feat: add sd-jwt with jades support package

Signed-off-by: Lukas.J Han <[email protected]>

Author: lukasjhan

packages/jades/CHANGELOG.md

@@ -0,0 +1,16 @@
+# Change Log
+
+All notable changes to this project will be documented in this file.
+See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
+
+## [0.1.2](https://github.com/lukasjhan/sd-jwt-vc-dm-owf/compare/v0.1.1...v0.1.2) (2025-02-09)
+
+**Note:** Version bump only for package sd-jwt-jades
+
+
+
+
+
+## 0.1.1 (2025-02-09)
+
+**Note:** Version bump only for package jades

packages/jades/README.md

@@ -0,0 +1,218 @@
+# SD JWT VCDM Typescript
+
+> ⚠️ **Platform Support**: This package currently supports Node.js environments only.
+
+Typescript implementation of SD JWT VCDM profile.
+
+A library that integrates SD-JWT with W3C Verifiable Credentials Data Model and implements JAdES digital signature standards.
+
+## Features
+
+### SD-JWT VCDM Data Model Profile
+
+This library provides interoperability between SD-JWT (Selective Disclosure JWT) and W3C Verifiable Credentials Data Model:
+
+- Issue Verifiable Digital Credentials in SD-JWT VC format while maintaining W3C VCDM compliance
+- Support for Selective Disclosure capabilities
+- Seamless integration with standard VC verification processes
+
+### JAdES Digital Signature Integration
+
+Implements JAdES (JSON Advanced Electronic Signatures) standard for SD-JWT with support for the following signature profiles:
+
+- **B-B (Basic - Baseline)**: Basic signature format
+- **B-T (Basic with Time)**: Signatures with timestamp
+- **B-LT (Basic Long-Term)**: Signatures with validation data for long-term preservation
+- **B-LTA (Basic Long-Term with Archive timestamps)**: Long-term preservation with periodic timestamp renewal
+
+## Installation
+
+```bash
+pnpm add sd-jwt-vcdm
+```
+
+## Usage
+
+### B-B
+
+```typescript
+import { JAdES, parseCerts, createKidFromCert } from 'sd-jwt-jades';
+import * as fs from 'fs';
+import { createPrivateKey } from 'node:crypto';
+
+(async () => {
+  const jades = new JAdES.Sign({ data: 'data 1', target: 'data 2' });
+
+  const certPem = fs.readFileSync('./fixtures/certificate.crt', 'utf-8');
+  const certs = parseCerts(certPem);
+  const kid = createKidFromCert(certs[0]);
+
+  const keyPem = fs.readFileSync('./fixtures/private.pem', 'utf-8');
+  const privateKey = createPrivateKey(keyPem);
+
+  await jades
+    .setProtectedHeader({
+      alg: 'RS256',
+      typ: 'jades',
+    })
+    .setX5c(certs)
+    .setDisclosureFrame({
+      _sd: ['data'],
+    })
+    .setSignedAt()
+    .sign(privateKey, kid);
+
+  const serialized = jades.toJSON();
+  console.log(serialized);
+})();
+```
+
+### B-T
+
+```typescript
+import { JAdES, parseCerts, createKidFromCert } from 'sd-jwt-jades';
+import * as fs from 'fs';
+import { createPrivateKey } from 'node:crypto';
+
+(async () => {
+  const jades = new JAdES.Sign({ data: 'data 1', target: 'data 2' });
+
+  const certPem = fs.readFileSync('./fixtures/certificate.crt', 'utf-8');
+  const certs = parseCerts(certPem);
+  const kid = createKidFromCert(certs[0]);
+
+  const keyPem = fs.readFileSync('./fixtures/private.pem', 'utf-8');
+  const privateKey = createPrivateKey(keyPem);
+
+  await jades
+    .setProtectedHeader({
+      alg: 'RS256',
+      typ: 'jades',
+    })
+    .setX5c(certs)
+    .setDisclosureFrame({
+      _sd: ['data'],
+    })
+    .setSignedAt()
+    .setUnprotectedHeader({
+      etsiU: [
+        {
+          sigTst: {
+            tstTokens: [
+              {
+                val: 'Base64-encoded RFC 3161 Timestamp Token',
+              },
+            ],
+          },
+        },
+      ],
+    })
+    .sign(privateKey, kid);
+
+  const serialized = jades.toJSON();
+  console.log(serialized);
+})();
+```
+
+### B-LT
+
+```typescript
+import { JAdES, parseCerts, createKidFromCert } from 'sd-jwt-jades';
+import * as fs from 'fs';
+import { createPrivateKey } from 'node:crypto';
+
+(async () => {
+  const jades = new JAdES.Sign({ data: 'data 1', target: 'data 2' });
+
+  const certPem = fs.readFileSync('./fixtures/certificate.crt', 'utf-8');
+  const certs = parseCerts(certPem);
+  const kid = createKidFromCert(certs[0]);
+
+  const keyPem = fs.readFileSync('./fixtures/private.pem', 'utf-8');
+  const privateKey = createPrivateKey(keyPem);
+
+  await jades
+    .setProtectedHeader({
+      alg: 'RS256',
+      typ: 'jades',
+    })
+    .setX5c(certs)
+    .setDisclosureFrame({
+      _sd: ['data'],
+    })
+    .setSignedAt()
+    .setUnprotectedHeader({
+      etsiU: [
+        {
+          sigTst: {
+            tstTokens: [
+              {
+                val: 'Base64-encoded RFC 3161 Timestamp Token',
+              },
+            ],
+          },
+        },
+        {
+          xVals: [
+            { x509Cert: 'Base64-encoded Trust Anchor' },
+            { x509Cert: 'Base64-encoded CA Certificate' },
+          ],
+        },
+        {
+          rVals: {
+            crlVals: ['Base64-encoded CRL'],
+            ocspVals: ['Base64-encoded OCSP Response'],
+          },
+        },
+      ],
+    })
+    .sign(privateKey, kid);
+
+  const serialized = jades.toJSON();
+  console.log(serialized);
+})();
+```
+
+### B-LTA
+
+```typescript
+import { JAdES, parseCerts, createKidFromCert } from 'sd-jwt-jades';
+import * as fs from 'fs';
+import { createPrivateKey } from 'node:crypto';
+
+(async () => {
+  const jades = new JAdES.Sign({ data: 'data 1', target: 'data 2' });
+
+  const certPem = fs.readFileSync('./fixtures/certificate.crt', 'utf-8');
+  const certs = parseCerts(certPem);
+  const kid = createKidFromCert(certs[0]);
+
+  const keyPem = fs.readFileSync('./fixtures/private.pem', 'utf-8');
+  const privateKey = createPrivateKey(keyPem);
+
+  await jades
+    .setProtectedHeader({
+      alg: 'RS256',
+      typ: 'jades',
+    })
+    .setX5c(certs)
+    .setDisclosureFrame({
+      _sd: ['data'],
+    })
+    .setSignedAt()
+    .sign(privateKey, kid);
+
+  const serialized = jades.toJSON();
+  console.log(serialized);
+})();
+```
+
+## License
+
+Apache License 2.0
+
+## References
+
+- [SD-JWT VC Data Model](https://github.com/danielfett/sd-jwt-vc-dm)
+- [OpenID4VC HAIP Profile](https://github.com/openid/oid4vc-haip/pull/147/files#diff-762ef65fd82909517226ac1bb7e8855792bb57021abc1637c15b8557154dbbf1)
+- [ETSI TS 119 182-1 - JAdES Baseline Signatures](https://www.etsi.org/deliver/etsi_ts/119100_119199/11918201/01.02.01_60/ts_11918201v010201p.pdf)

