Upgrade to SD-JWT v12 & API rework #14
Conversation
| ``` | ||
|
|
||
| Now `encoder.object()?` will return the encoded object. | ||
| Internally, builder's object now looks like: | ||
|
|
||
| ```json |
There was a problem hiding this comment.
(nitpicking)
Should we use align the example calls with the example output to keep them talking about the same data? E.g. the example calls only hide /phone/0 but the example shows more phone entries as hidden, and the _sd array has 7 entries, though it should have 6?
We could also re-use the example code for the readme and use output from it, might be easier to keep in sync. ^^
There was a problem hiding this comment.
According to spec about the _sd array: "The array MAY be empty in case the Issuer decided not to selectively disclose any of the claims at that level. However, it is RECOMMENDED to omit the _sd key in this case to save space."
Wanted to test this behavior, but ran into issues, when creating a SD-JWT without any concealable properties. The serialized object had two of the tilde characters directly following another, which should not be the case according to the ABNF (SD-JWT = JWT "~" *[DISCLOSURE "~"]). This broke the parsing a step, that comes afterwards in the example. Removing them by hand lead to another error when parsing the SD-JWT without disclosures.
|
According to spec about the I think, currently the order depends on the order the properties are marked as concealable or decoys are added. The shuffling could be done via calling the builder functions in a random order and only adding one decoy at a time per level, but as the spec also lists sorting the hashes alphabetically, sorting them when adding or serializing might be a nice way to make sure that their order is "shuffled". |
|
Couldn't find a definitive answer in the spec, but when an issuer uses the But then again, the spec shifts the responsibility for deciding whether the KB-JWT is required or entirely to the verifier, but imho it sounds weird to present a SD-JWT with |
|
Could we fix the "erros" -> "errors" typo in the |
|
I guess, we'll have to update the CI for the Windows build. Does not seem to be a temporary thing. >.< |
Co-authored-by: wulfraem <[email protected]>
Co-authored-by: wulfraem <[email protected]>
Co-authored-by: wulfraem <[email protected]>
Co-authored-by: wulfraem <[email protected]>
|
Thank you @wulfraem for being the best reviewer ever. Going through your comments RN. |
I fixed this and added a test that makes sure an SD-JWT with 0 disclosure is properly serialized / deserialized even when a KB-JWT is present. |
| } | ||
|
|
||
| /// Creates an SD-JWT with the provided data. | ||
| pub async fn finish<S>(self, signer: &S, alg: &str) -> Result<SdJwt> |
There was a problem hiding this comment.
NIT:
When using the Builder pattern, I think it is more standard to name this function as build
Co-authored-by: Yasir <[email protected]>
Co-authored-by: Yasir <[email protected]>
Co-authored-by: Yasir <[email protected]>
Updated the code base to support SD-JWT version 12 and modified the API to make it simpler and more ergonomic.
Major changes
SdObjectEncoder/SdObjectDecoderare not public anymore, and are only used internally.SdJwtcan only be constructed by parsing a string or through the newSdJwtBuilder.SdJwtBuilderwhich has the same functionalities ofSdObjectEncoderbut:SdObjectEncoder::concealbecomesSdJwtBuilder::make_concealable.SdJwtBuilder::finishreturns a whole and validSdJwtinstead of a plaintext object and disclosures.JwsSignertrait, to create a JWS from header & payload.SdJwtPresentationBuilderwhich wraps anSdJwtand provides methods to easily conceal disclosable claims and attaching a KeyBinding JWT (KB-JWT).KeyBindingJwtBuilderto simplify the creation of KB-JWTs.RequiredKeyBindingto model a proof of possession for a given key through JWT'sctfclaim.Fixes