k2gl/sd-jwt-vc
Composer 安装命令:
composer require k2gl/sd-jwt-vc
包简介
SD-JWT-based Verifiable Credentials (SD-JWT VC) in pure PHP: issue and verify dc+sd-jwt credentials.
关键字:
README 文档
README
SD-JWT-based Verifiable Credentials
(draft-ietf-oauth-sd-jwt-vc)
in pure PHP: issue and verify dc+sd-jwt credentials — the format HAIP and the EU Digital
Identity Wallet build on. RFC 9901 processing is provided by
k2gl/sd-jwt; this package adds the credential layer:
the typ/vct rules, the protected-claims rules, and Issuer key discovery.
Tracks draft -17 (at the IESG for publication). The test suite verifies the draft's own
worked examples byte for byte. The most churn-prone surface across draft revisions has been
the media type; the verifier accepts both dc+sd-jwt and the pre-2024 vc+sd-jwt
(switchable off).
Install
composer require k2gl/sd-jwt-vc
Requires PHP 8.1+. The JWT VC Issuer Metadata resolver speaks PSR-18/PSR-17, so bring any HTTP client (or none, if you pin keys or use x5c).
Usage
Verify a presentation (Verifier / relying party)
use K2gl\SdJwt\KeyBinding; use K2gl\SdJwtVc\JwtVcIssuerMetadata; use K2gl\SdJwtVc\SdJwtVcVerifier; $verifier = new SdJwtVcVerifier; $credential = $verifier->verifyPresentation( $compact, new JwtVcIssuerMetadata($psr18Client, $psr17RequestFactory), // resolves /.well-known/jwt-vc-issuer KeyBinding::required(audience: 'https://verifier.example.org', nonce: $nonce), ); $credential->vct(); // "https://credentials.example.com/identity_credential" $credential->claims(); // the Processed SD-JWT Payload $credential->status(); // the status claim, if any (e.g. Token Status List reference)
Key discovery mechanisms (Section 2.5), all pluggable via IssuerKeyResolver:
JwtVcIssuerMetadata— web-based resolution from/.well-known/jwt-vc-issuer,jwksorjwks_uri, kid-aware,issuer⇔issidentity enforced.X5cIssuerKeys— thex5cheader chain, validated against your trust anchors (signatures, validity windows, anchor membership; revocation is out of scope).StaticIssuerKeys— keys pinned in configuration.- Any k2gl/dsse
Verifierdirectly, when there is exactly one trusted key.
Issue a credential
use K2gl\SdJwt\Jws\JwsSigner; use K2gl\SdJwt\Sd; use K2gl\SdJwtVc\SdJwtVcIssuer; $issuer = new SdJwtVcIssuer(JwsSigner::es256FromPem($pem)); $credential = $issuer->issue([ 'vct' => 'https://credentials.example.com/identity_credential', 'iss' => 'https://issuer.example.com', 'iat' => time(), 'cnf' => ['jwk' => $holderJwk], 'given_name' => Sd::hide('John'), 'birthdate' => Sd::hide('1983-07-29'), ]); $compact = $credential->toCompact();
The typ header is always dc+sd-jwt; vct is required; the claims that the draft
forbids disclosing selectively (iss, nbf, exp, cnf, vct, vct#integrity,
status) are rejected if wrapped in Sd::hide() — and rejected again at verification
time if a foreign issuer tried it.
Presentation building (selecting disclosures, Key Binding) is the Holder side and lives in
k2gl/sd-jwt's Presentation.
Scope
dc+sd-jwtissuance and verification per draft -17, compact serialization.- Key discovery: JWT VC Issuer Metadata (PSR-18), x5c chains, pinned keys.
statusclaim surfaced for a status-mechanism check by the application; a Token Status List implementation is a separate concern.- Type Metadata (Section 4: display, claim metadata,
vct#integrity) is not implemented — it is wallet-display machinery, not needed to issue or verify.
License
MIT © Nick Harin
统计信息
- 总下载量: 0
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 0
- 点击次数: 2
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2026-07-07