Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rename credentialType to X509Credential #35

Merged
merged 2 commits into from
Dec 13, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 12 additions & 9 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Nuts UZI Server Certificaat Issuer
# Nuts X509 Certificate Issuer

[![Maintainability](https://api.codeclimate.com/v1/badges/f92496250890e40900aa/maintainability)](https://codeclimate.com/github/nuts-foundation/uzi-did-x509-issuer/maintainability)
[![Test Coverage](https://api.codeclimate.com/v1/badges/f92496250890e40900aa/test_coverage)](https://codeclimate.com/github/nuts-foundation/uzi-did-x509-issuer/test_coverage)
Expand All @@ -7,23 +7,25 @@
> This repository contains experimental code and is not suitable for production usage!

## Description
The UZI Server Certificaat Issuer is a Go-based tool designed for issuing Verifiable Credentials signed by a UZI Server Certificaat. The issuer creates a did:x509 based on the PKI certificate chain.

The X509 certificate Issuer is a Go-based tool designed for issuing Verifiable Credentials signed by a X509 certificate. The issuer creates a did:x509 based on the PKI certificate chain.
Its main purspose is to create verificable credentials form certificates issued by the [UZI certificate chain from the CIBG registry](https://www.zorgcsp.nl/ca-certificaten).

## Features

The UZI Server Certificaat Issuer generated a Verifiable Credential of type UziServerCertificateCredential with the following features:
The X509 certificate Issuer generated a Verifiable Credential of type X509Credential with the following features:

- The DID method is a customized did:x509 DID pointing to the x5c header.
- The x5c filled with the certificate chain. The chain is built from:
- The provided UZI server (Test) Certificate
- The provided UZI server (Test) certificate
- All the required certificates from the [UZI register](https://www.zorgcsp.nl/certificate-revocation-lists-crl-s).
- If the test mode is enabled, the [Test UZI register](https://acceptatie.zorgcsp.nl/ca-certificaten)
- Signed by the private key of the UZI Server Certificaat.
- Signed by the private key of the X509 certificate.
- The VC issued to the provided DID and name.

## Note on security, trust, and secrecy

The VC that is signed by this application are cryptographic proofs, signed by the private key used in the UZI Server Certificate process. Note that:
The VC that is signed by this application are cryptographic proofs, signed by the private key used in the X509 certificate process. Note that:

- This private key is supposed to be kept very secret.
- The Subject DID of the signed credential is mandated with cryptographic proof to act on behalf of the owner of the private key on the NUTS network.
Expand Down Expand Up @@ -56,10 +58,11 @@ Follow these steps to set up the project:
```sh
go build -ldflags="-w -s " -o ./issuer
```
or
or
```shell
make build
```

## Usage

1. **Run the application:**
Expand Down Expand Up @@ -105,9 +108,9 @@ The following command converts .cer files to PEM:
openssl x509 -inform der -in certificate.cer -out certificate.pem
```

## Validating a UziServerCertificateCredential
## Validating a X509Credential

The logic on Validating a UziServerCertificateCredential is described in the [VC_VALIDATION.md](VC_VALIDATION.md) file.
The logic on Validating a X509Credential is described in the [VC_VALIDATION.md](VC_VALIDATION.md) file.

## Contributing

Expand Down
39 changes: 22 additions & 17 deletions VC_VALIDATION.md
Original file line number Diff line number Diff line change
@@ -1,37 +1,40 @@
# Validating a UziServerCertificateCredential
# Validating a X509Credential

This specification explains how to validate a Verifiable Credential of this type.

## About the UZI Server Certificate
UZI Server Certificates contain the URA number in the `san:otherName` field encoded in a compound string:

UZI Server Certificates contain the URA number in the `san:otherName` field encoded in a compound string:

