diff --git a/internal/verifier/staticembed/presentation-definition.js b/internal/verifier/staticembed/presentation-definition.js
index 7b4179ae5..7cd78a611 100644
--- a/internal/verifier/staticembed/presentation-definition.js
+++ b/internal/verifier/staticembed/presentation-definition.js
@@ -8,11 +8,66 @@ const credentialAttributesSchema = v.object({
v.string(),
v.record(
v.string(),
- v.array(v.string()),
+ v.array(v.nullable(v.string())),
),
),
});
+/**
+ * @typedef {{ label: string; path: (string|null)[]; children: ClaimNode[] }} ClaimNode
+ */
+
+/**
+ * Build a tree of claim nodes from a flat claims map.
+ * Groups nested claims (path.length > 1) under their parent object.
+ * @param {Record
} claims - label → path mapping
+ * @returns {ClaimNode[]}
+ */
+function buildClaimTree(claims) {
+ /** @type {ClaimNode[]} */
+ const roots = [];
+ /** @type {Map} */
+ const parentMap = new Map();
+
+ // First pass: identify parent nodes (path.length === 1 that have children)
+ const entries = Object.entries(claims);
+ const childEntries = entries.filter(([, path]) => path.length > 1);
+ const parentKeys = new Set(childEntries.map(([, path]) => path[0]).filter(k => k !== null));
+
+ for (const [label, path] of entries) {
+ if (path.length === 1 && path[0] !== null && parentKeys.has(path[0])) {
+ // This is a parent node (object or array) that has children.
+ // If a synthetic parent was already created (child iterated first),
+ // upgrade it in place rather than creating a duplicate.
+ const existing = parentMap.get(path[0]);
+ if (existing) {
+ existing.label = label;
+ existing.path = path;
+ } else {
+ const node = { label, path, children: [] };
+ parentMap.set(path[0], node);
+ roots.push(node);
+ }
+ } else if (path.length > 1 && path[0] !== null) {
+ // This is a child — attach to parent
+ const parentKey = path[0];
+ let parent = parentMap.get(parentKey);
+ if (!parent) {
+ // Parent has no display entry; create a synthetic one
+ parent = { label: parentKey, path: [parentKey], children: [] };
+ parentMap.set(parentKey, parent);
+ roots.push(parent);
+ }
+ parent.children.push({ label, path, children: [] });
+ } else {
+ // Simple top-level claim
+ roots.push({ label, path, children: [] });
+ }
+ }
+
+ return roots;
+}
+
/** @typedef {v.InferOutput} CredentialsList */
const credentialsList = v.record(
v.string(),
@@ -32,7 +87,7 @@ const metadataResponseSchema = v.object({
vct_values: v.array(v.string()),
}),
claims: v.optional(v.array(v.object({
- path: v.array(v.string()),
+ path: v.array(v.nullable(v.string())),
}))),
validations: v.optional(v.array(v.object({
rule: v.string(),
@@ -54,7 +109,7 @@ const dcqlQueryCredentialSchema = v.object({
v.record(v.string(), v.union([v.string(), v.array(v.string())])),
]),
claims: v.optional(v.array(v.object({
- path: v.array(v.string()),
+ path: v.array(v.nullable(v.string())),
}))),
});
@@ -146,7 +201,7 @@ Alpine.data("app", () => ({
/** @type {Record | null} */
walletInstances: null,
- /** @type {{ id: string; vct: string; claims: Record; } | null} */
+ /** @type {{ id: string; vct: string; claims: Record; claimTree: ClaimNode[]; } | null} */
credentialAttributes: null,
/**
@@ -273,7 +328,7 @@ Alpine.data("app", () => ({
const chosenCredential = this.credentialsList[credential];
- /** @type {Record} */
+ /** @type {Record} */
const claims = {}
for (const [label, path] of Object.entries(chosenCredential.attributes['en-US'])) {
claims[label] = path;
@@ -283,6 +338,7 @@ Alpine.data("app", () => ({
id: credential,
vct: chosenCredential.vct,
claims,
+ claimTree: buildClaimTree(claims),
}
this.loading = false;
diff --git a/internal/verifier/staticembed/styles.css b/internal/verifier/staticembed/styles.css
index a0b99edee..3c3eb703d 100644
--- a/internal/verifier/staticembed/styles.css
+++ b/internal/verifier/staticembed/styles.css
@@ -48,8 +48,44 @@
padding: var(--bulma-box-padding);
border-radius: var(--bulma-box-radius);
background-color: var(--bulma-pre-background);
+ overflow: hidden;
+ min-width: 0;
> pre {
padding: 1rem 0 0 0;
+ max-width: 100%;
+ overflow-x: auto;
}
+}
+
+.vc-claim-group {
+ margin: 0.25rem 0;
+}
+
+.vc-claim-group-summary {
+ cursor: pointer;
+ list-style: none;
+ padding: 0.1rem 0;
+}
+
+.vc-claim-group-summary::-webkit-details-marker {
+ display: none;
+}
+
+.vc-claim-group-summary::before {
+ content: "▶ ";
+ font-size: 0.7em;
+ display: inline-block;
+ transition: transform 0.15s;
+}
+
+.vc-claim-group[open] > .vc-claim-group-summary::before {
+ transform: rotate(90deg);
+}
+
+.vc-claim-children {
+ padding-left: 1.25rem;
+ border-left: 2px solid var(--bulma-border, #ddd);
+ margin-left: 0.5rem;
+ margin-top: 0.15rem;
}
\ No newline at end of file
diff --git a/pkg/model/config.go b/pkg/model/config.go
index 1f2956f16..fffbc53fc 100644
--- a/pkg/model/config.go
+++ b/pkg/model/config.go
@@ -1074,7 +1074,7 @@ type CredentialMetadata struct {
// Format is the credential format to issue
Format string `yaml:"format" json:"format" validate:"required" default:"dc+sd-jwt" doc_example:"\"dc+sd-jwt\""`
// Attributes maps claim names to their source fields and transformation rules for credential issuance
- Attributes map[string]map[string][]string `yaml:"attributes" json:"attributes_v2" validate:"omitempty,dive,required"`
+ Attributes map[string]map[string][]*string `yaml:"attributes" json:"attributes_v2" validate:"omitempty,dive,required"`
// VCTMRaw holds the raw JSON bytes of the VCTM document for serving
// via /type-metadata/:scope. Only populated for local VCTMs (VCTMFilePath).
@@ -1174,7 +1174,7 @@ func (c *CredentialMetadata) GetVCTMRaw() []byte {
}
// GetAttributes returns the derived attributes under a read lock.
-func (c *CredentialMetadata) GetAttributes() map[string]map[string][]string {
+func (c *CredentialMetadata) GetAttributes() map[string]map[string][]*string {
c.mu.RLock()
defer c.mu.RUnlock()
return c.Attributes
diff --git a/pkg/openid4vp/dcql.go b/pkg/openid4vp/dcql.go
index d17a67e1e..a39c9c1bf 100644
--- a/pkg/openid4vp/dcql.go
+++ b/pkg/openid4vp/dcql.go
@@ -1,6 +1,10 @@
package openid4vp
-import "slices"
+import (
+ "encoding/json"
+ "fmt"
+ "slices"
+)
type DCQL struct {
// Credentials REQUIRED. A non-empty array of Credential Queries as defined in Section 6.1 that specify the requested Credentials.
@@ -134,8 +138,97 @@ type TrustedAuthority struct {
}
type ClaimQuery struct {
- // Path REQUIRED The value MUST be a non-empty array representing a claims path pointer that specifies the path to a claim within the Credential, as defined in Section 7.
- Path []string `json:"path" yaml:"path" validate:"required,min=1,dive,required"`
+ // Path REQUIRED The value MUST be a non-empty array representing a claims path pointer
+ // that specifies the path to a claim within the Credential, as defined in Section 7.
+ // Elements are strings (object keys) or nil (representing null for array element access).
+ Path []*string `json:"-" yaml:"-" validate:"required,min=1"`
+}
+
+// MarshalJSON implements custom JSON marshaling for ClaimQuery.
+// Nil path elements are serialized as JSON null (for DCQL array element access).
+func (cq ClaimQuery) MarshalJSON() ([]byte, error) {
+ path := make([]any, len(cq.Path))
+ for i, p := range cq.Path {
+ if p == nil {
+ path[i] = nil
+ } else {
+ path[i] = *p
+ }
+ }
+ return json.Marshal(struct {
+ Path []any `json:"path"`
+ }{Path: path})
+}
+
+// UnmarshalJSON implements custom JSON unmarshaling for ClaimQuery.
+// JSON null path elements are deserialized as nil pointers; non-string/non-null
+// elements cause an unmarshal error (Go's json package rejects them for *string).
+func (cq *ClaimQuery) UnmarshalJSON(data []byte) error {
+ var raw struct {
+ Path []*string `json:"path"`
+ }
+ if err := json.Unmarshal(data, &raw); err != nil {
+ return err
+ }
+ if err := validateClaimPath(raw.Path); err != nil {
+ return err
+ }
+ cq.Path = raw.Path
+ return nil
+}
+
+// UnmarshalYAML implements custom YAML unmarshaling for ClaimQuery.
+// YAML null path elements are deserialized as nil pointers; non-string/non-null
+// elements cause an unmarshal error.
+func (cq *ClaimQuery) UnmarshalYAML(unmarshal func(any) error) error {
+ var raw struct {
+ Path []*string `yaml:"path"`
+ }
+ if err := unmarshal(&raw); err != nil {
+ return err
+ }
+ if err := validateClaimPath(raw.Path); err != nil {
+ return err
+ }
+ cq.Path = raw.Path
+ return nil
+}
+
+// validateClaimPath checks that the path is non-empty and that non-nil elements are not empty strings.
+// Nil elements are valid (they represent JSON null for array element access).
+func validateClaimPath(path []*string) error {
+ if len(path) == 0 {
+ return fmt.Errorf("claim path must not be empty")
+ }
+ for i, p := range path {
+ if p != nil && *p == "" {
+ return fmt.Errorf("claim path element at index %d must not be empty", i)
+ }
+ }
+ return nil
+}
+
+// StringPath creates a []*string path from string arguments.
+// This is a convenience for constructing ClaimQuery paths.
+func StringPath(parts ...string) []*string {
+ path := make([]*string, len(parts))
+ for i := range parts {
+ s := parts[i]
+ path[i] = &s
+ }
+ return path
+}
+
+// ArrayElementPath creates a []*string path ending with nil (null) for array element access.
