Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Once a dynamic policy has been saved with a specific name, as explained in the previous section, you can use it to verify Verifiable Credentials.
Please refer to the SSI-Kit setup section to exectute the command successfully.
-p, --policy: Verification policy. Can be specified multiple times. By default, SignaturePolicy is used. To specify a policy argument (if required), use the format PolicyName='{"myParam": "myValue", ...}', to specify the JSON object directly, or PolicyName=path/to/arg.json, to read the argument from a JSON file.
We can verify a credential with the SubjectPolicy and VerifiableId located in src/test/resources/rego/VerifiableId.json, which are provided when cloning the project, so no setup is needed.
Please refer to the SSI-Kit setup section to serve the API.
Body
policies: [array] A list of policy definitions to verify against
policy: [string] The name/id of the policy
argument: [JSON] The argument needed by the policy (optional)
credentials: [array] An array of credentials in JWT, or LD_PROOF format
Static verification policies are predefined for verifying credentials in standard use cases. The following lists out supported static policies by SSI-Kit along with their arguments
SignaturePolicy
Verifies the signature of the W3C Verifiable credential.
None
JsonSchemaPolicy
Verifies against the associated JSON schema. Note that the attribute credentialSchema must be set and the JSON schema must be accessible by the http URL.
None
ValidFromBeforePolicy
Verifies the credentials based on their valid-from date
None
ExpirationDateAfterPolicy
Verifies the credentials based on their expiration date
None
ChallengePolicy
Verifies challenge
ChallengePolicyArg, which contains specific challenges to check against.
VpTokenClaimPolicy
Verify verifiable presentation by OIDC/SIOPv2 VP token claim.
VpTokenClaim
CredentialStatusPolicy
Verifies credentials based on their status
None
EbsiTrustedSchemaRegistryPolicy
Verify by EBSI Trusted Schema Registry. Checks performed:
credential schema id has the correct format
None
EbsiTrustedIssuerDidPolicy
Verify by trusted issuer did. Checks performed:
issuer did is resolvable against EBSI
None
EbsiTrustedIssuerRegistryPolicy
Verify by EBSI Trusted Issuer Registry record. Checks performed:
issuer has any record on trusted registry having an authorization claim matching the VC schema
issuer's TIR record contains a VerifiableId credential
the authorized claim record (from p.1) has the type provided as argument to the policy
issuer's accreditation is valid - verifies against EbsiTrustedIssuerAccreditationPolicy
EbsiTrustedIssuerRegistryPolicyArg
EbsiTrustedSubjectDidPolicy
Verify by trusted subject did. Checks performed:
subject did is resolvable against EBSI
None
EbsiTrustedIssuerAccreditationPolicy
Verify by issuer's authorized claims. Checks performed:
fetches the attribute specified by the termsOfUse property
checks whether the credential stored as the attribute body has the required accreditation claims to match the current VC schema
None
IssuedDateBeforePolicy
Verify by issuance date.
None
GaiaxTrustedPolicy
Verify Gaiax trusted fields.
None
GaiaxSDPolicy
Verify Gaiax SD fields.
None
Please refer to the SSI-Kit setup section to exectute the command successfully.
-n, --name: name of the dynamic policy to remove
Please refer to the SSI-Kit setup section to serve the API.
Path parameters:
policyName: [string] Name of the policy to delete
SSI Kit supports custom policies, written in any of the supported policy engine languages. A dynamic policy can either be executed on the fly (if all required parameters are provided) or saved under a specific name for later reference in the verify command or REST API.
Note: To use dynamic policies with Open Policy Agent, setup of the OPA Engine is required. Refer to the OPA Engine configuration for more details.
Create a dynamic policy - Learn how to create a dynamic policy via CLI or REST
Use a dynamic policy - Learn how to verify a VC using a dynamic policy via CLI or REST
Remove a dynamic policy - Learn how to remove a dynamic policy via CLI or REST
Data classes - Examine data classes used internally.
Some policies may require a parameter or argument for execution. The parameter is indicated in the policy list output, together with the expected data type.
Please refer to the SSI-Kit setup section to exectute the command successfully. Let's verify a credential using the parameterless SignaturePolicy and ChallengePolicy which taks a paramter.
Flags
-p, --policy: Verification policy. Can be specified multiple times. By default, SignaturePolicy is used. To specify a policy argument (if required), use the format PolicyName='{"myParam": "myValue", ...}', to specify the JSON object directly, or PolicyName=path/to/arg.json, to read the argument from a JSON file.
The Challange Policy
It checks that the challenge of the credential is one of the challenges given in the ChallengePolicyArg argument.
Please refer to the SSI-Kit setup section to serve the API.
