import "github.com/privacybydesign/irmago"
Package irma contains generic IRMA strucs and logic of use to all IRMA participants. It parses irma_configuration folders to scheme managers, issuers, credential types and public keys; it contains various messages from the IRMA protocol; it parses IRMA metadata attributes; and it contains attribute and credential verification logic.
attributes.go credinfo.go descriptions.go identifiers.go irma_signature.go irmaconfig.go keyring.go legacy.go messages.go requests.go revocation.go revocation_db.go schemes.go timestamp.go transport.go verify.go version.go
const (
MinVersionHeader = "X-IRMA-MinProtocolVersion"
MaxVersionHeader = "X-IRMA-MaxProtocolVersion"
)const (
StatusConnected = Status("connected")
StatusCommunicating = Status("communicating")
StatusManualStarted = Status("manualStarted")
)Statuses
const (
ActionDisclosing = Action("disclosing")
ActionSigning = Action("signing")
ActionIssuing = Action("issuing")
ActionRedirect = Action("redirect")
ActionRevoking = Action("revoking")
ActionUnknown = Action("unknown")
)Actions
const (
// Protocol version not supported
ErrorProtocolVersionNotSupported = ErrorType("protocolVersionNotSupported")
// Error in HTTP communication
ErrorTransport = ErrorType("transport")
// HTTPS required
ErrorHTTPS = ErrorType("https")
// Invalid client JWT in first IRMA message
ErrorInvalidJWT = ErrorType("invalidJwt")
// Unkown session type (not disclosing, signing, or issuing)
ErrorUnknownAction = ErrorType("unknownAction")
// Crypto error during calculation of our response (second IRMA message)
ErrorCrypto = ErrorType("crypto")
// Error involving revocation or nonrevocation proofs
ErrorRevocation = ErrorType("revocation")
// Server rejected our response (second IRMA message)
ErrorRejected = ErrorType("rejected")
// (De)serializing of a message failed
ErrorSerialization = ErrorType("serialization")
// Error in keyshare protocol
= ErrorType("keyshare")
// The user is not enrolled at one of the keyshare servers needed for the request
= ErrorType("keyshareUnenrolled")
// API server error
ErrorApi = ErrorType("api")
// Server returned unexpected or malformed response
ErrorServerResponse = ErrorType("serverResponse")
// Credential type not present in our Configuration
ErrorUnknownIdentifier = ErrorType("unknownIdentifier")
// Non-optional attribute not present in credential
ErrorRequiredAttributeMissing = ErrorType("requiredAttributeMissing")
// Error during downloading of credential type, issuer, or public keys
ErrorConfigurationDownload = ErrorType("configurationDownload")
// IRMA requests refers to unknown scheme manager
ErrorUnknownSchemeManager = ErrorType("unknownSchemeManager")
// A session is requested involving a scheme manager that has some problem
ErrorInvalidSchemeManager = ErrorType("invalidSchemeManager")
// Invalid session request
ErrorInvalidRequest = ErrorType("invalidRequest")
// Recovered panic
ErrorPanic = ErrorType("panic")
// Error involving random blind attributes
ErrorRandomBlind = ErrorType("randomblind")
)Protocol errors
const (
LDContextDisclosureRequest = "https://irma.app/ld/request/disclosure/v2"
LDContextSignatureRequest = "https://irma.app/ld/request/signature/v2"
LDContextIssuanceRequest = "https://irma.app/ld/request/issuance/v2"
LDContextRevocationRequest = "https://irma.app/ld/request/revocation/v1"
DefaultJwtValidity = 120
)const (
SchemeManagerStatusValid = SchemeManagerStatus("Valid")
SchemeManagerStatusUnprocessed = SchemeManagerStatus("Unprocessed")
SchemeManagerStatusInvalidIndex = SchemeManagerStatus("InvalidIndex")
SchemeManagerStatusInvalidSignature = SchemeManagerStatus("InvalidSignature")
SchemeManagerStatusParsingError = SchemeManagerStatus("ParsingError")
SchemeManagerStatusContentParsingError = SchemeManagerStatus("ContentParsingError")
SchemeTypeIssuer = SchemeType("issuer")
SchemeTypeRequestor = SchemeType("requestor")
)const (
ProofStatusValid = ProofStatus("VALID") // Proof is valid
ProofStatusInvalid = ProofStatus("INVALID") // Proof is invalid
ProofStatusInvalidTimestamp = ProofStatus("INVALID_TIMESTAMP") // Attribute-based signature had invalid timestamp
ProofStatusUnmatchedRequest = ProofStatus("UNMATCHED_REQUEST") // Proof does not correspond to a specified request
ProofStatusMissingAttributes = ProofStatus("MISSING_ATTRIBUTES") // Proof does not contain all requested attributes
ProofStatusExpired = ProofStatus("EXPIRED") // Attributes were expired at proof creation time (now, or according to timestamp in case of abs)
AttributeProofStatusPresent = AttributeProofStatus("PRESENT") // Attribute is disclosed and matches the value
AttributeProofStatusExtra = AttributeProofStatus("EXTRA") // Attribute is disclosed, but wasn't requested in request
AttributeProofStatusNull = AttributeProofStatus("NULL") // Attribute is disclosed but is null
)const (
// ExpiryFactor is the precision for the expiry attribute. Value is one week.
ExpiryFactor = 60 * 60 * 24 * 7
)const LDContextSignedMessage = "https://irma.app/ld/signature/v2"const Version = "0.6.1"Version of the IRMA command line and libraries
var (
ErrRevocationStateNotFound = errors.New("revocation state not found")
ErrUnknownRevocationKey = errors.New("unknown revocationKey")
ErrorUnknownCredentialType = errors.New("unknown credential type")
)var DefaultSchemes = [2]SchemePointer{ { URL: "https://privacybydesign.foundation/schememanager/irma-demo", Publickey: []byte("" /* 179 byte string literal not displayed */), }, { URL: "https://privacybydesign.foundation/schememanager/pbdf", Publickey: []byte("" /* 179 byte string literal not displayed */), }, }
var (
ErrMissingPrivateKey = fmt.Errorf("issuer private key not found: %w", os.ErrNotExist)
)Logger is used for logging. If not set, init() will initialize it to logrus.StandardLogger().
var RevocationParameters = struct { // DefaultUpdateEventCount specifies how many revocation events are attached to session requests // for the client to update its revocation state. DefaultUpdateEventCount uint64 // RequestorUpdateInterval is the time period in minutes for requestor servers // updating their revocation state at th RA. RequestorUpdateInterval uint64 // DefaultTolerance is the default tolerance in seconds: nonrevocation should be proved // by clients up to maximally this amount of seconds ago at verification time. If not, the // server will report the time up until nonrevocation of the attribute is guaranteed to the requestor. DefaultTolerance uint64 // If server mode is enabled for a credential type, then once every so many seconds // the timestamp in each accumulator is updated to now. AccumulatorUpdateInterval uint64 // DELETE issuance records of expired credential every so many minutes DeleteIssuanceRecordsInterval uint64 // ClientUpdateInterval is the time interval with which the irmaclient periodically // retrieves a revocation update from the RA and updates its revocation state with a small but // increasing probability. ClientUpdateInterval uint64 // ClientDefaultUpdateSpeed is the amount of time in hours after which it becomes very likely // that the app will update its witness, quickly after it has been opened. ClientDefaultUpdateSpeed uint64 // ClientUpdateTimeout is the amount of time in milliseconds that the irmaclient waits // for nonrevocation witness updating to complete, before it continues with the session even // if updating is not yet done (in which case the candidate set computed by the client // may contain credentials that were revoked by one of the requestor's update messages). ClientUpdateTimeout uint64 // Cache-control: max-age HTTP return header (in seconds) EventsCacheMaxAge uint64 UpdateMinCount uint64 UpdateMaxCount uint64 UpdateMinCountPower int UpdateMaxCountPower int }{ RequestorUpdateInterval: 10, DefaultTolerance: 10 * 60, AccumulatorUpdateInterval: 60, DeleteIssuanceRecordsInterval: 5 * 60, ClientUpdateInterval: 10, ClientDefaultUpdateSpeed: 7 * 24, ClientUpdateTimeout: 1000, UpdateMinCountPower: 4, UpdateMaxCountPower: 9, EventsCacheMaxAge: 60 * 60, }
RevocationParameters contains global revocation constants and default values.
