dgca-issuance-service's People

Contributors

a-trzewik, ascheibal, daniel-eder, dependabot[bot], f11h, jhagestedt, jurosens, quapka, schulzesttsi, slaurenz, zeridon

dgca-issuance-service's Issues

Support for last releases of hcert-kotlin

Your Question

Hi,
When looking at the pom.xml file, it appears that this release is based on the release 1.0.1 of hcert-kotlin.
However, there have been several releases of hcert-kotlin since 1.0.1, especially 1.1.1, which is compatible with the JSON schema 1.3.0 (field tc not mandatory).
We tried to change the version of hcert-kotlin in the pom.xml file to a more recent one but we were not able to compile the release.

Do you plan to deliver a new release compatible with the latest hcert-kotlin version? If not, how can we support JSON schema 1.3.0 using this release of the dgca-issuance-service?

Thanks for your feedback,
Regards,


Recovery - Certificate Valid from/to Dates.

As per the hcert-kotlin library and Web, we have the values populated for the fields df:certificateValidFrom and du:certificateValidUntil, which are understood to be the period during which the certificate should be valid.

Test Case:
Generate a Recovery QR where the certificateValidTo date is set in the Past.
The QR Code is validated as VALID, which should not be the case.

The Recovery Certificate fields CreatedAt, and ExpiresAt should be set to the certificate ValidFrom and ValidUntil fields respectively.

Please see

I would use the configuration issuance.expiration.recoverty as a validation only, i.e. ValidUntil - ValidFrom should not exceed that recovery expiration configuration.

*Note: we must rename issuance.expiration.recoverty to issuance.expiration.recovery (misspelling).*
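The behaviour requested in this issue, as an added example (not code from the issue or from the project): the envelope's issued-at and expiry times are taken from df and du, the configured recovery expiration only bounds the window, and a verifier rejects anything outside it. Class, record and method names are hypothetical; treating du as inclusive and using UTC are assumptions. Requires Java 16+ for records.

```java
import java.time.Duration;
import java.time.Instant;
import java.time.LocalDate;
import java.time.ZoneOffset;

/** Added illustration; all names here are hypothetical, not the service's API. */
public class RecoveryValidity {

    /** Envelope timestamps in seconds since the epoch (CreatedAt / ExpiresAt). */
    record Envelope(long issuedAt, long expiresAt) {}

    /**
     * Derives the envelope times from the recovery entry's df/du dates.
     * maxValidity plays the role of issuance.expiration.recoverty: it only
     * bounds the requested window, it does not set the expiry itself.
     */
    static Envelope fromRecovery(LocalDate df, LocalDate du, Duration maxValidity) {
        if (du.isBefore(df)) {
            throw new IllegalArgumentException("du is before df");
        }
        Instant from = df.atStartOfDay(ZoneOffset.UTC).toInstant();
        // Assumption: du is inclusive, so validity ends when that day ends (UTC).
        Instant until = du.plusDays(1).atStartOfDay(ZoneOffset.UTC).toInstant();
        if (Duration.between(from, until).compareTo(maxValidity) > 0) {
            throw new IllegalArgumentException("validity window exceeds configured maximum");
        }
        return new Envelope(from.getEpochSecond(), until.getEpochSecond());
    }

    /** Verifier-side check: any time outside [issuedAt, expiresAt) is not VALID. */
    static boolean isValidAt(Envelope e, Instant now) {
        long t = now.getEpochSecond();
        return t >= e.issuedAt() && t < e.expiresAt();
    }

    public static void main(String[] args) {
        Duration max = Duration.ofDays(365);                 // constructed sample limit
        Instant now = Instant.parse("2021-06-14T12:00:00Z"); // constructed "current time"

        // Test case from the issue: ValidUntil lies in the past.
        Envelope past = fromRecovery(
                LocalDate.parse("2021-01-01"), LocalDate.parse("2021-05-01"), max);
        System.out.println("expired window valid? " + isValidAt(past, now));

        // A window that contains "now".
        Envelope current = fromRecovery(
                LocalDate.parse("2021-05-01"), LocalDate.parse("2021-10-28"), max);
        System.out.println("current window valid? " + isValidAt(current, now));

        // A window longer than the configured maximum is refused at issuance.
        try {
            fromRecovery(LocalDate.parse("2021-01-01"), LocalDate.parse("2023-01-01"), max);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected at issuance: " + ex.getMessage());
        }
    }
}
```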

Introduce interface for key provider

Feature description

  • Refactor key provider to implementation + interface

Problem and motivation

In order to keep the issuance service as platform-independent as possible and to support member states implementing their own providers we introduce an interface for key provider.

Implement did endpoint /dgci/{hash}

draft example not fully specified yet.
Provided by arch

{
  "id": "dgci:V1:DE:23834834834", --> DGCI
  "publicKey": [
    {
      "id": "dgci:V1:DE:23834834834#keys-1",
      "type": "ECDSAP-256",
      "publicKeyJwk": {
        "crv": "secp256k1",
        "x": "4xAbUxbGGFPv4qpHlPFAUJdzteUGR1lRK-CELCufU9w",
        "y": "EYcgCTsff1qtZjI9_ckZTXDSKAIuM0BknrKgo0BZ_Is",
        "kty": "EC"
      }
    },
    {
      "id": "dgci:V1:DE:23834834834#keys-2",
      "type": "ECDSAP-256",
      "publicKeyJwk": {
        "crv": "secp256k1",
        "x": "445ifkldfg945-234324934",
        "y": "-3489348934893494",
        "kty": "EC"
      }
    }
  ]
}

Implement POST /dgci/wallet/claim

Feature description

Endpoint for DGCI claiming

  • DB to store DGCIs and TANs
  • Check all information passed from the frontend
  • Mark DGCIs claimed and return corresponding response

only POST /dgci/wallet/claim

backend certificate endpoint - use configured country code and expiration time computation

For backend issue computation the library
https://github.com/ehn-digital-green-development/hcert-kotlin
is used.
This is exposed at the endpoint
PUT /dgci/issue
Currently the hcert-kotlin implementation will inject a fixed country code "AU" and also an expiration time of one year.
But this should be configurable.

The endpoint is not used by the dgc-issuance-web frontend because this endpoint requires that all patient data are sent to the backend.

HCert-Kotlin Version 1.0.0

Please review to have the version 1.0.0 which is now the first stable version of the hcert-kotlin library implemented in the dgca-issuance-service.

Compilation of the dgca-issuance-service is unreliable as the snapshots are not maintained for the Hcert-Kotlin library.
The SNAPSHOT release for version 0.2.2.SNAPSHOT cannot be resolved (it seems it has now been removed from the maven repo).

The result is that I'm not able to compile the dgca-issuance-service because of the reliance on the snapshot version (rather than the version 1.0.0, which has now also been tagged).

Please see the build issue

#16 107.4 Downloading from ehd-github: https://maven.pkg.github.com/ehn-digital-green-development/*/ehn/techiop/hcert/hcert-kotlin/0.2.2-SNAPSHOT/hcert-kotlin-0.2.2-SNAPSHOT.jar
#16 107.7 [INFO] ------------------------------------------------------------------------
#16 107.7 [INFO] BUILD FAILURE
#16 107.7 [INFO] ------------------------------------------------------------------------
#16 107.8 [INFO] Total time:  01:46 min
#16 107.8 [INFO] Finished at: 2021-06-14T12:04:50Z
#16 107.8 [INFO] ------------------------------------------------------------------------
#16 107.8 [ERROR] Failed to execute goal on project dgca-issuance-service: Could not resolve dependencies for project eu.europa.ec.dgc:dgca-issuance-service:jar:latest: Could not find artifact ehn.techiop.hcert:hcert-kotlin:jar:0.2.2-SNAPSHOT in central (https://repo1.maven.org/maven2) -> [Help 1]
#16 107.8 [ERROR]
#16 107.8 [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
#16 107.8 [ERROR] Re-run Maven using the -X switch to enable full debug logging.
#16 107.8 [ERROR]
#16 107.8 [ERROR] For more information about the errors and possible solutions, please read the following articles:
#16 107.8 [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/DependencyResolutionException
------
error: failed to solve: rpc error: code = Unknown desc = executor failed running [/bin/sh -c mvn -f /home/app/pom.xml -s /home/app/settings.xml package -Dhttps.protocols=TLSv1.2]: exit code: 1

DgcGatewayConnectorRestClient could not be found

Hello everyone,

I am trying to set up and test the Gateway and Issuance Service. I am using the official docker images, and have a running instance of the gateway at https://mytest.local
I have added an instance of ENVOY in front of the gateway and I am passing the necessary X-SSL-* headers.
I followed the instructions and I am able to retrieve the trust list using a registered self-signed client certificate.

Now I am trying to set up the Issuance Service and the Gateway Connector; I have created the necessary certificates and have added the properties as explained in eu-digital-green-certificates/dgc-lib through the docker-compose file:

  - DGC_GATEWAY_CONNECTOR_ENABLED=true
  - DGC_GATEWAY_CONNECTOR_ENDPOINT=https://mytest.local
  - DGC_GATEWAY_CONNECTOR_DISABLE-UPLOAD-CERTIFICATE-CHECK=false
  - DGC_GATEWAY_CONNECTOR_PROXY_ENABLED=false
  - DGC_GATEWAY_CONNECTOR_PROXY_HOST=
  - DGC_GATEWAY_CONNECTOR_PROXY_PORT=-1
  - DGC_GATEWAY_CONNECTOR_MAX-CACHE-AGE=300
  - DGC_GATEWAY_CONNECTOR_TLS-TRUST-STORE_PATH=certs/tls-trust.p12
  - DGC_GATEWAY_CONNECTOR_TLS-TRUST-STORE_PASSWORD=secret
  - DGC_GATEWAY_CONNECTOR_TLS-KEY-STORE_PATH=certs/tls-key.p12
  - DGC_GATEWAY_CONNECTOR_TLS-KEY-STORE_PASSWORD=secret
  - DGC_GATEWAY_CONNECTOR_TLS-KEY-STORE_ALIAS=tlskey1
  - DGC_GATEWAY_CONNECTOR_TRUST-ANCHOR_PATH=certs/ta.jks
  - DGC_GATEWAY_CONNECTOR_TRUST-ANCHOR_PASSWORD=secret
  - DGC_GATEWAY_CONNECTOR_TRUST-ANCHOR_ALIAS=anchor

When starting the service I get the following error:

///-----
ConfigServletWebServerApplicationContext : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'certPublisherController' defined in URL [jar:file:/app/app.jar!/BOOT-INF/classes!/eu/europa/ec/dgc/issuance/restapi/controller/CertPublisherController.class]: Unsatisfied dependency expressed through constructor parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'certKeyPublisherServiceImpl' defined in URL [jar:file:/app/app.jar!/BOOT-INF/classes!/eu/europa/ec/dgc/issuance/service/CertKeyPublisherServiceImpl.class]: Unsatisfied dependency expressed through constructor parameter 1; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'dgcGatewayUploadConnector' defined in URL [jar:file:/app/app.jar!/BOOT-INF/lib/dgc-lib-0.4.0.jar!/eu/europa/ec/dgc/gateway/connector/DgcGatewayUploadConnector.class]: Unsatisfied dependency expressed through constructor parameter 0; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type 'eu.europa.ec.dgc.gateway.connector.client.DgcGatewayConnectorRestClient' available: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {}


APPLICATION FAILED TO START


Description:
Parameter 0 of constructor in eu.europa.ec.dgc.gateway.connector.DgcGatewayUploadConnector required a bean of type 'eu.europa.ec.dgc.gateway.connector.client.DgcGatewayConnectorRestClient' that could not be found.
///-----

All containers are running inside the same Debian 10 virtual machine.

Thank you in advance for your comments and suggestions.
Eric.

DGCG connector

Feature description

  • Implement connection to DGC gateway
  • Publish public keys to gateway

Application Error when specifying DGCG configuration in application.yml

Describe the bug

After removing the comments in the application.yml file, and even though the gateway.connector.enabled is set to false, the application fails to start with an error message.

dgc:
  gateway:
    connector:
      enabled: false
#      endpoint: https://dgc-gateway.example.com
#      proxy:
#        enabled: false
#      max-cache-age: 300
#      tls-trust-store:
#        password: dgcg-p4ssw0rd
#        path: classpath:tls_trust_store.p12
#      tls-key-store:
#        alias: 1
#        password: dgcg-p4ssw0rd
#        path: classpath:tls_key_store.p12
#      trust-anchor:
#        alias: ta
#        password: dgcg-p4ssw0rd
#        path: classpath:trust_anchor.jks

Error:

2021-05-07 20:01:20.431 ERROR 6 --- [           main] o.s.boot.SpringApplication               : Application run failed

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'client' defined in class path resource [eu/europa/ec/dgc/gateway/connector/client/DgcGatewayConnectorRestClientConfig.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [feign.Client]: Factory method 'client' threw exception; nested exception is java.io.FileNotFoundException: class path resource [tls_trust_store.p12] cannot be resolved to absolute file path because it does not exist
        at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:658) ~[spring-beans-5.3.5.jar!/:5.3.5]
        at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:486) ~[spring-beans-5.3.5.jar!/:5.3.5]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1334) ~[spring-beans-5.3.5.jar!/:5.3.5]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1177) ~[spring-beans-5.3.5.jar!/:5.3.5]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:564) ~[spring-beans-5.3.5.jar!/:5.3.5]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:524) ~[spring-beans-5.3.5.jar!/:5.3.5]
        at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:335) ~[spring-beans-5.3.5.jar!/:5.3.5]
        at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234) ~[spring-beans-5.3.5.jar!/:5.3.5]
        at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:333) ~[spring-beans-5.3.5.jar!/:5.3.5]
        at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:208) ~[spring-beans-5.3.5.jar!/:5.3.5]
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:944) ~[spring-beans-5.3.5.jar!/:5.3.5]
        at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:918) ~[spring-context-5.3.5.jar!/:5.3.5]
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:583) ~[spring-context-5.3.5.jar!/:5.3.5]
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:144) ~[spring-boot-2.4.4.jar!/:2.4.4]
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:769) ~[spring-boot-2.4.4.jar!/:2.4.4]
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:761) ~[spring-boot-2.4.4.jar!/:2.4.4]
        at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:426) ~[spring-boot-2.4.4.jar!/:2.4.4]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:326) ~[spring-boot-2.4.4.jar!/:2.4.4]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1313) ~[spring-boot-2.4.4.jar!/:2.4.4]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1302) ~[spring-boot-2.4.4.jar!/:2.4.4]
        at eu.europa.ec.dgc.issuance.DgcIssuanceApplication.main(DgcIssuanceApplication.java:45) ~[classes!/:na]
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[na:na]
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[na:na]
        at java.base/java.lang.reflect.Method.invoke(Unknown Source) ~[na:na]
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49) ~[app.jar:na]
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:107) ~[app.jar:na]
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:58) ~[app.jar:na]
        at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:88) ~[app.jar:na]
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [feign.Client]: Factory method 'client' threw exception; nested exception is java.io.FileNotFoundException: class path resource [tls_trust_store.p12] cannot be resolved to absolute file path because it does not exist
        at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185) ~[spring-beans-5.3.5.jar!/:5.3.5]
        at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653) ~[spring-beans-5.3.5.jar!/:5.3.5]
        ... 28 common frames omitted
Caused by: java.io.FileNotFoundException: class path resource [tls_trust_store.p12] cannot be resolved to absolute file path because it does not exist
        at org.springframework.util.ResourceUtils.getFile(ResourceUtils.java:177) ~[spring-core-5.3.5.jar!/:5.3.5]
        at eu.europa.ec.dgc.gateway.connector.client.DgcGatewayConnectorRestClientConfig.getSslContext(DgcGatewayConnectorRestClientConfig.java:83) ~[dgc-lib-0.4.0.jar!/:na]
        at eu.europa.ec.dgc.gateway.connector.client.DgcGatewayConnectorRestClientConfig.client(DgcGatewayConnectorRestClientConfig.java:66) ~[dgc-lib-0.4.0.jar!/:na]
        at eu.europa.ec.dgc.gateway.connector.client.DgcGatewayConnectorRestClientConfig$$EnhancerBySpringCGLIB$$2d78b7dc.CGLIB$client$0(<generated>) ~[dgc-lib-0.4.0.jar!/:na]
        at eu.europa.ec.dgc.gateway.connector.client.DgcGatewayConnectorRestClientConfig$$EnhancerBySpringCGLIB$$2d78b7dc$$FastClassBySpringCGLIB$$9d2e4602.invoke(<generated>) ~[dgc-lib-0.4.0.jar!/:na]
        at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:244) ~[spring-core-5.3.5.jar!/:5.3.5]
        at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:331) ~[spring-context-5.3.5.jar!/:5.3.5]
        at eu.europa.ec.dgc.gateway.connector.client.DgcGatewayConnectorRestClientConfig$$EnhancerBySpringCGLIB$$2d78b7dc.client(<generated>) ~[dgc-lib-0.4.0.jar!/:na]
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[na:na]
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[na:na]
        at java.base/java.lang.reflect.Method.invoke(Unknown Source) ~[na:na]
        at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154) ~[spring-beans-5.3.5.jar!/:5.3.5]

Expected behaviour

Application should be able to run without errors

Steps to reproduce the issue

Uncomment the dgc.gateway.connector section in application.yml
Compile and run.

Technical details

  • Host Machine OS
- uname -a
Linux FLATRO 3.10.0-1160.6.1.el7.x86_64 #1 SMP Tue Nov 17 13:59:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Additional context

Versions:
https://github.com/eu-digital-green-certificates/dgca-issuance-service/tree/0.0.13
https://github.com/eu-digital-green-certificates/dgc-lib/tree/0.4.0

Introduce interface for signing logic

Feature description

  • Refactor signing to implementation + interface

Problem and motivation

In order to keep the issuance service as platform-independent as possible and to support member states implementing their own key providers we introduce an interface to encapsulate the signing logic.

Valid Certificate Produced for Positive Covid Test Results

Describe the bug

When generating a DGC, one option is to input the Positive Result of a Covid Test.
Hence, the person was tested Positive for Covid.

I am able to proceed to produce the DGC, and get a Green and Valid verification.

Expected behaviour

Digital Green certificate should not be issued to anyone with a Positive Covid Test Result.

Steps to reproduce the issue

See Screenshot

PositiveCovidDGC

Possible Fix

Implement Validation as to which values in the value sets should produce a DGC and which should not.

Swagger API Documentation

Dear Team,

Please may I request for you to supply the Swagger API documentation for the dgca-issuance-service as soon as possible?

We are in the process of integrating our country's databases for the vaccinations, Covid tests, and recovered patients, which we need to implement the integration with the DGC Issuance Service.

Thank you and Best Regards
Panayiotis Savva
Cyprus

Implement HEAD /dgci/{hash} instead of /dgci/status

Please implement the /dgci/status route which should return just a 200 (OK) code, 404 (NOT FOUND) or 423 (LOCKED) to a given DGCI (given in header parameter)

The route must check the dgci status "locked" in the database, return 423 if true. 404 if not available and 200 if existing in the db and unlocked.

Implement /context Endpoint in Issuance Service

The context endpoint contains important configurations for the app. The context route must contain a structure with the following format (static JSON file):

{
  "Origin":"ES", (country)
  "claimEndpoints": [
    {
      "co":"DE", (country)
      "claimDomain":"http://ibm.claimendpoint.de" , (url)
      "pubKey":"MIIj234ksedfioweikseipo234jk234jksdfkl" (PEM, b64 Encoded)
    }
  ]
}
