Documentation
¶
Overview ¶
Package webeid implements the framework-agnostic core of the Web eID authentication-token validation and eID-card signing-operations back end.
It is wire-compatible with the unmodified Web eID client components (web-eid.js, the browser extension and the native application) and mirrors the public API of the official Java reference library so existing RIA documentation maps directly onto it.
The core depends only on the Go standard library and golang.org/x/crypto; the Azugo HTTP integration lives in the sub-package github.com/gmb-sig/go-web-eid/azugo.
Index ¶
- Constants
- type AuthToken
- type AuthTokenValidator
- type AuthTokenValidatorBuilder
- func (b *AuthTokenValidatorBuilder) Build() (AuthTokenValidator, error)
- func (b *AuthTokenValidatorBuilder) WithAllowInsecureLocalhostOrigin() *AuthTokenValidatorBuilder
- func (b *AuthTokenValidatorBuilder) WithAllowedOcspResponderURLs(urls ...string) *AuthTokenValidatorBuilder
- func (b *AuthTokenValidatorBuilder) WithAllowedOcspResponseTimeSkew(d time.Duration) *AuthTokenValidatorBuilder
- func (b *AuthTokenValidatorBuilder) WithDesignatedOcspServiceConfiguration(cfg *ocsp.DesignatedServiceConfiguration) *AuthTokenValidatorBuilder
- func (b *AuthTokenValidatorBuilder) WithDisallowedCertificatePolicies(oids ...asn1.ObjectIdentifier) *AuthTokenValidatorBuilder
- func (b *AuthTokenValidatorBuilder) WithMaxOcspResponseThisUpdateAge(d time.Duration) *AuthTokenValidatorBuilder
- func (b *AuthTokenValidatorBuilder) WithNonceDisabledOcspUrls(urls ...string) *AuthTokenValidatorBuilder
- func (b *AuthTokenValidatorBuilder) WithOcspClient(c ocsp.Client) *AuthTokenValidatorBuilder
- func (b *AuthTokenValidatorBuilder) WithOcspRequestTimeout(d time.Duration) *AuthTokenValidatorBuilder
- func (b *AuthTokenValidatorBuilder) WithSiteOrigin(origin string) *AuthTokenValidatorBuilder
- func (b *AuthTokenValidatorBuilder) WithTrustedCertificateAuthorities(cas ...*x509.Certificate) *AuthTokenValidatorBuilder
- func (b *AuthTokenValidatorBuilder) WithoutUserCertificateRevocationCheckWithOcsp() *AuthTokenValidatorBuilder
- type ChallengeNonce
- type ChallengeNonceGenerator
- type ChallengeNonceGeneratorBuilder
- func (b *ChallengeNonceGeneratorBuilder) Build() (ChallengeNonceGenerator, error)
- func (b *ChallengeNonceGeneratorBuilder) WithChallengeNonceStore(store ChallengeNonceStore) *ChallengeNonceGeneratorBuilder
- func (b *ChallengeNonceGeneratorBuilder) WithNonceSize(bytes int) *ChallengeNonceGeneratorBuilder
- func (b *ChallengeNonceGeneratorBuilder) WithNonceTTL(ttl time.Duration) *ChallengeNonceGeneratorBuilder
- func (b *ChallengeNonceGeneratorBuilder) WithSecureRandom(r io.Reader) *ChallengeNonceGeneratorBuilder
- type ChallengeNonceStore
- type InMemoryStore
- type SessionKeyFunc
Constants ¶
const ( // DefaultNonceTTL is the default challenge-nonce lifetime. DefaultNonceTTL = 5 * time.Minute )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AuthToken ¶
type AuthToken struct {
// UnverifiedCertificate is the base64-encoded DER authentication
// certificate. It is UNTRUSTED until validated.
UnverifiedCertificate string `json:"unverifiedCertificate"`
// Algorithm is the JWA signature algorithm: one of
// ES256/384/512, PS256/384/512, RS256/384/512.
Algorithm string `json:"algorithm"`
// Signature is the base64-encoded signature over hash(origin)+hash(challenge).
Signature string `json:"signature"`
// Format is the token type and version, e.g. "web-eid:1.0".
Format string `json:"format"`
// AppVersion is the informational URL of the issuing app.
AppVersion string `json:"appVersion"`
}
AuthToken is the Web eID authentication token as received from web-eid.js.
