{"id":30754137,"url":"https://github.com/eclipse-xfsc/crypto-provider-service","last_synced_at":"2026-06-04T18:31:25.737Z","repository":{"id":289999730,"uuid":"963958390","full_name":"eclipse-xfsc/crypto-provider-service","owner":"eclipse-xfsc","description":"Crypto Provider service provides REST APIs for creating Verifiable Credentials (VC) and Verifiable Presentations (VP) in the W3C credential format. It also provides more generic endpoints for signing arbitrary data, for adding cryptographic proofs to existing VC/VP and for fetching public keys necessary for signature verification.","archived":false,"fork":false,"pushed_at":"2025-08-19T14:38:41.000Z","size":12911,"stargazers_count":0,"open_issues_count":7,"forks_count":0,"subscribers_count":7,"default_branch":"main","last_synced_at":"2025-08-19T14:43:46.119Z","etag":null,"topics":["crypto","decryption","did","did-configuration","did-document","ec-dsa","encryption","golang","jwks","jwt","pem","random","rsa","signing","tsa","vc","verification","vp","x509"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/eclipse-xfsc.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-04-10T13:25:25.000Z","updated_at":"2025-08-19T14:25:36.000Z","dependencies_parsed_at":"2025-04-26T08:41:14.151Z","dependency_job_id":null,"html_url":"https://github.com/eclipse-xfsc/crypto-provider-service","commit_stats":null,"previous_names":["eclipse-xfsc/crypto-provider-service"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/eclipse-xfsc/crypto-provider-service","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eclipse-xfsc%2Fcrypto-provider-service","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eclipse-xfsc%2Fcrypto-provider-service/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eclipse-xfsc%2Fcrypto-provider-service/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eclipse-xfsc%2Fcrypto-provider-service/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/eclipse-xfsc","download_url":"https://codeload.github.com/eclipse-xfsc/crypto-provider-service/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eclipse-xfsc%2Fcrypto-provider-service/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":273581215,"owners_count":25131393,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-04T02:00:08.968Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["crypto","decryption","did","did-configuration","did-document","ec-dsa","encryption","golang","jwks","jwt","pem","random","rsa","signing","tsa","vc","verification","vp","x509"],"created_at":"2025-09-04T09:05:48.962Z","updated_at":"2026-06-04T18:31:25.732Z","avatar_url":"https://github.com/eclipse-xfsc.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![pipeline status](https://github.com/eclipse-xfsc/crypto-provider-service/badges/main/pipeline.svg)](https://github.com/eclipse-xfsc/crypto-provider-service/-/commits/main)\n[![coverage report](https://github.com/eclipse-xfsc/crypto-provider-service/badges/main/coverage.svg)](https://github.com/eclipse-xfsc/crypto-provider-service/-/commits/main)\n\n# signer\n\nSigner service provides REST API for creating Verifiable Credentials (VC) and\nVerifiable Presentations (VP) in the [W3C 1.0 credential format](https://www.w3.org/TR/vc-data-model/).\nIt also provides more generic endpoints for signing arbitrary data, for adding\ncryptographic proofs to existing VC/VP and for fetching public keys necessary \nfor signature verification.\n\nIt is developed using the [Goa v3](https://goa.design/) framework.\n\n\u003e A helper script named `goagen.sh` can be found inside the root directory of \n\u003e the service. It can be used to generate the transport layer code from the \n\u003e Goa DSL definitions in the [design](./design) directory. The script should \n\u003e be executed everytime the design definitions are updated. It also generates\n\u003e updated OpenAPI documentation from the DSL.\n\n### OpenAPI Documentation\n\n[Swagger Web UI](./gen/http/openapi3.json)\n\nIn the local docker-compose environment a live Swagger UI is exposed at http://localhost:8085/swagger-ui/.