+// Example: ArrayElementPath("nationalities") → ["nationalities", null]
+func ArrayElementPath(parts ...string) []*string {
+ path := make([]*string, len(parts)+1)
+ for i := range parts {
+ s := parts[i]
+ path[i] = &s
+ }
+ path[len(parts)] = nil // null for array element access
+ return path
}
//type ClaimQuery struct {
diff --git a/pkg/openid4vp/dcql_functions_test.go b/pkg/openid4vp/dcql_functions_test.go
index 4d9876cca..885985e2a 100644
--- a/pkg/openid4vp/dcql_functions_test.go
+++ b/pkg/openid4vp/dcql_functions_test.go
@@ -511,7 +511,7 @@ func TestDCQLValidationError(t *testing.T) {
func TestNewVC20CredentialQuery(t *testing.T) {
id := "my_credential"
typeValues := [][]string{{"VerifiableCredential", "PersonalID"}}
- claims := []ClaimQuery{{Path: []string{"given_name"}}}
+ claims := []ClaimQuery{{Path: StringPath("given_name")}}
query := NewVC20CredentialQuery(id, typeValues, claims)
diff --git a/pkg/openid4vp/dcql_resolve.go b/pkg/openid4vp/dcql_resolve.go
new file mode 100644
index 000000000..d91e727f3
--- /dev/null
+++ b/pkg/openid4vp/dcql_resolve.go
@@ -0,0 +1,53 @@
+package openid4vp
+
+import "strconv"
+
+// ResolveDCQLPath resolves a DCQL claim path against a credential value.
+// Per DCQL Section 7.1:
+// - string segments navigate object keys
+// - nil means "all array elements" (returns []any of resolved values)
+// - numeric strings are array indices
+func ResolveDCQLPath(data any, path []*string) any {
+ if len(path) == 0 {
+ return data
+ }
+
+ seg := path[0]
+ rest := path[1:]
+
+ if seg == nil {
+ // null = iterate all array elements
+ arr, ok := data.([]any)
+ if !ok {
+ return nil
+ }
+ results := make([]any, 0, len(arr))
+ for _, elem := range arr {
+ results = append(results, ResolveDCQLPath(elem, rest))
+ }
+ return results
+ }
+
+ // Try as array index only when the current node is actually an array.
+ // Numeric object keys (e.g. "14" in age_equal_or_over) must not be
+ // misinterpreted as array indices.
+ if arr, ok := data.([]any); ok {
+ if idx, err := strconv.Atoi(*seg); err == nil {
+ if idx < 0 || idx >= len(arr) {
+ return nil
+ }
+ return ResolveDCQLPath(arr[idx], rest)
+ }
+ }
+
+ // Object key
+ obj, ok := data.(map[string]any)
+ if !ok {
+ return nil
+ }
+ val, exists := obj[*seg]
+ if !exists {
+ return nil
+ }
+ return ResolveDCQLPath(val, rest)
+}
diff --git a/pkg/openid4vp/dcql_test.go b/pkg/openid4vp/dcql_test.go
index efadc4ce0..b8dfdf71b 100644
--- a/pkg/openid4vp/dcql_test.go
+++ b/pkg/openid4vp/dcql_test.go
@@ -99,9 +99,9 @@ func TestExample(t *testing.T) {
VCTValues: []string{"https://credentials.example.com/identity_credential"},
},
Claims: []ClaimQuery{
- {Path: []string{"last_name"}},
- {Path: []string{"first_name"}},
- {Path: []string{"address", "street_address"}},
+ {Path: StringPath("last_name")},
+ {Path: StringPath("first_name")},
+ {Path: StringPath("address", "street_address")},
},
},
},
@@ -125,40 +125,40 @@ func TestExample(t *testing.T) {
VCTValues: []string{"urn:eudi:pid:1"},
},
Claims: []ClaimQuery{
- {Path: []string{"given_name"}},
- {Path: []string{"birth_given_name"}},
- {Path: []string{"family_name"}},
- {Path: []string{"birth_family_name"}},
- {Path: []string{"birthdate"}},
- {Path: []string{"place_of_birth", "country"}},
- {Path: []string{"place_of_birth", "region"}},
- {Path: []string{"place_of_birth", "locality"}},
- {Path: []string{"nationalities"}},
- {Path: []string{"personal_administrative_number"}},
- {Path: []string{"sex"}},
- {Path: []string{"address", "formatted"}},
- {Path: []string{"address", "street_address"}},
- {Path: []string{"address", "house_number"}},
- {Path: []string{"address", "postal_code"}},
- {Path: []string{"address", "locality"}},
- {Path: []string{"address", "region"}},
- {Path: []string{"address", "country"}},
- {Path: []string{"age_equal_or_over", "14"}},
- {Path: []string{"age_equal_or_over", "16"}},
- {Path: []string{"age_equal_or_over", "18"}},
- {Path: []string{"age_equal_or_over", "21"}},
- {Path: []string{"age_equal_or_over", "65"}},
- {Path: []string{"age_in_years"}},
- {Path: []string{"age_birth_year"}},
- {Path: []string{"email"}},
- {Path: []string{"phone_number"}},
- {Path: []string{"issuing_authority"}},
- {Path: []string{"issuing_country"}},
- {Path: []string{"issuing_jurisdiction"}},
- {Path: []string{"date_of_expiry"}},
- {Path: []string{"date_of_issuance"}},
- {Path: []string{"document_number"}},
- {Path: []string{"picture"}},
+ {Path: StringPath("given_name")},
+ {Path: StringPath("birth_given_name")},
+ {Path: StringPath("family_name")},
+ {Path: StringPath("birth_family_name")},
+ {Path: StringPath("birthdate")},
+ {Path: StringPath("place_of_birth", "country")},
+ {Path: StringPath("place_of_birth", "region")},
+ {Path: StringPath("place_of_birth", "locality")},
+ {Path: StringPath("nationalities")},
+ {Path: StringPath("personal_administrative_number")},
+ {Path: StringPath("sex")},
+ {Path: StringPath("address", "formatted")},
+ {Path: StringPath("address", "street_address")},
+ {Path: StringPath("address", "house_number")},
+ {Path: StringPath("address", "postal_code")},
+ {Path: StringPath("address", "locality")},
+ {Path: StringPath("address", "region")},
+ {Path: StringPath("address", "country")},
+ {Path: StringPath("age_equal_or_over", "14")},
+ {Path: StringPath("age_equal_or_over", "16")},
+ {Path: StringPath("age_equal_or_over", "18")},
+ {Path: StringPath("age_equal_or_over", "21")},
+ {Path: StringPath("age_equal_or_over", "65")},
+ {Path: StringPath("age_in_years")},
+ {Path: StringPath("age_birth_year")},
+ {Path: StringPath("email")},
+ {Path: StringPath("phone_number")},
+ {Path: StringPath("issuing_authority")},
+ {Path: StringPath("issuing_country")},
+ {Path: StringPath("issuing_jurisdiction")},
+ {Path: StringPath("date_of_expiry")},
+ {Path: StringPath("date_of_issuance")},
+ {Path: StringPath("document_number")},
+ {Path: StringPath("picture")},
},
},
},
diff --git a/pkg/openid4vp/dcql_vc20_test.go b/pkg/openid4vp/dcql_vc20_test.go
index 81f9c1345..b63639b66 100644
--- a/pkg/openid4vp/dcql_vc20_test.go
+++ b/pkg/openid4vp/dcql_vc20_test.go
@@ -60,9 +60,9 @@ func TestDCQLQueryExample(t *testing.T) {
TypeValues: [][]string{{"VerifiableCredential", "PersonalID"}},
},
Claims: []ClaimQuery{
- {Path: []string{"given_name"}},
- {Path: []string{"family_name"}},
- {Path: []string{"birth_date"}},
+ {Path: StringPath("given_name")},
+ {Path: StringPath("family_name")},
+ {Path: StringPath("birth_date")},
},
},
},
diff --git a/pkg/openid4vp/presentation_builder.go b/pkg/openid4vp/presentation_builder.go
index 6c606fc7f..09d755833 100644
--- a/pkg/openid4vp/presentation_builder.go
+++ b/pkg/openid4vp/presentation_builder.go
@@ -179,8 +179,15 @@ func copyDCQL(src *DCQL) *DCQL {
if len(cred.Claims) > 0 {
dst.Credentials[i].Claims = make([]ClaimQuery, len(cred.Claims))
for j, claim := range cred.Claims {
+ pathCopy := make([]*string, len(claim.Path))
+ for k, p := range claim.Path {
+ if p != nil {
+ s := *p
+ pathCopy[k] = &s
+ }
+ }
dst.Credentials[i].Claims[j] = ClaimQuery{
- Path: append([]string{}, claim.Path...),
+ Path: pathCopy,
}
}
}
diff --git a/pkg/openid4vp/response_parameters.go b/pkg/openid4vp/response_parameters.go
index 79542fc34..780123299 100644
--- a/pkg/openid4vp/response_parameters.go
+++ b/pkg/openid4vp/response_parameters.go
@@ -12,6 +12,62 @@ type VPResponse struct {
State string `json:"state,omitempty" bson:"state" validate:"required"`
}
+// UnmarshalJSON implements custom JSON unmarshaling for VPResponse.