The certificate and claims contained in the token are UNTRUSTED until the token has been processed by AuthTokenValidator.Validate. The structure is a special-purpose JSON document and deliberately not a JWT — its fields must never be trusted on their own.
func Parse ¶
Parse decodes and structurally validates an authentication-token JSON document. It rejects empty mandatory fields, unknown algorithms and unsupported format major versions, but performs no cryptographic checks — those are the responsibility of AuthTokenValidator.Validate.
Unknown JSON fields are tolerated by design: the token format's MINOR version exists so official clients can add new (ignorable) fields without a breaking change — a "web-eid:1.x" token with extra fields is spec-valid and must not be rejected. Only the known fields are validated.
type AuthTokenValidator ¶
type AuthTokenValidator interface {
// Validate runs the full validation pipeline against the token using the
// expected challenge nonce. On success it returns the trusted user
// certificate.
//
// The caller is responsible for retrieving currentChallengeNonce from the
// ChallengeNonceStore (single-use GetAndRemove) and for enforcing nonce
// expiry before calling Validate.
Validate(ctx context.Context, token *AuthToken, currentChallengeNonce string) (*x509.Certificate, error)
}
AuthTokenValidator validates Web eID authentication tokens.
type AuthTokenValidatorBuilder ¶
type AuthTokenValidatorBuilder struct {
// contains filtered or unexported fields
}
AuthTokenValidatorBuilder builds an AuthTokenValidator. It mirrors the Java AuthTokenValidatorBuilder so existing RIA documentation maps onto it.
func NewAuthTokenValidatorBuilder ¶
func NewAuthTokenValidatorBuilder() *AuthTokenValidatorBuilder
NewAuthTokenValidatorBuilder returns a builder with reference-matching defaults (OCSP enabled, Mobile-ID policies disallowed).
func (*AuthTokenValidatorBuilder) Build ¶
func (b *AuthTokenValidatorBuilder) Build() (AuthTokenValidator, error)
Build validates configuration and constructs the validator.
func (*AuthTokenValidatorBuilder) WithAllowInsecureLocalhostOrigin ¶
func (b *AuthTokenValidatorBuilder) WithAllowInsecureLocalhostOrigin() *AuthTokenValidatorBuilder
WithAllowInsecureLocalhostOrigin additionally accepts an http:// origin for localhost loopback hosts — development only, mirroring the official extension's localhost allowance. Never enable in production.
func (*AuthTokenValidatorBuilder) WithAllowedOcspResponderURLs ¶
func (b *AuthTokenValidatorBuilder) WithAllowedOcspResponderURLs(urls ...string) *AuthTokenValidatorBuilder
WithAllowedOcspResponderURLs restricts AIA-derived OCSP responder URLs to an allowlist (full URL or host entries) — an SSRF guard, since the responder URL originates from the user-supplied certificate. Empty = unrestricted.
func (*AuthTokenValidatorBuilder) WithAllowedOcspResponseTimeSkew ¶
func (b *AuthTokenValidatorBuilder) WithAllowedOcspResponseTimeSkew(d time.Duration) *AuthTokenValidatorBuilder
WithAllowedOcspResponseTimeSkew sets the allowed thisUpdate/nextUpdate skew.
func (*AuthTokenValidatorBuilder) WithDesignatedOcspServiceConfiguration ¶
func (b *AuthTokenValidatorBuilder) WithDesignatedOcspServiceConfiguration(cfg *ocsp.DesignatedServiceConfiguration) *AuthTokenValidatorBuilder
WithDesignatedOcspServiceConfiguration sets a designated OCSP responder.
func (*AuthTokenValidatorBuilder) WithDisallowedCertificatePolicies ¶
func (b *AuthTokenValidatorBuilder) WithDisallowedCertificatePolicies(oids ...asn1.ObjectIdentifier) *AuthTokenValidatorBuilder
WithDisallowedCertificatePolicies sets the disallowed certificate policy OIDs, replacing the default Mobile-ID set.
func (*AuthTokenValidatorBuilder) WithMaxOcspResponseThisUpdateAge ¶
func (b *AuthTokenValidatorBuilder) WithMaxOcspResponseThisUpdateAge(d time.Duration) *AuthTokenValidatorBuilder
WithMaxOcspResponseThisUpdateAge sets the maximum thisUpdate age.
