Rename credentialType to X509Credential (#35)

* Rename credentialType to X509Credential * Update README Less UZI specific
nuts-foundation · Dec 13, 2024 · a1a5eb1 · a1a5eb1
1 parent 9ad9b8c
commit a1a5eb1
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 29 deletions.
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-# Nuts UZI Server Certificaat Issuer
+# Nuts X509 Certificate Issuer
 
 [![Maintainability](https://api.codeclimate.com/v1/badges/f92496250890e40900aa/maintainability)](https://codeclimate.com/github/nuts-foundation/uzi-did-x509-issuer/maintainability)
 [![Test Coverage](https://api.codeclimate.com/v1/badges/f92496250890e40900aa/test_coverage)](https://codeclimate.com/github/nuts-foundation/uzi-did-x509-issuer/test_coverage)
@@ -7,23 +7,25 @@
 > This repository contains experimental code and is not suitable for production usage!
 
 ## Description
-The UZI Server Certificaat Issuer is a Go-based tool designed for issuing Verifiable Credentials signed by a UZI Server Certificaat. The issuer creates a did:x509 based on the PKI certificate chain.
+
+The X509 certificate Issuer is a Go-based tool designed for issuing Verifiable Credentials signed by a X509 certificate. The issuer creates a did:x509 based on the PKI certificate chain.
+Its main purspose is to create verificable credentials form certificates issued by the [UZI certificate chain from the CIBG registry](https://www.zorgcsp.nl/ca-certificaten).
 
 ## Features
 
-The UZI Server Certificaat Issuer generated a Verifiable Credential of type UziServerCertificateCredential with the following features:
+The X509 certificate Issuer generated a Verifiable Credential of type X509Credential with the following features:
 
 - The DID method is a customized did:x509 DID pointing to the x5c header.
 - The x5c filled with the certificate chain. The chain is built from:
-  - The provided UZI server (Test) Certificate
+  - The provided UZI server (Test) certificate
   - All the required certificates from the [UZI register](https://www.zorgcsp.nl/certificate-revocation-lists-crl-s).
   - If the test mode is enabled, the [Test UZI register](https://acceptatie.zorgcsp.nl/ca-certificaten)
-- Signed by the private key of the UZI Server Certificaat.
+- Signed by the private key of the X509 certificate.
 - The VC issued to the provided DID and name.
 
 ## Note on security, trust, and secrecy
 
-The VC that is signed by this application are cryptographic proofs, signed by the private key used in the UZI Server Certificate process. Note that:
+The VC that is signed by this application are cryptographic proofs, signed by the private key used in the X509 certificate process. Note that:
 
 - This private key is supposed to be kept very secret.
 - The Subject DID of the signed credential is mandated with cryptographic proof to act on behalf of the owner of the private key on the NUTS network.
@@ -56,10 +58,11 @@ Follow these steps to set up the project:
    ```sh
    go build -ldflags="-w -s " -o ./issuer
    ```
-    or
+   or
    ```shell
    make build
    ```
+
 ## Usage
 
