Currently we verify VCs only on the cryptographic signature, but we have a set of semantic verifications which must be true for verification to pass. For inspiration, see the set of `if` conditions in web5-js linked here.
Verifies the integrity and authenticity of a Verifiable Credential (VC) encoded as a JSON Web Token (JWT).
This function performs several crucial validation steps to ensure the trustworthiness of the provided VC:

1. Parses and validates the structure of the JWT.
2. Ensures the presence of the critical header elements `alg` and `kid` in the JWT header.
3. Resolves the Decentralized Identifier (DID) and retrieves the associated DID Document.
4. Validates the DID and establishes a set of valid verification method IDs.
5. Identifies the correct Verification Method from the DID Document based on the `kid` parameter.
6. Verifies the JWT's signature using the public key associated with the Verification Method.
If any of these steps fails, the function will throw an [Error] with a message indicating the nature of the failure. The JWT claims are also checked against the VC data model:

- `exp` MUST represent the `expirationDate` property, encoded as a UNIX timestamp (NumericDate).
- `iss` MUST represent the `issuer` property of a verifiable credential or the `holder` property of a verifiable presentation.
- `nbf` MUST represent `issuanceDate`, encoded as a UNIX timestamp (NumericDate).
- `jti` MUST represent the `id` property of the verifiable credential or verifiable presentation.
- `sub` MUST represent the `id` property contained in the `credentialSubject`.
Once the verifications are successful, when recreating the VC data model object, this function will:

- If `exp` is present, the UNIX timestamp MUST be converted to an [XMLSCHEMA11-2] date-time, and MUST be used to set the value of the `expirationDate` property of `credentialSubject` of the new JSON object.
- If `iss` is present, the value MUST be used to set the `issuer` property of the new credential JSON object or the `holder` property of the new presentation JSON object.
- If `nbf` is present, the UNIX timestamp MUST be converted to an [XMLSCHEMA11-2] date-time, and MUST be used to set the value of the `issuanceDate` property of the new JSON object.
- If `sub` is present, the value MUST be used to set the value of the `id` property of `credentialSubject` of the new credential JSON object.
- If `jti` is present, the value MUST be used to set the value of the `id` property of the new JSON object.
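The claim checks listed above and the claims-to-data-model rebuild rules, as an added example in Rust (the language of web5-rs); this is neither web5-rs nor web5-js code. The struct field names, the flattened `subject_id` field standing in for `credentialSubject.id`, and the sample DIDs and ids are constructed for illustration. The UNIX-to-XML-Schema date-time conversion is written by hand so the block runs without external crates, and `expirationDate` is placed on the credential object, where the VC data model defines it.

```rust
// Added example (not web5-rs or web5-js code): semantic VC-JWT claim checks
// plus the claims-to-data-model rebuild, with no external crates.
// Field names, sample DIDs and ids below are constructed for illustration.

/// The registered JWT claims that carry VC data model properties.
#[derive(Debug, Clone, PartialEq, Default)]
pub struct JwtClaims {
    pub exp: Option<i64>,    // expirationDate as UNIX seconds
    pub iss: Option<String>, // issuer
    pub nbf: Option<i64>,    // issuanceDate as UNIX seconds
    pub jti: Option<String>, // credential id
    pub sub: Option<String>, // credentialSubject.id
}

/// Hypothetical flattened view of the VC properties the claims map onto.
#[derive(Debug, Clone, PartialEq, Default)]
pub struct CredentialModel {
    pub id: Option<String>,
    pub issuer: Option<String>,
    pub issuance_date: Option<String>,
    pub expiration_date: Option<String>,
    pub subject_id: Option<String>, // credentialSubject.id
}

/// UNIX seconds -> XML Schema date-time in UTC ("YYYY-MM-DDTHH:MM:SSZ"),
/// using Howard Hinnant's days-to-civil algorithm.
pub fn unix_to_xml_datetime(ts: i64) -> String {
    let days = ts.div_euclid(86_400);
    let secs = ts.rem_euclid(86_400);
    let z = days + 719_468; // shift epoch to 0000-03-01
    let era = z.div_euclid(146_097);
    let doe = z.rem_euclid(146_097); // day of era
    let yoe = (doe - doe / 1460 + doe / 36_524 - doe / 146_096) / 365; // year of era
    let doy = doe - (365 * yoe + yoe / 4 - yoe / 100); // March-based day of year
    let mp = (5 * doy + 2) / 153; // March-based month index
    let d = doy - (153 * mp + 2) / 5 + 1;
    let m = if mp < 10 { mp + 3 } else { mp - 9 };
    let y = yoe + era * 400 + if m <= 2 { 1 } else { 0 };
    format!("{:04}-{:02}-{:02}T{:02}:{:02}:{:02}Z",
        y, m, d, secs / 3600, (secs % 3600) / 60, secs % 60)
}

/// Fail on the first claim that is present but disagrees with the matching VC
/// property. A claim whose property is absent is accepted: `apply_claims` fills it.
pub fn verify_claims(claims: &JwtClaims, vc: &CredentialModel) -> Result<(), String> {
    fn check<T: PartialEq + std::fmt::Display>(
        name: &str, claim: Option<T>, prop: &Option<T>,
    ) -> Result<(), String> {
        match (claim, prop) {
            (Some(c), Some(p)) if c != *p => {
                Err(format!("{} claim {} does not match VC property {}", name, c, p))
            }
            _ => Ok(()),
        }
    }
    check("exp", claims.exp.map(unix_to_xml_datetime), &vc.expiration_date)?;
    check("iss", claims.iss.clone(), &vc.issuer)?;
    check("nbf", claims.nbf.map(unix_to_xml_datetime), &vc.issuance_date)?;
    check("jti", claims.jti.clone(), &vc.id)?;
    check("sub", claims.sub.clone(), &vc.subject_id)?;
    Ok(())
}

/// Rebuild the data model from the claims: every present claim sets the
/// corresponding property, converting timestamps to XML Schema date-times.
pub fn apply_claims(claims: &JwtClaims, vc: &CredentialModel) -> CredentialModel {
    let mut out = vc.clone();
    if let Some(exp) = claims.exp { out.expiration_date = Some(unix_to_xml_datetime(exp)); }
    if let Some(iss) = &claims.iss { out.issuer = Some(iss.clone()); }
    if let Some(nbf) = claims.nbf { out.issuance_date = Some(unix_to_xml_datetime(nbf)); }
    if let Some(sub) = &claims.sub { out.subject_id = Some(sub.clone()); }
    if let Some(jti) = &claims.jti { out.id = Some(jti.clone()); }
    out
}

/// Constructed sample claim set, consistent with `sample_model`.
pub fn sample_claims() -> JwtClaims {
    JwtClaims {
        exp: Some(1_700_000_000),
        iss: Some("did:example:issuer".to_string()),
        nbf: Some(0),
        jti: Some("urn:uuid:example-credential".to_string()),
        sub: Some("did:example:subject".to_string()),
    }
}

/// Constructed sample data model, consistent with `sample_claims`.
pub fn sample_model() -> CredentialModel {
    CredentialModel {
        id: Some("urn:uuid:example-credential".to_string()),
        issuer: Some("did:example:issuer".to_string()),
        issuance_date: Some("1970-01-01T00:00:00Z".to_string()),
        expiration_date: Some("2023-11-14T22:13:20Z".to_string()),
        subject_id: Some("did:example:subject".to_string()),
    }
}

fn main() {
    let (claims, vc) = (sample_claims(), sample_model());
    println!("consistent: {:?}", verify_claims(&claims, &vc));
    let mut tampered = vc.clone();
    tampered.issuer = Some("did:example:someone-else".to_string());
    println!("issuer mismatch: {:?}", verify_claims(&claims, &tampered));
    println!("rebuilt: {:?}", apply_claims(&claims, &CredentialModel::default()));
}
```

The `exp`/`nbf` comparison here is string equality against the canonical `YYYY-MM-DDTHH:MM:SSZ` form, so a VC that spells the same instant differently (fractional seconds, a numeric offset) would be rejected; a production check should parse both sides to an instant before comparing. Checking `exp` and `nbf` against the current time is a separate validity step from the data-model mapping shown here.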
This work should hold off until the ticket here is closed: https://github.com/TBD54566975/web5-rs/issues/150