baseid_sd_jwt/

lifecycle.rs

//! SD-JWT implementation of the unified credential lifecycle traits.
//!
//! `SdJwtLifecycle` implements `CredentialIssuer`, `CredentialVerifier`, and
//! `CredentialPresenter` for the SD-JWT format. Predicates are not supported
//! and return `UnsupportedPredicate`.

use baseid_core::claims::{ClaimSet, DisclosureSelection};
use baseid_core::error::CredentialError;
use baseid_core::lifecycle::{
    CredentialIssuer, CredentialPresenter, CredentialVerifier, IssuanceOptions, IssuedCredential,
    PresentationOptions, PresentedCredential, RevocationStatus, VerificationOutcome,
};
use baseid_core::types::CredentialFormat;
use baseid_crypto::signer::{Signer, Verifier};

use crate::issuer::SdJwtIssuer;
use crate::verifier::SdJwtVerifier;
use crate::SdJwt;

/// SD-JWT credential lifecycle implementation.
///
/// Wraps the lower-level `SdJwtIssuer` and `SdJwtVerifier` behind the
/// unified lifecycle traits. All claims in the default namespace are issued
/// as selectively-disclosable by default; plain claims (iss, iat, etc.)
/// are added automatically.
pub struct SdJwtLifecycle<'a> {
    signer: &'a dyn Signer,
    verifier: &'a dyn Verifier,
    kid: String,
}

impl<'a> SdJwtLifecycle<'a> {
    /// Create a new SD-JWT lifecycle handler.
    ///
    /// # Arguments
    /// * `signer` - Key for signing (issuance and presentation)
    /// * `verifier` - Key for verification
    /// * `kid` - Key ID for the JWT header
    pub fn new(signer: &'a dyn Signer, verifier: &'a dyn Verifier, kid: &str) -> Self {
        Self {
            signer,
            verifier,
            kid: kid.to_string(),
        }
    }
}

impl CredentialIssuer for SdJwtLifecycle<'_> {
    fn format(&self) -> CredentialFormat {
        CredentialFormat::SdJwtVc
    }

    fn issue(
        &self,
        issuer_did: &str,
        subject_did: Option<&str>,
        claims: &ClaimSet,
        options: &IssuanceOptions,
    ) -> baseid_core::Result<IssuedCredential> {
        let mut builder = SdJwtIssuer::new(self.signer, &self.kid)
            .add_plain_claim("iss", serde_json::json!(issuer_did));

        if let Some(sub) = subject_did {
            builder = builder.add_plain_claim("sub", serde_json::json!(sub));
        }

        if let Some(ref vf) = options.valid_from {
            builder = builder.add_plain_claim("iat", serde_json::json!(vf));
        }

        if let Some(ref vu) = options.valid_until {
            builder = builder.add_plain_claim("exp", serde_json::json!(vu));
        }

        if let Some(ref id) = options.credential_id {
            builder = builder.add_plain_claim("jti", serde_json::json!(id));
        }

        // Add all claims from the default namespace as selectively-disclosable
        if let Some(ns_claims) = claims.namespace("") {
            for (name, value) in ns_claims {
                builder = builder.add_sd_claim(name, value.clone());
            }
        }

        let sd_jwt = builder.build()?;
        let serialized = sd_jwt.serialize();

        Ok(IssuedCredential {
            data: serialized.into_bytes(),
            format: CredentialFormat::SdJwtVc,
            id: options.credential_id.clone(),
            issuer: issuer_did.to_string(),
            subject: subject_did.map(|s| s.to_string()),
        })
    }
}

impl CredentialVerifier for SdJwtLifecycle<'_> {
    fn format(&self) -> CredentialFormat {
        CredentialFormat::SdJwtVc
    }

    fn verify(&self, credential_data: &[u8]) -> baseid_core::Result<VerificationOutcome> {
        let compact =
            std::str::from_utf8(credential_data).map_err(|_| CredentialError::InvalidCredential)?;

        let sd_jwt = SdJwt::parse(compact)?;
        let verifier = SdJwtVerifier::new(self.verifier);
        let claims_value = verifier.verify(&sd_jwt)?;

