diff --git a/README.md b/README.md index 166c0da..6365df2 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Nuts UZI Server Certificaat Issuer +# Nuts X509 Certificate Issuer [![Maintainability](https://api.codeclimate.com/v1/badges/f92496250890e40900aa/maintainability)](https://codeclimate.com/github/nuts-foundation/uzi-did-x509-issuer/maintainability) [![Test Coverage](https://api.codeclimate.com/v1/badges/f92496250890e40900aa/test_coverage)](https://codeclimate.com/github/nuts-foundation/uzi-did-x509-issuer/test_coverage) @@ -7,23 +7,25 @@ > This repository contains experimental code and is not suitable for production usage! ## Description -The UZI Server Certificaat Issuer is a Go-based tool designed for issuing Verifiable Credentials signed by a UZI Server Certificaat. The issuer creates a did:x509 based on the PKI certificate chain. + +The X509 certificate Issuer is a Go-based tool designed for issuing Verifiable Credentials signed by a X509 certificate. The issuer creates a did:x509 based on the PKI certificate chain. +Its main purspose is to create verificable credentials form certificates issued by the [UZI certificate chain from the CIBG registry](https://www.zorgcsp.nl/ca-certificaten). ## Features -The UZI Server Certificaat Issuer generated a Verifiable Credential of type UziServerCertificateCredential with the following features: +The X509 certificate Issuer generated a Verifiable Credential of type X509Credential with the following features: - The DID method is a customized did:x509 DID pointing to the x5c header. - The x5c filled with the certificate chain. The chain is built from: - - The provided UZI server (Test) Certificate + - The provided UZI server (Test) certificate - All the required certificates from the [UZI register](https://www.zorgcsp.nl/certificate-revocation-lists-crl-s). - If the test mode is enabled, the [Test UZI register](https://acceptatie.zorgcsp.nl/ca-certificaten) -- Signed by the private key of the UZI Server Certificaat. +- Signed by the private key of the X509 certificate. - The VC issued to the provided DID and name. ## Note on security, trust, and secrecy -The VC that is signed by this application are cryptographic proofs, signed by the private key used in the UZI Server Certificate process. Note that: +The VC that is signed by this application are cryptographic proofs, signed by the private key used in the X509 certificate process. Note that: - This private key is supposed to be kept very secret. - The Subject DID of the signed credential is mandated with cryptographic proof to act on behalf of the owner of the private key on the NUTS network. @@ -56,10 +58,11 @@ Follow these steps to set up the project: ```sh go build -ldflags="-w -s " -o ./issuer ``` - or + or ```shell make build ``` + ## Usage 1. **Run the application:** @@ -105,9 +108,9 @@ The following command converts .cer files to PEM: openssl x509 -inform der -in certificate.cer -out certificate.pem ``` -## Validating a UziServerCertificateCredential +## Validating a X509Credential -The logic on Validating a UziServerCertificateCredential is described in the [VC_VALIDATION.md](VC_VALIDATION.md) file. +The logic on Validating a X509Credential is described in the [VC_VALIDATION.md](VC_VALIDATION.md) file. ## Contributing diff --git a/VC_VALIDATION.md b/VC_VALIDATION.md index b4ffdae..b033fbf 100644 --- a/VC_VALIDATION.md +++ b/VC_VALIDATION.md @@ -1,37 +1,40 @@ -# Validating a UziServerCertificateCredential +# Validating a X509Credential This specification explains how to validate a Verifiable Credential of this type. ## About the UZI Server Certificate -UZI Server Certificates contain the URA number in the `san:otherName` field encoded in a compound string: + +UZI Server Certificates contain the URA number in the `san:otherName` field encoded in a compound string: + ``` ------ ``` -After 8 nov 2023 the UZI Server Certificates also has the URA number in the `san:otherName.permanentIdentifier` field. + +After 8 nov 2023 the UZI Server Certificates also has the URA number in the `san:otherName.permanentIdentifier` field. ## Structure of the Verifiable Credential The Verifiable Credential has the following structure: -1. The credential has a type `UziServerCertificateCredential`. +1. The credential has a type `X509Credential`. 2. The `subject.id` points to the holder of the credential, typically a `did:nuts` or `did:web`. 