The Procivis One Open Core library is a subset of our Procivis One Core including specific services and protocols.
Decentralized digital identities and credentials is an approach to identity that relocates digital credentials from the possession and control of centralized authorities to the digital wallet of the credentials holder. This architecture eliminates the need for the user to "phone home" to use their credentials as well as the verifier to communicate to the issuer via back-channels, keeping the wallet holder's interactions private between only those parties directly involved in each interaction.
The Procivis One Open Core was developed with funding from the U.S. Department of Homeland Security's (DHS) Silicon Valley Innovation Program (SVIP) and provides cryptographic and metadata management tools for issuers, holders, and verifiers:
- OSL (A): Cryptographic Tools SDK for Issuers, Digital Wallets, and Verifiers
- OSL (B): Sealed Storage SDK for Issuers, Digital Wallets, and Verifiers
- OSL (C): Metadata Management SDK for Issuers, Digital Wallets, and Verifiers
- Additional modules
See the section on repository structure for a description of how these functions are divided and the different ways in which this library can be used.
Format and parse digital credentials according to W3C Verifiable Credentials Data Model v2.0, for issuing, presenting, and verifying.
The following proofs are supported:
| Securing mechanism | Supported representations | Supported proof/signature types |
|---|---|---|
| W3C Data Integrity Proofs (embedded) | JSON-LD in Compacted Document Form | |
| W3C VC-JOSE-COSE (enveloping) |
* CRYSTALS-DILITHIUM is a post-quantum resistant signature scheme, selected by NIST for Post-Quantum Cryptography Standardization. Support for the recently published FIPS-204 is planned for the near future.
When provided with the necessary ingredients (e.g. public keys, authentication function for signing, cryptographic operations for calculating hash comparisons, etc.), this module can sign and verify proofs. These ingredients can be delivered by the other providers, or they can be provided independently.
Additionally, the provider can be used for other data models. For the technologies supported by the complete Procivis One solution, see our docs.
- Sign and verify raw bytes, including necessary hashing, using the curves listed above
- Generate cryptographic key pairs for use with the following algorithms
- EdDSA
- ECDSA
- BBS+
- ML-DSA
- Serialize keys, converting to and from different structures (multibase, jwk, bytes, DER)
Store and safely use keys via:
- Azure Key Vault hardware security module (HSM)
- Internal encrypted database
Manage credential status with the following revocation methods:
For issuers: suspend, reactivate and revoke credentials.
For holders and verifiers: check the status of credentials.
Uses W3C Decentralized Identifiers (DIDs) v1.0-based architecture and data model to manage identifiers
- Create DIDs and publish metadata
- Resolve DIDs directly or with the supported Universal DID resolver
- Retrieve metadata, returning DID Documents and associated public keys
- Update DIDs (if supported by the method)
Exchange credentials and presentations:
- Issue credentials using OpenID4VCI (draft 12)
- Receive credentials and make verifiable presentations using OpenID4VC
- Verify credentials using OpenID4VP (draft 20)
- Selective disclosure: holders control information using
- JSON-LD credentials signed with BBS+
- SD-JWT credentials
- Caching for mobile devices: In-memory caching for mobile devices with intermittent internet connectivity
- DID documents for metadata retrieval (DID method provider)
- Status lists for credentials issued with W3C Bitstring Status List v1.0 (Revocation method provider)
- JSON-LD contexts for credential structures and calculation of proofs (Credential format provider)
- Schemas
- Structure credentials for issuance with customizable credential schemas
- Structure verification requests with customizable credential and proof schemas
- Interoperability
- We actively support standards-based interoperability
- We are participating in interop testing soon, and will update this section as results come in
A stable version of Rust ≥ 1.75 is recommended.
cargo install --git https://github.com/procivis/one-open-coreThe library consists of three crates:
- Providers
- Credential formatter provider
- Key algorithm provider
- Key storage provider
- Revocation provider
- DID method provider
- Exchange protocol provider
- Crypto: This provider is delimited in its own directory to enable future certification
of the cryptographic components of this library, e.g. in the NIST Cryptographic Module Validation Program (CMVP).
- Crypto provider
- Core
- Services
The Providers (including Crypto provider) are modular implementations of the complete range of functionality. Developers can use providers — or implementations of individual technologies from within a provider — for modular functionality.
The Core is a service layer that offers developer APIs for orchestrating the whole suite of providers for simplified workflows in issuing, holding, or verifying. Services return provider implementations.
The Providers and Crypto crates contain the actual implementations of technologies, in a modular format. Implementations or providers can be used modularly. The library can be extended (e.g. with a new DID method or key signing algorithm) by adding additional implementations in the relevant provider.
See the docs for details on each provider and related implementations.
See the examples for a few iterations of using the providers.
Each provider is structured in a similar pattern, each containing some subset of:
imp: Implements the functionality. Within this directory, each technology (e.g. each credential format, each key algorithm, each DID method) is implemented within its own directory.error: Enumerates errors of the provider.mod: Provides the traits used in the implementation.model:structs andenums of the provider.provider: The provider implementation.
Some providers may include additional elements of implementation.
There are additional modules in the Providers crate containing, for example, shared resources such as DTOs as well as utilities such as bitstring list handling and key verification of DIDs.
The Core provides developer APIs for simple and easy-to-use functionalities of the library and its supported technologies. As an orchestration layer, it provides the simplest access to related functions with the least amount of effort. Services currently available:
To get started, initialize the core:
/// `None` initializes the Core with the default configuration
let core = OneOpenCore::new(None).unwrap();Then start using the services, e.g.:
let key_pair = core
.signature_service
.get_key_pair(&KeyAlgorithmType::Es256)
.expect("Key pair creation failed");Some examples of using the Core are provided in the /examples directory of the repository. More examples will be added in the future. Examples include:
- Signing for issuing, presenting and verifying: Signing for issuance, signing for a presentation, and verifying a credential, via the credential service
- Signing and verifying: Signing and verifying via the signature service
- DID Resolution: Resolving DIDs via the DID service or using the implementations directly
See the library documentation for details on this repository. The library documentation provides further descriptions of crates, modules, and traits.
See the Procivis One documentation for:
- The complete list of Procivis One supported technologies
- Trial access to the full solution
- APIs and SDK documentation
- Conceptual topics
This work is funded in part by the U.S Department of Homeland Security Science and Technology Directorate (DHS S&T) Silicon Valley Innovation Program (SVIP) under contract 70RSAT24T00000012. Any opinions contained herein are those of the performer and do not necessarily reflect those of DHS.
Some rights reserved. This library is published under the Apache License Version 2.0.
© Procivis AG, https://www.procivis.ch.