Documentation
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type JwtX509Token
type JwtX509Token struct {
// contains filtered or unexported fields
}
JwtX509Token contains a parsed JWT signed with an X.509 certificate.
func (JwtX509Token) SubjectAltNameOtherNames
func (j JwtX509Token) SubjectAltNameOtherNames() ([]string, error)
SubjectAltNameOtherNames extracts the SANs as strings from the certificate that was used to sign the JWT.
type JwtX509Validator
type JwtX509Validator struct {
// contains filtered or unexported fields
}
JwtX509Validator contains all logic to parse and verify a JwtX509Token.
func NewJwtX509Validator
func NewJwtX509Validator(roots, intermediates []*x509.Certificate, allowedSigAlgs []jwa.SignatureAlgorithm, crlValidator crl.Validator) *JwtX509Validator
NewJwtX509Validator creates a new JwtX509Validator. It accepts root and intermediate certificates to validate the chain, a list of valid signature algorithms, and a CRL database.
func (JwtX509Validator) Parse
func (validator JwtX509Validator) Parse(rawAuthToken string) (*JwtX509Token, error)
Parse attempts to parse a string as a JWS. It checks that the x5c header contains at least one certificate. The signature should be signed with the private key of the leaf certificate. No other validations are performed; call Verify to verify the auth token.
func (JwtX509Validator) Verify
func (validator JwtX509Validator) Verify(x509Token *JwtX509Token) error
Verify verifies a JwtX509Token. It checks the signature algorithm; it verifies that the certificate used to sign the token has a valid chain; it checks the signature of the JWT against the leaf certificate provided in the x5c header; and it performs additional JWT checks on optional fields like exp, nbf and iat. Note: it does not verify the extended key usage! This should be performed by hand.
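As an added example (not the package's own code), the extended-key-usage check that Verify leaves to the caller, done by re-reading the x5c header of the compact JWS: the function and helper names, the required usage value and the constructed test certificate are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// checkLeafEKU re-reads the "x5c" header of a compact JWS and requires its first entry (the
// leaf) to list the given extended key usage explicitly: the check Verify leaves to the caller.
func checkLeafEKU(jws string, eku x509.ExtKeyUsage) error {
	seg := strings.NewReader(strings.SplitN(jws, ".", 2)[0]) // JOSE header: base64url JSON
	var hdr struct{ X5C []string `json:"x5c"` }
	if err := json.NewDecoder(base64.NewDecoder(base64.RawURLEncoding, seg)).Decode(&hdr); err != nil {
		return err
	}
	if len(hdr.X5C) == 0 {
		return errors.New("x5c header contains no certificates")
	}
	der, err := base64.StdEncoding.DecodeString(hdr.X5C[0]) // x5c entries: standard base64 DER
	if err != nil {
		return err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	for _, u := range leaf.ExtKeyUsage { // a leaf without any EKU extension is rejected too
		if u == eku {
			return nil
		}
	}
	return errors.New("leaf certificate lacks the required extended key usage")
}

// constructedJWS builds an unsigned JWS carrying a self-signed test certificate with the given EKUs (constructed input, not a UZI certificate).
func constructedJWS(eku ...x509.ExtKeyUsage) string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: eku}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	hdr, _ := json.Marshal(map[string]interface{}{"alg": "ES256", "x5c": []string{base64.StdEncoding.EncodeToString(der)}})
	return base64.RawURLEncoding.EncodeToString(hdr) + ".e30." // "e30" = base64url("{}"); signature omitted
}
```

Run this after a successful Verify, so that a token signed by a chain-valid certificate issued for an unrelated purpose is still rejected.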
type UziEnv
type UziEnv string
UziEnv is used to indicate which Uzi environment (e.g. production, acceptation) should be used.
const UziAcceptation UziEnv = "acceptation"
UziAcceptation uses the acceptation certificate tree: https://acceptatie.zorgcsp.nl/ca-certificaten
const UziProduction UziEnv = "production"
UziProduction uses the production certificate tree: https://www.zorgcsp.nl/ca-certificaten
type UziSignedToken
type UziSignedToken struct {
// contains filtered or unexported fields
}
UziSignedToken implements the SignedToken interface for contracts signed by the UZI means in the JwtX509Token form.
func (UziSignedToken) Contract
func (t UziSignedToken) Contract() contract.Contract
Contract returns the Contract signed by the UZI means.
func (UziSignedToken) SignerAttributes
func (t UziSignedToken) SignerAttributes() (map[string]string, error)
SignerAttributes returns the attributes from the UZI card used in the signature. For more information on these attributes, see table 12 on page 62 of the Certification Practice Statement (CPS) UZI-register v10.x: https://zorgcsp.nl/Media/Default/documenten/2020-05-06_RK1%20CPS%20UZI-register%20V10.0.pdf
type UziValidator
type UziValidator struct {
// contains filtered or unexported fields
}
UziValidator can check UZI-signed JWTs. It can parse and validate a UziSignedToken, which implements the SignedToken interface.
func NewUziValidator
func NewUziValidator(env UziEnv, contractTemplates *contract.TemplateStore, crlValidator crl.Validator) (validator *UziValidator, err error)
NewUziValidator creates a new UziValidator. It accepts a UziEnv and preloads the corresponding certificate tree. It accepts a contract template store, which is used to check that the signed contract exists and is valid. It accepts an optional CRL database; if none is given, it creates one based on the root and intermediate certificates.
func (UziValidator) Parse
func (u UziValidator) Parse(rawProofValue string) (services.SignedToken, error)
Parse tries to parse a UZI ProofValue into a UziSignedToken. A UZI ProofValue is encoded as a JWT; the JWT should contain at least one certificate in the x5c header. It tries to find the contract in the given contract store. No other verifications are performed; make sure to call Verify to perform the actual cryptographic verifications.
func (UziValidator) Verify
func (u UziValidator) Verify(token services.SignedToken) error
Verify performs all the cryptographic verifications: correct hashing algorithm, correct certificate tree, certificates are not revoked, the extra JWT fields like exp, iat and nbf are valid, and the signer attributes are valid.