openwallet-foundation · lukasjhan · Sep 18, 2025 · Sep 21, 2025 · Copilot · Sep 21, 2025
@@ -0,0 +1,39 @@
+![License](https://img.shields.io/github/license/openwallet-foundation-labs/sd-jwt-js.svg)
+![NPM](https://img.shields.io/npm/v/%40sd-jwt%2Fvcld)
+![Release](https://img.shields.io/github/v/release/openwallet-foundation-labs/sd-jwt-js)
+![Stars](https://img.shields.io/github/stars/openwallet-foundation-labs/sd-jwt-js)
+
+# SD-JWT Implementation in JavaScript (TypeScript)
+
+## SD-JWT VCLD
+
+### About
+
+SD-JWT VCLD
+
+Check the detail description in our github [repo](https://github.com/openwallet-foundation-labs/sd-jwt-js).
+
+### Installation
+
+To install this project, run the following command:
+
+```bash
+# using npm
+npm install @sd-jwt/vcld
+
+# using yarn
+yarn add @sd-jwt/vcld
+
+# using pnpm
+pnpm install @sd-jwt/vcld
+```
+
+Ensure you have Node.js installed as a prerequisite.
+
+### Usage
+
+Check out more details in our [documentation](https://github.com/openwallet-foundation-labs/sd-jwt-js/tree/main/docs) or [examples](https://github.com/openwallet-foundation-labs/sd-jwt-js/tree/main/examples)
+
+### Dependencies
+
+None
@@ -0,0 +1,67 @@
+{
+  "name": "@sd-jwt/vcld",
+  "version": "0.15.0",
+  "description": "sd-jwt draft 7 implementation in typescript",
+  "main": "dist/index.js",
+  "module": "dist/index.mjs",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js"
+    }
+  },
+  "scripts": {
+    "build": "rm -rf **/dist && tsup",
+    "lint": "biome lint ./src",
+    "test": "pnpm run test:node && pnpm run test:browser && pnpm run test:cov",
+    "test:node": "vitest run ./src/test/*.spec.ts",
+    "test:browser": "vitest run ./src/test/*.spec.ts --environment jsdom",
+    "test:cov": "vitest run --coverage"
+  },
+  "keywords": [
+    "sd-jwt",
+    "sdjwt",
+    "sd-jwt-vc"
+  ],
+  "engines": {
+    "node": ">=18"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/openwallet-foundation-labs/sd-jwt-js"
+  },
+  "author": "Lukas.J.Han <[email protected]>",
+  "homepage": "https://github.com/openwallet-foundation-labs/sd-jwt-js/wiki",
+  "bugs": {
+    "url": "https://github.com/openwallet-foundation-labs/sd-jwt-js/issues"
+  },
+  "license": "Apache-2.0",
+  "publishConfig": {
+    "access": "public"
+  },
+  "tsup": {
+    "entry": [
+      "./src/index.ts"
+    ],
+    "sourceMap": true,
+    "splitting": false,
+    "clean": true,
+    "dts": true,
+    "format": [
+      "cjs",
+      "esm"
+    ]
+  },
+  "dependencies": {
+    "@sd-jwt/core": "workspace:*",
+    "@sd-jwt/crypto-nodejs": "workspace:*",
+    "@sd-jwt/decode": "workspace:*",
+    "@sd-jwt/hash": "workspace:*",
+    "@sd-jwt/sd-jwt-vc": "workspace:*",
+    "@sd-jwt/types": "workspace:*",
+    "@types/jsonld": "^1.5.15",
+    "jsonld": "^8.3.3"
+  },
+  "gitHead": "ded40e4551bde7ae93083181bf26bd1b38bbfcfb"
+}
@@ -0,0 +1,51 @@
+/**
+ * B.3.7. SD-JWT VCLD
+
+SD-JWT VCLD (SD-JWT Verifiable Credentials with JSON-LD) extends the IETF SD-JWT VC [I-D.ietf-oauth-sd-jwt-vc] Credential format and allows to incorporate existing data models that use Linked Data, e.g., W3C VCDM [VC_DATA], while enabling a consistent and uncomplicated approach to selective disclosure.
+Information contained in SD-JWT VCLD Credentials can be processed using a JSON-LD [JSON-LD] processor after the SD-JWT VC processing.When IETF SD-JWT VC is mentioned in this specification, SD-JWT VCLD defined in this section MAY be used.
+
+B.3.7.1. Format
+
+SD-JWT VCLD Credentials are valid SD-JWT VCs and all requirements from [I-D.ietf-oauth-sd-jwt-vc] apply. Additionally, the requirements listed in this section apply.