ASN1ConvertSignatureNonce computes the nonce that is used in the creation of the attribute-based signature:
nonce = SHA256(serverNonce, SHA256(message), timestampSignature)
where serverNonce is the nonce sent by the signature requestor.
DefaultDataPath returns the default storage path for IRMA, using XDG Base Directory Specification https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html:
- %LOCALAPPDATA% (i.e. C:\Users\$user\AppData\Local) if on Windows, - $XDG_DATA_HOME if set, otherwise $HOME/.local/share - $XDG_DATA_DIRS if set, otherwise /usr/local/share/ and /usr/share/ - then the OSes temp dir (os.TempDir()),
returning the first of these that exists or can be created.
DefaultSchemesPath returns the default storage path for irma_configuration, namely DefaultDataPath + "/irma_configuration"
FloorToEpochBoundary returns the greatest time not greater than the argument that falls on the boundary of an epoch for attribute validity or expiry, of which the value is defined by ExpiryFactor (one week).
func GetMetadataVersion(v *ProtocolVersion) byte
GetMetadataVersion maps a chosen protocol version to a metadata version that the server will use.
func GetTimestamp(message string, sigs []*big.Int, disclosed [][]*big.Int, conf *Configuration) (*atum.Timestamp, error)
GetTimestamp GETs a signed timestamp (a signature over the current time and the parameters) over the message to be signed, the randomized signatures over the attributes, and the disclosed attributes, for in attribute-based signature sessions.
func ParseApiServerJwt(inputJwt string, signingKey *rsa.PublicKey) (map[AttributeTypeIdentifier]*DisclosedAttribute, error)
ParseApiServerJwt verifies and parses a JWT as returned by an irma_api_server after a disclosure request into a key-value pair.
func SignRequestorRequest(request RequestorRequest, alg jwt.SigningMethod, key interface{}, name string) (string, error)
func SignSessionRequest(request SessionRequest, alg jwt.SigningMethod, key interface{}, name string) (string, error)
func TimestampRequest(message string, sigs []*big.Int, disclosed [][]*big.Int, new bool, conf *Configuration) ( []byte, string, error)
TimestampRequest computes the nonce to be signed by a timestamp server, given a message to be signed in an attribute-based signature session along with the randomized signatures over the attributes and the disclosed attributes. The url of the timestamp server that should be used to validate the request is returned as the second return value.
UnmarshalValidate json.Unmarshal's data, and validates it using the Validate() method if dest implements the Validator interface.
type AccumulatorRecord struct {
CredType CredentialTypeIdentifier `gorm:"primary_key"`
Data signedMessage
PKCounter *uint `gorm:"primary_key;auto_increment:false"`
}Structs corresponding to SQL table rows, ending in Record
func (a *AccumulatorRecord) Convert(id CredentialTypeIdentifier, sacc *revocation.SignedAccumulator) *AccumulatorRecord
func (a *AccumulatorRecord) SignedAccumulator() *revocation.SignedAccumulator
Action encodes the session type of an IRMA session (e.g., disclosing).
type AttributeCon []AttributeRequest
An AttributeCon is only satisfied if all of its containing attribute requests are satisfied.
func (c AttributeCon) CredentialTypes() []CredentialTypeIdentifier
CredentialTypes returns an array of all credential types occuring in this conjunction.
func (c AttributeCon) Satisfy(proofs gabi.ProofList, indices []*DisclosedAttributeIndex, revocation map[int]*time.Time, conf *Configuration) (bool, []*DisclosedAttribute, error)
Satisfy returns if each of the attributes specified by proofs and indices satisfies each of the contained AttributeRequests's. If so it also returns a list of the disclosed attribute values.
func (c AttributeCon) Validate() error
type AttributeConDisCon []AttributeDisCon
AttributeConDisCon is only satisfied if all of the containing AttributeDisCon are satisfied.
func (cdc AttributeConDisCon) Iterate(f func(attr *AttributeRequest) error) error
func (cdc AttributeConDisCon) Satisfy(disclosure *Disclosure, revocation map[int]*time.Time, conf *Configuration) (bool, [][]*DisclosedAttribute, error)
Satisfy returns true if each of the contained AttributeDisCon is satisfied by the specified disclosure. If so it also returns the disclosed attributes.
func (cdc AttributeConDisCon) Validate(conf *Configuration) error
type AttributeDisCon []AttributeCon
An AttributeDisCon is satisfied if at least one of its containing AttributeCon is satisfied.
func (dc AttributeDisCon) Satisfy(proofs gabi.ProofList, indices []*DisclosedAttributeIndex, revocation map[int]*time.Time, conf *Configuration) (bool, []*DisclosedAttribute, error)
Satisfy returns true if the attributes specified by proofs and indices satisfies any one of the contained AttributeCon's. If so it also returns a list of the disclosed attribute values.
func (dc AttributeDisCon) Validate() error
type AttributeIdentifier struct {
Type AttributeTypeIdentifier
CredentialHash string
}AttributeIdentifier identifies an attribute instance.
func (ai *AttributeIdentifier) CredentialIdentifier() CredentialIdentifier
CredentialIdentifier returns the credential identifier of this attribute.
type AttributeList struct {
*MetadataAttribute `json:"-"`
Ints []*big.Int
Revoked bool `json:",omitempty"`
RevocationSupported bool `json:",omitempty"`
// contains filtered or unexported fields
}AttributeList contains attributes, excluding the secret key, providing convenient access to the metadata attribute.
func NewAttributeListFromInts(ints []*big.Int, conf *Configuration) *AttributeList
NewAttributeListFromInts initializes a new AttributeList from a list of bigints.
func (al *AttributeList) Attribute(identifier AttributeTypeIdentifier) TranslatedString
Attribute returns the content of the specified attribute, or nil if not present in this attribute list.
func (attrs *AttributeList) CredentialInfo() *CredentialInfo
func (al *AttributeList) EqualsExceptMetadata(ol *AttributeList) bool
EqualsExceptMetadata checks whether two AttributeLists have the same attribute values. The attribute containing the metadata information is skipped in this check.
func (al *AttributeList) Hash() string
func (al *AttributeList) Info() *CredentialInfo
func (al *AttributeList) Map() map[AttributeTypeIdentifier]TranslatedString
func (al *AttributeList) Strings() []TranslatedString
Strings converts the current instance to human-readable strings.
func (al *AttributeList) UntranslatedAttribute(identifier AttributeTypeIdentifier) *string
UntranslatedAttribute decodes the bigint corresponding to the specified attribute.
Status is the proof status of a single attribute
type AttributeRequest struct {
Type AttributeTypeIdentifier `json:"type"`
Value *string `json:"value,omitempty"`
NotNull bool `json:"notNull,omitempty"`
}An AttributeRequest asks for an instance of an attribute type, possibly requiring it to have a specified value, in a session request.
func NewAttributeRequest(attr string) AttributeRequest
NewAttributeRequest requests the specified attribute.
func (ar *AttributeRequest) MarshalJSON() ([]byte, error)
func (ar *AttributeRequest) Satisfy(attr AttributeTypeIdentifier, val *string) bool
Satisfy indicates whether the given attribute type and value satisfies this AttributeRequest.
func (ar *AttributeRequest) UnmarshalJSON(bts []byte) error
type AttributeType struct {
ID string `xml:"id,attr"`
Optional string `xml:"optional,attr" json:",omitempty"`
Name TranslatedString
Description TranslatedString
RandomBlind bool `xml:"randomblind,attr,optional" json:",omitempty"`
Index int `xml:"-"`
DisplayIndex *int `xml:"displayIndex,attr" json:",omitempty"`
DisplayHint string `xml:"displayHint,attr" json:",omitempty"`
RevocationAttribute bool `xml:"revocation,attr" json:",omitempty"`
// Taken from containing CredentialType
CredentialTypeID string `xml:"-"`
IssuerID string `xml:"-"`
SchemeManagerID string `xml:"-"`
}AttributeType is a description of an attribute within a credential type.
func (ad AttributeType) GetAttributeTypeIdentifier() AttributeTypeIdentifier
func (ad AttributeType) IsOptional() bool
type AttributeTypeIdentifier struct {
// contains filtered or unexported fields
}AttributeTypeIdentifier identifies an attribute. For example "irma-demo.RU.studentCard.studentID".
func NewAttributeTypeIdentifier(id string) AttributeTypeIdentifier
NewAttributeTypeIdentifier converts the specified identifier to a AttributeTypeIdentifier.
func (id AttributeTypeIdentifier) CredentialTypeIdentifier() CredentialTypeIdentifier
CredentialTypeIdentifier returns the CredentialTypeIdentifier of the attribute identifier.
func (id AttributeTypeIdentifier) IsCredential() bool
IsCredential returns true if this attribute refers to its containing credential (i.e., it consists of only 3 parts).
func (id AttributeTypeIdentifier) MarshalText() ([]byte, error)
MarshalText implements encoding.TextMarshaler.
