panzi / verify-ehc

Simple Python script to decode and verify an European Health Certificate QR-code

Strip Revoked #26

Closed trasgu82 closed 2 years ago

trasgu82 commented 2 years ago

Hello panzi,

Great job!

I'm testing your script and I'm having an issue making the parameter "--strip-revoked" work. Am I doing something wrong or is it just broken right now? I found some testing fake QR codes and in most apps a few days ago they worked but now they already show up as revoked. With your script I was not able to detect them (I think it's also related to the problems downloading revoked certificate lists):

Thanks in advance

```
ERROR: loading revokation list https://e-certs.gouv.tg/crl/hcert/covid19 https://e-certs.gouv.tg/crl/hcert/covid19 401 Unauthorized
ERROR: loading revokation list http://greenca.diia.gov.ua/download/crls/CA-7904C820-Full.crl http://greenca.diia.gov.ua/download/crls/CA-7904C820-Full.crl 502 Bad Gateway
ERROR: loading revokation list http://crl.exampledomain.example/CRL/CSCA.crl HTTPConnectionPool(host='crl.exampledomain.example', port=80): Max retries exceeded with url: /CRL/CSCA.crl (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x000002186877B910>: Failed to establish a new connection: [Errno 11001] getaddrinfo failed'))
ERROR: loading revokation list http://crl.cra.ge/dgccountrysigningca.crl http://crl.cra.ge/dgccountrysigningca.crl 404 Not Found
ERROR: loading revokation list http://crl.his.bg/csca1.crl HTTPConnectionPool(host='crl.his.bg', port=80): Max retries exceeded with url: /csca1.crl (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x00000218687ADB80>: Failed to establish a new connection: [Errno 11001] getaddrinfo failed'))
ERROR: loading revokation list http://NBMorocco.ma/CRLs/MA-Health.crl HTTPSConnectionPool(host='nbmorocco.ma', port=443): Max retries exceeded with url: /CRLs/MA-Health.crl (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))
ERROR: loading revokation list http://ants.gouv.fr/csca_crl http://ants.gouv.fr/csca_crl 404 Not Found
ERROR: loading revokation list http://cdp.health.gov.il/crl/CSCA-Health-DCG-IL-01.crl http://cdp.health.gov.il/crl/CSCA-Health-DCG-IL-01.crl 404 Not Found
ERROR: loading revokation list https://csca-mco.gouv.mc/MCO.crl Unable to load CRL
ERROR: loading revokation list https://csca-mco.gouv.mc/MCO.crl https://csca-mco.gouv.mc/MCO.crl 200 OK
ERROR: loading revokation list http://cert.gov.ie/CRL/CSCA.crl HTTPConnectionPool(host='cert.gov.ie', port=80): Max retries exceeded with url: /CRL/CSCA.crl (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x00000218687F3DC0>: Failed to establish a new connection: [Errno 11001] getaddrinfo failed'))
ERROR: loading revokation list https://gen.digitalcovidcertificates.gov.ie/api/CSCA.crl https://gen.digitalcovidcertificates.gov.ie/api/CSCA.crl 404 Not Found
ERROR: loading revokation list http://www.smdcc.sm/CRL/CSCA.crl Unable to load CRL
ERROR: loading revokation list http://crl.eudcc.gov.cy/dsc.crl HTTPConnectionPool(host='crl.eudcc.gov.cy', port=80): Max retries exceeded with url: /dsc.crl (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x0000021868800040>: Failed to establish a new connection: [Errno 11001] getaddrinfo failed'))
ERROR: loading revokation list http://dgc1.dgc.hr/croatia-dgc-csca.crl HTTPConnectionPool(host='dgc1.dgc.hr', port=80): Max retries exceeded with url: /croatia-dgc-csca.crl (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x0000021868804760>: Failed to establish a new connection: [Errno 11002] getaddrinfo failed'))
ERROR: loading revokation list http://dgc2.dgc.hr/croatia-dgc-csca.crl HTTPConnectionPool(host='dgc2.dgc.hr', port=80): Max retries exceeded with url: /croatia-dgc-csca.crl (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x0000021868804850>: Failed to establish a new connection: [Errno 11002] getaddrinfo failed'))
ERROR: loading revokation list http://dgc1.dgc.hr/croatia-dgc-csca.crl HTTPConnectionPool(host='dgc1.dgc.hr', port=80): Max retries exceeded with url: /croatia-dgc-csca.crl (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x0000021868807670>: Failed to establish a new connection: [Errno 11002] getaddrinfo failed'))
ERROR: loading revokation list http://dgc2.dgc.hr/croatia-dgc-csca.crl HTTPConnectionPool(host='dgc2.dgc.hr', port=80): Max retries exceeded with url: /croatia-dgc-csca.crl (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x0000021868807760>: Failed to establish a new connection: [Errno 11002] getaddrinfo failed'))
ERROR: loading revokation list http://pki.nhsx.nhs.uk/CRL/ENG_CSCA.crl http://pki.nhsx.nhs.uk/CRL/ENG_CSCA.crl 404 Not Found
ERROR: loading revokation list http://covid-status.service.nhsx.nhs.uk/CRL/ENG_CSCA.crl http://covid-status.service.nhsx.nhs.uk/CRL/ENG_CSCA.crl 403 Forbidden
ERROR: loading revokation list http://pki.nhsx.nhs.uk/CRL/ENG_CSCA.crl http://pki.nhsx.nhs.uk/CRL/ENG_CSCA.crl 404 Not Found
ERROR: loading revokation list http://covid-status.service.nhsx.nhs.uk/CRL/ENG_CSCA.crl http://covid-status.service.nhsx.nhs.uk/CRL/ENG_CSCA.crl 403 Forbidden
ERROR: loading revokation list http://pki.nhsx.nhs.uk/CRL/ENG_CSCA.crl http://pki.nhsx.nhs.uk/CRL/ENG_CSCA.crl 404 Not Found
ERROR: loading revokation list http://covid-status.service.nhsx.nhs.uk/CRL/ENG_CSCA.crl http://covid-status.service.nhsx.nhs.uk/CRL/ENG_CSCA.crl 403 Forbidden
ERROR: loading revokation list http://pki.nhsx.nhs.uk/CRL/ENG_CSCA.crl http://pki.nhsx.nhs.uk/CRL/ENG_CSCA.crl 404 Not Found
ERROR: loading revokation list http://covid-status.service.nhsx.nhs.uk/CRL/ENG_CSCA.crl http://covid-status.service.nhsx.nhs.uk/CRL/ENG_CSCA.crl 403 Forbidden
ERROR: loading revokation list http://pki.nhsx.nhs.uk/CRL/SCO_CSCA.crl http://pki.nhsx.nhs.uk/CRL/SCO_CSCA.crl 404 Not Found
ERROR: loading revokation list http://covid-status.service.nhsx.nhs.uk/CRL/SCO_CSCA.crl http://covid-status.service.nhsx.nhs.uk/CRL/SCO_CSCA.crl 403 Forbidden
ERROR: loading revokation list https://www.notarise.gov.sg/csca.crl Unable to load CRL
ERROR: loading revokation list http://crl.exampledomain.example/CRL/CSCA.crl HTTPConnectionPool(host='crl.exampledomain.example', port=80): Max retries exceeded with url: /CRL/CSCA.crl (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x0000021868865BE0>: Failed to establish a new connection: [Errno 11001] getaddrinfo failed'))
ERROR: loading revokation list http://crldes.izenpe.com/cgi-bin/crlbcizenpe http://crldes.izenpe.com/cgi-bin/crlbcizenpe 404 Not Found
```


Just in case you're interested, I think here you can see how to download the Italian certificate list. You may be interested in including it in your script... https://github.com/ministero-salute/dcc-utils/blob/master/examples/fetch_certificates.js

panzi commented 2 years ago

That revocation feature is about the revocation of X509 certificates. The DCC infrastructure isn't even meant to use that feature and as such most certificates don't have a revocation list URL and for some that do the URL doesn't work. The way "revocation" of trust list entries is meant to happen is that you just frequently download the trust list, and only certificates in the trust list are valid. If a certificate disappears from the trust list it was "revoked".

Revocation of single wrongly issued digital covid certificates (aka European health certificates) is I think not standardized yet (I haven't been keeping close attention). I know Germany has 2 (two) IDs of faked certificates hard coded in their app (at least last time when I checked, which is probably a few weeks ago).

About fetch_certificates.js: Oh wow, that is the most inefficient way I've ever seen to fetch a list of certificates! One HTTP request per certificate, and there are 250 certificates in that list.

PS: If you want to post multiline code preserving newlines enclose the code in triple backticks (```) instead of just single backticks.
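To make the trust-list model from the comment above concrete, here is an added Python example (not code from verify-ehc or from either commenter). It derives key identifiers the way the DCC spec does (base64 of the first 8 bytes of SHA-256 over the DER-encoded signer certificate), diffs two downloads of a trust list to find entries that vanished, and refuses to trust a list that is too old. The certificate bytes are constructed placeholders, not real DER.

```python
"""Trust-list based 'revocation' check for DCC signer certificates (DSCs)."""
import base64
import hashlib
from typing import Dict, Iterable, Set, Tuple

# Constructed sample data: stand-ins for DER-encoded DSCs. A real trust list
# carries actual X.509 DER blobs; here only the bytes' identity matters.
CERT_A = b"constructed-der-for-signer-A"
CERT_B = b"constructed-der-for-signer-B"
CERT_C = b"constructed-der-for-signer-C"


def compute_kid(der_cert: bytes) -> str:
    """DCC key identifier: base64 of the first 8 bytes of SHA-256 over the DER cert."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()[:8]).decode("ascii")


def build_trust_list(certs: Iterable[bytes]) -> Dict[str, bytes]:
    """Index certificates by kid, which is how a verifier looks up a COSE signer."""
    return {compute_kid(c): c for c in certs}


def diff_trust_lists(old: Dict[str, bytes], new: Dict[str, bytes]) -> Tuple[Set[str], Set[str]]:
    """Return (added_kids, removed_kids). A kid that vanished is effectively revoked."""
    return set(new) - set(old), set(old) - set(new)


def signer_is_trusted(kid: str, trust_list: Dict[str, bytes],
                      fetched_at: float, now: float, max_age_s: int = 24 * 3600) -> bool:
    """Accept a signer only if the list is fresh enough AND still contains its kid.

    A stale list may still carry an entry the issuer has since dropped, so an
    out-of-date list is treated as unusable (fail closed) rather than trusted.
    """
    if now - fetched_at > max_age_s:
        return False
    return kid in trust_list


# Yesterday's download listed A and B; today's download lists B and C.
OLD_LIST = build_trust_list([CERT_A, CERT_B])
NEW_LIST = build_trust_list([CERT_B, CERT_C])
ADDED, REMOVED = diff_trust_lists(OLD_LIST, NEW_LIST)

if __name__ == "__main__":
    print("added signers:", ADDED)
    print("removed (effectively revoked) signers:", REMOVED)
```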

trasgu82 commented 2 years ago

> That revocation feature is about the revocation of X509 certificates. The DCC infrastructure isn't even meant to use that feature and as such most certificates don't have a revocation list URL and for some that do the URL doesn't work. The way "revocation" of trust list entries is meant to happen is that you just frequently download the trust list, and only certificates in the trust list are valid. If a certificate disappears from the trust list it was "revoked".

Thanks a lot for your help.

> Revocation of single wrongly issued digital covid certificates (aka European health certificates) is I think not standardized yet (I haven't been keeping close attention). I know Germany has 2 (two) IDs of faked certificates hard coded in their app (at least last time when I checked, which is probably a few weeks ago).

Ok, thanks for the info. Now afaik there are several IDs of faked certificates "banned" (Bettino Craxi, Adolf Hitler, Mickey Mouse....). I thought they were revoking the certificates, but it makes sense they're hard coding the individual IDs. The trust list they were using was the same, so the changes should come from the app code.

> About fetch_certificates.js: Oh wow, that is the most inefficient way I've ever seen to fetch a list of certificates! One HTTP request per certificate, and there are 250 certificates in that list.

Yeah, I know. Just wanted to show you the "official" Italian script, as I think Italy is not included in your script. Maybe there's a way to optimize it.

> PS: If you want to post multiline code preserving newlines enclose the code in triple backticks (```) instead of just single backticks.

Ok, thanks for the tip. I'm very much a newbie on GitHub; these are only my first comments here...

panzi commented 2 years ago

Yes, thank you for the Italian script. I've added support for it now. 😄