Trust DSL Examples

This document demonstrates the trust registry DSL and how issuer trust policies are composed during verification. Issuer allowlists and blocklists are built with org.trustweave.credential.trust.TrustEvaluator; the operators for composing evaluators (infix and, infix or, and the not operator) live in org.trustweave.trust.dsl.

Infix Operators for Trust Relationships

Adding Trust Anchors

Before (Traditional):

trustWeave.trust {
    addAnchor("did:key:university") {
        credentialTypes("EducationCredential")
        description("Trusted university")
    }
}

After (Infix DSL):

trustWeave.trust {
    addAnchor(universityDid, universityDid trusts "EducationCredential" because {
        description("Trusted university")
    })
    
    // Or for multiple types
    addAnchor(universityDid, universityDid trusts listOf("EducationCredential", "DegreeCredential") because {
        description("Trusted university")
    })
    
    // Or for all types
    addAnchor(caDid, caDid trustsAll because {
        description("Root CA - trusts all credential types")
    })
}

Finding Trust Paths

Before (Traditional):

trustWeave.trust {
    val path = findTrustPath(
        from = VerifierIdentity(Did("did:key:verifier")),
        to = IssuerIdentity("did:key:issuer")
    )
}

After (Infix DSL):

trustWeave.trust {
    val path = resolve(verifierDid trustsPath issuerDid)
    
    when (path) {
        is TrustPath.Verified -> {
            println("Trusted via path: ${path.anchors.map { it.did }}")
            println("Path length: ${path.length}")
        }
        is TrustPath.NotFound -> {
            println("No trust path found")
        }
    }
}

Issuer trust composition (TrustEvaluator)

Import the credential API type and the DSL extensions:

import org.trustweave.credential.trust.TrustEvaluator
import org.trustweave.trust.dsl.and
import org.trustweave.trust.dsl.or
import org.trustweave.trust.dsl.not

Combining evaluators with AND

val evaluator = TrustEvaluator.allowlist(trustedIssuers) and TrustEvaluator.blocklist(blockedIssuers)

Combining evaluators with OR

Either evaluator can accept the issuer:

val evaluator = TrustEvaluator.allowlist(teamAIssuers) or TrustEvaluator.allowlist(teamBIssuers)

Negating an evaluator

val evaluator = !TrustEvaluator.blocklist(blockedIssuers)

Nested composition

val evaluator = (
    TrustEvaluator.allowlist(trustedIssuers)
        and TrustEvaluator.blocklist(blockedIssuers)
    )
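
The example below is added here and is not TrustWeave code: it models evaluator composition with a hypothetical stand-in type, IssuerPolicy, to show two things worth checking before a composed policy is used for verification, namely what negating a blocklist does and how Kotlin groups chained infix calls. It assumes a blocklist accepts any issuer absent from its set; the DIDs are constructed sample values.

```kotlin
// Stand-in model, NOT the TrustWeave API: IssuerPolicy, allowlist() and blocklist()
// here are hypothetical helpers; all DIDs below are constructed sample values.
// Assumption: a blocklist policy accepts every issuer that is absent from its set.
fun interface IssuerPolicy {
    fun accepts(issuer: String): Boolean
}

fun allowlist(issuers: Set<String>) = IssuerPolicy { it in issuers }
fun blocklist(issuers: Set<String>) = IssuerPolicy { it !in issuers }

infix fun IssuerPolicy.and(other: IssuerPolicy) = IssuerPolicy { accepts(it) && other.accepts(it) }
infix fun IssuerPolicy.or(other: IssuerPolicy) = IssuerPolicy { accepts(it) || other.accepts(it) }
operator fun IssuerPolicy.not() = IssuerPolicy { !accepts(it) }

fun main() {
    val teamA = setOf("did:example:a1", "did:example:a2")
    val teamB = setOf("did:example:b1", "did:example:b2")
    val blocked = setOf("did:example:a2", "did:example:b2")
    val probes = listOf("did:example:a1", "did:example:a2", "did:example:b1",
                        "did:example:b2", "did:example:unknown")

    val policies = linkedMapOf(
        // Allowlisted and not blocked: the usual intent.
        "allow and block" to (allowlist(teamA) and blocklist(blocked)),
        // Negating a blocklist inverts it: only *blocked* issuers pass the right-hand side.
        "allow and !block" to (allowlist(teamA) and !blocklist(blocked)),
        // With an empty blocklist the negation rejects everyone, so nothing verifies.
        "allow and !block(empty)" to (allowlist(teamA) and !blocklist(emptySet())),
        // Kotlin infix calls share one precedence level and group left to right:
        // this is (block and A) or B, so a blocked team-B issuer is accepted.
        "block and A or B" to (blocklist(blocked) and allowlist(teamA) or allowlist(teamB)),
        // Parenthesised form that applies the blocklist to both teams.
        "block and (A or B)" to (blocklist(blocked) and (allowlist(teamA) or allowlist(teamB))),
    )

    // Print which probe issuers each composed policy accepts.
    for ((name, policy) in policies) {
        val accepted = probes.filter { policy.accepts(it) }
        println("${name.padEnd(24)} accepts $accepted")
    }
}
```

Running the same probe set against the real composed evaluator is a quick way to confirm that the library's semantics match this model.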

Complete Example

import org.trustweave.credential.results.VerificationResult
import org.trustweave.credential.trust.TrustEvaluator
import org.trustweave.trust.TrustWeave
import org.trustweave.trust.types.TrustPath
import org.trustweave.trust.dsl.and
import org.trustweave.trust.dsl.not
import org.trustweave.trust.dsl.credential.KmsProviders
import org.trustweave.trust.dsl.credential.TrustProviders
import org.trustweave.trust.dsl.credential.KeyAlgorithms.ED25519
import org.trustweave.trust.dsl.credential.DidMethods.KEY

val trustWeave = TrustWeave.build {
    keys { provider(KmsProviders.IN_MEMORY); algorithm(ED25519) }
    did { method(KEY) { algorithm(ED25519) } }
    trust { provider(TrustProviders.IN_MEMORY) }
}

// Create DIDs
val universityDid = trustWeave.createDid { method(KEY) }.getOrThrowDid()
val caDid = trustWeave.createDid { method(KEY) }.getOrThrowDid()
val verifierDid = trustWeave.createDid { method(KEY) }.getOrThrowDid()
val issuerDid = trustWeave.createDid { method(KEY) }.getOrThrowDid()

// Add trust anchors using infix DSL
trustWeave.trust {
    addAnchor(universityDid, universityDid trusts "EducationCredential" because {
        description("Trusted university")
    })
    
    addAnchor(caDid, caDid trustsAll because {
        description("Root CA")
    })
    
    val path = resolve(verifierDid trustsPath issuerDid)
    when (path) {
        is TrustPath.Verified -> println("Path found: ${path.length} hops")
        is TrustPath.NotFound -> println("No path found")
    }
}

// Issuer trust during credential verification (TrustEvaluator + composition)
val trustEvaluator = (
    TrustEvaluator.allowlist(setOf(universityDid, caDid))
        and !TrustEvaluator.blocklist(emptySet())
    )

// credential is the verifiable credential being checked; obtaining it is not shown on this page.
val verification = trustWeave.verify {
    credential(credential)
    withTrustPolicy(trustEvaluator)
}

when (verification) {
    is VerificationResult.Valid -> println("OK")
    is VerificationResult.Invalid -> println(verification.allErrors.joinToString())
}