 1. **Run the application:**
@@ -105,9 +108,9 @@ The following command converts .cer files to PEM:
  openssl x509 -inform der -in certificate.cer -out certificate.pem
 ```
 
-## Validating a UziServerCertificateCredential
+## Validating a X509Credential
 
-The logic on Validating a UziServerCertificateCredential is described in the [VC_VALIDATION.md](VC_VALIDATION.md) file.
+The logic on Validating a X509Credential is described in the [VC_VALIDATION.md](VC_VALIDATION.md) file.
 
 ## Contributing
 

diff --git a/VC_VALIDATION.md b/VC_VALIDATION.md
@@ -1,37 +1,40 @@
-# Validating a UziServerCertificateCredential
+# Validating a X509Credential
 
 This specification explains how to validate a Verifiable Credential of this type.
 
 ## About the UZI Server Certificate
-UZI Server Certificates contain the URA number in the `san:otherName` field encoded in a compound string: 
+
+UZI Server Certificates contain the URA number in the `san:otherName` field encoded in a compound string:
+
 ```
 <OID CA>-<versie-nr>-<UZI-nr>-<pastype>-<Abonnee-nr>-<rol>-<AGB-code>
 ```
-After 8 nov 2023 the UZI Server Certificates  also has the URA number in the `san:otherName.permanentIdentifier` field. 
+
+After 8 nov 2023 the UZI Server Certificates also has the URA number in the `san:otherName.permanentIdentifier` field.
 
 ## Structure of the Verifiable Credential
 
 The Verifiable Credential has the following structure:
 
-1. The credential has a type `UziServerCertificateCredential`.
+1. The credential has a type `X509Credential`.
 2. The `subject.id` points to the holder of the credential, typically a `did:nuts` or `did:web`.
 3. The credential is issued by a `did:x509`, with changes defined in the
    section [Changes to the did:x509 Method Specification](#changes-to-the-didx509-method-specification), as part of
    this specification:
-    1. The `x5c` header contains the UZI Server Certificate with the full certificate chain.
-    2. The `x5t` header contains the sha1 hash of the UZI Server Certificate.
-    3. The policy string of the `did:x509` contains either a `san:otherName.permanentIdentifier:<ura-number>` or
-       `san:otherName:<ura-number>` policy.
-    4. If the `san:otherName:<ura-number>` is present, the URA number should be found as part of the `san:otherName`
-       field.
-    5. If the `san:otherName.permanentIdentifier:<ura-number>` is present, the URA number should be found as part of the
-       `san:otherName.permanentIdentifier` field.
+   1. The `x5c` header contains the UZI Server Certificate with the full certificate chain.
+   2. The `x5t` header contains the sha1 hash of the UZI Server Certificate.
+   3. The policy string of the `did:x509` contains either a `san:otherName.permanentIdentifier:<ura-number>` or
+      `san:otherName:<ura-number>` policy.
+   4. If the `san:otherName:<ura-number>` is present, the URA number should be found as part of the `san:otherName`
+      field.
+   5. If the `san:otherName.permanentIdentifier:<ura-number>` is present, the URA number should be found as part of the
+      `san:otherName.permanentIdentifier` field.
 
-## Validating a UziServerCertificateCredential Verifiable Credential
+## Validating a X509Credential Verifiable Credential
 
-A UziServerCertificateCredential is valid when:
+A X509Credential is valid when:
 
-1. The credential MUST be of type `UziServerCertificateCredential`.
+1. The credential MUST be of type `X509Credential`.
 2. The `x5c` header MUST contain the UZI Server Certificate with the full certificate chain.
 3. The `x5t` header MUST contain the sha1 hash of the UZI Server Certificate.
 4. The signature of the Verifiable Credential MUST validate against the public key of the UZI Server Certificate.
@@ -48,12 +51,14 @@ A UziServerCertificateCredential is valid when:
 
 ## Changes to the did:x509 Method Specification
 
-The UziServerCertificateCredential makes use of an additional otherName san-type. This 
+The X509Credential makes use of an additional otherName san-type. This
 san-type is currently not part of the x509 standard. The suggested policy definition will look like this:
+
 ```
 policy-name     = "san"
 policy-value    = san-type ":" san-value
 san-type        = "email" / "dns" / "uri" / "otherName"
 san-value       = 1*idchar
 ```
-A request to support this will be 
+
+A request to support this will be
diff --git a/uzi_vc_issuer/ura_issuer.go b/uzi_vc_issuer/ura_issuer.go
@@ -25,6 +25,9 @@ import (
 	"github.com/nuts-foundation/uzi-did-x509-issuer/x509_cert"
 )
 
+// CredentialType holds the name of the X.509 credential type.
+const CredentialType = "X509Credential"
+
 // filename represents a valid file name. The file must exist.
 type fileName string
 
@@ -419,7 +422,7 @@ func uraCredential(issuer string, expirationDate time.Time, otherNameValues []*x
 	return &vc.VerifiableCredential{
 		Issuer:            ssi.MustParseURI(issuer),
 		Context:           []ssi.URI{ssi.MustParseURI("https://www.w3.org/2018/credentials/v1")},
-		Type:              []ssi.URI{ssi.MustParseURI("VerifiableCredential"), ssi.MustParseURI("UziServerCertificateCredential")},
+		Type:              []ssi.URI{ssi.MustParseURI("VerifiableCredential"), ssi.MustParseURI(CredentialType)},
 		ID:                &id,
 		IssuanceDate:      iat,
 		ExpirationDate:    &expirationDate,

diff --git a/uzi_vc_issuer/ura_issuer_test.go b/uzi_vc_issuer/ura_issuer_test.go
@@ -7,6 +7,7 @@ import (
 	"os"
 	"testing"
 
+	ssi "github.com/nuts-foundation/go-did"
 	"github.com/nuts-foundation/uzi-did-x509-issuer/x509_cert"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -184,8 +185,8 @@ func TestIssue(t *testing.T) {
 		require.NotNil(t, vc, "verifiable credential is nil")
 
 		assert.Equal(t, "https://www.w3.org/2018/credentials/v1", vc.Context[0].String())
-		assert.Equal(t, "VerifiableCredential", vc.Type[0].String())
-		assert.Equal(t, "UziServerCertificateCredential", vc.Type[1].String())
+		assert.True(t, vc.IsType(ssi.MustParseURI("VerifiableCredential")))
+		assert.True(t, vc.IsType(ssi.MustParseURI("X509Credential")))
 		assert.Equal(t, "did:x509:0:sha512:0OXDVLevEnf_sE-Ayopm0Yof_gmBwxwKZmzbDhKeAwj9vcsI_Q14TBArYsCftQTABLM-Vx9BB6zI05Me2aksaA::san:otherName:2.16.528.1.1007.99.2110-1-1111111-S-2222222-00.000-333333::subject:O:FauxCare", vc.Issuer.String())
 
 		expectedCredentialSubject := []interface{}([]interface{}{map[string]interface{}{