@sd-jwt/decode
This library does not provide any of the cryptographic primitives required for encryption, decryption, signing, verification and hashing; the user of this library is expected to provide them. The main reason is that most projects already have their own cryptographic library and KMS, and handing private keys to this library would add another layer of insecurity which should be avoided. Hashing has not been added for platform compatibility between Node.js, the browser and React Native. In the future a platform-independent sha2-256 may be provided.
Since these specifications are in early drafts, no time will be spent supporting earlier versions of them. This library may still work with older versions; for example, the addition of selectively disclosable items in an array does not break previous implementations. Once a non-draft specification is released, the library will stay up to date with that version.
This library only has one dependency, on buffer, which makes sure this library works in Node.js, the browser and React Native. Buffer is used internally for base64-url-no-pad encoding.
I'd highly recommend checking out the examples folder to see how this library can be leveraged.
The issuance API takes an object called a disclosureFrame. This disclosureFrame is a Boolean map of the payload which allows you to specify which attributes of the payload may be selectively disclosed. If an attribute is not provided in the disclosureFrame, it will be included in the clear-text payload. For example:
```jsonc
// The payload
{
  "iss": "https://example.org/issuer",
  "is_age_over_21": true,
  "is_age_over_24": true,
  "is_age_over_65": false,
  "date_of_birth": "1990-01-01",
  "address": {
    "street": "some street",
    "house_number": 200,
    "zipcode": "2344GH"
  }
}

// The disclosure frame
{
  "is_age_over_21": true,
  "is_age_over_24": true,
  "is_age_over_65": true,
  "date_of_birth": true,
  "address": {
    "street": true,
    "house_number": true,
    "zipcode": true
  }
}

// or to only disclose the address as a group
{
  "is_age_over_21": true,
  "is_age_over_24": true,
  "is_age_over_65": true,
  "date_of_birth": true,
  "address": true
}
```
Since there is no officially standardized way to request and present a presentation (the High Assurance Interoperability Profile may be used), the API is defined in a way which works in a primitive manner for now. For example, to present, you can provide a list of indices of the disclosures which will be included. Examples of this can be found in the examples folder. For verification, a list of keys or required claims can be provided. It does not matter whether these are selectively disclosable claims or claims included in the clear-text payload.
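The following is an added example, not code from @sd-jwt/decode or its examples folder. It models the three steps the README describes with the README's own payload and disclosure frame: applying a disclosureFrame at issuance (claims marked `true` leave the payload as salted disclosures and are replaced by digests in an `_sd` array, nested frames recurse into nested objects), presenting by a list of disclosure indices, and verifying that a list of required claims is present whether they were selectively disclosed or sat in the clear-text payload. The function names (`applyFrame`, `present`, `resolveDisclosures`, `verifyRequired`) are assumptions for illustration, and the hash is supplied by the caller as the library expects; Node's `crypto` stands in for the user-provided sha-256.

```typescript
// Added example (not part of @sd-jwt/decode): a minimal model of how a
// disclosureFrame splits a payload into clear-text and selectively-disclosable
// claims, plus index-based presentation and required-claim verification.
// Hashing is injected by the caller; here Node's crypto plays that role.
import { createHash, randomBytes } from "crypto";

type Json = string | number | boolean | null | Json[] | { [k: string]: Json };
type Obj = { [k: string]: Json };
type Frame = { [k: string]: true | Frame };
type Hasher = (data: string) => string;

// base64url without padding, the encoding used for disclosures and digests
const b64url = (buf: Buffer): string =>
  buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// sha-256 digest of a disclosure string, base64url-encoded (SD-JWT "_sd_alg": "sha-256")
export const sha256B64url: Hasher = (data) =>
  b64url(createHash("sha256").update(data).digest());

// A disclosure is base64url(JSON.stringify([salt, claimName, claimValue])).
export function makeDisclosure(salt: string, name: string, value: Json): string {
  return b64url(Buffer.from(JSON.stringify([salt, name, value])));
}

// Apply a disclosureFrame: keys marked true are moved out of the payload into
// disclosures and replaced by their digest in `_sd`; a nested frame recurses
// into the nested object. `salt` is injectable so tests are deterministic.
export function applyFrame(
  payload: Obj,
  frame: Frame,
  hash: Hasher,
  salt: () => string = () => b64url(randomBytes(16)),
): { payload: Obj; disclosures: string[] } {
  const out: Obj = {};
  const sd: string[] = [];
  const disclosures: string[] = [];
  for (const [key, value] of Object.entries(payload)) {
    const f = frame[key];
    if (f === true) {
      const d = makeDisclosure(salt(), key, value);
      disclosures.push(d);
      sd.push(hash(d));
    } else if (f && value !== null && typeof value === "object" && !Array.isArray(value)) {
      const nested = applyFrame(value as Obj, f, hash, salt);
      out[key] = nested.payload;
      disclosures.push(...nested.disclosures);
    } else {
      out[key] = value; // not in the frame: stays in the clear-text payload
    }
  }
  if (sd.length > 0) out._sd = sd;
  return { payload: out, disclosures };
}

// Presentation: the holder selects disclosures by index, as in the README's API.
export function present(disclosures: string[], indices: number[]): string[] {
  return indices.map((i) => disclosures[i]);
}

// Verification: walk the payload, match each `_sd` digest against the presented
// disclosures and rebuild the disclosed claims. Unmatched digests simply stay
// undisclosed; a presented disclosure that matches no digest is rejected.
export function resolveDisclosures(payload: Obj, presented: string[], hash: Hasher): Obj {
  const byDigest = new Map(presented.map((d) => [hash(d), d]));
  const used = new Set<string>();
  const walk = (obj: Obj): Obj => {
    const result: Obj = {};
    for (const [k, v] of Object.entries(obj)) {
      if (k === "_sd") continue;
      result[k] = v !== null && typeof v === "object" && !Array.isArray(v) ? walk(v as Obj) : v;
    }
    for (const digest of (obj._sd as string[] | undefined) ?? []) {
      const d = byDigest.get(digest);
      if (!d) continue;
      used.add(digest);
      // Node's base64 decoder also accepts the URL-safe alphabet
      const [, name, value] = JSON.parse(Buffer.from(d, "base64").toString()) as [string, string, Json];
      result[name] = value;
    }
    return result;
  };
  const claims = walk(payload);
  if (used.size !== byDigest.size) throw new Error("presented disclosure not referenced by payload");
  return claims;
}

// Verification policy: every required claim must be present after resolution,
// regardless of whether it was selectively disclosed or always in the clear.
export function verifyRequired(claims: Obj, required: string[]): boolean {
  return required.every((k) => k in claims);
}
```

Running `applyFrame` on the README's payload with the nested frame yields seven disclosures (four top-level, three under `address`) and a payload in which `iss` stays readable while `date_of_birth` is gone; presenting indices `[0, 6]` then lets `resolveDisclosures` rebuild `is_age_over_21` and `address.zipcode` and nothing else. The check that every presented disclosure is referenced by some `_sd` digest is the detail a verifier should not skip: it stops a holder from smuggling in claims the issuer never signed over.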
FAQs
sd-jwt draft 7 implementation in typescript
The npm package @sd-jwt/decode receives a total of 5,963 weekly downloads. As such, @sd-jwt/decode popularity was classified as popular.
We found that @sd-jwt/decode demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.