# SD-JWT Holder-Verifier Scenarios

## Usecase: Certification of Registration credential in Domain Name Validation

## 0.0 Basic setup

In [7]:
import asyncio
from rich.console import Console

console = Console()
loop = asyncio.get_event_loop()

## 1.0 Holder receives and stores the credential from issuer

In [8]:
public_key_jwk_from_issuer = {
  "kty": "EC",
  "kid": "tJ7_O_Xu862O_9L4oxdBSkRotGJ2Id9smSovHtnUUo8",
  "crv": "P-256",
  "x": "PTKECXSeSzIRRjYBKPECaRBRp1VH_g2EztKLJf8jpVc",
  "y": "HHpPqdZ8P0ZVz9CSryp7FvmtTTnNImmlQuiatJncoNM"
}
credential_from_issuer = "eyJhbGciOiJFUzI1NiJ9.eyJfc2QiOlsiMXNiV2JaNTI1N3NCTkhQcGlUSGpaQWszUHNZNVpCR3VFV2RCMHdNcGZZRSIsIjVQN241U29KV2RkQ2o5WU8xZURMUDRvMmdRMDdqTzczOVhZX2RtVzdIVW8iLCI5Snl2UTRsdnk2V2sxdE1pYm0wd2E2WmI3THdKQkpDMXlDYnJFZXFYa1BBIiwiQTRtRDQ1dUVFRDNwSlZNcEs2NGdTaG9GVnlxRTZOci0tUklrN2h3X0RSZyIsIkNrWHJHSExqVjVlbWpUOWhiZklLeTVVUnJDX1ZIeVFjWndWRGcxbGtRd28iLCJIQTl1WDFjc2ZWRkJvMHhBSXYxdVNFeUN0cGRwR3JHZUh3RFo0dk1FVEtvIiwiSXpBcEc4Z1dVUm1aUnNmTTNoWnJNX0VOdXRZbzFseUdrRHktSzQ5TC1YbyIsIlNwaTJfWHl1bk1iZmVFNXd3c0pFc1BlT01faGpLeDhRZ1hUTEhpRTJtWXciLCJVSWpTMWQ1VEQ0R050TURLWjhqV0ZNRGFIX24ydTBGU3lPMVNOdUh4TWFRIiwiVm1WUF9JYVQxMUgxbnBZWlVZUjJrZHFjTmxlOFhoaGNYUjRMWlNlSVQtYyIsIlppb1J6UTlaQ2VtWFQ1Z0QtTjZzOHc5UmhmMWZlaTVNdTM2Tjh2ejk4OG8iLCJfX3Y1M3JqZWlNWFhTVzlQeVFORWJHZXhXazJORmExMnVTWVhjSTU5NW13IiwiX2pXc3VvLVhWLWhiX3B4UUpMZGhKQVJJWkFEZVBxVlNra2F1d1RtV0ZZUSIsImJPWExycGNodTYwMkhSMXY5NWhuNHBRVzR1YmxoMVFja25WdE41S1FHU28iLCJlQ0R2S2N2WXVzOGpicDZDbE0xV1ZkbUIwQ3RUTWFLYU5qSkE4M2NXYUJBIiwiczc5czlFRFl1OE94ZV8tN19vbDJIWnMteVh1MlZzNnh1OHpGWjlwTUZEayIsInVfRjJlY0wxZWRxNlZTTUdvWFNpbDdqd1BUaVdwTS1MVUh3UzM2bE9QWTAiXSwiX3NkX2FsZyI6InNoYS0yNTYiLCJleHAiOjE2ODc3Njk1MjgsImlhdCI6MTY4Nzc2NTkyOCwiaXNzIjoiaHR0cHM6Ly9pc3N1ZXIuaWdyYW50LmlvIn0.GAaC2OsIYgcEGcWDxQNewcOBCuNLnHyQCcPKBx9qq0ccsMqzZUEoiYq6dIRseNtBuVAgR7Y7y_PQisS_5lGcgQ~WyI4MGQzOTM0YTNhMWEzNGU3YTI3ODdhMTE2Mzc0YWYwYSIsICJsZWdhbFN0YXR1cyIsICJBQ1RJVkUiXQ~WyI5MWM1YmE3OTRiYjYwZGMwZTM2YTUxMzc0YWU4NmJhOSIsICJsZWdhbEZvcm0iLCAiQWt0aWVib2xhZyJd~WyJkMDRmODUwODUyNTlhYmE2MWFkZTIyODYzNmRiMGZlYiIsICJhY3Rpdml0eSIsICJDb25zdHJ1Y3Rpb24gSW5kdXN0cnkiXQ~WyI3ZjE2NDZlNDMxZTEwOGMyZGE2Njc3Y2FiOWU1NjdmMiIsICJvcmdOdW1iZXIiLCAiNTU5MTMzLTI3MjAiXQ~WyI1NWE5Njg4MTI1NWJjMzU3ZDg3ZDNhMWQxMTlmOTZkNyIsICJyZWdpc3RyYXRpb25EYXRlIiwgIjIwMDUtMTAtMTgiXQ~WyI4NmFhNDcyMmQxNTQzNzE5MjUyZmZiY2M2MzhmZGI5YyIsICJyZWdpc3RlcmVkQWRkcmVzcyIsIHsiZnVsbEFkZHJlc3MiOiAiMTIzIE1haW4gU3QiLCAidGhvcm91Z2hGYXJlIjogIlN2ZWF2XHUwMGU0Z2VuIiwgInBvc3ROYW1lIjogIlN0b2NraG9sbSIsICJsb2NhdG9yRGVzaWduYXRvciI6ICIxMTEgMzQiLCAiY29kZSI6ICI0OCIsICJhZG1pblVuaXRMZXZlbDEiOiAiU0UifV0~WyI4YTFlZTFhNDE5NDE2ODg2YjFhZDhlNmRjZGFjNDE0NCIsICJhdHRlc3RhdGlvblZhbGlkaXR5IiwgIjMxLURlYy0yMDIyIl0~WyIwMmMzYmI0YWZkNGUxODkxZTdiMDI3Y2VjN2RkMWE4ZSIsIDAsIDBd~WyIxM2RmMGQ5ZTIxOTM2NGI3MTU2NTk1ODU5NmQ1YzE0MSIsIDEsIDFd~WyIzOGYwN2RmZWY1ZTM4OTQyYTVkNDZhYTM0NGZiZmY2OCIsIDIsIDJd~WyJlZjdlYTg3MjFkYTc3MTkxM2M4MDllMzliZDk2NTE4OCIsIDMsIDNd~WyJkZDZmNTU3ZDkxY2JhYTcwOWVlODY0OGYyMzY4NzdmNCIsIDQsIDRd~WyJkMzVjNzYwOTc4MzIxOGRhNjllNTIyMDdlODI4YTNjNiIsIDUsIDVd~WyIxYzlkZTA4N2NmMWQzMGMyNDA1YzBkZDQ2MDc1ZTYxNSIsIDYsIDZd~WyI0ZTI3NzM5YmYzNWI4ZDExMjg5ZDdlNTJmYTU5ZWM2YyIsIDcsIDdd~WyI1NDIwYTAzYzFhNmQ4YTEwMzc4Y2UzYmZmZWFhZWEzMiIsIDgsIDhd~WyJjMzM4YmFhMzAyY2E0NWRiOTgyMjcxZTkxMzhmMTExMCIsIDksIDld"

