feat: Add Token Status List support for SDJWT VC #2326

Open
wants to merge 12 commits into base: main

Conversation

DaevMithran
Contributor

@DaevMithran DaevMithran commented Jul 2, 2025

This PR adds support for Token Status Lists in SD-JWT VC credentials, based on the specification ([spec link]).

Features:

  • Token Status List integration: Enables status management for SD-JWT VCs using the Token Status List mechanism defined in the spec.
  • Pluggable registry system:
    The approach to configuring Token Status List registries follows the same pattern used for registrars and resolvers. This ensures flexibility and consistency within the framework.

Default Behavior:

  • By default, the module uses the HttpTokenStatusListRegistry to publish and manage status lists via HTTP endpoints.

Custom Registry Support:

  • Consumers can override the default behavior by implementing the TokenStatusListRegistryInterface and configuring custom registries at module startup.

  • Example:

    sdJwtVc: new SdJwtVcModule({
      registries: [new CheqdTokenStatusListRegistry()],
    })
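The status mechanism this PR wires in is the bit-array format of the Token Status List specification. The following is an added illustration, not code from this PR or from Credo: it packs and unpacks the `status_list` claim (`bits` plus a DEFLATE-compressed, base64url-encoded `lst`) and performs the relying-party lookup of a credential's `status.status_list.idx`. The URI and timestamps are constructed; the one-bit and two-bit value sequences follow the examples given in the specification.

```typescript
// Added example, not part of the Credo PR: the Token Status List bit-array format
// from draft-ietf-oauth-status-list, plus the relying-party side lookup.
import { deflateSync, inflateSync } from 'node:zlib'

// Status values defined by the specification.
const STATUS_VALID = 0x00
const STATUS_INVALID = 0x01
const STATUS_SUSPENDED = 0x02

type StatusBits = 1 | 2 | 4 | 8

// Packs one status value per index into a byte array. Within a byte the lowest
// index occupies the least significant bits, which is the layout the spec mandates.
function packStatusList(values: number[], bits: StatusBits): Uint8Array {
  const perByte = 8 / bits
  const max = (1 << bits) - 1
  const out = new Uint8Array(Math.ceil(values.length / perByte))
  values.forEach((value, idx) => {
    if (!Number.isInteger(value) || value < 0 || value > max) {
      throw new Error(`status ${value} does not fit in ${bits} bit(s)`)
    }
    out[Math.floor(idx / perByte)] |= value << ((idx % perByte) * bits)
  })
  return out
}

// Reads the status value stored for idx. An out-of-range index is an error rather
// than silently VALID, so a truncated or mismatched list cannot pass a revoked credential.
function statusAt(packed: Uint8Array, bits: StatusBits, idx: number): number {
  const perByte = 8 / bits
  const byteIndex = Math.floor(idx / perByte)
  if (idx < 0 || byteIndex >= packed.length) throw new Error(`index ${idx} is outside the status list`)
  return (packed[byteIndex] >> ((idx % perByte) * bits)) & ((1 << bits) - 1)
}

// Builds the `status_list` claim of a Status List Token: the packed array is
// DEFLATE-compressed (zlib container) and base64url-encoded into `lst`.
function encodeStatusListClaim(values: number[], bits: StatusBits): { bits: StatusBits; lst: string } {
  const compressed = deflateSync(packStatusList(values, bits), { level: 9 })
  return { bits, lst: compressed.toString('base64url') }
}

function decodeStatusListClaim(claim: { bits: StatusBits; lst: string }): Uint8Array {
  return new Uint8Array(inflateSync(Buffer.from(claim.lst, 'base64url')))
}

// `status` claim carried by the referenced token (here the SD-JWT VC).
interface StatusClaim {
  status_list: { idx: number; uri: string }
}

// Claims of a Status List Token (typ "statuslist+jwt"). The caller must already have
// verified its signature against the issuer's key before passing the payload here.
interface StatusListTokenPayload {
  sub: string
  iat: number
  exp?: number
  status_list: { bits: StatusBits; lst: string }
}

// Relying-party check: the fetched token must be the list the credential points at
// (sub === uri) and must not be expired; only then is idx looked up.
function checkReferencedTokenStatus(
  status: StatusClaim,
  token: StatusListTokenPayload,
  now: number = Math.floor(Date.now() / 1000),
): number {
  const ref = status.status_list
  if (token.sub !== ref.uri) {
    throw new Error('Status List Token sub does not match status_list.uri of the credential')
  }
  if (token.exp !== undefined && token.exp <= now) throw new Error('Status List Token has expired')
  return statusAt(decodeStatusListClaim(token.status_list), token.status_list.bits, ref.idx)
}

// Sixteen one-bit entries as in the specification's bits=1 example; they pack to 0xb9 0xa3.
const SPEC_ONE_BIT_LIST = [1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1]
const EXAMPLE_URI = 'https://issuer.example/statuslists/1' // constructed, not a real endpoint

// Constructed Status List Token payload an issuer would sign and publish at EXAMPLE_URI.
function buildExampleStatusListToken(): StatusListTokenPayload {
  return { sub: EXAMPLE_URI, iat: 1751414400, status_list: encodeStatusListClaim(SPEC_ONE_BIT_LIST, 1) }
}
```

The signature check deliberately sits outside this code: `checkReferencedTokenStatus` trusts its payload argument, so the caller has to establish that the Status List Token was signed by the credential's issuer before the lookup means anything.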

@DaevMithran DaevMithran requested a review from a team as a code owner July 2, 2025 07:56

changeset-bot bot commented Jul 2, 2025

⚠️ No Changeset found

Latest commit: fbeda86

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Signed-off-by: DaevMithran <daevmithran1999@gmail.com>
@DaevMithran DaevMithran marked this pull request as draft July 2, 2025 08:39
@DaevMithran DaevMithran marked this pull request as ready for review July 4, 2025 08:10
Signed-off-by: DaevMithran <daevmithran1999@gmail.com>
Signed-off-by: DaevMithran <daevmithran1999@gmail.com>
DaevMithran and others added 3 commits July 8, 2025 10:32
Signed-off-by: DaevMithran <daevmithran1999@gmail.com>
Signed-off-by: DaevMithran <daevmithran1999@gmail.com>
@DaevMithran DaevMithran changed the title from "feat: Add TokenStatusListService" to "feat: Add Token Status List support for SDJWT VC" Jul 8, 2025
Signed-off-by: DaevMithran <daevmithran1999@gmail.com>
Signed-off-by: DaevMithran <daevmithran1999@gmail.com>
Signed-off-by: DaevMithran <daevmithran1999@gmail.com>
@tweeddalex

Hey @TimoGlastra I think this is ready for your review if you get capacity! Would be awesome to have this added, and can be consumed directly by Paradym

Comment on lines 216 to 234
issuer.method === 'did'
  ? async ({ protectedHeader: { alg, kid } }) => {
      if (!kid || typeof kid !== 'string') throw new CredoError('Missing kid in protected header.')

      const { did } = parseDid(issuer.didUrl)
      const didUrl = `${did}${kid}`
      const didsApi = agentContext.dependencyManager.resolve(DidsApi)
      const didDocument = await didsApi.resolveDidDocument(did)
      const verificationMethod = didDocument.dereferenceKey(didUrl)
      const publicJwk = getPublicJwkFromVerificationMethod(verificationMethod)

      return {
        alg,
        method: issuer.method,
        didUrl,
        jwk: publicJwk,
      }
    }
  : undefined,
Contributor

If the JWT is now signed with something other than a DID, we don't check whether it's actually signed by the SdJwtVcIssuer.

I think we should use jwsSigner instead and provide it beforehand.

Contributor Author


@TimoGlastra Could you share some references for jwsSigner?

Comment on lines 194 to 206
if (uri) {
  if (isDid(uri)) {
    method = parseDid(uri).method
  } else if (isURL(uri)) {
    method = 'http'
  } else {
    throw new TokenStatusListError('Status List Uri is not supported')
  }
} else if (issuer && issuer.method === 'did') {
  method = parseDid(issuer.didUrl).method
} else {
  throw new TokenStatusListError('Status List Uri is not provided')
}
Contributor


Adding this logic here makes the registry not really extendable by nature.

I think it would make more sense to provide a URI to the registry and match based on a regex (like we do with AnonCreds). Both the iss/uri values can be passed to it.

Contributor Author

@DaevMithran DaevMithran Jul 22, 2025


There could be multiple handlers for each URI according to the regex, is it?

I was thinking that for all HTTP URIs they would be consistent and follow a pattern similar to the DID registrar: anyone can register a custom HTTPTokenStatusListRegistry and the different DID methods it can support.

Contributor Author


@TimoGlastra Made the changes
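The review thread above discusses selecting a registry from the status list reference (`status_list.uri` or the credential's `iss`) by pattern rather than by branching on the DID method inside the service. The following is an added illustration of that design and is not the PR's code; it borrows the idea of a `supportedIdentifier` regex from Credo's AnonCreds registries, but the `TokenStatusListRegistry` interface, the two registry classes, the service and the fetch stand-in are all assumptions made for the example, and the identifiers and returned token strings are constructed.

```typescript
// Added example, not the PR's code: pick a Token Status List registry by matching the
// reference against each registry's identifier pattern. Names below are assumptions for
// illustration, not the PR's TokenStatusListRegistryInterface.

interface StatusListReference {
  uri?: string // status_list.uri from the credential's status claim
  iss?: string // issuer of the credential, e.g. a DID
}

interface TokenStatusListRegistry {
  readonly name: string
  readonly supportedIdentifier: RegExp
  resolveStatusListToken(identifier: string, ref: StatusListReference): Promise<string>
}

// Constructed stand-in for the network/ledger fetch, keyed by identifier, so the
// example runs offline. The values are placeholders, not real tokens.
const CONSTRUCTED_FETCH_RESULTS: Record<string, string> = {
  'https://issuer.example/statuslists/1': 'constructed.statuslist+jwt.for.http',
  'did:cheqd:testnet:00000000-0000-0000-0000-000000000000': 'constructed.statuslist+jwt.for.cheqd',
}

function lookupConstructed(identifier: string): string {
  const token = CONSTRUCTED_FETCH_RESULTS[identifier]
  if (!token) throw new Error(`No status list token found for ${identifier}`)
  return token
}

class HttpTokenStatusListRegistry implements TokenStatusListRegistry {
  readonly name = 'http'
  // Design choice for this example: only https is accepted, so a status list cannot be
  // fetched over a channel an on-path attacker could rewrite.
  readonly supportedIdentifier = /^https:\/\/[^/?#]+/
  async resolveStatusListToken(identifier: string): Promise<string> {
    return lookupConstructed(identifier)
  }
}

class CheqdTokenStatusListRegistry implements TokenStatusListRegistry {
  readonly name = 'cheqd'
  readonly supportedIdentifier = /^did:cheqd:/
  async resolveStatusListToken(identifier: string): Promise<string> {
    return lookupConstructed(identifier)
  }
}

class TokenStatusListRegistryService {
  constructor(private readonly registries: TokenStatusListRegistry[]) {}

  // The explicit uri wins when present; otherwise the issuer identifier is used.
  // Exactly one registry may claim an identifier: zero means unsupported and more than
  // one is a misconfiguration, and neither case silently picks a registry.
  getRegistryFor(ref: StatusListReference): { registry: TokenStatusListRegistry; identifier: string } {
    const identifier = ref.uri ?? ref.iss
    if (!identifier) throw new Error('Status list reference carries neither uri nor iss')
    const matches = this.registries.filter((r) => r.supportedIdentifier.test(identifier))
    if (matches.length > 1) {
      throw new Error(`Registries ${matches.map((m) => m.name).join(', ')} all claim ${identifier}`)
    }
    if (matches.length === 0) throw new Error(`No registry supports ${identifier}`)
    return { registry: matches[0], identifier }
  }

  async resolveStatusListToken(ref: StatusListReference): Promise<string> {
    const { registry, identifier } = this.getRegistryFor(ref)
    return registry.resolveStatusListToken(identifier, ref)
  }
}

// Module-style wiring comparable to the PR description's `registries` option.
function buildDefaultService(): TokenStatusListRegistryService {
  return new TokenStatusListRegistryService([new HttpTokenStatusListRegistry(), new CheqdTokenStatusListRegistry()])
}
```

Treating an ambiguous match as an error answers the question raised in the thread about several handlers matching one URI: overlapping patterns are a deployment mistake and surface immediately, instead of the first-registered registry quietly winning.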

protectedHeaderOptions: {
  alg: issuerKey.alg,
  typ: header.typ,
  kid: issuerKey.kid,
Contributor


In case the status list is signed by a DID, this should be the DID key reference, not the KMS key reference. Is that the case when a DID is used?

 * @internal
 */
@injectable()
export class TokenStatusListService {
Contributor


Thinking whether we should make this an external module and not make it depend on SD-JWT VC, but for now it's fine I think.

DaevMithran and others added 3 commits July 28, 2025 13:13
Signed-off-by: DaevMithran <daevmithran1999@gmail.com>
Signed-off-by: DaevMithran <daevmithran1999@gmail.com>
3 participants