Using the /v1/verify enpoint in the Auditor API to verify a credential
Body
policies: [array] A list of policy definitions to verify against
policy: [string] The name/id of the policy
argument: [JSON] The argument needed by the policy (if required)
credentials: [array] An array of credentials in JWT, or LD_PROOF format
Example of a Rego policy
A simple Rego policy that takes a credential subject as input and verifies the subject DID against a given parameter would look like this:
This policy file is located in the SSIKit test resources: src/test/resources/rego/subject-policy.rego
Please refer to the SSI-Kit setup section to exectute the command successfully.
You can save the policy by name, which simplifies its usage in future verifications.
Please refer to the SSI-Kit setup section to exectute the command successfully. Example
Flags:
-n, --name: Policy name, must not conflict with existing policies
-D, --description: Optional policy description
-p, --policy: Path or URL to policy definition. e.g.: rego file for OPA policy engine
-i, --input: Input JSON object for rego query, which can be overridden/extended on verification. Can be a JSON string or JSON file
-d, --data-path: JSON path to the data in the credential which should be verified, default: "$" (whole credential object)
-s, --save-policy: Downloads and/or saves the policy definition locally, rather than keeping the reference to the original URL
-f, --force: Override existing policy with that name (static policies cannot be overridden!)
-e, --policy-engine: Policy engine type, default: OPA. Options, OPA
--vc / --no-vc: Apply/Don't apply to verifiable credentials (default: apply)
--vp / --no-vp: Apply/Don't apply to verifiable presentations (default: don't apply)
Please refer to the SSI-Kit setup section to serve the API.
Path parameters:
policyName: [string] Name of the policy, e.g. MyCustomPolicy
Query parameters:
update: [boolean] Specifies if existing policy with same name should be overridden (if mutable)
downloadPolicy: [boolean] When using an URL to reference the to created policy. Downloads and/or saves the policy definition locally, rather than keeping the reference to the original URL
Body
name: [string] Policy name, must not conflict with existing policies
description: [string] Optional policy description
input: [JSON] Input JSON object for rego query, which can be overridden/extended on verification. Can be a JSON string or JSON file
policy: [URL, REGO] Whole Policy or URL to policy definition.
dataPath: [JSON path] JSON path to the data in the credential which should be verified, default: "$" (whole credential object)
policyQuery: [string] The query string in the policy engine language. Defaults to
"data.system.main".
policyEngine: [string] Policy engine type, default: OPA. Options, OPA
applyToVC: [boolean] Apply/Don't apply to verifiable credentials (default: apply)
applyToVP: [boolean] Apply/Don't apply to verifiable presentaion (default: don't apply)
For verification of verifiable credentials, the SSI-Kit offers a wide range of predefined static and parameterized verification policies, which are ready-to-use and are designed for common use cases. For more complex verification, the creation of custom policies using a policy execution engine such as the Open Policy Agent can be used.
Predefined and covering a variety of common use cases, enabling developers to verify credentials without having to dive into dynamic or custom policy creation and scripting languages. Some of these policies include SignaturePolicy, JsonSchemaPolicy, ValidFromBeforePolicy, ExpirationDateAfterPolicy, and more.
Learn more about Static Verification Policies.
Parameterized policies are a type of policy that requires certain parameters or arguments for their execution.
Learn more about Parameterized Verification Polices.
Dynamic policies offer a more customized approach to credential verification, enabling even the most complex of use-cases. Policies can be created based on different policy engine languages.
A dynamic policy requires an argument of the DynamicPolicyArg type, defined as follows:
The properties are as follows:
name: The policy name. Defaults to "DynamicPolicy".
description: An optional description of the policy.
input: A generic map (JSON object) holding the input data required by the policy. If no input is required, this can be an empty map.
policy: The policy definition. Can be a file path, URL, JSON Path (if policy is defined in a credential property), or the policy script directly.
dataPath: The path to the credential data to be verified. Defaults to the entire credential object ($). If you want to use only the credential subject as verification data, specify the JSON path like this: $.credentialSubject.
policyQuery: The query string in the policy engine language. Defaults to "data.system.main".
policyEngine: The engine used for policy execution. Defaults to OPA (Open Policy Agent).
applyToVC: Determines whether this policy should apply to verifiable credentials. Defaults to true.
applyToVP: Determines whether this policy should apply to verifiable presentations. Defaults to false.
The policy is executed by the specified policy engine, with the Open Policy Agent currently being the only supported engine. OPA receives an input object containing the dynamic policy's input parameter and the credential data configured in the policy argument.
The input object for the policy engine is structured as follows:
This structure allows the REGO policy definition to access the input properties as follows:
input.parameter: The input object defined in the DynamicPolicyArg's input property.
input.credentialData: The credential data selected by the JSON path provided in the DynamicPolicyArg's dataPath property.