Class: JwtCredentialValidator
identity_wasm.JwtCredentialValidator
A type for decoding and validating Credential.
Table of contents
Constructors
Methods
- validate
- verifySignature
- checkExpiresOnOrAfter
- checkIssuedOnOrBefore
- checkSubjectHolderRelationship
- checkStatus
- checkStatusWithStatusList2021
- extractIssuer
- extractIssuerFromJwt
Constructors
constructor
• new JwtCredentialValidator(signatureVerifier?)
Creates a new JwtCredentialValidator. If a signatureVerifier is provided it will be used when
verifying decoded JWS signatures, otherwise a default verifier capable of handling the EdDSA, ES256, ES256K
algorithms will be used.
Parameters
| Name | Type |
|---|---|
| signatureVerifier? | null \| IJwsVerifier |
Methods
validate
▸ validate(credential_jwt, issuer, options, fail_fast): DecodedJwtCredential
Decodes and validates a Credential issued as a JWS. A DecodedJwtCredential is returned upon success.
The following properties are validated according to options:
- the issuer's signature on the JWS,
- the expiration date,
- the issuance date,
- the semantic structure.
Warning
The lack of an error returned from this method is in and of itself not enough to conclude that the credential can be trusted. This section contains more information on additional checks that should be carried out before and after calling this method.
The state of the issuer's DID Document
The caller must ensure that issuer represents an up-to-date DID Document.
Properties that are not validated
There are many properties defined in The Verifiable Credentials Data Model that are not validated, such as:
proof, credentialStatus, type, credentialSchema, refreshService and more.
These should be manually checked after validation, according to your requirements.
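One way to organize those manual checks, as an added example that is not part of the library or of the original page. It assumes the credential is available as a plain JSON object after `validate` has succeeded; the function name, the policy fields and the sample credentials are hypothetical and constructed for illustration.

```javascript
// Added example: checks for properties that validate() leaves unchecked.
// `vc` is the credential as a plain JSON object, taken from the decoded result
// after validate() succeeded (assumption). All names here are hypothetical.
const asArray = (v) => (v == null ? [] : Array.isArray(v) ? v : [v]);

function checkUnvalidatedProperties(vc, policy) {
  const errors = [];
  // type: the base type plus every type this verifier requires.
  const types = asArray(vc.type);
  for (const t of ["VerifiableCredential", ...policy.requiredTypes]) {
    if (!types.includes(t)) errors.push(`missing type: ${t}`);
  }

  // credentialSchema: when schemas are pinned, every entry must be pinned.
  if (policy.allowedSchemaIds.length > 0) {
    const schemas = asArray(vc.credentialSchema);
    if (schemas.length === 0) errors.push("credentialSchema absent");
    for (const s of schemas) {
      if (!policy.allowedSchemaIds.includes(s.id)) errors.push(`unexpected schema: ${s.id}`);
    }
  }

  // credentialStatus: is an entry mandatory, and can this verifier check its type?
  const status = vc.credentialStatus;
  if (!status) {
    if (policy.requireStatus) errors.push("credentialStatus absent");
  } else if (!policy.supportedStatusTypes.includes(status.type)) {
    errors.push(`unsupported status type: ${status.type}`);
  }

  // proof: the JWS check does not cover an embedded proof, so flag it.
  if (vc.proof !== undefined && !policy.allowUnverifiedProof) {
    errors.push("embedded proof present but not verified");
  }
  return errors;
}

// Constructed sample policy and credentials (not real data).
const samplePolicy = {
  requiredTypes: ["UniversityDegreeCredential"], allowedSchemaIds: [],
  requireStatus: true, allowUnverifiedProof: false,
  supportedStatusTypes: ["RevocationBitmap2022", "StatusList2021Entry"],
};
const goodVc = {
  type: ["VerifiableCredential", "UniversityDegreeCredential"],
  credentialStatus: { id: "did:example:issuer#revocation", type: "RevocationBitmap2022" },
};
const badVc = { type: "VerifiableCredential", proof: { type: "ExampleProof" } };
console.log(checkUnvalidatedProperties(badVc, samplePolicy));
```

An empty result only means the policy checks passed; a present `credentialStatus` still has to be resolved with `checkStatus` or `checkStatusWithStatusList2021`.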
Errors
An error is returned whenever a validated condition is not satisfied.
Parameters
| Name | Type |
|---|---|
| credential_jwt | Jwt |
| issuer | IToCoreDocument \| CoreDocument |
| options | JwtCredentialValidationOptions |
| fail_fast | FailFast |
Returns
DecodedJwtCredential
verifySignature
▸ verifySignature(credential, trustedIssuers, options): DecodedJwtCredential
Decode and verify the JWS signature of a Credential issued as a JWT using the DID Document of a trusted issuer.
A DecodedJwtCredential is returned upon success.
Warning
The caller must ensure that the DID Documents of the trusted issuers are up-to-date.
Proofs
Only the JWS signature is verified. If the Credential contains a proof property this will not be
verified by this method.
Errors
This method immediately returns an error if the credential issuer's URL cannot be parsed to a DID belonging to one of the trusted issuers. Otherwise an attempt to verify the credential's signature will be made and an error is returned upon failure.
Parameters
| Name | Type |
|---|---|
| credential | Jwt |
| trustedIssuers | (IToCoreDocument \| CoreDocument)[] |
| options | JwsVerificationOptions |
Returns
DecodedJwtCredential
checkExpiresOnOrAfter
▸ Static checkExpiresOnOrAfter(credential, timestamp): void
Validate that the credential expires on or after the specified timestamp.
Parameters
| Name | Type |
|---|---|
| credential | Credential |
| timestamp | Timestamp |
Returns
void
checkIssuedOnOrBefore
▸ Static checkIssuedOnOrBefore(credential, timestamp): void
Validate that the credential is issued on or before the specified timestamp.
Parameters
| Name | Type |
|---|---|
| credential | Credential |
| timestamp | Timestamp |
Returns
void
checkSubjectHolderRelationship
▸ Static checkSubjectHolderRelationship(credential, holder, relationship): void
Validate that the relationship between the holder and the credential subjects is in accordance with
relationship. The holder parameter is expected to be the URL of the holder.
Parameters
| Name | Type |
|---|---|
| credential | Credential |
| holder | string |
| relationship | SubjectHolderRelationship |
Returns
void
checkStatus
▸ Static checkStatus(credential, trustedIssuers, statusCheck): void
Checks whether the credential status has been revoked.
Only supports RevocationBitmap2022.
Parameters
| Name | Type |
|---|---|
| credential | Credential |
| trustedIssuers | (IToCoreDocument \| CoreDocument)[] |
| statusCheck | StatusCheck |
Returns
void
checkStatusWithStatusList2021
▸ Static checkStatusWithStatusList2021(credential, status_list, status_check): void
Checks whether the credential status has been revoked using StatusList2021.
Parameters
| Name | Type |
|---|---|
| credential | Credential |
| status_list | StatusList2021Credential |
| status_check | StatusCheck |
Returns
void
extractIssuer
▸ Static extractIssuer(credential): CoreDID
Utility for extracting the issuer field of a Credential as a DID.
Errors
Fails if the issuer field is not a valid DID.
Parameters
| Name | Type |
|---|---|
| credential | Credential |
Returns
CoreDID
extractIssuerFromJwt
▸ Static extractIssuerFromJwt(credential): CoreDID
Utility for extracting the issuer field of a credential in JWT representation as a DID.
Errors
Fails if the JWT decoding fails or the issuer field is not a valid DID.
Parameters
| Name | Type |
|---|---|
| credential | Jwt |