3. The credential is issued by a `did:x509`, with changes defined in the section [Changes to the did:x509 Method Specification](#changes-to-the-didx509-method-specification), as part of this specification: - 1. The `x5c` header contains the UZI Server Certificate with the full certificate chain. - 2. The `x5t` header contains the sha1 hash of the UZI Server Certificate. - 3. The policy string of the `did:x509` contains either a `san:otherName.permanentIdentifier:` or - `san:otherName:` policy. - 4. If the `san:otherName:` is present, the URA number should be found as part of the `san:otherName` - field. - 5. If the `san:otherName.permanentIdentifier:` is present, the URA number should be found as part of the - `san:otherName.permanentIdentifier` field. + 1. The `x5c` header contains the UZI Server Certificate with the full certificate chain. + 2. The `x5t` header contains the sha1 hash of the UZI Server Certificate. + 3. The policy string of the `did:x509` contains either a `san:otherName.permanentIdentifier:` or + `san:otherName:` policy. + 4. If the `san:otherName:` is present, the URA number should be found as part of the `san:otherName` + field. + 5. If the `san:otherName.permanentIdentifier:` is present, the URA number should be found as part of the + `san:otherName.permanentIdentifier` field. -## Validating a UziServerCertificateCredential Verifiable Credential +## Validating a X509Credential Verifiable Credential -A UziServerCertificateCredential is valid when: +A X509Credential is valid when: -1. The credential MUST be of type `UziServerCertificateCredential`. +1. The credential MUST be of type `X509Credential`. 2. The `x5c` header MUST contain the UZI Server Certificate with the full certificate chain. 3. The `x5t` header MUST contain the sha1 hash of the UZI Server Certificate. 4. The signature of the Verifiable Credential MUST validate against the public key of the UZI Server Certificate. @@ -48,12 +51,14 @@ A UziServerCertificateCredential is valid when: ## Changes to the did:x509 Method Specification -The UziServerCertificateCredential makes use of an additional otherName san-type. This +The X509Credential makes use of an additional otherName san-type. This san-type is currently not part of the x509 standard. The suggested policy definition will look like this: + ``` policy-name = "san" policy-value = san-type ":" san-value san-type = "email" / "dns" / "uri" / "otherName" san-value = 1*idchar ``` -A request to support this will be + +A request to support this will be diff --git a/uzi_vc_issuer/ura_issuer.go b/uzi_vc_issuer/ura_issuer.go index ad02e61..80732bd 100644 --- a/uzi_vc_issuer/ura_issuer.go +++ b/uzi_vc_issuer/ura_issuer.go @@ -6,6 +6,7 @@ import ( "crypto/sha1" "crypto/x509" "encoding/base64" + "encoding/pem" "errors" "fmt" "os" @@ -24,6 +25,9 @@ import ( "github.com/nuts-foundation/uzi-did-x509-issuer/x509_cert" ) +// CredentialType holds the name of the X.509 credential type. +const CredentialType = "X509Credential" + // filename represents a valid file name. The file must exist. type fileName string @@ -414,7 +418,7 @@ func uraCredential(issuer string, expirationDate time.Time, otherNameValues []*x return &vc.VerifiableCredential{ Issuer: ssi.MustParseURI(issuer), Context: []ssi.URI{ssi.MustParseURI("https://www.w3.org/2018/credentials/v1")}, - Type: []ssi.URI{ssi.MustParseURI("VerifiableCredential"), ssi.MustParseURI("UziServerCertificateCredential")}, + Type: []ssi.URI{ssi.MustParseURI("VerifiableCredential"), ssi.MustParseURI(CredentialType)}, ID: &id, IssuanceDate: iat, ExpirationDate: &expirationDate, diff --git a/uzi_vc_issuer/ura_issuer_test.go b/uzi_vc_issuer/ura_issuer_test.go index 2aba303..3f94349 100644 --- a/uzi_vc_issuer/ura_issuer_test.go +++ b/uzi_vc_issuer/ura_issuer_test.go @@ -7,6 +7,7 @@ import ( "os" "testing" + ssi "github.com/nuts-foundation/go-did" "github.com/nuts-foundation/uzi-did-x509-issuer/x509_cert" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" @@ -184,8 +185,8 @@ func TestIssue(t *testing.T) { require.NotNil(t, vc, "verifiable credential is nil") assert.Equal(t, "https://www.w3.org/2018/credentials/v1", vc.Context[0].String()) - assert.Equal(t, "VerifiableCredential", vc.Type[0].String()) - assert.Equal(t, "UziServerCertificateCredential", vc.Type[1].String()) + assert.True(t, vc.IsType(ssi.MustParseURI("VerifiableCredential"))) + assert.True(t, vc.IsType(ssi.MustParseURI("X509Credential"))) assert.Equal(t, "did:x509:0:sha512:0OXDVLevEnf_sE-Ayopm0Yof_gmBwxwKZmzbDhKeAwj9vcsI_Q14TBArYsCftQTABLM-Vx9BB6zI05Me2aksaA::san:otherName:2.16.528.1.1007.99.2110-1-1111111-S-2222222-00.000-333333::subject:O:FauxCare", vc.Issuer.String()) expectedCredentialSubject := []interface{}([]interface{}{map[string]interface{}{