feat: fetch VCT Metadata from SD JWT header (#288) (#294)

patatoid · web-flow · commit f89ba445aeb5 · 2025-06-25T13:20:49.000+02:00
Signed-off-by: Pascal Knoth &lt;pascal@malach.it&gt;
diff --git a/packages/sd-jwt-vc/src/sd-jwt-vc-instance.ts b/packages/sd-jwt-vc/src/sd-jwt-vc-instance.ts
@@ -1,6 +1,6 @@
 import { Jwt, SDJwt, SDJwtInstance, type VerifierOptions } from '@sd-jwt/core';
 import type { DisclosureFrame, Hasher, Verifier } from '@sd-jwt/types';
-import { SDJWTException } from '@sd-jwt/utils';
+import { base64urlDecode, SDJWTException } from '@sd-jwt/utils';
 import type { SdJwtVcPayload } from './sd-jwt-vc-payload';
 import type {
   SDJWTVCConfig,
@@ -294,12 +294,50 @@ export class SDJwtVcInstance extends SDJwtInstance<SdJwtVcPayload> {
       throw new SDJWTException('vct claim is required');
     }
 
+    if (result.header?.vctm) {
+      return this.fetchVctFromHeader(result.payload.vct, result);
+    }
+
     const fetcher: VcTFetcher =
       this.userConfig.vctFetcher ??
       ((uri, integrity) => this.fetch(uri, integrity));
     return fetcher(result.payload.vct, result.payload['vct#Integrity']);
   }
 
+  /**
+   * Fetches VCT Metadata from the header of the SD-JWT-VC. Returns the type metadata format. If the SD-JWT-VC does not contain a vct claim, an error is thrown.
+   * @param result
+   * @param
+   */
+  private async fetchVctFromHeader(
+    vct: string,
+    result: VerificationResult,
+  ): Promise<TypeMetadataFormat> {
+    const vctmHeader = result.header?.vctm;
+
+    if (!vctmHeader || !Array.isArray(vctmHeader)) {
+      throw new Error('vctm claim in SD JWT header is invalid');
+    }
+
+    const typeMetadataFormat = (vctmHeader as unknown[])
+      .map((vctm) => {
+        if (!(typeof vctm === 'string')) {
+          throw new Error('vctm claim in SD JWT header is invalid');
+        }
+
+        return JSON.parse(base64urlDecode(vctm));
+      })
+      .find((typeMetadataFormat) => {
+        return typeMetadataFormat.vct === vct;
+      });
+
+    if (!typeMetadataFormat) {
+      throw new Error('could not find VCT Metadata in JWT header');
+    }
+
+    return typeMetadataFormat;
+  }
+
   /**
    * Verifies the status of the SD-JWT-VC.
    * @param result
diff --git a/packages/sd-jwt-vc/src/test/vct.spec.ts b/packages/sd-jwt-vc/src/test/vct.spec.ts
@@ -9,6 +9,16 @@ import { HttpResponse, http } from 'msw';
 import { afterEach } from 'node:test';
 import type { TypeMetadataFormat } from '../sd-jwt-vc-type-metadata-format';
 
+const exampleVctm = {
+  vct: 'http://example.com/example',
+  name: 'ExampleCredentialType',
+  description: 'An example credential type',
+  schema_uri: 'http://example.com/schema/example',
+  //this value could be generated on demand to make it easier when changing the values
+  'schema_uri#Integrity':
+    'sha256-48a61b283ded3b55e8d9a9b063327641dc4c53f76bd5daa96c23f232822167ae',
+};
+
 const restHandlers = [
   http.get('http://example.com/schema/example', () => {
     const res = {
@@ -42,15 +52,7 @@ const restHandlers = [
     return HttpResponse.json(res);
   }),
   http.get('http://example.com/example', () => {
-    const res: TypeMetadataFormat = {
-      vct: 'http://example.com/example',
-      name: 'ExampleCredentialType',
-      description: 'An example credential type',
-      schema_uri: 'http://example.com/schema/example',
-      //this value could be generated on demand to make it easier when changing the values
-      'schema_uri#Integrity':
-        'sha256-48a61b283ded3b55e8d9a9b063327641dc4c53f76bd5daa96c23f232822167ae',
-    };
+    const res: TypeMetadataFormat = exampleVctm;
     return HttpResponse.json(res);
   }),
   http.get('http://example.com/timeout', () => {
@@ -133,6 +135,26 @@ describe('App', () => {
     await sdjwt.verify(encodedSdjwt);
   });
 
+  test('VCT from JWT header Validation', async () => {
+    const expectedPayload: SdJwtVcPayload = {
+      iat,
+      iss,
+      vct,
+      'vct#Integrity': vctIntegrity,
+      ...claims,
+    };
+    const header = {
+      vctm: [Buffer.from(JSON.stringify(exampleVctm)).toString('base64url')],
+    };
+    const encodedSdjwt = await sdjwt.issue(
+      expectedPayload,
+      disclosureFrame as unknown as DisclosureFrame<SdJwtVcPayload>,
+      { header },
+    );
+
+    await sdjwt.verify(encodedSdjwt);
+  });
+
   test('VCT Validation with timeout', async () => {
     const vct = 'http://example.com/timeout';
     const expectedPayload: SdJwtVcPayload = {
