Documentation
¶
Index ¶
- Constants
- Variables
- func SignJWT(signer crypto.Signer, claims map[string]interface{}, ...) (sig string, err error)
- type CertificateProfile
- type Client
- type Crypto
- func (client *Crypto) CalculateExternalId(subject string, actor string, key types.KeyIdentifier) ([]byte, error)
- func (client *Crypto) Configure() error
- func (client *Crypto) DecryptKeyAndCipherText(cipherText types.DoubleEncryptedCipherText, key types.KeyIdentifier) ([]byte, error)
- func (client *Crypto) EncryptKeyAndPlainText(plainText []byte, keys []jwk.Key) (types.DoubleEncryptedCipherText, error)
- func (client *Crypto) GenerateKeyPair(key types.KeyIdentifier, overwrite bool) (crypto.PublicKey, error)
- func (client *Crypto) GenerateVendorCACSR(name string) ([]byte, error)
- func (client *Crypto) GetPrivateKey(key types.KeyIdentifier) (crypto.Signer, error)
- func (client *Crypto) GetPublicKeyAsJWK(key types.KeyIdentifier) (jwk.Key, error)
- func (client *Crypto) GetPublicKeyAsPEM(key types.KeyIdentifier) (string, error)
- func (client *Crypto) GetSigningCertificate(entity types.LegalEntity) (*x509.Certificate, crypto.PrivateKey, error)
- func (client *Crypto) GetTLSCertificate(entity types.LegalEntity) (*x509.Certificate, crypto.PrivateKey, error)
- func (client *Crypto) PrivateKeyExists(key types.KeyIdentifier) bool
- func (client *Crypto) RenewSigningCertificate(entity types.LegalEntity) (*x509.Certificate, crypto.PrivateKey, error)
- func (client *Crypto) RenewTLSCertificate(entity types.LegalEntity) (*x509.Certificate, crypto.PrivateKey, error)
- func (client *Crypto) SelfSignVendorCACertificate(name string) (*x509.Certificate, error)
- func (client *Crypto) Shutdown() error
- func (client *Crypto) Sign(data []byte, key types.KeyIdentifier) ([]byte, error)
- func (client *Crypto) SignCertificate(subjectKey types.KeyIdentifier, caKey types.KeyIdentifier, pkcs10 []byte, ...) ([]byte, error)
- func (client Crypto) SignJWS(payload []byte, key types.KeyIdentifier) ([]byte, error)
- func (client Crypto) SignJWSEphemeral(payload []byte, caKey types.KeyIdentifier, csr x509.CertificateRequest, ...) ([]byte, error)
- func (client *Crypto) SignJWT(claims map[string]interface{}, key types.KeyIdentifier) (token string, err error)
- func (client *Crypto) SignJWTRFC003(claims map[string]interface{}) (token string, err error)
- func (client *Crypto) SignTLSCertificate(key crypto.PublicKey) (*x509.Certificate, error)
- func (client *Crypto) Start() error
- func (client *Crypto) StoreVendorCACertificate(certificate *x509.Certificate) error
- func (client Crypto) TrustStore() cert.TrustStore
- func (client *Crypto) VerifyJWS(signature []byte, signingTime time.Time, certVerifier cert.Verifier) ([]byte, error)
- func (client *Crypto) VerifyWith(data []byte, sig []byte, key jwk.Key) (bool, error)
- type CryptoConfig
Constants ¶
View Source
const CACertificateQualifier = "CA"
View Source
const MinECKeySize = 256
MinECKeySize defines the minimum EC key size
View Source
const MinRSAKeySize = 2048
MinRSAKeySize defines the minimum RSA key size
View Source
const OAuthCertificateQualifier = "oauth"
View Source
const SigningCertificateQualifier = "sign"
View Source
const SigningCertificateValidityInDays = 365
SigningCertificateValidityInDays holds the number of days issued signing certificates are valid
View Source
const TLSCertificateQualifier = "tls"
View Source
const TLSCertificateValidityInDays = 365
TLSCertificateValidityInDays holds the number of days issued TLS certificates are valid
Variables ¶
View Source
var ErrCSRSignatureInvalid = core.NewError("CSR signature is invalid", false)
ErrCSRSignatureInvalid indicates the signature on the CSR (Proof of Possesion) is invalid
View Source
var ErrCertificateNotTrusted = errors.New("X.509 certificate not trusted")
