Add-skew time (#293)

Signed-off-by: Mirko Mollik <mirko.mollik@eudi.sprind.org>
Signed-off-by: Mirko Mollik <mirkomollik@gmail.com>
Co-authored-by: Timo Glastra <timo@animo.id>

Author: cre8

packages/core/src/index.ts

@@ -4,7 +4,7 @@ import {
   SDJWTException,
   uint8ArrayToBase64Url,
 } from '@sd-jwt/utils';
-import { Jwt } from './jwt';
+import { Jwt, type VerifierOptions } from './jwt';
 import { KBJwt } from './kbjwt';
 import { SDJwt, pack } from './sdjwt';
 import {
@@ -86,11 +86,11 @@ export class SDJwtInstance<ExtendedPayload extends SdJwtPayload> {
     return jwt;
   }
 
-  private async VerifyJwt(jwt: Jwt, currentDate: number) {
+  private async VerifyJwt(jwt: Jwt, options?: VerifierOptions) {
     if (!this.userConfig.verifier) {
       throw new SDJWTException('Verifier not found');
     }
-    return jwt.verify(this.userConfig.verifier, currentDate);
+    return jwt.verify(this.userConfig.verifier, options);
   }
 
   public async issue<Payload extends ExtendedPayload>(
@@ -277,13 +277,10 @@ export class SDJwtInstance<ExtendedPayload extends SdJwtPayload> {
    * This function is for validating the SD JWT
    * Checking signature, if provided the iat and exp when provided and return its the claims
    * @param encodedSDJwt
-   * @param currentDate
+   * @param options
    * @returns
    */
-  public async validate(
-    encodedSDJwt: string,
-    currentDate: number = Math.floor(Date.now() / 1000),
-  ) {
+  public async validate(encodedSDJwt: string, options?: VerifierOptions) {
     if (!this.userConfig.hasher) {
       throw new SDJWTException('Hasher not found');
     }
@@ -294,7 +291,7 @@ export class SDJwtInstance<ExtendedPayload extends SdJwtPayload> {
       throw new SDJWTException('Invalid SD JWT');
     }
 
-    const verifiedPayloads = await this.VerifyJwt(sdjwt.jwt, currentDate);
+    const verifiedPayloads = await this.VerifyJwt(sdjwt.jwt, options);
     const claims = await sdjwt.getClaims(hasher);
     return { payload: claims, header: verifiedPayloads.header };
   }

packages/core/src/jwt.ts

@@ -12,6 +12,21 @@ export type JwtData<
   encoded?: string;
 };
 
+/**
+ * Options for the JWT verifier
+ */
+export type VerifierOptions = {
+  /**
+   * current time in seconds since epoch
+   */
+  currentDate?: number;
+
+  /**
+   * allowed skew for the current time in seconds. Positive value that will lower the iat and nbf checks, and increase the exp check.
+   */
+  skewSeconds?: number;
+};
+
 // This class is used to create and verify JWT
 // Contains header, payload, and signature
 export class Jwt<
@@ -117,21 +132,29 @@ export class Jwt<
    * Verify the JWT using the provided verifier function.
    * It checks the signature and validates the iat, nbf, and exp claims if they are present.
    * @param verifier
-   * @param currentDate
+   * @param options - Options for verification, such as current date and skew seconds
    * @returns
    */
-  public async verify(
-    verifier: Verifier,
-    currentDate = Math.floor(Date.now() / 1000),
-  ) {
-    if (this.payload?.iat && (this.payload.iat as number) > currentDate) {
+  public async verify(verifier: Verifier, options?: VerifierOptions) {
+    const skew = options?.skewSeconds ? options.skewSeconds : 0;
+    const currentDate = options?.currentDate ?? Math.floor(Date.now() / 1000);
+    if (
+      this.payload?.iat &&
+      (this.payload.iat as number) - skew > currentDate
+    ) {
       throw new SDJWTException('Verify Error: JWT is not yet valid');
     }
 