func (*AuthTokenValidatorBuilder) WithNonceDisabledOcspUrls ¶
func (b *AuthTokenValidatorBuilder) WithNonceDisabledOcspUrls(urls ...string) *AuthTokenValidatorBuilder
WithNonceDisabledOcspUrls lists OCSP responders that lack nonce support.
func (*AuthTokenValidatorBuilder) WithOcspClient ¶
func (b *AuthTokenValidatorBuilder) WithOcspClient(c ocsp.Client) *AuthTokenValidatorBuilder
WithOcspClient injects a custom OCSP transport.
func (*AuthTokenValidatorBuilder) WithOcspRequestTimeout ¶
func (b *AuthTokenValidatorBuilder) WithOcspRequestTimeout(d time.Duration) *AuthTokenValidatorBuilder
WithOcspRequestTimeout sets the per-request OCSP timeout.
func (*AuthTokenValidatorBuilder) WithSiteOrigin ¶
func (b *AuthTokenValidatorBuilder) WithSiteOrigin(origin string) *AuthTokenValidatorBuilder
WithSiteOrigin sets the origin the token is bound to, in the form https://host[:port] with no trailing slash (required).
func (*AuthTokenValidatorBuilder) WithTrustedCertificateAuthorities ¶
func (b *AuthTokenValidatorBuilder) WithTrustedCertificateAuthorities(cas ...*x509.Certificate) *AuthTokenValidatorBuilder
WithTrustedCertificateAuthorities sets the intermediate CA trust anchors (required).
func (*AuthTokenValidatorBuilder) WithoutUserCertificateRevocationCheckWithOcsp ¶
func (b *AuthTokenValidatorBuilder) WithoutUserCertificateRevocationCheckWithOcsp() *AuthTokenValidatorBuilder
WithoutUserCertificateRevocationCheckWithOcsp disables OCSP revocation checks.
type ChallengeNonce ¶
type ChallengeNonce struct {
// Base64EncodedNonce is the standard-base64 encoding of the random nonce.
Base64EncodedNonce string
// IssuedAt is when the nonce was generated.
IssuedAt time.Time
}
ChallengeNonce is a generated, time-stamped challenge nonce.
type ChallengeNonceGenerator ¶
type ChallengeNonceGenerator interface {
// GenerateAndStoreNonce creates a >=256-bit nonce, stores it via the
// configured store and returns it.
GenerateAndStoreNonce(ctx context.Context) (*ChallengeNonce, error)
}
ChallengeNonceGenerator creates and stores challenge nonces.
type ChallengeNonceGeneratorBuilder ¶
type ChallengeNonceGeneratorBuilder struct {
// contains filtered or unexported fields
}
ChallengeNonceGeneratorBuilder builds a ChallengeNonceGenerator. It mirrors the Java ChallengeNonceGeneratorBuilder.
func NewChallengeNonceGeneratorBuilder ¶
func NewChallengeNonceGeneratorBuilder() *ChallengeNonceGeneratorBuilder
NewChallengeNonceGeneratorBuilder returns a builder with default settings.
func (*ChallengeNonceGeneratorBuilder) Build ¶
func (b *ChallengeNonceGeneratorBuilder) Build() (ChallengeNonceGenerator, error)
Build validates the configuration and returns the generator.
func (*ChallengeNonceGeneratorBuilder) WithChallengeNonceStore ¶
func (b *ChallengeNonceGeneratorBuilder) WithChallengeNonceStore(store ChallengeNonceStore) *ChallengeNonceGeneratorBuilder
WithChallengeNonceStore sets the store used to persist nonces (required).
func (*ChallengeNonceGeneratorBuilder) WithNonceSize ¶
func (b *ChallengeNonceGeneratorBuilder) WithNonceSize(bytes int) *ChallengeNonceGeneratorBuilder
WithNonceSize overrides the nonce size in bytes. Values below 32 (256 bits) are clamped to 32.
func (*ChallengeNonceGeneratorBuilder) WithNonceTTL ¶
func (b *ChallengeNonceGeneratorBuilder) WithNonceTTL(ttl time.Duration) *ChallengeNonceGeneratorBuilder
WithNonceTTL sets the nonce lifetime. Expiry is enforced by the store and the login handler using this TTL; the generator only records IssuedAt.
func (*ChallengeNonceGeneratorBuilder) WithSecureRandom ¶
func (b *ChallengeNonceGeneratorBuilder) WithSecureRandom(r io.Reader) *ChallengeNonceGeneratorBuilder
WithSecureRandom overrides the entropy source (primarily for testing).
type ChallengeNonceStore ¶
type ChallengeNonceStore interface {
// Put stores the nonce for the current session, replacing any existing one.
