eidas

package module
v0.0.0-...-cd93de1
Published: Nov 14, 2024 License: MIT Imports: 11 Imported by: 0

README


eIDAS

Tools for reading and creating eIDAS certificate signing requests

Generating a Certificate Signing Request (CSR)

With go (requires go 1.22 or higher):

go get github.com/apple/eidas/cmd/cli
go run github.com/apple/eidas/cmd/cli \
  -country-code GB \
  -organization-name "Your Organization Limited" \
  -organization-id PSDGB-FCA-123456 \
  -common-name 0123456789abcdef

Open Banking Flags
  • -common-name should be the same as the organisation_id field from your entry in the Open Banking Directory.
  • -organization-id should be in the form of PSD<Regulator Country Code>-<Regulator>-<Unique ID>
  • -organization-name should be your official company name.
  • -country-code should be an ISO 3166-1 alpha-2 country code.
Other flags

You can see the available flags with

go run github.com/apple/eidas/cmd/cli -help

By default this will generate two files: out.csr and out.key containing the CSR and the private key, respectively.

It will also print the SHA256 sum of the CSR to stdout.

To print out the details of the CSR for debugging, run:

openssl req -in out.csr -text -noout -nameopt multiline

Notes on CSR format

For both QWAC and QSEAL types the following attributes are required in the CSR:

Subject
  • Must contain country code, organisation name and common name.
  • Must also contain the organisation ID. Organisation ID (ITU-T X.520 10/2012 Section 6.4.4) isn't supported by most tools by default (including OpenSSL and go) but this can be added to the subject as a custom name with the ASN.1 OID of 2.5.4.97. Should be something like PSDGB-FCA-123456.
  • It's not specified in the standards (AFAICT) but these should be in a defined order:
    1. Country Code (C=)
    2. Organization Name (O=)
    3. Organization ID (2.5.4.97=)
    4. Common Name (CN=)
Key Parameters
  • Key should be 2048-bit RSA.
  • Signature algorithm should be SHA256WithRSA.
Extensions
Key Usage
  • X509v3 Key Usage extension should be marked as critical.
  • QWAC: Digital Signature
  • QSEAL: Digital Signature, Non Repudiation
Extended Key Usage
  • QWAC: TLS Web Server Authentication, TLS Web Client Authentication
  • QSEAL: none (see the note below)

Note: For QSEAL, a CSR is expected to not have an extended key usage section at all, rather than an empty one.

Subject Key Identifier
  • Should be the 160-bit SHA1 sum of the PKCS1 public key.
qcStatements

This is an extension used by eIDAS as documented here ETSI TS 119 495 Annex A. The required parameters included in this are the Competent Authority's name and ID, e.g. "Financial Conduct Authority" and "GB-FCA", and the roles the TPP requires, e.g. "PSP_AI" (Account Information).
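As an added example (not code from the eidas package or its README), the following Go program encodes the rules above using only the standard library and then reads the CSR back to check them: the subject RDNs are built by hand so that 2.5.4.97 sits between O and CN (pkix.Name would always place an ExtraNames attribute after CN), Key Usage is marked critical with Non Repudiation set only for QSEAL, the Extended Key Usage extension is omitted entirely for QSEAL, and the Subject Key Identifier is the SHA1 of the PKCS1 public key. The qcStatements extension uses the 1.3.6.1.5.5.7.1.3 id this package exports as QCStatementsExt; the inner PSD2 statement layout and its OIDs (0.4.0.19495.2 for the statement and 0.4.0.19495.1.3 for the PSP_AI role) are my reading of ETSI TS 119 495 and are an assumption to verify against the spec before use. buildCSR and checkCSR are names chosen for this example; the sample subject values are the ones from the README.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// Subject attribute order from the README: C, O, organizationIdentifier (2.5.4.97), CN.
var subjectOrder = []asn1.ObjectIdentifier{{2, 5, 4, 6}, {2, 5, 4, 10}, {2, 5, 4, 97}, {2, 5, 4, 3}}
var (
	oidSubjectKeyID = asn1.ObjectIdentifier{2, 5, 29, 14}
	oidKeyUsage     = asn1.ObjectIdentifier{2, 5, 29, 15}
	oidExtKeyUsage  = asn1.ObjectIdentifier{2, 5, 29, 37}
	oidQCStatements = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3} // same value as the package's QCStatementsExt
	oidEKUs         = []asn1.ObjectIdentifier{{1, 3, 6, 1, 5, 5, 7, 3, 1}, {1, 3, 6, 1, 5, 5, 7, 3, 2}} // serverAuth, clientAuth
	// Assumption: PSD2 statement and PSP_AI role OIDs as the author reads ETSI TS 119 495; verify against the spec.
	oidPSD2Statement = asn1.ObjectIdentifier{0, 4, 0, 19495, 2}
	oidRolePSPAI     = asn1.ObjectIdentifier{0, 4, 0, 19495, 1, 3}
)

// PSD2 qcStatement layout (assumption from ETSI TS 119 495 Annex A): roles, then NCA name and NCA ID.
type pspRole struct {
	OID  asn1.ObjectIdentifier
	Name string `asn1:"utf8"`
}
type psd2Info struct {
	Roles          []pspRole
	NCAName, NCAID string `asn1:"utf8"`
}
type qcStatement struct {
	ID   asn1.ObjectIdentifier
	Info psd2Info
}

// buildCSR returns a DER CSR in the README's profile; qseal selects QSEAL (nonRepudiation set, no EKU extension
// at all), otherwise QWAC. The subject is encoded by hand because pkix.Name cannot put 2.5.4.97 before CN.
func buildCSR(key *rsa.PrivateKey, country, org, orgID, cn, ncaName, ncaID string, qseal bool) ([]byte, error) {
	var seq pkix.RDNSequence
	for i, v := range []string{country, org, orgID, cn} {
		seq = append(seq, pkix.RelativeDistinguishedNameSET{{Type: subjectOrder[i], Value: v}})
	}
	ku := asn1.BitString{Bytes: []byte{0x80}, BitLength: 2} // KeyUsage bit 0 (MSB) = digitalSignature
	if qseal {
		ku.Bytes[0] |= 0x40 // bit 1 = nonRepudiation
	}
	sum := sha1.Sum(x509.MarshalPKCS1PublicKey(&key.PublicKey)) // SKI = SHA1 of the PKCS1 public key
	subject, _ := asn1.Marshal(seq)                             // these Marshal calls encode fixed-shape values, so errors are dropped
	kuDER, _ := asn1.Marshal(ku)
	ski, _ := asn1.Marshal(sum[:])
	qc, _ := asn1.Marshal([]qcStatement{{oidPSD2Statement, psd2Info{[]pspRole{{oidRolePSPAI, "PSP_AI"}}, ncaName, ncaID}}})
	exts := []pkix.Extension{{Id: oidKeyUsage, Critical: true, Value: kuDER}, // critical, as the README requires
		{Id: oidSubjectKeyID, Value: ski}, {Id: oidQCStatements, Value: qc}}
	if !qseal {
		eku, _ := asn1.Marshal(oidEKUs)
		exts = append(exts, pkix.Extension{Id: oidExtKeyUsage, Value: eku})
	}
	tmpl := &x509.CertificateRequest{RawSubject: subject, SignatureAlgorithm: x509.SHA256WithRSA, ExtraExtensions: exts}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// checkCSR parses a DER CSR and reports the first deviation from the README's rules for the given profile.
func checkCSR(der []byte, qseal bool) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return err
	}
	if pub, ok := csr.PublicKey.(*rsa.PublicKey); csr.CheckSignature() != nil || !ok || pub.N.BitLen() != 2048 || csr.SignatureAlgorithm != x509.SHA256WithRSA {
		return fmt.Errorf("signature must verify and use SHA256WithRSA over a 2048-bit RSA key")
	}
	var seq pkix.RDNSequence
	if _, err := asn1.Unmarshal(csr.RawSubject, &seq); err != nil || len(seq) != len(subjectOrder) {
		return fmt.Errorf("subject must have exactly %d RDNs (%v)", len(subjectOrder), err)
	}
	for i, rdn := range seq {
		if len(rdn) != 1 || !rdn[0].Type.Equal(subjectOrder[i]) {
			return fmt.Errorf("subject RDN %d should be %v", i, subjectOrder[i])
		}
	}
	seen := map[string]bool{}
	for _, e := range csr.Extensions {
		seen[e.Id.String()] = true
		if e.Id.Equal(oidKeyUsage) {
			var ku asn1.BitString
			if _, err := asn1.Unmarshal(e.Value, &ku); err != nil || !e.Critical || ku.At(0) != 1 || (ku.At(1) == 1) != qseal {
				return fmt.Errorf("key usage must be critical with digitalSignature, and nonRepudiation only for QSEAL")
			}
		}
	}
	if !seen[oidKeyUsage.String()] || !seen[oidSubjectKeyID.String()] || !seen[oidQCStatements.String()] || seen[oidExtKeyUsage.String()] == qseal {
		return fmt.Errorf("key usage, SKI and qcStatements are required; EKU only for QWAC, never for QSEAL")
	}
	return nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	der, err := buildCSR(key, "GB", "Your Organization Limited", "PSDGB-FCA-123456", "0123456789abcdef", "Financial Conduct Authority", "GB-FCA", true)
	fmt.Println(err, checkCSR(der, true)) // expect: <nil> <nil>
}
```

To run checkCSR over a CSR produced by the CLI, decode out.csr with encoding/pem and pass the DER bytes; the openssl command from the README prints the same subject order and extensions for a by-eye comparison. The check deliberately fails a QWAC CSR evaluated against the QSEAL profile and vice versa, so the profile has to be chosen explicitly rather than inferred from the file.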

Documentation

Overview

Package eidas provides tools for generating eIDAS OBWAC & OBSEAL certificate signing requests.

Index

Constants

This section is empty.

Variables

var QCStatementsExt = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3}

QCStatementsExt represents the qcstatements x509 extension id.

Functions

func GenerateCSR

func GenerateCSR(
	countryCode string, orgName string, orgID string, commonName string, roles []qcstatements.Role, qcType asn1.ObjectIdentifier, opts ...CertificateOption) ([]byte, *rsa.PrivateKey, error)

GenerateCSR generates an RSA key and builds a certificate signing request for an organization. qcType should be one of qcstatements.QSEALType or qcstatements.QWACType.

func GenerateCSRWithKey

func GenerateCSRWithKey(
	countryCode string, orgName string, orgID string, commonName string, roles []qcstatements.Role, qcType asn1.ObjectIdentifier, priv crypto.Signer, opts ...CertificateOption) ([]byte, error)

GenerateCSRWithKey builds a certificate signing request for an organization based on an existing private key. qcType should be one of qcstatements.QSEALType or qcstatements.QWACType.

Types

type CertificateOption

type CertificateOption func(*x509.CertificateRequest)

func WithDNSName

func WithDNSName(domain string) CertificateOption

WithDNSName adds the given domain as a Subject Alternate Name to the CSR.

Directories

Path          Synopsis
cmd
cmd/cli
qcstatements  Package qcstatements contains functions for building and extracting qualified statements for PSD2 qualified certificates.