packages/jades/package.json

@@ -0,0 +1,55 @@
+{
+  "name": "sd-jwt-jades",
+  "version": "0.1.2",
+  "description": "JADES implementation in typescript",
+  "main": "dist/index.js",
+  "module": "dist/index.mjs",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js"
+    }
+  },
+  "scripts": {
+    "build": "rm -rf **/dist && tsup",
+    "lint": "biome lint ./src",
+    "test": "pnpm run test:node && pnpm run test:browser && pnpm run test:cov",
+    "test:node": "vitest run ./src/test/*.spec.ts",
+    "test:browser": "vitest run ./src/test/*.spec.ts --environment jsdom",
+    "test:cov": "vitest run --coverage"
+  },
+  "keywords": [
+    "jades",
+    "sd-jwt",
+    "jwt"
+  ],
+  "engines": {
+    "node": ">=16"
+  },
+  "author": "Lukas.J.Han <[email protected]>",
+  "license": "Apache-2.0",
+  "publishConfig": {
+    "access": "public"
+  },
+  "tsup": {
+    "entry": [
+      "./src/index.ts"
+    ],
+    "sourceMap": true,
+    "splitting": false,
+    "clean": true,
+    "dts": true,
+    "format": [
+      "cjs",
+      "esm"
+    ]
+  },
+  "dependencies": {
+    "@sd-jwt/core": "workspace:*",
+    "@sd-jwt/crypto-nodejs": "workspace:*",
+    "@sd-jwt/types": "workspace:*",
+    "@sd-jwt/utils": "workspace:*",
+    "asn1js": "^3.0.5"
+  }
+}