Name returns the last part of this identifier.
Parent returns the parent object of this identifier.
String returns this identifier as a string.
func (id *AttributeTypeIdentifier) UnmarshalText(text []byte) error
UnmarshalText implements encoding.TextUnmarshaler.
type BaseRequest struct {
LDContext string `json:"@context,omitempty"`
// Set by the IRMA server during the session
Context *big.Int `json:"context,omitempty"`
Nonce *big.Int `json:"nonce,omitempty"`
ProtocolVersion *ProtocolVersion `json:"protocolVersion,omitempty"`
// Revocation is set by the requestor to indicate that it requires nonrevocation proofs for the
// specified credential types.
Revocation NonRevocationParameters `json:"revocation,omitempty"`
Type Action `json:"type,omitempty"` // Session type, only used in legacy code
DevelopmentMode bool `json:"devMode,omitempty"`
ClientReturnURL string `json:"clientReturnUrl,omitempty"` // URL to proceed to when IRMA session is completed
// contains filtered or unexported fields
}BaseRequest contains information used by all IRMA session types, such the context and nonce, and revocation information.
func (b *BaseRequest) GetContext() *big.Int
func (b *BaseRequest) Legacy() bool
func (b *BaseRequest) RequestsRevocation(id CredentialTypeIdentifier) bool
RequestsRevocation indicates whether or not the requestor requires a nonrevocation proof for the given credential type; that is, whether or not it included revocation update messages.
func (b *BaseRequest) RevocationSupported() bool
func (b *BaseRequest) Validate(conf *Configuration) error
type Configuration struct {
SchemeManagers map[SchemeManagerIdentifier]*SchemeManager
Issuers map[IssuerIdentifier]*Issuer
CredentialTypes map[CredentialTypeIdentifier]*CredentialType
AttributeTypes map[AttributeTypeIdentifier]*AttributeType
// RequestorScheme data of the currently loaded requestorscheme
RequestorSchemes map[RequestorSchemeIdentifier]*RequestorScheme
Requestors map[string]*RequestorInfo
// DisabledRequestorSchemes keeps track of any error of the requestorscheme if it
// did not parse successfully
DisabledRequestorSchemes map[RequestorSchemeIdentifier]*SchemeManagerError
// DisabledSchemeManagers keeps track of schemes that did not parse succesfully
// (i.e., invalid signature, parsing error), and the problem that occurred when parsing them
DisabledSchemeManagers map[SchemeManagerIdentifier]*SchemeManagerError
// Path to the irma_configuration folder that this instance represents
Path string
PrivateKeys PrivateKeyRing
Revocation *RevocationStorage `json:"-"`
Scheduler *gocron.Scheduler
Warnings []string `json:"-"`
// contains filtered or unexported fields
}Configuration keeps track of schemes, issuers, credential types and public keys, dezerializing them from an irma_configuration folder, and downloads and saves new ones on demand.
func NewConfiguration(path string, opts ConfigurationOptions) (conf *Configuration, err error)
NewConfiguration returns a new configuration. After this ParseFolder() should be called to parse the specified path.
func (conf *Configuration) AddPrivateKeyRing(ring PrivateKeyRing) error
func (conf *Configuration) AutoUpdateSchemes(interval uint)
func (conf *Configuration) ContainsAttributeType(attr AttributeTypeIdentifier) bool
func (conf *Configuration) ContainsCredentialType(cred CredentialTypeIdentifier) bool
ContainsCredentialType checks if the configuration contains the specified credential type.
func (conf *Configuration) DangerousTOFUInstallScheme(url string) error
DangerousTOFUInstallScheme downloads and adds the specified scheme to this Configuration, downloading and trusting its public key from the scheme's remote URL.
func (conf *Configuration) Download(session SessionRequest) (downloaded *IrmaIdentifierSet, err error)
Download downloads the issuers, credential types and public keys specified in set if the current Configuration does not already have them, and checks their authenticity using the scheme index.
func (conf *Configuration) DownloadDefaultSchemes() error
func (conf *Configuration) InstallScheme(url string, publickey []byte) error
InstallSchemeManager downloads and adds the specified scheme to this Configuration, provided its signature is valid against the specified key.
func (conf *Configuration) IsInitialized() bool
IsInitialized indicates whether this instance has successfully been initialized.
func (conf *Configuration) KeyshareServerKeyFunc(scheme SchemeManagerIdentifier) func(t *jwt.Token) (interface{}, error)
KeyshareServerKeyFunc returns a function that returns the public key with which to verify a keyshare server JWT, suitable for passing to jwt.Parse() and jwt.ParseWithClaims().
func (conf *Configuration) KeyshareServerPublicKey(schemeid SchemeManagerIdentifier, i int) (*rsa.PublicKey, error)
KeyshareServerPublicKey returns the i'th public key of the specified scheme.
func (conf *Configuration) ParseFolder() (err error)
ParseFolder populates the current Configuration by parsing the storage path, listing the containing schemes, issuers and credential types.
func (conf *Configuration) ParseOrRestoreFolder() (rerr error)
ParseOrRestoreFolder parses the irma_configuration folder, and when possible attempts to restore any broken schemes from their remote. Any error encountered during parsing is considered recoverable only if it is of type *SchemeManagerError; In this case the scheme in which it occured is downloaded from its remote and re-parsed. If any other error is encountered at any time, it is returned immediately. If no error is returned, parsing and possibly restoring has been succesfull, and there should be no disabled schemes.
func (conf *Configuration) ParseSchemeFolder(dir string) (scheme Scheme, serr error)
func (conf *Configuration) PublicKey(id IssuerIdentifier, counter uint) (*gabi.PublicKey, error)
PublicKey returns the specified public key, or nil if not present in the Configuration.
func (conf *Configuration) PublicKeyIndices(issuerid IssuerIdentifier) (i []uint, err error)
func (conf *Configuration) PublicKeyLatest(id IssuerIdentifier) (*gabi.PublicKey, error)
PublicKeyLatest returns the latest private key of the specified issuer.
func (conf *Configuration) UpdateScheme(scheme Scheme, downloaded *IrmaIdentifierSet) error
UpdateScheme syncs the stored version within the irma_configuration directory with the remote version at the scheme's URL, downloading and storing new and modified files, according to the index files of both versions. It stores the identifiers of new or updated entities in the second parameter.
func (conf *Configuration) UpdateSchemes() error
func (conf *Configuration) ValidateKeys() error
type ConfigurationOptions struct {
Assets string
ReadOnly bool
IgnorePrivateKeys bool
RevocationDBConnStr string
RevocationDBType string
RevocationSettings RevocationSettings
}type CredentialIdentifier struct {
Type CredentialTypeIdentifier
Hash string
}CredentialIdentifier identifies a credential instance.
type CredentialInfo struct {
ID string // e.g., "studentCard"
IssuerID string // e.g., "RU"
SchemeManagerID string // e.g., "irma-demo"
SignedOn Timestamp // Unix timestamp
Expires Timestamp // Unix timestamp
Attributes map[AttributeTypeIdentifier]TranslatedString // Human-readable rendered attributes
Hash string // SHA256 hash over the attributes
Revoked bool // If the credential has been revoked
RevocationSupported bool // If the credential supports creating nonrevocation proofs
}CredentialInfo contains all information of an IRMA credential.
func (ci CredentialInfo) GetCredentialType(conf *Configuration) *CredentialType
func (ci CredentialInfo) IsExpired() bool
Returns true if credential is expired at moment of calling this function
type CredentialInfoList []*CredentialInfo
A CredentialInfoList is a list of credentials (implements sort.Interface).