Put(ctx context.Context, nonce *ChallengeNonce) error
// GetAndRemove returns and atomically removes the nonce for the current
// session. It returns exceptions.ErrChallengeNonceNotFound when absent.
GetAndRemove(ctx context.Context) (*ChallengeNonce, error)
}
ChallengeNonceStore stores challenge nonces keyed by the caller's session.
Implementations must guarantee single use: GetAndRemove atomically returns and deletes the stored nonce. The Azugo integration layer provides session-backed implementations.
type InMemoryStore ¶
type InMemoryStore struct {
// contains filtered or unexported fields
}
InMemoryStore is a thread-safe, in-process ChallengeNonceStore suitable for single-instance deployments and tests. Each session holds at most one nonce.
A background-free lazy sweep removes expired entries on access; callers that need bounded memory under churn should prefer a TTL-aware external store (e.g. Redis) for clustered deployments.
func NewInMemoryStore ¶
func NewInMemoryStore(sessionKey SessionKeyFunc, ttl time.Duration) *InMemoryStore
NewInMemoryStore creates an InMemoryStore. The sessionKey function maps a request context to its session identifier; ttl bounds nonce lifetime for the lazy sweep.
func (*InMemoryStore) GetAndRemove ¶
func (s *InMemoryStore) GetAndRemove(ctx context.Context) (*ChallengeNonce, error)
GetAndRemove returns and atomically removes the nonce for the current session.
func (*InMemoryStore) Put ¶
func (s *InMemoryStore) Put(ctx context.Context, nonce *ChallengeNonce) error
Put stores the nonce for the current session.
Source Files
¶
Directories
¶
| Path | Synopsis |
|---|---|
|
Package assertion implements the trust boundary between the Web eID service and the consuming Identity/Auth service.
|
Package assertion implements the trust boundary between the Web eID service and the consuming Identity/Auth service. |
|
Package webeidazugo provides the Azugo HTTP integration for the go-web-eid core library: configuration, a session-backed challenge-nonce store with pre-auth cookie middleware, an authentication middleware, and the four endpoints the web-eid.js flow expects.
|
Package webeidazugo provides the Azugo HTTP integration for the go-web-eid core library: configuration, a session-backed challenge-nonce store with pre-auth cookie middleware, an authentication middleware, and the four endpoints the web-eid.js flow expects. |
|
Package certificate provides X.509 helpers for the Web eID validation pipeline: trust-anchor loading and chain verification, validity / key-usage / extended-key-usage / certificate-policy checks, and subject-data extraction.
|
Package certificate provides X.509 helpers for the Web eID validation pipeline: trust-anchor loading and chain verification, validity / key-usage / extended-key-usage / certificate-policy checks, and subject-data extraction. |
|
Package exceptions defines the typed error values used throughout the go-web-eid library.
|
Package exceptions defines the typed error values used throughout the go-web-eid library. |
|
Package ocsp implements Web eID OCSP revocation checking: extracting the responder URL from a certificate's Authority Information Access extension, building nonce-protected OCSP requests, and validating responses (status, responder signature, and thisUpdate/nextUpdate freshness).
|
Package ocsp implements Web eID OCSP revocation checking: extracting the responder URL from a certificate's Authority Information Access extension, building nonce-protected OCSP requests, and validating responses (status, responder signature, and thisUpdate/nextUpdate freshness). |
|
Package redisstore provides a Redis-backed webeid.ChallengeNonceStore for clustered Web eID deployments.
|
Package redisstore provides a Redis-backed webeid.ChallengeNonceStore for clustered Web eID deployments. |
|
Package signature implements Web eID signature-algorithm mapping and authentication-token signature verification.
|
Package signature implements Web eID signature-algorithm mapping and authentication-token signature verification. |
|
Package signing implements the Web eID card-operations subsystem: signing certificate validation, signature-algorithm negotiation, configuration-driven hash-function selection, and relaying a caller-supplied digest-to-sign to the card.
|
Package signing implements the Web eID card-operations subsystem: signing certificate validation, signature-algorithm negotiation, configuration-driven hash-function selection, and relaying a caller-supplied digest-to-sign to the card. |