Merge branch 'main' into feat/identity-rebased-alpha

Author: wulfraem

.github/workflows/rust-deploy-docs.yml

@@ -1,9 +1,6 @@
 name: Rust deploy crate docs
 
 on:
-  release:
-    types: [published]
-
   workflow_dispatch:
     inputs:
       branch:
@@ -36,6 +33,10 @@ jobs:
           path: ./target/doc
   deploy:
     if: ${{ !inputs.dry-run }}
+    # Grant GITHUB_TOKEN the permissions required to make a Pages deployment
+    permissions:
+      pages: write      # to deploy to Pages
+      id-token: write   # to verify the deployment originates from an appropriate source
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}

.github/workflows/shared-release.yml

@@ -155,6 +155,9 @@ jobs:
         if: ${{env.IS_RELEASE && inputs.create-github-release}}
         uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
         with:
+          # Token expires Jan 16, 2026
+          # This is needed because of https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/triggering-a-workflow#triggering-a-workflow-from-a-workflow
+          token: ${{ secrets.GH_RELEASE_PUBLISH_PAT }}
           body_path: RELEASE_CHANGELOG.md
           prerelease: ${{env.IS_PRE_RELEASE}}
           tag_name: ${{env.CURRENT_VERSION}}

.github/workflows/upload-docs.yml

@@ -9,6 +9,9 @@ on:
         description: 'Version to publish docs under (e.g. `v1.2.3-dev.1`)'
         required: true
 
+env:
+  GH_TOKEN: ${{ github.token }}
+
 permissions:
   actions: 'write'
 

CHANGELOG.md

@@ -8,22 +8,35 @@ This release is targeting IOTA Rebased networks and is meant for early testing.
 
 Identities created on IOTA Stardust networks can be migrated via the [Stardust package](https://docs.iota.org/developer/stardust/stardust-migration)
 
+## [v1.5.0](https://github.com/iotaledger/identity.rs/tree/v1.5.0) (2025-01-20)
+
+[Full Changelog](https://github.com/iotaledger/identity.rs/compare/v1.4.0...v1.5.0)
+
+### Added
+
+- SD-JWT VC implementation [\#1413](https://github.com/iotaledger/identity.rs/pull/1413)
+
+### Patch
+
+- Support %-encoded characters in DID URL [\#1496](https://github.com/iotaledger/identity.rs/pull/1496)
+- fix: serialization of status list [\#1423](https://github.com/iotaledger/identity.rs/pull/1423)
+
 ## [v1.4.0](https://github.com/iotaledger/identity.rs/tree/v1.4.0) (2024-09-23)
 
 [Full Changelog](https://github.com/iotaledger/identity.rs/compare/v1.3.1...v1.4.0)
 
 ### Added
 
-- Add feature to support custom `now_utc` implementations [\#1397](https://github.com/iotaledger/identity.rs/pull/1397)
+- Add support for custom JWS algorithms [\#1410](https://github.com/iotaledger/identity.rs/pull/1410)
 - Add support for `did:jwk` resolution [\#1404](https://github.com/iotaledger/identity.rs/pull/1404)
 - Linked Verifiable Presentations [\#1398](https://github.com/iotaledger/identity.rs/pull/1398)
-- Add support for custom JWS algorithms [\#1410](https://github.com/iotaledger/identity.rs/pull/1410)
+- Add feature to support custom `now_utc` implementations [\#1397](https://github.com/iotaledger/identity.rs/pull/1397)
 
 ### Patch
 
-- Make `bls12_381_plus` dependency more flexible again [\#1393](https://github.com/iotaledger/identity.rs/pull/1393)
-- Mark `js-sys` as optional for identity_core [\#1405](https://github.com/iotaledger/identity.rs/pull/1405)
 - Remove dependency on `identity_core` default features [\#1408](https://github.com/iotaledger/identity.rs/pull/1408)
+- Mark `js-sys` as optional for identity\_core [\#1405](https://github.com/iotaledger/identity.rs/pull/1405)
+- Make `bls12_381_plus` dependency more flexible again [\#1393](https://github.com/iotaledger/identity.rs/pull/1393)
 