ErrCertificateNotTrusted indicates that the X.509 certificate is not trusted noinspection GoErrorStringFormat
View Source
var ErrIllegalNonce = core.NewError("illegal nonce given", false)
ErrIllegalNonce indicates an incorrect nonce
View Source
var ErrInvalidAlgorithm = core.NewError("invalid algorithm for public key", false)
ErrInvalidAlgorithm indicates an invalid public key was used
View Source
var ErrInvalidCertChain = errors.New("X.509 certificate chain is invalid")
ErrInvalidCertChain indicates that the provided X.509 certificate chain is invalid noinspection GoErrorStringFormat
View Source
var ErrInvalidKeyIdentifier = core.NewError("invalid key identifier", false)
ErrInvalidKeyIdentifier is returned when the provided key identifier isn't valid
View Source
var ErrInvalidKeySize = core.NewError(fmt.Sprintf("invalid keySize, needs to be at least %d bits for RSA and %d bits for EC", MinRSAKeySize, MinECKeySize), false)
ErrInvalidKeySize is returned when the keySize for new keys is too short
View Source
var ErrKeyAlreadyExists = errors.New("key already exists")
ErrKeyAlreadyExists indicates that the key already exists.
View Source
var ErrMissingActor = core.NewError("missing actor", false)
ErrMissingActor indicates the actor is missing
View Source
var ErrMissingSubject = core.NewError("missing subject", false)
ErrMissingSubject indicates the Subject is missing
View Source
var ErrUnableToParseCSR = core.NewError("unable to parse CSR", false)
ErrUnableToParseCSR indicates the CSR is invalid
View Source
var ErrUnknownCA = core.NewError("unknown CA", false)
ErrUnknownCA indicates that the signing CA is unknown (e.g. its keys are unavailable for signing)
View Source
var ErrUnsupportedSigningKey = errors.New("signing key algorithm not supported")
ErrUnsupportedSigningKey is returned when an unsupported private key is used to sign. Currently only ecdsa and rsa keys are supported
Functions ¶
Types ¶
type CertificateProfile ¶
type CertificateProfile struct {
KeyUsage x509.KeyUsage
ExtKeyUsage []x509.ExtKeyUsage
IsCA bool
// MaxPathLen is ignored when IsCa = false
MaxPathLen int
// NumDaysValid is the number of days the certificate is valid, starting today
NumDaysValid int
// contains filtered or unexported fields
}
CertificateProfile is used to specify input parameters for certificate issuance.
type Client ¶
type Client interface {
// DecryptKeyAndCipherText decrypts a cipherText using the given key (private key must be present).
DecryptKeyAndCipherText(cipherText types.DoubleEncryptedCipherText, key types.KeyIdentifier) ([]byte, error)
// EncryptKeyAndPlainText encrypts a piece of data for the given public keys
EncryptKeyAndPlainText(plainText []byte, keys []jwk.Key) (types.DoubleEncryptedCipherText, error)
// CalculateExternalId calculates an externalId for a (custodian, subject, actor) triple using the given key (private key must be present).
CalculateExternalId(subject string, actor string, key types.KeyIdentifier) ([]byte, error)
// GenerateVendorCACSR generates a Certificate Signing Request (CSR) for a Vendor CA Certificate for the current vendor.
// If successful it returns the CSR as DER-encoded PKCS10.
GenerateVendorCACSR(name string) ([]byte, error)
// SelfSignVendorCACertificate self-signs a Vendor CA Certificate for the current vendor. This is the self-signed
// counterpart of the GenerateVendorCACSR function.
// If there is a key pair present for the vendor it's reused, otherwise a new key pair is generated.
SelfSignVendorCACertificate(name string) (*x509.Certificate, error)
// StoreVendorCACertificate stores the Vendor CA certificate (for the configured vendor). This certificate issued
// by the Network Authority based on the CSR generated by GenerateVendorCACSR. Therefore the private key must be
// present and correspond to the given certificate. If there's an existing certificate entry, it will be overwritten.
