eu-digital-green-certificates / dgc-testdata

Repository for storing generated QR code data for testing.
Apache License 2.0

How to get access to Document Signing Certificates? #187

Closed lovasoa closed 3 years ago

lovasoa commented 3 years ago

Hello,

I wrote an open-source privacy-preserving verification application for the certificates that are currently being emitted in France (in the 2D-DOC format): https://sanipasse.fr

I would like to add support for digital green certificates, but there is one point in the implementation that is still not clear to me: where do I get access to the public keys needed to check the certificates? Are they to be retrieved from my national backend? I am interested in the French national backend in particular. @adelourme, maybe you can point me to resources about it? Or should I get them from the secretariat mentioned in Volume 1?

The specification states that

there are no confidentiality requirements for the lists of CSCAs and DSCs.

However, I cannot seem to get a hold of these lists.

If this is not the right place for this kind of question, or if there is something I misunderstood, I'm sorry (and I would love if you could point me in the right direction).

@M3kH, @AlexConnat, I'm tagging you so that you can follow the discussion.

M3kH commented 3 years ago

From my understanding, each nation should have a dgc-gateway and they should be synced through a European one; it would be interesting to know if the European one can be publicly accessible.

I did find some location that currently seems to point to a temporary test gateway:

jbx1 commented 3 years ago

Did you discover which is the right official URL for the central European one?

I am also interested in getting the verification KIDs and certificates. The one at https://dgca-verifier-service.cfapps.eu10.hana.ondemand.com seems to have missing ones.

lovasoa commented 3 years ago

Yes, https://sanipasse.fr does now support DGC certificate verification. And I set up a GitHub Action that automatically updates the certificates by connecting to the French gateway and publishes them.

jbx1 commented 3 years ago

Thanks for all the details. So there is no official central DGCG yet as far as you know? Only the national backend ones.

dslmeinte commented 3 years ago

Have a look at this doc: https://github.com/eu-digital-green-certificates/dgc-participating-countries/blob/main/gateway/OnboardingChecklist.md (@SchulzeStTSI : that's the correct one, right?)

jbx1 commented 3 years ago

@dslmeinte Thanks for that. However, it seems that info is for national backends to connect and be able to upload their own certificates etc. (and the links don't seem to point to anywhere).

I am only interested in having the up-to-date KID-certificate pairs of all countries to be able to verify digital certificates offline (irrespective of country).

daniel-eder commented 3 years ago

This issue slipped my notice - the DGCG only acts as an "exchange" for the national backends, there is no direct access of validation services to the DGCG. Similarly, there is no global or EU-wide list of certificates; rather, each member state has sovereignty over the trustlist their national backend publishes.

To validate a DCC, you need to get access to your member state's trustlist.

See https://github.com/eu-digital-green-certificates/dgc-participating-countries/issues/10 for a related discussion.

lovasoa commented 3 years ago

For anyone who would stumble on this issue now: automatic fetching of the certificates from the French backend is now implemented in sanipasse:

philios33 commented 3 years ago

Perhaps a silly question but...

I'm wondering about the sovereignty thing. Doesn't this architecture open the door for (e.g.) Romania to distrust France if it wanted to and remove all FR certificates from its backend? They would of course be well within their sovereign rights to do so, but this kind of thing makes a big difference to how developers of validating software are programming the synchronization of their apps' trust stores.

From a developer's perspective, we want to know where should we get the public keys from to validate the VCCs? (Not where can we)

lovasoa commented 3 years ago

You should get it from the state from which your application will be used. If you want your application to work everywhere, you will have to connect to all backends individually.

arunextasy commented 2 years ago

@lovasoa will running your https://github.com/lovasoa/sanipasse/ locally be able to automatically fetch the certificates from the French backend? If not, please let me know the steps for connecting the French backend with your sanipasse code deployed locally.

lovasoa commented 2 years ago

The script to fetch the data is here: https://github.com/lovasoa/sanipasse/blob/master/fetch_certificates.js You will need to get a token, either by asking politely, or by decompiling the French smartphone app.

arunextasy commented 2 years ago

@lovasoa yes, kindly share the required token with me.

lovasoa commented 2 years ago

I meant ask INgroupe (who maintains the API), not me.

arunextasy commented 2 years ago

@lovasoa thanks. I have one more query: the gateway you mentioned is French. Does this gateway also support the EU Pass and Swiss Pass?

lovasoa commented 2 years ago

It contains the list of signing authorities ACCEPTED by France. The list is here: https://github.com/lovasoa/sanipasse/blob/master/src/assets/Digital_Green_Certificate_Signing_Keys.json

I think it contains all the certificates of all countries that use the dgc, although theoretically, France could decide not to accept a given country.

arunextasy commented 2 years ago

@lovasoa I got the working token from https://1101011.xyz/com.ingroupe.verify.anticovid/index.html here. Any idea whether this token can be used as open source? I don't find any document related to the usage of it.

arunextasy commented 2 years ago

@lovasoa https://github.com/lovasoa/sanipasse/blob/master/src/assets/Digital_Green_Certificate_Signing_Keys.json I tried some sample UK passes from https://github.com/nhsx/covid-pass-verifier/tree/main/Documentation/Examples . Looks like it is not supporting the UK Pass. Is there any JavaScript or any solution to fetch public keys for UK pass verification? Someone please suggest.

lovasoa commented 2 years ago

I don't think the examples in the repo are not signed with valid keys! These are examples signed with example keys.

arunextasy commented 2 years ago

@lovasoa No, it's working when tried with the Swiss covid verifier Android app.

lovasoa commented 2 years ago

Just tried with the French app, and it's not valid in France (so it's not present in sanipasse).

If you want the keys accepted in Switzerland: https://github.com/cn-uofbasel/ch-dcc-keys
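
Added example, not part of the thread and not code from sanipasse or the DGC project: a sketch of why the same pass can resolve under one member state's trust list and not another's, as discussed above. The state names, entry labels and certificate bytes are constructed, and the list layout is an assumption; the kid derivation (first 8 bytes of the SHA-256 of the DER-encoded DSC) follows the DGC specification.

```javascript
const crypto = require('crypto');

// kid per the DGC specification: first 8 bytes of the SHA-256 fingerprint of
// the DER-encoded DSC, base64-encoded as it is usually carried in trust lists.
function kidOf(der) {
  return crypto.createHash('sha256').update(der).digest().subarray(0, 8).toString('base64');
}

// Index one member state's trust list by kid. The kid is a truncated hash,
// so every entry sharing a kid is kept as a candidate.
function indexTrustList(entries) {
  const index = new Map();
  for (const entry of entries) {
    const kid = kidOf(entry.der);
    if (!index.has(kid)) index.set(kid, []);
    index.get(kid).push(entry);
  }
  return index;
}

// Look up the kid from a certificate's COSE header in ONE state's list.
// A hit only selects candidate keys; the COSE signature must still be
// verified against one of them before the certificate is accepted.
function resolve(trustLists, state, kid) {
  const index = trustLists.get(state);
  if (!index) return { trusted: false, reason: `no trust list loaded for ${state}` };
  const candidates = index.get(kid) || [];
  if (candidates.length === 0) return { trusted: false, reason: `kid not in ${state} trust list` };
  return { trusted: true, candidates };
}

// Constructed stand-ins for DER-encoded DSCs (not real certificates).
const dscX = { label: 'example-dsc-x', der: Buffer.from('constructed DSC X') };
const dscY = { label: 'example-dsc-y', der: Buffer.from('constructed DSC Y') };
const dscZ = { label: 'example-dsc-z', der: Buffer.from('constructed DSC Z') };

// Hypothetical national lists: state-B accepts a signer that state-A does not.
const trustLists = new Map([
  ['state-A', indexTrustList([dscX, dscY])],
  ['state-B', indexTrustList([dscX, dscY, dscZ])],
]);

function demo() {
  const kid = kidOf(dscZ.der);
  return { kid, stateA: resolve(trustLists, 'state-A', kid), stateB: resolve(trustLists, 'state-B', kid) };
}

console.log(demo());
```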