eu-digital-green-certificates / dgc-participating-countries

All contents and information for onboarding representatives of participating countries.
Apache License 2.0

Make approved trust list publicly accessible #10

Closed mauimauer closed 3 years ago

mauimauer commented 3 years ago

Why would you put the master trust list behind mTLS auth? Priority should be assigned to distributing a verifiable trustlist to everyone who wishes to validate the contents of DGCs. The certificates/pkeys are not sensitive and should be made accessible to everyone.

If you don't want to serve this via an API at least consider hosting a static daily dump (+ signature) of the trustlist in a publicly accessible location.

dirkx commented 3 years ago

Best to ask the authority in your own country.

And the one Sweden has done is drop dead gorgeous:

 https://dgcg.covidbevis.se/tp/

The dutch one is at:

https://www.npkd.nl/dsc-health.html
https://verifier-api.coronacheck.nl/v4/verifier/public_keys

Dw.

EdossProject commented 3 years ago

> You should get in touch with the national health authority of the country you are operating your application in. The national backends will allow you to verify certificates from other EU member states as well. @EdossProject

There is no e-mail or anything else to contact them!

MA1GitHub commented 3 years ago

> You should get in touch with the national health authority of the country you are operating your application in. The national backends will allow you to verify certificates from other EU member states as well. @EdossProject

How about other non EU countries? For instance, if the institution is in the US and needs to get all public keys for EU countries, who should we contact?

daniel-eder commented 3 years ago

@MA1GitHub the process is roughly the same. Once a country has been onboarded and can interact with the system, it can also provide access to public keys to private institutions. That means, the first step is always to get in touch with your national health authority and see if they already established contact with the EU.

chrloch commented 3 years ago

Everyone gets everyone's public keys. The gateway only allows authorized access; the participating countries (EU or not) are supposed to run their own distribution services for their apps and services, which copy the data that they received from the gateway. So if you find one country which allows you to use their distribution service, you have access to all public keys.

ryanbnl commented 3 years ago

Links have already been posted in this thread to various public lists from member states. The subject of publication by the EU of the list is AFAIK still ongoing. That discussion lives by the eHealth Network, there will likely be some kind of update on our GitHub (https://github.com/ehn-dcc-development/) once more is known.

MyCodeEdu commented 3 years ago

> Best to ask the authority in your own country. And the one Sweden has done is drop dead gorgeous: https://dgcg.covidbevis.se/tp/ The dutch one is at: https://www.npkd.nl/dsc-health.html https://verifier-api.coronacheck.nl/v4/verifier/public_keys Dw.

Thanks for listing the links. The endpoint (https://verifier-api.coronacheck.nl/v4/verifier/public_keys) returns a signature and a payload, how can we get the public key list from the response?

ryanbnl commented 3 years ago

> Best to ask the authority in your own country. And the one Sweden has done is drop dead gorgeous: https://dgcg.covidbevis.se/tp/ The dutch one is at: https://www.npkd.nl/dsc-health.html https://verifier-api.coronacheck.nl/v4/verifier/public_keys Dw.

> Thanks for listing the links. The endpoint (https://verifier-api.coronacheck.nl/v4/verifier/public_keys) returns a signature and a payload, how can we get the public key list from the response?

The payload is in base64, if you have access to a POSIX terminal:

curl https://verifier-api.coronacheck.nl/v4/verifier/public_keys -g | jq -r '.payload' | base64 --decode

stapelberg commented 3 years ago

FYI, the links are also collected on https://github.com/section42/hcert-trustlist-mirror.

Example code for loading all of the trustlist mirror lists (for the purpose of verifying certificates): https://pkg.go.dev/github.com/stapelberg/coronaqr/trustlist/trustlistmirror

dirkx commented 3 years ago

> Thanks for listing the links. The endpoint (https://verifier-api.coronacheck.nl/v4/verifier/public_keys) returns a signature and a payload, how can we get the public key list from the response?

https://www.npkd.nl/ or the standard chain on most operating systems (CA of The Netherlands).

Dw
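An added example (not code from this thread or from CoronaCheck) that does in Python what the curl | jq | base64 pipeline above does, plus the check dirkx's reply implies: split the envelope, decode the payload, and only accept the list once the detached signature verifies against the CA file. The sample response, the key-list layout inside the payload, and the assumption that the signature is a DER CMS detached signature are all constructed for illustration, not the real API schema.

```python
import base64
import binascii
import hashlib
import json
import subprocess
import tempfile

# Constructed sample (NOT the real CoronaCheck schema): a JSON envelope whose
# base64 "payload" is itself JSON, which is what the thread describes.
SAMPLE_PAYLOAD = json.dumps({"keys": [{"kid": "AAECAwQFBgc=", "pk": "MFkw..."}]}).encode()
SAMPLE_RESPONSE = json.dumps({
    "payload": base64.b64encode(SAMPLE_PAYLOAD).decode(),
    "signature": base64.b64encode(b"not-a-real-signature").decode(),
})

def decode_envelope(response_text: str) -> tuple:
    """Split {"payload": b64, "signature": b64} into raw bytes.
    Malformed input raises ValueError instead of being passed on as a key list."""
    try:
        env = json.loads(response_text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"response is not JSON: {exc}") from None
    if not isinstance(env, dict) or not {"payload", "signature"}.issubset(env):
        raise ValueError("envelope must contain 'payload' and 'signature'")
    try:  # validate=True rejects junk characters instead of skipping them
        payload = base64.b64decode(env["payload"], validate=True)
        signature = base64.b64decode(env["signature"], validate=True)
    except (binascii.Error, TypeError) as exc:
        raise ValueError(f"invalid base64 in envelope: {exc}") from None
    return payload, signature

def parse_trust_list(payload: bytes) -> dict:
    """The decoded payload is the JSON that `... | base64 --decode` prints."""
    obj = json.loads(payload.decode("utf-8"))
    if not isinstance(obj, dict):
        raise ValueError("trust list payload is not a JSON object")
    return obj

def payload_digest(payload: bytes) -> str:
    """SHA-256 of the raw payload; store it per pull to notice list changes."""
    return hashlib.sha256(payload).hexdigest()

def verify_detached_cms(payload: bytes, signature: bytes, ca_file: str) -> bool:
    """Assumption: signature is a DER CMS detached signature over the raw payload,
    chaining to the CA in ca_file. True only if `openssl cms -verify` accepts it."""
    with tempfile.NamedTemporaryFile() as sig, tempfile.NamedTemporaryFile() as body:
        sig.write(signature); sig.flush()
        body.write(payload); body.flush()
        cmd = ["openssl", "cms", "-verify", "-inform", "DER", "-in", sig.name,
               "-content", body.name, "-CAfile", ca_file, "-out", "/dev/null"]
        return subprocess.run(cmd, capture_output=True).returncode == 0
```

Use the parsed keys only after `verify_detached_cms` returns True for the CA you obtained out of band; a list that decodes fine but fails verification is worthless.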

MyCodeEdu commented 3 years ago

> Best to ask the authority in your own country. And the one Sweden has done is drop dead gorgeous: https://dgcg.covidbevis.se/tp/ The dutch one is at: https://www.npkd.nl/dsc-health.html https://verifier-api.coronacheck.nl/v4/verifier/public_keys Dw.

> Thanks for listing the links. The endpoint (https://verifier-api.coronacheck.nl/v4/verifier/public_keys) returns a signature and a payload, how can we get the public key list from the response?

> The payload is in base64, if you have access to a POSIX terminal:

> curl https://verifier-api.coronacheck.nl/v4/verifier/public_keys -g | jq -r '.payload' | base64 --decode

Thanks for the clarification. When I hit the endpoint (https://verifier-api.coronacheck.nl/v4/verifier/public_keys) from the browser or from Postman, it works properly and returns a response. But when I hit it from the Java code, I get the error below:

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Does it mean I have to get a certificate? If so, where can I get it from? https://www.npkd.nl is giving 403 when I try to download the certificate.

panzi commented 2 years ago

This script shows how to get the Italian trust list: https://github.com/ministero-salute/dcc-utils/blob/master/examples/fetch_certificates.js Yes, it's really one request per trust list entry! It takes over 11 seconds to retrieve the whole list in sequence for me. Since the resume tokens are just counting up from 1, one could request them all in parallel, I guess.

jbx1 commented 2 years ago

Posting this here since a lot of people were actively participating. Is anyone aware of a similar public endpoint for the business rules being applied by each respective EU state?

Some countries are actively changing the expiry periods for vaccination certificates, especially the ones given last year. Looking for some central place from where to get these.

ryanbnl commented 2 years ago

Ours are here: https://verifier-api.coronacheck.nl/v6/dcbs/business_rules

The payload is base64 encoded JSON. Otherwise it's the raw data returned by the gateway.

panzi commented 2 years ago

URLs and descriptions of the Austrian rules can be found here: https://github.com/Federal-Ministry-of-Health-AT/green-pass-overview#details-on-trust-listsbusiness-rulesvalue-sets The rules are embedded in a CBOR format.

dslmeinte commented 2 years ago

@panzi Nice overview! Do you mind if I backlink to this?

panzi commented 2 years ago

It's not my repo, it's an official repo of the federal ministry of health Austria.

dslmeinte commented 2 years ago

@panzi Understood, and I'll take it as a “yes” :)