StoreVendorCACertificate(certificate *x509.Certificate) error
// GenerateKeyPair generates a key pair. If the key already exists and overwrite is true, it is overwritten and associated certificates are removed.
// If it exists and overwrite is false an error is returned.
GenerateKeyPair(key types.KeyIdentifier, overwrite bool) (crypto.PublicKey, error)
// SignFor signs a piece of data using the given key (private key must be present).
Sign(data []byte, key types.KeyIdentifier) ([]byte, error)
// SignCertificate issues a certificate by signing a PKCS10 certificate request. The private key of the specified CA should be available in the key store.
SignCertificate(subjectKey types.KeyIdentifier, caKey types.KeyIdentifier, pkcs10 []byte, profile CertificateProfile) ([]byte, error)
// GetPrivateKey returns the specified private key (for e.g. signing) in non-exportable form.
GetPrivateKey(key types.KeyIdentifier) (crypto.Signer, error)
// VerifyWith verifies a signature for a given jwk
VerifyWith(data []byte, sig []byte, jwk jwk.Key) (bool, error)
// GetTLSCertificate retrieves the current TLS certificate and corresponding private key for the given entity.
// If there's no TLS certificate for the given entity nil is returned. In that case RenewTLSCertificate can be used
// to (re)issue the certificate.
GetTLSCertificate(entity types.LegalEntity) (*x509.Certificate, crypto.PrivateKey, error)
// SignTLSCertificate creates a CSR for the given public key and will sign it with the vendorCA.
// It differs from GetTLSCertificate in the fact that the private key is unknown/external.
SignTLSCertificate(publicKey crypto.PublicKey) (*x509.Certificate, error)
// RenewTLSCertificate issues a TLS certificate and corresponding private key for the given entity. If it already
// exists the existing private key and certificate are overwritten.
// The specified entity MUST have a valid CA certificate with private key, otherwise an error is returned.
// If all goes well the TLS certificate is returned alongside the corresponding private key.
RenewTLSCertificate(entity types.LegalEntity) (*x509.Certificate, crypto.PrivateKey, error)
// GetSigningCertificate retrieves the current signing certificate and corresponding private key for the given entity.
// If there's no signing certificate for the given entity nil is returned. In that case RenewSigningCertificate can be used
// to (re)issue the certificate.
GetSigningCertificate(entity types.LegalEntity) (*x509.Certificate, crypto.PrivateKey, error)
// RenewSigningCertificate issues a signing certificate and corresponding private key for the given entity. If it already
// exists the existing private key and certificate are overwritten.
// The specified entity MUST have a valid CA certificate with private key, otherwise an error is returned.
// If all goes well the signing certificate is returned alongside the corresponding private key.
RenewSigningCertificate(entity types.LegalEntity) (*x509.Certificate, crypto.PrivateKey, error)
// GetPublicKeyAsPEM returns the PEM encoded PublicKey
GetPublicKeyAsPEM(key types.KeyIdentifier) (string, error)
// GetPublicKeyAsJWK returns the JWK encoded PublicKey for a given legal entity
GetPublicKeyAsJWK(key types.KeyIdentifier) (jwk.Key, error)
// SignJWT creates a signed JWT using the given key and map of claims (private key must be present).
SignJWT(claims map[string]interface{}, key types.KeyIdentifier) (string, error)
// SignJWTRFC003 creates a signed JWT according to RFC003 using an ephemeral Vendor signing key and map of claims.
SignJWTRFC003(claims map[string]interface{}) (string, error)
// SignJWS signs payload according to the JWS spec with the specified key. There must be both a private key and
// corresponding certificate be present for the given key, and the certificate must be meant for signing. If any of
// these preconditions fail, an error is returned.
// The certificate is included in the x509chain field of the resulting JWS.
SignJWS(payload []byte, key types.KeyIdentifier) ([]byte, error)
// SignJWSEphemeral signs payload according to the JWS spec with a temporary key and certificate which are generated just for this operation.
