SdJwt

class SdJwt(val compactSerialization: String)

An SD-JWT according to draft-ietf-oauth-selective-disclosure-jwt.

When an SdJwt instance is initialized, cursory checks are performed on the provided compact serialization. Full verification of the SD-JWT can be performed using the verify method, which also returns the processed payload.

For presentment, first use one of the filter methods to generate an SD-JWT with a reduced set of disclosures. If the SD-JWT does not use key binding (check whether kbKey is null), the resulting SD-JWT can be sent to the verifier. Otherwise, use one of the present methods to generate an SdJwtKb instance. This implementation supports SD-JWTs with disclosures nested at any level.

To create an SD-JWT, use Companion.create. This currently only supports creating SD-JWTs with fully recursive disclosures.

This class is immutable.
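
Filtering works because the issuer-signed JWT refers to each disclosure only by its digest, so disclosures can be dropped without touching the signature. The following added example (Python, not this library's code or API) shows that on a constructed SD-JWT with flat, top-level disclosures only; the helper names, sample claims and placeholder signature are assumptions, and issuer-signature verification is out of scope.

```python
import base64, hashlib, json

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def digest(disclosure: str) -> str:
    # The digest covers the base64url text of the disclosure, not the decoded JSON.
    return b64u(hashlib.sha256(disclosure.encode("ascii")).digest())

def split_sd_jwt(compact: str):
    """Split '<jwt>~<disclosure>~...~[<kb-jwt>]' into (jwt, disclosures, kb_jwt or None)."""
    parts = compact.split("~")
    if len(parts) < 2 or parts[0].count(".") != 2:
        raise ValueError("malformed SD-JWT compact serialization")
    jwt, *disclosures, last = parts
    return jwt, disclosures, (last or None)

def payload_of(jwt: str) -> dict:
    return json.loads(b64u_dec(jwt.split(".")[1]))

def filter_sd_jwt(compact: str, keep: set) -> str:
    """Drop every disclosure whose claim name is not in `keep`; the JWT is untouched."""
    jwt, disclosures, kb_jwt = split_sd_jwt(compact)
    if kb_jwt is not None:
        raise ValueError("key-binding JWT already attached")
    payload = payload_of(jwt)
    if payload.get("_sd_alg", "sha-256") != "sha-256":
        raise ValueError("this sketch only handles sha-256")
    signed_digests = set(payload.get("_sd", []))
    kept = []
    for d in disclosures:
        if digest(d) not in signed_digests:
            raise ValueError("disclosure is not covered by the issuer-signed payload")
        _salt, name, _value = json.loads(b64u_dec(d))
        if name in keep:
            kept.append(d)
    return "~".join([jwt, *kept]) + "~"

def needs_key_binding(compact: str) -> bool:
    # A cnf claim in the issuer-signed payload names the holder key to bind to.
    return "cnf" in payload_of(split_sd_jwt(compact)[0])

def make_sample() -> str:
    # Constructed sample: made-up salts and claims, placeholder signature (never verified here).
    discs = [b64u(json.dumps([f"salt-{i}", k, v]).encode())
             for i, (k, v) in enumerate({"given_name": "Erika", "birthdate": "1971-09-01"}.items())]
    payload = {"iss": "https://issuer.example", "_sd_alg": "sha-256",
               "_sd": sorted(digest(d) for d in discs)}
    jwt = ".".join([b64u(b'{"alg":"ES256"}'), b64u(json.dumps(payload).encode()), b64u(b"sig")])
    return "~".join([jwt, *discs]) + "~"
```

A disclosure whose digest is absent from the signed `_sd` array is rejected rather than silently forwarded, which is the check that stops a holder or intermediary from substituting claim values.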

Parameters

compactSerialization

the compact serialization of the SD-JWT.

Throws

if the given compact serialization is malformed.

Constructors

constructor(compactSerialization: String)

Types

object Companion

Properties

The value of the vct claim in the issuer-signed JWT, if present.

lateinit var digestAlg: Algorithm

The digest algorithm used.

The disclosures in the SD-JWT.

val issuedAt: Instant?

The value of the iat claim in the issuer-signed JWT, if present.

The value of the iss claim in the issuer-signed JWT.

lateinit var jwtBody: JsonObject

The body of the issuer-signed JWT.

val jwtHeader: JsonObject

The header of the issuer-signed JWT.

The value of the cnf claim in the issuer-signed JWT, if present.

The value of the sub claim in the issuer-signed JWT, if present.

val validFrom: Instant?

The value of the nbf claim in the issuer-signed JWT, if present.

val validUntil: Instant?

The value of the exp claim in the issuer-signed JWT, if present.

The certificate chain in the x5c header element of the issuer-signed JWT, if present.

Functions

fun filter(includeDisclosure: (path: JsonArray, value: JsonElement) -> Boolean): SdJwt

Generates a new SD-JWT by removing disclosures.

fun filter(pathsToInclude: List<JsonArray>): SdJwt

Generates a new SD-JWT by filtering which claims should be included,

fun present(kbKey: EcPrivateKey, kbAlgorithm: Algorithm, nonce: String, audience: String, creationTime: Instant = Clock.System.now()): SdJwtKb

Presents an SD-JWT to a verifier.

suspend fun present(kbSecureArea: SecureArea, kbAlias: String, kbKeyUnlockData: KeyUnlockData?, nonce: String, audience: String, creationTime: Instant = Clock.System.now()): SdJwtKb

Presents an SD-JWT to a verifier, using a key in a SecureArea.

fun verify(issuerKey: EcPublicKey): JsonObject

Verifies an SD-JWT according to Section 7.1 of the SD-JWT specification.