baseid_vc/

lifecycle.rs

//! W3C VC JWT implementation of the unified credential lifecycle traits.
//!
//! `VcJwtLifecycle` implements `CredentialIssuer`, `CredentialVerifier`, and
//! `CredentialPresenter` for the W3C VC 2.0 JWT format. Predicates are not
//! supported and return `UnsupportedPredicate`. Selective disclosure is not
//! natively supported by JWT-VC — `Reveal` includes all claims, `Hide` is
//! a no-op (the full JWT is always included in the presentation).

use baseid_core::claims::{ClaimSet, DisclosureSelection};
use baseid_core::error::CredentialError;
use baseid_core::lifecycle::{
    CredentialIssuer, CredentialPresenter, CredentialVerifier, IssuanceOptions, IssuedCredential,
    PresentationOptions, PresentedCredential, RevocationStatus, VerificationOutcome,
};
use baseid_core::types::CredentialFormat;
use baseid_crypto::signer::{Signer, Verifier};

use crate::credential::{Issuer, VerifiableCredential};
use crate::presentation::VerifiablePresentation;
use crate::signing;

/// W3C VC JWT credential lifecycle implementation.
///
/// Issues, verifies, and presents W3C Verifiable Credentials as JWTs.
/// JWT-VC does not support selective disclosure — the full credential is
/// always included. For selective disclosure, use SD-JWT or BBS+.
pub struct VcJwtLifecycle<'a> {
    signer: &'a dyn Signer,
    verifier: &'a dyn Verifier,
    kid: String,
}

impl<'a> VcJwtLifecycle<'a> {
    /// Create a new VC-JWT lifecycle handler.
    pub fn new(signer: &'a dyn Signer, verifier: &'a dyn Verifier, kid: &str) -> Self {
        Self {
            signer,
            verifier,
            kid: kid.to_string(),
        }
    }
}

impl CredentialIssuer for VcJwtLifecycle<'_> {
    fn format(&self) -> CredentialFormat {
        CredentialFormat::W3cVc
    }

    fn issue(
        &self,
        issuer_did: &str,
        subject_did: Option<&str>,
        claims: &ClaimSet,
        options: &IssuanceOptions,
    ) -> baseid_core::Result<IssuedCredential> {
        // Build credential subject from claims
        let mut subject = serde_json::Map::new();
        if let Some(sub) = subject_did {
            subject.insert("id".to_string(), serde_json::json!(sub));
        }
        if let Some(ns_claims) = claims.namespace("") {
            for (name, value) in ns_claims {
                subject.insert(name.clone(), value.clone());
            }
        }

        let mut types = vec!["VerifiableCredential".to_string()];
        types.extend(options.types.iter().cloned());

        let vc = VerifiableCredential {
            context: vec!["https://www.w3.org/ns/credentials/v2".to_string()],
            id: options.credential_id.clone(),
            r#type: types,
            issuer: Issuer::Uri(issuer_did.to_string()),
            valid_from: options.valid_from.clone(),
            valid_until: options.valid_until.clone(),
            credential_subject: serde_json::Value::Object(subject),
            credential_status: options.status.clone(),
            proof: None,
        };

        let jwt = signing::sign_credential_jwt(&vc, self.signer, &self.kid)?;

        Ok(IssuedCredential {
            data: jwt.into_bytes(),
            format: CredentialFormat::W3cVc,
            id: options.credential_id.clone(),
            issuer: issuer_did.to_string(),
            subject: subject_did.map(|s| s.to_string()),
        })
    }
}

impl CredentialVerifier for VcJwtLifecycle<'_> {
    fn format(&self) -> CredentialFormat {
        CredentialFormat::W3cVc
    }

    fn verify(&self, credential_data: &[u8]) -> baseid_core::Result<VerificationOutcome> {
        let jwt_str =
            std::str::from_utf8(credential_data).map_err(|_| CredentialError::InvalidCredential)?;

        let vc = signing::verify_credential_jwt(jwt_str, self.verifier)?;

        let issuer = match &vc.issuer {
            Issuer::Uri(uri) => uri.clone(),
            Issuer::Object { id, .. } => id.clone(),
        };

        let subject = vc
            .credential_subject
            .get("id")
            .and_then(|v| v.as_str())
            .map(|s| s.to_string());

