Integrate the SD-JWT

[lukasjhan]

Hi I'm currently developing sd-jwt typescript library in Open Wallet Foundation with @cre8. I want to continuously contribute to Veramo by working on sd-jwt-related integration.

Related Issue: #1276

This is my first time contributing to Veramo. If there is anything you would like to change, please let me know. I'm open to any changes :)

What issue is this PR fixing

Example:
closes #123
fixes #456

Linking to an issue provides some context and a reason for the PR to be reviewed, as well as simplifying the release
notes and changelogs that get generated automatically. If an issue is linked like this it will be automatically closed
when the PR is merged.

What is being changed

Add SD-JWT features in Veramo

Quality

Check all that apply:

• I want these changes to be integrated
• I successfully ran pnpm i, pnpm build, pnpm test, pnpm test:browser locally.
• I allow my PR to be updated by the reviewers (to speed up the review process).
• I added unit tests.
• I added integration tests.
• I did not add automated tests because I had difficulty setting up the test agent, and I am aware that a PR without tests will likely get rejected.

Details

sd-jwt package has 4 main features

• create sd-jwt-vc
• create sd-jwt-vc presentation
• verify sd-jwt-vc
• verify sd-jwt-vc presentation

About Testing

This is the sample of tests, but

I failed setup the agent in test file in this way

const context = {
  agent: {
    execute: jest.fn(),
    availableMethods: jest.fn(),
    getSchema: jest.fn(),
    emit: jest.fn(),
  },
} as IAgentContext<any>

If there is a guide on how to set up this context, please let me know and I will add it.

Or, this is the original test file in cre8's repo. https://github.com/cre8/sd-jwt-veramo/blob/main/src/agent-plugin/sd-jwt-plugin.spec.ts
If it's okay to add it like this, then I'll add it like this.

Please take a look and let me know about the test.
Thank you.

[cre8]

At this point I don't feel well opening the PR to the veramo repo yet. Linting is based on biome and not prettier, testing on vitest and not jest.

[lukasjhan]

At this point I don't feel well opening the PR to the veramo repo yet. Linting is based on biome and not prettier, testing on vitest and not jest.

Okay, I'll make it draft and keep working on here. :)

[lukasjhan]

@cre8 I added test and fixed the schema generation :)

[nickreynolds]

mostly very good! thanks again for this!

in addition to the other comments, could you add a test inside the test-react-app package that exercises this functionality?

[nickreynolds]

this function should work even if just an issuer DID is provided and then it can check for managed keys for the DID and see if any appropriate ones can be used. of course, a specific key can also be specified

[lukasjhan]

I removed the constraint

[nickreynolds]

feel free to change author/contributors to yourself

[nickreynolds]

these first 2 dependencies imported in this file could present problems. I know this is only a test, but we try to only use dependencies that work across all supported platforms. Is it not possible to use one of the other crypto libraries already used elsewhere for this?

[lukasjhan]

I think we can, It's just the verify function

[lukasjhan]

Have you ever written a verify function that is platform-independent? I tried to use the @noble package, but it doesn’t work.

[nickreynolds]

do all of these sd-jwt packages support browser and react native (except for crypto-nodejs)?

[lukasjhan]

I'll check on them and let you know :)

[lukasjhan]

Yeah, It works regardless of platform except crypto-nodejs

[lukasjhan]

Good I'll definitely add this module test-react-app :)
I'll do it after I resolved all comments.

[vadimchilinciuc]

Hi @lukasjhan and @cre8 :) maybe this is not the thread but i want to try to ask you a question maybe you can help me .
To bee compliant in the European (EUDI) the format is SD-JWT with OpenID4VC ;
do you think at this moment its possible realize something with OpenID4VC?
Cause i see something like https://github.com/IDunion/OpenIDIDComm
but they dont support SD-JWT ? :( (under the hood they use sphereon sdk but they dont support SD_JWT) )did you guys use with OpenID4VC or without it .
Thanks a lot for your reply .

