1. Providing DVR Retrieval API

Providing a REST API to retrieve the DVR

The Proof Verifier must also define a mechanism through which users can retrieve the DVR token. Retrieval can be accomplished through various means, such as QR code scanning, a RESTful API, or other methods. The zkPass SDK leaves the verifier free to choose the retrieval mechanism most appropriate to the application's architectural design.

Signing the DVR data

The Proof Verifier is the entity responsible for defining the Data Verification Request (DVR) against which user data is verified. To accurately create DVR queries, the verifier must have an in-depth understanding of the user data format as provided by the Data Issuer. Utilizing zkPass Query Language, the verifier can reference specific fields within the user data using the notion of 'Variable'.

Upon receipt of a Zero-Knowledge Proof (ZKP) from the user, the verifier invokes the zkPass.verifyProof function to authenticate the proof. A successful verification indicates that the user's data complies with all conditions stipulated in the DVR query.

The Proof Verifier is responsible for generating tokens for the DVR content. To achieve this, it must manage a public/private key pair specifically for digital signing. Additionally, the Proof Verifier should expose a standard JWKS (JSON Web Key Set) endpoint through a RESTful API for signature verification purposes. This endpoint serves as the source for obtaining the public key required to validate the DVR token's signature.

To facilitate the zkPass flow, the verifier must tokenize the DVR object into a JWT (JSON Web Token). The verifier includes the following parameters in the inner token's JWT header:

  • jku: The URL where the public verification key can be retrieved.

  • kid: The Key ID, a unique identifier for the specific verification key in use.
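The key lookup that the JWKS endpoint and the jku and kid header parameters enable, as an added example that is not zkPass SDK code: because jku and kid are read from the token before its signature has been checked, the consumer selects the key only from JWKS documents it has pinned in advance. The URL, the ES256 algorithm, the key values and all function names are assumptions made for this sketch, and the signature check itself is left to a JOSE library.

```python
import base64
import json

class KeyResolutionError(Exception):
    """The token header does not point at a key this service trusts."""

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def resolve_verification_key(token: str, trusted_jwks: dict, allowed_algs=("ES256",)) -> dict:
    """Pick the JWK that must verify `token`, using only pinned JWKS documents."""
    parts = token.split(".")
    if len(parts) != 3:
        raise KeyResolutionError("not a compact JWS")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise KeyResolutionError("unreadable protected header") from exc
    if not isinstance(header, dict):
        raise KeyResolutionError("protected header is not an object")
    # The accepted algorithms are fixed by the consumer, so "none" is rejected.
    if header.get("alg") not in allowed_algs:
        raise KeyResolutionError("algorithm not allowed")
    jku, kid = header.get("jku"), header.get("kid")
    # jku comes from the unverified token: use it as a lookup key, never as a URL to fetch.
    if not isinstance(jku, str) or jku not in trusted_jwks:
        raise KeyResolutionError("jku is not a pinned JWKS endpoint")
    matches = [k for k in trusted_jwks[jku].get("keys", []) if k.get("kid") == kid]
    if len(matches) != 1:
        raise KeyResolutionError("kid does not identify exactly one key")
    return matches[0]

# Constructed sample data: a pinned JWKS and a helper that builds unsigned test tokens.
JWKS_URL = "https://verifier.example/.well-known/jwks.json"
TRUSTED_JWKS = {JWKS_URL: {"keys": [
    {"kty": "EC", "crv": "P-256", "kid": "k-1", "x": "constructed-x", "y": "constructed-y"},
]}}

def make_token(header: dict) -> str:
    segments = [json.dumps(header).encode(), b'{"constructed":"payload"}', b"constructed-sig"]
    return ".".join(b64url_encode(s) for s in segments)

if __name__ == "__main__":
    token = make_token({"alg": "ES256", "jku": JWKS_URL, "kid": "k-1"})
    print(resolve_verification_key(token, TRUSTED_JWKS))
```
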

zkpass-client Integration

In the implementation of the DVR retrieval code, the Proof Verifier needs to digitally sign the DVR. This is done using the zkpass-client SDK library, as illustrated here.

...

//
//  Step 1: Instantiate the zkpass_client object.
//
let zkpass_client = ZkPassClient::new(
    "", // zkPass service URL; left empty because it is not needed in the DVR signing flow
    ZkPassApiKey {
        api_key: "".to_string(),
        secret_api_key: "".to_string(),
    },
);

//
//  Step 2: Call zkpass_client.get_query_engine_version_info.
//          The version info is needed for DVR object creation.
//
let query_engine_version_info = zkpass_client.get_query_engine_version_info();

//
// Step 3: Create the DVR object
//
let dvr = DataVerificationRequest {
    zkvm: String::from(zkvm),
    dvr_title: String::from("My DVR"),
    dvr_id: Uuid::new_v4().to_string(),
    query_engine_ver: query_engine_version_info.0,
    query_method_ver: query_engine_version_info.1,
    query: serde_json::to_string(&query).unwrap(),
    user_data_requests: wrap_single_user_data_input(UserDataRequest {
        user_data_url: Some(String::from("https://hostname/api/user_data/")),
        user_data_verifying_key: PublicKeyOption::PublicKey(issuer_pubkey()),
    }),
    dvr_verifying_key: Some(PublicKeyOption::PublicKey(verifier_pubkey())),
};

//
//  Step 4: Call zkpass_client.sign_data_to_jws_token
//          to digitally sign the DVR data.
//          (`ep`, `zkvm` and `query` are defined outside this excerpt.)
//
let dvr_token = zkpass_client
    .sign_data_to_jws_token(
        VERIFIER_PRIVKEY,
        json!(dvr.clone()),
        Some(ep))
    .unwrap();

...