func (cl CredentialInfoList) Len() int
Len implements sort.Interface.
func (cl CredentialInfoList) Less(i, j int) bool
Less implements sort.Interface.
func (cl CredentialInfoList) Swap(i, j int)
Swap implements sort.Interface.
type CredentialRequest struct {
Validity *Timestamp `json:"validity,omitempty"`
KeyCounter uint `json:"keyCounter,omitempty"`
CredentialTypeID CredentialTypeIdentifier `json:"credential"`
Attributes map[string]string `json:"attributes"`
RevocationKey string `json:"revocationKey,omitempty"`
RevocationSupported bool `json:"revocationSupported,omitempty"`
RandomBlindAttributeTypeIDs []string `json:"randomblindIDs,omitempty"`
}A CredentialRequest contains the attributes and metadata of a credential that will be issued in an IssuanceRequest.
func (cr *CredentialRequest) AttributeList( conf *Configuration, metadataVersion byte, revocationAttr *big.Int, issuedAt time.Time, ) (*AttributeList, error)
AttributeList returns the list of attributes from this credential request.
func (cr *CredentialRequest) Info(conf *Configuration, metadataVersion byte, issuedAt time.Time) (*CredentialInfo, error)
func (cr *CredentialRequest) Validate(conf *Configuration) error
Validate checks that this credential request is consistent with the specified Configuration: the credential type is known, all required attributes are present and no unknown attributes are given.
type CredentialType struct {
ID string `xml:"CredentialID"`
Name TranslatedString `xml:"Name"`
IssuerID string `xml:"IssuerID"`
SchemeManagerID string `xml:"SchemeManager"`
IsSingleton bool `xml:"ShouldBeSingleton"`
DisallowDelete bool `xml:"DisallowDelete"`
Description TranslatedString
AttributeTypes []*AttributeType `xml:"Attributes>Attribute" json:"-"`
RevocationServers []string `xml:"RevocationServers>RevocationServer"`
RevocationUpdateCount uint64
RevocationUpdateSpeed uint64
RevocationIndex int `xml:"-"`
XMLVersion int `xml:"version,attr"`
XMLName xml.Name `xml:"IssueSpecification"`
IssueURL TranslatedString `xml:"IssueURL"`
IsULIssueURL bool `xml:"IsULIssueURL"`
DeprecatedSince Timestamp
ForegroundColor string
BackgroundGradientStart string
BackgroundGradientEnd string
IsInCredentialStore bool
Category TranslatedString
FAQIntro TranslatedString
FAQPurpose TranslatedString
FAQContent TranslatedString
FAQHowto TranslatedString
}CredentialType is a description of a credential type, specifying (a.o.) its name, issuer, and attributes.
func (ct CredentialType) AttributeType(ai AttributeTypeIdentifier) *AttributeType
func (ct *CredentialType) ContainsAttribute(ai AttributeTypeIdentifier) bool
ContainsAttribute tests whether the specified attribute is contained in this credentialtype.
func (ct *CredentialType) Identifier() CredentialTypeIdentifier
Identifier returns the identifier of the specified credential type.
func (ct CredentialType) IndexOf(ai AttributeTypeIdentifier) (int, error)
IndexOf returns the index of the specified attribute if present, or an error (and -1) if not present.
func (ct *CredentialType) IssuerIdentifier() IssuerIdentifier
IssuerIdentifier returns the issuer identifier of the specified credential type.
func (ct *CredentialType) Logo(conf *Configuration) string
func (ct *CredentialType) RandomBlindAttributeIndices() []int
Returns indices of random blind attributes within this credentialtype The indices coincide with indices of an AttributeList (metadataAttribute at index 0)
func (ct *CredentialType) RandomBlindAttributeNames() []string
func (ct *CredentialType) RevocationSupported() bool
func (ct *CredentialType) SchemeManagerIdentifier() SchemeManagerIdentifier
type CredentialTypeIdentifier struct {
// contains filtered or unexported fields
}CredentialTypeIdentifier identifies a credentialtype. For example "irma-demo.RU.studentCard".
func NewCredentialTypeIdentifier(id string) CredentialTypeIdentifier
NewCredentialTypeIdentifier converts the specified identifier to a CredentialTypeIdentifier.
func (id CredentialTypeIdentifier) IssuerIdentifier() IssuerIdentifier
IssuerIdentifier returns the IssuerIdentifier of the credential identifier.
func (id CredentialTypeIdentifier) MarshalText() ([]byte, error)
MarshalText implements encoding.TextMarshaler.
Name returns the last part of this identifier.
Parent returns the parent object of this identifier.
String returns this identifier as a string.
func (id *CredentialTypeIdentifier) UnmarshalText(text []byte) error
UnmarshalText implements encoding.TextUnmarshaler.
type DisclosedAttribute struct {
RawValue *string `json:"rawvalue"`
Value TranslatedString `json:"value"` // Value of the disclosed attribute
Identifier AttributeTypeIdentifier `json:"id"`
Status AttributeProofStatus `json:"status"`
IssuanceTime Timestamp `json:"issuancetime"`
NotRevoked bool `json:"notrevoked,omitempty"`
NotRevokedBefore *Timestamp `json:"notrevokedbefore,omitempty"`
}DisclosedAttribute represents a disclosed attribute.
type DisclosedAttributeIndex struct {
CredentialIndex int `json:"cred"`
AttributeIndex int `json:"attr"`
Identifier CredentialIdentifier `json:"-"` // credential from which this attribute was disclosed
}DisclosedAttributeIndex points to a specific attribute in a gabi.ProofList.
type DisclosedAttributeIndices [][]*DisclosedAttributeIndex
DisclosedAttributeIndices contains, for each conjunction of an attribute disclosure request, a list of attribute indices, pointing to where the disclosed attributes for that conjunction can be found within a gabi.ProofList.
type Disclosure struct {
Proofs gabi.ProofList `json:"proofs"`
Indices DisclosedAttributeIndices `json:"indices"`
}func (d *Disclosure) DisclosedAttributes(configuration *Configuration, condiscon AttributeConDisCon, revtimes map[int]*time.Time) (bool, [][]*DisclosedAttribute, error)
DisclosedAttributes returns a slice containing for each item in the conjunction the disclosed attributes that are present in the proof list. If a non-empty and non-nil AttributeDisjunctionList is included, then the first attributes in the returned slice match with the disjunction list in the disjunction list. The first return parameter of this function indicates whether or not all disjunctions (if present) are satisfied.
func (d *Disclosure) Verify(configuration *Configuration, request *DisclosureRequest) ([][]*DisclosedAttribute, ProofStatus, error)
func (d *Disclosure) VerifyAgainstRequest( configuration *Configuration, request SessionRequest, context, nonce *big.Int, publickeys []*gabi.PublicKey, validAt *time.Time, issig bool, ) ([][]*DisclosedAttribute, ProofStatus, error)
type DisclosureChoice struct {
Attributes [][]*AttributeIdentifier
}A DisclosureChoice contains the attributes chosen to be disclosed.
func (choice *DisclosureChoice) Validate() error
type DisclosureRequest struct {
BaseRequest
Disclose AttributeConDisCon `json:"disclose,omitempty"`
Labels map[int]TranslatedString `json:"labels,omitempty"`
}A DisclosureRequest is a request to disclose certain attributes. Construct new instances using NewDisclosureRequest().
func NewDisclosureRequest(attrs ...AttributeTypeIdentifier) *DisclosureRequest
func (dr *DisclosureRequest) Action() Action
func (dr *DisclosureRequest) AddSingle(attr AttributeTypeIdentifier, value *string, label TranslatedString)
func (dr *DisclosureRequest) Base() *BaseRequest
func (dr *DisclosureRequest) Disclosure() *DisclosureRequest
func (dr *DisclosureRequest) Identifiers() *IrmaIdentifierSet
func (dr *DisclosureRequest) IsDisclosureRequest() bool
func (dr *DisclosureRequest) Legacy() (SessionRequest, error)
func (dr *DisclosureRequest) UnmarshalJSON(bts []byte) (err error)
func (dr *DisclosureRequest) Validate() error
ErrorType are session errors.
