#[non_exhaustive]
pub struct SdJwtCredentialValidator<V>(/* private fields */)
where
    V: JwsVerifier;
A type for decoding and validating SdJwts.
§Implementations
impl<V> SdJwtCredentialValidator<V>
where
    V: JwsVerifier,
pub fn with_signature_verifier(
    signature_verifier: V,
    sd_decoder: SdObjectDecoder
) -> SdJwtCredentialValidator<V>
Creates a new SdJwtValidator that delegates cryptographic signature verification to the given signature_verifier.
pub fn validate_credential<DOC, T>(
    &self,
    sd_jwt: &SdJwt,
    issuer: &DOC,
    options: &JwtCredentialValidationOptions,
    fail_fast: FailFast
) -> Result<DecodedJwtCredential<T>, CompoundCredentialValidationError>
Decodes and validates a Credential issued as an SD-JWT. A DecodedJwtCredential is returned upon success.
The credential is constructed by replacing disclosures following the Selective Disclosure for JWTs (SD-JWT) standard.
The following properties are validated according to options:
- the issuer’s signature on the JWS,
- the expiration date,
- the issuance date,
- the semantic structure.
§Warning
- The key binding JWT is not validated. If needed, it must be validated separately using SdJwtValidator::validate_key_binding_jwt.
- The lack of an error returned from this method is in and of itself not enough to conclude that the credential can be trusted. The sections below contain more information on additional checks that should be carried out before and after calling this method.
§The state of the issuer’s DID Document
The caller must ensure that issuer represents an up-to-date DID Document.
§Properties that are not validated
There are many properties defined in The Verifiable Credentials Data Model that are not validated, such as: proof, credentialStatus, type, credentialSchema, refreshService and more.
These should be manually checked after validation, according to your requirements.
§Errors
An error is returned whenever a validated condition is not satisfied.
pub fn verify_signature<DOC, T>(
    &self,
    credential: &SdJwt,
    trusted_issuers: &[DOC],
    options: &JwsVerificationOptions
) -> Result<DecodedJwtCredential<T>, JwtValidationError>
Decodes and verifies the JWS signature of a Credential issued as an SD-JWT using the DID Document of a trusted issuer, and replaces the disclosures. A DecodedJwtCredential is returned upon success.
§Warning
The caller must ensure that the DID Documents of the trusted issuers are up-to-date.
§Proofs
Only the JWS signature is verified. If the Credential contains a proof property, it will not be verified by this method.
§Errors
- If the issuer’s URL cannot be parsed.
- If signature verification fails.
- If SD decoding fails.
pub fn validate_key_binding_jwt<DOC>(
    &self,
    sd_jwt: &SdJwt,
    holder: &DOC,
    options: &KeyBindingJWTValidationOptions
) -> Result<KeyBindingJwtClaims, KeyBindingJwtError>
where
    DOC: AsRef<CoreDocument>,
Validates a Key Binding JWT (KB-JWT) according to https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-07.html#name-key-binding-jwt.
The validation process includes:
- Signature validation using public key materials defined in the holder document.
- typ value in the KB-JWT header.
- sd_hash claim value in the KB-JWT claims.
- Optional nonce, aud and issuance date validation.