Merge pull request #29 from niscy-eudiw/branch-preprod
Update to latest preprod version
pinamiranda authored Jun 28, 2024
2 parents 40ffe02 + 67a102a commit a9b1047
Showing 119 changed files with 6,545 additions and 13,557 deletions.
1 change: 0 additions & 1 deletion .github/CODEOWNERS

This file was deleted.
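
Review bot: Deleting .github/CODEOWNERS removes the reviewer mapping that branch protection uses to require owner approval on protected paths, and the commit message ("Update to latest preprod version") does not say whether that is intended. If code-owner review is still expected on this repository, restore the file; if ownership is now enforced elsewhere, say where in the PR description.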

29 changes: 0 additions & 29 deletions .github/workflows/dependencycheck.yml

This file was deleted.
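
Review bot: Removing .github/workflows/dependencycheck.yml drops the dependency-vulnerability scan from CI with no replacement visible in this commit, so a vulnerable transitive dependency no longer fails the build. If the scan has moved to another workflow or an organisation-level pipeline, reference it in the commit message; otherwise keep the workflow.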

27 changes: 0 additions & 27 deletions .github/workflows/gitleaks.yml

This file was deleted.
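
Review bot: Removing .github/workflows/gitleaks.yml means a secret committed by mistake is no longer caught in CI, which matters more now that this same merge adds app/app_config/config_secrets.py to .gitignore: an ignore rule only prevents future adds of that one path, while a secret scanner also flags a credential pasted into any other file or already present in history. Keep the scan or name its replacement.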

62 changes: 0 additions & 62 deletions .github/workflows/sonar.yml

This file was deleted.
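
Review bot: Removing .github/workflows/sonar.yml takes static analysis out of the pipeline, and together with the dependency-check, gitleaks and CODEOWNERS deletions above it leaves the repository with none of the automated gates it had before this merge. A one-line rationale in the PR would let a reviewer confirm the removal is deliberate rather than a side effect of syncing from the preprod branch.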

1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -5,6 +5,7 @@ app/certs/PID-DS-0001_EE.pem
app/certs/PID-DS-0001_EU.pem
app/certs/PID-DS-0001_PT.pem
app/certs/PID-DS-0001_UT.pem
app/app_config/config_secrets.py
flask_session/
nohup.out
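
Review bot: Adding app/app_config/config_secrets.py to .gitignore only stops future `git add` calls; it does not untrack a file that is already committed. Check with `git ls-files app/app_config/config_secrets.py` and, if it is listed, remove it with `git rm --cached` and rotate whatever it held, since the value stays in history. Consider also committing a placeholder such as `config_secrets.py.example` (name suggested here, not present in the diff) so a fresh clone knows which keys the module must define, and point install.md at it.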

86 changes: 42 additions & 44 deletions README.md
@@ -1,72 +1,70 @@
# EUDIW issuer

:heavy_exclamation_mark: **Important!** Before you proceed, please read
the [EUDI Wallet Reference Implementation project description](https://github.com/eu-digital-identity-wallet/.github/blob/main/profile/reference-implementation.md)
# EUDIW Issuer

[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0)


The EUDIW issuer implements the PID and mDL provider backend (as defined in the issuing-mdl and issuing-pid repositories) and includes the functionalities of the following components:
### Overview

The EUDIW Issuer is an implementation of the PID and (Q)EAA Provider service, supporting the OpenId4VCI (draft 13) protocol.

| Component | API Documentation |
|----------|-------------|
| PID/mDL OID4VCI with dynamic registration | [API](api_docs/pid_oidc_auth.md) |
| PID/mDL OID4VCI without dynamic registration | [API](api_docs/pid_oidc_no_auth.md) |
| CBOR Formatter | [API](api_docs/cbor_formatter.md) |
| SD-JWT VC Formatter | |
| Document Signer | |
The service provides, by default, support for `mso_mdoc` and `SD-JWT-VC`formats, for the following credentials:


## 1. Installation
| Credential/Attestation | Format |
|------------------------|-----------|
| PID | mso_mdoc |
| PID | SD-JWT-VC |
| mDL | mso_mdoc |
| mDL | SD-JWT-VC |
| (Q)EAA age-over-18 pseudonym | mso_mdoc |
| (Q)EAA loyalty card | mso_mdoc |

Pre-requisites:
For authenticating the user, it requires the use of eIDAS node, OAUTH2 server or a simple form (for testing purposes).

+ Python v. 3.10 or higher
+ Flask v. 2.3 or higher

Click [here](install.md) for detailed installation instructions.
### OpenId4VCI coverage

This version of the EUDIW Issuer supports the [OpenId for Verifiable Credential Issuance (draft 13)](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html) protocol with the following coverage:

## 2. Run

After installation, on the root directory of the clone repository, insert the following command line to run the eudiw-issuer application.
Examples:
| Feature | Coverage |
|-------------------------------------------------------------------|-----------------------------------------------------------------|
| [Authorization Code flow](api_docs/authorization.md) | ✅ Support for PAR, PKCE, credential configuration id, scope |
| [Pre-authorized code flow](api_docs/pre-authorized.md) ||
| Dynamic Credential Request ||
| mso_mdoc format ||
| SD-JWT-VC format ||
| W3C VC DM ||
| [Token Endpoint](api_docs/token.md) ||
| [Credential Offer](api_docs/credential_offer.md) |`authorization_code` , ✅ `pre-authorized_code` |
| [Credential Endpoint](api_docs/credential.md) | ✅ Including proofs and repeatable invocations |
| Credential Issuer MetaData ||
| [Batch Endpoint](api_docs/batch_credential.md) ||
| [Deferred Endpoint](api_docs/deferred.md) ||
| Proof | ✅ JWT, ✅ CWT |
| [Notification Endpoint](api_docs/notification.md) ||

+ Linux/macOS/Windows (on <http://127.0.0.1:5000>)

```
flask --app app run
```
You can use the EUDIW Issuer at https://issuer.eudiw.dev/, or install it locally.

+ Linux/macOS/Windows (on <http://127.0.0.1:5000> with flag debug)
## 1. Installation

```
flask --app app run --debug
```
Pre-requisites:

+ Linux/macOS/Windows (on <http://127.0.0.1:4430> with flag debug, using ssl and defining the port)
+ Python v. 3.10 or higher
+ Flask v. 2.3 or higher

Click [here](install.md) for detailed installation instructions.

```
flask --app app run --debug --cert=app/certs/certHttps.pem --key=app/certs/key.pem --host=127.0.0.1 --port=4430
```

## 2. Run

-----
Click [here](install.md) for detailed instructions.

## Disclaimer

The released software is a initial development release version:
- The initial development release is an early endeavor reflecting the efforts of a short timeboxed period, and by no means can be considered as the final product.
- The initial development release may be changed substantially over time, might introduce new features but also may change or remove existing ones, potentially breaking compatibility with your existing code.
- The initial development release is limited in functional scope.
- The initial development release may contain errors or design flaws and other problems that could cause system or other failures and data loss.
- The initial development release has reduced security, privacy, availability, and reliability standards relative to future releases. This could make the software slower, less reliable, or more vulnerable to attacks than mature software.
- The initial development release is not yet comprehensively documented.
- Users of the software must perform sufficient engineering and additional testing in order to properly evaluate their application and determine whether any of the open-sourced components is suitable for use in that application.
- We strongly recommend to not put this version of the software into production use.
- Only the latest version of the software will be supported
## How to add a new credential to the issuer ?

Please see detailed instructions in [api_docs/add_credential.md](api_docs/add_credential.md)

## How to contribute
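
Review bot: The new "## 2. Run" section replaces the three `flask --app app run` invocations (plain, `--debug`, and the TLS variant with `--cert=app/certs/certHttps.pem --key=app/certs/key.pem --port=4430`) with only a link to install.md. That is fine if install.md carries them, but the README no longer tells a reader that the default invocation serves the issuer over plain HTTP on 127.0.0.1:5000, which is worth keeping visible for a credential issuer. Smaller points in the same hunk: "`SD-JWT-VC`formats" is missing a space; "## How to add a new credential to the issuer ?" has a stray space before the question mark; "a initial development release" should read "an initial"; the stray "Examples:" line sits orphaned above the coverage table; and in that table several Coverage cells render empty (`||`) while the Credential Offer row shows `authorization_code` without the ✅ that `pre-authorized_code` carries, so verify the marks survived the edit.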

87 changes: 54 additions & 33 deletions SECURITY.md
@@ -1,42 +1,63 @@
# EU Digital Identity Wallet Vulnerability Disclosure Policy (VDP)

At the European Commission, we treat the security of our Communication and Information Systems as a top priority, in line with Commission Decision EC 2017/46. However, vulnerabilities can never be completely eliminated, despite all efforts. If exploited, such vulnerabilities can harm the confidentiality, integrity or availability of the Commission's systems and of the information processed therein. To identify and remediate vulnerabilities as soon as possible, we value the input of external entities acting in good faith, and we encourage responsible vulnerability research and disclosure. This document sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.
At the European Commission, we treat the security of our Communication and Information Systems as a
top priority, in line with Commission Decision EC 2017/46. However, vulnerabilities can never be
completely eliminated, despite all efforts. If exploited, such vulnerabilities can harm the
confidentiality, integrity or availability of the Commission's systems and of the information
processed therein. To identify and remediate vulnerabilities as soon as possible, we value the input
of external entities acting in good faith, and we encourage responsible vulnerability research and
disclosure. This document sets out our definition of good faith in the context of finding and
reporting vulnerabilities, as well as what you can expect from us in return.

## Scope

- Architecture and Reference Framework
- Source code in [eu-digital-identity-wallet](https://github.com/eu-digital-identity-wallet) public repositories

## If you have identified a vulnerability, please do the following

- E-mail your findings to <[email protected]>, specifying whether or not you agree to your name or pseudonym being made publicly available as the discoverer of the problem.
- Encrypt your findings using our [PGP key](https://pgp.mit.edu/pks/lookup?op=get&search=0x6773AACDF09F6628) to prevent this critical information from falling into the wrong hands.
- Provide us with sufficient information to reproduce the problem so that we can resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation in terms of technical information or potential proof-of-concept code.
- Provide your report in English, preferably, or in any other official language of the European Union.
- Inform us if you agree to make your name/pseudonym publicly available as the discoverer of the vulnerability.
- Source code in [eu-digital-identity-wallet](https://github.com/eu-digital-identity-wallet) public
repositories

## If you have identified a vulnerability, please do the following:

* E-mail your findings to [email protected], specifying whether or not you
agree to your name or pseudonym being made publicly available as the discoverer of the problem.
* Encrypt your findings using
our [PGP key](https://sks.hnet.se/pks/lookup?search=EC-VULNERABILITY-DISCLOSURE%40ec.europa.eu&fingerprint=on&op=index)
to prevent this critical information from falling into the wrong hands.
* Provide us sufficient information to reproduce the problem so that we can resolve it as quickly as
possible. Usually, the IP address or the URL of the affected system and a description of the
vulnerability will be sufficient, but complex vulnerabilities may require further explanation in
terms of technical information or potential proof-of-concept code.
* Provide your report in English, preferably, or in any other official language of the European
Union.
* Inform us if you agree to make your name/pseudonym publicly available as the discoverer of the
vulnerability.

## Please do not do the following

- Do not take advantage of the vulnerability or problem you have discovered, for example, by downloading more data than necessary to demonstrate the vulnerability, deleting, or modifying other people’s data.
- Do not reveal any data downloaded during the discovery to any other parties.
- Do not reveal the problem to others until it has been resolved.
- Do not perform the following actions:
- Placing malware (virus, worm, Trojan horse, etc.) within the system.
- Reading, copying, modifying or deleting data from the system.
- Making changes to the system.
- Repeatedly accessing the system or sharing access with others.
- Using any access obtained to attempt to access other systems.
- Changing access rights for any other users.
- Using automated scanning tools.
- Using the so-called "brute force" of access to the system.
- Using denial-of-service or social engineering (phishing, vishing, spam, etc.).
- Do not use attacks on physical security.

## What we promise

- We will respond to your report within three business days with our evaluation of the report.

- We will handle your report with strict confidentiality.
- Where possible, we will inform you when the vulnerability has been remedied.
- We will process the personal data that you provide (such as your e-mail address and name) in accordance with the applicable data protection legislation and will not pass on your personal details to third parties without your permission.
- In the public information concerning the problem reported, we will publish your name as the discoverer of the problem if you have agreed to this in your initial e-mail
* Do not take advantage of the vulnerability or problem you have discovered, for example by
downloading more data than necessary to demonstrate the vulnerability, deleting, or modifying
other people’s data.
* Do not reveal any data downloaded during the discovery to any other parties.
* Do not reveal the problem to others until it has been resolved.
* Do not perform the following actions:
* Placing malware (virus, worm, Trojan horse, etc.) within the system.
* Reading, copying, modifying or deleting data from the system.
* Making changes to the system.
* Repeatedly accessing the system or sharing access with others.
* Using any access obtained to attempt to access other systems.
* Changing access rights for any other users.
* Using automated scanning tools.
* Using the so-called "brute force" of access to the system.
* Using denial-of-service or social engineering (phishing, vishing, spam etc.).
* Do not use attacks on physical security.

## What we promise:

* We will respond to your report within three business days with our evaluation of the report.
* We will handle your report with strict confidentiality.
* Where possible, we will inform you when the vulnerability has been remedied.
* We will process the personal data that you provide (such as your e-mail address and name) in
accordance with the applicable data protection legislation and will not pass on your personal
details to third parties without your permission.
* In the public information concerning the problem reported, we will publish your name as the
discoverer of the problem if you have agreed to this in your initial e-mail
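
Review bot: The PGP key reference changes from a keyserver lookup by key ID (0x6773AACDF09F6628 on pgp.mit.edu) to a lookup by e-mail address on sks.hnet.se. Traditional HKP/SKS keyservers do not verify that an uploader controls the address they attach to a key, so a search by address can return a key that is not the Commission's, and a reporter following this policy would encrypt their finding to it. State the key's full fingerprint in SECURITY.md (or commit the public key file to the repository) so the keyserver result can be checked before use. Style points: "## What we promise:" gained a trailing colon while "## Please do not do the following" did not, and "(phishing, vishing, spam etc.)" lost the comma before "etc." that the previous text had.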

0 comments on commit a9b1047