[cre8]

Hi @lukasjhan and @cre8 :) maybe this is not the thread but i want to try to ask you a question maybe you can help me .
To bee compliant in the European (EUDI) the format is SD-JWT with OpenID4VC ;
do you think at this moment its possible realize something with OpenID4VC?
Cause i see something like https://github.com/IDunion/OpenIDIDComm
but they dont support SD-JWT ? :( did you guys use with OpenID4VC or without it , thanks a lot for your reply in case i'll cancel my comment .

Yes, it's possible, I implemented it here:
https://github.com/openwallet-foundation-labs/credhub
This project comes without using verano, but it should be possible with the verano plugin for oid4vci by sphereon

[nklomp]

Also be aware that sd-jwt is supported by our lower level libraries, including our credential mappers. If you include the sd-jwt veramo plugin into the idunion didcomm project using our SDK it should work including presentation exchange etc

[vadimchilinciuc]

Also be aware that sd-jwt is supported by our lower level libraries, including our credential mappers. If you include the sd-jwt veramo plugin into the idunion didcomm project using our SDK it should work including presentation exchange etc

Thanks a lot @nklomp : I think the problem will bee that the IDunion Project use the @sphereon/ssi-sdk.oid4vci-issuer package,tha is a Veramo Plugin

// Creating a creadential we have this snippet :

        const response = await agent.oid4vciIssueCredential({
            credential: credential,
            credentialIssuer: this.store_id,
            credentialRequest: {
                format: 'jwt_vc_json', **_// allowing formats are those types = 'jwt_vc_json' | 'jwt_vc_json-ld' | 'ldp_vc';_**
                proof: request.proof,
                types: request.types
            }
        })

i think i will get some kind of error passing a sd-jwt type;
cause the allowing formats are only those types = 'jwt_vc_json' | 'jwt_vc_json-ld' | 'ldp_vc'; ?
Thanks a lot for reply

[nklomp]

Since that is using our low-level libs, which have sd-jwt support it should work at that point. Having said that, we are actually integrating sd-jwt into our SDKs, wallets and agents as we speak. So we should have this working probably next week.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[nickreynolds]

@lukasjhan I'm just wondering if there's been any progress on this recently? Is there anything in particular keeping us from moving forward? I know it will need to be refactored to support the new credential-w3c architecture, but that shouldn't be difficult.

[cre8]

@lukasjhan I'm just wondering if there's been any progress on this recently? Is there anything in particular keeping us from moving forward? I know it will need to be refactored to support the new credential-w3c architecture, but that shouldn't be difficult.

Sphereon has published an SD jwt package in the meantime: https://github.com/Sphereon-Opensource/SSI-SDK/tree/develop/packages%2Fsd-jwt

I haven't tested it yet, but when it works it makes no sense to continue the work on a second package from my point of view.

[nklomp]

Please be aware that our one, especially in a feature branch depends on very specific modules from our SDK. We have modules for uniform identifier/key resolution, x.509 support, jwt/jws signatures that the sd-jwt module depends on.

[nklomp]

All of that to say, that our module is more versatile as it does not have some of the errors and assumptions in this plugin (encountering a jwk, doesn't mean a did:jwk perse of course). At the same time since our sdk can work with regular jwks, x5cs etc next to DIDs and since we have our own jose signature service, our plugin depends on multiple of our other modules. So you cannot simply include our module as a single dep into a vanilla Veramo environment

[lukasjhan]

Hi @nickreynolds, sry I've been busy for this summer.

I think I can do test-react-app job this weekends.
Could you please explain in more detail about the new credential-w3c architecture

[nickreynolds]

@lukasjhan great to hear that you can pick this back up!

The best way to understand the new architecture is probably to review this PR: #1395

Basically, credential plugins now implement a new shared interface and each of these is passed as a provider to credential-w3c. Looking at credential-jwt, credential-eip712 and credential-ld should give you examples of how credential providers are now written. I don't think it's too complex, but I can try to provide more info soon (was planning on writing a short blog post explaining this anyways, before we release veramo v7)

[lukasjhan]

Sry for delay. I'll finish this pr by ends of this year.