fix: add the payload that is required

Signed-off-by: Mirko Mollik <[email protected]>

packages/core/src/index.ts

@@ -16,6 +16,29 @@ export * from './kbjwt';
 export * from './jwt';
 export * from './decoy';
 
+export interface SdJwtVcPayload {
+  // The Issuer of the Verifiable Credential. The value of iss MUST be a URI. See [RFC7519] for more information.
+  iss: string;
+  // The time of issuance of the Verifiable Credential. See [RFC7519] for more information.
+  iat: number;
+  // OPTIONAL. The time before which the Verifiable Credential MUST NOT be accepted before validating. See [RFC7519] for more information.
+  nbf?: number;
+  //OPTIONAL. The expiry time of the Verifiable Credential after which the Verifiable Credential is no longer valid. See [RFC7519] for more information.
+  exp?: number;
+  // REQUIRED when Cryptographic Key Binding is to be supported. Contains the confirmation method as defined in [RFC7800]. It is RECOMMENDED that this contains a JWK as defined in Section 3.2 of [RFC7800]. For Cryptographic Key Binding, the Key Binding JWT in the Combined Format for Presentation MUST be signed by the key identified in this claim.
+  cnf?: unknown;
+  //REQUIRED. The type of the Verifiable Credential, e.g., https://credentials.example.com/identity_credential, as defined in Section 3.2.2.1.1.
+  vct: string;
+  // OPTIONAL. The information on how to read the status of the Verifiable Credential. See [I-D.looker-oauth-jwt-cwt-status-list] for more information.
+  status?: unknown;
+
+  //The identifier of the Subject of the Verifiable Credential. The Issuer MAY use it to provide the Subject identifier known by the Issuer. There is no requirement for a binding to exist between sub and cnf claims.
+  sub?: string;
+
+  // more entries
+  [key: string]: unknown;
+}
+
 export class SDJwtInstance {
   public static DEFAULT_hashAlg = 'sha-256';
 
@@ -62,7 +85,7 @@ export class SDJwtInstance {
     return jwt.verify(this.userConfig.verifier);
   }
 
-  public async issue<Payload extends Record<string, unknown>>(
+  public async issue<Payload extends SdJwtVcPayload>(
     payload: Payload,
     disclosureFrame?: DisclosureFrame<Payload>,
     options?: {
@@ -81,6 +104,30 @@ export class SDJwtInstance {
       throw new SDJWTException('sign alogrithm not specified');
     }
 
+    //validate disclosureFrame according to https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-01.html#section-3.2.2.2
+    if (disclosureFrame?._sd) {
+      const reservedNames = [
+        'iss',
+        'iat',
+        'nbf',
+        'exp',
+        'cnf',
+        'vct',
+        'status',
+      ];
+      // check if there is any reserved names in the disclosureFrame._sd array
+      const reservedNamesInDisclosureFrame = Object.keys(
+        disclosureFrame._sd,
+      ).filter((key) => reservedNames.includes(key));
+      if (reservedNamesInDisclosureFrame.length > 0) {
+        throw new SDJWTException(
+          `Invalid disclosureFrame: reserved names in _sd array: ${reservedNamesInDisclosureFrame.join(
+            ', ',
+          )}`,
+        );
+      }
+    }
+
     const hasher = this.userConfig.hasher;
     const hashAlg = this.userConfig.hashAlg ?? SDJwtInstance.DEFAULT_hashAlg;