+// Handles the different vp_token formats wallets may send:
+// - DCQL object: {"credential_id": "token"} or {"credential_id": ["token1", "token2"]}
+// - Single string: "token" (mapped to first scope or "_default" key)
+func (v *VPResponse) UnmarshalJSON(data []byte) error {
+ // Use a raw intermediary to handle flexible vp_token types
+ var raw struct {
+ VPToken json.RawMessage `json:"vp_token"`
+ State string `json:"state"`
+ }
+ if err := json.Unmarshal(data, &raw); err != nil {
+ return err
+ }
+
+ if raw.State == "" {
+ return fmt.Errorf("state: missing or empty")
+ }
+ v.State = raw.State
+
+ if len(raw.VPToken) == 0 {
+ return fmt.Errorf("vp_token: missing or empty")
+ }
+
+ v.VPToken = make(map[string][]string)
+
+ // Try as object (DCQL format): {"id": "token"} or {"id": ["token1","token2"]}
+ var obj map[string]json.RawMessage
+ if err := json.Unmarshal(raw.VPToken, &obj); err == nil {
+ for key, val := range obj {
+ // Try as string first
+ var s string
+ if err := json.Unmarshal(val, &s); err == nil {
+ v.VPToken[key] = []string{s}
+ continue
+ }
+ // Try as array of strings
+ var arr []string
+ if err := json.Unmarshal(val, &arr); err == nil {
+ v.VPToken[key] = arr
+ continue
+ }
+ return fmt.Errorf("vp_token[%q]: expected string or array of strings", key)
+ }
+ return nil
+ }
+
+ // Try as plain string (single VP token)
+ var s string
+ if err := json.Unmarshal(raw.VPToken, &s); err == nil {
+ v.VPToken["_default"] = []string{s}
+ return nil
+ }
+
+ return fmt.Errorf("vp_token: expected JSON object (map of credential ID to token) or a plain string, got unsupported type")
+}
+
type ResponseParameters struct {
// VPToken REQUIRED. The structure of this parameter depends on the query language used to request the presentations in the Authorization Request:
VPToken string `json:"vp_token,omitempty" bson:"vp_token" validate:"omitempty,required_if=ResponseType vp_token"`
diff --git a/pkg/sdjwtvc/example_test.go b/pkg/sdjwtvc/example_test.go
index 53870e3ec..cc6e8ea4a 100644
--- a/pkg/sdjwtvc/example_test.go
+++ b/pkg/sdjwtvc/example_test.go
@@ -123,11 +123,20 @@ func ExampleVCTM_Attributes() {
}
attrs := vctm.Attributes()
- fmt.Println("en-US Given Name path:", attrs["en-US"]["Given Name"])
- fmt.Println("sv-SE Förnamn path:", attrs["sv-SE"]["Förnamn"])
+ // Print dereferenced path values
+ for _, p := range attrs["en-US"]["Given Name"] {
+ if p != nil {
+ fmt.Printf("en-US Given Name path: %s\n", *p)
+ }
+ }
+ for _, p := range attrs["sv-SE"]["Förnamn"] {
+ if p != nil {
+ fmt.Printf("sv-SE Förnamn path: %s\n", *p)
+ }
+ }
// Output:
- // en-US Given Name path: [given_name]
- // sv-SE Förnamn path: [given_name]
+ // en-US Given Name path: given_name
+ // sv-SE Förnamn path: given_name
}
func ExampleVCTM_SRIIntegrity() {
diff --git a/pkg/sdjwtvc/types.go b/pkg/sdjwtvc/types.go
index 140097e43..28f1a89e5 100644
--- a/pkg/sdjwtvc/types.go
+++ b/pkg/sdjwtvc/types.go
@@ -56,6 +56,7 @@ func (d *Discloser) Hash(hasher hash.Hash) (string, string, []any, error) {
// CredentialCache holds credential claims and data
type CredentialCache struct {
+ Scope string `json:"scope"`
Claims []Discloser `json:"claims"`
Credential map[string]any `json:"credential"`
}
diff --git a/pkg/sdjwtvc/types_coverage_test.go b/pkg/sdjwtvc/types_coverage_test.go
index ee6866232..d33041148 100644
--- a/pkg/sdjwtvc/types_coverage_test.go
+++ b/pkg/sdjwtvc/types_coverage_test.go
@@ -4,7 +4,6 @@ import (
"encoding/json"
"os"
"path/filepath"
- "slices"
"testing"
"github.com/stretchr/testify/assert"
@@ -52,11 +51,14 @@ func TestVCTM_Attributes(t *testing.T) {
assert.Contains(t, attrs["en"], label1)
assert.Contains(t, attrs["en"], label2)
- assert.Equal(t, []string{"name"}, attrs["en"][label1])
- assert.Equal(t, []string{"email"}, attrs["en"][label2])
+ require.Len(t, attrs["en"][label1], 1)
+ assert.Equal(t, "name", *attrs["en"][label1][0])
+ require.Len(t, attrs["en"][label2], 1)
+ assert.Equal(t, "email", *attrs["en"][label2][0])
assert.Contains(t, attrs["fr"], "Nom")
- assert.Equal(t, []string{"name"}, attrs["fr"]["Nom"])
+ require.Len(t, attrs["fr"]["Nom"], 1)
+ assert.Equal(t, "name", *attrs["fr"]["Nom"][0])
}
func TestVCTM_Attributes_RealMetadata(t *testing.T) {
@@ -72,13 +74,12 @@ func TestVCTM_Attributes_RealMetadata(t *testing.T) {
filename: "vctm_pid.json",
expectedLangs: []string{"en-US"},
expectedLabels: map[string][]string{
- "en-US": {"Last name", "First name", "Date of birth", "Nationality"},
+ "en-US": {"Last name", "First name", "Date of birth", "Nationalities"},
},
samplePathCheck: map[string]string{
"Last name": "family_name",
"First name": "given_name",
"Date of birth": "birthdate",
- // Nationality uses path ["nationalities", null] so we can't check a single string path
},
},
{
@@ -129,7 +130,13 @@ func TestVCTM_Attributes_RealMetadata(t *testing.T) {
if paths, ok := attrs[lang][label]; ok {
assert.NotEmpty(t, paths, "Label '%s' should have paths", label)
// Check if the expected path is in the paths slice
- found := slices.Contains(paths, expectedPath)
+ found := false
+ for _, p := range paths {
+ if p != nil && *p == expectedPath {
+ found = true
+ break
+ }
+ }
assert.True(t, found, "Expected path '%s' not found for label '%s'", expectedPath, label)
}
}
@@ -232,9 +239,12 @@ func TestVCTM_AttributesWithoutObjects(t *testing.T) {
assert.Contains(t, attrs["en"], "Name")
assert.Contains(t, attrs["en"], "Email")
assert.Contains(t, attrs["en"], "Age")
- assert.Equal(t, []string{"name"}, attrs["en"]["Name"])
- assert.Equal(t, []string{"email"}, attrs["en"]["Email"])
- assert.Equal(t, []string{"age"}, attrs["en"]["Age"])
+ require.Len(t, attrs["en"]["Name"], 1)
+ assert.Equal(t, "name", *attrs["en"]["Name"][0])
+ require.Len(t, attrs["en"]["Email"], 1)
+ assert.Equal(t, "email", *attrs["en"]["Email"][0])
+ require.Len(t, attrs["en"]["Age"], 1)
+ assert.Equal(t, "age", *attrs["en"]["Age"][0])
// Check that object attributes are excluded
assert.NotContains(t, attrs["en"], "Street Address")
@@ -242,7 +252,8 @@ func TestVCTM_AttributesWithoutObjects(t *testing.T) {
// Check French language
assert.Contains(t, attrs["fr"], "Nom")
- assert.Equal(t, []string{"name"}, attrs["fr"]["Nom"])
+ require.Len(t, attrs["fr"]["Nom"], 1)
+ assert.Equal(t, "name", *attrs["fr"]["Nom"][0])
assert.NotContains(t, attrs["fr"], "Numéro de téléphone")
}
diff --git a/pkg/sdjwtvc/utils.go b/pkg/sdjwtvc/utils.go
index b46258d49..97e9176a7 100644
--- a/pkg/sdjwtvc/utils.go
+++ b/pkg/sdjwtvc/utils.go
@@ -1,7 +1,6 @@
package sdjwtvc
import (
- "crypto/sha256"
"encoding/base64"
"encoding/json"
"errors"
@@ -57,62 +56,204 @@ func (t Token) Parse() (*ParsedCredential, error) {
return nil, fmt.Errorf("failed to unmarshal claims: %w", err)
}
- // Get the _sd array for hash comparison
- var sdHashes []string
- if sdField, ok := claims["_sd"]; ok {
+ // Resolve all selective disclosures recursively (handles nested _sd arrays)
+ if err := resolveDisclosuresRecursive(claims, disclosures); err != nil {
+ return nil, err
+ }
+
+ // Remove any unresolved array element markers {"...": hash} left behind
+ // when the wallet omits element disclosures from the token.
+ cleanUnresolvedMarkers(claims)
+
+ return &ParsedCredential{
+ Claims: claims,
+ Disclosures: disclosures,
+ Header: headerMap,
+ Signature: signature,
+ KeyBinding: keyBinding,
+ }, nil
+}
+
+// sdParsedDisclosure holds a parsed selective disclosure for resolution.
+type sdParsedDisclosure struct {
+ claimName string
+ claimValue any
+ isArray bool // true for array element disclosures [salt, value]
+}
+
+// resolveDisclosuresRecursive resolves selective disclosures at all levels of the claims map.
+// It matches disclosure hashes against _sd arrays in nested objects and inserts the disclosed values.
+// After processing, all _sd and _sd_alg keys are removed from the claims tree.
+func resolveDisclosuresRecursive(claims map[string]any, disclosures []string) error {
+ // Determine hash algorithm from _sd_alg claim (default: sha-256 per spec)
+ sdAlg, _ := claims["_sd_alg"].(string)
+ if sdAlg == "" {
+ sdAlg = "sha-256"
+ }
+ hashMethod, err := getHashFromAlgorithm(sdAlg)
+ if err != nil {
+ return fmt.Errorf("unsupported _sd_alg %q: %w", sdAlg, err)
+ }
+
+ // Build a map of disclosure hash -> parsed disclosure for efficient lookup
+ disclosureMap := make(map[string]*sdParsedDisclosure, len(disclosures))
+ for _, disclosure := range disclosures {
+ hashMethod.Reset()
+ hashMethod.Write([]byte(disclosure))
+ hashB64 := base64.RawURLEncoding.EncodeToString(hashMethod.Sum(nil))
+
+ disclosureBytes, err := base64.RawURLEncoding.DecodeString(disclosure)
+ if err != nil {
+ return fmt.Errorf("failed to base64url-decode disclosure: %w", err)
+ }
+
+ var disclosureArray []any
+ if err := json.Unmarshal(disclosureBytes, &disclosureArray); err != nil {
+ return fmt.Errorf("failed to unmarshal disclosure JSON: %w", err)
+ }
+
+ switch len(disclosureArray) {
+ case 2:
+ // Array element disclosure: [salt, value]
+ disclosureMap[hashB64] = &sdParsedDisclosure{
+ claimValue: disclosureArray[1],
+ isArray: true,
+ }
+ case 3:
+ // Object property disclosure: [salt, claim_name, claim_value]
+ claimName, ok := disclosureArray[1].(string)
+ if !ok {
+ return fmt.Errorf("invalid disclosure: claim name must be a string, got %T", disclosureArray[1])
+ }
+ disclosureMap[hashB64] = &sdParsedDisclosure{
+ claimName: claimName,
+ claimValue: disclosureArray[2],
+ }
+ default:
+ return fmt.Errorf("invalid disclosure format: expected 2 or 3 elements, got %d", len(disclosureArray))
+ }
+ }
+
+ // Recursively resolve _sd arrays in the claims tree
+ resolveNode(claims, disclosureMap)
+ return nil
+}
+
+// resolveNode processes a single map node, resolving its _sd array and recursing into nested maps.
