Support for SD-JWT+KB (#691)

* feat: Convenience impls for JWS types.

* refactor: make clippy happy.

* feat!: Support for SD-JWT+KB.

Author: timothee-haudebourg

crates/claims/crates/jwt/src/claims/mixed/mod.rs

@@ -143,6 +143,10 @@ impl JWTClaimsBuilder {
             })
         }
     }
+
+    pub fn build(self) -> Result<JWTClaims, InvalidJWTClaims> {
+        self.with_private_claims(AnyClaims::default())
+    }
 }
 
 #[derive(Debug, thiserror::Error)]

crates/claims/crates/jwt/src/claims/registered.rs

@@ -1,6 +1,7 @@
 use super::{Claim, InvalidClaimValue, JWTClaims};
 use crate::{CastClaim, ClaimSet, InfallibleClaimSet, NumericDate, StringOrURI};
-use ssi_claims_core::{ClaimsValidity, DateTimeProvider, ValidateClaims};
+use chrono::{DateTime, Utc};
+use ssi_claims_core::{ClaimsValidity, DateTimeProvider, InvalidClaims, ValidateClaims};
 use ssi_core::OneOrMany;
 use ssi_jws::JwsPayload;
 use std::{borrow::Cow, collections::BTreeMap};
@@ -409,3 +410,73 @@ registered_claims! {
 
     "vp": VerifiablePresentation(json_syntax::Value)
 }
+
+pub enum JwtClaimValidationFailed {
+    Premature {
+        now: DateTime<Utc>,
+        valid_from: DateTime<Utc>,
+    },
+    Expired {
+        now: DateTime<Utc>,
+        valid_until: DateTime<Utc>,
+    },
+}
+
+impl From<JwtClaimValidationFailed> for InvalidClaims {
+    fn from(value: JwtClaimValidationFailed) -> Self {
+        match value {
+            JwtClaimValidationFailed::Premature { now, valid_from } => {
+                Self::Premature { now, valid_from }
+            }
+            JwtClaimValidationFailed::Expired { now, valid_until } => {
+                Self::Expired { now, valid_until }
+            }
+        }
+    }
+}
+
+impl ExpirationTime {
+    pub fn verify(&self, now: DateTime<Utc>) -> Result<(), JwtClaimValidationFailed> {
+        let exp: DateTime<Utc> = self.0.into();
+        if exp > now {
+            Ok(())
+        } else {
+            Err(JwtClaimValidationFailed::Expired {
+                now,
+                valid_until: exp,
+            })
+        }
+    }
+}
+
+impl NotBefore {
+    pub fn verify(&self, now: DateTime<Utc>) -> Result<(), JwtClaimValidationFailed> {
+        let nbf: DateTime<Utc> = self.0.into();
+        if nbf <= now {
+            Ok(())
+        } else {
+            Err(JwtClaimValidationFailed::Premature {
+                now,
+                valid_from: nbf,
+            })
+        }
+    }
+}
+
+impl IssuedAt {
+    pub fn now() -> Self {
+        Self(Utc::now().try_into().unwrap())
+    }
+
+    pub fn verify(&self, now: DateTime<Utc>) -> Result<(), JwtClaimValidationFailed> {
+        let iat: DateTime<Utc> = self.0.into();
+        if iat <= now {
+            Ok(())
+        } else {
+            Err(JwtClaimValidationFailed::Premature {
+                now,
+                valid_from: iat,
+            })
+        }
+    }
+}

crates/claims/crates/sd-jwt/src/digest.rs

@@ -5,7 +5,7 @@ use serde::{Deserialize, Serialize};
 use sha2::Digest;
 use ssi_jwt::Claim;
 
-use crate::{disclosure::Disclosure, DecodeError, SD_ALG_CLAIM_NAME};
+use crate::{DecodeError, SD_ALG_CLAIM_NAME};
 
 /// Elements of the _sd_alg claim
 #[non_exhaustive]
@@ -25,15 +25,29 @@ impl SdAlg {
         }
     }
 
-    /// Hash the given disclosure.
-    pub fn hash(&self, disclosure: &Disclosure) -> String {
+    /// Hash the given bytes.
+    pub fn hash(&self, bytes: impl AsRef<[u8]>) -> String {
         match self {
             Self::Sha256 => {
-                let digest = sha2::Sha256::digest(disclosure.as_bytes());
+                let digest = sha2::Sha256::digest(bytes.as_ref());
                 BASE64_URL_SAFE_NO_PAD.encode(digest)
             }
         }
     }
+
+    /// Verifies the given hash.
+    #[allow(deprecated)] // TODO bump the `digest` crate whenever possible.
+    pub fn verify(&self, bytes: impl AsRef<[u8]>, hash: &str) -> bool {
+        match self {
+            Self::Sha256 => {
+                let Ok(rdigest) = BASE64_URL_SAFE_NO_PAD.decode(hash) else {
+                    return false;
+                };
+                let digest = sha2::Sha256::digest(bytes.as_ref());
+                digest.as_slice() == rdigest
+            }
+        }
+    }
 }
 
 impl Claim for SdAlg {
@@ -89,6 +103,8 @@ impl<'de> Deserialize<'de> for SdAlg {
 mod tests {
     use super::*;
 
+    use crate::Disclosure;
+
     #[test]
     fn test_disclosure_hashing() {
         assert_eq!(