type EventRecord struct {
Index *uint64 `gorm:"primary_key;column:eventindex;auto_increment:false"`
CredType CredentialTypeIdentifier `gorm:"primary_key"`
PKCounter *uint `gorm:"primary_key;auto_increment:false"`
E *RevocationAttribute
ParentHash eventHash
}Structs corresponding to SQL table rows, ending in Record
func (e *EventRecord) Convert(id CredentialTypeIdentifier, pkcounter uint, event *revocation.Event) *EventRecord
func (e *EventRecord) Event() *revocation.Event
ExpiredError indicates that something (e.g. a JWT) has expired.
func (e ExpiredError) Error() string
type HTTPTransport struct {
Server string
Binary bool
ForceHTTPS bool
// contains filtered or unexported fields
}HTTPTransport sends and receives JSON messages to a HTTP server.
func NewHTTPTransport(serverURL string, forceHTTPS bool) *HTTPTransport
NewHTTPTransport returns a new HTTPTransport.
func (transport *HTTPTransport) Delete()
Delete performs a DELETE.
func (transport *HTTPTransport) Get(url string, result interface{}) error
Get performs a GET request and parses the server's response into result.
func (transport *HTTPTransport) GetBytes(url string) ([]byte, error)
func (transport *HTTPTransport) Post(url string, result interface{}, object interface{}) error
Post sends the object to the server and parses its response into result.
func (transport *HTTPTransport) SetHeader(name, val string)
SetHeader sets a header to be sent in requests.
type IdentityProviderJwt struct {
ServerJwt
Request *IdentityProviderRequest `json:"iprequest"`
}IdentityProviderJwt is a requestor JWT for issuance session.
func NewIdentityProviderJwt(servername string, ir *IssuanceRequest) *IdentityProviderJwt
NewIdentityProviderJwt returns a new IdentityProviderJwt.
func (claims *IdentityProviderJwt) Action() Action
func (claims *IdentityProviderJwt) RequestorRequest() RequestorRequest
func (claims *IdentityProviderJwt) SessionRequest() SessionRequest
SessionRequest returns an IRMA session object.
func (claims *IdentityProviderJwt) Sign(method jwt.SigningMethod, key interface{}) (string, error)
func (claims *IdentityProviderJwt) Valid() error
type IdentityProviderRequest struct {
RequestorBaseRequest
Request *IssuanceRequest `json:"request"`
}An IdentityProviderRequest contains an issuance request.
func (r *IdentityProviderRequest) Base() *RequestorBaseRequest
func (r *IdentityProviderRequest) SessionRequest() SessionRequest
func (r *IdentityProviderRequest) Validate() error
type IrmaIdentifierSet struct {
SchemeManagers map[SchemeManagerIdentifier]struct{}
Issuers map[IssuerIdentifier]struct{}
CredentialTypes map[CredentialTypeIdentifier]struct{}
PublicKeys map[IssuerIdentifier][]uint
AttributeTypes map[AttributeTypeIdentifier]struct{}
RequestorSchemes map[RequestorSchemeIdentifier]struct{}
}IrmaIdentifierSet contains a set (ensured by using map[...]struct{}) of all scheme managers, all issuers, all credential types, all public keys and all attribute types that are involved in an IRMA session.
func (set *IrmaIdentifierSet) Distributed(conf *Configuration) bool
func (set *IrmaIdentifierSet) Empty() bool
func (set *IrmaIdentifierSet) String() string
type IssuanceRecord struct {
Key string `gorm:"primary_key;column:revocationkey"`
CredType CredentialTypeIdentifier `gorm:"primary_key"`
Issued int64 `gorm:"primary_key;auto_increment:false"`
PKCounter *uint
Attr *RevocationAttribute
ValidUntil int64
RevokedAt int64 `json:",omitempty"` // 0 if not currently revoked
}IssuanceRecord contains information generated during issuance, needed for later revocation.
type IssuanceRequest struct {
DisclosureRequest
Credentials []*CredentialRequest `json:"credentials"`
// Derived data
CredentialInfoList CredentialInfoList `json:",omitempty"`
RemovalCredentialInfoList CredentialInfoList `json:",omitempty"`
}An IssuanceRequest is a request to issue certain credentials, optionally also asking for certain attributes to be simultaneously disclosed. Construct new instances using NewIssuanceRequest().
func NewIssuanceRequest(creds []*CredentialRequest, attrs ...AttributeTypeIdentifier) *IssuanceRequest
func (ir *IssuanceRequest) Action() Action
func (ir *IssuanceRequest) GetCredentialInfoList( conf *Configuration, version *ProtocolVersion, issuedAt time.Time, ) (CredentialInfoList, error)
func (ir *IssuanceRequest) Identifiers() *IrmaIdentifierSet
func (ir *IssuanceRequest) Legacy() (SessionRequest, error)
func (ir *IssuanceRequest) UnmarshalJSON(bts []byte) (err error)
func (ir *IssuanceRequest) Validate() error
type IssueCommitmentMessage struct {
*gabi.IssueCommitmentMessage
Indices DisclosedAttributeIndices `json:"indices,omitempty"`
}func (i *IssueCommitmentMessage) Disclosure() *Disclosure
type Issuer struct {
ID string `xml:"ID"`
Name TranslatedString `xml:"Name"`
SchemeManagerID string `xml:"SchemeManager"`
ContactAddress string
ContactEMail string
DeprecatedSince Timestamp
XMLVersion int `xml:"version,attr"`
}Issuer describes an issuer.
func (id *Issuer) Identifier() IssuerIdentifier
Identifier returns the identifier of the specified issuer description.
func (id *Issuer) SchemeManagerIdentifier() SchemeManagerIdentifier
type IssuerIdentifier struct {
// contains filtered or unexported fields
}IssuerIdentifier identifies an issuer. For example "irma-demo.RU".
func NewIssuerIdentifier(id string) IssuerIdentifier
NewIssuerIdentifier converts the specified identifier to a IssuerIdentifier.
func (id IssuerIdentifier) MarshalText() ([]byte, error)
MarshalText implements encoding.TextMarshaler.
Name returns the last part of this identifier.
Parent returns the parent object of this identifier.
func (id IssuerIdentifier) SchemeManagerIdentifier() SchemeManagerIdentifier
SchemeManagerIdentifier returns the scheme manager identifer of the issuer.
String returns this identifier as a string.
func (id *IssuerIdentifier) UnmarshalText(text []byte) error
UnmarshalText implements encoding.TextUnmarshaler.
type LegacyDisclosureRequest struct {
BaseRequest
Content []LegacyLabeledDisjunction `json:"content"`
}func (dr *LegacyDisclosureRequest) Action() Action
func (dr *LegacyDisclosureRequest) Base() *BaseRequest
func (dr *LegacyDisclosureRequest) Disclosure() *DisclosureRequest
func (dr *LegacyDisclosureRequest) Identifiers() *IrmaIdentifierSet
func (dr *LegacyDisclosureRequest) Legacy() (SessionRequest, error)
func (dr *LegacyDisclosureRequest) Validate() error
type LegacyDisjunction []AttributeRequest
LegacyDisjunction is a disjunction of attributes from before the condiscon feature, representing a list of attribute types one of which must be given by the user, possibly requiring specific values. (C.f. AttributeCon, also defined as []AttributeRequest, which is only satisfied if all listed attributes are given by the user.)
func (l *LegacyDisjunction) MarshalJSON() ([]byte, error)
func (l *LegacyDisjunction) UnmarshalJSON(bts []byte) error
type LegacyIssuanceRequest struct {
BaseRequest
Credentials []*CredentialRequest `json:"credentials"`
Disclose []LegacyLabeledDisjunction `json:"disclose"`
}func (ir *LegacyIssuanceRequest) Action() Action
func (ir *LegacyIssuanceRequest) Base() *BaseRequest
func (ir *LegacyIssuanceRequest) Disclosure() *DisclosureRequest
func (ir *LegacyIssuanceRequest) Identifiers() *IrmaIdentifierSet
func (ir *LegacyIssuanceRequest) Legacy() (SessionRequest, error)
func (ir *LegacyIssuanceRequest) Validate() error
type LegacyLabeledDisjunction struct {
Label string `json:"label"`
Attributes LegacyDisjunction `json:"attributes"`
}type LegacySignatureRequest struct {
LegacyDisclosureRequest
Message string `json:"message"`
}func (ir *LegacySignatureRequest) Action() Action
type MetadataAttribute struct {
Int *big.Int
Conf *Configuration
// contains filtered or unexported fields
}metadataAttribute represents a metadata attribute. Contains the credential type, signing date, validity, and the public key counter.