+func resolveNode(node map[string]any, disclosureMap map[string]*sdParsedDisclosure) {
+ // Resolve _sd array at this level
+ if sdField, ok := node["_sd"]; ok {
if sdArray, ok := sdField.([]any); ok {
for _, h := range sdArray {
- if hash, ok := h.(string); ok {
- sdHashes = append(sdHashes, hash)
+ hashStr, ok := h.(string)
+ if !ok {
+ continue
+ }
+ if pd, found := disclosureMap[hashStr]; found && !pd.isArray {
+ node[pd.claimName] = pd.claimValue
}
}
}
}
- // Process disclosures and add disclosed claims to the claims map
- for _, disclosure := range disclosures {
- // Calculate hash of disclosure
- hash := sha256.Sum256([]byte(disclosure))
- hashB64 := base64.RawURLEncoding.EncodeToString(hash[:])
-
- // Check if this disclosure hash is in the _sd array
- if slices.Contains(sdHashes, hashB64) {
- // Decode the disclosure
- disclosureBytes, err := base64.RawURLEncoding.DecodeString(disclosure)
- if err != nil {
- return nil, fmt.Errorf("failed to decode disclosure: %w", err)
- }
+ // Remove _sd and _sd_alg from this level
+ delete(node, "_sd")
+ delete(node, "_sd_alg")
- // Parse disclosure array [salt, claim_name, claim_value]
- var disclosureArray []any
- if err := json.Unmarshal(disclosureBytes, &disclosureArray); err != nil {
- return nil, fmt.Errorf("failed to unmarshal disclosure: %w", err)
- }
+ // Collect keys first to avoid issues with map iteration after modification.
+ // New keys added during _sd resolution above must be included.
+ keys := make([]string, 0, len(node))
+ for k := range node {
+ keys = append(keys, k)
+ }
- if len(disclosureArray) >= 3 {
- claimName, ok := disclosureArray[1].(string)
- if !ok {
- return nil, fmt.Errorf("invalid claim name in disclosure")
- }
- claimValue := disclosureArray[2]
+ // Recurse into nested maps and resolve array elements
+ for _, key := range keys {
+ value := node[key]
+ switch v := value.(type) {
+ case map[string]any:
+ resolveNode(v, disclosureMap)
+ case []any:
+ node[key] = resolveArrayNode(v, disclosureMap)
+ }
+ }
+}
- // Add disclosed claim to claims map
- claims[claimName] = claimValue
+// resolveArrayNode processes an array, resolving any SD-JWT array element disclosures
+// (objects with a single "..." key containing a hash) and recursing into nested maps.
+func resolveArrayNode(arr []any, disclosureMap map[string]*sdParsedDisclosure) []any {
+ result := make([]any, 0, len(arr))
+ for _, elem := range arr {
+ switch v := elem.(type) {
+ case map[string]any:
+ // Check if this is an array element disclosure marker {"...": ""}
+ if len(v) == 1 {
+ if hashVal, ok := v["..."]; ok {
+ if hashStr, ok := hashVal.(string); ok {
+ if pd, found := disclosureMap[hashStr]; found && pd.isArray {
+ // Recurse into the disclosed value in case it
+ // contains nested _sd or array markers.
+ switch dv := pd.claimValue.(type) {
+ case map[string]any:
+ resolveNode(dv, disclosureMap)
+ result = append(result, dv)
+ case []any:
+ result = append(result, resolveArrayNode(dv, disclosureMap))
+ default:
+ result = append(result, pd.claimValue)
+ }
+ continue
+ }
+ }
+ }
}
+ // Regular nested object — recurse
+ resolveNode(v, disclosureMap)
+ result = append(result, v)
+ case []any:
+ result = append(result, resolveArrayNode(v, disclosureMap))
+ default:
+ result = append(result, elem)
}
}
+ return result
+}
- // Remove _sd and _sd_alg from final claims (they're internal to SD-JWT)
- delete(claims, "_sd")
- delete(claims, "_sd_alg")
+// cleanUnresolvedMarkers removes leftover {"...": hash} array element markers
+// from the claims tree. These remain when the wallet discloses a claim whose
+// value contains array element markers but doesn't include the corresponding
+// element disclosures in the token.
+func cleanUnresolvedMarkers(node map[string]any) {
+ for key, value := range node {
+ switch v := value.(type) {
+ case map[string]any:
+ cleanUnresolvedMarkers(v)
+ case []any:
+ node[key] = cleanArrayMarkers(v)
+ }
+ }
+}
- return &ParsedCredential{
- Claims: claims,
- Disclosures: disclosures,
- Header: headerMap,
- Signature: signature,
- KeyBinding: keyBinding,
- }, nil
+func cleanArrayMarkers(arr []any) []any {
+ result := make([]any, 0, len(arr))
+ for _, elem := range arr {
+ switch v := elem.(type) {
+ case map[string]any:
+ if len(v) == 1 {
+ if _, isMarker := v["..."]; isMarker {
+ // Skip unresolved marker
+ continue
+ }
+ }
+ cleanUnresolvedMarkers(v)
+ result = append(result, v)
+ case []any:
+ result = append(result, cleanArrayMarkers(v))
+ default:
+ result = append(result, elem)
+ }
+ }
+ return result
}
// Split splits the token into header, body, signature, selective disclosure, keybinding, or error
diff --git a/pkg/sdjwtvc/utils_test.go b/pkg/sdjwtvc/utils_test.go
index bb3fe09ba..5f9913329 100644
--- a/pkg/sdjwtvc/utils_test.go
+++ b/pkg/sdjwtvc/utils_test.go
@@ -4,6 +4,9 @@ import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
+ "crypto/sha256"
+ "encoding/base64"
+ "encoding/json"
"strings"
"testing"
)
@@ -129,8 +132,8 @@ func TestToken_Parse(t *testing.T) {
}{
{ // #nosec G101
name: "valid SD-JWT with disclosures",
- // This is a sample token - in real usage, this would be a valid SD-JWT
- token: "eyJhbGciOiJFUzI1NiIsInR5cCI6ImRjK3NkLWp3dCJ9.eyJfc2QiOlsiaGFzaDEiLCJoYXNoMiJdLCJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tIiwidmN0IjoidXJuOmV4YW1wbGU6cGlkIn0.c2lnbmF0dXJl~disclosure1~disclosure2~",
+ // Valid SD-JWT with two properly-encoded disclosures and matching _sd hashes
+ token: "eyJhbGciOiAiRVMyNTYiLCAidHlwIjogImRjK3NkLWp3dCJ9.eyJfc2QiOiBbInpzMlZlaktUdWJRNHdlVHVBcUVmLUlmV1hGaHRTMXA0aFlIdE1VU183YmMiLCAiMEZYYjh2azRDSXJVN3EyaFpsUFhLdnlRaUs5N00ycUw4V3NieTEyMFl2VSJdLCAiaXNzIjogImh0dHBzOi8vZXhhbXBsZS5jb20iLCAidmN0IjogInVybjpleGFtcGxlOnBpZCJ9.c2lnbmF0dXJl~WyJzYWx0MSIsICJnaXZlbl9uYW1lIiwgIkpvaG4iXQ~WyJzYWx0MiIsICJmYW1pbHlfbmFtZSIsICJEb2UiXQ~",
wantErr: false,
expectedDiscCount: 2,
},
@@ -578,3 +581,521 @@ func TestToken_Split(t *testing.T) {
})
}
}
+
+// makeDisclosure creates a base64url-encoded disclosure and its hash for testing.
+func makeDisclosure(t *testing.T, parts ...any) (string, string) {
+ t.Helper()
+ raw, err := json.Marshal(parts)
+ if err != nil {
+ t.Fatalf("failed to marshal disclosure: %v", err)
+ }
+ encoded := base64.RawURLEncoding.EncodeToString(raw)
+ hash := sha256.Sum256([]byte(encoded))
+ hashB64 := base64.RawURLEncoding.EncodeToString(hash[:])
+ return encoded, hashB64
+}
+
+func TestResolveDisclosuresRecursive_Nested(t *testing.T) {
+ // Simulate place_of_birth with nested _sd
+ discLocality, hashLocality := makeDisclosure(t, "salt1", "locality", "Stockholm")
+ discRegion, hashRegion := makeDisclosure(t, "salt2", "region", "Stockholm")
+ discPOB, hashPOB := makeDisclosure(t, "salt3", "place_of_birth", map[string]any{
+ "_sd": []any{hashLocality, hashRegion},
+ })
+
+ claims := map[string]any{
+ "iss": "https://issuer.example.com",
+ "_sd": []any{hashPOB},
+ "_sd_alg": "sha-256",
+ }
+
+ disclosures := []string{discLocality, discRegion, discPOB}
+
+ err := resolveDisclosuresRecursive(claims, disclosures)
+ if err != nil {
+ t.Fatalf("resolveDisclosuresRecursive() error = %v", err)
+ }
+
+ // _sd removed at top level
+ if _, ok := claims["_sd"]; ok {
+ t.Error("Expected _sd to be removed from top level")
+ }
+ if _, ok := claims["_sd_alg"]; ok {
+ t.Error("Expected _sd_alg to be removed from top level")
+ }
+
+ // place_of_birth resolved
+ pob, ok := claims["place_of_birth"].(map[string]any)
+ if !ok {
+ t.Fatalf("Expected place_of_birth to be a map, got %T: %v", claims["place_of_birth"], claims["place_of_birth"])
+ }
+
+ if pob["locality"] != "Stockholm" {
+ t.Errorf("Expected place_of_birth.locality = Stockholm, got %v", pob["locality"])
+ }
+ if pob["region"] != "Stockholm" {
+ t.Errorf("Expected place_of_birth.region = Stockholm, got %v", pob["region"])
+ }
+ if _, ok := pob["_sd"]; ok {
+ t.Error("Expected _sd to be removed from place_of_birth")
+ }
+}
+
+func TestResolveDisclosuresRecursive_NestedAddress(t *testing.T) {
+ // Address already present in JWT body but with _sd for sub-fields
+ discStreet, hashStreet := makeDisclosure(t, "s1", "street_address", "Tulegatan")
+ discPostal, hashPostal := makeDisclosure(t, "s2", "postal_code", "11353")
+ discCountry, hashCountry := makeDisclosure(t, "s3", "country", "SE")
+
+ claims := map[string]any{
+ "iss": "https://issuer.example.com",
+ "address": map[string]any{
+ "_sd": []any{hashStreet, hashPostal, hashCountry},
+ },
+ }
+
+ disclosures := []string{discStreet, discPostal, discCountry}
+
+ err := resolveDisclosuresRecursive(claims, disclosures)
+ if err != nil {
+ t.Fatalf("resolveDisclosuresRecursive() error = %v", err)
+ }
+
+ addr, ok := claims["address"].(map[string]any)
+ if !ok {
+ t.Fatalf("Expected address to be a map, got %T", claims["address"])
+ }
+ if addr["street_address"] != "Tulegatan" {