## 2.0 Holder decodes the credential to see the disclosures and SD-JWT

In [16]:
import base64
import json
from jwcrypto import jwk, jws

disclosures = credential_from_issuer.split("~")[1:]
sd_jwt = credential_from_issuer.split("~")[0]

console.log("Number of disclosures", len(disclosures))

# Decode disclosures
decoded_disclosures = []
certificate_of_registration_credential = {}
for disclosure in disclosures:
    decoded_disclosure = json.loads(base64.urlsafe_b64decode(disclosure + "=" * (-len(disclosure) % 4)).decode("utf-8"))
    claim_key = decoded_disclosure[1]
    claim_value = decoded_disclosure[2]
    certificate_of_registration_credential[claim_key] = claim_value
    decoded_disclosures.append(decoded_disclosure)
console.log("Decoded disclosures", decoded_disclosures)
console.log("Certificate of registration credential", certificate_of_registration_credential)


# Verify the SD-JWT
jwk_public_key = jwk.JWK.from_json(json.dumps(public_key_jwk_from_issuer))
jwt_token = jws.JWS()
jwt_token.deserialize(sd_jwt)

is_valid = True
try:
    jwt_token.verify(jwk_public_key)
except jws.InvalidJWSSignature:
    is_valid = False

console.log("Is SD-JWT valid?: ", is_valid)

sd_jwt_payload = json.loads(jwt_token.payload.decode("utf-8"))

console.log("SD-JWT payload", sd_jwt_payload)