packages/jades/src/constant.ts

@@ -0,0 +1,30 @@
+import { constants } from 'crypto';
+
+export const ALGORITHMS = {
+  // RSA
+  RS256: { hash: 'sha256', padding: constants.RSA_PKCS1_PADDING },
+  RS384: { hash: 'sha384', padding: constants.RSA_PKCS1_PADDING },
+  RS512: { hash: 'sha512', padding: constants.RSA_PKCS1_PADDING },
+
+  // RSA-PSS
+  PS256: { hash: 'sha256', padding: constants.RSA_PKCS1_PSS_PADDING },
+  PS384: { hash: 'sha384', padding: constants.RSA_PKCS1_PSS_PADDING },
+  PS512: { hash: 'sha512', padding: constants.RSA_PKCS1_PSS_PADDING },
+
+  // ECDSA
+  ES256: { hash: 'sha256', namedCurve: 'P-256' },
+  ES384: { hash: 'sha384', namedCurve: 'P-384' },
+  ES512: { hash: 'sha512', namedCurve: 'P-521' },
+
+  // EdDSA
+  EdDSA: { curves: ['ed25519', 'ed448'] },
+};
+
+export enum CommitmentOIDs {
+  proofOfOrigin = '1.2.840.113549.1.9.16.6.1',
+  proofOfReceipt = '1.2.840.113549.1.9.16.6.2',
+  proofOfDelivery = '1.2.840.113549.1.9.16.6.3',
+  proofOfSender = '1.2.840.113549.1.9.16.6.4',
+  proofOfApproval = '1.2.840.113549.1.9.16.6.5',
+  proofOfCreation = '1.2.840.113549.1.9.16.6.6',
+}

packages/jades/src/index.ts

@@ -0,0 +1,12 @@
+import { Sign } from './sign';
+export * from './type';
+export * from './constant';
+export * from './utils';
+import { Present } from './present';
+import { JWTVerifier } from './verify';
+
+export const JAdES = {
+  Sign,
+  Present,
+  Verify: JWTVerifier,
+};

packages/jades/src/present.ts

@@ -0,0 +1,43 @@
+import { SDJwtGeneralJSONInstance } from '@sd-jwt/core';
+import { digest, generateSalt } from '@sd-jwt/crypto-nodejs';
+import { PresentationFrame } from '@sd-jwt/types';
+import { GeneralJWS } from './type';
+import { getGeneralJSONFromJWSToken } from './utils';
+
+export class Present {
+  public static async present<T extends Record<string, unknown>>(
+    credential: GeneralJWS | string,
+    presentationFrame?: PresentationFrame<T>,
+    options?: Record<string, unknown>,
+  ): Promise<GeneralJWS> {
+    // Initialize the SD JWT instance with proper configuration
+    const sdJwtInstance = new SDJwtGeneralJSONInstance({
+      hashAlg: 'sha-256',
+      hasher: digest,
+      saltGenerator: generateSalt,
+    });
+
+    // Convert string to GeneralJSON if needed
+    const generalJsonCredential = getGeneralJSONFromJWSToken(credential);
+
+    // If there are no disclosures, return the credential as is
+    // This prevents errors from the core library when handling credentials without SD claims
+    if (
+      !generalJsonCredential.disclosures ||
+      generalJsonCredential.disclosures.length === 0
+    ) {
+      console.log(
+        'Credential has no selective disclosure claims, returning as is',
+      );
+      return generalJsonCredential.toJson();
+    }
+
+    // Use the instance's present method for the core SD-JWT functionality
+    const presentedCredential = await sdJwtInstance.present(
+      generalJsonCredential,
+      presentationFrame,
+    );
+
+    return presentedCredential.toJson();
+  }
+}