Rename credentialType to X509Credential
stevenvegt committed Dec 13, 2024
1 parent 1843487 commit 09dc524
Showing 4 changed files with 36 additions and 24 deletions.
10 changes: 6 additions & 4 deletions README.md
Expand Up @@ -7,11 +7,12 @@
> This repository contains experimental code and is not suitable for production usage!
## Description

The UZI Server Certificaat Issuer is a Go-based tool designed for issuing Verifiable Credentials signed by a UZI Server Certificaat. The issuer creates a did:x509 based on the PKI certificate chain.

## Features

The UZI Server Certificaat Issuer generated a Verifiable Credential of type UziServerCertificateCredential with the following features:
The UZI Server Certificaat Issuer generated a Verifiable Credential of type X509Credential with the following features:

- The DID method is a customized did:x509 DID pointing to the x5c header.
- The x5c filled with the certificate chain. The chain is built from:
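Review bot: the reworded Features line still says the issuer "generated a Verifiable Credential"; since the sentence describes what the tool does, it should read "generates". The context line "The x5c filled with the certificate chain" would also read better as "The x5c is filled with the certificate chain".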
Expand Down Expand Up @@ -56,10 +57,11 @@ Follow these steps to set up the project:
```sh
go build -ldflags="-w -s " -o ./issuer
```
or
or
```shell
make build
```

## Usage

1. **Run the application:**
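Review bot: the only change in this hunk is whitespace on the "or" line, but the two adjacent fences use different language tags (```sh and ```shell); pick one tag for both blocks so the rendered highlighting is consistent.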
Expand Down Expand Up @@ -105,9 +107,9 @@ The following command converts .cer files to PEM:
openssl x509 -inform der -in certificate.cer -out certificate.pem
```

## Validating a UziServerCertificateCredential
## Validating a X509Credential

The logic on Validating a UziServerCertificateCredential is described in the [VC_VALIDATION.md](VC_VALIDATION.md) file.
The logic on Validating a X509Credential is described in the [VC_VALIDATION.md](VC_VALIDATION.md) file.

## Contributing

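Review bot: "a X509Credential" should be "an X509Credential" in both the heading and the sentence, since the name is read as "ex-five-oh-nine". "The logic on Validating a X509Credential" would also read better as "The logic for validating an X509Credential".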
39 changes: 22 additions & 17 deletions VC_VALIDATION.md
@@ -1,37 +1,40 @@
# Validating a UziServerCertificateCredential
# Validating a X509Credential

This specification explains how to validate a Verifiable Credential of this type.

## About the UZI Server Certificate
UZI Server Certificates contain the URA number in the `san:otherName` field encoded in a compound string:

UZI Server Certificates contain the URA number in the `san:otherName` field encoded in a compound string:

```
<OID CA>-<versie-nr>-<UZI-nr>-<pastype>-<Abonnee-nr>-<rol>-<AGB-code>
```
After 8 nov 2023 the UZI Server Certificates also has the URA number in the `san:otherName.permanentIdentifier` field.

After 8 nov 2023 the UZI Server Certificates also has the URA number in the `san:otherName.permanentIdentifier` field.

## Structure of the Verifiable Credential

The Verifiable Credential has the following structure:

1. The credential has a type `UziServerCertificateCredential`.
1. The credential has a type `X509Credential`.
2. The `subject.id` points to the holder of the credential, typically a `did:nuts` or `did:web`.
3. The credential is issued by a `did:x509`, with changes defined in the
section [Changes to the did:x509 Method Specification](#changes-to-the-didx509-method-specification), as part of
this specification:
1. The `x5c` header contains the UZI Server Certificate with the full certificate chain.
2. The `x5t` header contains the sha1 hash of the UZI Server Certificate.
3. The policy string of the `did:x509` contains either a `san:otherName.permanentIdentifier:<ura-number>` or
`san:otherName:<ura-number>` policy.
4. If the `san:otherName:<ura-number>` is present, the URA number should be found as part of the `san:otherName`
field.
5. If the `san:otherName.permanentIdentifier:<ura-number>` is present, the URA number should be found as part of the
`san:otherName.permanentIdentifier` field.
1. The `x5c` header contains the UZI Server Certificate with the full certificate chain.
2. The `x5t` header contains the sha1 hash of the UZI Server Certificate.
3. The policy string of the `did:x509` contains either a `san:otherName.permanentIdentifier:<ura-number>` or
`san:otherName:<ura-number>` policy.
4. If the `san:otherName:<ura-number>` is present, the URA number should be found as part of the `san:otherName`
field.
5. If the `san:otherName.permanentIdentifier:<ura-number>` is present, the URA number should be found as part of the
`san:otherName.permanentIdentifier` field.

## Validating a UziServerCertificateCredential Verifiable Credential
## Validating a X509Credential Verifiable Credential

A UziServerCertificateCredential is valid when:
A X509Credential is valid when:

1. The credential MUST be of type `UziServerCertificateCredential`.
1. The credential MUST be of type `X509Credential`.
2. The `x5c` header MUST contain the UZI Server Certificate with the full certificate chain.
3. The `x5t` header MUST contain the sha1 hash of the UZI Server Certificate.
4. The signature of the Verifiable Credential MUST validate against the public key of the UZI Server Certificate.
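Review bot: the re-indented sub-items 4 and 5 under "Structure of the Verifiable Credential" say the URA number "should be found" in the `san:otherName` or `san:otherName.permanentIdentifier` field, while the validation section below uses RFC 2119 "MUST"; if matching the URA number against the certificate is a validation requirement, say MUST here too (or move the check into the validation list) so a verifier cannot skip it. Smaller points in the same hunk: "a X509Credential" should be "an X509Credential" (heading and first sentence), "the UZI Server Certificates also has" should be "have", and "8 nov 2023" should be written out as "8 November 2023".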
Expand All @@ -48,12 +51,14 @@ A UziServerCertificateCredential is valid when:

## Changes to the did:x509 Method Specification

The UziServerCertificateCredential makes use of an additional otherName san-type. This
The X509Credential makes use of an additional otherName san-type. This
san-type is currently not part of the x509 standard. The suggested policy definition will look like this:

```
policy-name = "san"
policy-value = san-type ":" san-value
san-type = "email" / "dns" / "uri" / "otherName"
san-value = 1*idchar
```
A request to support this will be

A request to support this will be
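Review bot: the final sentence "A request to support this will be" is still cut off at the end of the hunk; either finish it (where the request is filed) or drop it. The statement that the otherName san-type "is currently not part of the x509 standard" also sits under a heading about changes to the did:x509 method specification; saying that it is not part of the did:x509 `san` policy grammar would be more precise.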
6 changes: 5 additions & 1 deletion uzi_vc_issuer/ura_issuer.go
Expand Up @@ -6,6 +6,7 @@ import (
"crypto/sha1"
"crypto/x509"
"encoding/base64"
"encoding/pem"
"errors"
"fmt"
"os"
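Review bot: the new `"encoding/pem"` import is unrelated to the rename described in the commit message, and its use is not visible in this diff; mention in the commit message what PEM handling was added, or split it into its own commit.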
Expand All @@ -24,6 +25,9 @@ import (
"github.com/nuts-foundation/uzi-did-x509-issuer/x509_cert"
)

// CredentialType holds the name of the X.509 credential type.
const CredentialType = "X509Credential"

// filename represents a valid file name. The file must exist.
type fileName string

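Review bot: `CredentialType` is exported, so the test in ura_issuer_test.go should reference it instead of repeating the literal "X509Credential"; also consider a name such as `X509CredentialType` so a second credential type can be added later without a clash. The comment says "X.509 credential type" while the documentation spells it "X509Credential"; keep one spelling.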
Expand Down Expand Up @@ -414,7 +418,7 @@ func uraCredential(issuer string, expirationDate time.Time, otherNameValues []*x
return &vc.VerifiableCredential{
Issuer: ssi.MustParseURI(issuer),
Context: []ssi.URI{ssi.MustParseURI("https://www.w3.org/2018/credentials/v1")},
Type: []ssi.URI{ssi.MustParseURI("VerifiableCredential"), ssi.MustParseURI("UziServerCertificateCredential")},
Type: []ssi.URI{ssi.MustParseURI("VerifiableCredential"), ssi.MustParseURI(CredentialType)},
ID: &id,
IssuanceDate: iat,
ExpirationDate: &expirationDate,
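Review bot: "VerifiableCredential" stays a string literal in the `Type` slice while the second entry now uses a constant; if go-did exposes a constant for the base type, use it here for the same reason the rename introduced `CredentialType`.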
5 changes: 3 additions & 2 deletions uzi_vc_issuer/ura_issuer_test.go
Expand Up @@ -7,6 +7,7 @@ import (
"os"
"testing"

ssi "github.com/nuts-foundation/go-did"
"github.com/nuts-foundation/uzi-did-x509-issuer/x509_cert"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
Expand Down Expand Up @@ -184,8 +185,8 @@ func TestIssue(t *testing.T) {
require.NotNil(t, vc, "verifiable credential is nil")

assert.Equal(t, "https://www.w3.org/2018/credentials/v1", vc.Context[0].String())
assert.Equal(t, "VerifiableCredential", vc.Type[0].String())
assert.Equal(t, "UziServerCertificateCredential", vc.Type[1].String())
assert.True(t, vc.IsType(ssi.MustParseURI("VerifiableCredential")))
assert.True(t, vc.IsType(ssi.MustParseURI("X509Credential")))
assert.Equal(t, "did:x509:0:sha512:0OXDVLevEnf_sE-Ayopm0Yof_gmBwxwKZmzbDhKeAwj9vcsI_Q14TBArYsCftQTABLM-Vx9BB6zI05Me2aksaA::san:otherName:2.16.528.1.1007.99.2110-1-1111111-S-2222222-00.000-333333::subject:O:FauxCare", vc.Issuer.String())

expectedCredentialSubject := []interface{}([]interface{}{map[string]interface{}{
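Review bot: replacing the positional `vc.Type[0]`/`vc.Type[1]` assertions with `IsType` drops the check that exactly these two types are present; add `assert.Len(t, vc.Type, 2)` to keep that coverage. Use the exported `CredentialType` constant instead of the literal "X509Credential" so the test follows the constant if it changes again.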