\n\n### High-level Overview\n\n```mermaid  \nflowchart LR\n\tA([client]) -- HTTP --\u003e B[crypto service API] \n\tsubgraph crypto service \n\t\tB --GRPC--\u003e  C[GRPC Crypto Engine] \n    C --\u003e D[Vault\\nTransit API] \n\t\tD --\u003e E[(Vault)] \n    C --\u003e F[Local Crypto API] \n    C --\u003e G[HSM API] \n    G --\u003e H[(HSM)]\n\tend\n```\n### Formats\n\nThe signer supports linked data proofs and optionally sd-jwt(experimental). Sd-JWT is not yet finally standardized, so the implementation is just an experimental demonstration how to do it. SD- Jwt used the sd-jwt service (https://gitlab.eclipse.org/eclipse/xfsc/common-services/sd-jwt-service). It support also just did:jwk as proof signature.\n\n### Engine Configuration\n\nA engine can be set in the helm chart like: \n\n```\n  engine:\n    image: node-654e3bca7fbeeed18f81d7c7.ps-xaas.io/tsa/crypto-provider-hashicorp-vault-plugin:v2.0.3\n    address: 0.0.0.0:50051\n    pullPolicy: Always\n    env:\n      VAULT_ADRESS: http://vault.vault.svc.cluster.local:8200\n    secretEnv:\n      VAULT_TOKEN: \n        name: vault\n        key: token\n```\n\nIn general the Crypto Engine is configurable over setting the CRYPTO_GRPC_ADDR env for instance to 127.0.0.1:50051.\n\n#### 1. Linked Data Proofs\n\ncan be created by using credential proof route: \n\n```\n{\n    \"namespace\" :\"xyz\",\n    \"group\" : \"xyz\",\n    \"key\":\"test\",\n    \"format\":\"ldp_vc\",\n    \"credential\":{\n  \"@context\": [\n\t\"https://www.w3.org/2018/credentials/v1\",\n\t\"https://w3id.org/security/suites/jws-2020/v1\",\n\t\"https://schema.org\"\n  ],\n  \"credentialSubject\": {\n    \"id\":\"did:jwk:eyJhbGciOiJFUzI1NiIsImNydiI6IlAtMjU2Iiwia3R5IjoiRUMiLCJ4IjoibE01NDNya2xwUUV3T2oyMFowRmdnMUhjMHlkZlhJRU05ckEzRzNSNXdFVSIsInkiOiJvVERYTVNuOWxlMGhrMC1pemFHRUF5OFBxT2pncWUtNWpVMldzbEZBcUw0In0\",\n\t\"testdata\": {\"hello\":\"world\", \"testXY\":\"1234\"}\n  },\n  \"issuanceDate\": \"2022-06-02T17:24:05.032533+03:00\",\n  \"issuer\": \"https://example.com\",\n  \"type\": \"VerifiableCredential\"\n}\n}\n\n```\n\n#### 2. SD-JWT Proof\n\ncan be created by the following structure.DisclosureFrame describes what to be disclosed.  \n\n``` \n{\n    \"namespace\" :\"xyz\",\n    \"group\" : \"xyz\",\n    \"key\":\"test\",\n    \"format\":\"vc+sd-jwt\",\n    \"credential\":{\n  \"@context\": [\n\t\"https://www.w3.org/2018/credentials/v1\",\n\t\"https://w3id.org/security/suites/jws-2020/v1\",\n\t\"https://schema.org\"\n  ],\n  \"credentialSubject\": {\n    \"id\":\"did:jwk:eyJhbGciOiJFUzI1NiIsImNydiI6IlAtMjU2Iiwia3R5IjoiRUMiLCJ4IjoibE01NDNya2xwUUV3T2oyMFowRmdnMUhjMHlkZlhJRU05ckEzRzNSNXdFVSIsInkiOiJvVERYTVNuOWxlMGhrMC1pemFHRUF5OFBxT2pncWUtNWpVMldzbEZBcUw0In0\",\n\t\"testdata\": {\"hello\":\"world\", \"testXY\":\"1234\"}\n  },\n  \"issuanceDate\": \"2022-06-02T17:24:05.032533+03:00\",\n  \"issuer\": \"https://example.com\",\n  \"type\": \"VerifiableCredential\"\n},\n\"DisclosureFrame\": [\"testdata\"]\n}\n\n```\n\n#### Crypto Engines\n\nThe current signer supports multiple crypto engines, which can be loaded from the internal image by setting the var ENGINE_PATH to the availble engine. \n\n### Configuration\n\nThe signer service is configured using the [Configuration File](./internal/config/config.go).\nAll configurations are expected as Environment variables specified in the\nconfiguration file. For managing the configuration data from ENV variables,\n[envconfig library](https://github.com/kelseyhightower/envconfig) is used.\n\n### Hashicorp Vault\n\nThe service uses Hashicorp Vault for crypto operations and storage of key material. The\nVault client is defined as Go interface, so an implementer can provide different \ncrypto engine implementations for crypto operations and key storage.\n\nVault setup is described [here](https://developer.hashicorp.com/vault/docs/install). \nWhen it's up and running, the [Vault Transit Engine](https://developer.hashicorp.com/vault/docs/secrets/transit) \nmust be enabled and at least one asymmetric key should be created inside for use \nby the Signer service. The Vault provides Web UI interface and a terminal CLI \napplication which can be used to manage Vault Engines and keys.\n\n### Signing Key\n\nWhen a client requests a proof or creates a VC, it must specify the name of the transit \nengine, (optionall engine type if no transit engine e.g. kv or transit;kv) and signing key to be used. The key must be of a supported type, as not all key types can be used for generating signatures.