This repo contains an implementation of an eIDAS Bridge Library in Python with a demo and unit tests.
An eIDAS Bridge links the European trust and legal framework named eIDAS (electronic IDentification, Authentication and trust Services) with the Self-Sovereign Identification (SSI) global trust framework, which is based on Decentralized IDentifiers, or DIDs.
- Run eIDAS Bridge Web Docker Demo
- Other Running and Test Methods
- eIDAS Bridge Library Calls
- Requisites
## Run eIDAS Bridge Web Docker Demo

Move to the base directory (example: `test-eidas-bridge`):

```
$ cd test-eidas-bridge
```
Clone the repository and move to the project directory:

```
$ git clone https://github.com/validatedid/eidas-bridge
$ cd eidas-bridge
```
Execute a script to build and run the dockerized eIDAS Bridge library:
- On *nix style computers:

```
$ ./scripts/build_and_run_docker
```

- On Windows style computers, from a PowerShell prompt:

```
PS ~\eidas-bridge> bash .\scripts\build_and_run_docker
```
This docker demo exposes a web server that runs the web demo and a second server that gives direct access to the eIDAS Bridge Swagger API:
- eIDAS Bridge Web demo on http://localhost:8080/university_backend/
- eIDAS Bridge Swagger API on http://localhost:5002/

Open your browser at http://localhost:8080/university_backend/ to interact with the eIDAS Bridge Web Demo, or at http://localhost:5002/ to interact with the eIDAS Bridge Swagger API.

To stop the demo and the docker container, just press Ctrl+C in the same terminal where you executed the script.

If you want to use the demo again, there is no need to rebuild the docker image; just execute another script to start the already built container:

```
$ ./scripts/start_docker
```
## Other Running and Test Methods

Move to the base directory (example: `test-eidas-bridge`):

```
$ cd test-eidas-bridge
```
Clone the repository and move to the project directory:

```
$ git clone https://github.com/validatedid/eidas-bridge
$ cd eidas-bridge
```
Create and activate a Python virtual environment:

```
$ python3 -m venv env
$ source env/bin/activate
```

Install the dependencies and the library into the virtual environment:

```
$ pip install -e .
```

If you want to test the demo, install the required `requests` library and execute `eidas_demo.py`:

```
$ pip install requests
$ python demo/eidas_demo.py
```
Following the previous instructions, the repository should already be cloned and the current directory should be `eidas-bridge`.
Required Python packages:
- Pytest
- Requests

```
$ pip install pytest requests
$ pytest
```
Implementation of a demo that exposes a RESTful Open API / Swagger style interface to call the eIDAS Bridge Library in Python.
Following the previous instructions, the repository should already be cloned and the current directory should be `eidas-bridge`.
This demo launches two localhost servers:
- eIDAS Link local data repository on http://localhost:8000
- eIDAS Bridge Swagger API on http://localhost:5002/

Required Python packages:
- Flask
- Flask-RESTPlus

```
$ pip install flask flask-restplus
```

Execute `eidas_bridge_api.py`:

```
$ python demo/eidas_bridge_api.py
```

The Swagger API calls will be located at http://localhost:5002 and will expose:
- `/eidas/load-qec`
- `/eidas/service-endpoint`
- `/eidas/get-pubkey`
- `/eidas/sign-credential`
- `/eidas/verify-credential`
## eIDAS Bridge Library Calls

```python
def eidas_load_qec(did, qec, password=None):
```

Imports an eIDAS Qualified Electronic Certificate (QEC) together with its corresponding private key, to be used in further digital signature operations.
The only QEC key format currently supported is Secp256k1.
```python
def eidas_get_service_endpoint(did, service_endpoint) -> str:
```

Constructs the JSON structure that needs to be added to the Service Endpoint section of the Issuer's DID Document.
Receives a DID and the service endpoint where the issuer's eIDAS certificate is stored.
Returns the corresponding JSON to be added to the Service Endpoint section of the Issuer's DID Document:

```json
{
  "id": "did:sov:55GkHamhTU1ZbTbV2ab9DE#eidas",
  "type": "EidasService",
  "serviceEndpoint": "http://service_endpoint.sample/did:sov:55GkHamhTU1ZbTbV2ab9DE/eidas"
}
```
```python
def eidas_get_pubkey(did) -> str:
```

From a given DID, returns the corresponding public key in a JSON struct.
The only cryptographic key format currently supported is Secp256k1.

```json
{
  "publicKeyPem": "-----BEGIN PUBLIC KEY...END PUBLIC KEY-----\n"
}
```
```python
def eidas_sign_credential(credential) -> str:
```

Adds a digital signature, generated with an eIDAS private key, to the given credential.
Returns the corresponding Verifiable Credential.
The only cryptographic key format currently supported is Secp256k1.
```python
def eidas_verify_credential(credential, json_did_document):
```

Verifies that the credential issuer had a valid eIDAS certificate at the moment of issuing the passed credential.
Raises `EIDASProofException` when the signature is not valid.
The current implementation does NOT support DID resolution.
The algorithm executes the following procedure:
- Get the DID from the `credential` and from `did_document` and check that they are the same
- Get the `EidasService` service endpoint from `did_document` to be able to access the Issuer's Identity Hub
- Retrieve the QEC from the Issuer's Identity Hub, check the certificate validity and extract its public key
- Verify the credential signature with the extracted eIDAS public key
- Return `VALID` or raise `EIDASProofException` if the signature is not valid
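The verification procedure above, carried through in Python as an added example that is not part of the eidas-bridge project; it reuses the `EidasService` entry shape shown under `eidas_get_service_endpoint`. The Identity Hub is an in-memory dictionary and the Secp256k1 ECDSA check is replaced by an HMAC stand-in, both assumptions made so the block runs offline.

```python
import hmac
import json
from datetime import datetime, timezone

ISSUER_DID = "did:sov:55GkHamhTU1ZbTbV2ab9DE"
ENDPOINT = "http://service_endpoint.sample/" + ISSUER_DID + "/eidas"
DID_DOCUMENT = {"id": ISSUER_DID, "service": [
    {"id": ISSUER_DID + "#eidas", "type": "EidasService", "serviceEndpoint": ENDPOINT}]}
# Constructed data (DID and service entry follow the README) and a stand-in Identity Hub,
# endpoint -> QEC record. A real hub serves a Secp256k1 certificate; here the key is an HMAC secret.
DEMO_KEY = b"demo-key"
IDENTITY_HUB = {ENDPOINT: {"public_key": DEMO_KEY,
                           "not_before": datetime(2020, 1, 1, tzinfo=timezone.utc),
                           "not_after": datetime(2022, 1, 1, tzinfo=timezone.utc)}}

class EIDASProofException(Exception): pass

def canonical(credential):
    # Bytes covered by the signature: every field except the proof, in a fixed key order.
    body = {k: v for k, v in credential.items() if k != "proof"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def verify_sig(key, data, signature):
    # HMAC stand-in (assumption) for the Secp256k1 ECDSA verification the real library performs.
    return hmac.compare_digest(hmac.new(key, data, "sha256").hexdigest(), signature)

def eidas_verify_credential(credential, did_document, hub=IDENTITY_HUB):
    # 1. The issuer DID in the credential must equal the DID Document's DID.
    if credential["issuer"] != did_document["id"]:
        raise EIDASProofException("issuer DID does not match DID Document")
    # 2. Find the EidasService endpoint that leads to the Issuer's Identity Hub.
    endpoints = [s["serviceEndpoint"] for s in did_document.get("service", [])
                 if s.get("type") == "EidasService"]
    if not endpoints:
        raise EIDASProofException("DID Document has no EidasService entry")
    # 3. Retrieve the QEC and check it was valid at the credential's issuance time.
    qec = hub.get(endpoints[0])
    issued = datetime.fromisoformat(credential["issuanceDate"])
    if qec is None or not qec["not_before"] <= issued <= qec["not_after"]:
        raise EIDASProofException("QEC missing or not valid at issuance time")
    # 4. Verify the signature with the key extracted from the certificate.
    if not verify_sig(qec["public_key"], canonical(credential), credential["proof"]["signature"]):
        raise EIDASProofException("signature not valid")
    return "VALID"

def sample_credential(issued="2021-06-01T00:00:00+00:00"):
    # Constructed credential: the proof is computed over the body and then attached.
    cred = {"issuer": ISSUER_DID, "issuanceDate": issued, "credentialSubject": {"degree": "BSc"}}
    cred["proof"] = {"signature": hmac.new(DEMO_KEY, canonical(cred), "sha256").hexdigest()}
    return cred
```

A tampered field, an issuance date outside the certificate's validity window, or a DID Document for a different DID each raise `EIDASProofException` before `VALID` can be returned.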
## Requisites

- The DID Document needs to be updated with a new public key and service endpoint
- An agent MUST have a storage repository with the capability of exposing a public web service endpoint with access control management (i.e. an Identity Hub)
- The issuer backoffice MUST have an eIDAS certificate generated with the following elliptic curve: Secp256k1