Crate claim169_core

Crate claim169_core 

Source
Expand description

§claim169-core

A Rust library for encoding and decoding MOSIP Claim 169 QR codes.

§Overview

MOSIP Claim 169 defines a standard for encoding identity data in QR codes, designed for offline verification of digital identity credentials. The format uses a compact binary encoding optimized for QR code capacity constraints.

The encoding pipeline:

Claim169 → CBOR → CWT → COSE_Sign1 → [COSE_Encrypt0] → zlib → Base45 → QR Code

Key technologies:

  • CBOR: Compact binary encoding with numeric keys for minimal size
  • CWT: CBOR Web Token for standard claims (issuer, expiration, etc.)
  • COSE_Sign1: Digital signature for authenticity (Ed25519 or ECDSA P-256)
  • COSE_Encrypt0: Optional encryption layer (AES-GCM)
  • zlib + Base45: Compression and alphanumeric encoding for QR efficiency

§Quick Start

§Encoding (Creating QR Codes)

use claim169_core::{Encoder, Claim169, CwtMeta};

let claim169 = Claim169 {
    id: Some("123456789".to_string()),
    full_name: Some("John Doe".to_string()),
    ..Default::default()
};

let cwt_meta = CwtMeta::new()
    .with_issuer("https://issuer.example.com")
    .with_expires_at(1800000000);

// Ed25519 signed (recommended)
let qr_data = Encoder::new(claim169, cwt_meta)
    .sign_with_ed25519(&private_key)?
    .encode()?;

// Signed and encrypted
let qr_data = Encoder::new(claim169, cwt_meta)
    .sign_with_ed25519(&private_key)?
    .encrypt_with_aes256(&aes_key)?
    .encode()?;

// Unsigned (testing only - requires explicit opt-in)
let qr_data = Encoder::new(claim169, cwt_meta)
    .allow_unsigned()
    .encode()?;

§Decoding (Reading QR Codes)

use claim169_core::Decoder;

// With Ed25519 verification (recommended)
let result = Decoder::new(qr_content)
    .verify_with_ed25519(&public_key)?
    .decode()?;

println!("ID: {:?}", result.claim169.id);
println!("Name: {:?}", result.claim169.full_name);
println!("Issuer: {:?}", result.cwt_meta.issuer);

// Decrypting encrypted credentials
let result = Decoder::new(qr_content)
    .decrypt_with_aes256(&aes_key)?
    .verify_with_ed25519(&public_key)?
    .decode()?;

// Without verification (testing only - requires explicit opt-in)
let result = Decoder::new(qr_content)
    .allow_unverified()
    .decode()?;

§Using Custom Cryptography (HSM Integration)

For hardware security modules or custom cryptographic backends:

use claim169_core::{Encoder, Decoder, Signer, SignatureVerifier};

// Implement the Signer trait for your HSM
struct HsmSigner { /* ... */ }
impl Signer for HsmSigner { /* ... */ }

// Encoding with HSM
let qr_data = Encoder::new(claim169, cwt_meta)
    .sign_with(hsm_signer, iana::Algorithm::EdDSA)
    .encode()?;

// Decoding with HSM
let result = Decoder::new(qr_content)
    .verify_with(hsm_verifier)
    .decode()?;

§Security Considerations

  • Always verify signatures in production - use .verify_with_*() methods
  • Always sign credentials in production - use .sign_with_*() methods
  • Unsigned/unverified requires explicit opt-in with .allow_unsigned()/.allow_unverified()
  • Decompression is limited to prevent zip bomb attacks (default: 64KB)
  • Timestamps are validated by default; use .without_timestamp_validation() to disable
  • Weak cryptographic keys (all-zeros, small-order points) are automatically rejected

§Features

FeatureDefaultDescription
software-cryptoSoftware implementations of Ed25519, ECDSA P-256, and AES-GCM

Disable default features to integrate with HSMs or custom cryptographic backends:

[dependencies]
claim169-core = { version = "0.1", default-features = false }

Then implement the Signer, SignatureVerifier, Encryptor, or Decryptor traits.

§Modules

  • crypto: Cryptographic traits and implementations
  • error: Error types for encoding, decoding, and crypto operations
  • model: Data structures for Claim 169 identity data
  • pipeline: Low-level encoding/decoding pipeline functions

Re-exports§

pub use decode::Decoder;
pub use encode::Encoder;
pub use encode::generate_random_nonce;
pub use crypto::traits::Decryptor;
pub use crypto::traits::Encryptor;
pub use crypto::traits::KeyResolver;
pub use crypto::traits::SignatureVerifier;
pub use crypto::traits::Signer;
pub use error::Claim169Error;
pub use error::CryptoError;
pub use error::CryptoResult;
pub use error::Result;
pub use model::Biometric;
pub use model::BiometricFormat;
pub use model::BiometricSubFormat;
pub use model::Claim169;
pub use model::CwtMeta;
pub use model::Gender;
pub use model::MaritalStatus;
pub use model::PhotoFormat;
pub use model::VerificationStatus;
pub use crypto::AesGcmDecryptor;
pub use crypto::AesGcmEncryptor;
pub use crypto::EcdsaP256Signer;
pub use crypto::EcdsaP256Verifier;
pub use crypto::Ed25519Signer;
pub use crypto::Ed25519Verifier;

Modules§

crypto
Cryptographic traits and implementations for Claim 169.
decode
Decoder builder for parsing Claim 169 QR codes.
encode
Encoder builder for creating Claim 169 QR codes.
error
Error types for Claim 169 decoding and cryptographic operations.
model
Data models for Claim 169 identity credentials.
pipeline

Structs§

DecodeResult
Result of successfully decoding a Claim 169 QR code.
Warning
A warning generated during the decoding process.

Enums§

WarningCode
Types of warnings that can be generated during decoding.