panzi / verify-ehc

Simple Python script to decode and verify an European Health Certificate QR-code

--strip-revoked seems not to be working #31

Closed bluepuma77 closed 2 years ago

bluepuma77 commented 2 years ago

When trying to use --strip-revoked I see a lot of errors, and the cert file has the same size as the one without the flag.

./verify_ehc.py --save-certs /data/certs.json
./verify_ehc.py --save-certs /data/certs2.json --strip-revoked

Is it possible that every supported country has changed the revoked certificate access?

python ./verify_ehc.py --save-certs /data/certs2.json --strip-revoked
ERROR: loading revokation list https://e-certs.gouv.tg/crl/hcert/covid19 https://e-certs.gouv.tg/crl/hcert/covid19 401 Unauthorized
ERROR: loading revokation list http://greenca.diia.gov.ua/download/crls/CA-7904C820-Full.crl http://greenca.diia.gov.ua/download/crls/CA-7904C820-Full.crl 502 Bad Gateway
ERROR: loading revokation list http://crl.exampledomain.example/CRL/CSCA.crl HTTPConnectionPool(host='crl.exampledomain.example', port=80): Max retries exceeded with url: /CRL/CSCA.crl (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f160781e890>: Failed to establish a new connection: [Errno -2] Name or service not known'))
ERROR: loading revokation list http://crl.cra.ge/dgccountrysigningca.crl http://crl.cra.ge/dgccountrysigningca.crl 404 Not Found
ERROR: loading revokation list http://crl.cra.ge/dgccountrysigningca.crl http://crl.cra.ge/dgccountrysigningca.crl 404 Not Found
ERROR: loading revokation list http://www.tuntrust.tn/cscatndgc.crl http://www.tuntrust.tn/cscatndgc.crl 404 Not Found
ERROR: loading revokation list http://crl.his.bg/csca1.crl HTTPConnectionPool(host='crl.his.bg', port=80): Max retries exceeded with url: /csca1.crl (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f1607866560>: Failed to establish a new connection: [Errno -5] No address associated with hostname'))
ERROR: loading revokation list http://crl.his.bg/csca1.crl HTTPConnectionPool(host='crl.his.bg', port=80): Max retries exceeded with url: /csca1.crl (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f1607866e60>: Failed to establish a new connection: [Errno -5] No address associated with hostname'))
ERROR: loading revokation list http://NBMorocco.ma/CRLs/MA-Health.crl HTTPSConnectionPool(host='nbmorocco.ma', port=443): Max retries exceeded with url: /CRLs/MA-Health.crl (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)')))
ERROR: loading revokation list http://ants.gouv.fr/csca_crl http://ants.gouv.fr/csca_crl 404 Not Found
.....
ERROR: loading revokation list http://ants.gouv.fr/csca_crl http://ants.gouv.fr/csca_crl 404 Not Found
ERROR: loading revokation list http://cdp.health.gov.il/crl/CSCA-Health-DCG-IL-01.crl http://cdp.health.gov.il/crl/CSCA-Health-DCG-IL-01.crl 404 Not Found
ERROR: loading revokation list https://csca-mco.gouv.mc/MCO.crl error parsing asn1 value: ParseError { kind: UnexpectedTag { actual: 60 } }
ERROR: loading revokation list https://csca-mco.gouv.mc/MCO.crl https://csca-mco.gouv.mc/MCO.crl 200 OK
ERROR: loading revokation list https://csca-mco.gouv.mc/MCO.crl https://csca-mco.gouv.mc/MCO.crl 200 OK
ERROR: loading revokation list http://cert.gov.ie/CRL/CSCA.crl HTTPConnectionPool(host='cert.gov.ie', port=80): Max retries exceeded with url: /CRL/CSCA.crl (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f16076c6530>: Failed to establish a new connection: [Errno -2] Name or service not known'))
ERROR: loading revokation list https://gen.digitalcovidcertificates.gov.ie/api/CSCA.crl https://gen.digitalcovidcertificates.gov.ie/api/CSCA.crl 404 Not Found
ERROR: loading revokation list http://empty HTTPConnectionPool(host='empty', port=80): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f16076c7460>: Failed to establish a new connection: [Errno -2] Name or service not known'))
ERROR: loading revokation list http://mju.gov.me/cert/CRL/CSCA.crl http://mju.gov.me/cert/CRL/CSCA.crl 404 Not Found
ERROR: loading revokation list http://www.smdcc.sm/CRL/CSCA.crl error parsing asn1 value: ParseError { kind: UnexpectedTag { actual: 60 } }
ERROR: loading revokation list http://crl.eudcc.gov.cy/dsc.crl HTTPConnectionPool(host='crl.eudcc.gov.cy', port=80): Max retries exceeded with url: /dsc.crl (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f16076d5cf0>: Failed to establish a new connection: [Errno -2] Name or service not known'))
