Correctly sort concealing JSON pointers. (#614)

crates/claims/crates/sd-jwt/src/conceal.rs

@@ -154,13 +154,8 @@ impl SdJwtPayload {
         let mut sorted_pointers: Vec<_> = pointers.iter().map(Borrow::borrow).collect();
         sorted_pointers.sort_unstable();
 
-        for pointer in pointers.iter().rev() {
-            disclosures.push(conceal_object_at(
-                &mut claims,
-                &mut rng,
-                sd_alg,
-                pointer.borrow(),
-            )?);
+        for pointer in sorted_pointers.into_iter().rev() {
+            disclosures.push(conceal_object_at(&mut claims, &mut rng, sd_alg, pointer)?);
         }
 
         let concealed = Self { sd_alg, claims };

crates/claims/crates/sd-jwt/tests/full_pathway.rs

@@ -177,7 +177,8 @@ async fn nested_claims() {
         })
         .unwrap();
 
-    let base_sd_jwt = base_claims
+    // Conceal the base claims.
+    base_claims
         .conceal_and_sign(
             SdAlg::Sha256,
             &[json_pointer!("/outer"), json_pointer!("/outer/inner")],
@@ -186,6 +187,16 @@ async fn nested_claims() {
         .await
         .unwrap();
 
+    // Conceal again but changing the order of pointers (this should have no effect).
+    let base_sd_jwt = base_claims
+        .conceal_and_sign(
+            SdAlg::Sha256,
+            &[json_pointer!("/outer/inner"), json_pointer!("/outer")],
+            &*JWK,
+        )
+        .await
+        .unwrap();
+
     let inner_revealed = base_sd_jwt.decode_reveal::<Claims>().unwrap();
 
     let params = VerificationParameters::from_resolver(&*JWK);