nuts-foundation/go-didx509-toolkit

Golang did:x509 and X509Credential Toolkit

Description

This is a Golang-based toolkit for creating did:x509 DIDs and X509Credentials. An X509Credential can be used to present the identity information contained in the did:x509 DID as a Verifiable Credential.

Its original purpose is to create Verifiable Credentials from certificates issued by the UZI certificate chain from the CIBG registry.

Features

Creating did:x509 DIDs

The toolkit creates did:x509 DIDs as specified by https://trustoverip.github.io/tswg-did-x509-method-specification/. It extends this DID method specification by adding support for the san:otherName field in the certificate (required by the CIBG UZI certificate use case).
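The following is an added example (not code from this toolkit) of what the did:x509 specification asks for: the CA fingerprint is SHA-256 over the CA certificate's DER bytes, base64url-encoded without padding, and each policy value is percent-encoded so it cannot collide with the ":" and "::" separators. It builds a "subject" policy from a leaf subject name; the san:otherName extension this toolkit adds is not shown. The function names, the attribute order in the subject policy and the use of uppercase hex in percent-encoding are this example's own choices.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// caFingerprint computes the did:x509 "sha256" fingerprint: SHA-256 over the
// CA certificate's DER bytes, base64url-encoded without padding.
func caFingerprint(caDER []byte) string {
	sum := sha256.Sum256(caDER)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// percentEncode escapes a policy value so it cannot collide with the ':' and
// '::' separators of the DID. Only RFC 3986 unreserved characters are kept;
// everything else becomes %XX (uppercase hex is this example's choice).
func percentEncode(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		switch {
		case c >= 'A' && c <= 'Z', c >= 'a' && c <= 'z', c >= '0' && c <= '9',
			c == '-', c == '.', c == '_', c == '~':
			b.WriteByte(c)
		default:
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// subjectPolicy renders a "subject" policy from a leaf certificate's subject
// name. The attribute order (C, ST, L, O, OU, CN) is this example's choice.
func subjectPolicy(name pkix.Name) string {
	parts := []string{"subject"}
	add := func(key string, values []string) {
		for _, v := range values {
			parts = append(parts, key, percentEncode(v))
		}
	}
	add("C", name.Country)
	add("ST", name.Province)
	add("L", name.Locality)
	add("O", name.Organization)
	add("OU", name.OrganizationalUnit)
	if name.CommonName != "" {
		add("CN", []string{name.CommonName})
	}
	return strings.Join(parts, ":")
}

// didX509 assembles the DID: method prefix and version, fingerprint algorithm
// and value, then one or more policies separated by "::".
func didX509(caDER []byte, policies ...string) string {
	return "did:x509:0:sha256:" + caFingerprint(caDER) + "::" + strings.Join(policies, "::")
}

func main() {
	// Constructed in-memory self-signed CA; no real UZI/CIBG material is used.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Fake Root CA"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	// Subject of a hypothetical leaf certificate issued under that CA.
	leaf := pkix.Name{Country: []string{"NL"}, Organization: []string{"Example Care Provider"}, CommonName: "Example Signer"}
	fmt.Println(didX509(caDER, subjectPolicy(leaf)))
}
```

Because the fingerprint covers the whole DER encoding, re-issuing the CA certificate (even with the same key) yields a different DID; anyone resolving the DID must have the exact CA certificate the fingerprint was taken from.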

Issuing X509Credentials

The primary use of this toolkit is self-issuing X509Credentials through a did:x509 DID, backed by an X.509 certificate. To issue an X509Credential, provide the following parameters:

  • certificate_file: PEM file containing the full certificate chain.
  • ca_fingerprint_dn: the DN of the certificate in the chain that should be used as ca-fingerprint. It must be one of the intermediate CAs or the root CA. If the DN does not match any of them, the tool prints the DNs of the certificates in the chain.
  • signing_key_file: the unencrypted PEM file of the private key used for signing.
  • credential_subject: the ID of the credential subject, typically a DID.

Usage:

./issuer vc <certificate_file> <signing_key_file> <ca_fingerprint_dn> <credential_subject>

Example:

./issuer vc certificate-chain.pem key.pem "CN=Fake Root CA" did:web:example.com

Using Docker (given your PEM files are in a directory called certs):

docker run --rm -v "$(pwd)/certs:/certs" nutsfoundation/go-didx509-toolkit:main \
  vc /certs/certificate-chain.pem /certs/key.pem "CN=Fake Root CA" did:web:example.com

Azure Key Vault Integration

You can sign using a key stored in Azure Key Vault by specifying the key URL instead of a local file as signing_key_file. The URL may include a version, e.g.:

  • With version: https://my-key-vault.vault.azure.net/keys/my-certificate/1234567890abcdef1234567890abcdef
  • Without version: https://my-key-vault.vault.azure.net/keys/my-certificate

Common errors

  • failed to find path from signingCert to root: This error indicates that the certificate chain provided does not contain a valid path to a root CA. Ensure that the certificate chain is complete and includes all necessary intermediate certificates.
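The added example below (not the toolkit's own code) shows the two steps behind the certificate_file and ca_fingerprint_dn parameters described under "Issuing X509Credentials" and the path check behind this error: it parses a PEM chain (leaf first), selects the CA certificate by DN and reports the available DNs on a miss, then verifies that the leaf actually chains to the selected CA through the remaining certificates. Function names are hypothetical, DNs are compared in the string form Go's pkix.Name produces (an assumption; the toolkit's own comparison rules are not documented here), and the root/intermediate/leaf chain is constructed in memory as sample input.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// parseChain decodes every CERTIFICATE block of a PEM bundle in file order;
// the leaf (signing certificate) is expected first.
func parseChain(pemBytes []byte) ([]*x509.Certificate, error) {
	var chain []*x509.Certificate
	for {
		var block *pem.Block
		block, pemBytes = pem.Decode(pemBytes)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		chain = append(chain, cert)
	}
	if len(chain) == 0 {
		return nil, fmt.Errorf("no CERTIFICATE blocks in PEM input")
	}
	return chain, nil
}

// selectCA picks the CA certificate whose subject DN equals dn (Go's RFC 2253
// string form, an assumption of this example). It also returns every DN seen,
// so a caller can list the candidates when nothing matches.
func selectCA(chain []*x509.Certificate, dn string) (*x509.Certificate, []string, error) {
	var seen []string
	for _, c := range chain {
		seen = append(seen, c.Subject.String())
		if c.IsCA && c.Subject.String() == dn {
			return c, seen, nil
		}
	}
	return nil, seen, fmt.Errorf("no CA certificate with DN %q in chain; candidates: %v", dn, seen)
}

// verifyPath checks that the leaf (chain[0]) chains up to the selected CA
// through the other chain certificates. A failure here is what the
// "failed to find path from signingCert to root" error describes: an
// intermediate is missing or expired, or does not link the leaf and the CA.
func verifyPath(chain []*x509.Certificate, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	inters := x509.NewCertPool()
	for _, c := range chain[1:] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// buildTestChain constructs an in-memory root -> intermediate -> leaf chain
// (no real UZI/CIBG material) and returns it PEM-encoded, leaf first.
func buildTestChain() ([]byte, error) {
	specs := []struct {
		cn   string
		isCA bool
	}{{"Fake Root CA", true}, {"Fake Intermediate CA", true}, {"Example Signer", false}}
	var certs []*x509.Certificate
	var parent *x509.Certificate
	var parentKey *rsa.PrivateKey
	for i, s := range specs {
		key, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return nil, err
		}
		tmpl := &x509.Certificate{
			SerialNumber:          big.NewInt(int64(i + 1)),
			Subject:               pkix.Name{CommonName: s.cn},
			NotBefore:             time.Now().Add(-time.Hour),
			NotAfter:              time.Now().Add(24 * time.Hour),
			IsCA:                  s.isCA,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageDigitalSignature,
		}
		if s.isCA {
			tmpl.KeyUsage |= x509.KeyUsageCertSign
		}
		if parent == nil { // the root signs itself
			parent, parentKey = tmpl, key
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
		if err != nil {
			return nil, err
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		certs = append(certs, cert)
		parent, parentKey = cert, key
	}
	var out []byte
	for i := len(certs) - 1; i >= 0; i-- { // leaf first, as certificate_file expects
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certs[i].Raw})...)
	}
	return out, nil
}

func main() {
	pemChain, err := buildTestChain()
	if err != nil {
		panic(err)
	}
	chain, _ := parseChain(pemChain)
	ca, seen, err := selectCA(chain, "CN=Fake Intermediate CA")
	if err != nil {
		panic(fmt.Sprint(err, seen))
	}
	fmt.Println("path check:", verifyPath(chain, ca)) // prints "path check: <nil>"
}
```

Selecting an intermediate as the ca-fingerprint anchor works because the verifier treats whatever is in the Roots pool as a trust anchor; the chain must still contain every certificate between the leaf and that anchor, which is exactly what the error above complains about when one is missing.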

Limitations

Only RSA keys are supported at the moment.

Contributing

We welcome contributions! To contribute:

  1. Fork the repository.
  2. Create a new branch (git checkout -b feature-branch).
  3. Make your changes.
  4. Commit your changes (git commit -am 'Add new feature').
  5. Push to the branch (git push origin feature-branch).
  6. Create a new Pull Request.

Please ensure your code follows the project's coding conventions and passes all tests.

License

This project is licensed under the GPLv3 License. See the LICENSE file for details.

About

Toolkit for issuing Verifiable Credentials (X509Credential) based on X.509 certificates