## 3.0 Holder verifies the disclosures against _sd digests

In [17]:
import hashlib
import base64

disclosure_membership_check = []
for disclosure in disclosures:
    sha256_hash = hashlib.sha256()
    sha256_hash.update(disclosure.encode('utf-8'))
    sha256_digest = sha256_hash.digest()
    disclosure_sha_256 = base64.urlsafe_b64encode(sha256_digest).decode('utf-8').rstrip("=")
    disclosure_membership_check.append(disclosure_sha_256 in sd_jwt_payload["_sd"])

console.log("Disclosure membership check", disclosure_membership_check)

## 4.0 Verifier requests for disclosures of legalStatus and legalForm claims

In [18]:
from collections import namedtuple
from eudi_wallet.util import generate_disclosure_content_and_base64

SelectedClaim = namedtuple('SelectedClaim', ['claim_key', 'claim_value'])

verifier_request = ["legalStatus", "legalForm"]

selected_claims = [
    SelectedClaim(claim_key="legalStatus", claim_value=certificate_of_registration_credential["legalStatus"]),
    SelectedClaim(claim_key="legalForm", claim_value=certificate_of_registration_credential["legalForm"]),
]

console.log("Selected claims", selected_claims)


Disclosure = namedtuple('Disclosure', ['content', 'content_base64'])

disclosures = []
for selected_claim in selected_claims:
    disclosure, disclosure_base64 = generate_disclosure_content_and_base64(selected_claim.claim_key, selected_claim.claim_value)
    disclosures.append(Disclosure(content=disclosure, content_base64=disclosure_base64))

console.log("Disclosures", disclosures)



## 6.0 Create combined format for presentation (a.k.a presentation to verifier)

*Note: Format is `<SD-JWT>~<Disclosure 1>~<Disclosure 2>~...~<Disclosure M>~<optional Holder Binding JWT>`*

In [19]:
combined_format_for_issuance = sd_jwt

for disclosure in disclosures:
    combined_format_for_issuance += "~" + disclosure.content_base64

print("Combined format for presentation : ", combined_format_for_issuance)

Combined format for issuance :  eyJhbGciOiJFUzI1NiJ9.eyJfc2QiOlsiMXNiV2JaNTI1N3NCTkhQcGlUSGpaQWszUHNZNVpCR3VFV2RCMHdNcGZZRSIsIjVQN241U29KV2RkQ2o5WU8xZURMUDRvMmdRMDdqTzczOVhZX2RtVzdIVW8iLCI5Snl2UTRsdnk2V2sxdE1pYm0wd2E2WmI3THdKQkpDMXlDYnJFZXFYa1BBIiwiQTRtRDQ1dUVFRDNwSlZNcEs2NGdTaG9GVnlxRTZOci0tUklrN2h3X0RSZyIsIkNrWHJHSExqVjVlbWpUOWhiZklLeTVVUnJDX1ZIeVFjWndWRGcxbGtRd28iLCJIQTl1WDFjc2ZWRkJvMHhBSXYxdVNFeUN0cGRwR3JHZUh3RFo0dk1FVEtvIiwiSXpBcEc4Z1dVUm1aUnNmTTNoWnJNX0VOdXRZbzFseUdrRHktSzQ5TC1YbyIsIlNwaTJfWHl1bk1iZmVFNXd3c0pFc1BlT01faGpLeDhRZ1hUTEhpRTJtWXciLCJVSWpTMWQ1VEQ0R050TURLWjhqV0ZNRGFIX24ydTBGU3lPMVNOdUh4TWFRIiwiVm1WUF9JYVQxMUgxbnBZWlVZUjJrZHFjTmxlOFhoaGNYUjRMWlNlSVQtYyIsIlppb1J6UTlaQ2VtWFQ1Z0QtTjZzOHc5UmhmMWZlaTVNdTM2Tjh2ejk4OG8iLCJfX3Y1M3JqZWlNWFhTVzlQeVFORWJHZXhXazJORmExMnVTWVhjSTU5NW13IiwiX2pXc3VvLVhWLWhiX3B4UUpMZGhKQVJJWkFEZVBxVlNra2F1d1RtV0ZZUSIsImJPWExycGNodTYwMkhSMXY5NWhuNHBRVzR1YmxoMVFja25WdE41S1FHU28iLCJlQ0R2S2N2WXVzOGpicDZDbE0xV1ZkbUIwQ3RUTWFLYU5qSkE4M2NXYUJBIiwiczc5czlFRFl1OE9