gematik / ref-eRp-FD-Server

ARCHIVED - This project acts as reference implementation of main aspects of an e-prescription server designed by gematik.

upgrade from 0.17.1 to 0.19.0 #28

Closed nauni77 closed 3 years ago

nauni77 commented 3 years ago

Hello,

you told me, that you describe how to run this software at README.md. Since 0.17.0 there was no change at README.md and I assumed that I just have to checkout the new commits and build the software. But this is not working.

  1. the compile still works
  2. the start of the server even seems to work
  3. but while creating an eprescription I receive:
     3.1. profession id from doctor changed - the old is now invalid => solved
     3.2. while activating an eprescription I receive now:
{"resourceType":"OperationOutcome","meta":{"profile":["http://hl7.org/fhir/StructureDefinition/OperationOutcome"]},"issue":[{"severity":"error","code":"invalid","details":{"text":"Unable to verify CMS container: Unable to find Issuer Certificate!"}}]}

I already added our certificate to BNetzA-VL-seq24.xml:

                <!-- added manually - BEGIN -->
                <TSPService>
                    <ServiceInformation>
                        <ServiceTypeIdentifier>
                            http://uri.etsi.org/TrstSvc/Svctype/CA/QC2
                        </ServiceTypeIdentifier>
                        <ServiceDigitalIdentity>
                            <DigitalId>
                                <X509Certificate>
                                  <!-- from qes_id.cert in one line -->
                                    MII............................
                                </X509Certificate>
                            </DigitalId>
                        </ServiceDigitalIdentity>
                        <ServiceStatus>
                            http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted
                        </ServiceStatus>
                        <StatusStartingTime>
                            2020-01-01T00:00:00Z
                        </StatusStartingTime>
                    </ServiceInformation>
                </TSPService>
                <!-- added manually - END -->

Can you help me to solve this issue? What's going wrong? Why is this not working anymore with 0.19.0? If I downgrade to 0.17.1 everything is working as expected.

Thanks in advance and best regards, Oli

Gematik-Entwicklung commented 3 years ago

Hi Oli,

the certificate used to sign the QES container now needs to include the so-called admission extension (1.3.36.8.3.3). This extension contains the profession of the issuer. If the certificate does not contain the extension or if the profession is not "Arzt" (1.2.276.0.76.4.30) or "Zahnarzt" (1.2.276.0.76.4.31), the certificate will not be used to verify the signed data.

Unfortunately openssl does not provide any tool to add this extension. I will try to add these to our tool and update the readme. I will leave you a comment here as soon as I'm done with it.

Best regards, gematik Dev-Team.
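An added example, not code from gematik or this repository: a hypothetical Python checker that decodes the admission extension value (Common PKI / ISIS-MTT AdmissionSyntax for 1.3.36.8.3.3) and applies the rule described above, run over a constructed sample extension value. The structure and field names (contentsOfAdmissions, professionInfos, professionOIDs) follow that specification; the DER walker is minimal and assumes single-byte tags.

```python
# Decode the X.509 admission extension (OID 1.3.36.8.3.3, Common PKI AdmissionSyntax)
# and apply the profession rule from the thread. Hypothetical helper, not the project's code.
ALLOWED = {"1.2.276.0.76.4.30": "Arzt", "1.2.276.0.76.4.31": "Zahnarzt"}

def der_elements(data: bytes):
    """Yield (tag, value) for each TLV in a DER constructed value (single-byte tags)."""
    pos = 0
    while pos < len(data):
        tag, length, pos = data[pos], data[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits = number of length octets
            n = length & 0x7F
            length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        yield tag, data[pos:pos + length]
        pos += length

def decode_oid(value: bytes) -> str:
    """OBJECT IDENTIFIER content octets (base-128 sub-identifiers) to dotted form."""
    subids, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc); acc = 0
    head = [2, subids[0] - 80] if subids[0] >= 80 else [subids[0] // 40, subids[0] % 40]
    return ".".join(map(str, head + subids[1:]))

def profession_oids(ext_value: bytes) -> list:
    """Collect professionOIDs. Optional context-tagged fields (admissionAuthority,
    namingAuthority; tags 0x80..0xBF) are skipped by keeping only SEQUENCEs (0x30)."""
    found = []
    _, syntax = next(der_elements(ext_value))                             # AdmissionSyntax
    contents = next(v for t, v in der_elements(syntax) if t == 0x30)      # contentsOfAdmissions
    for _, admission in der_elements(contents):                           # Admissions
        infos = next(v for t, v in der_elements(admission) if t == 0x30)  # professionInfos
        for _, info in der_elements(infos):                               # ProfessionInfo
            seqs = [v for t, v in der_elements(info) if t == 0x30]        # professionItems[, professionOIDs]
            if len(seqs) > 1:
                found += [decode_oid(v) for t, v in der_elements(seqs[1]) if t == 0x06]
    return found

def check_admission(ext_value: bytes) -> tuple:
    """Rule described in the thread: extension present and profession Arzt or Zahnarzt."""
    if not ext_value:
        return False, "admission extension 1.3.36.8.3.3 absent"
    accepted = [o for o in profession_oids(ext_value) if o in ALLOWED]
    return (True, ALLOWED[accepted[0]]) if accepted else (False, "no accepted profession OID")

# Constructed sample extnValue: admissionAuthority = URI "test-ca" (tag 0x86, skipped), then one
# Admissions with one ProfessionInfo: professionItems {"Arzt"}, professionOIDs {1.2.276.0.76.4.30}.
SAMPLE_ARZT = bytes.fromhex("3024 8607 746573742d6361 3019 3017 3015 3013"
                            "3006 0c04 41727a74 3009 0607 2a8214004c041e")
SAMPLE_OTHER = SAMPLE_ARZT[:-1] + b"\x63"  # last arc 99: constructed placeholder, not an accepted profession
```

Feeding it the real extension requires first extracting the extnValue octets from the signer certificate; the check then reproduces the acceptance decision the service makes.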

Gematik-Entwicklung commented 3 years ago

I've implemented a new subcommand in the tool, to create the certificates and updated the Readme. The changes will be available in the next release. I've dropped you a pre-compiled win64 binary here, so you can create your certificates using the following commands:

$ openssl req -new -key qes_id > cert.csr
$ ./tool x509 \
    --input cert.csr \
    --output qes_id.cert \
    --signkey qes_id \
    --days 1001 \
    --profession 1.2.276.0.76.4.30

But please do not use these certificates in a production environment, because the admission extension is not fully supported. Only the counterpart that is used by the service is implemented!

Best regards, gematik Dev-Team.

nauni77 commented 3 years ago

Hello,

thanks for your work.

I have no Windows machine and can't use this binary. Can you please send me the patch or commit this without a tag, so I can compile the 'tool' myself with cargo build -p tool --release.

Best regards, Oli

Gematik-Entwicklung commented 3 years ago

Sorry, but the code must pass our internal review process first. I will check if we can create a hotfix release for this. But this will at least take until Thursday.

nauni77 commented 3 years ago

That would be really great! I hope you can provide the hotfix asap. Best regards, Oli

Gematik-Entwicklung commented 3 years ago

Hi Oli,

hotfix release 0.19.1 is online :)

Best regards, gematik Dev-Team.

nauni77 commented 3 years ago

Hi,

thanks - now 0.19.1 works for me. :-)

Best regards, Oli