Crate affinidi_data_integrity


W3C Data Integrity — sign and verify Data Integrity Proofs for Verifiable Credentials, DID documents, and arbitrary JSON documents.

§Quickstart — sign and verify

use affinidi_data_integrity::{DataIntegrityProof, SignOptions, VerifyOptions};
use affinidi_secrets_resolver::secrets::Secret;
use serde_json::json;

let secret = Secret::generate_ed25519(Some("did:key:z6Mk...#key-0"), None);
let doc = json!({ "name": "Alice" });

// Sign — the library picks `eddsa-jcs-2022` automatically via
// Signer::cryptosuite() because `secret` is an Ed25519 key.
let proof = DataIntegrityProof::sign(&doc, &secret, SignOptions::new()).await?;

// Verify — pass the raw public-key bytes.
proof.verify_with_public_key(&doc, secret.get_public_bytes(), VerifyOptions::new())?;

§Post-quantum cryptography

Enable the post-quantum feature (off by default) to sign with ML-DSA-44 or SLH-DSA-SHA2-128s:

[dependencies]
affinidi-data-integrity = { version = "0.5", features = ["post-quantum"] }

Then generate a PQC key — the library selects mldsa44-jcs-2024 or slhdsa128-jcs-2024 automatically from the key type.

§Cryptosuites

See crypto_suites::CryptoSuite for the full list. Each suite has a canonicalization (JCS or RDFC), a signing algorithm, and a compatible_key_types list. Callers rarely need to pick a suite directly — Signer::cryptosuite provides a sensible default per key type, and SignOptions::with_cryptosuite is the escape hatch for explicit selection (e.g. forcing RDFC).
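Why each suite carries a canonicalization step, shown as an added example that is not this crate's code: a reduced JCS (RFC 8785) serializer, so two documents that differ only in member order yield the same bytes to sign. The names `Value`, `quote` and `canonical` are hypothetical, and only integer numbers are handled.

```rust
// Added example: reduced JCS (RFC 8785) serializer, std only. Not crate code.
#[allow(dead_code)]
pub enum Value {
    Null,
    Bool(bool),
    Int(i64), // integers only; JCS number formatting for floats is omitted
    Str(String),
    Arr(Vec<Value>),
    Obj(Vec<(String, Value)>), // member order as the producer emitted it
}

fn quote(s: &str) -> String {
    let mut out = String::from("\"");
    for c in s.chars() {
        match c {
            '"' | '\\' => { out.push('\\'); out.push(c); }
            '\u{08}' => out.push_str("\\b"),
            '\t' => out.push_str("\\t"),
            '\n' => out.push_str("\\n"),
            '\u{0c}' => out.push_str("\\f"),
            '\r' => out.push_str("\\r"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out.push('"');
    out
}

pub fn canonical(v: &Value) -> String {
    match v {
        Value::Null => "null".to_string(),
        Value::Bool(b) => b.to_string(),
        Value::Int(n) => n.to_string(),
        Value::Str(s) => quote(s),
        Value::Arr(a) => format!("[{}]", a.iter().map(canonical).collect::<Vec<_>>().join(",")),
        Value::Obj(members) => {
            let mut sorted: Vec<&(String, Value)> = members.iter().collect();
            // RFC 8785 sorts member names by UTF-16 code units, not UTF-8 bytes.
            sorted.sort_by_key(|m| m.0.encode_utf16().collect::<Vec<u16>>());
            let parts = sorted.iter().map(|m| format!("{}:{}", quote(&m.0), canonical(&m.1)));
            format!("{{{}}}", parts.collect::<Vec<_>>().join(","))
        }
    }
}

fn main() {
    let doc = Value::Obj(vec![("name".to_string(), Value::Str("Alice".to_string())), ("age".to_string(), Value::Int(30))]);
    println!("{}", canonical(&doc));
}
```

A signer and a verifier that disagree on any of these rules (member order, escaping, whitespace) hash different bytes, and verification fails on an untampered document.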

§Forward compatibility

All public enums (KeyType, CryptoSuite, DataIntegrityError) are #[non_exhaustive]. Future algorithms and error variants arrive in minor releases without breaking callers that include a _ => arm.

§Out of scope

This crate implements W3C Data Integrity only. JOSE / JWS / COSE post-quantum profiles are being standardised separately by IETF and will live in sibling crates (affinidi-data-integrity-jose, -cose) when those drafts stabilise.

Re-exports§

pub use caching_signer::CachingSigner;
pub use caching_signer::GetPrivateBytes;
pub use conformance::verify_conformance;
pub use did_vm::DidKeyResolver;
pub use did_vm::ResolvedKey;
pub use did_vm::VerificationMethodResolver;
pub use multi::MultiVerifyResult;
pub use multi::VerifyPolicy;
pub use multi::verify_multi;
pub use error::DataIntegrityError;
pub use error::SignatureFailure;
pub use options::SignOptions;
pub use options::VerifyOptions;

Modules§

caching_signer
CachingSigner — wraps any Signer and caches the expanded signing key on first use.
conformance
Spec-shape conformance checking for Data Integrity proofs.
crypto_suites
Recognized crypto suites
did_vm
DID verification-method helpers.
error
Structured error type for data-integrity operations.
multi
Multi-proof signing and verification.
options
Options passed to crate::DataIntegrityProof::sign and crate::DataIntegrityProof::verify_with_public_key.
signer
Signer trait for abstracting signing operations.
suite_ops
Per-cryptosuite operations.
verification_proof

Structs§

DataIntegrityProof
Serialized Data Integrity proof.

Functions§

prepare_sign_input
Returns the byte string a Signer is expected to sign over, given a document, a partial proof config, and the target cryptosuite.