        // Extract standard JWT claims
        let issuer = claims_value
            .get("iss")
            .and_then(|v| v.as_str())
            .unwrap_or("")
            .to_string();

        let subject = claims_value
            .get("sub")
            .and_then(|v| v.as_str())
            .map(|s| s.to_string());

        let valid_until = claims_value
            .get("exp")
            .and_then(|v| v.as_str())
            .map(|s| s.to_string());

        // Build ClaimSet from non-standard claims
        let mut claim_set = ClaimSet::new();
        if let Some(obj) = claims_value.as_object() {
            for (k, v) in obj {
                // Skip standard JWT claims
                match k.as_str() {
                    "iss" | "sub" | "iat" | "exp" | "jti" | "nbf" | "aud" => continue,
                    _ => claim_set.insert("", k, v.clone()),
                }
            }
        }

        Ok(VerificationOutcome {
            valid: true,
            format: CredentialFormat::SdJwtVc,
            issuer,
            subject,
            claims: claim_set,
            unlinkable: false,
            predicates_verified: vec![],
            valid_until,
            revocation_status: RevocationStatus::NotChecked,
        })
    }
}

impl CredentialPresenter for SdJwtLifecycle<'_> {
    fn format(&self) -> CredentialFormat {
        CredentialFormat::SdJwtVc
    }

    fn present(
        &self,
        credential_data: &[u8],
        disclosure: &DisclosureSelection,
        _options: &PresentationOptions,
    ) -> baseid_core::Result<PresentedCredential> {
        // SD-JWT does not support predicates
        if disclosure.has_predicates() {
            return Err(CredentialError::UnsupportedPredicate.into());
        }

        let compact =
            std::str::from_utf8(credential_data).map_err(|_| CredentialError::InvalidCredential)?;

        let sd_jwt = SdJwt::parse(compact)?;

        // Determine which disclosures to include based on revealed claims.
        // We need to decode each disclosure to check its claim name.
        let revealed = disclosure.revealed_claims();
        let mut selected_disclosures = Vec::new();

        for encoded_disc in &sd_jwt.disclosures {
            let disc = crate::disclosure::Disclosure::decode(encoded_disc)?;
            if let Some(ref name) = disc.claim_name {
                // Include this disclosure if the claim is revealed
                // (or if no selection was specified for it — default to include)
                let should_include =
                    revealed.contains(&name.as_str()) || disclosure.get("", name).is_none();
                if should_include {
                    selected_disclosures.push(encoded_disc.clone());
                }
            } else {
                // Array element disclosures: include by default
                selected_disclosures.push(encoded_disc.clone());
            }
        }

        let presented = SdJwt {
            jwt: sd_jwt.jwt,
            disclosures: selected_disclosures,
            key_binding_jwt: sd_jwt.key_binding_jwt,
        };

        Ok(PresentedCredential {
            data: presented.serialize().into_bytes(),
            format: CredentialFormat::SdJwtVc,
            unlinkable: false,
        })
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use baseid_core::claims::PredicateType;
    use baseid_core::types::KeyType;
    use baseid_crypto::KeyPair;
    use serde_json::json;

    fn setup() -> (KeyPair, ClaimSet) {
        let kp = KeyPair::generate(KeyType::Ed25519).unwrap();
        let mut claims = ClaimSet::new();
        claims.insert("", "given_name", json!("Alice"));
        claims.insert("", "family_name", json!("Smith"));
        claims.insert("", "birth_date", json!("1990-01-15"));
        claims.insert("", "email", json!("alice@example.com"));
        (kp, claims)
    }