+ t.Errorf("Expected address.street_address = Tulegatan, got %v", addr["street_address"])
+ }
+ if addr["postal_code"] != "11353" {
+ t.Errorf("Expected address.postal_code = 11353, got %v", addr["postal_code"])
+ }
+ if addr["country"] != "SE" {
+ t.Errorf("Expected address.country = SE, got %v", addr["country"])
+ }
+ if _, ok := addr["_sd"]; ok {
+ t.Error("Expected _sd to be removed from address")
+ }
+}
+
+func TestResolveDisclosuresRecursive_ArrayElements(t *testing.T) {
+ // Array element disclosures use {"...": hash} markers
+ discElem1, hashElem1 := makeDisclosure(t, "s1", "SE")
+ discElem2, hashElem2 := makeDisclosure(t, "s2", "EU")
+
+ claims := map[string]any{
+ "iss": "https://issuer.example.com",
+ "nationalities": []any{
+ map[string]any{"...": hashElem1},
+ map[string]any{"...": hashElem2},
+ },
+ }
+
+ disclosures := []string{discElem1, discElem2}
+
+ err := resolveDisclosuresRecursive(claims, disclosures)
+ if err != nil {
+ t.Fatalf("resolveDisclosuresRecursive() error = %v", err)
+ }
+
+ nats, ok := claims["nationalities"].([]any)
+ if !ok {
+ t.Fatalf("Expected nationalities to be a slice, got %T", claims["nationalities"])
+ }
+ if len(nats) != 2 {
+ t.Fatalf("Expected 2 elements, got %d", len(nats))
+ }
+ if nats[0] != "SE" {
+ t.Errorf("Expected nationalities[0] = SE, got %v", nats[0])
+ }
+ if nats[1] != "EU" {
+ t.Errorf("Expected nationalities[1] = EU, got %v", nats[1])
+ }
+}
+
+func TestResolveDisclosuresRecursive_ArrayDisclosedViaParentSD(t *testing.T) {
+ // This tests the real-world scenario where:
+ // - "nationalities" is itself selectively disclosed at the top level (_sd)
+ // - Its VALUE is an array containing element disclosure markers: [{"...": hash}]
+ // - The element disclosures are also in the token
+ // The resolution must:
+ // 1. Resolve "nationalities" from top-level _sd
+ // 2. Then resolve the array element markers inside its value
+
+ // Create element disclosures first
+ discElem1, hashElem1 := makeDisclosure(t, "elem_salt_1", "SE")
+ discElem2, hashElem2 := makeDisclosure(t, "elem_salt_2", "FI")
+
+ // Create the nationalities disclosure whose value contains element markers
+ discNats, hashNats := makeDisclosure(t, "nats_salt", "nationalities", []any{
+ map[string]any{"...": hashElem1},
+ map[string]any{"...": hashElem2},
+ })
+
+ claims := map[string]any{
+ "iss": "https://issuer.example.com",
+ "_sd": []any{hashNats},
+ "_sd_alg": "sha-256",
+ }
+
+ disclosures := []string{discNats, discElem1, discElem2}
+
+ err := resolveDisclosuresRecursive(claims, disclosures)
+ if err != nil {
+ t.Fatalf("resolveDisclosuresRecursive() error = %v", err)
+ }
+
+ // nationalities should be resolved with element values
+ nats, ok := claims["nationalities"].([]any)
+ if !ok {
+ t.Fatalf("Expected nationalities to be []any, got %T: %v", claims["nationalities"], claims["nationalities"])
+ }
+ if len(nats) != 2 {
+ t.Fatalf("Expected 2 elements, got %d: %v", len(nats), nats)
+ }
+ if nats[0] != "SE" {
+ t.Errorf("Expected nationalities[0] = SE, got %v", nats[0])
+ }
+ if nats[1] != "FI" {
+ t.Errorf("Expected nationalities[1] = FI, got %v", nats[1])
+ }
+}
+
+func TestResolveDisclosuresRecursive_DecoyHashes(t *testing.T) {
+ // Decoy hashes are random hashes in _sd that don't correspond to any disclosure.
+ // They exist to hide the number of actual selective disclosures.
+ // These should be silently ignored.
+ discName, hashName := makeDisclosure(t, "salt1", "given_name", "Helen")
+
+ claims := map[string]any{
+ "iss": "https://issuer.example.com",
+ "_sd": []any{
+ hashName,
+ "decoy_hash_aaaaaaaaaaaaaaaaaaaaaaaaaaa",
+ "decoy_hash_bbbbbbbbbbbbbbbbbbbbbbbbbbb",
+ "decoy_hash_ccccccccccccccccccccccccccc",
+ },
+ "_sd_alg": "sha-256",
+ }
+
+ disclosures := []string{discName}
+
+ err := resolveDisclosuresRecursive(claims, disclosures)
+ if err != nil {
+ t.Fatalf("resolveDisclosuresRecursive() error = %v", err)
+ }
+
+ // Only the real disclosure should be resolved
+ if claims["given_name"] != "Helen" {
+ t.Errorf("Expected given_name = Helen, got %v", claims["given_name"])
+ }
+
+ // No extra claims should appear from decoys
+ for key := range claims {
+ if key == "iss" || key == "given_name" {
+ continue
+ }
+ t.Errorf("Unexpected claim %q in result (possible decoy leak)", key)
+ }
+}
+
+func TestResolveDisclosuresRecursive_AttackerInjectedDisclosure(t *testing.T) {
+ // Security test: An attacker appends their own disclosure to the SD-JWT token.
+ // The injected disclosure's hash is NOT in the signed _sd array.
+ // It MUST NOT appear in the resolved claims.
+ discName, hashName := makeDisclosure(t, "legit_salt", "given_name", "Helen")
+
+ // Attacker-crafted disclosure trying to inject "is_admin: true"
+ attackerDisc, _ := makeDisclosure(t, "evil_salt", "is_admin", true)
+ // Attacker also tries to inject an email override
+ attackerDisc2, _ := makeDisclosure(t, "evil_salt2", "email", "attacker@evil.com")
+
+ // The signed credential only has hashName in its _sd array
+ claims := map[string]any{
+ "iss": "https://issuer.example.com",
+ "_sd": []any{hashName},
+ "_sd_alg": "sha-256",
+ }
+
+ // Attacker appends their disclosures to the token
+ disclosures := []string{discName, attackerDisc, attackerDisc2}
+
+ err := resolveDisclosuresRecursive(claims, disclosures)
+ if err != nil {
+ t.Fatalf("resolveDisclosuresRecursive() error = %v", err)
+ }
+
+ // Legitimate disclosure should be resolved
+ if claims["given_name"] != "Helen" {
+ t.Errorf("Expected given_name = Helen, got %v", claims["given_name"])
+ }
+
+ // Attacker's injected claims MUST NOT appear
+ if _, ok := claims["is_admin"]; ok {
+ t.Error("SECURITY: attacker-injected 'is_admin' claim was resolved - disclosure hash not in signed _sd array")
+ }
+ if _, ok := claims["email"]; ok {
+ t.Error("SECURITY: attacker-injected 'email' claim was resolved - disclosure hash not in signed _sd array")
+ }
+}
+
+func TestResolveDisclosuresRecursive_AttackerInjectedNestedDisclosure(t *testing.T) {
+ // Security test: Attacker injects a disclosure targeting a nested _sd array.
+ // The nested _sd only contains the legitimate hash, not the attacker's.
+ discStreet, hashStreet := makeDisclosure(t, "legit", "street_address", "Tulegatan")
+ attackerDisc, _ := makeDisclosure(t, "evil", "admin_note", "pwned")
+
+ claims := map[string]any{
+ "iss": "https://issuer.example.com",
+ "address": map[string]any{
+ "_sd": []any{hashStreet}, // Only legitimate hash in signed payload
+ },
+ }
+
+ // Attacker appends their disclosure
+ disclosures := []string{discStreet, attackerDisc}
+
+ err := resolveDisclosuresRecursive(claims, disclosures)
+ if err != nil {
+ t.Fatalf("resolveDisclosuresRecursive() error = %v", err)
+ }
+
+ addr, ok := claims["address"].(map[string]any)
+ if !ok {
+ t.Fatalf("Expected address to be a map, got %T", claims["address"])
+ }
+
+ // Legitimate claim present
+ if addr["street_address"] != "Tulegatan" {
+ t.Errorf("Expected address.street_address = Tulegatan, got %v", addr["street_address"])
+ }
+
+ // Attacker's claim MUST NOT appear
+ if _, ok := addr["admin_note"]; ok {
+ t.Error("SECURITY: attacker-injected 'admin_note' in nested object was resolved")
+ }
+}
+
+func TestResolveDisclosuresRecursive_AttackerInjectedArrayElement(t *testing.T) {
+ // Security test: Attacker tries to inject an extra array element disclosure.
+ // Only markers in the signed array with valid hashes should be resolved.
+ discElem1, hashElem1 := makeDisclosure(t, "legit_salt", "SE")
+ attackerElem, attackerHash := makeDisclosure(t, "evil_salt", "ATTACKER_COUNTRY")
+
+ claims := map[string]any{
+ "iss": "https://issuer.example.com",
+ "nationalities": []any{
+ map[string]any{"...": hashElem1},
+ // Note: no marker for attackerHash - the signed array doesn't include it
+ },
+ }
+
+ // Attacker appends their disclosure
+ disclosures := []string{discElem1, attackerElem}
+ _ = attackerHash // not used in claims - that's the point
+
+ err := resolveDisclosuresRecursive(claims, disclosures)
+ if err != nil {
+ t.Fatalf("resolveDisclosuresRecursive() error = %v", err)
+ }
+
+ nats, ok := claims["nationalities"].([]any)
+ if !ok {
+ t.Fatalf("Expected nationalities to be a slice, got %T", claims["nationalities"])
+ }
+
+ // Only 1 legitimate element
+ if len(nats) != 1 {
+ t.Errorf("Expected 1 element, got %d: %v", len(nats), nats)
+ }
+ if nats[0] != "SE" {
+ t.Errorf("Expected nationalities[0] = SE, got %v", nats[0])
+ }
+
+ // Attacker's value MUST NOT appear anywhere
+ for i, v := range nats {
+ if v == "ATTACKER_COUNTRY" {
+ t.Errorf("SECURITY: attacker-injected array element at index %d", i)
+ }
+ }
+}
+
+func TestTokenParse_AttackerAppendsUnsignedDisclosure(t *testing.T) {
+ // End-to-end security test simulating the real attack:
+ //
+ // SD-JWT structure: ~~~
+ //
+ // The disclosures after ~ are NOT signed. They are just base64url strings.