 ## [v1.3.1](https://github.com/iotaledger/identity.rs/tree/v1.3.1) (2024-06-12)
 

bindings/wasm/identity_wasm/CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## [wasm-v1.5.0](https://github.com/iotaledger/identity.rs/tree/wasm-v1.5.0) (2025-01-20)
+
+[Full Changelog](https://github.com/iotaledger/identity.rs/compare/wasm-v1.4.0...wasm-v1.5.0)
+
+### Added
+
+- SD-JWT VC implementation [\#1413](https://github.com/iotaledger/identity.rs/pull/1413)
+
+### Patch
+
+- Support %-encoded characters in DID URL [\#1496](https://github.com/iotaledger/identity.rs/pull/1496)
+- fix: serialization of status list [\#1423](https://github.com/iotaledger/identity.rs/pull/1423)
+
 ## [wasm-v1.4.0](https://github.com/iotaledger/identity.rs/tree/wasm-v1.4.0) (2024-09-23)
 
 [Full Changelog](https://github.com/iotaledger/identity.rs/compare/wasm-v1.3.1...wasm-v1.4.0)
@@ -8,7 +21,6 @@
 
 - Add support for `did:jwk` resolution [\#1404](https://github.com/iotaledger/identity.rs/pull/1404)
 - Linked Verifiable Presentations [\#1398](https://github.com/iotaledger/identity.rs/pull/1398)
-- Add WASM bindings for EcDSA JWS Verifier [\#1396](https://github.com/iotaledger/identity.rs/pull/1396)
 
 ## [wasm-v1.3.1](https://github.com/iotaledger/identity.rs/tree/wasm-v1.3.1) (2024-06-28)
 

bindings/wasm/identity_wasm/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "identity_wasm"
-version = "1.4.0"
+version = "1.5.0"
 authors = ["IOTA Stiftung"]
 edition = "2021"
 homepage = "https://www.iota.org"
@@ -47,6 +47,7 @@ features = [
   "resolver",
   "domain-linkage",
   "sd-jwt",
+  "sd-jwt-vc",
   "status-list-2021",
   "jpt-bbs-plus",
 ]