// In other words, the key and certificate are not stored and cannot be used for any other cryptographic operation.
// The certificate's validity is as short as possible, just spanning the instant of signing.
// payload: data to be signed
// caKey: key of the Certificate Authority which should issue the certificate (private key and certificate must be present).
// csr: Certificate Signing Request which is used for issuing the X.509 certificate which is included in the JWS.
// The CSR indicates which entity (e.g. vendor, organization, etc) is signing the payload.
// signingTime: instant which is checked later when verifying the signature. The certificate will just span this instant.
//
// Deprecated: we're moving away from ephemeral keys for JWS signing, so use SigJWS instead.
SignJWSEphemeral(payload []byte, caKey types.KeyIdentifier, csr x509.CertificateRequest, signingTime time.Time) ([]byte, error)
// VerifyJWS verifies a JWS ("signature"): it parses the JWS, checks if it's been signed with the expected algorithm,
// if it's signed with a certificate supplied in the "x5c" field of the JWS, if the certificate is trusted according
// to the certificate verifier and whether the certificate was valid at the time of signing ("signingTime").
// If the verification succeeds the payload that the JWS protects is returned.
// If any of the verifications fail an error is returned (and no payload).
VerifyJWS(signature []byte, signingTime time.Time, certVerifier cert.Verifier) ([]byte, error)
// PrivateKeyExists returns if the specified private key eixsts.
PrivateKeyExists(key types.KeyIdentifier) bool
// TrustStore returns the trust store backing the crypto module.
TrustStore() cert.TrustStore
}
Client defines the functions than can be called by a Cmd, Direct or via rest call.
type Crypto ¶
type Crypto struct {
Storage storage.Storage
Config CryptoConfig
// contains filtered or unexported fields
}
default implementation for CryptoInstance
func CryptoInstance ¶
func CryptoInstance() *Crypto
func NewCryptoInstance ¶ added in v0.15.0
func NewCryptoInstance(config CryptoConfig) *Crypto
func NewTestCryptoInstance ¶ added in v0.15.0
NewTestCryptoInstance returns a new Crypto instance to be used for integration tests. Any data is stored in the specified test directory.
func (*Crypto) CalculateExternalId ¶ added in v0.14.0
func (client *Crypto) CalculateExternalId(subject string, actor string, key types.KeyIdentifier) ([]byte, error)
CalculateExternalId creates an unique identifier which is repeatable. It uses the legalEntity private key as key. This is not for security but does generate the same unique identifier every time. It should only be used as unique identifier for consent records. Using the private key also ensure the BSN can not be deduced from the externalID.
func (*Crypto) Configure ¶
Configure loads the given configurations in the engine. Any wrong combination will return an error
func (*Crypto) DecryptKeyAndCipherText ¶ added in v0.14.0
func (client *Crypto) DecryptKeyAndCipherText(cipherText types.DoubleEncryptedCipherText, key types.KeyIdentifier) ([]byte, error)
Main decryption function, first the symmetric key will be decrypted using the private key of the legal entity. The resulting symmetric key will then be used to decrypt the given cipherText.
func (*Crypto) EncryptKeyAndPlainText ¶ added in v0.14.0
func (client *Crypto) EncryptKeyAndPlainText(plainText []byte, keys []jwk.Key) (types.DoubleEncryptedCipherText, error)
EncryptKeyAndPlainTextFor encrypts a piece of data for the given public key
func (*Crypto) GenerateKeyPair ¶ added in v0.14.0
func (client *Crypto) GenerateKeyPair(key types.KeyIdentifier, overwrite bool) (crypto.PublicKey, error)
GenerateKeyPair generates a new key pair. If a key pair with the same identifier already exists, it is overwritten.
func (*Crypto) GenerateVendorCACSR ¶ added in v0.15.0
func (*Crypto) GetPrivateKey ¶ added in v0.14.0
GetPrivateKey returns the specified private key. It can be used for signing, but cannot be exported.
