Skip to content

nuts-foundation/uzi-did-x509-issuer

Repository files navigation

Nuts X509 Certificate Issuer

Maintainability Test Coverage

Caution

This repository contains experimental code and is not suitable for production usage!

Description

The X509 certificate Issuer is a Go-based tool designed for issuing Verifiable Credentials signed by a X509 certificate. The issuer creates a did:x509 based on the PKI certificate chain. Its main purspose is to create verificable credentials form certificates issued by the UZI certificate chain from the CIBG registry.

Features

The X509 certificate Issuer generated a Verifiable Credential of type X509Credential with the following features:

  • The DID method is a customized did:x509 DID pointing to the x5c header.
  • The x5c filled with the certificate chain. The chain is built from:
    • The provided UZI server (Test) certificate
    • All the required certificates from the UZI register.
    • If the test mode is enabled, the Test UZI register
  • Signed by the private key of the X509 certificate.
  • The VC issued to the provided DID and name.

Note on security, trust, and secrecy

The VC that is signed by this application are cryptographic proofs, signed by the private key used in the X509 certificate process. Note that:

  • This private key is supposed to be kept very secret.
  • The Subject DID of the signed credential is mandated with cryptographic proof to act on behalf of the owner of the private key on the NUTS network.

Prerequisites

Before you begin, ensure you have met the following requirements:

  • You have installed Go SDK 1.23.1 or compatible version.
  • You are using a Unix-based operating system like macOS or Linux.
  • You have the necessary permissions to install software and manage certificates.

Installation

Follow these steps to set up the project:

  1. Clone the repository:
    git clone https://github.com/nuts-foundation/uzi-did-x509-issuer
  2. Change to the project directory:
    cd uzi-did-x509-issuer
  3. Download dependencies:
    go mod download && go mod verify
  4. Build the project:
    go build -ldflags="-w -s " -o ./issuer
    or
    make build

Usage

  1. Run the application:

    ./issuer
  2. Getting command line help:

    • Use the CLI options provided by the application to generate new certificates. Refer to the help command for more details:
    ./issuer --help
  3. Call for generating a VC:

    • The following parameters are required:
      • certificate_file, the PEM file of the URA server certificate
      • signing_key ,the unencrypted PEM file of the private key used for signing.
      • subject_did and subject_name, the vc.subject.id and vc.subject.name of the generated verifiable credential.

Examples

  • Example call with a TEST certificate
    ./issuer vc cert.pem key.key did:web:example.com:example --test
    
  • Example call with a production certificate
    ./issuer vc cert.pem key.key did:web:example.com:example
    

Project UZI CA and Intermediate CA files

This project downloads the relevant CA certs from:

Converting to PEM files:

The following command converts .cer files to PEM:

 openssl x509 -inform der -in certificate.cer -out certificate.pem

Validating a X509Credential

The logic on Validating a X509Credential is described in the VC_VALIDATION.md file.

Contributing

We welcome contributions! To contribute:

  1. Fork the repository.
  2. Create a new branch (git checkout -b feature-branch).
  3. Make your changes.
  4. Commit your changes (git commit -am 'Add new feature').
  5. Push to the branch (git push origin feature-branch).
  6. Create a new Pull Request.

Please ensure your code follows the project's coding conventions and passes all tests.

License

This project is licensed under the MIT License. See the LICENSE file for details.

Contact

If you have any questions or suggestions, feel free to open an issue or contact the project maintainers at roland@headease.nl.