European identity schemes each have unique metadata containing their identity providers and public keys. Every metadata file is signed with a country-specific key which allows metadata consumers to trust its authenticity.
We collect certificates for connected European countries into one place and sign them all together with a Verify key.
Our relying parties can trust the collection of certificates because of the GOV.UK Verify certificate, and then trust individual metadata files by using the collection. This signed collection is called the ‘signed trust anchor’.
GOV.UK Verify expresses these anchors as JSON Web Keys (JWK) and serves them signed in compact JSON Web Signature (JWS) format.
This tool can:
- generate trust anchors from a country's certificate
- aggregate many trust anchors together
- sign the aggregated anchors into a full signed trust anchor
Build the tool using gradle.
# For Unix:
./gradlew build
# For Windows:
.\gradlew.bat build
If you make changes, run the tests.
./gradlew test
The build process will produce a JAR artifact which accepts multiple commands. All of the following commands are assumed to be prefixed with:
java -jar verify-trust-anchor.jar ...
All commands by default will output to standard out. You can pass the --output <file> or -o <file> option to output to a file instead.
Generates a country's trust anchor by supplying the location of its metadata and its certificate or multiple certificates if the country has a certificate chain.
... import "https://metadata.example.com/example-country.xml" path/to/signing.crt [path/to/signing_ca.crt [...]]
Aggregates and signs a collection of trust anchors by using a RSA private key supplied by a file. You can specify as many trust anchors as desired, including none.
... sign-with-file --key path/to/private-key.pk8 --cert path/to/public-cert.crt [country1.jwk [country2.jwk [...]]]
Aggregates and signs a collection of trust anchors by using a smartcard (such as a Yubikey) that can be accessed using PKCS11.
... sign-with-smartcard \
--config pkcs11_config.txt \
--key "Private Key alias" \
--cert "Public Certificate alias" \
--password 12345
This requires an external native library, such as OpenSC. The config gile will passed to the PKCS11 provider as configuration. For OpenSC, the correct config file might be:
library = /usr/local/lib/opensc-pkcs11.so
name = opensc
If you think you have discovered a security issue in this code please email disclosure@digital.cabinet-office.gov.uk with details.
For non-security related bugs and feature requests please raise an issue in the GitHub issue tracker.
Licensed under the MIT Licence.