fix: integrity check (#339)

Signed-off-by: Timo Glastra <timo@animo.id>

Author: TimoGlastra

packages/sd-jwt-vc/src/sd-jwt-vc-instance.ts

@@ -128,6 +128,9 @@ export class SDJwtVcInstance extends SDJwtInstance<SdJwtVcPayload> {
 
   /**
    * Gets VCT Metadata of the raw SD-JWT-VC. Returns the type metadata format. If the SD-JWT-VC is invalid or does not contain a vct claim, an error is thrown.
+   *
+   * It may return `undefined` if the fetcher returned an undefined value (instead of throwing an error).
+   *
    * @param encodedSDJwt
    * @returns
    */
@@ -222,6 +225,7 @@ export class SDJwtVcInstance extends SDJwtInstance<SdJwtVcPayload> {
       // implement based on https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-08.html#name-extending-type-metadata
       //TODO: needs to be implemented. Unclear at this point which values will overwrite the values from the extended type metadata format
     }
+
     return typeMetadataFormat;
   }
 
@@ -244,7 +248,7 @@ export class SDJwtVcInstance extends SDJwtInstance<SdJwtVcPayload> {
     const fetcher: VcTFetcher =
       this.userConfig.vctFetcher ??
       ((uri, integrity) => this.fetch(uri, integrity));
-    return fetcher(result.payload.vct, result.payload['vct#Integrity']);
+    return fetcher(result.payload.vct, result.payload['vct#integrity']);
   }
 
   /**

packages/sd-jwt-vc/src/sd-jwt-vc-payload.ts

@@ -13,7 +13,7 @@ export interface SdJwtVcPayload extends SdJwtPayload {
   // REQUIRED. The type of the Verifiable Credential, e.g., https://credentials.example.com/identity_credential, as defined in Section 3.2.2.1.1.
   vct: string;
   // OPTIONAL. If passed, the loaded type metadata format has to be validated according to https://www.w3.org/TR/SRI/
-  'vct#Integrity'?: string;
+  'vct#integrity'?: string;
   // OPTIONAL. The information on how to read the status of the Verifiable Credential. See [https://www.ietf.org/archive/id/draft-ietf-oauth-status-list-02.html] for more information.
   status?: SDJWTVCStatusReference;
   // OPTIONAL. The identifier of the Subject of the Verifiable Credential. The Issuer MAY use it to provide the Subject identifier known by the Issuer. There is no requirement for a binding to exist between sub and cnf claims.

packages/sd-jwt-vc/src/sd-jwt-vc-type-metadata-format.ts

@@ -136,7 +136,7 @@ export type TypeMetadataFormat = {
   /** OPTIONAL. URI of another type that this one extends. */
   extends?: string;
   /** OPTIONAL. Integrity metadata for the 'extends' field. */
-  'extends#Integrity'?: string;
+  'extends#integrity'?: string;
   /** OPTIONAL. Array of localized display metadata for the type. */
   display?: Display[];
   /** OPTIONAL. Array of claim metadata. */

packages/sd-jwt-vc/src/test/vct.spec.ts

@@ -4,7 +4,7 @@ import { digest, generateSalt } from '@sd-jwt/crypto-nodejs';
 import type { DisclosureFrame, Signer, Verifier } from '@sd-jwt/types';
 import { HttpResponse, http } from 'msw';
 import { setupServer } from 'msw/node';
-import { afterAll, beforeAll, describe, expect, test } from 'vitest';
+import { afterAll, beforeAll, describe, expect, test, vitest } from 'vitest';
 import { SDJwtVcInstance } from '..';
 import type { SdJwtVcPayload } from '../sd-jwt-vc-payload';
 import type { TypeMetadataFormat } from '../sd-jwt-vc-type-metadata-format';
@@ -85,19 +85,31 @@ describe('App', () => {
   afterEach(() => server.resetHandlers());
 
   test('VCT Validation', async () => {
+    // The method is private, so TS complains, but you can use spies on private method just fine.
+    // @ts-expect-error
+    const validateIntegritySpy = vitest.spyOn(sdjwt, 'validateIntegrity');
+
     const expectedPayload: SdJwtVcPayload = {
       iat,
       iss,
       vct,
-      'vct#Integrity': vctIntegrity,
+      'vct#integrity': vctIntegrity,
       ...claims,
     };
+
     const encodedSdjwt = await sdjwt.issue(
       expectedPayload,
       disclosureFrame as unknown as DisclosureFrame<SdJwtVcPayload>,
     );
 
     await sdjwt.verify(encodedSdjwt);
+
+    // Ensure validateIntegrity method was called
+    expect(validateIntegritySpy).toHaveBeenCalledWith(
+      expect.any(Response),
+      vct,
+      vctIntegrity,
+    );
   });
 
   test('VCT from JWT header Validation', async () => {
@@ -133,7 +145,7 @@ describe('App', () => {
       disclosureFrame as unknown as DisclosureFrame<SdJwtVcPayload>,
     );
 
-    expect(sdjwt.verify(encodedSdjwt)).rejects.toThrowError(
+    await expect(sdjwt.verify(encodedSdjwt)).rejects.toThrowError(
       `Request to ${vct} timed out`,
     );
   });