feat(sd-jwt-vc): Module for Issuer, Holder and verifier

[berendsliedrecht]

Module for interacting with SD-JWTs as an issuer, holder and verifier.

The module is called SdJwtModule, however since we only deal with SdJwtVc I think it should be renamed to SdJwtVcModule.

As an issuer you get the SdJwtModule.create function which allows you to create an sd-jwt-vc where the framework sets all the required properties (like iat). It returns a record and a compact form of the sd-jwt-vc. Since key binding is required in sd-jwt-vc, a holderDidUrl is required for creation, which will be turned into a JWK and embedded in the payload as a cnf claim.

The holder gets the SdJwtModule.receive and SdJwtModule.present. The receive function simply validates that the signature is correct and the correct holder key is used. The present method allows a user to remove certain items from the sd-jwt-vc. The present method returns a compact format of the sd-jwt-vc which can be send to the verifier.

The verifier gets the SdJwtModule.verify method. This checks the keybinding, issuer signature and whether all the required fields are included.

Note: The module also exposes some repository functionality as we do not have a generic repository module, yet.

[TimoGlastra]

No tags at all will make it especially hard to query the credentials for input in a VP...

[berendsliedrecht]

yeah I was wondering what the best tag structure would be for this. Right now I added the disclosure keys as an array, but I am not sure whether that is supported within askar.

Will likely also include the claimKeys, combined with the selectively disclosable keys.

[TimoGlastra]

You can add arrays. It will currently be added as an <attr>:<value>: 1/0 I think. So disclosureKeys:age: 1. Maybe askar also supports something for this natively, which we maybe should look into

[berendsliedrecht]

Tags will be left as-is for now. Once we do the integration with openid they can be added as at that point we will know exactly how to query.

[codecov-commenter]

Codecov Report

Merging #1607 (c95fe6a) into main (1785479) will increase coverage by 0.00%.
The diff coverage is 86.38%.

@@           Coverage Diff            @@
##             main    #1607    +/-   ##
========================================
  Coverage   85.66%   85.67%            
========================================
  Files         950      959     +9     
  Lines       22879    23082   +203     
  Branches     4022     4049    +27     
========================================
+ Hits        19600    19775   +175     
- Misses       3095     3123    +28     
  Partials      184      184            

Files	Coverage Δ
packages/core/src/crypto/jose/jwk/Jwk.ts	80.00% <100.00%> (ø)
packages/core/src/crypto/jose/jwk/index.ts	100.00% <100.00%> (ø)
packages/core/src/index.ts	100.00% <100.00%> (ø)
...odules/generic-records/repository/GenericRecord.ts	100.00% <ø> (ø)
...ages/openid4vc-client/src/OpenId4VcClientModule.ts	100.00% <ø> (ø)
packages/sd-jwt-vc/src/SdJwtVcError.ts	100.00% <100.00%> (ø)
packages/sd-jwt-vc/src/SdJwtVcModule.ts	100.00% <100.00%> (ø)
...ckages/sd-jwt-vc/src/__tests__/sdjwtvc.fixtures.ts	100.00% <100.00%> (ø)
packages/sd-jwt-vc/src/index.ts	100.00% <100.00%> (ø)
packages/sd-jwt-vc/src/repository/SdJwtVcRecord.ts	100.00% <100.00%> (ø)
... and 5 more

[TimoGlastra]

These will both already be in the JWT right?

[berendsliedrecht]

I changed it to issuerKey and holderkey which are used to confirm the signature and check whether the cnf claim is correct. If this info is invalid the sd-jwt cannot be used.

[berendsliedrecht]

now using issuerDidUrl and holderDidUrl.

[berendsliedrecht]

Somehow I can't reply to your comment...

Why does the issuer need to provide both an issuerDid and an issuerKey? I think with other places we've required to pass a key reference within the did then (did:key:123#123) and based on that we can get the issuerDid and issuerKey.

Usually I try to avoid two params that can clash (as you can provide a key that doesn't belong to the did). We can call the parameter the keyId (or something like that, forgot what it's called) and also add it to the header of the JWT

Yeah I was thinking about this for a bit and a did with key reference would be good. I did not do it like that for now as you would need to resolve your own did. I will add it where you have to pass a did with key reference. It will make the method slower though.

[TimoGlastra]

Somehow I can't reply to your comment...

Why does the issuer need to provide both an issuerDid and an issuerKey? I think with other places we've required to pass a key reference within the did then (did🔑123#123) and based on that we can get the issuerDid and issuerKey.

Usually I try to avoid two params that can clash (as you can provide a key that doesn't belong to the did). We can call the parameter the keyId (or something like that, forgot what it's called) and also add it to the header of the JWT

Yeah I was thinking about this for a bit and a did with key reference would be good. I did not do it like that for now as you would need to resolve your own did. I will add it where you have to pass a did with key reference. It will make the method slower though.

I think that is fine for now. We have this in a few other places, where we resolve our own did. But I thin we should solve this generically by allowing the did to be retrieved from local storage / cache.

[TimoGlastra]

Nice work @berendsliedrecht. Mostly some small improvements

[berendsliedrecht]

@karimStekelenburg @TimoGlastra Quickly before merging, should the module be called SdJwtVc or SdJwt? It is SdJwt right now but we only really handle SdJwtVc.

[karimStekelenburg]

Looking good overall. I left a few comments here and there, but they're mostly suggestions. I only see happy flow tests though. Doesn't have to bne noew, but I think we should add sad flow tests when we combine it with OID4VC.

[karimStekelenburg]

Maybe add a test where the holder tries to disclose a non-disclosable value?

[berendsliedrecht]

Yeah good point regarding the non-happy flow tests. I would like to add them in a separate PR to keep this one "small".

[genaris]

I like the simplicity of the API, seems to be very fun to use!

Just left a comment regarding an old discussion that we never completely materialized in code (maybe for a further breaking change PR now we are introducing a new major version).

[genaris]

Following the convention used in other module APIs (and services in general) we'd call it findAllCredentialRecordsByQuery, to make more explicit about the fact that we expect multiple records to be retrieved. Actually, in most modules we make naming simpler (e.g. findAllByQuery), but I see it's not the case here and W3cCredentialsApi (the API this module is based on I guess).

Of course if we change this here and leave W3cCredentialsApi as is, it would not be consistent. And if we change it in W3cCredentialsApi as well we'll introduce a breaking change. But I just wanted to point out this to bother you 😄

[berendsliedrecht]

Ah good point! I think we can change this in a separate PR which changes both the w3c and this one.

[berendsliedrecht]

I am actually not sure what the best name would be here. I think findAllByQuery is the best as it is already scoped under sdJwt within the agent.modules api.

[berendsliedrecht]

I think all of them to findById, findAllByQuery. They will be removed in the future and I think they were too verbose before.

[genaris]

What's the problem here that required a ts-ignore? It's about not using askar-nodejs as direct dependency?

[berendsliedrecht]

The expected ariesAskar type did not match the one from the module as I think it used 0.2.0-dev.1 and I used 0.1.0. I think I can remove it again

[genaris]

Do you expect SD-JWT to take that long?

[berendsliedrecht]

Copied from another test. It is quite quick, but askar and agent initialization makes some steps a bit slow. Better overestimate here I guess ;).