Our current SD-JWT implementation only supports disclosures at the top-level, rewrite this to support disclosures at any level including full recursion. This is needed to support a verifier asking for e.g. `['address' 'street_address']` given e.g. the EU PID document type from ARF 1.8 and onwards.

Also add comprehensive testing against the test vectors in the SD-JWT specification. The new implementation is intended to target low-level SD-JWTs instead of the higher SD-JWT VC which the old implementation targeted. As such, it only contains two classes, `SdJwt` and `SdJwtKb`.

Replace `JsonWebKey` with methods on `EcPublicKey` and also use existing `JsonWebSignature` support routines instead of `JwtObject`, `JwtHeader`, `JwtBody` classes. Rewrite `JsonWebSignature` to not use nimbus at runtime (thus making it multiplatform) but retain the nimbus tests in the JVM specific tests, to ensure interoperability. Also add the functionality to sign with a `SecureArea`.

Port all code to use these new SD-JWT routines.

A few changes to `VcClaim` and `VcRequestedClaim` are still needed to fully support non-top-level claims. A future PR will address that, this PR lays the groundwork for that change.

Test: ./gradlew check && ./gradlew connectedCheck
Test: Manually tested VerifierServlet against samples/testapp
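
The recursive disclosure processing described above, as an added example that is not code from this PR or the project: a Python sketch (the project itself is Kotlin) that rebuilds claims from an already signature-verified payload, following `_sd` digests into disclosed values so that `street_address` inside a disclosable `address` resolves. All function names and sample values are hypothetical and constructed; array-element (`...`) disclosures are left out to keep it short.

```python
# Added illustration: names are hypothetical, not the project's API.
import base64, hashlib, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def digest_of(enc: str) -> str:
    return b64url(hashlib.sha256(enc.encode("ascii")).digest())

def disclosure(salt, name, value):
    """Constructed-sample helper: returns (encoded disclosure, its digest)."""
    enc = b64url(json.dumps([salt, name, value]).encode())
    return enc, digest_of(enc)

def process(payload, presented):
    """Rebuild claims from a signature-verified payload and presented disclosures."""
    if payload.get("_sd_alg", "sha-256") != "sha-256":
        raise ValueError("unsupported _sd_alg")
    by_digest = {digest_of(e): json.loads(base64.urlsafe_b64decode(e + "=" * (-len(e) % 4)))
                 for e in presented}
    used = set()
    def walk(node):
        if isinstance(node, list):
            return [walk(item) for item in node]
        if not isinstance(node, dict):
            return node
        out = {k: walk(v) for k, v in node.items() if k not in ("_sd", "_sd_alg")}
        for digest in node.get("_sd", []):
            parts = by_digest.get(digest)
            if parts is None:
                continue                      # undisclosed claim or decoy digest
            if digest in used or len(parts) != 3:
                raise ValueError("digest reused or malformed disclosure")
            used.add(digest)
            _, name, value = parts
            if name in out or name in ("_sd", "..."):
                raise ValueError("claim name conflict")
            out[name] = walk(value)           # a disclosed value may carry its own _sd
        return out
    claims = walk(payload)
    if used != set(by_digest):
        raise ValueError("disclosure not referenced by any digest")
    return claims

# Constructed sample: street_address is disclosable inside a disclosable address.
STREET, street_d = disclosure("salt-1", "street_address", "Heidestrasse 17")
LOCALITY, locality_d = disclosure("salt-2", "locality", "Koeln")
ADDRESS, address_d = disclosure("salt-3", "address", {"_sd": [street_d, locality_d], "country": "DE"})
PAYLOAD = {"_sd_alg": "sha-256", "_sd": [address_d], "iss": "https://issuer.example"}
```

Presenting `STREET` without `ADDRESS` is rejected, because the nested digest is only reachable through the parent disclosure.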