定制 k2gl/sd-jwt-vc 二次开发

按需修改功能、优化性能、对接业务系统,提供一站式技术支持

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

k2gl/sd-jwt-vc

Composer 安装命令:

composer require k2gl/sd-jwt-vc

包简介

SD-JWT-based Verifiable Credentials (SD-JWT VC) in pure PHP: issue and verify dc+sd-jwt credentials.

README 文档

README

CI Latest Stable Version Total Downloads PHPStan License

SD-JWT-based Verifiable Credentials (draft-ietf-oauth-sd-jwt-vc) in pure PHP: issue and verify dc+sd-jwt credentials — the format HAIP and the EU Digital Identity Wallet build on. RFC 9901 processing is provided by k2gl/sd-jwt; this package adds the credential layer: the typ/vct rules, the protected-claims rules, and Issuer key discovery.

Tracks draft -17 (at the IESG for publication). The test suite verifies the draft's own worked examples byte for byte. The most churn-prone surface across draft revisions has been the media type; the verifier accepts both dc+sd-jwt and the pre-2024 vc+sd-jwt (switchable off).

Install

composer require k2gl/sd-jwt-vc

Requires PHP 8.1+. The JWT VC Issuer Metadata resolver speaks PSR-18/PSR-17, so bring any HTTP client (or none, if you pin keys or use x5c).

Usage

Verify a presentation (Verifier / relying party)

use K2gl\SdJwt\KeyBinding;
use K2gl\SdJwtVc\JwtVcIssuerMetadata;
use K2gl\SdJwtVc\SdJwtVcVerifier;

$verifier = new SdJwtVcVerifier;

$credential = $verifier->verifyPresentation(
    $compact,
    new JwtVcIssuerMetadata($psr18Client, $psr17RequestFactory), // resolves /.well-known/jwt-vc-issuer
    KeyBinding::required(audience: 'https://verifier.example.org', nonce: $nonce),
);

$credential->vct();      // "https://credentials.example.com/identity_credential"
$credential->claims();   // the Processed SD-JWT Payload
$credential->status();   // the status claim, if any (e.g. Token Status List reference)

Key discovery mechanisms (Section 2.5), all pluggable via IssuerKeyResolver:

  • JwtVcIssuerMetadata — web-based resolution from /.well-known/jwt-vc-issuer, jwks or jwks_uri, kid-aware, issueriss identity enforced.
  • X5cIssuerKeys — the x5c header chain, validated against your trust anchors (signatures, validity windows, anchor membership; revocation is out of scope).
  • StaticIssuerKeys — keys pinned in configuration.
  • Any k2gl/dsse Verifier directly, when there is exactly one trusted key.

Issue a credential

use K2gl\SdJwt\Jws\JwsSigner;
use K2gl\SdJwt\Sd;
use K2gl\SdJwtVc\SdJwtVcIssuer;

$issuer = new SdJwtVcIssuer(JwsSigner::es256FromPem($pem));

$credential = $issuer->issue([
    'vct' => 'https://credentials.example.com/identity_credential',
    'iss' => 'https://issuer.example.com',
    'iat' => time(),
    'cnf' => ['jwk' => $holderJwk],
    'given_name' => Sd::hide('John'),
    'birthdate' => Sd::hide('1983-07-29'),
]);

$compact = $credential->toCompact();

The typ header is always dc+sd-jwt; vct is required; the claims that the draft forbids disclosing selectively (iss, nbf, exp, cnf, vct, vct#integrity, status) are rejected if wrapped in Sd::hide() — and rejected again at verification time if a foreign issuer tried it.

Presentation building (selecting disclosures, Key Binding) is the Holder side and lives in k2gl/sd-jwt's Presentation.

Scope

  • dc+sd-jwt issuance and verification per draft -17, compact serialization.
  • Key discovery: JWT VC Issuer Metadata (PSR-18), x5c chains, pinned keys.
  • status claim surfaced for a status-mechanism check by the application; a Token Status List implementation is a separate concern.
  • Type Metadata (Section 4: display, claim metadata, vct#integrity) is not implemented — it is wallet-display machinery, not needed to issue or verify.

License

MIT © Nick Harin

统计信息

  • 总下载量: 0
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 0
  • 点击次数: 3
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 0
  • Watchers: 0
  • Forks: 0
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2026-07-07

承接程序开发

PHP开发

VUE

Vue开发

前端开发

小程序开发

公众号开发

系统定制

数据库设计

云部署

网站建设

安全加固