feat: add experimental vcld implementation #317
Signed-off-by: Lukas.J.Han <lukas.j.han@gmail.com>
Pull Request Overview
This PR introduces an experimental implementation of SD-JWT VCLD (Verifiable Credentials with JSON-LD), which extends IETF SD-JWT VC to incorporate Linked Data models while enabling selective disclosure capabilities.
- Implements a complete SD-JWT VCLD library including signing, verification, presentation, and decoding functionality
- Provides support for multiple cryptographic algorithms (RSA, ECDSA, EdDSA) with proper signature verification
- Includes comprehensive test coverage for the signing and decoding operations
Reviewed Changes
Copilot reviewed 11 out of 12 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| packages/vcld/package.json | Package configuration with dependencies and build scripts |
| packages/vcld/README.md | Documentation and installation instructions |
| packages/vcld/tsconfig.json | TypeScript configuration extending project defaults |
| packages/vcld/vitest.config.mts | Test configuration setup |
| packages/vcld/src/index.ts | Main entry point exporting the VCld API with detailed specification comments |
| packages/vcld/src/type.ts | Algorithm definitions and type declarations for supported cryptographic algorithms |
| packages/vcld/src/sign.ts | Core signing functionality with Signer class and JWT creation logic |
| packages/vcld/src/verify.ts | JWT verification implementation with x5c certificate chain validation |
| packages/vcld/src/present.ts | Presentation functionality for selective disclosure |
| packages/vcld/src/test/index.spec.ts | Basic test placeholder |
| packages/vcld/src/test/sign.spec.ts | Comprehensive tests for signing and decoding functionality |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
| @@ -0,0 +1,4 @@ | |||
| // vite.config.ts | |||
The comment refers to 'vite.config.ts' but the file is named 'vitest.config.mts'. This should be corrected to match the actual filename.
| // vite.config.ts | |
| // vitest.config.mts |
| createEdDSASignature( | ||
| signingInput: string, | ||
| privateKey: KeyObject, | ||
| options: { curves: string[] }, | ||
| ) { | ||
| const signer = createSign(options.curves[0]); | ||
| signer.update(signingInput); | ||
| const signature = signer.sign({ | ||
| key: privateKey, | ||
| }); | ||
| return signature.toString('base64url'); | ||
| }, |
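Review bot: `options.curves[0]` in `createEdDSASignature` is read without checking that `curves` is non-empty, and nothing checks that `privateKey` is an Ed25519 or Ed448 key before it is used to sign. Validate `privateKey.asymmetricKeyType` at the top of the function and drop the `curves` lookup, since the key itself determines the EdDSA variant.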
The EdDSA signature creation incorrectly uses options.curves[0] as the hash algorithm in createSign(). For EdDSA, the algorithm should be 'ed25519' or 'ed448' directly, not used as a hash. EdDSA doesn't use a separate hash algorithm parameter.
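The point made in the comment above, as an added example that is not part of the PR or the project's code: Node's one-shot `crypto.sign` and `crypto.verify` take `null` as the algorithm for Ed25519/Ed448 keys, so no hash name is passed. The names `signEdDSA`, `verifyEdDSA` and `demo` are hypothetical, and the keys and signing input are constructed for the demonstration.

```javascript
// Added example, not code from the PR. Function names are hypothetical.
const { generateKeyPairSync, sign, verify } = require('node:crypto');

const EDDSA_KEY_TYPES = new Set(['ed25519', 'ed448']);

// EdDSA hashes internally, so Node's one-shot sign() takes null as the
// algorithm and derives the scheme from the key itself.
function signEdDSA(signingInput, privateKey) {
  if (!EDDSA_KEY_TYPES.has(privateKey.asymmetricKeyType)) {
    throw new TypeError(`not an EdDSA key: ${privateKey.asymmetricKeyType}`);
  }
  return sign(null, Buffer.from(signingInput, 'utf8'), privateKey)
    .toString('base64url');
}

// Returns false only for a signature that does not verify; a wrong key
// type or a non-base64url signature is thrown so callers can tell them apart.
function verifyEdDSA(signingInput, signatureB64url, publicKey) {
  if (!EDDSA_KEY_TYPES.has(publicKey.asymmetricKeyType)) {
    throw new TypeError(`not an EdDSA key: ${publicKey.asymmetricKeyType}`);
  }
  if (!/^[A-Za-z0-9_-]+$/.test(signatureB64url)) {
    throw new TypeError('signature is not base64url');
  }
  return verify(null, Buffer.from(signingInput, 'utf8'), publicKey,
    Buffer.from(signatureB64url, 'base64url'));
}

// Constructed sample: throwaway keys and a dummy JWS signing input.
function demo() {
  const ed = generateKeyPairSync('ed25519');
  const ec = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const input = 'eyJhbGciOiJFZERTQSJ9.eyJzdWIiOiJkZW1vIn0';
  const sig = signEdDSA(input, ed.privateKey);
  let rejectedEcKey = false;
  try { signEdDSA(input, ec.privateKey); } catch { rejectedEcKey = true; }
  return {
    sigBytes: Buffer.from(sig, 'base64url').length,
    valid: verifyEdDSA(input, sig, ed.publicKey),
    tampered: verifyEdDSA(input + 'x', sig, ed.publicKey),
    rejectedEcKey,
  };
}

console.log(demo());
```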
| ): boolean { | ||
| try { | ||
| if (!x5c || x5c.length === 0) { | ||
| console.error('x5c certificate chain is missing'); |
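Review bot: in the `!x5c || x5c.length === 0` branch, a missing certificate chain is an input error, but the function's `boolean` return type gives the caller only true or false, so it cannot be told apart from a signature that failed to verify. Consider throwing a typed error for the missing-chain case and reserving `false` for a signature mismatch.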
Using console.error for error logging in a library is not recommended. Consider using a proper logging framework or throwing an error that can be handled by the consuming application.
@lukasjhan I agree with copilot here, console output should be avoided
||
| return verifier.verify(publicKey, signatureUint8Array); | ||
| } catch (error) { | ||
| console.error('JWT verification error:', error); |
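Review bot: the `catch (error)` here catches every exception thrown in the `try`, the call to `verifier.verify(publicKey, signatureUint8Array)` included, and the visible handling is a single console line, so a malformed key or signature encoding is reported the same way as any other failure. Catch only the errors expected from parsing the inputs and let unexpected ones propagate to the caller.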
Using console.error for error logging in a library is not recommended. Consider using a proper logging framework or throwing an error that can be handled by the consuming application.
@lukasjhan do you know if there is still a need for the vcld package? I haven't checked the spec if it is still aligned. But in general it would be fine for me to add it to this repo when the spec is stable about it.