    #[test]
    fn issue_and_verify() {
        let (kp, claims) = setup();
        let lifecycle = SdJwtLifecycle::new(&kp, &kp.public, "kid-1");

        let issued = lifecycle
            .issue(
                "did:key:issuer",
                Some("did:key:holder"),
                &claims,
                &IssuanceOptions::default(),
            )
            .unwrap();

        assert_eq!(issued.format, CredentialFormat::SdJwtVc);
        assert_eq!(issued.issuer, "did:key:issuer");
        assert_eq!(issued.subject, Some("did:key:holder".to_string()));

        let outcome = lifecycle.verify(&issued.data).unwrap();
        assert!(outcome.valid);
        assert_eq!(outcome.issuer, "did:key:issuer");
        assert_eq!(outcome.subject, Some("did:key:holder".to_string()));
        assert_eq!(outcome.claims.get("", "given_name"), Some(&json!("Alice")));
        assert_eq!(outcome.claims.get("", "family_name"), Some(&json!("Smith")));
        assert!(!outcome.unlinkable);
    }

    #[test]
    fn present_selective_disclosure() {
        let (kp, claims) = setup();
        let lifecycle = SdJwtLifecycle::new(&kp, &kp.public, "kid-1");

        let issued = lifecycle
            .issue(
                "did:key:issuer",
                Some("did:key:holder"),
                &claims,
                &IssuanceOptions::default(),
            )
            .unwrap();

        // Only reveal given_name and family_name, hide the rest
        let disclosure = DisclosureSelection::new()
            .reveal("given_name")
            .reveal("family_name")
            .hide("birth_date")
            .hide("email");

        let presented = lifecycle
            .present(&issued.data, &disclosure, &PresentationOptions::default())
            .unwrap();

        assert_eq!(presented.format, CredentialFormat::SdJwtVc);
        assert!(!presented.unlinkable);

        // Verify the presentation — should only have revealed claims
        let outcome = lifecycle.verify(&presented.data).unwrap();
        assert!(outcome.valid);
        assert_eq!(outcome.claims.get("", "given_name"), Some(&json!("Alice")));
        assert_eq!(outcome.claims.get("", "family_name"), Some(&json!("Smith")));
        assert_eq!(outcome.claims.get("", "birth_date"), None);
        assert_eq!(outcome.claims.get("", "email"), None);
    }

    #[test]
    fn predicate_returns_unsupported() {
        let (kp, claims) = setup();
        let lifecycle = SdJwtLifecycle::new(&kp, &kp.public, "kid-1");

        let issued = lifecycle
            .issue("did:key:issuer", None, &claims, &IssuanceOptions::default())
            .unwrap();

        let disclosure = DisclosureSelection::new()
            .reveal("given_name")
            .predicate("birth_date", PredicateType::LessThan(json!("2008-03-01")));

        let result = lifecycle.present(&issued.data, &disclosure, &PresentationOptions::default());
        assert!(result.is_err());

        let err = result.unwrap_err();
        assert!(
            format!("{err}").contains("Predicate"),
            "Error should mention predicate: {err}"
        );
    }

    #[test]
    fn issuance_with_options() {
        let (kp, claims) = setup();
        let lifecycle = SdJwtLifecycle::new(&kp, &kp.public, "kid-1");

        let opts = IssuanceOptions {
            credential_id: Some("urn:uuid:1234".to_string()),
            types: vec!["IdentityCredential".to_string()],
            valid_from: Some("2024-01-01T00:00:00Z".to_string()),
            valid_until: Some("2025-01-01T00:00:00Z".to_string()),
            status: None,
        };

        let issued = lifecycle
            .issue("did:key:issuer", Some("did:key:holder"), &claims, &opts)
            .unwrap();

        let outcome = lifecycle.verify(&issued.data).unwrap();
        assert_eq!(
            outcome.valid_until,
            Some("2025-01-01T00:00:00Z".to_string())
        );
    }
}