Giter Club home page Giter Club logo

alphagov.verify-eidas-trust-anchor's Introduction

Verify eIDAS Trust Anchor Generator and Connector Metadata Signer

Build Status

About Trust Anchor

European identity schemes each have unique metadata containing their identity providers and public keys. Every metadata file is signed with a country-specific key which allows metadata consumers to trust its authenticity.

We collect certificates for connected European countries into one place and sign them all together with a Verify key.

Our relying parties can trust the collection of certificates because of the GOV.UK Verify certificate, and then trust individual metadata files by using the collection. This signed collection is called the ‘signed trust anchor’.

GOV.UK Verify expresses these anchors as JSON Web Keys (JWK) and serves them signed in compact JSON Web Signature (JWS) format.

About Connector Metadata Signer

eIDAS specifies that we can only sign with RSASSA-PSS or ECDSA.

However, since xmlsectool does not support either algorithms, we had to create this signer to sign Connector Metadata.

Since RSASSA-PSS didn't work for yubikeys, we decided to go for ECDSA.

This tool

This tool can:

  • Operate on Trust Anchors
    • generate trust anchors from a country's certificate
    • aggregate many trust anchors together
    • sign the aggregated anchors into a full signed trust anchor
    • print a full signed trust anchor to show its constituent keys
  • Operate on Connector Metadata
    • sign the metadata using RSA or ECDSA algorithm and validate the signed signature.

Setup

The trust anchor depends on your system having version 0.17 of Open-SC installed, if you want to use the smart card functionality. More info can be found https://github.com/alphagov/verify-metadata/blob/master/README.md#troubleshooting

Build

Build the tool using gradle.

# With Docker:
docker build . --network host -t verify-eidas-trust-anchor:latest

# For Unix:
./gradlew clean build installDist

# For Windows:
.\gradlew.bat clean build installDist

If you make changes, run the tests.

# With Docker:
docker build --network=host --target build -t verify-eidas-trust-anchor.test:latest .
docker run --network=host verify-eidas-trust-anchor.test:latest gradle test

# For Unix:
./gradlew test

Run

The build process will produce a zip containing the executable (under bin/) under build/distributions.

All commands by default will output to standard out. You can pass the --output <file> or -o <file> option to output to a file instead.

Under Docker, you'll want a volume for accessing files on your machine, so use something like:

docker run --network=host -v /tmp:/host/tmp verify-eidas-trust-anchor:latest <COMMAND> <etc>

Otherwise, use:

./build/install/verify-eidas-trust-anchor/bin/verify-eidas-trust-anchor <COMMAND> <etc>

Use one of the above in place of in the rest of this documentation.

Import Trust Anchor

Generates a country's trust anchor by supplying the location of its metadata and its certificate or multiple certificates if the country has a certificate chain.

<eidas-trust-tool-command> trust-anchor import "https://metadata.example.com/example-country.xml" path/to/signing.crt [path/to/signing_ca.crt [...]]

Sign Trust Anchor with file

Aggregates and signs a collection of trust anchors by using a RSA private key supplied by a file. You can specify as many trust anchors as desired, including none.

<eidas-trust-tool-command> trust-anchor sign-with-file \
  --key path/to/private-key.pk8 \
  --cert path/to/public-cert.crt \
  [country1.jwk [country2.jwk [...]]]

Sign Trust Anchor with smartcard

Aggregates and signs a collection of trust anchors by using a smartcard (such as a Yubikey) that can be accessed using PKCS11.

<eidas-trust-tool-command> trust-anchor sign-with-smartcard \
  --config pkcs11_config.txt \
  --key "Private Key alias" \
  --cert "Public Certificate alias" \
  --password 12345

This requires an external native library, such as OpenSC. The config file will passed to the PKCS11 provider as configuration. For OpenSC, the correct config file might be:

library = /usr/local/lib/opensc-pkcs11.so
name = opensc

To find out the alias's of the certificates and keys you can use this command keytool -list -v -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg pkcs11_config.txt

Print Trust Anchor

Prints the human-readable JSON representation of each signed trust anchor passed, contained in a JSON array. If no signed trust anchors are passed, an empty array is printed.

<eidas-trust-tool-command> trust-anchor print [trust-anchor.jwt [...]]

### Sign Connector Metadata with file

Signs a metadata.xml file by using private key and its corresponding cert supplied by a file. Supported algorithms "RSA" or "ECDSA".

<eidas-trust-tool-command> connector-metadata sign-with-file \
  --key path/to/private-key.pk8 \
  --cert path/to/public-cert.crt \
  --algorithm ECDSA \
  metadata.xml

### Sign Connector Metadata with Smartcard/Yubikey

Signs a metadata.xml file by using a smartcard (such as a yubikey). Supported algorithms "RSA" or "ECDSA".

<eidas-trust-tool-command> connector-metadata sign-with-smartcard \
  --config pkcs11_config.txt \
  --key "Private Key alias" \
  --cert "Public Certificate alias" \
  --password 12345
  --algorithm ECDSA \
  metadata.xml

Support and raising issues

If you think you have discovered a security issue in this code please email [email protected] with details.

For non-security related bugs and feature requests please raise an issue in the GitHub issue tracker.

Licence

Licensed under the MIT Licence.

alphagov.verify-eidas-trust-anchor's People

Contributors

charlesic avatar dbes-gds avatar felixmarcusmillne avatar galund avatar hugh-emerson avatar jhjava avatar kerrr avatar krenair avatar minhngocd avatar philandstuff avatar rhowe-gds avatar richardtowers avatar simonwo avatar tlwr avatar vixus0 avatar wynndow avatar yanco3a avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.