+ // An attacker who intercepts the token can trivially append:
+ // ~~
+ // before the trailing key-binding JWT (or at the end if no KB).
+ //
+ // The ONLY protection is that the signed JWT body contains _sd hashes.
+ // Only disclosures whose sha256 hash appears in the signed _sd array
+ // should be accepted.
+
+ client := New()
+
+ // Generate issuer key
+ privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+ if err != nil {
+ t.Fatalf("Failed to generate key: %v", err)
+ }
+
+ holderJWK := map[string]any{
+ "kty": "EC",
+ "crv": "P-256",
+ "x": "test_x",
+ "y": "test_y",
+ "kid": "holder-1",
+ }
+
+ vctm := &VCTM{
+ VCT: "urn:example:pid:1",
+ Name: "PID Credential",
+ }
+
+ documentData := []byte(`{
+ "given_name": "Helen",
+ "family_name": "Mirren"
+ }`)
+
+ vctmRaw, integrity := marshalVCTM(t, vctm)
+ signer := newTestSigner(privateKey, "issuer-key-1")
+ token, err := client.BuildCredentialWithSigner(
+ t.Context(),
+ "https://issuer.example.com",
+ signer,
+ vctmRaw,
+ documentData,
+ holderJWK,
+ &CredentialOptions{Integrity: integrity},
+ )
+ if err != nil {
+ t.Fatalf("Failed to build credential: %v", err)
+ }
+
+ // Verify the legitimate token first
+ parsed, err := Token(token).Parse()
+ if err != nil {
+ t.Fatalf("Token.Parse() failed on legitimate token: %v", err)
+ }
+ if parsed.Claims["given_name"] != "Helen" {
+ t.Fatalf("Expected given_name=Helen in legitimate parse, got %v", parsed.Claims["given_name"])
+ }
+
+ // --- ATTACK: Append unsigned disclosure to the token ---
+ // Craft a malicious disclosure: ["evil_salt", "is_admin", true]
+ evilDisclosure, _ := json.Marshal([]any{"evil_salt_value", "is_admin", true})
+ evilDiscB64 := base64.RawURLEncoding.EncodeToString(evilDisclosure)
+
+ // Also try to override an existing claim
+ overrideDisclosure, _ := json.Marshal([]any{"override_salt", "given_name", "ATTACKER"})
+ overrideDiscB64 := base64.RawURLEncoding.EncodeToString(overrideDisclosure)
+
+ // Append attacker disclosures to token.
+ // Token format: ~~...~~ (trailing ~ means no key binding)
+ // We insert before the final empty segment
+ attackerToken := strings.TrimSuffix(token, "~") + "~" + evilDiscB64 + "~" + overrideDiscB64 + "~"
+
+ // Parse the tampered token
+ parsedAttacked, err := Token(attackerToken).Parse()
+ if err != nil {
+ t.Fatalf("Token.Parse() error on attacked token: %v", err)
+ }
+
+ // SECURITY: Attacker's injected claim MUST NOT appear
+ if _, ok := parsedAttacked.Claims["is_admin"]; ok {
+ t.Error("SECURITY FAILURE: attacker-injected 'is_admin' claim was accepted from unsigned disclosure")
+ }
+
+ // SECURITY: Attacker cannot override legitimate claims
+ if parsedAttacked.Claims["given_name"] == "ATTACKER" {
+ t.Error("SECURITY FAILURE: attacker overrode 'given_name' via unsigned disclosure")
+ }
+
+ // Legitimate claims should still be present and correct
+ if parsedAttacked.Claims["given_name"] != "Helen" {
+ t.Errorf("Expected given_name=Helen after attack, got %v", parsedAttacked.Claims["given_name"])
+ }
+ if parsedAttacked.Claims["family_name"] != "Mirren" {
+ t.Errorf("Expected family_name=Mirren after attack, got %v", parsedAttacked.Claims["family_name"])
+ }
+
+ t.Logf("Security check passed: %d disclosures in attacked token, none injected into claims",
+ len(parsedAttacked.Disclosures))
+}
+
+func TestTokenParse_NationalitiesWithElementDisclosures(t *testing.T) {
+ // Simulates the real-world scenario:
+ // - JWT body has _sd containing hash of nationalities disclosure
+ // - nationalities disclosure value = [{"...": elem_hash}]
+ // - element disclosure = ["salt", "SE"]
+ // - Both disclosures are in the token after ~
+ // Token.Parse() must resolve both levels.
+
+ // Step 1: Create element disclosure
+ elemParts := []any{"elem_salt_1", "SE"}
+ elemJSON, _ := json.Marshal(elemParts)
+ elemB64 := base64.RawURLEncoding.EncodeToString(elemJSON)
+ elemHash := sha256.Sum256([]byte(elemB64))
+ elemHashB64 := base64.RawURLEncoding.EncodeToString(elemHash[:])
+
+ // Step 2: Create nationalities disclosure with array marker
+ natsParts := []any{"nats_salt", "nationalities", []any{
+ map[string]any{"...": elemHashB64},
+ }}
+ natsJSON, _ := json.Marshal(natsParts)
+ natsB64 := base64.RawURLEncoding.EncodeToString(natsJSON)
+ natsHash := sha256.Sum256([]byte(natsB64))
+ natsHashB64 := base64.RawURLEncoding.EncodeToString(natsHash[:])
+
+ // Step 3: Create JWT body with _sd containing nationalities hash
+ jwtBody := map[string]any{
+ "iss": "https://issuer.example.com",
+ "vct": "urn:eudi:pid:1",
+ "_sd": []any{natsHashB64},
+ "_sd_alg": "sha-256",
+ }
+ bodyJSON, _ := json.Marshal(jwtBody)
+ bodyB64 := base64.RawURLEncoding.EncodeToString(bodyJSON)
+
+ // Step 4: Create a minimal JWT header
+ header := map[string]any{"alg": "ES256", "typ": "dc+sd-jwt"}
+ headerJSON, _ := json.Marshal(header)
+ headerB64 := base64.RawURLEncoding.EncodeToString(headerJSON)
+
+ // Step 5: Assemble the token: header.body.sig~nats_disc~elem_disc~
+ token := headerB64 + "." + bodyB64 + ".fake_sig~" + natsB64 + "~" + elemB64 + "~"
+
+ // Step 6: Parse
+ parsed, err := Token(token).Parse()
+ if err != nil {
+ t.Fatalf("Token.Parse() error = %v", err)
+ }
+
+ // Verify nationalities is resolved to ["SE"]
+ nats, ok := parsed.Claims["nationalities"].([]any)
+ if !ok {
+ t.Fatalf("Expected nationalities to be []any, got %T: %v",
+ parsed.Claims["nationalities"], parsed.Claims["nationalities"])
+ }
+ if len(nats) != 1 {
+ t.Fatalf("Expected 1 element in nationalities, got %d: %v", len(nats), nats)
+ }
+ if nats[0] != "SE" {
+ t.Errorf("Expected nationalities[0] = SE, got %v (type %T)", nats[0], nats[0])
+ }
+
+ // Verify no unresolved markers remain
+ for _, elem := range nats {
+ if m, ok := elem.(map[string]any); ok {
+ if _, hasMarker := m["..."]; hasMarker {
+ t.Error("Unresolved array element marker found in nationalities")
+ }
+ }
+ }
+
+ t.Logf("nationalities resolved: %v", nats)
+}
diff --git a/pkg/sdjwtvc/vctm_methods.go b/pkg/sdjwtvc/vctm_methods.go
index 53cb6a4b3..91d8823f9 100644
--- a/pkg/sdjwtvc/vctm_methods.go
+++ b/pkg/sdjwtvc/vctm_methods.go
@@ -35,23 +35,21 @@ func (v *VCTM) SRIIntegrity(rawBytes []byte) (string, error) {
return "sha256-" + encoded, nil
}
-// Attributes parse vctm claims and return a map of labels and their paths for each locale
-func (v *VCTM) Attributes() map[string]map[string][]string {
- reply := map[string]map[string][]string{}
+// Attributes parse vctm claims and return a map of labels and their paths for each locale.
+// Path elements may be nil, representing JSON null (array element access per DCQL Section 7.1).
