))
	if err != nil {
		fmt.Println("holder failed to parse SD-JWT: %w", err.Error())
	}

	// The Holder will disclose all claims.
	combinedFormatForPresentation := combinedFormatForIssuance + common.CombinedFormatSeparator

	// Verifier will validate combined format for presentation and create verified claims.
	verifiedClaims, err := Parse(combinedFormatForPresentation,
		WithSignatureVerifier(signatureVerifier))
	if err != nil {
		fmt.Println("verifier failed to parse holder presentation: %w", err.Error())
	}

	verifiedClaimsJSON, err := marshalObj(verifiedClaims)
	if err != nil {
		fmt.Println("verifier failed to marshal verified claims: %w", err.Error())
	}

	fmt.Println(verifiedClaimsJSON)

}

func setUp() (*afjwt.JoseED25519Signer, *afjwt.JoseEd25519Verifier, error) {
	issuerPublicKey, issuerPrivateKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}

	signer := afjwt.NewEd25519Signer(issuerPrivateKey)

	signatureVerifier, err := afjwt.NewEd25519Verifier(issuerPublicKey)
	if err != nil {
		return nil, nil, err
	}

	return signer, signatureVerifier, nil
}

func marshalObj(obj interface{}) (string, error) {
	objBytes, err := json.Marshal(obj)
	if err != nil {
		fmt.Println("failed to marshal object: %w", err.Error())
	}

	return prettyPrint(objBytes)
}

Output:

{
	"given_name": "Albert",
	"iss": "https://example.com/issuer",
	"last_name": "Smith"
}

Types ¶

func WithExpectedAudienceForHolderBinding ¶

func WithExpectedAudienceForHolderBinding(audience string) ParseOpt

WithExpectedAudienceForHolderBinding option is to pass expected audience for holder binding. Deprecated: use WithExpectedAudienceForHolderVerification instead.

func WithExpectedAudienceForHolderVerification ¶

func WithExpectedAudienceForHolderVerification(audience string) ParseOpt

WithExpectedAudienceForHolderVerification option is to pass expected audience for holder verification.

func WithExpectedNonceForHolderBinding ¶

func WithExpectedNonceForHolderBinding(nonce string) ParseOpt

WithExpectedNonceForHolderBinding option is to pass nonce value for holder binding. Deprecated: use WithExpectedNonceForHolderVerification instead.

func WithExpectedNonceForHolderVerification ¶

func WithExpectedNonceForHolderVerification(nonce string) ParseOpt

WithExpectedNonceForHolderVerification option is to pass nonce value for holder verification.

func WithExpectedTypHeader ¶

func WithExpectedTypHeader(typ string) ParseOpt

WithExpectedTypHeader is an option for JWT typ header validation. Might be relevant for SDJWT V5 VC validation. Spec: https://vcstuff.github.io/draft-terbu-sd-jwt-vc/draft-terbu-oauth-sd-jwt-vc.html#name-header-parameters

func WithHolderBindingRequired ¶

func WithHolderBindingRequired(flag bool) ParseOpt

WithHolderBindingRequired option is for enforcing holder binding. Deprecated: use WithHolderVerificationRequired instead.

func WithHolderSigningAlgorithms ¶

func WithHolderSigningAlgorithms(algorithms []string) ParseOpt

WithHolderSigningAlgorithms option is for defining secure signing algorithms (for holder).

func WithHolderVerificationRequired ¶

func WithHolderVerificationRequired(flag bool) ParseOpt

WithHolderVerificationRequired option is for enforcing holder verification. For SDJWT V2 - this option defines Holder Binding verification as required. For SDJWT V5 - this option defines Key Binding verification as required.

func WithIssuerSigningAlgorithms ¶

func WithIssuerSigningAlgorithms(algorithms []string) ParseOpt

WithIssuerSigningAlgorithms option is for defining secure signing algorithms (for issuer).

func WithJWTDetachedPayload ¶

func WithJWTDetachedPayload(payload []byte) ParseOpt

WithJWTDetachedPayload option is for definition of JWT detached payload.

func WithLeewayForClaimsValidation ¶

func WithLeewayForClaimsValidation(duration time.Duration) ParseOpt

WithLeewayForClaimsValidation is an option for claims time(s) validation.

func WithSignatureVerifier ¶

func WithSignatureVerifier(signatureVerifier jose.SignatureVerifier) ParseOpt

WithSignatureVerifier option is for definition of signature verifier.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL