SDisclosure.parse() rejects array element disclosures
Describe the bug
SDisclosure.parse() throws Invalid selective disclosure for any 2-element disclosure array, making it impossible to process selectively disclosable array elements in an SD-JWT.
To Reproduce
- Issue an SD-JWT with a selectively disclosable array element (e.g. nationalities: ["DE", "FR"] where "FR" is SD)
- The resulting disclosure for "FR" is a 2-element array: [salt, value] — no claim name, as required by RFC 9901 §4.2.2
- Attempt to parse/verify the SD-JWT using SDisclosure.parse()
- See Exception("Invalid selective disclosure") thrown
Expected behavior
SDisclosure.parse() should accept both:
- 3-element arrays [salt, claimName, claimValue] — object property disclosures
- 2-element arrays [salt, claimValue] — array element disclosures (no claim name)
Actual behavior
SDisclosure.parse() rejects any disclosure that is not exactly 3 elements, throwing Invalid selective disclosure. It always attempts to read it[1] as a claim name, which is incorrect for array element disclosures.
throw Exception("Invalid selective disclosure")
Environment
- os version: N/A (library bug, not environment-specific)
- docker version: N/A
- compose version: N/A
- java version: N/A
Screenshots
N/A
Additional context
RFC 9901 §4.2.2 explicitly defines array element disclosures as 2-element arrays with no claim name:
https://www.ietf.org/rfc/rfc9901.html#name-disclosures-for-array-eleme
The EUDI SD-JWT library (eudi-lib-jvm-sdjwt-kt) handles this correctly by branching on array size — size 2 yields an ArrayElement disclosure with a null claim name:
https://github.com/eu-digital-identity-wallet/eudi-lib-jvm-sdjwt-kt/blob/9e6575cb849942e337ab765903be94cd11f33528/src/main/kotlin/eu/europa/ec/eudi/sdjwt/Disclosure.kt#L92-L94
Fix: parse() should branch on array size — size 3 → object property (current behaviour), size 2 → array element (key absent or null), otherwise → error.
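The branching described in the Fix, as an added example that is not walt.id or EUDI library code: a spec-level sketch in Python rather than the library's Kotlin, going one step further to show a parsed 2-element disclosure filling its `{"...": digest}` placeholder in the nationalities array. The names `parse_disclosure`, `resolve_array` and `make_disclosure`, and the salts, are assumptions made for illustration.

```python
import base64, hashlib, json
from typing import Any, NamedTuple, Optional

INVALID = "Invalid selective disclosure"

class Disclosure(NamedTuple):
    salt: str
    name: Optional[str]  # None for an array element disclosure
    value: Any
    digest: str          # base64url(SHA-256(encoded disclosure)), unpadded

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def parse_disclosure(encoded: str) -> Disclosure:
    """Decode one disclosure, branching on array size (3, 2, otherwise error)."""
    try:
        arr = json.loads(base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4)))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError(INVALID) from exc
    if not isinstance(arr, list) or len(arr) not in (2, 3) or not isinstance(arr[0], str):
        raise ValueError(INVALID)
    digest = b64url(hashlib.sha256(encoded.encode("ascii")).digest())
    if len(arr) == 2:  # [salt, claimValue]: array element, no claim name
        return Disclosure(arr[0], None, arr[1], digest)
    if not isinstance(arr[1], str):  # [salt, claimName, claimValue]
        raise ValueError(INVALID)
    return Disclosure(arr[0], arr[1], arr[2], digest)

def resolve_array(items: list, disclosures: list) -> list:
    """Swap {"...": digest} placeholders for disclosed values; drop the rest."""
    by_digest = {d.digest: d for d in map(parse_disclosure, disclosures)}
    out = []
    for item in items:
        if not (isinstance(item, dict) and set(item) == {"..."}):
            out.append(item)  # always-visible element
        elif item["..."] in by_digest:
            d = by_digest[item["..."]]
            if d.name is not None:  # a 3-element disclosure must not fill an array slot
                raise ValueError(INVALID)
            out.append(d.value)
    return out

# Constructed sample input mirroring the issue's nationalities example.
def make_disclosure(*parts) -> str:
    return b64url(json.dumps(list(parts)).encode())
FR = make_disclosure("constructed-salt-1", "FR")
GIVEN = make_disclosure("constructed-salt-2", "given_name", "Erika")
NATIONALITIES = ["DE", {"...": parse_disclosure(FR).digest}]
```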
Location of the throw cited under Actual behavior: waltid-identity/waltid-libraries/sdjwt/waltid-sdjwt/src/commonMain/kotlin/id/walt/sdjwt/SDisclosure.kt, line 34 in c4a4ff2