+func (v *VCTM) Attributes() map[string]map[string][]*string {
+ reply := map[string]map[string][]*string{}
for _, c := range v.Claims {
for _, d := range c.Display {
if _, ok := reply[d.Locale]; !ok {
- reply[d.Locale] = map[string][]string{}
+ reply[d.Locale] = map[string][]*string{}
}
label := d.Label
-
- for _, p := range c.Path {
- if p != nil {
- reply[d.Locale][label] = append(reply[d.Locale][label], *p)
- }
- }
+ path := make([]*string, len(c.Path))
+ copy(path, c.Path)
+ reply[d.Locale][label] = path
}
}
@@ -60,8 +58,8 @@ func (v *VCTM) Attributes() map[string]map[string][]string {
// AttributesWithoutObjects parse vctm claims and return a map of labels and their paths for each locale,
// excluding claims that represent objects (claims with nested paths)
-func (v *VCTM) AttributesWithoutObjects() map[string]map[string][]string {
- reply := map[string]map[string][]string{}
+func (v *VCTM) AttributesWithoutObjects() map[string]map[string][]*string {
+ reply := map[string]map[string][]*string{}
for _, c := range v.Claims {
// Skip claims that are objects (have more than one path element)
@@ -76,16 +74,13 @@ func (v *VCTM) AttributesWithoutObjects() map[string]map[string][]string {
for _, d := range c.Display {
if _, ok := reply[d.Locale]; !ok {
- reply[d.Locale] = map[string][]string{}
+ reply[d.Locale] = map[string][]*string{}
}
label := d.Label
-
- for _, p := range c.Path {
- if p != nil {
- reply[d.Locale][label] = append(reply[d.Locale][label], *p)
- }
- }
+ path := make([]*string, len(c.Path))
+ copy(path, c.Path)
+ reply[d.Locale][label] = path
}
}
diff --git a/pkg/sdjwtvc/vctm_test.go b/pkg/sdjwtvc/vctm_test.go
index a2f31bdf3..47fa49998 100644
--- a/pkg/sdjwtvc/vctm_test.go
+++ b/pkg/sdjwtvc/vctm_test.go
@@ -4,6 +4,7 @@ import (
"testing"
"github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
)
func TestClaimJSONPath(t *testing.T) {
@@ -103,14 +104,19 @@ func TestVCTMAttributes(t *testing.T) {
t.Run("english locale", func(t *testing.T) {
en := attrs["en"]
- assert.Equal(t, []string{"given_name"}, en["First Name"])
- assert.Equal(t, []string{"family_name"}, en["Last Name"])
- assert.Equal(t, []string{"address", "country"}, en["Country"])
+ require.Len(t, en["First Name"], 1)
+ assert.Equal(t, "given_name", *en["First Name"][0])
+ require.Len(t, en["Last Name"], 1)
+ assert.Equal(t, "family_name", *en["Last Name"][0])
+ require.Len(t, en["Country"], 2)
+ assert.Equal(t, "address", *en["Country"][0])
+ assert.Equal(t, "country", *en["Country"][1])
})
t.Run("swedish locale", func(t *testing.T) {
sv := attrs["sv"]
- assert.Equal(t, []string{"family_name"}, sv["Efternamn"])
+ require.Len(t, sv["Efternamn"], 1)
+ assert.Equal(t, "family_name", *sv["Efternamn"][0])
})
t.Run("claims without display are excluded", func(t *testing.T) {
@@ -143,7 +149,8 @@ func TestVCTMAttributesWithoutObjects(t *testing.T) {
attrs := v.AttributesWithoutObjects()
t.Run("single-path claims included", func(t *testing.T) {
- assert.Equal(t, []string{"given_name"}, attrs["en"]["First Name"])
+ require.Len(t, attrs["en"]["First Name"], 1)
+ assert.Equal(t, "given_name", *attrs["en"]["First Name"][0])
})
t.Run("multi-path claims excluded", func(t *testing.T) {
diff --git a/pkg/sdjwtvc/verification.go b/pkg/sdjwtvc/verification.go
index 094c5e077..d33fdc283 100644
--- a/pkg/sdjwtvc/verification.go
+++ b/pkg/sdjwtvc/verification.go
@@ -252,11 +252,19 @@ func (c *Client) ParseAndVerify(sdJWT string, publicKey any, opts *VerificationO
}
result.Disclosures = append(result.Disclosures, *disclosure)
- result.DisclosedClaims[disclosure.Claim] = disclosure.Value
+ if disclosure.Claim != "" {
+ result.DisclosedClaims[disclosure.Claim] = disclosure.Value
+ }
+ }
- // Verify disclosure hash is in _sd array
- if err := c.verifyDisclosureHash(claims, disclosure.Hash); err != nil {
- result.Errors = append(result.Errors, err)
+ // Verify disclosure hashes: only hashes reachable from the issuer-signed
+ // claims tree (transitively, via values of already-anchored disclosures)
+ // are considered valid. This prevents mutually-referencing attacker-controlled
+ // disclosures from passing verification.
+ anchoredHashes := collectAnchoredHashes(map[string]any(claims), result.Disclosures)
+ for i := range result.Disclosures {
+ if !anchoredHashes[result.Disclosures[i].Hash] {
+ result.Errors = append(result.Errors, fmt.Errorf("disclosure hash %s not found in _sd array", result.Disclosures[i].Hash))
}
}
@@ -363,7 +371,8 @@ func (c *Client) validateSDJWTVCStructure(header map[string]any, claims jwt.MapC
}
// parseDisclosure parses a disclosure string into a Disclosure struct
-// Per draft-22 §4.2: Disclosure format is [, , ]
+// Per draft-22 §4.2: Object property disclosures have format [, , ]
+// Per draft-22 §4.2.2: Array element disclosures have format [, ]
func (c *Client) parseDisclosure(disclosureStr string, hashMethod hash.Hash) (*Disclosure, error) {
// Base64url decode
decoded, err := base64.RawURLEncoding.DecodeString(disclosureStr)
@@ -377,22 +386,35 @@ func (c *Client) parseDisclosure(disclosureStr string, hashMethod hash.Hash) (*D
return nil, fmt.Errorf("failed to unmarshal disclosure: %w", err)
}
- if len(parts) != 3 {
- return nil, fmt.Errorf("invalid disclosure format: expected 3 elements, got %d", len(parts))
- }
+ var salt, claim string
+ var value any
- salt, ok := parts[0].(string)
- if !ok {
- return nil, fmt.Errorf("invalid disclosure: salt must be string")
- }
-
- claim, ok := parts[1].(string)
- if !ok {
- return nil, fmt.Errorf("invalid disclosure: claim name must be string")
+ switch len(parts) {
+ case 3:
+ // Object property disclosure: [salt, claim_name, claim_value]
+ s, ok := parts[0].(string)
+ if !ok {
+ return nil, fmt.Errorf("invalid disclosure: salt must be string")
+ }
+ salt = s
+ c, ok := parts[1].(string)
+ if !ok {
+ return nil, fmt.Errorf("invalid disclosure: claim name must be string")
+ }
+ claim = c
+ value = parts[2]
+ case 2:
+ // Array element disclosure: [salt, value]
+ s, ok := parts[0].(string)
+ if !ok {
+ return nil, fmt.Errorf("invalid disclosure: salt must be string")
+ }
+ salt = s
+ value = parts[1]
+ default:
+ return nil, fmt.Errorf("invalid disclosure format: expected 2 or 3 elements, got %d", len(parts))
}
- value := parts[2]
-
// Calculate hash
hashMethod.Reset()
hashMethod.Write([]byte(disclosureStr))
@@ -407,35 +429,203 @@ func (c *Client) parseDisclosure(disclosureStr string, hashMethod hash.Hash) (*D
}, nil
}
-// verifyDisclosureHash verifies that a disclosure hash exists in the _sd array
-func (c *Client) verifyDisclosureHash(claims jwt.MapClaims, hash string) error {
- // Check top-level _sd array
- if sd, ok := claims["_sd"].([]any); ok {
- for _, h := range sd {
- if hashStr, ok := h.(string); ok && hashStr == hash {
- return nil // Found
+// collectAnchoredHashes returns the set of disclosure hashes that are
+// transitively reachable from the issuer-signed claims tree. A hash is
+// anchored if it appears in an _sd array or as an array-element marker
+// ({"...": hash}) in the signed claims, OR in the value of a disclosure
+// whose own hash is already anchored. This prevents mutually-referencing
+// attacker-crafted disclosures from being accepted.
+func collectAnchoredHashes(claims map[string]any, disclosures []Disclosure) map[string]bool {
+ // Build hash -> disclosure lookup
+ byHash := make(map[string]*Disclosure, len(disclosures))
+ for i := range disclosures {
+ byHash[disclosures[i].Hash] = &disclosures[i]
+ }
+
+ anchored := make(map[string]bool, len(disclosures))
+
+ // Collect all hashes directly referenced in the issuer-signed claims tree
+ directHashes := collectHashesFromNode(claims)
+
+ // BFS/iterative expansion: anchor direct hashes, then transitively
+ // anchor hashes found inside anchored disclosure values.
+ queue := make([]string, 0, len(directHashes))
+ for h := range directHashes {
+ anchored[h] = true
+ queue = append(queue, h)
+ }
+
+ for len(queue) > 0 {
+ h := queue[0]
+ queue = queue[1:]
+
+ d, ok := byHash[h]
+ if !ok {
+ continue
+ }
+ // Find hashes inside this disclosure's value
+ childHashes := collectHashesFromValue(d.Value)
+ for ch := range childHashes {
+ if !anchored[ch] {
+ anchored[ch] = true
+ queue = append(queue, ch)
}
}
}
- // TODO: Also check nested _sd arrays in objects
- // For now, we accept if found at top level
- return fmt.Errorf("disclosure hash %s not found in _sd array", hash)
+ return anchored
}
-// reconstructClaims adds disclosed claims back into the claims map
-func (c *Client) reconstructClaims(claims map[string]any, disclosures []Disclosure) error {
- for _, disclosure := range disclosures {
- claims[disclosure.Claim] = disclosure.Value
+// collectHashesFromNode collects all disclosure hashes referenced in _sd arrays
+// and array-element markers ({"...": hash}) throughout a claims tree.
+func collectHashesFromNode(node map[string]any) map[string]bool {
+ hashes := make(map[string]bool)
+ collectHashesFromNodeInto(node, hashes)
+ return hashes
+}
+
+func collectHashesFromNodeInto(node map[string]any, hashes map[string]bool) {
+ // Collect from _sd array
+ if sdField, ok := node["_sd"]; ok {
+ if sdArray, ok := sdField.([]any); ok {
+ for _, h := range sdArray {
+ if hashStr, ok := h.(string); ok {
+ hashes[hashStr] = true
+ }
+ }
+ }
+ }
+
+ // Recurse into nested objects and arrays
+ for k, v := range node {
+ if k == "_sd" {
+ continue
+ }
+ switch val := v.(type) {
+ case map[string]any:
+ collectHashesFromNodeInto(val, hashes)
+ case []any:
+ collectHashesFromArrayInto(val, hashes)
+ }
+ }
+}
+
+func collectHashesFromArrayInto(arr []any, hashes map[string]bool) {
+ for _, elem := range arr {
+ switch v := elem.(type) {
+ case map[string]any:
+ if len(v) == 1 {
+ if hashVal, ok := v["..."]; ok {
+ if hashStr, ok := hashVal.(string); ok {
+ hashes[hashStr] = true
+ continue
+ }
+ }
+ }
+ collectHashesFromNodeInto(v, hashes)
+ case []any:
+ collectHashesFromArrayInto(v, hashes)
+ }
+ }
+}
+
+// collectHashesFromValue collects disclosure hashes from a disclosure's value.
+func collectHashesFromValue(value any) map[string]bool {
+ hashes := make(map[string]bool)
+ switch v := value.(type) {
+ case []any:
+ collectHashesFromArrayInto(v, hashes)
+ case map[string]any:
+ collectHashesFromNodeInto(v, hashes)
}
+ return hashes
+}
- // Remove _sd and _sd_alg from final claims
- delete(claims, "_sd")
- delete(claims, "_sd_alg")
+// reconstructClaims adds disclosed claims back into the claims map, including nested _sd arrays.
+func (c *Client) reconstructClaims(claims map[string]any, disclosures []Disclosure) error {
+ // Build a hash -> Disclosure lookup
+ disclosureMap := make(map[string]*Disclosure, len(disclosures))
+ for i := range disclosures {
+ disclosureMap[disclosures[i].Hash] = &disclosures[i]
+ }
+ reconstructNode(claims, disclosureMap)
return nil
}
+// reconstructNode resolves _sd arrays at this level and recurses into nested maps.
+func reconstructNode(node map[string]any, disclosureMap map[string]*Disclosure) {
+ if sdField, ok := node["_sd"]; ok {
+ if sdArray, ok := sdField.([]any); ok {
+ for _, h := range sdArray {
+ hashStr, ok := h.(string)
+ if !ok {
+ continue
+ }
+ if d, found := disclosureMap[hashStr]; found && d.Claim != "" {
+ node[d.Claim] = d.Value
+ }
+ }
+ }
+ }
+
+ delete(node, "_sd")
+ delete(node, "_sd_alg")
+
+ // Collect keys first to ensure newly-added claims from _sd resolution are included.