+For compatibility with JWT processors, the following registered Claims from [RFC7519] and [I-D.ietf-oauth-sd-jwt-vc] MUST be used instead of any respective counterpart properties from W3C VCDM or elsewhere:
+
+- vct to represent the type of the Credential.
+- exp and nbf to represent the validity period of SD-JWT VCLD (i.e., cryptographic signature). 
+- iss to represent the Credential Issuer. status to represent the information to obtain the status of the Credential.
+
+IETF SD-JWT VC is extended with the following claim:
+
+- ld: OPTIONAL. Contains a JSON-LD [JSON-LD] object in compact form, e.g., [VC_DATA].
+
+B.3.7.2. Processing
+
+The following outlines a suggested non-normative set of processing steps for SD-JWT VCLD:
+
+B.3.7.2.1. Step 1: SD-JWT VC Processing
+
+- A receiver (holder or verifier) of an SD-JWT VCLD applies the processing rules outlined in Section 4 of [I-D.ietf-oauth-sd-jwt-vc], including verifying signatures, validity periods, status information, etc.
+- If the vct value is associated with any SD-JWT VC Type Metadata, schema validation of the entire SD-JWT VCLD is performed, including the nested ld claim.
+- Additionally, trust framework rules are applied, such as ensuring the Credential Issuer is authorized to issue SD-JWT VCLDs for the specified vct value.
+
+B.3.7.2.2. Step 2: Business Logic Processing
+
+- Once the SD-JWT VC is verified and trusted by the SD-JWT VC processor, and if the ld claim is present, the receiver extracts the JSON-LD object from the ld claim and uses this for the business logic object. 
+  If the ld claim is not present, the entire SD-JWT VC is considered to represent the business logic object.
+- The business logic object is then passed on for further use case-specific processing and validation. 
+  The business logic assumes that all security-critical functions (e.g., signature verification, trusted issuer) have already been performed during the previous step. 
+  Additional schema validation is applied if provided in the ld claim, e.g., to support SHACL schemas. Note that while a vct claim is required, SD-JWT VC type metadata resolution and related schema validation is optional in certain cases. 
+
+ */
+
+import { Present } from './present';
+import { decode, Signer } from './sign';
+import { JWTVerifier } from './verify';
+
+export * from './type';
+
+export const VCld = {
+  Signer,
+  decode,
+  Present,
+  Verify: JWTVerifier,
+};
@@ -0,0 +1,26 @@
+import { SDJwtInstance } from '@sd-jwt/core';
+import { digest, generateSalt } from '@sd-jwt/crypto-nodejs';
+import type { PresentationFrame } from '@sd-jwt/types';
+
+export const Present = {
+  async present<T extends Record<string, unknown>>(
+    credential: string,
+    presentationFrame?: PresentationFrame<T>,
+    options?: Record<string, unknown>,
+  ): Promise<string> {
+    // Initialize the SD JWT instance with proper configuration
+    const sdJwtInstance = new SDJwtInstance({
+      hashAlg: 'sha-256',
+      hasher: digest,
+      saltGenerator: generateSalt,
+    });
+
+    // Use the instance's present method for the core SD-JWT functionality
+    const presentedCredential = await sdJwtInstance.present(
+      credential,
+      presentationFrame,
+    );
+
+    return presentedCredential;
+  },
+};
@@ -0,0 +1,184 @@
+import { decodeSdJwtSync, getClaimsSync } from '@sd-jwt/decode';
+import { hasher } from '@sd-jwt/hash';
+import type { JsonLdDocument } from 'jsonld';
+import { SDJwtInstance } from '@sd-jwt/core';
+import { createSign } from 'node:crypto';
+import type { DisclosureFrame } from '@sd-jwt/types';
+import type { KeyObject } from 'node:crypto';
+import { digest, generateSalt } from '@sd-jwt/crypto-nodejs';
+import { ALGORITHMS, type Alg } from './type';
+
+export class Signer {
+  private doc: JsonLdDocument;
+  private signAlg: Alg;
+  // biome-ignore lint/suspicious/noExplicitAny: use any for disclosureFrame
+  private disclosureFrame: DisclosureFrame<any> | undefined;
+  private header: Record<string, unknown> | undefined;
+
+  private vct: string;
+  private iss: string | undefined;
+  private exp: number | undefined;
+  private nbf: number | undefined;
+
+  constructor(doc: JsonLdDocument, vct: string) {
+    this.doc = doc;