func MetadataFromInt(i *big.Int, conf *Configuration) *MetadataAttribute
MetadataFromInt wraps the given Int
func NewMetadataAttribute(version byte) *MetadataAttribute
NewMetadataAttribute constructs a new instance containing the default values: provided version as versionField now as signing date 0 as keycounter ValidityDefault (half a year) as default validity.
func (attr *MetadataAttribute) Bytes() []byte
Bytes returns this metadata attribute as a byte slice. Bigint's Bytes() method returns a big-endian byte slice, so add padding at begin.
func (attr *MetadataAttribute) CredentialType() *CredentialType
CredentialType returns the credential type of the current instance using the Configuration.
func (attr *MetadataAttribute) CredentialTypeHash() []byte
func (attr *MetadataAttribute) Expiry() time.Time
Expiry returns the expiry date of this instance
func (attr *MetadataAttribute) IsValid() bool
IsValid returns whether this instance is valid.
func (attr *MetadataAttribute) IsValidOn(t time.Time) bool
IsValidOn returns whether this instance is still valid at the given time
func (attr *MetadataAttribute) KeyCounter() uint
KeyCounter return the public key counter of the metadata attribute
func (attr *MetadataAttribute) PublicKey() (*gabi.PublicKey, error)
PublicKey extracts identifier of the Idemix public key with which this instance was signed, and returns this public key.
func (attr *MetadataAttribute) SigningDate() time.Time
SigningDate returns the time at which this instance was signed
func (attr *MetadataAttribute) ValidityDuration() int
ValidityDuration returns the amount of epochs during which this instance is valid
func (attr *MetadataAttribute) Version() byte
Version returns the metadata version of this instance
type NonRevocationParameters map[CredentialTypeIdentifier]*NonRevocationRequest
func (n *NonRevocationParameters) MarshalJSON() ([]byte, error)
func (n *NonRevocationParameters) UnmarshalJSON(bts []byte) error
type NonRevocationRequest struct {
Tolerance uint64 `json:"tolerance,omitempty"`
Updates map[uint]*revocation.Update `json:"updates,omitempty"`
}type PrivateKeyRing interface {
// Latest returns the private key with the highest counter for the specified issuer, if any,
// or an error.
Latest(id IssuerIdentifier) (*gabi.PrivateKey, error)
// Get returns the specified private key, or an error.
Get(id IssuerIdentifier, counter uint) (*gabi.PrivateKey, error)
// Iterate executes the specified function on each private key of the specified issuer
// present in the ring. The private keys are offered to the function in no particular order,
// and the same key may be offered multiple times. Returns on the first error returned
// by the function.
Iterate(id IssuerIdentifier, f func(sk *gabi.PrivateKey) error) error
}PrivateKeyRing provides access to a set of private keys.
type PrivateKeyRingFolder struct {
// contains filtered or unexported fields
}PrivateKeyRingFolder represents a folder on disk containing private keys with filenames of the form scheme.issuer.xml and scheme.issuer.counter.xml.
func NewPrivateKeyRingFolder(path string, conf *Configuration) (*PrivateKeyRingFolder, error)
func (p *PrivateKeyRingFolder) Get(id IssuerIdentifier, counter uint) (*gabi.PrivateKey, error)
func (p *PrivateKeyRingFolder) Iterate(id IssuerIdentifier, f func(sk *gabi.PrivateKey) error) error
func (p *PrivateKeyRingFolder) Latest(id IssuerIdentifier) (*gabi.PrivateKey, error)
ProofList is a gabi.ProofList with some extra methods.
Expired returns true if any of the contained disclosure proofs is specified at the specified time, or now, when the specified time is nil.
ExtractPublicKeys returns the public keys of each proof in the proofList, in the same order, for later use in verification of the proofList. If one of the proofs is not a ProofD an error is returned.
func (pl ProofList) VerifyProofs( configuration *Configuration, request SessionRequest, context *big.Int, nonce *big.Int, publickeys []*gabi.PublicKey, validAt *time.Time, isSig bool, ) (bool, map[int]*time.Time, error)
VerifyProofs verifies the proofs cryptographically.
ProofStatus is the status of the complete proof
ProtocolVersion encodes the IRMA protocol version of an IRMA session.
func NewVersion(major, minor int) *ProtocolVersion
func (v *ProtocolVersion) Above(major, minor int) bool
func (v *ProtocolVersion) AboveVersion(other *ProtocolVersion) bool
func (v *ProtocolVersion) Below(major, minor int) bool
Returns true if v is below the given version.
func (v *ProtocolVersion) BelowVersion(other *ProtocolVersion) bool
func (v *ProtocolVersion) MarshalJSON() ([]byte, error)
func (v *ProtocolVersion) String() string
func (v *ProtocolVersion) UnmarshalJSON(b []byte) (err error)
type Qr struct {
// Server with which to perform the session
URL string `json:"u"`
// Session type (disclosing, signing, issuing)
Type Action `json:"irmaqr"`
}Qr contains the data of an IRMA session QR (as generated by irma_js), suitable for NewSession().
type RemoteError struct {
Status int `json:"status,omitempty"`
ErrorName string `json:"error,omitempty"`
Description string `json:"description,omitempty"`
Message string `json:"message,omitempty"`
Stacktrace string `json:"stacktrace,omitempty"`
}RemoteError is an error message returned by the API server on errors.
func (err *RemoteError) Error() string
type RequestorBaseRequest struct {
ResultJwtValidity int `json:"validity,omitempty"` // Validity of session result JWT in seconds
ClientTimeout int `json:"timeout,omitempty"` // Wait this many seconds for the IRMA app to connect before the session times out
CallbackURL string `json:"callbackUrl,omitempty"` // URL to post session result to
}RequestorBaseRequest contains fields present in all RequestorRequest types with which the requestor configures an IRMA session.
func (r *RequestorBaseRequest) SetDefaultsIfNecessary()
type RequestorChunk []*RequestorInfo
RequestorChunk is a number of verified requestors stored together. The RequestorScheme can consist of multiple such chunks
type RequestorInfo struct {
Scheme RequestorSchemeIdentifier `json:"scheme"`
Name TranslatedString `json:"name"`
Industry *TranslatedString `json:"industry"`
Hostnames []string `json:"hostnames"`
Logo *string `json:"logo"`
ValidUntil *Timestamp `json:"valid_until"`
}RequestorInfo describes a single verified requestor
func NewRequestorInfo(hostname string) *RequestorInfo
NewRequestorInfo returns a Requestor with just the given hostname
type RequestorJwt interface {
Action() Action
RequestorRequest() RequestorRequest
SessionRequest() SessionRequest
Requestor() string
Valid() error
Sign(jwt.SigningMethod, interface{}) (string, error)
}A RequestorJwt contains an IRMA session object.
func ParseRequestorJwt(action string, requestorJwt string) (RequestorJwt, error)
ParseRequestorJwt parses the specified JWT and returns the contents. Note: this function does not verify the signature! Do that elsewhere.
type RequestorRequest interface {
Validator
SessionRequest() SessionRequest
Base() *RequestorBaseRequest
}RequestorRequest is the message with which requestors start an IRMA session. It contains a SessionRequest instance for the irmaclient along with extra fields in a RequestorBaseRequest.
type RequestorScheme struct {
ID RequestorSchemeIdentifier `json:"id"`
URL string `json:"url"`
Status SchemeManagerStatus `json:"-"`
Timestamp Timestamp `json:"-"`
// contains filtered or unexported fields
}RequestorScheme describes verified requestors
type RequestorSchemeIdentifier struct {
// contains filtered or unexported fields
}RequestorSchemeIdentifier identifies a requestor scheme. Equal to its ID. For example "pbdf-requestors"
func NewRequestorSchemeIdentifier(id string) RequestorSchemeIdentifier
NewRequestorIdentifier converts the specified identifier to a RequestorSchemeIdentifier.
func (id RequestorSchemeIdentifier) MarshalText() ([]byte, error)
Name returns the last part of this identifier.