        // Build ClaimSet from credential subject (excluding "id")
        let mut claim_set = ClaimSet::new();
        if let Some(obj) = vc.credential_subject.as_object() {
            for (k, v) in obj {
                if k != "id" {
                    claim_set.insert("", k, v.clone());
                }
            }
        }

        Ok(VerificationOutcome {
            valid: true,
            format: CredentialFormat::W3cVc,
            issuer,
            subject,
            claims: claim_set,
            unlinkable: false,
            predicates_verified: vec![],
            valid_until: vc.valid_until,
            revocation_status: RevocationStatus::NotChecked,
        })
    }
}

impl CredentialPresenter for VcJwtLifecycle<'_> {
    fn format(&self) -> CredentialFormat {
        CredentialFormat::W3cVc
    }

    fn present(
        &self,
        credential_data: &[u8],
        disclosure: &DisclosureSelection,
        options: &PresentationOptions,
    ) -> baseid_core::Result<PresentedCredential> {
        // JWT-VC does not support predicates
        if disclosure.has_predicates() {
            return Err(CredentialError::UnsupportedPredicate.into());
        }

        let jwt_str =
            std::str::from_utf8(credential_data).map_err(|_| CredentialError::InvalidCredential)?;

        // JWT-VC doesn't support selective disclosure — the full credential
        // JWT is wrapped in a Verifiable Presentation JWT.
        let vc = signing::verify_credential_jwt(jwt_str, self.verifier)?;

        let vp = VerifiablePresentation {
            context: vec!["https://www.w3.org/ns/credentials/v2".to_string()],
            r#type: vec!["VerifiablePresentation".to_string()],
            verifiable_credential: vec![vc],
            holder: options.holder_did.clone(),
            proof: None,
        };

        let nonce = options.nonce.as_deref().unwrap_or("default-nonce");
        let audience = options.audience.as_deref().unwrap_or("");

        let vp_jwt = signing::sign_presentation_jwt(&vp, self.signer, &self.kid, nonce, audience)?;

        Ok(PresentedCredential {
            data: vp_jwt.into_bytes(),
            format: CredentialFormat::W3cVc,
            unlinkable: false,
        })
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use baseid_core::claims::PredicateType;
    use baseid_core::types::KeyType;
    use baseid_crypto::KeyPair;
    use serde_json::json;

    fn setup() -> (KeyPair, ClaimSet) {
        let kp = KeyPair::generate(KeyType::Ed25519).unwrap();
        let mut claims = ClaimSet::new();
        claims.insert("", "given_name", json!("Alice"));
        claims.insert("", "family_name", json!("Smith"));
        claims.insert("", "birth_date", json!("1990-01-15"));
        (kp, claims)
    }

    #[test]
    fn issue_and_verify() {
        let (kp, claims) = setup();
        let lifecycle = VcJwtLifecycle::new(&kp, &kp.public, "did:key:issuer#key-0");

        let opts = IssuanceOptions {
            types: vec!["IdentityCredential".to_string()],
            ..Default::default()
        };

        let issued = lifecycle
            .issue("did:key:issuer", Some("did:key:holder"), &claims, &opts)
            .unwrap();

        assert_eq!(issued.format, CredentialFormat::W3cVc);
        assert_eq!(issued.issuer, "did:key:issuer");

        let outcome = lifecycle.verify(&issued.data).unwrap();
        assert!(outcome.valid);
        assert_eq!(outcome.issuer, "did:key:issuer");
        assert_eq!(outcome.subject, Some("did:key:holder".to_string()));
        assert_eq!(outcome.claims.get("", "given_name"), Some(&json!("Alice")));
        assert_eq!(outcome.claims.get("", "family_name"), Some(&json!("Smith")));
        assert!(!outcome.unlinkable);
    }