+    this.signAlg = 'ES256';
+    this.vct = vct;
+  }
+
+  setSignAlg(signAlg: Alg) {
+    this.signAlg = signAlg;
+    return this;
+  }
+
+  // biome-ignore lint/suspicious/noExplicitAny: use any for disclosureFrame
+  setDisclosureFrame(disclosureFrame: DisclosureFrame<any>) {
+    this.disclosureFrame = disclosureFrame;
+    return this;
+  }
+
+  setHeader(header: Record<string, unknown>) {
+    this.header = header;
+    return this;
+  }
+
+  setIss(iss: string) {
+    this.iss = iss;
+    return this;
+  }
+
+  setExp(exp: number) {
+    this.exp = exp;
+    return this;
+  }
+
+  setNbf(nbf: number) {
+    this.nbf = nbf;
+    return this;
+  }
+
+  async sign(key: KeyObject) {
+    if (!this.iss) throw new Error('iss must be set when signing');
+    if (!this.exp) throw new Error('exp must be set when signing');
+    if (!this.nbf) throw new Error('nbf must be set when signing');
+    if (!this.signAlg) throw new Error('alg must be set when signing');
+
+    const sdjwtInstance = new SDJwtInstance({
+      hashAlg: 'sha-256',
+      signAlg: this.signAlg,
+      hasher: digest,
+      saltGenerator: generateSalt,
+      signer: (data: string) => {
+        return JWTSigner.sign(this.signAlg, data, key);
+      },
+    });
+
+    const payload = {
+      vct: this.vct,
+      iss: this.iss,
+      exp: this.exp,
+      nbf: this.nbf,
+      ld: this.doc,
+    };
+    const disclosureFrame = { ld: this.disclosureFrame } as DisclosureFrame<
+      typeof payload
+    >;
+
+    const compact = await sdjwtInstance.issue(payload, disclosureFrame, {
+      header: this.header,
+    });
+
+    return compact;
+  }
+}
+
+export const decode = (compact: string) => {
+  const decodedSdJwt = decodeSdJwtSync(compact, hasher);
+  const claims = getClaimsSync(
+    decodedSdJwt.jwt.payload,
+    decodedSdJwt.disclosures,
+    hasher,
+  ) as Record<string, unknown>;
+
+  if ('ld' in claims) {
+    return { claims, ld: claims.ld };
+  }
+
+  return { claims };
+};
+
+const JWTSigner = {
+  sign(alg: Alg, signingInput: string, privateKey: KeyObject) {
+    const signature = JWTSigner.createSignature(alg, signingInput, privateKey);
+    return signature;
+  },
+
+  createSignature(alg: Alg, signingInput: string, privateKey: KeyObject) {
+    switch (alg) {
+      case 'RS256':
+      case 'RS384':
+      case 'RS512':
+      case 'PS256':
+      case 'PS384':
+      case 'PS512': {
+        const option = ALGORITHMS[alg];
+        return JWTSigner.createRSASignature(signingInput, privateKey, option);
+      }
+      case 'ES256':
+      case 'ES384':
+      case 'ES512': {
+        const option = ALGORITHMS[alg];
+        return JWTSigner.createECDSASignature(signingInput, privateKey, option);
+      }
+      case 'EdDSA': {
+        const option = ALGORITHMS[alg];
+        return JWTSigner.createEdDSASignature(signingInput, privateKey, option);
+      }
+      default:
+    }
+    throw new Error(`Unsupported algorithm: ${alg}`);
+  },
+
+  createRSASignature(
+    signingInput: string,
+    privateKey: KeyObject,
+    options: { hash: string; padding: number },
+  ) {
+    const signer = createSign(options.hash);
+    signer.update(signingInput);
+    const signature = signer.sign({
+      key: privateKey,
+      padding: options.padding,
+    });
+    return signature.toString('base64url');
+  },
+
+  createECDSASignature(
+    signingInput: string,
+    privateKey: KeyObject,
+    options: { hash: string; namedCurve: string },
+  ) {
+    const signer = createSign(options.hash);
+    signer.update(signingInput);
+
+    const signature = signer.sign({
+      key: privateKey,
+      dsaEncoding: 'ieee-p1363',
+    });
+
+    return signature.toString('base64url');
+  },
+
+  createEdDSASignature(
+    signingInput: string,
+    privateKey: KeyObject,
+    options: { curves: string[] },
+  ) {
+    const signer = createSign(options.curves[0]);
+    signer.update(signingInput);
+    const signature = signer.sign({
+      key: privateKey,
+    });
+    return signature.toString('base64url');
+  },
+};
@@ -0,0 +1,7 @@
+import { describe, expect, test } from 'vitest';
+
+describe('Test#1', () => {
+  test('Test#1', () => {
+    expect(1).toBe(1);
+  });
+});