Skip to main content

Crate auths_verifier

Crate auths_verifier 

Source
Expand description

§auths-verifier

Attestation verification library for Auths.

This crate provides signature and chain verification without requiring access to private keys or platform keychains. It’s designed to be:

  • Lightweight — minimal dependencies
  • Cross-platform — works on any target including WASM
  • FFI-friendly — C-compatible interface available

§Quick Start

use auths_verifier::{verify_chain, VerificationStatus};

let report = verify_chain(&attestations)?;

match report.status {
    VerificationStatus::Valid => println!("Chain verified!"),
    VerificationStatus::Expired { at } => println!("Expired at {}", at),
    VerificationStatus::InvalidSignature { step } => {
        println!("Bad signature at step {}", step);
    }
    _ => println!("Verification failed"),
}

§Authority via Credentials

The verifier checks authenticity only — signatures, chain linkage, expiry, and witness quorum. Capability/role authority is no longer read from the attestation; it flows exclusively through a holder-verified ACDC credential presentation (see auths_id::policy::context_from_credential).

§Feature Flags

  • wasm — Enable WASM bindings via wasm-bindgen

Re-exports§

pub use types::AssuranceLevel;
pub use types::AssuranceLevelParseError;
pub use types::CanonicalDid;
pub use types::DidConversionError;
pub use types::DidParseError;
pub use types::IdentityDID;
pub use types::VerificationReport;
pub use types::VerificationStatus;
pub use types::signer_hex_to_did;
pub use types::validate_did;
pub use action::ActionEnvelope;
pub use core::ATTESTATION_VERSION;
pub use core::Attestation;
pub use core::CommitOid;
pub use core::CommitOidError;
pub use core::DevicePublicKey;
pub use core::EcdsaP256Error;
pub use core::EcdsaP256PublicKey;
pub use core::EcdsaP256Signature;
pub use core::Ed25519KeyError;
pub use core::Ed25519PublicKey;
pub use core::Ed25519Signature;
pub use core::IdentityBundle;
pub use core::InvalidKeyError;
pub use core::MAX_ATTESTATION_JSON_SIZE;
pub use core::MAX_JSON_BATCH_SIZE;
pub use core::OidcBinding;
pub use core::PolicyId;
pub use core::PublicKeyDecodeError;
pub use core::PublicKeyHex;
pub use core::PublicKeyHexError;
pub use core::ResourceId;
pub use core::Role;
pub use core::RoleParseError;
pub use core::SignatureAlgorithm;
pub use core::SignatureLengthError;
pub use core::SignatureVerifyError;
pub use core::ThresholdPolicy;
pub use core::TypedSignature;
pub use core::VerifiedAttestation;
pub use core::decode_public_key_bytes;
pub use core::decode_public_key_hex;
pub use commit_error::CommitVerificationError;
pub use error::AttestationError;
pub use verifier::Verifier;
pub use verify::verify_at_time;
pub use verify::verify_chain;
pub use verify::verify_chain_with_witnesses;
pub use verify::verify_device_authorization;
pub use verify::verify_with_keys;
pub use verify::DeviceLinkVerification;
pub use verify::compute_attestation_seal_digest;
pub use verify::is_device_listed;
pub use witness::WitnessQuorum;
pub use witness::WitnessReceiptResult;
pub use witness::WitnessVerifyConfig;
pub use commit::VerifiedCommit;
pub use commit_kel::ANCHOR_SEQ_TRAILER;
pub use commit_kel::CommitVerdict;
pub use commit_kel::SCOPE_TRAILER;
pub use commit_kel::VerifierWitnessPolicy;
pub use commit_kel::WitnessGateStatus;
pub use commit_kel::WitnessedVerdict;
pub use commit_kel::anchor_seq_trailer;
pub use commit_kel::scope_trailer;
pub use commit_kel::verify_commit_against_kel;
pub use commit_kel::verify_commit_against_kel_scoped;
pub use commit_kel::verify_commit_against_kel_witnessed;
pub use ssh_sig::SshKeyType;
pub use ssh_sig::SshSigEnvelope;
pub use credential::CredentialVerdict;
pub use credential::LifecycleEvent;
pub use credential::SignedAcdc;
pub use credential::verify_credential;
pub use credential::verify_credential_sync;
pub use presentation::PresentationBinding;
pub use presentation::PresentationEnvelope;
pub use presentation::PresentationVerdict;
pub use presentation::verify_presentation;
pub use presentation::verify_presentation_sync;
pub use contract::SCHEMA_VERSION;
pub use contract::verify_credential_json;
pub use contract::verify_presentation_json;
pub use clock::ClockProvider;
pub use clock::SystemClock;

Modules§

action
Typed action envelope for signed actions.
clock
Clock provider abstraction for injectable time.
commit
Git commit SSH signature extraction and verification.
commit_error
Error types for commit signature verification.
commit_kel
KEL-native commit verdict — the heart of Epic B.
contract
The single cross-boundary verify contract (JSON request → tagged verdict). The single cross-boundary verify contract: one JSON request in, one tagged verdict out.
core
Core attestation types and canonical serialization.
credential
Pure ACDC credential verification — report facts, never resolve (Epic F.5).
duplicity
Detect diverging rotation events on a shared identity KEL.
error
Error types for attestation and verification operations.
presentation
Holder-binding + presentation verification — credentials are not bearer tokens (Epic F.8).
ssh_sig
SSHSIG envelope parsing for SSH signature verification.
types
Verification types: reports, statuses, and device DIDs.
verifier
Dependency-injected Verifier for attestation and chain verification.
verify
Free-function verification API wrapping crate::verifier::Verifier.
witness
Witness receipt verification for the auths-verifier crate.

Structs§

Capability
A validated capability identifier.
Hash256
32-byte hash digest (SHA-256, Blake3, or any content address).
KeriIcpEvent
Inception event — creates a new KERI identity.
KeriIxnEvent
Interaction event — anchors data without key rotation.
KeriRotEvent
Rotation event — rotates to pre-committed key.
KeriTypeError
Error when constructing KERI newtypes with invalid values.
Prefix
Strongly-typed KERI identifier prefix (e.g., "ETest123...", "DKey456...").
Said
KERI Self-Addressing Identifier (SAID).
SignedReceipt
A receipt paired with its detached witness signature.

Enums§

CapabilityError
Error type for capability parsing and validation.
KeriEvent
Unified event enum for processing any KERI event type.
KeriSeal
KERI seal — anchors external data in an event’s a field.
ValidationError
Errors specific to KEL validation.

Traits§

AuthsErrorInfo
Trait for error metadata providing structured error codes and actionable suggestions.
CryptoProvider
Curve-agnostic abstraction for cryptographic operations across target architectures.

Functions§

compute_said
Computes a spec-compliant SAID for a KERI event (KERI10JSON protocol tag).
find_seal_in_kel
Search for a seal with the given digest in any IXN event in the KEL.
parse_kel_json
Parse a KEL from a JSON string.