    #[test]
    fn present_creates_vp() {
        let (kp, claims) = setup();
        let lifecycle = VcJwtLifecycle::new(&kp, &kp.public, "did:key:issuer#key-0");

        let issued = lifecycle
            .issue(
                "did:key:issuer",
                Some("did:key:holder"),
                &claims,
                &IssuanceOptions::default(),
            )
            .unwrap();

        let disclosure = DisclosureSelection::new()
            .reveal("given_name")
            .reveal("family_name");

        let opts = PresentationOptions {
            nonce: Some("nonce-123".to_string()),
            audience: Some("did:key:verifier".to_string()),
            holder_did: Some("did:key:holder".to_string()),
        };

        let presented = lifecycle.present(&issued.data, &disclosure, &opts).unwrap();
        assert_eq!(presented.format, CredentialFormat::W3cVc);
        assert!(!presented.unlinkable);

        // The presentation is a VP-JWT — verify it decodes
        let vp_jwt = std::str::from_utf8(&presented.data).unwrap();
        let vp = signing::verify_presentation_jwt(
            vp_jwt,
            &kp.public,
            Some("nonce-123"),
            Some("did:key:verifier"),
        )
        .unwrap();
        assert_eq!(vp.holder, Some("did:key:holder".to_string()));
        assert_eq!(vp.verifiable_credential.len(), 1);
    }

    #[test]
    fn predicate_returns_unsupported() {
        let (kp, claims) = setup();
        let lifecycle = VcJwtLifecycle::new(&kp, &kp.public, "did:key:issuer#key-0");

        let issued = lifecycle
            .issue("did:key:issuer", None, &claims, &IssuanceOptions::default())
            .unwrap();

        let disclosure = DisclosureSelection::new()
            .reveal("given_name")
            .predicate("birth_date", PredicateType::LessThan(json!("2008-03-01")));

        let result = lifecycle.present(&issued.data, &disclosure, &PresentationOptions::default());
        assert!(result.is_err());

        let err = result.unwrap_err();
        assert!(
            format!("{err}").contains("Predicate"),
            "Error should mention predicate: {err}"
        );
    }

    #[test]
    fn format_method() {
        let kp = KeyPair::generate(KeyType::Ed25519).unwrap();
        let lifecycle = VcJwtLifecycle::new(&kp, &kp.public, "kid");

        assert_eq!(
            <VcJwtLifecycle as CredentialIssuer>::format(&lifecycle),
            CredentialFormat::W3cVc
        );
        assert_eq!(
            <VcJwtLifecycle as CredentialVerifier>::format(&lifecycle),
            CredentialFormat::W3cVc
        );
        assert_eq!(
            <VcJwtLifecycle as CredentialPresenter>::format(&lifecycle),
            CredentialFormat::W3cVc
        );
    }

    #[test]
    fn issuance_with_options() {
        let (kp, claims) = setup();
        let lifecycle = VcJwtLifecycle::new(&kp, &kp.public, "kid");

        let opts = IssuanceOptions {
            credential_id: Some("urn:uuid:1234".to_string()),
            types: vec!["PersonCredential".to_string()],
            valid_from: Some("2024-01-01T00:00:00Z".to_string()),
            valid_until: Some("2030-01-01T00:00:00Z".to_string()),
            status: None,
        };

        let issued = lifecycle
            .issue("did:key:issuer", Some("did:key:holder"), &claims, &opts)
            .unwrap();

        let outcome = lifecycle.verify(&issued.data).unwrap();
        assert_eq!(
            outcome.valid_until,
            Some("2030-01-01T00:00:00Z".to_string())
        );
    }
}