x509

package
v1.1.0
Published: May 23, 2022 License: GPL-3.0 Imports: 17 Imported by: 0

Documentation

Types

type JwtX509Token

type JwtX509Token struct {
	// contains filtered or unexported fields
}

JwtX509Token contains a parsed JWT that was signed with the private key of an X.509 certificate.

func (JwtX509Token) SubjectAltNameOtherNames

func (j JwtX509Token) SubjectAltNameOtherNames() ([]string, error)

SubjectAltNameOtherNames extracts the otherName entries of the Subject Alternative Name extension, as strings, from the certificate that was used to sign the JWT.
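Go's crypto/x509 only surfaces the dNSName, rfc822Name, URI and IP choices of the SAN extension, so an otherName extractor such as the method above has to walk the extension's DER itself. The following is an added example in standard-library Go, not this package's code: it builds a self-signed test certificate whose SAN carries one dNSName plus one otherName, then reads the otherName back. The OID 1.2.3.4.5, the attribute string and the function names (ExtractOtherNames, DemoCert) are placeholders chosen for this example, not real UZI values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}

// otherName is GeneralName CHOICE [0] (RFC 5280 4.2.1.6):
// OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY DEFINED BY type-id }
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  asn1.RawValue `asn1:"tag:0,explicit"`
}

// ExtractOtherNames returns each otherName in the SAN extension whose value is a string type,
// formatted "<type-id>=<value>". Other GeneralName choices are skipped; DER that does not
// match the expected structure is reported as an error instead of being silently dropped.
func ExtractOtherNames(cert *x509.Certificate) ([]string, error) {
	var out []string
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSubjectAltName) { continue }
		var seq asn1.RawValue
		rest, err := asn1.Unmarshal(ext.Value, &seq)
		if err != nil { return nil, err }
		if len(rest) != 0 || seq.Class != asn1.ClassUniversal || seq.Tag != asn1.TagSequence || !seq.IsCompound {
			return nil, errors.New("subjectAltName is not a SEQUENCE OF GeneralName")
		}
		for data := seq.Bytes; len(data) > 0; {
			var gn asn1.RawValue
			if data, err = asn1.Unmarshal(data, &gn); err != nil { return nil, err }
			if gn.Class != asn1.ClassContextSpecific || gn.Tag != 0 { continue } // dNSName, rfc822Name, ...
			var on otherName
			// The [0] is IMPLICIT: it replaces the SEQUENCE tag, so the struct is parsed with "tag:0".
			if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err != nil {
				return nil, fmt.Errorf("otherName: %w", err)
			}
			var s string // accepts UTF8String, IA5String, PrintableString, ...
			if _, err := asn1.Unmarshal(on.Value.Bytes, &s); err != nil {
				return nil, fmt.Errorf("otherName %v: %w", on.TypeID, err)
			}
			out = append(out, on.TypeID.String()+"="+s)
		}
	}
	return out, nil
}

// DemoCert self-signs a certificate whose SAN holds one dNSName and one otherName. The OID
// 1.2.3.4.5 and the attribute string are placeholders for this example, not real UZI values.
func DemoCert() (*x509.Certificate, error) {
	inner, err := asn1.MarshalWithParams("demo-attributes-123", "utf8")
	if err != nil { return nil, err }
	on, err := asn1.MarshalWithParams(otherName{
		TypeID: asn1.ObjectIdentifier{1, 2, 3, 4, 5},
		Value:  asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: inner}, // [0] EXPLICIT
	}, "tag:0") // IMPLICIT [0] around the SEQUENCE, mirroring the parser above
	if err != nil { return nil, err }
	san, err := asn1.Marshal([]asn1.RawValue{
		{FullBytes: on},
		{Class: asn1.ClassContextSpecific, Tag: 2, Bytes: []byte("example.invalid")}, // dNSName [2]
	})
	if err != nil { return nil, err }
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "demo-signer"},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidSubjectAltName, Value: san}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := DemoCert()
	if err != nil { panic(err) }
	names, err := ExtractOtherNames(cert)
	fmt.Println(cert.DNSNames, names, err)
}
```

The parser fails closed on purpose: a SAN that is not a well-formed SEQUENCE OF GeneralName, or an otherName whose value is not a string, is an error rather than an empty result, so a caller that authorizes on these attributes cannot mistake a malformed certificate for one without attributes. The implicit [0] tag around OtherName is the part most often got wrong: it replaces the SEQUENCE tag, which is why the struct is unmarshalled with the "tag:0" parameter instead of being wrapped in another SEQUENCE.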

type JwtX509Validator

type JwtX509Validator struct {
	// contains filtered or unexported fields
}

JwtX509Validator contains all logic to parse and verify a JwtX509Token.

func NewJwtX509Validator

func NewJwtX509Validator(roots, intermediates []*x509.Certificate, allowedSigAlgs []jwa.SignatureAlgorithm, crlValidator crl.Validator) *JwtX509Validator

NewJwtX509Validator creates a new JwtX509Validator. It accepts the root and intermediate certificates used to validate the certificate chain, the list of signature algorithms that are accepted, and a CRL database (crl.Validator).

func (JwtX509Validator) Parse

func (validator JwtX509Validator) Parse(rawAuthToken string) (*JwtX509Token, error)

Parse attempts to parse a string as a JWS. It checks that the x5c header contains at least one certificate; the signature is expected to have been made with the private key of the leaf certificate in that header. No other validation is performed here: call Verify to verify the token.

func (JwtX509Validator) Verify

func (validator JwtX509Validator) Verify(x509Token *JwtX509Token) error

Verify verifies a JwtX509Token. It checks that the signature algorithm is one of the allowed algorithms, verifies that the certificate used to sign the token has a valid chain to the configured roots and intermediates, checks the signature of the JWT against the leaf certificate provided in the x5c header, and performs the additional JWT checks on the optional fields such as exp, nbf and iat. Note: it does not verify the extended key usage! That check must be performed by hand.

type UziEnv

type UziEnv string

UziEnv indicates which UZI environment (production or acceptance, 'acceptatie') should be used.

const UziAcceptation UziEnv = "acceptation"

UziAcceptation uses the acceptation certificate tree: https://acceptatie.zorgcsp.nl/ca-certificaten

const UziProduction UziEnv = "production"

UziProduction uses the production certificate tree: https://www.zorgcsp.nl/ca-certificaten

type UziSignedToken

type UziSignedToken struct {
	// contains filtered or unexported fields
}

UziSignedToken implements the SignedToken interface for contracts signed by the UZI means, in JwtX509Token form.

func (UziSignedToken) Contract

func (t UziSignedToken) Contract() contract.Contract

Contract returns the Contract signed by the UZI means.

func (UziSignedToken) SignerAttributes

func (t UziSignedToken) SignerAttributes() (map[string]string, error)

SignerAttributes returns the attributes from the UZI card that was used for the signature. For more information on these attributes, see table 12 on page 62 of the Certification Practice Statement (CPS) UZI-register v10.x: https://zorgcsp.nl/Media/Default/documenten/2020-05-06_RK1%20CPS%20UZI-register%20V10.0.pdf

type UziValidator

type UziValidator struct {
	// contains filtered or unexported fields
}

UziValidator checks UZI-signed JWTs. It can parse and validate a UziSignedToken, which implements the SignedToken interface.

func NewUziValidator

func NewUziValidator(env UziEnv, contractTemplates *contract.TemplateStore, crlValidator crl.Validator) (validator *UziValidator, err error)

NewUziValidator creates a new UziValidator. It accepts a UziEnv and preloads the corresponding certificate tree. It accepts a contract template store, which is used to check that the signed contract exists and is valid. It accepts an optional CRL database; if none is given, one is created from the root and intermediate certificates.

func (UziValidator) Parse

func (u UziValidator) Parse(rawProofValue string) (services.SignedToken, error)

Parse tries to parse a UZI ProofValue into a UziSignedToken. A UZI ProofValue is encoded as a JWT; the JWT must contain at least one certificate in the x5c header. It tries to find the contract in the given contract store. No other verification is performed here: call Verify to perform the actual cryptographic verification.

func (UziValidator) Verify

func (u UziValidator) Verify(token services.SignedToken) error

Verify performs all the cryptographic verifications: that the hashing algorithm is the expected one, that the certificate chain is correct, that the certificates are not revoked, that the extra JWT fields (exp, iat and nbf) are valid, and that the signer attributes are valid.