+ keys := make([]string, 0, len(node))
+ for k := range node {
+ keys = append(keys, k)
+ }
+
+ for _, key := range keys {
+ value := node[key]
+ switch v := value.(type) {
+ case map[string]any:
+ reconstructNode(v, disclosureMap)
+ case []any:
+ node[key] = reconstructArrayNode(v, disclosureMap)
+ }
+ }
+}
+
+// reconstructArrayNode resolves array element disclosures ({"...": hash}) and recurses.
+func reconstructArrayNode(arr []any, disclosureMap map[string]*Disclosure) []any {
+ result := make([]any, 0, len(arr))
+ for _, elem := range arr {
+ switch v := elem.(type) {
+ case map[string]any:
+ if len(v) == 1 {
+ if hashVal, ok := v["..."]; ok {
+ if hashStr, ok := hashVal.(string); ok {
+ if d, found := disclosureMap[hashStr]; found {
+ // Recurse into the disclosed value in case it
+ // contains nested _sd or array markers.
+ switch dv := d.Value.(type) {
+ case map[string]any:
+ reconstructNode(dv, disclosureMap)
+ result = append(result, dv)
+ case []any:
+ result = append(result, reconstructArrayNode(dv, disclosureMap))
+ default:
+ result = append(result, d.Value)
+ }
+ continue
+ }
+ }
+ }
+ }
+ reconstructNode(v, disclosureMap)
+ result = append(result, v)
+ case []any:
+ result = append(result, reconstructArrayNode(v, disclosureMap))
+ default:
+ result = append(result, elem)
+ }
+ }
+ return result
+}
+
// verifyKeyBindingJWT verifies a Key Binding JWT per draft-22 §4.3
func (c *Client) verifyKeyBindingJWT(
kbJWT string,
diff --git a/pkg/sdjwtvc/verification_test.go b/pkg/sdjwtvc/verification_test.go
index fd72482f5..6dc0db886 100644
--- a/pkg/sdjwtvc/verification_test.go
+++ b/pkg/sdjwtvc/verification_test.go
@@ -334,13 +334,13 @@ func TestParseDisclosure_InvalidFormat(t *testing.T) {
}{
{
name: "Too few elements",
- disclosure: []any{"salt", "claim"},
- expectError: "expected 3 elements",
+ disclosure: []any{"salt"},
+ expectError: "expected 2 or 3 elements",
},
{
name: "Too many elements",
disclosure: []any{"salt", "claim", "value", "extra"},
- expectError: "expected 3 elements",
+ expectError: "expected 2 or 3 elements",
},
{
name: "Invalid salt type",
@@ -466,13 +466,13 @@ func TestReconstructClaims(t *testing.T) {
claims := map[string]any{
"vct": "TestCredential",
"iss": "https://issuer.example.com",
- "_sd": []any{"hash1", "hash2"},
+ "_sd": []any{"hash_name", "hash_age"},
"_sd_alg": "sha-256",
}
disclosures := []Disclosure{
- {Claim: "name", Value: "John Doe"},
- {Claim: "age", Value: float64(30)},
+ {Claim: "name", Value: "John Doe", Hash: "hash_name"},
+ {Claim: "age", Value: float64(30), Hash: "hash_age"},
}
err := client.reconstructClaims(claims, disclosures)
@@ -487,6 +487,140 @@ func TestReconstructClaims(t *testing.T) {
assert.NotContains(t, claims, "_sd_alg")
}
+func TestReconstructClaims_Nested(t *testing.T) {
+ client := New()
+
+ claims := map[string]any{
+ "vct": "TestCredential",
+ "iss": "https://issuer.example.com",
+ "_sd": []any{"hash_pob"},
+ "_sd_alg": "sha-256",
+ "address": map[string]any{
+ "_sd": []any{"hash_street", "hash_city"},
+ },
+ }
+
+ disclosures := []Disclosure{
+ {Claim: "place_of_birth", Value: map[string]any{
+ "_sd": []any{"hash_locality"},
+ }, Hash: "hash_pob"},
+ {Claim: "locality", Value: "Stockholm", Hash: "hash_locality"},
+ {Claim: "street_address", Value: "Tulegatan 11", Hash: "hash_street"},
+ {Claim: "locality", Value: "Stockholm", Hash: "hash_city"},
+ }
+
+ err := client.reconstructClaims(claims, disclosures)
+ require.NoError(t, err)
+
+ // Top-level nested claim should be resolved
+ pob, ok := claims["place_of_birth"].(map[string]any)
+ require.True(t, ok, "place_of_birth should be a map")
+ assert.Equal(t, "Stockholm", pob["locality"])
+ assert.NotContains(t, pob, "_sd")
+
+ // Nested address claims should be resolved
+ addr, ok := claims["address"].(map[string]any)
+ require.True(t, ok, "address should be a map")
+ assert.Equal(t, "Tulegatan 11", addr["street_address"])
+ assert.Equal(t, "Stockholm", addr["locality"])
+ assert.NotContains(t, addr, "_sd")
+
+ // Top-level internal fields removed
+ assert.NotContains(t, claims, "_sd")
+ assert.NotContains(t, claims, "_sd_alg")
+}
+
+func TestReconstructClaims_DecoyHashes(t *testing.T) {
+ // Decoy hashes in _sd that don't match any disclosure should be silently ignored
+ client := New()
+
+ claims := map[string]any{
+ "vct": "TestCredential",
+ "iss": "https://issuer.example.com",
+ "_sd": []any{"hash_name", "decoy_aaaa", "decoy_bbbb", "decoy_cccc"},
+ "_sd_alg": "sha-256",
+ }
+
+ disclosures := []Disclosure{
+ {Claim: "name", Value: "Helen", Hash: "hash_name"},
+ }
+
+ err := client.reconstructClaims(claims, disclosures)
+ require.NoError(t, err)
+
+ assert.Equal(t, "Helen", claims["name"])
+ // No extra claims from decoys
+ assert.NotContains(t, claims, "_sd")
+ assert.NotContains(t, claims, "_sd_alg")
+ // Only expected keys remain
+ for key := range claims {
+ switch key {
+ case "vct", "iss", "name":
+ // expected
+ default:
+ t.Errorf("Unexpected claim %q from decoy hash", key)
+ }
+ }
+}
+
+func TestReconstructClaims_AttackerInjectedDisclosure(t *testing.T) {
+ // Security: An attacker adds a Disclosure whose Hash is NOT in the signed _sd array.
+ // It MUST NOT appear in the resolved claims.
+ client := New()
+
+ claims := map[string]any{
+ "vct": "TestCredential",
+ "iss": "https://issuer.example.com",
+ "_sd": []any{"hash_name"}, // Only legitimate hash
+ "_sd_alg": "sha-256",
+ }
+
+ disclosures := []Disclosure{
+ {Claim: "name", Value: "Helen", Hash: "hash_name"},
+ // Attacker injects these - their hashes are NOT in _sd
+ {Claim: "is_admin", Value: true, Hash: "attacker_hash_1"},
+ {Claim: "role", Value: "superuser", Hash: "attacker_hash_2"},
+ }
+
+ err := client.reconstructClaims(claims, disclosures)
+ require.NoError(t, err)
+
+ // Legitimate claim resolved
+ assert.Equal(t, "Helen", claims["name"])
+
+ // Attacker claims MUST NOT be present
+ assert.NotContains(t, claims, "is_admin", "SECURITY: attacker-injected 'is_admin' resolved without hash in _sd")
+ assert.NotContains(t, claims, "role", "SECURITY: attacker-injected 'role' resolved without hash in _sd")
+}
+
+func TestReconstructClaims_AttackerInjectedNested(t *testing.T) {
+ // Security: Attacker injects disclosure targeting a nested _sd array
+ client := New()
+
+ claims := map[string]any{
+ "vct": "TestCredential",
+ "iss": "https://issuer.example.com",
+ "address": map[string]any{
+ "_sd": []any{"hash_street"}, // Only legitimate hash
+ },
+ }
+
+ disclosures := []Disclosure{
+ {Claim: "street_address", Value: "Tulegatan", Hash: "hash_street"},
+ // Attacker disclosure targeting the nested address object
+ {Claim: "admin_override", Value: "pwned", Hash: "attacker_nested_hash"},
+ }
+
+ err := client.reconstructClaims(claims, disclosures)
+ require.NoError(t, err)
+
+ addr, ok := claims["address"].(map[string]any)
+ require.True(t, ok)
+ assert.Equal(t, "Tulegatan", addr["street_address"])
+ assert.NotContains(t, addr, "admin_override", "SECURITY: attacker-injected nested claim resolved")
+ assert.NotContains(t, addr, "_sd")
+}
+
func TestJWKToPublicKey_ECDSA(t *testing.T) {
// Generate a test key
privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
diff --git a/presentation_requests/eduid.yaml b/presentation_requests/eduid.yaml
index a130762f5..edfb1caf4 100644
--- a/presentation_requests/eduid.yaml
+++ b/presentation_requests/eduid.yaml
@@ -20,7 +20,7 @@ templates:
- path: ["family_name"]
- path: ["birthdate"]
- path: ["email"]
- - path: ["nationalities"]
+ - path: ["nationalities", null]
claim_mappings:
given_name: "given_name"
family_name: "family_name"
@@ -48,7 +48,7 @@ templates:
- path: ["birthdate"]
- path: ["email"]
- path: ["phone_number"]
- - path: ["nationalities"]
+ - path: ["nationalities", null]
- path: ["personal_administrative_number"]
- path: ["address"]
- path: ["place_of_birth"]
diff --git a/presentation_requests/eudi_pid.yaml b/presentation_requests/eudi_pid.yaml
index c1918e185..9fee550da 100644
--- a/presentation_requests/eudi_pid.yaml
+++ b/presentation_requests/eudi_pid.yaml
@@ -24,7 +24,7 @@ templates:
- path: ["given_name"]
- path: ["family_name"]
- path: ["birthdate"]
- - path: ["nationalities"]
+ - path: ["nationalities", null]
claim_mappings:
given_name: "given_name"
family_name: "family_name"
@@ -50,7 +50,7 @@ templates:
- path: ["family_name"]
- path: ["birthdate"]
- path: ["place_of_birth"]
- - path: ["nationalities"]
+ - path: ["nationalities", null]
- path: ["sex"]
- path: ["address"]
- path: ["issuing_country"]
