Support 07 version of standard and new features for v2.0 (openwallet-…

…foundation#46) Signed-off-by: Lukas <[email protected]>
cre8 · Feb 1, 2024 · b43afa7 · b43afa7
1 parent 6aa790c
commit b43afa7
Show file tree

Hide file tree

Showing 10 changed files with 277 additions and 49 deletions.
diff --git a/README.md b/README.md
@@ -10,7 +10,7 @@ This is the reference implmentation of [IETF SD-JWT specification](https://data
 
 Hopae, a founding member of OpenWallet Foundation, is building wallet module in Typesript and need this project as a core component.
 
-Currently compliant with: **draft-ietf-oauth-selective-disclosure-jwt-06**
+Currently compliant with: **draft-ietf-oauth-selective-disclosure-jwt-07**
 
 ## **Background**
 

diff --git a/examples/kb.ts b/examples/kb.ts
@@ -23,7 +23,7 @@ export const createKeyPair = () => {
     aud: 'https://example.com',
     nonce: '1234',
     custom: 'data',
-    _sd_hash: '1234',
+    sd_hash: '1234',
   };
 
   const encodedSdjwt = await sdjwt.issue(claims, privateKey, disclosureFrame, {

diff --git a/src/index.ts b/src/index.ts
@@ -1,4 +1,5 @@
 import { generateSalt, digest, getHasher } from './crypto';
+import { SDJWTException } from './error';
 import { Jwt } from './jwt';
 import { KBJwt } from './kbjwt';
 import { SDJwt, pack } from './sdjwt';
@@ -25,6 +26,8 @@ export const defaultConfig: Required<SDJWTConfig> = {
   omitTyp: false,
   hasher: digest,
   saltGenerator: generateSalt,
+  signer: null,
+  verifier: null,
 };
 
 export class SDJwtInstance {
@@ -135,48 +138,43 @@ export class SDJwtInstance {
         publicKey: Uint8Array | KeyLike;
       };
     },
-  ): Promise<boolean> {
+  ) {
     const sdjwt = SDJwt.fromEncode(encodedSDJwt);
     if (!sdjwt.jwt) {
-      return false;
-    }
-    const validated = await this.validate(encodedSDJwt, publicKey);
-    if (!validated) {
-      return false;
+      throw new SDJWTException('Invalid SD JWT');
     }
+    const { payload, header } = await this.validate(encodedSDJwt, publicKey);
 
     if (requiredClaimKeys) {
       const keys = await sdjwt.keys();
       const missingKeys = requiredClaimKeys.filter((k) => !keys.includes(k));
       if (missingKeys.length > 0) {
-        return false;
+        throw new SDJWTException(
+          'Missing required claim keys: ' + missingKeys.join(', '),
+        );
       }
     }
 
     if (options?.kb) {
       if (!sdjwt.kbJwt) {
-        return false;
-      }
-      const kbVerified = await sdjwt.kbJwt.verify(options.kb.publicKey);
-      if (!kbVerified) {
-        return false;
+        throw new SDJWTException('Key Binding JWT not exist');
       }
+      const kb = await sdjwt.kbJwt.verify(options.kb.publicKey);
+      return { payload, header, kb };
     }
 
-    return true;
+    return { payload, header };
   }
 
-  public async validate(
-    encodedSDJwt: string,
-    publicKey: Uint8Array | KeyLike,
-  ): Promise<boolean> {
+  public async validate(encodedSDJwt: string, publicKey: Uint8Array | KeyLike) {
     const sdjwt = SDJwt.fromEncode(encodedSDJwt);
     if (!sdjwt.jwt) {
-      return false;
+      throw new SDJWTException('Invalid SD JWT');
     }
 
-    const verified = await sdjwt.jwt.verify(publicKey);
-    return verified;
+    const verifiedPayloads = await sdjwt.jwt.verify(publicKey);
+    const claims = await sdjwt.getClaims();
+    return { payload: claims, header: verifiedPayloads.header };
   }
 
   public config(newConfig: SDJWTConfig) {

diff --git a/src/jwt.ts b/src/jwt.ts
@@ -1,7 +1,7 @@
 import { Base64Url } from './base64url';
 import { SDJWTException } from './error';
 import * as jose from 'jose';
-import { Base64urlString } from './type';
+import { Base64urlString, Signer, Verifier } from './type';
 
 export type JwtData<
   Header extends Record<string, any>,
@@ -86,6 +86,19 @@ export class Jwt<
     return encodedJwt;
   }
 
+  public async signWithSigner(signer: Signer) {
+    if (!this.header || !this.payload) {
+      throw new SDJWTException('Sign Error: Invalid JWT');
+    }
+
+    const header = Base64Url.encode(JSON.stringify(this.header));
+    const payload = Base64Url.encode(JSON.stringify(this.payload));
+    const data = `${header}.${payload}`;
+    this.signature = await signer(data);
+
+    return this.encodeJwt();
+  }
+
   public encodeJwt(): string {
     if (!this.header || !this.payload || !this.signature) {
       throw new SDJWTException('Serialize Error: Invalid JWT');
@@ -108,8 +121,24 @@ export class Jwt<
     try {
       await jose.jwtVerify(jwt, publicKey);
     } catch (e) {
-      return false;
+      throw new SDJWTException('Verify Error: Invalid JWT Signature');
+    }
+    return { payload: this.payload, header: this.header };
+  }
+
+  public async verifyWithVerifier(verifier: Verifier) {
+    if (!this.header || !this.payload || !this.signature) {
+      throw new SDJWTException('Verify Error: Invalid JWT');
+    }
+
+    const header = Base64Url.encode(JSON.stringify(this.header));
+    const payload = Base64Url.encode(JSON.stringify(this.payload));
+    const data = `${header}.${payload}`;
+
+    const verified = verifier(data, this.signature);
+    if (!verified) {
+      throw new SDJWTException('Verify Error: Invalid JWT Signature');
     }
-    return true;
+    return { payload: this.payload, header: this.header };
   }
 }
diff --git a/src/kbjwt.ts b/src/kbjwt.ts
@@ -1,7 +1,7 @@
 import { KeyLike } from 'jose';
 import { SDJWTException } from './error';
 import { Jwt } from './jwt';
-import { kbHeader, kbPayload } from './type';
+import { Verifier, kbHeader, kbPayload } from './type';
 
