Crate bh_sd_jwt

Expand description

This crate implements Selective Disclosure JSON Web Tokens.

It provides functionality to create, sign, and verify JWTs that support selective disclosure of claims, in accordance with emerging IETF drafts: Selective Disclosure for JWTs (SD-JWT) & SD-JWT-based Verifiable Credentials (SD-JWT VC).

§Details

The main components of this crate are the following.

issuer – Constructs and signs JWTs with standard and custom claims.
holder – Imports, manages, and presents SD-JWT credentials with selective disclosure.
verifier – Validates JWT signatures, claim integrity, and key binding challenges.
lookup – Provides different methods of retrieving an issuer’s public key.

The bh-sd-jwt repository contains the full examples, so you should take a look there to see how things fit together.

holder: The module provides the Holder type for managing and presenting SD-JWTs.
issuer: Provides the Issuer type for issuing JWTs.
lookup: Contains implementations for public key lookup strategies.
verifier: This module provides the Verifier type for verifying SD-JWT+KB presentations.

json_object: Helper macro with the same syntax as serde_json::json specialized for constructing JSON objects.
path: Utility macro for writing path literals more ergonomically.

CnfClaim: The cnf claim of the SD-JWT, containing the public key to bind with the credential.
Disclosure: A disclosure for a JSON node in the VC, in both parsed form and the original serialized form.
DisplayWrapper: Wrapper struct implementing std::fmt::Display for JsonNodePath.
IssuedSdJwt: SD-JWT in parsed form created by the issuer to be handed to the holder.
KeyBindingChallenge: The challenge to be sent to the holder. The purpose of the challenge is to ensure the freshness of the key binding signature, as well as the proper audience.
Map: Represents a JSON key/value type.
SdJwtKB: A struct representing an SD-JWT+KB.
Sha256: A Hasher implementation for the SHA-256 hash function.
Uri: Uniform Resource Identifier (URI).

DisclosureData: Parsed form of a disclosure.
Error: Top-level error type for the SD-JWT crate.
FormatError: Format error related to parsing and validating SD-JWTs and VCs (Verifiable Credentials).
HashingAlgorithm: An identifier of the algorithm used for hashing. All the algorithm variants are deemed secure for the SD-JWT purposes.
JsonNodePathSegment: A path segment, either an object key or an array index.
SignatureError: Error type for signature-related issues in SD-JWTs.
Value: Represents any valid JSON value.

Hasher: The trait used for calculating hash digest.
IssuerPublicKeyLookup: Look up the issuer’s public key for the purpose of signature verification based on the alleged iss identifier and the JWT header (both obviously not yet verified).

Digest: Base64url encoded hash value.
JsonNodePath: Type of JSON node paths, represented as a list of segments to follow starting from the root of the JWT.
JsonObject: A JSON object, i.e. a mapping from String to Value.
Result: Result type used across the crate.
Salt: Base64url encoded disclosure hash salt.
SecondsSinceEpoch