Parent returns the parent object of this identifier.
String returns this identifier as a string.
func (id *RequestorSchemeIdentifier) UnmarshalText(text []byte) error
type RequiredAttributeMissingError struct {
ErrorType
Missing *IrmaIdentifierSet
}func (e *RequiredAttributeMissingError) Error() string
RevocationAttribute is a big.Int with DB (un)marshaling methods.
func (RevocationAttribute) GormDataType(dialect gorm.Dialect) string
func (i *RevocationAttribute) MarshalCBOR() ([]byte, error)
func (i *RevocationAttribute) Scan(src interface{}) error
Scan implements sql.Scanner, for SQL unmarshaling (from a []byte).
func (i *RevocationAttribute) UnmarshalCBOR(data []byte) error
func (i *RevocationAttribute) Value() (driver.Value, error)
Value implements driver.Valuer, for SQL marshaling (to []byte).
type RevocationClient struct {
Conf *Configuration
Settings RevocationSettings
// contains filtered or unexported fields
}RevocationClient offers an HTTP client to the revocation server endpoints.
func (client RevocationClient) FetchUpdateFrom(id CredentialTypeIdentifier, pkcounter uint, from uint64) (*revocation.Update, error)
func (client RevocationClient) FetchUpdateLatest(id CredentialTypeIdentifier, pkcounter uint, count uint64) (*revocation.Update, error)
func (client RevocationClient) FetchUpdatesLatest(id CredentialTypeIdentifier, count uint64) (map[uint]*revocation.Update, error)
func (client RevocationClient) PostIssuanceRecord(id CredentialTypeIdentifier, sk *revocation.PrivateKey, rec *IssuanceRecord, url string) error
type RevocationJwt struct {
ServerJwt
Request *RevocationRequest `json:"revrequest"`
}func (claims *RevocationJwt) Sign(method jwt.SigningMethod, key interface{}) (string, error)
func (claims *RevocationJwt) Valid() error
type RevocationKeys struct {
Conf *Configuration
}RevocationKeys contains helper functions for retrieving revocation private and public keys from an irma.Configuration instance.
func (rs RevocationKeys) PrivateKey(issid IssuerIdentifier, counter uint) (*revocation.PrivateKey, error)
func (rs RevocationKeys) PrivateKeyLatest(issid IssuerIdentifier) (*revocation.PrivateKey, error)
func (rs RevocationKeys) PublicKey(issid IssuerIdentifier, counter uint) (*revocation.PublicKey, error)
type RevocationRequest struct {
LDContext string `json:"@context,omitempty"`
CredentialType CredentialTypeIdentifier `json:"type"`
Key string `json:"revocationKey,omitempty"`
Issued int64 `json:"issued,omitempty"`
}func (r *RevocationRequest) Validate() error
type RevocationSetting struct {
Server bool `json:"server,omitempty" mapstructure:"server"`
Authority bool `json:"authority,omitempty" mapstructure:"authority"`
RevocationServerURL string `json:"revocation_server_url,omitempty" mapstructure:"revocation_server_url"`
Tolerance uint64 `json:"tolerance,omitempty" mapstructure:"tolerance"` // in seconds, min 30
SSE bool `json:"sse,omitempty" mapstructure:"sse"`
// contains filtered or unexported fields
}RevocationSetting contains revocation settings for a given credential type.
type RevocationSettings map[CredentialTypeIdentifier]*RevocationSetting
func (rs RevocationSettings) Get(id CredentialTypeIdentifier) *RevocationSetting
type RevocationStorage struct {
Keys RevocationKeys
ServerSentEvents *sse.Server
// contains filtered or unexported fields
}RevocationStorage stores and retrieves revocation-related data from and to a SQL database, and offers a revocation API for all other irmago code, including a Revoke() method that revokes an earlier issued credential.
func (rs *RevocationStorage) Accumulator(id CredentialTypeIdentifier, pkcounter uint) ( *revocation.SignedAccumulator, error, )
func (rs *RevocationStorage) AddIssuanceRecord(r *IssuanceRecord) error
func (rs *RevocationStorage) AddUpdate(id CredentialTypeIdentifier, record *revocation.Update) error
func (rs *RevocationStorage) Close() error
func (rs *RevocationStorage) EnableRevocation(id CredentialTypeIdentifier, sk *revocation.PrivateKey) error
EnableRevocation creates an initial accumulator for a given credential type. This function is the only way to create such an initial accumulator and it must be called before anyone can use revocation for this credential type. Requires the issuer private key.
func (rs *RevocationStorage) Events(id CredentialTypeIdentifier, pkcounter uint, from, to uint64) (*revocation.EventList, error)
func (rs *RevocationStorage) Exists(id CredentialTypeIdentifier, counter uint) (bool, error)
Exists returns whether or not an accumulator exists in the database for the given credential type.
func (rs *RevocationStorage) IssuanceRecords(id CredentialTypeIdentifier, key string, issued time.Time) ([]*IssuanceRecord, error)
func (rs *RevocationStorage) Load(debug bool, dbtype, connstr string, settings RevocationSettings) error
func (rs *RevocationStorage) PostUpdate(id CredentialTypeIdentifier, update *revocation.Update)
func (rs *RevocationStorage) Revoke(id CredentialTypeIdentifier, key string, issued time.Time) error
Revoke revokes the credential(s) specified by key and issued, if found within the current database, by updating their revocation time to now, removing their revocation attribute from the current accumulator, and updating the revocation database on disk. If issued is not specified, i.e. passed the zero value, all credentials specified by key are revoked.
func (rs *RevocationStorage) SaveIssuanceRecord(id CredentialTypeIdentifier, rec *IssuanceRecord, sk *gabi.PrivateKey) error
SaveIssuanceRecord either stores the issuance record locally, if we are the revocation server of the crecential type, or it signs and sends it to the remote revocation server.
func (rs *RevocationStorage) SetRevocationUpdates(b *BaseRequest) error
SetRevocationUpdates retrieves the latest revocation records from the database, and attaches them to the request, for each credential type for which a nonrevocation proof is requested in b.Revocation.
func (rs *RevocationStorage) SyncDB(id CredentialTypeIdentifier) error
func (rs *RevocationStorage) SyncIfOld(id CredentialTypeIdentifier, maxage uint64) error
func (rs *RevocationStorage) UpdateLatest(id CredentialTypeIdentifier, count uint64, counter *uint) (map[uint]*revocation.Update, error)
type Scheme interface {
// contains filtered or unexported methods
}SchemeFileHash encodes the SHA256 hash of an authenticated file under a scheme within the configuration folder.
func (hash SchemeFileHash) Equal(other SchemeFileHash) bool
func (hash SchemeFileHash) String() string
type SchemeManager struct {
ID string `xml:"Id"`
Name TranslatedString `xml:"Name"`
URL string `xml:"Url"`
Contact string `xml:"contact"`
Demo bool `xml:"Demo"` // Decides whether to download private keys
Description TranslatedString
MinimumAppVersion SchemeAppVersion
string
string
string
TimestampServer string
XMLVersion int `xml:"version,attr"`
XMLName xml.Name `xml:"SchemeManager"`
Status SchemeManagerStatus `xml:"-"`
Timestamp Timestamp
// contains filtered or unexported fields
}SchemeManager describes a scheme manager.
func (scheme *SchemeManager) Distributed() bool
Distributed indicates if this scheme uses a keyshare server.
func (scheme *SchemeManager) Identifier() SchemeManagerIdentifier
Identifier returns the identifier of the specified scheme.
type SchemeManagerError struct {
Scheme string
Status SchemeManagerStatus
Err error
}func (sme SchemeManagerError) Error() string
type SchemeManagerIdentifier struct {
// contains filtered or unexported fields
}SchemeManagerIdentifier identifies a scheme manager. Equal to its ID. For example "irma-demo".
func NewSchemeManagerIdentifier(id string) SchemeManagerIdentifier
NewSchemeManagerIdentifier converts the specified identifier to a SchemeManagerIdentifier.
func (id SchemeManagerIdentifier) MarshalText() ([]byte, error)
MarshalText implements encoding.TextMarshaler.
Name returns the last part of this identifier.
Parent returns the parent object of this identifier.
