eu-digital-green-certificates / dgca-verifier-service

Repository for the dgca verifier service.
Apache License 2.0

Multiple KID not working as expected #42

Closed psavva closed 3 years ago

psavva commented 3 years ago

Describe the bug

I am not exactly sure where the problem lies, but I'm trying to debug and understand further.

During our testing of the testdata repository with Germany (DE) data, we found that not all the Germany KIDs are being saved in the Verifier Service Database.

We further inspected the results as returned by the verifier service:

psavva@cs11299:~$ curl -X 'GET' \
>   'https://verifyapi.neha.gov.cy/signercertificateStatus' \
>   -H 'accept: application/json'
["+/bbaA9m0j0=","1vxpTLgc6ws=","2Rk3X8HntrI=","428FOlUxNRM=","6ek0DM8iSCs=","6jqyJk80bUU=","B4BbJQx1lYQ=","CFUoOhVtOgo=","DhspllZjSVY=","GO0rf1TneQQ=","GZ2cfMLwyK8=","Jj+9Dw7DUVU=","Ks/eWTAFo+I=","Ld1KH5MrFsY=","MI7hF0OCF8Y=","NJpCsMLQco4=","OTAXaM3aBRM=","Ol12Ruv8LLo=","Rl7ZUeTLAC4=","STPDGKKF4N8=","TfwLMHDXIws=","Tn6X6w0+iBM=","VjUQ+HzmZm0=","X3SRAZXFzss=","YTA6V2K8xQY=","coWnRsJwd/s=","dsXHUWEsRfA=","eZx0UBq8T1E=","gtsQTR82V6w=","l3DTTvY1/h0=","lHHRhMo9GWg=","m6so0I2uIyw=","nSdp31pPUvQ=","snqSuA/dvgk=","uE7ViYTSegg=","uxvl+dsyrBw=","wGR6OwOYF4k=","wTHYuP2pg1k=","xZ7EcIR8I4Y=","xZUU+IopoVk=","y3g27v8r51I="]psavva@cs11299:~$

and found that the KIDs for DE are not the Full List.

When downloading the TrustList directly from the Gateway (using CURL), I'm able to return the following 7 DSC Entries:

        "kid": "6EjzyhNlGDQ=",
        "timestamp": "2021-05-27T17:02:32+02:00",
        "country": "DE",
        "kid": "7JQ83GRvK3A=",
        "timestamp": "2021-05-27T17:02:31+02:00",
        "country": "DE",
        "kid": "DEsVUSvpFAE=",
        "timestamp": "2021-05-27T17:02:32+02:00",
        "country": "DE",
        "kid": "Ld1KH5MrFsY=",
        "timestamp": "2021-05-11T10:05:38+02:00",
        "country": "DE",
        "kid": "f1sfUVIx8CA=",
        "timestamp": "2021-05-27T17:02:32+02:00",
        "country": "DE",
        "kid": "l3DTTvY1/h0=",
        "timestamp": "2021-05-11T10:05:30+02:00",
        "country": "DE",

You will notice only 2 Entries exist in the Verifier Endpoint: "l3DTTvY1/h0=" and "Ld1KH5MrFsY=".

We expect that all 7 entries must exist, hence tests containing other KIDs are failing.

psavva commented 3 years ago

As per the TrustList download, there should be 49 DSC Entries; the Verifier Service is returning only 41.

The following is the list of KIDs (DSCs) missing from the Verifier List vs the Gateway TrustList:

kid - country - certificateType
0J/NOaUzCAg= - LT - DSC
6EjzyhNlGDQ= - DE - DSC
7JQ83GRvK3A= - DE - DSC
DEsVUSvpFAE= - DE - DSC
bIwe3F4lAk4= - IS - DSC
f1sfUVIx8CA= - DE - DSC
mRxapyixSJ0= - LU - DSC
u5Tohz8Qb+w= - LU - DSC

psavva commented 3 years ago

Some investigation. In the DGC Library (dgc-lib), when downloading the Trust List from the DGCG, validation occurs for the CSCA and Upload Certificates.

I enabled Debug Logging, and here are some findings: 49 DGC Certificates are downloaded.

2021-05-30 06:36:40.440 DEBUG 6 --- [   scheduling-1] h.i.c.PoolingHttpClientConnectionManager : Connection released: [id: 2][route: {s}->https://acc-dgcg-ws.tech.ec.europa.eu:443][total available: 0; route allocated: 0 of 2; total allocated: 0 of 20]
2021-05-30 06:36:40.440  INFO 6 --- [   scheduling-1] e.e.e.d.g.c.DgcGatewayDownloadConnector  : Got Response from DGCG, **Downloaded Certificates: 49**

We have multiple messages that the Certificate could not be verified as issued by the ca: In fact there are 689 Such cases!

Extract for C=DE

I cannot understand why we would check if DE Certificate is signed by All other countries. Doesn't make much sense.

In fact it seems the issue may lie here! I have disabled the check for UPLOAD certificate, and the only evidence I find that any sort of failure occurs is with the Verification against the CSCA.

Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=CY,ST=Nicosia,L=Nicosia,O=Ministry of Health,OU=National eHealth Authority,CN=CSCA_DGC_CY_01
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=SI,O=National institute of public Health,OU=Digital Green Certificate Services,CN=Slovenian Acceptance Digital Green Certificate CSCA
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=BE,O=eHealth - Belgium,CN=Belgium Covid19 Country Signing CA ACC 01
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=IT,O=Ministero della Salute,CN=Italy DGC CSCA TEST 1
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: CN=CSCA Health NL,SERIALNUMBER=2,OU=Ministry of Health Welfare and Sport,O=Kingdom of the Netherlands,C=NL
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=IT,O=Ministero della Salute,CN=Italy DGC CSCA 1
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=ZZ,ST=Hessen,L=Frankfurt am Main,O=T-Systems International GmbH,OU=Digital Solutions,CN=Pen Testers ACC (CSCA)
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=BG,O=Ministry of Health,OU=Health Information System,CN=Bulgaria DGC CSCA 1
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=LI,L=Vaduz,O=Liechtensteinische Landesverwaltung,CN=DGC-NB-CSCA-ACC-20210528,E=webmaster@llv.li
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=LU,O=INCERT public agency,CN=Grand Duchy of Luxembourg CSCA TEST
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=HR,O=AKD d.o.o.,CN=TEST-DGC-CSCA Croatia
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=EE,ST=Harjumaa,L=Tallinn,O=Health and Welfare Information Systems Center,CN=DGC_CSCA_ACC_EE_01
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: CN=(CERT) Digital Green Certificate 001,OU=DGC,O=Republica Portuguesa-Portuguese Republic,C=PT
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=DX,ST=Hessen,L=Frankfurt am Main,O=T-Systems International GmbH,OU=Digital Solutions,CN=Test Team Country DX (Auth)
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=MT,O=Government of Malta,CN=Malta DCC CSCA (Testing)
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: CN=EADTrust ECC 256 SubCA For Qualified Certificates 2019,O=European Agency of Digital Trust\, S.L.,C=ES,organizationIdentifier=VATES-B85626240,OU=Legal Person
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=YB,ST=European Union,L=Brussels,O=Radically Open Security,OU=Pen Testing YB,CN=Pen Testers YB ACC (CSCA)
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=YY,ST=European Union,L=Brussels,O=Radically Open Security,OU=Pen Testing,CN=Pen Testers ACC (CSCA)
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=LV,O=Nacionālais VeselÄ«bas dienests,OU=CSCA,CN=CSCA DGC LV Test
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=SK,ST=SK,L=Bratislava,O=NCZI,OU=DGCOperations,CN=CSCA_DGC_SK_TEST_01
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=YA,ST=European Union,L=Brussels,O=Radically Open Security,OU=Pen Testing YA,CN=Pen Testers YA ACC (CSCA)
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=RO,O=Ministerul Sanatatii,CN=AC Ministerul Sanatatii
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=CZ,O=MZCR,CN=CZ DSC CSCA 1
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: CN=AT DGC CSCA 1,C=AT,O=BMSGPK
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=LT,O=State Enterprise Centre of Registers,CN=LT_DGC_CSCA_1
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=DE,ST=Hessen,L=Frankfurt am Main,O=T-Systems International GmbH,OU=Digital Solutions,CN=Test Team (CSCA)
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=DK,O=The Danish Health Data Authority,OU=The Danish Health Data Authority,CN=TEST_CSCA_DGC_DK_01,E=kontakt@sundhedsdata.dk
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=WW,ST=WW,L=WW,O=MinistryOfTest,OU=DGCOperations,CN=WW01
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=XX,ST=European Commison,L=Brussels,O=DIGIT,OU=Pen Testing,CN=Pen Testers ACC (CSCA)
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=DE,O=D-Trust GmbH,CN=D-TRUST Test CA 2-2 2019,organizationIdentifier=NTRDE-HRB74346
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=IE,O=HSE,CN=HSE-CSCA
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=IS,O=Thjodskra Islands,OU=Country Signing CA TEST,SURNAME=6503760649,CN=Ferdaskilriki - Islands - G3-TEST
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=FR,O=IMPRIMERIE NATIONALE,OU=FOR TEST PURPOSE ONLY,CN=INGROUPE DSc CA
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: CN=Poland DGC RootCSCA 1 ACC S,O=Ministry of Health,C=PL
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=GR,CN=grnet.gr
Could not verify that certificate was issued by ca. Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,L=Köln,PostalCode=50670,STREET=Im Mediapark 5,organizationIdentifier=DT:DE-UGNOTPROVIDED,SERIALNUMBER=CSM017254371,ST=NRW, CA: C=SE,O=Myndigheten för digital förvaltning,OU=Digital Green Certificate Services,organizationIdentifier=202100-6883,CN=Swedish Test Digital Green Certificate CSCA
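
A triage helper for log output like the extract above (an added example, not code from dgc-lib or from the original comment): it reads the country from the certificate and CA distinguished names, tolerating reversed RDN order and escaped commas, and separates same-country failures from cross-country ones, since a DSC is expected to chain to a CSCA of its own country. The sample lines are shortened from the extract, and all function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: four CA names taken from the extract, DNs shortened.
_PREFIX = ("Could not verify that certificate was issued by ca. "
           "Certificate: C=DE,O=Ubirch GmbH,CN=Ubirch GmbH,ST=NRW, CA: ")
SAMPLE_CAS = [
    "C=CY,ST=Nicosia,O=Ministry of Health,CN=CSCA_DGC_CY_01",
    "CN=CSCA Health NL,SERIALNUMBER=2,O=Kingdom of the Netherlands,C=NL",
    r"CN=EADTrust ECC 256 SubCA,O=European Agency of Digital Trust\, S.L.,C=ES",
    "C=DE,O=D-Trust GmbH,CN=D-TRUST Test CA 2-2 2019",
]
SAMPLE_LOG = "\n".join(_PREFIX + ca for ca in SAMPLE_CAS)

LINE_RE = re.compile(
    r"Could not verify that certificate was issued by ca\. "
    r"Certificate: (?P<cert>.+?), CA: (?P<ca>.+)$")

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn) if part.strip()]

def country(dn):
    """Return the value of the C= attribute wherever it sits in the DN, or None."""
    for rdn in split_rdns(dn):
        key, _, value = rdn.partition("=")
        if key.strip().upper() == "C":  # exact key match, so CN= and ST= are skipped
            return value.strip().upper()
    return None

def triage(log_text):
    """Group failures per certificate: same-country CA names and a cross-country count."""
    result = defaultdict(lambda: {"same_country": [], "cross_country": 0})
    for line in log_text.splitlines():
        match = LINE_RE.search(line)  # search() tolerates a timestamp/logger prefix
        if not match:
            continue
        cert, ca = match["cert"], match["ca"]
        cert_country = country(cert)
        if cert_country is not None and cert_country == country(ca):
            result[cert]["same_country"].append(ca)
        else:
            result[cert]["cross_country"] += 1
    return dict(result)

if __name__ == "__main__":
    for cert, info in triage(SAMPLE_LOG).items():
        print(cert, "| cross-country failures:", info["cross_country"])
        for ca in info["same_country"]:
            print("  same-country CA that did not verify:", ca)
```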

psavva commented 3 years ago

Further investigation shows that the CSCA from Germany is using the signature algorithm rsassaPss, and the same is true of the DSC signature algorithm for KID f1sfUVIx8CA= (investigating the specific item).

This may be the root cause of the issue we are seeing, and specific to this algorithm. As per the documentation: https://github.com/eu-digital-green-certificates/dgc-overview/blob/main/guides/certificate-governance.md#requirements-on-the-dsc

Requirements on the DSC

The requirements from [2, Section 3.3.2] apply. Hence, it is strongly RECOMMENDED that Document Signers use the Elliptic Curve Digital Signature Algorithm (ECDSA) with NIST-p-256 (as defined in appendix D of FIPS PUB 186-4). Other elliptic curves are not supported. Due to the space restrictions of the digital green certificate, member states SHOULD NOT use RSA-PSS, even if it is allowed as a fallback algorithm. In case that member states use RSA-PSS, they SHOULD use a modulus size of 2048 or max. 3072 bit. SHA-256 SHALL be used as cryptographic hash function (see ISO/IEC 10118-3:2004).

The Key Size I can see for Germany is 4096 bits, and not 2048/3072 as requested by the governance for this specific key.

SchulzeStTSI commented 3 years ago

@psavva please see here the fix for it https://github.com/eu-digital-green-certificates/dgc-testdata/issues/242

psavva commented 3 years ago

@SchulzeStTSI This Repo must be updated to use the fixed version

psavva commented 3 years ago

Fixed and Working.

Thank you, I can confirm that I now receive all 49 KIDs.

Best Regards,
Panayiotis Savva