| Safe Haskell | None |
|---|---|
| Language | Haskell2010 |
SDJWT.Verifier
Description
Convenience module for SD-JWT verifiers.
This module provides everything needed to verify SD-JWT presentations and extract claims. It exports a focused API for the verifier role, excluding modules that verifiers don't need (like Issuance and Presentation).
Usage
For verifiers, import this module:
import SDJWT.Verifier
This gives you access to:
- Core data types (HashAlgorithm, SDJWTPresentation, ProcessedSDJWTPayload, etc.)
- Serialization functions (deserializePresentation)
- Verification functions (verifySDJWT)
Verifying SD-JWTs
The main function for verifying SD-JWT presentations is verifySDJWT:
-- Verify SD-JWT presentation (includes signature, disclosures, and key binding verification)
result <- verifySDJWT issuerPublicKey presentation Nothing
case result of
  Right processedPayload -> do
    let claims = processedClaims processedPayload
    -- Use verified claims...
    -- If key binding was present, access the holder's public key:
    case keyBindingInfo processedPayload of
      Just kbInfo -> do
        let holderPublicKey = kbPublicKey kbInfo
        -- Use holder's public key for subsequent operations...
        pure ()
      Nothing -> pure ()  -- No key binding present
  Left err -> pure ()     -- Handle error
For advanced use cases (e.g., verifying key binding separately or parsing payloads),
import Verification to access additional low-level functions.
Example
>>> :set -XOverloadedStrings
>>> import SDJWT.Verifier
>>> import qualified Data.Text as T
>>> -- Deserialize presentation received from holder
>>> -- let presentationText = "eyJhbGciOiJSUzI1NiJ9..."
>>> -- case deserializePresentation (T.pack presentationText) of
>>> --   Right presentation -> do
>>> --     issuerPublicKeyJWK <- loadPublicKeyJWK
>>> --     verifySDJWT issuerPublicKeyJWK presentation Nothing
>>> --   Left err -> pure (Left err)
>>> -- Extract claims (includes both regular claims and disclosed claims)
>>> -- let claims = processedClaims processedPayload
Synopsis
- module SDJWT.Internal.Types
- module SDJWT.Internal.Serialization
- verifySDJWT :: JWKLike jwk => jwk -> SDJWTPresentation -> Maybe Text -> IO (Either SDJWTError ProcessedSDJWTPayload)
Core Types
module SDJWT.Internal.Types
Serialization
module SDJWT.Internal.Serialization
Verification
Functions for verifying SD-JWT presentations.
verifySDJWT
Arguments
| Type | Description |
|---|---|
| :: JWKLike jwk | |
| => jwk | Issuer public key (Text or jose JWK object) |
| -> SDJWTPresentation | |
| -> Maybe Text | Required typ header value (Nothing = allow any/none, Just "sd-jwt" = require exactly "sd-jwt") |
| -> IO (Either SDJWTError ProcessedSDJWTPayload) | |
Complete SD-JWT verification.
This function performs all verification steps:
- Parses the presentation
- Verifies issuer signature (required)
- Validates standard JWT claims (if present): exp (expiration time), nbf (not before), etc.
- Extracts hash algorithm
- Verifies disclosures match digests
- Verifies key binding (if present)
- Processes payload to reconstruct claims
Returns the processed payload with all claims (both regular non-selectively-disclosable
claims and disclosed selectively-disclosable claims). If a KB-JWT was present and verified,
the keyBindingInfo field will contain the holder's public key extracted from the
cnf claim, allowing the verifier to use it for subsequent operations.
Standard JWT Claims Validation
Standard JWT claims (RFC 7519) included in the issuer-signed JWT are automatically validated:
- exp (expiration time): Token is rejected if expired
- nbf (not before): Token is rejected if not yet valid
- Other standard claims are preserved but not validated by this library
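The step list above (parse the presentation, extract the hash algorithm, match disclosures to digests, reconstruct claims) and the exp/nbf validation, carried out in plain Python as an added example; this is not code from this library or from the page. Issuer-signature and KB-JWT verification, which verifySDJWT performs before anything else, are deliberately not implemented: the sample JWT carries a placeholder signature, so the processing shown is only meaningful after the signature step has passed. The disclosures, salts, claim values, decoy digest and timestamps are all constructed for the example.

```python
import base64
import hashlib
import json
# Added example, not code from this SD-JWT library: the disclosure processing
# behind verifySDJWT's step list, over a constructed sample. Issuer-signature and
# KB-JWT checks are assumed done already (placeholder signature); nothing verifies them here.
HASH_ALGS = {"sha-256": hashlib.sha256, "sha-384": hashlib.sha384, "sha-512": hashlib.sha512}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def disclosure_digest(disclosure: str, alg: str) -> str:
    # Hashed over the ASCII disclosure string itself, as listed in _sd / "..."
    return b64url_encode(HASH_ALGS[alg](disclosure.encode("ascii")).digest())

def parse_presentation(presentation: str):
    # <Issuer-signed JWT>~<Disclosure 1>~...~<Disclosure N>~<optional KB-JWT>
    issuer_jwt, *disclosures, kb_jwt = presentation.split("~")  # ValueError if no "~"
    return issuer_jwt, disclosures, (kb_jwt or None)

def reconstruct_claims(payload: dict, disclosures: list) -> dict:
    alg = payload.get("_sd_alg", "sha-256")
    if alg not in HASH_ALGS:
        raise ValueError(f"unsupported _sd_alg: {alg}")
    by_digest = {}
    for disc in disclosures:
        digest = disclosure_digest(disc, alg)
        if digest in by_digest:
            raise ValueError("duplicate disclosure")
        by_digest[digest] = json.loads(b64url_decode(disc))
    used = set()
    def take(digest):  # every disclosure may satisfy exactly one digest
        if digest in used:
            raise ValueError("digest referenced twice")
        used.add(digest)
        return by_digest[digest]
    def walk(node):
        if isinstance(node, dict):
            out = {k: walk(v) for k, v in node.items() if k != "_sd"}
            for digest in node.get("_sd", []):
                if digest not in by_digest:
                    continue  # decoy digest, or a claim the holder withheld
                _salt, name, value = take(digest)
                if name in out or name in ("_sd", "..."):
                    raise ValueError(f"claim name collision: {name}")
                out[name] = walk(value)
            return out
        if isinstance(node, list):
            out = []
            for item in node:
                if isinstance(item, dict) and set(item) == {"..."}:
                    if item["..."] in by_digest:
                        out.append(walk(take(item["..."])[1]))
                else:
                    out.append(walk(item))
            return out
        return node
    claims = walk(payload)
    claims.pop("_sd_alg", None)
    if used != set(by_digest):  # presented, but nothing in the payload refers to it
        raise ValueError("disclosure without matching digest")
    return claims

def verify_presentation(presentation: str, now: int) -> dict:
    issuer_jwt, disclosures, _kb_jwt = parse_presentation(presentation)
    _header_b64, payload_b64, _sig = issuer_jwt.split(".")  # signature assumed verified
    payload = json.loads(b64url_decode(payload_b64))
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"]:
        raise ValueError("token not yet valid")
    return reconstruct_claims(payload, disclosures)

def verification_error(presentation: str, now: int):
    try:
        verify_presentation(presentation, now)
    except ValueError as exc:
        return str(exc)
    return None

def make_disclosure(*fields) -> str:
    # [salt, name, value] for an object claim, [salt, value] for an array element
    return b64url_encode(json.dumps(list(fields), separators=(",", ":")).encode())

# Constructed sample: three disclosures issued, two presented (email withheld), one decoy.
DISC_NAME = make_disclosure("c2FsdDE", "given_name", "Alice")
DISC_EMAIL = make_disclosure("c2FsdDI", "email", "alice@example.com")
DISC_NATIONALITY = make_disclosure("c2FsdDM", "DE")
SAMPLE_PAYLOAD = {
    "iss": "https://issuer.example", "iat": 1700000000, "exp": 1700003600, "_sd_alg": "sha-256",
    "_sd": sorted([disclosure_digest(d, "sha-256") for d in (DISC_NAME, DISC_EMAIL)]
                  + [b64url_encode(hashlib.sha256(b"decoy").digest())]),
    "nationalities": [{"...": disclosure_digest(DISC_NATIONALITY, "sha-256")}],
}
SAMPLE_JWT = ".".join([b64url_encode(b'{"alg":"ES256","typ":"sd-jwt"}'),
                       b64url_encode(json.dumps(SAMPLE_PAYLOAD).encode()), "placeholder-signature"])
SAMPLE_PRESENTATION = f"{SAMPLE_JWT}~{DISC_NAME}~{DISC_NATIONALITY}~"
```

Two points the code makes explicit that the step list only names: a digest in `_sd` with no presented disclosure is simply skipped, because from the verifier's side a decoy digest and a claim the holder chose to withhold look identical; a presented disclosure that nothing in the payload refers to, or a disclosure referenced twice, is rejected rather than ignored, since either would let a presenter smuggle in claims the issuer never committed to. The `_sd` and `_sd_alg` keys are removed from the output so that callers only ever see reconstructed claims, which is what processedClaims gives you in the Haskell API.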
For testing or debugging purposes where signature verification should be skipped,
use verifySDJWTWithoutSignature instead.