feat: Examples / Implementations for key request
Section 3.5 lists 3 options to receive the key of an issuer:
- JWT VC Issuer Metadata
- X.509 Certificates
- DID Document resolution
Right now the library defines "bring your own crypto", meaning the user has to implement the `getVerifier(publicKeyJWK: object): Promise<(data: string, signatureBase64url: string) => Promise<boolean>>;` by himself. The data field includes the encoded header and payload field, therefore all three options can be implemented.
@lukasjhan do you think it makes sense? We cannot implement resolving all DID elements, but we could give some examples for this.
Yeah we could give them examples or implementations.
We already provide an implementation for crypto. An example is the ES256 algorithm available in nodejs and browser. And also we plan to support the React Native env.
I think it's better to provide a simple implementation in our package.
I think we can make them by platform (nodejs, web etc.) or we can pass the signer or verifier as a param. Which way do you prefer? @cre8
Maybe it's enough to mention it in a readme, since the demanded implementation can be different: some are fine with the universal resolver, others want to resolve it locally. So we tell them how to implement it to give some hints.
Okay, I'll write a brief explanation in the docs. Then let's talk about it more with the PR.
Hi. I was also looking for the JWT VC Issuer Metadata functionality.
Just as a side note, I looked at this implementation https://github.com/cre8/credhub/blob/72d1cf974af085fbecdd7537e5053e7de287ce86/apps/verifier-backend/src/app/resolver/resolver.service.ts#L60 and it seems that the vc-issuer-metadata is not taking into account the case where iss has a path.
From the docs:
> The following is a non-normative example of a HTTP request for the JWT VC Issuer Metadata configuration when iss is set to https://example.com/tenant/1234

```
GET /.well-known/jwt-vc-issuer/tenant/1234 HTTP/1.1
Host: example.com
```
Hi @fabrii,
this library will not auto resolve the public key, it has to be implemented by the getVerifier like:
```ts
import { ES256, digest, generateSalt } from '@sd-jwt/crypto-nodejs';

export { digest, generateSalt, ES256 };

// Generates a fresh ES256 key pair and returns a matching signer and verifier.
export const createSignerVerifier = async () => {
  const { privateKey, publicKey } = await ES256.generateKeyPair();
  return {
    signer: await ES256.getSigner(privateKey),
    verifier: await ES256.getVerifier(publicKey),
  };
};
```
It can be implemented as in the reference you shared, so if you think it should be added as a helper, feel free to open a pull request.
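
The path-aware lookup discussed in this thread, as an added example that is not part of the thread and is not code from the library or from credhub: it builds the well-known URL for an `iss` that may carry a path and selects the key to hand to `getVerifier`. The function names, the injected `fetchJson` helper, the metadata shape (`issuer`, `jwks.keys`), and the https-only, no-query and issuer-equality checks are assumptions that the thread itself does not state.

```javascript
// Added example: not code from the sd-jwt library or from credhub.
const WELL_KNOWN = '/.well-known/jwt-vc-issuer';

// Build the metadata URL by inserting the well-known segment between the
// host and the path of `iss`, so a tenant path is preserved.
function issuerMetadataUrl(iss) {
  const u = new URL(iss); // throws on malformed input
  if (u.protocol !== 'https:') throw new Error('iss must be an https URL');
  if (u.search || u.hash || u.username || u.password) {
    throw new Error('iss must not carry query, fragment or credentials');
  }
  // Assumption: a single trailing "/" is dropped, which also maps a bare
  // origin (pathname "/") to no path at all.
  const path = u.pathname.replace(/\/$/, '');
  return `${u.origin}${WELL_KNOWN}${path}`;
}

// Pick the verification key from a fetched metadata document.
// Assumed shape: { issuer: string, jwks: { keys: JWK[] } }.
function selectIssuerKey(iss, kid, metadata) {
  // The document must name exactly the issuer we asked about; otherwise one
  // tenant's metadata could supply keys for another tenant's credentials.
  if (!metadata || metadata.issuer !== iss) {
    throw new Error('metadata issuer does not match iss');
  }
  const keys = metadata.jwks?.keys ?? [];
  const matches = keys.filter((k) => k.kid === kid);
  if (matches.length !== 1) {
    throw new Error(`expected exactly one key with kid "${kid}"`);
  }
  return matches[0];
}

// fetchJson is injected (hypothetical helper) so the caller controls
// timeouts, redirects and caching; no network call happens in this file.
async function resolveIssuerKey(iss, kid, fetchJson) {
  const metadata = await fetchJson(issuerMetadataUrl(iss));
  return selectIssuerKey(iss, kid, metadata);
}

// Constructed sample metadata (not real key material).
const sampleMetadata = {
  issuer: 'https://example.com/tenant/1234',
  jwks: { keys: [{ kid: 'key-1', kty: 'EC', crv: 'P-256' }] },
};
```

The JWK returned by `resolveIssuerKey` is the value a caller would pass on to its own verifier, for instance `ES256.getVerifier` from the snippet above.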