oxirs-did
W3C DID and Verifiable Credentials implementation with Signed RDF Graphs
Full implementation of W3C Decentralized Identifiers (DID) and Verifiable Credentials (VC) specifications, with support for cryptographically signed RDF graphs.
Features
- DID Core 1.0: W3C Recommendation compliant
- VC Data Model 2.0: Verifiable Credentials with Ed25519 proofs
- DID Methods:
did:key(default, no network),did:web(featuredid-web),did:ethr(default, ERC-1056),did:ion(default, Sidetree/ION),did:pkh(CAIP-10 blockchain accounts) - RDFC-1.0: RDF Dataset Canonicalization for graph signing
- Proof Suites: Ed25519Signature2020, JWS (
JsonWebSignature2020), BBS+ signatures (featurebbs-plus, default) - Key Management: Key rotation and lifecycle tracking, ECDH key agreement
- Revocation: W3C
StatusList2021andRevocationList2020 - Trust & Presentation: Trust chain verification, Verifiable Presentation builder/presenter
- Selective Disclosure: ZKP-based Pedersen commitments (feature
zkp, default)
Standards Compliance
- ✅ W3C DID Core 1.0
- ✅ W3C VC Data Model 2.0
- ✅ Ed25519Signature2020
- ✅ RDFC-1.0
- ✅ Multicodec
- ✅ Multibase
Quick Start
DID Creation and Resolution
use ;
use Ed25519Signer;
async
Issue Verifiable Credential
use ;
use Arc;
async
Verify Credential
use ;
use Arc;
async
Sign RDF Graph
use ;
use Ed25519Signer;
use ;
async
DID Methods
did:key (Default)
No network required, deterministic from public key:
did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK
└─ Base58btc(0xed01 + Ed25519_public_key)
did:web (Optional, feature = "did-web")
HTTPS-based resolution:
did:web:example.com
→ https://example.com/.well-known/did.json
did:web:example.com:users:alice
→ https://example.com/users/alice/did.json
did:web:example.com%3A8080
→ https://example.com:8080/.well-known/did.json
Additional Methods (Default)
- did:ethr —
did:ethr:[network:]<ethereum-address>, based on the ERC-1056 Ethereum DID Registry contract - did:ion —
did:ion:<unique-suffix>, Sidetree-anchored DIDs on the ION network (Bitcoin-anchored PKI) - did:pkh —
did:pkh:<CAIP-2 chain namespace>:<account address>, wraps an existing blockchain account (Ethereum, Solana, Bitcoin, ...) as a DID with no separate registration step
Feature Flags
[]
= { = "0.3.2", = ["did-web", "signed-graphs"] }
Available features:
did-key(default) - did:key methoddid-web- did:web method (requires reqwest)did-ebsi- European Blockchain Services Infrastructure (requires reqwest)did-ethr(default) - did:ethr method (ERC-1056)did-ion(default) - did:ion method (Sidetree/ION)vc-data-model-2(default) - W3C VC 2.0signed-graphs- RDF graph signing/verificationkey-management- Key storagebbs-plus(default) - BBS+ signatures for selective disclosurezkp(default) - ZKP-based selective disclosure (Pedersen commitments)zkp-ristretto- Hardened Pedersen commitments over the Ristretto255 groupkeygen- RSA key-pair generation helpersfips- FIPS 140-2 cryptographic boundary marker (seedocs/policies/fips-boundary.md)
Use Cases
- Trustworthy AI: Sign training datasets for provenance tracking
- IoT Identity: Decentralized identity for edge devices
- Supply Chain: Verifiable product certifications
- Research Data: Signed datasets for reproducibility
- Federated Systems: Self-sovereign identity across systems
Dependencies
ed25519-dalek- Ed25519 signaturesp256,bls12_381_plus,rsa- Additional signature suites (ECDSA P-256, BLS12-381/BBS+, RSA)sha2,sha3,hmac- Cryptographic hashingbs58- Multiformat (multibase) encodingscirs2-core- Secure random number generation
License
Licensed under the Apache License, Version 2.0.