\n\n#### Supported key types\n\n\u003e Check out Hashicorp Vault docs for all [supported key types](https://www.vaultproject.io/api-docs/secret/transit#type-1) \n\u003e by Vault Transit Engine. Keep in mind, that not all Vault key types are supported \n\u003e by the Aries framework signature suites and the Signer service (for example RSA). \n\u003e Keys we have tested with are ECDSA and ED25519 for VC/VP, while for signing arbitrary\n\u003e data used for policy bundles signing, all asymmetric key types are supported\n\u003e (including RSA).\n\n### Public Keys\n\nThe service exposes two endpoints for getting public keys - one for getting\na single key by name and the other for getting all possible public keys of\nthe signer service.\n\nThe keys are returned in JWK format and are wrapped in a DID Verification Method\nenvelope, so that the response can be used more easily during DID proofs verification\nprocess. Example key response:\n\n```json\n{\n  \"id\": \"key1\",\n  \"publicKeyJwk\": {\n    \"crv\": \"P-256\",\n    \"kid\": \"key1\",\n    \"kty\": \"EC\",\n    \"x\": \"RTx_2cyYcGVSIRP_826S32BiZxSgnzyXgRYmKP8N2l0\",\n    \"y\": \"unnPzMAnbByBMq2l9WWKsDFE-MDvX6hYhrESsjAaT50\"\n  },\n  \"type\": \"JsonWebKey2020\"\n}\n```\n### Terms of Use\n\nTerms of Use can be appended via Policy. Under the Variable TERMSOFUSE_POLICY can be a policy configured which can return service endpoints which are inserted in the did doc during generation. The policy is called via POST, expects a field tenant and group and must return the following structure: \n\n```\n{\n{\n\t\"result\": [\n\t\t{\n\t\t\t\"id\": \"http://example.com/policies/credential/4\",\n\t\t\t\"profile\": \"http://example.com/profiles/credential\",\n\t\t\t\"type\": \"IssuerPolicy\"\n      ...\n\t\t}\n\t]\n}\n}\n```\n\n\n### DID Document Generation\n\nThe service is able to generate now did documents for a dedicated engine. It lists for a engine all keys in verification methods when the method is called (see open api). The method is [designed](https://github.com/eclipse-xfsc/crypto-provider-service/-/blob/main/design/design.go?ref_type=heads#L156) to be used by load balancer over passing the  X-Headers. Headers: \n\n|Header|Purpose|\n|------|-------|\n|X-namespace| Namespace of the Keys|\n|X-group|Group of the keys, can be empty|\n|X-engine|Type of the Engine, can be kv and/or transit seperated by ; |\n|X-did| DID which shall be used inside of the document as basis id for referencing the keys|\n\nService Endpoint Policy Usage: Under the Variable SERVICE_ENDPOINT can be a policy configured which can return service endpoints which are inserted in the did doc during generation. The policy is called via POST, expects a field did and must return the following structure: \n\n```\n{\n  \"result\":[\n    {\n      \"id\":\"xxxx\",\n      \"type\":\"xxxx\",\n      \"serviceEndpoint\":\"xxxx\"\n    }\n  ]\n}\n```\n\n\n### DID Configuration Generation\n\nThe did configuration is generated according to [W3C Did Configuration Spec](https://identity.foundation/.well-known/resources/did-configuration/) and [designed](https://github.com/eclipse-xfsc/crypto-provider-service/-/blob/main/design/design.go?ref_type=heads#L184) to be used by load balancers over passing the X-Headers. Headers:  \n\n|Header|Purpose|\n|------|-------|\n|X-namespace| Namespace of the Keys|\n|X-group|Group of the keys, can be empty|\n|X-did| DID which shall be used inside of the document as basis id for referencing the keys|\n|X-origin| Origin which shall be proven by the did config e.g. https://example |\n|X-nonce| Nonce for creating the proof on the did config. |\n\n\n### JWKS Document Generation\n\nThe jwks endpoint generates an standard jwk key set output which can be used for open id or other key set purposes. It's also [designed](https://github.com/eclipse-xfsc/crypto-provider-service/-/blob/main/design/design.go?ref_type=heads#L199) to be used over loadbalancers by using x-headers. Headers: \n\n|Header|Purpose|\n|------|-------|\n|X-namespace| Namespace of the Keys|\n|X-group|Group of the keys, can be empty|\n|X-engine|Type of the Engine, can be kv and/or transit seperated by ; |\n\n### Build\n\n#### Goa Build \n\n```\ngoa gen github.com/eclipse-xfsc/crypto-provider-service/design\n```\n\n#### Local binary\nTo make the service binary locally, you can run the following command from the root\ndirectory (you must have [Go](https://go.dev/) installed):\n```shell\ngo build -o signer ./cmd/signer/...