openwallet-foundation-labs / sd-jwt-python

A Python implementation of the Selective Disclosure JWT (SD-JWT) spec.
Apache License 2.0

Make the extract sd claims available without verification #7

Open risajef opened 9 months ago

risajef commented 9 months ago

I have the need to get the body of the SD JWT where the hashes are replaced with the disclosed values. Currently, I am doing a workaround.

import json

from jwcrypto.jws import JWS
from sd_jwt.verifier import SDJWTVerifier
from sd_jwt.common import SDJWTCommon

class SDJWT_Unpacker(SDJWTVerifier):
    def __init__(
        self,
        sd_jwt_presentation: str,
        serialization_format: str = "compact",
    ):
        # Initialise only the common base class, bypassing SDJWTVerifier.__init__
        # so that no signature verification runs.
        SDJWTCommon.__init__(self, serialization_format=serialization_format)

        # Split the presentation into JWT and disclosures, then index the disclosures by digest.
        self._parse_sd_jwt(sd_jwt_presentation)
        self._create_hash_mappings(self._input_disclosures)
        # Decode the payload as-is; the signature is never checked.
        parsed_input_sd_jwt = JWS()
        parsed_input_sd_jwt.deserialize(self._unverified_input_sd_jwt)
        self._sd_jwt_payload = json.loads(parsed_input_sd_jwt.objects["payload"].decode("utf-8"))

    def extract_sd_claims(self):
        """
        Returns the body of the SDJWT where all the disclosed values are replaced with the actual values
        """
        return self._extract_sd_claims()

# sdjwt_presentation is the SD-JWT presentation string to unpack
SDJWT_Unpacker(sdjwt_presentation).extract_sd_claims()

I would appreciate it if I could do this more simply, without reimplementing parts of the verifier and without calling a private method.

danielfett commented 9 months ago

Thanks for the input! May I ask what your use case for that is?

risajef commented 9 months ago

Hi, thank you for your swift reply.

I have created a Pydantic class to do SDJWT things. I can feed it a string and I now have all the information about it. Furthermore, I can call .jwt to get the JWT. I can call .body to get the content decrypted. This model is used many times in my project: during issuance of the credential, in the wallet, and in the verifier. And I don't always want to also check if the SDJWT is valid. E.g., right after issuing I know it is valid, I just want an easy way to access the data. Or in the wallet I want to display the data. I would rather not do cryptographic checks when displaying my credential. Also, in the wallet, when I get the request object, I have to match it against my credentials, but this requires a credential without the hashes.
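The unverified unpacking discussed in this thread, as an added standard-library example that is not part of the thread or of sd-jwt-python's code. The names `unpack_unverified` and `make_sample` are hypothetical, the sample credential and its placeholder signature are constructed, and only `sha-256` digests are handled.

```python
import base64
import hashlib
import json

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def _digest(disclosure: str) -> str:
    return b64url_encode(hashlib.sha256(disclosure.encode("ascii")).digest())

def _resolve(node, by_digest):
    """Recursively swap digests for the disclosed values that hash to them."""
    if isinstance(node, list):
        out = []
        for item in node:
            if isinstance(item, dict) and set(item) == {"..."}:
                d = by_digest.get(item["..."])
                if d and len(d) == 2:  # [salt, value]; withheld elements are dropped
                    out.append(_resolve(d[1], by_digest))
            else:
                out.append(_resolve(item, by_digest))
        return out
    if isinstance(node, dict):
        out = {k: _resolve(v, by_digest) for k, v in node.items() if k not in ("_sd", "_sd_alg")}
        for digest in node.get("_sd", []):
            d = by_digest.get(digest)
            if d and len(d) == 3:  # [salt, claim name, value]
                out[d[1]] = _resolve(d[2], by_digest)
        return out
    return node

def unpack_unverified(presentation: str) -> dict:
    """Return the payload with disclosures filled in. The issuer signature is NOT checked."""
    jwt, *rest = presentation.split("~")
    disclosures = [p for p in rest[:-1] if p]  # last part is the key-binding JWT or empty
    payload = json.loads(b64url_decode(jwt.split(".")[1]))
    if payload.get("_sd_alg", "sha-256") != "sha-256":
        raise ValueError("only sha-256 is handled in this example")
    by_digest = {_digest(d): json.loads(b64url_decode(d)) for d in disclosures}
    return _resolve(payload, by_digest)

def make_sample(extra_claims=None) -> str:
    """Constructed sample: placeholder signature, one disclosed and one withheld claim."""
    enc = lambda obj: b64url_encode(json.dumps(obj).encode())
    shown, hidden = enc(["c2FsdDE", "given_name", "Alice"]), enc(["c2FsdDI", "email", "a@example.com"])
    payload = {"iss": "https://issuer.example", "_sd": [_digest(shown), _digest(hidden)], "_sd_alg": "sha-256"}
    payload.update(extra_claims or {})
    return f"{enc({'alg': 'ES256'})}.{enc(payload)}.{b64url_encode(b'not-a-signature')}~{shown}~"
```

Because the signature segment is never examined, any payload unpacks the same way, so the result suits display and request matching only; claims that feed a trust decision still have to come from the verifier.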