bindings/wasm/identity_wasm/examples/src/1_advanced/10_sd_jwt_vc.ts

@@ -0,0 +1,167 @@
+// Copyright 2020-2024 IOTA Stiftung
+// SPDX-License-Identifier: Apache-2.0
+
+import {
+    IJwk,
+    IJwkParams,
+    IResolver,
+    IssuerMetadata,
+    Jwk,
+    JwkType,
+    JwsVerificationOptions,
+    KeyBindingJwtBuilder,
+    KeyBindingJWTValidationOptions,
+    SdJwtVcBuilder,
+    Sha256Hasher,
+    Timestamp,
+    TypeMetadataHelper,
+} from "@iota/identity-wasm/node";
+import { exportJWK, generateKeyPair, JWK, JWTHeaderParameters, JWTPayload, SignJWT } from "jose";
+
+const vc_metadata: TypeMetadataHelper = JSON.parse(`{
+  "vct": "https://example.com/education_credential",
+  "name": "Betelgeuse Education Credential - Preliminary Version",
+  "description": "This is our development version of the education credential. Don't panic.",
+  "claims": [
+    {
+      "path": ["name"],
+      "display": [
+        {
+          "lang": "de-DE",
+          "label": "Vor- und Nachname",
+          "description": "Der Name des Studenten"
+        },
+        {
+          "lang": "en-US",
+          "label": "Name",
+          "description": "The name of the student"
+        }
+      ],
+      "sd": "allowed"
+    },
+    {
+      "path": ["address"],
+      "display": [
+        {
+          "lang": "de-DE",
+          "label": "Adresse",
+          "description": "Adresse zum Zeitpunkt des Abschlusses"
+        },
+        {
+          "lang": "en-US",
+          "label": "Address",
+          "description": "Address at the time of graduation"
+        }
+      ],
+      "sd": "always"
+    },
+    {
+      "path": ["address", "street_address"],
+      "display": [
+        {
+          "lang": "de-DE",
+          "label": "Straße"
+        },
+        {
+          "lang": "en-US",
+          "label": "Street Address"
+        }
+      ],
+      "sd": "always",
+      "svg_id": "address_street_address"
+    },
+    {
+      "path": ["degrees", null],
+      "display": [
+        {
+          "lang": "de-DE",
+          "label": "Abschluss",
+          "description": "Der Abschluss des Studenten"
+        },
+        {
+          "lang": "en-US",
+          "label": "Degree",
+          "description": "Degree earned by the student"
+        }
+      ],
+      "sd": "allowed"
+    }
+  ]
+}`);
+
+const keypair_jwk = async (): Promise<[JWK, JWK]> => {
+    const [sk, pk] = await generateKeyPair("ES256").then(res => [res.privateKey, res.publicKey]);
+    const sk_jwk = await exportJWK(sk);
+    const pk_jwk = await exportJWK(pk);
+
+    return [sk_jwk, pk_jwk];
+};
+
+const signer = async (header: object, payload: object, sk_jwk: JWK) => {
+    return new SignJWT(payload as JWTPayload)
+        .setProtectedHeader(header as JWTHeaderParameters)
+        .sign(sk_jwk)
+        .then(jws => new TextEncoder().encode(jws));
+};
+
+export async function sdJwtVc() {
+    const hasher = new Sha256Hasher();
+    const issuer = "https://example.com/";
+    const [sk_jwk, pk_jwk] = await keypair_jwk();
+    const issuer_public_jwk = { ...pk_jwk, kty: JwkType.Ec, kid: "key1" } as IJwk;
+    const issuer_signer = (header: object, payload: object) => signer(header, payload, sk_jwk);
+    const issuer_metadata = new IssuerMetadata(issuer, { jwks: { keys: [issuer_public_jwk] } });
+    const dummy_resolver = {
+        resolve: async (input: string) => {
+            if (input == "https://example.com/.well-known/jwt-vc-issuer/") {
+                return new TextEncoder().encode(JSON.stringify(issuer_metadata.toJSON()));
+            }
+            if (input == "https://example.com/.well-known/vct/education_credential") {
+                return new TextEncoder().encode(JSON.stringify(vc_metadata));
+            }
+        },
+    } as IResolver<string, Uint8Array>;
+    const [holder_sk, holder_pk] = await keypair_jwk();
+    const holder_public_jwk = { ...holder_pk, kty: JwkType.Ec, kid: "key2" } as IJwk;
+    const holder_signer = (header: object, payload: object) => signer(header, payload, holder_sk);
+
+    /// Issuer creates an SD-JWT VC.
+    let sd_jwt_vc = await new SdJwtVcBuilder({
+        name: "John Doe",
+        address: {
+            street_address: "A random street",
+            number: "3a",
+        },
+        degree: [],
+    }, hasher)
+        .header({ kid: "key1" })
+        .vct("https://example.com/education_credential")
+        .iat(Timestamp.nowUTC())
+        .iss(issuer)
+        .requireKeyBinding({ kid: holder_public_jwk.kid })
+        .makeConcealable("/address/street_address")
+        .makeConcealable("/address")
+        .finish({ sign: issuer_signer }, "ES256");
+
+    console.log(`issued SD-JWT VC: ${sd_jwt_vc.toString()}`);
+
+    // Holder receives its SD-JWT VC and attaches its keybinding JWT.
+    const kb_jwt = await new KeyBindingJwtBuilder()
+        .iat(Timestamp.nowUTC())
+        .header({ kid: holder_public_jwk.kid })
+        .nonce("abcdefghi")
+        .aud("https://example.com/verify")
+        .finish(sd_jwt_vc.asSdJwt(), "ES256", { sign: holder_signer });
+    const { disclosures, sdJwtVc } = sd_jwt_vc.intoPresentation(hasher).attachKeyBindingJwt(kb_jwt).finish();
+    console.log(`presented SD-JWT VC: ${sdJwtVc}`);
+
+    // Verifier checks the presented sdJwtVc.
+    await sdJwtVc.validate(dummy_resolver, hasher);
+    sdJwtVc.validateKeyBinding(
+        new Jwk(holder_public_jwk as IJwkParams),
+        hasher,
+        new KeyBindingJWTValidationOptions({ nonce: "abcdefghi", jwsOptions: new JwsVerificationOptions() }),
+    );
+
+    console.log("The presented SdJwtVc is valid!");
+}

bindings/wasm/identity_wasm/examples/src/main.ts

@@ -8,6 +8,7 @@ import { deactivateIdentity } from "./0_basic/3_deactivate_did";
 import { createVC } from "./0_basic/5_create_vc";
 import { createVP } from "./0_basic/6_create_vp";
 import { revokeVC } from "./0_basic/7_revoke_vc";
+import { sdJwtVc } from "./1_advanced/10_sd_jwt_vc";
 import { customResolution } from "./1_advanced/4_custom_resolution";
 import { domainLinkage } from "./1_advanced/5_domain_linkage";
 import { sdJwt } from "./1_advanced/6_sd_jwt";
@@ -49,6 +50,8 @@ async function main() {
             return await zkp();
         case "9_zkp_revocation":
             return await zkp_revocation();
+        case "10_sd_jwt_vc":
+            return await sdJwtVc();
         default:
             throw "Unknown example name: '" + argument + "'";
     }