 export class KBJwt<
   Header extends kbHeader = kbHeader,
@@ -14,13 +14,29 @@ export class KBJwt<
       !this.payload?.iat ||
       !this.payload?.aud ||
       !this.payload?.nonce ||
-      !this.payload?._sd_hash
+      // this is for backward compatibility with version 06
+      !(this.payload?.sd_hash || (this.payload as any)?._sd_hash)
     ) {
       throw new SDJWTException('Invalid Key Binding Jwt');
     }
     return await super.verify(publicKey);
   }
 
+  public async verifyWithVerifier(verifier: Verifier) {
+    if (
+      !this.header?.alg ||
+      !this.header.typ ||
+      !this.payload?.iat ||
+      !this.payload?.aud ||
+      !this.payload?.nonce ||
+      // this is for backward compatibility with version 06
+      !(this.payload?.sd_hash || (this.payload as any)?._sd_hash)
+    ) {
+      throw new SDJWTException('Invalid Key Binding Jwt');
+    }
+    return await super.verifyWithVerifier(verifier);
+  }
+
   public static fromKBEncode<
     Header extends kbHeader = kbHeader,
     Payload extends kbPayload = kbPayload,

diff --git a/src/test/index.spec.ts b/src/test/index.spec.ts
@@ -23,7 +23,7 @@ describe('index', () => {
         kb: {
           alg: 'EdDSA',
           payload: {
-            _sd_hash: 'sha-256',
+            sd_hash: 'sha-256',
             aud: '1',
             iat: 1,
             nonce: '342',
@@ -50,7 +50,7 @@ describe('index', () => {
         kb: {
           alg: 'EdDSA',
           payload: {
-            _sd_hash: 'sha-256',
+            sd_hash: 'sha-256',
             aud: '1',
             iat: 1,
             nonce: '342',

diff --git a/src/test/jwt.spec.ts b/src/test/jwt.spec.ts
@@ -1,6 +1,7 @@
 import { SDJWTException } from '../error';
 import { Jwt } from '../jwt';
 import Crypto from 'node:crypto';
+import { Signer, Verifier } from '../type';
 
 describe('JWT', () => {
   test('create', async () => {
@@ -43,11 +44,15 @@ describe('JWT', () => {
     const encodedJwt = await jwt.sign(privateKey);
     const newJwt = Jwt.fromEncode(encodedJwt);
     const verified = await newJwt.verify(publicKey);
-    expect(verified).toBe(true);
-    const notVerified = await newJwt.verify(
-      Crypto.generateKeyPairSync('ed25519').privateKey,
-    );
-    expect(notVerified).toBe(false);
+    expect(verified).toStrictEqual({
+      header: { alg: 'EdDSA' },
+      payload: { foo: 'bar' },
+    });
+    try {
+      await newJwt.verify(Crypto.generateKeyPairSync('ed25519').privateKey);
+    } catch (e: unknown) {
+      expect(e).toBeInstanceOf(SDJWTException);
+    }
   });
 
   test('encode', async () => {
@@ -104,4 +109,53 @@ describe('JWT', () => {
       expect(e).toBeInstanceOf(SDJWTException);
     }
   });
+
+  test('custom signer', async () => {
+    const { privateKey, publicKey } = Crypto.generateKeyPairSync('ed25519');
+    const testSigner: Signer = async (data: string) => {
+      const sig = Crypto.sign(null, Buffer.from(data), privateKey);
+      return Buffer.from(sig).toString('base64url');
+    };
+
+    const jwt = new Jwt({
+      header: { alg: 'EdDSA' },
+      payload: { foo: 'bar' },
+    });
+
+    const encodedJwt = await jwt.signWithSigner(testSigner);
+    const encodedJwt2 = await jwt.sign(privateKey);
+    expect(encodedJwt).toEqual(encodedJwt2);
+
+    const newJwt = Jwt.fromEncode(encodedJwt);
+    const verified = await newJwt.verify(publicKey);
+    expect(verified).toStrictEqual({
+      header: { alg: 'EdDSA' },
+      payload: { foo: 'bar' },
+    });
+  });
+
+  test('custom verifier', async () => {
+    const { privateKey, publicKey } = Crypto.generateKeyPairSync('ed25519');
+    const testVerifier: Verifier = async (data: string, sig: string) => {
+      return Crypto.verify(
+        null,
+        Buffer.from(data),
+        publicKey,
+        Buffer.from(sig, 'base64url'),
+      );
+    };
+
+    const jwt = new Jwt({
+      header: { alg: 'EdDSA' },
+      payload: { foo: 'bar' },
+    });
+
+    const encodedJwt = await jwt.sign(privateKey);
+    const newJwt = Jwt.fromEncode(encodedJwt);
+    const verified = await newJwt.verifyWithVerifier(testVerifier);
+    expect(verified).toStrictEqual({
+      header: { alg: 'EdDSA' },
+      payload: { foo: 'bar' },
+    });
+  });
 });