-    if (this.payload?.nbf && (this.payload.nbf as number) > currentDate) {
+    if (
+      this.payload?.nbf &&
+      (this.payload.nbf as number) - skew > currentDate
+    ) {
       throw new SDJWTException('Verify Error: JWT is not yet valid');
     }
-    if (this.payload?.exp && (this.payload.exp as number) < currentDate) {
+    if (
+      this.payload?.exp &&
+      (this.payload.exp as number) + skew < currentDate
+    ) {
       throw new SDJWTException('Verify Error: JWT is expired');
     }
 

packages/core/src/test/jwt.spec.ts

@@ -269,12 +269,39 @@ describe('JWT', () => {
     });
 
     try {
-      await jwt.verify(testVerifier, Math.floor(Date.now() / 1000) + 100);
+      await jwt.verify(testVerifier, {
+        currentDate: Math.floor(Date.now() / 1000) + 100,
+      });
     } catch (e: unknown) {
       expect(e).toBeInstanceOf(SDJWTException);
       expect((e as SDJWTException).message).toBe(
         'Verify Error: JWT is expired',
       );
     }
   });
+
+  test('verify with skew', async () => {
+    const { privateKey, publicKey } = Crypto.generateKeyPairSync('ed25519');
+    const testVerifier: Verifier = async (data: string, sig: string) => {
+      return Crypto.verify(
+        null,
+        Buffer.from(data),
+        publicKey,
+        Buffer.from(sig, 'base64url'),
+      );
+    };
+
+    const jwt = new Jwt({
+      header: { alg: 'EdDSA' },
+      payload: { exp: Math.floor(Date.now() / 1000) - 1 },
+    });
+
+    const testSigner: Signer = async (data: string) => {
+      const sig = Crypto.sign(null, Buffer.from(data), privateKey);
+      return Buffer.from(sig).toString('base64url');
+    };
+
+    await jwt.sign(testSigner);
+    await jwt.verify(testVerifier, { skewSeconds: 2 });
+  });
 });

packages/sd-jwt-vc/src/sd-jwt-vc-instance.ts

@@ -1,4 +1,4 @@
-import { Jwt, SDJwt, SDJwtInstance } from '@sd-jwt/core';
+import { Jwt, SDJwt, SDJwtInstance, type VerifierOptions } from '@sd-jwt/core';
 import type { DisclosureFrame, Hasher, Verifier } from '@sd-jwt/types';
 import { SDJWTException } from '@sd-jwt/utils';
 import type { SdJwtVcPayload } from './sd-jwt-vc-payload';
@@ -110,9 +110,10 @@ export class SDJwtVcInstance extends SDJwtInstance<SdJwtVcPayload> {
    */
   async verify(
     encodedSDJwt: string,
+    //TODO: we need to move these values in options, causing a breaking change
     requiredClaimKeys?: string[],
     requireKeyBindings?: boolean,
-    currentDate: number = Math.floor(Date.now() / 1000),
+    options?: VerifierOptions,
   ) {
     // Call the parent class's verify method
     const result: VerificationResult = await super
@@ -125,7 +126,7 @@ export class SDJwtVcInstance extends SDJwtInstance<SdJwtVcPayload> {
         };
       });
 
-    await this.verifyStatus(result, currentDate);
+    await this.verifyStatus(result, options);
     if (this.userConfig.loadTypeMetadataFormat) {
       await this.verifyVct(result);
     }
@@ -302,11 +303,11 @@ export class SDJwtVcInstance extends SDJwtInstance<SdJwtVcPayload> {
   /**
    * Verifies the status of the SD-JWT-VC.
    * @param result
-   * @param currentDate current time in seconds
+   * @param options
    */
   private async verifyStatus(
     result: VerificationResult,
-    currentDate: number,
+    options?: VerifierOptions,
   ): Promise<void> {
     if (result.payload.status) {
       //checks if a status field is present in the payload based on https://www.ietf.org/archive/id/draft-ietf-oauth-status-list-02.html
@@ -325,8 +326,10 @@ export class SDJwtVcInstance extends SDJwtInstance<SdJwtVcPayload> {
           StatusListJWTPayload
         >(statusListJWT);
         // check if the status list has a valid signature. The presence of the verifier is checked in the parent class.
-        await slJWT.verify(this.userConfig.verifier as Verifier, currentDate);
+        await slJWT.verify(this.userConfig.verifier as Verifier, options);
 
+        const currentDate =
+          options?.currentDate ?? Math.floor(Date.now() / 1000);
         //check if the status list is expired
         if (slJWT.payload?.exp && (slJWT.payload.exp as number) < currentDate) {
           throw new SDJWTException('Status list is expired');