```
<OID CA>-<versie-nr>-<UZI-nr>-<pastype>-<Abonnee-nr>-<rol>-<AGB-code>
```
After 8 nov 2023 the UZI Server Certificates also has the URA number in the `san:otherName.permanentIdentifier` field.

After 8 nov 2023 the UZI Server Certificates also has the URA number in the `san:otherName.permanentIdentifier` field.

## Structure of the Verifiable Credential

The Verifiable Credential has the following structure:

1. The credential has a type `UziServerCertificateCredential`.
1. The credential has a type `X509Credential`.
2. The `subject.id` points to the holder of the credential, typically a `did:nuts` or `did:web`.
3. The credential is issued by a `did:x509`, with changes defined in the
section [Changes to the did:x509 Method Specification](#changes-to-the-didx509-method-specification), as part of
this specification:
1. The `x5c` header contains the UZI Server Certificate with the full certificate chain.
2. The `x5t` header contains the sha1 hash of the UZI Server Certificate.
3. The policy string of the `did:x509` contains either a `san:otherName.permanentIdentifier:<ura-number>` or
`san:otherName:<ura-number>` policy.
4. If the `san:otherName:<ura-number>` is present, the URA number should be found as part of the `san:otherName`
field.
5. If the `san:otherName.permanentIdentifier:<ura-number>` is present, the URA number should be found as part of the
`san:otherName.permanentIdentifier` field.
1. The `x5c` header contains the UZI Server Certificate with the full certificate chain.
2. The `x5t` header contains the sha1 hash of the UZI Server Certificate.
3. The policy string of the `did:x509` contains either a `san:otherName.permanentIdentifier:<ura-number>` or
`san:otherName:<ura-number>` policy.
4. If the `san:otherName:<ura-number>` is present, the URA number should be found as part of the `san:otherName`
field.
5. If the `san:otherName.permanentIdentifier:<ura-number>` is present, the URA number should be found as part of the
`san:otherName.permanentIdentifier` field.

## Validating a UziServerCertificateCredential Verifiable Credential
## Validating a X509Credential Verifiable Credential

A UziServerCertificateCredential is valid when:
A X509Credential is valid when:

1. The credential MUST be of type `UziServerCertificateCredential`.
1. The credential MUST be of type `X509Credential`.
2. The `x5c` header MUST contain the UZI Server Certificate with the full certificate chain.
3. The `x5t` header MUST contain the sha1 hash of the UZI Server Certificate.
4. The signature of the Verifiable Credential MUST validate against the public key of the UZI Server Certificate.
Expand All @@ -48,12 +51,14 @@ A UziServerCertificateCredential is valid when:

## Changes to the did:x509 Method Specification

The UziServerCertificateCredential makes use of an additional otherName san-type. This
The X509Credential makes use of an additional otherName san-type. This
san-type is currently not part of the x509 standard. The suggested policy definition will look like this:

```
policy-name = "san"
policy-value = san-type ":" san-value
san-type = "email" / "dns" / "uri" / "otherName"
san-value = 1*idchar
```
A request to support this will be

A request to support this will be
6 changes: 5 additions & 1 deletion uzi_vc_issuer/ura_issuer.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ import (
"crypto/sha1"
"crypto/x509"
"encoding/base64"
"encoding/pem"
"errors"
"fmt"
"os"
Expand All @@ -24,6 +25,9 @@ import (
"github.com/nuts-foundation/uzi-did-x509-issuer/x509_cert"
)

// CredentialType holds the name of the X.509 credential type.
const CredentialType = "X509Credential"

// filename represents a valid file name. The file must exist.
type fileName string

Expand Down Expand Up @@ -414,7 +418,7 @@ func uraCredential(issuer string, expirationDate time.Time, otherNameValues []*x
return &vc.VerifiableCredential{
Issuer: ssi.MustParseURI(issuer),
Context: []ssi.URI{ssi.MustParseURI("https://www.w3.org/2018/credentials/v1")},
Type: []ssi.URI{ssi.MustParseURI("VerifiableCredential"), ssi.MustParseURI("UziServerCertificateCredential")},
Type: []ssi.URI{ssi.MustParseURI("VerifiableCredential"), ssi.MustParseURI(CredentialType)},
ID: &id,
IssuanceDate: iat,
ExpirationDate: &expirationDate,
Expand Down
5 changes: 3 additions & 2 deletions uzi_vc_issuer/ura_issuer_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ import (
"os"
"testing"

ssi "github.com/nuts-foundation/go-did"
"github.com/nuts-foundation/uzi-did-x509-issuer/x509_cert"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
Expand Down Expand Up @@ -184,8 +185,8 @@ func TestIssue(t *testing.T) {
require.NotNil(t, vc, "verifiable credential is nil")

assert.Equal(t, "https://www.w3.org/2018/credentials/v1", vc.Context[0].String())
assert.Equal(t, "VerifiableCredential", vc.Type[0].String())
assert.Equal(t, "UziServerCertificateCredential", vc.Type[1].String())
assert.True(t, vc.IsType(ssi.MustParseURI("VerifiableCredential")))
assert.True(t, vc.IsType(ssi.MustParseURI("X509Credential")))
assert.Equal(t, "did:x509:0:sha512:0OXDVLevEnf_sE-Ayopm0Yof_gmBwxwKZmzbDhKeAwj9vcsI_Q14TBArYsCftQTABLM-Vx9BB6zI05Me2aksaA::san:otherName:2.16.528.1.1007.99.2110-1-1111111-S-2222222-00.000-333333::subject:O:FauxCare", vc.Issuer.String())

expectedCredentialSubject := []interface{}([]interface{}{map[string]interface{}{
Expand Down
Loading