String returns this identifier as a string.
func (id *SchemeManagerIdentifier) UnmarshalText(text []byte) error
UnmarshalText implements encoding.TextUnmarshaler.
type SchemeManagerIndex map[string]SchemeFileHash
SchemeManagerIndex is a (signed) list of files under a scheme along with their SHA266 hash
func (i SchemeManagerIndex) FromString(s string) error
FromString populates this index by parsing the specified string.
func (i SchemeManagerIndex) Scheme() string
func (i SchemeManagerIndex) String() string
type SchemePointer struct {
URL string // URL to download scheme from
Type SchemeType
Publickey []byte // Public key of scheme against which to verify files after they have been downloaded
}SchemePointer points to a remote IRMA scheme, containing information to download the scheme, including its (pinned) public key.
type ServerJwt struct {
Type string `json:"sub"`
ServerName string `json:"iss"`
IssuedAt Timestamp `json:"iat"`
}ServerJwt contains standard JWT fields.
type ServiceProviderJwt struct {
ServerJwt
Request *ServiceProviderRequest `json:"sprequest"`
}ServiceProviderJwt is a requestor JWT for a disclosure session.
func NewServiceProviderJwt(servername string, dr *DisclosureRequest) *ServiceProviderJwt
NewServiceProviderJwt returns a new ServiceProviderJwt.
func (claims *ServiceProviderJwt) Action() Action
func (claims *ServiceProviderJwt) RequestorRequest() RequestorRequest
func (claims *ServiceProviderJwt) SessionRequest() SessionRequest
SessionRequest returns an IRMA session object.
func (claims *ServiceProviderJwt) Sign(method jwt.SigningMethod, key interface{}) (string, error)
func (claims *ServiceProviderJwt) Valid() error
type ServiceProviderRequest struct {
RequestorBaseRequest
Request *DisclosureRequest `json:"request"`
}A ServiceProviderRequest contains a disclosure request.
func (r *ServiceProviderRequest) Base() *RequestorBaseRequest
func (r *ServiceProviderRequest) SessionRequest() SessionRequest
func (r *ServiceProviderRequest) Validate() error
type SessionError struct {
Err error
ErrorType
Info string
RemoteError *RemoteError
RemoteStatus int
}SessionError is a protocol error.
func (e *SessionError) Error() string
func (e *SessionError) Stack() string
func (e *SessionError) WrappedError() string
type SessionRequest interface {
Validator
Base() *BaseRequest
GetNonce(timestamp *atum.Timestamp) *big.Int
Disclosure() *DisclosureRequest
Identifiers() *IrmaIdentifierSet
Action() Action
Legacy() (SessionRequest, error)
}SessionRequest instances contain all information the irmaclient needs to perform an IRMA session.
type SignatureRequest struct {
DisclosureRequest
Message string `json:"message"`
}A SignatureRequest is a a request to sign a message with certain attributes. Construct new instances using NewSignatureRequest().
func NewSignatureRequest(message string, attrs ...AttributeTypeIdentifier) *SignatureRequest
func (sr *SignatureRequest) Action() Action
GetNonce returns the nonce of this signature session (with the message already hashed into it).
func (sr *SignatureRequest) IsSignatureRequest() bool
func (sr *SignatureRequest) Legacy() (SessionRequest, error)
func (sr *SignatureRequest) SignatureFromMessage(message interface{}, timestamp *atum.Timestamp) (*SignedMessage, error)
func (sr *SignatureRequest) UnmarshalJSON(bts []byte) (err error)
func (sr *SignatureRequest) Validate() error
type SignatureRequestorJwt struct {
ServerJwt
Request *SignatureRequestorRequest `json:"absrequest"`
}SignatureRequestorJwt is a requestor JWT for a signing session.
func NewSignatureRequestorJwt(servername string, sr *SignatureRequest) *SignatureRequestorJwt
NewSignatureRequestorJwt returns a new SignatureRequestorJwt.
func (claims *SignatureRequestorJwt) Action() Action
func (claims *SignatureRequestorJwt) RequestorRequest() RequestorRequest
func (claims *SignatureRequestorJwt) SessionRequest() SessionRequest
SessionRequest returns an IRMA session object.
func (claims *SignatureRequestorJwt) Sign(method jwt.SigningMethod, key interface{}) (string, error)
func (claims *SignatureRequestorJwt) Valid() error
type SignatureRequestorRequest struct {
RequestorBaseRequest
Request *SignatureRequest `json:"request"`
}A SignatureRequestorRequest contains a signing request.
func (r *SignatureRequestorRequest) Base() *RequestorBaseRequest
func (r *SignatureRequestorRequest) SessionRequest() SessionRequest
func (r *SignatureRequestorRequest) Validate() error
type SignedMessage struct {
LDContext string `json:"@context"`
Signature gabi.ProofList `json:"signature"`
Indices DisclosedAttributeIndices `json:"indices"`
Nonce *big.Int `json:"nonce"`
Context *big.Int `json:"context"`
Message string `json:"message"`
Timestamp *atum.Timestamp `json:"timestamp"`
}SignedMessage is a message signed with an attribute-based signature The 'realnonce' will be calculated as: SigRequest.GetNonce() = ASN1(nonce, SHA256(message), timestampSignature)
func (sm *SignedMessage) Disclosure() *Disclosure
func (sm *SignedMessage) GetNonce() *big.Int
func (sm *SignedMessage) MatchesNonceAndContext(request *SignatureRequest) bool
func (sm *SignedMessage) Verify(configuration *Configuration, request *SignatureRequest) ([][]*DisclosedAttribute, ProofStatus, error)
Verify the attribute-based signature, optionally against a corresponding signature request. If the request is present (i.e. not nil), then the first attributes in the returned result match with the disjunction list in the request (that is, the i'th attribute in the result should satisfy the i'th disjunction in the request). If the request is not fully satisfied in this fasion, the Status of the result is ProofStatusMissingAttributes. Any remaining attributes (i.e. not asked for by the request) are also included in the result, after the attributes that match disjunctions in the request.
The signature request is optional; if it is nil then the attribute-based signature is still verified, and all containing attributes returned in the result.
func (sm *SignedMessage) VerifyTimestamp(message string, conf *Configuration) error
Given an SignedMessage, verify the timestamp over the signed message, disclosed attributes, and rerandomized CL-signatures.
func (sm *SignedMessage) Version() int
Status encodes the status of an IRMA session (e.g., connected).
Timestamp is a time.Time that marshals to Unix timestamps.
Check if Timestamp is before other Timestamp. Used for checking expiry of attributes
To check whether Timestamp is uninitialized
MarshalJSON marshals a timestamp.
Timestamp implements Stringer.
UnmarshalJSON unmarshals a timestamp.
TranslatedString is a map of translated strings.
func NewTranslatedString(attr *string) TranslatedString
NewTranslatedString returns a TranslatedString containing the specified string for each supported language, or nil when attr is nil.
func (ts *TranslatedString) MarshalXML(e *xml.Encoder, start xml.StartElement) error
MarshalXML implements xml.Marshaler.
func (ts *TranslatedString) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error
UnmarshalXML unmarshals an XML tag containing a string translated to multiple languages, for example: <Foo><en>Hello world</en><nl>Hallo wereld</nl></Foo> into a TranslatedString: { "en": "Hello world" , "nl": "Hallo wereld" }
type UnknownIdentifierError struct {
ErrorType
Missing *IrmaIdentifierSet
}func (e *UnknownIdentifierError) Error() string
| Path | Synopsis |
|---|---|
| internal/common | |
| internal/disable_sigpipe | |
| internal/sessiontest | This package just contains tests. |
| internal/test | Package test contains functionality that should be available to all unit tests (which live in separate packages). |
| irma | |
| irmaclient | Package irmaclient implements an IRMA client, that can manage and use IRMA attributes. |
| irma/cmd | |
| server | |
| server/irmac | Required to be main when building a shared library |
| server/irmaserver | Package irmaserver is a library that allows IRMA verifiers, issuers or attribute-based signature applications to perform IRMA sessions with irmaclient instances (i.e. |
| server/requestorserver | Package requestorserver is a server allowing IRMA verifiers, issuers or attribute-based signature applications (the requestor) to perform IRMA sessions with irmaclient instances (i.e. |
Package irma imports 56 packages (graph) and is imported by 13 packages. Updated 2021-01-22. Refresh now. Tools for package owners.