func (*Crypto) GetPublicKeyAsJWK ¶ added in v0.14.0
PublicKeyInJWK loads the key from storage and wraps it in a Key format. Supports RSA, ECDSA and Symmetric style keys
func (*Crypto) GetPublicKeyAsPEM ¶ added in v0.14.0
func (client *Crypto) GetPublicKeyAsPEM(key types.KeyIdentifier) (string, error)
PublicKeyInPEM loads the key from storage and returns it as PEM encoded. Only supports RSA style keys
func (*Crypto) GetSigningCertificate ¶ added in v0.15.0
func (client *Crypto) GetSigningCertificate(entity types.LegalEntity) (*x509.Certificate, crypto.PrivateKey, error)
func (*Crypto) GetTLSCertificate ¶ added in v0.14.0
func (client *Crypto) GetTLSCertificate(entity types.LegalEntity) (*x509.Certificate, crypto.PrivateKey, error)
func (*Crypto) PrivateKeyExists ¶ added in v0.14.0
func (client *Crypto) PrivateKeyExists(key types.KeyIdentifier) bool
PrivateKeyExists checks storage for an entry for the given legal entity and returns true if it exists
func (*Crypto) RenewSigningCertificate ¶ added in v0.15.0
func (client *Crypto) RenewSigningCertificate(entity types.LegalEntity) (*x509.Certificate, crypto.PrivateKey, error)
func (*Crypto) RenewTLSCertificate ¶ added in v0.15.0
func (client *Crypto) RenewTLSCertificate(entity types.LegalEntity) (*x509.Certificate, crypto.PrivateKey, error)
func (*Crypto) SelfSignVendorCACertificate ¶ added in v0.15.0
func (client *Crypto) SelfSignVendorCACertificate(name string) (*x509.Certificate, error)
func (*Crypto) Sign ¶ added in v0.14.0
SignFor signs a piece of data using the given key. It is expected that the plain data is given, and it uses the SHA256 hashing function.
func (*Crypto) SignCertificate ¶
func (client *Crypto) SignCertificate(subjectKey types.KeyIdentifier, caKey types.KeyIdentifier, pkcs10 []byte, profile CertificateProfile) ([]byte, error)
SignCertificate issues a certificate by signing a PKCS10 certificate request. The private key of the specified CA should be available in the key store.
func (Crypto) SignJWSEphemeral ¶ added in v0.14.0
func (client Crypto) SignJWSEphemeral(payload []byte, caKey types.KeyIdentifier, csr x509.CertificateRequest, signingTime time.Time) ([]byte, error)
func (*Crypto) SignJWT ¶ added in v0.14.0
func (client *Crypto) SignJWT(claims map[string]interface{}, key types.KeyIdentifier) (token string, err error)
SignJwtFor creates a signed JWT given a legalEntity and map of claims
func (*Crypto) SignJWTRFC003 ¶ added in v0.16.0
SignJWTRFC003 signs a JWT according to Nuts RFC003. This func is only for signing the bearer token of the oauth flow.
func (*Crypto) SignTLSCertificate ¶ added in v0.16.0
SignTLSCertificate creates a TLS Client certificate. It uses the Vendor CA to sign. the resulting certificate is valid for 4 days.
func (*Crypto) StoreVendorCACertificate ¶ added in v0.15.0
func (client *Crypto) StoreVendorCACertificate(certificate *x509.Certificate) error
func (Crypto) TrustStore ¶ added in v0.14.0
func (client Crypto) TrustStore() cert.TrustStore
type CryptoConfig ¶
type CryptoConfig struct {
Mode string
Address string
ClientTimeout int
Keysize int
Storage string
Fspath string
}
func DefaultCryptoConfig ¶ added in v0.15.0
func DefaultCryptoConfig() CryptoConfig
func TestCryptoConfig ¶ added in v0.15.0
func TestCryptoConfig(testDirectory string) CryptoConfig
TestCryptoConfig returns CryptoConfig to be used in integration/unit tests.
Source Files
¶
Directories
¶
| Path | Synopsis |
|---|---|
|
The backend package contains the various options for storing the actual private keys.
|
The backend package contains the various options for storing the actual private keys. |
|
types and interfaces used by all other packages
|
types and interfaces used by all other packages |
Click to show internal directories.
Click to hide internal directories.