\n```\n\n#### Docker image\n\nYou can see the Dockerfile of the service under the [deployment](./deployment) directory.\nThere is one Dockerfile for use during local development with docker-compose and one for\nbuilding an optimized production image: [deployment/docker/Dockerfile](./deployment/docker/Dockerfile).\n\n### Versioning\n\nThere is one global exported variable named `Version` in [`main.go`](https://github.com/eclipse-xfsc/crypto-provider-service/-/blame/main/cmd/signer/main.go?ref_type=heads#L38) \nThis variable is set to the latest tag or commit hash during the build process. You can\nlook in the production Dockerfile to see how the Version is set during build. The version\nis printed in the service log on startup and can be checked to verify which specific version\nof the code is deployed.\n\n\u003e Version should *not* be set or modified manually in the source code.\n\n### VC/VP verification\n\nWhen given a VC/VP for verification, the service checks the validity of the JSON structure\nagainst the included schemas (`context`), and verifies all proofs inside. Additional custom\nverifiers could be written to extend the verification process. Currently, there is one such\nextended verification component named `train`. It can be used as an example for how to write\nmore verifications if needed.\n\n#### [TRAIN](https://gitlab.eclipse.org/eclipse/xfsc/train)\n\nExtended verification modules are enabled by a configuration variable and the corresponding\nimplementation. The ENV variable that specifies extended verifiers is named `CREDENTIAL_VERIFIERS`\nand holds comma-separated strings which denote a particular verifier implementation. Inside the\nservice all listed verifiers are constructed and used during the VC verification process.\n```shell\nCREDENTIAL_VERIFIERS=\"train,mynewverifier\"\n```\n\n\u003e Of course, for `mynewverifier` to be a usable option, it must have been implemented inside\n\u003e the service and created when its name is given in the config.\n\nAll extended verifiers implement a common interface and provide two methods.\n```go\ntype Verifier interface {\n\tVerifyCredential(ctx context.Context, vc *verifiable.Credential) error\n\tVerifyPresentation(ctx context.Context, vp *verifiable.Presentation) error\n}\n```\n\n### Logging\n\nThe service outputs all logs to `stdout` as defined by the best practices in the Cloud Native\ncommunity. See here for more details [12 Factor App](https://12factor.net/logs).\nFrom there logs could be processed as needed in the specific running environment.\nThe standard log levels are `[debug,info,warn,error,fatal`] and `info` is the default level.\nIf you want to set another log level, use the ENV configuration variable `LOG_LEVEL` to set it.\n\n### Dependencies and Vendor\n\nThe project uses Go modules for managing dependencies and we commit the vendor directory.\nWhen you add/change dependencies, be sure to clean and update the vendor directory before\nsubmitting your Merge Request for review.\n\n```shell\ngo mod tidy\ngo mod vendor\n```\n\n### Tests and Linters\n\nTo execute the units tests for the service go to the root project directory and run:\n\n```shell\ngo test -race $(go list ./... | grep -v /integration)\n```\n\nTo run the linters go to the root project directory and run:\n```shell\ngolangci-lint run\n```\n\n### Integration Tests\n\nIntegration tests are inside the [integration](./integration) directory.\nThe only configuration option they need is the base URL of the signer service.\nIt must be specified in the `SIGNER_ADDR` environment variable. \nThe tests can be executed against different environments by setting the\nvalue for `SIGNER_ADDR`.\n\n```shell\nSIGNER_ADDR=https://{{SIGNER_ADDRESS}} go test\n```\n\n\u003e Note: these tests are not executed in the CI pipeline currently.\n\n## Dependencies\n\n[Dependencies](go.mod)\n\n## Deployment\n\n### Helm\n\n[Link to Helm README](deployment/helm/README.md)\n\n## License\n\n[Apache 2.0 license](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feclipse-xfsc%2Fcrypto-provider-service","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feclipse-xfsc%2Fcrypto-provider-service","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feclipse-xfsc%2Fcrypto-provider-service/lists"}