ERROR: loading revokation list https://hca.mohw.gov.tw/download/CSCA/CRL/complete.crl HTTPSConnectionPool(host='hca.mohw.gov.tw', port=443): Max retries exceeded with url: /download/CSCA/CRL/complete.crl (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x7f16076e0460>, 'Connection to hca.mohw.gov.tw timed out. (connect timeout=None)'))
ERROR: loading revokation list http://dgc1.dgc.hr/croatia-dgc-csca.crl HTTPConnectionPool(host='dgc1.dgc.hr', port=80): Max retries exceeded with url: /croatia-dgc-csca.crl (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f16076d4370>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
ERROR: loading revokation list http://dgc2.dgc.hr/croatia-dgc-csca.crl HTTPConnectionPool(host='dgc2.dgc.hr', port=80): Max retries exceeded with url: /croatia-dgc-csca.crl (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f16076c7d60>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
ERROR: loading revokation list http://dgc1.dgc.hr/croatia-dgc-csca.crl HTTPConnectionPool(host='dgc1.dgc.hr', port=80): Max retries exceeded with url: /croatia-dgc-csca.crl (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f16076e1c00>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
ERROR: loading revokation list http://dgc2.dgc.hr/croatia-dgc-csca.crl HTTPConnectionPool(host='dgc2.dgc.hr', port=80): Max retries exceeded with url: /croatia-dgc-csca.crl (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f16076e1cf0>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
ERROR: Parsing CRL distribution points: error parsing asn1 value: ParseError { kind: EncodedDefault, location: ["BasicConstraints::ca"] }
ERROR: loading revokation list http://pki.nhsx.nhs.uk/CRL/ENG_CSCA.crl http://pki.nhsx.nhs.uk/CRL/ENG_CSCA.crl 404 Not Found
ERROR: loading revokation list http://covid-status.service.nhsx.nhs.uk/CRL/ENG_CSCA.crl http://covid-status.service.nhsx.nhs.uk/CRL/ENG_CSCA.crl 403 Forbidden
ERROR: loading revokation list http://pki.nhsx.nhs.uk/CRL/ENG_CSCA.crl http://pki.nhsx.nhs.uk/CRL/ENG_CSCA.crl 404 Not Found
ERROR: loading revokation list http://covid-status.service.nhsx.nhs.uk/CRL/ENG_CSCA.crl http://covid-status.service.nhsx.nhs.uk/CRL/ENG_CSCA.crl 403 Forbidden
ERROR: loading revokation list http://pki.nhsx.nhs.uk/CRL/ENG_CSCA.crl http://pki.nhsx.nhs.uk/CRL/ENG_CSCA.crl 404 Not Found
ERROR: loading revokation list http://covid-status.service.nhsx.nhs.uk/CRL/ENG_CSCA.crl http://covid-status.service.nhsx.nhs.uk/CRL/ENG_CSCA.crl 403 Forbidden
ERROR: loading revokation list http://pki.nhsx.nhs.uk/CRL/ENG_CSCA.crl http://pki.nhsx.nhs.uk/CRL/ENG_CSCA.crl 404 Not Found
ERROR: loading revokation list http://covid-status.service.nhsx.nhs.uk/CRL/ENG_CSCA.crl http://covid-status.service.nhsx.nhs.uk/CRL/ENG_CSCA.crl 403 Forbidden
ERROR: loading revokation list https://crl.nosi.cv/crls/nosica-g2.crl ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))
ERROR: loading revokation list http://crl.exampledomain.example/CRL/CSCA.crl HTTPConnectionPool(host='crl.exampledomain.example', port=80): Max retries exceeded with url: /CRL/CSCA.crl (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f160771e950>: Failed to establish a new connection: [Errno -2] Name or service not known'))
ERROR: loading revokation list http://pki.nhsx.nhs.uk/CRL/SCO_CSCA.crl http://pki.nhsx.nhs.uk/CRL/SCO_CSCA.crl 404 Not Found
ERROR: loading revokation list http://covid-status.service.nhsx.nhs.uk/CRL/SCO_CSCA.crl http://covid-status.service.nhsx.nhs.uk/CRL/SCO_CSCA.crl 403 Forbidden
ERROR: Parsing CRL distribution points: error parsing asn1 value: ParseError { kind: EncodedDefault, location: ["BasicConstraints::ca"] }
ERROR: loading revokation list https://www.notarise.gov.sg/csca.crl error parsing asn1 value: ParseError { kind: ShortData }
ERROR: loading revokation list https://www.notarise.gov.sg/csca.crl https://www.notarise.gov.sg/csca.crl 200 OK
ERROR: loading revokation list http://crl.exampledomain.example/CRL/CSCA.crl HTTPConnectionPool(host='crl.exampledomain.example', port=80): Max retries exceeded with url: /CRL/CSCA.crl (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f160774c3d0>: Failed to establish a new connection: [Errno -2] Name or service not known'))
ERROR: loading revokation list http://crldes.izenpe.com/cgi-bin/crlbcizenpe http://crldes.izenpe.com/cgi-bin/crlbcizenpe 404 Not Found
ERROR: Parsing extended key usage: error parsing asn1 value: ParseError { kind: EncodedDefault, location: ["BasicConstraints::ca"] }
ERROR: Parsing extended key usage: error parsing asn1 value: ParseError { kind: EncodedDefault, location: ["BasicConstraints::ca"] }
panzi commented 2 years ago

Many of the certificates have revocation list entries, but a lot of those revocation lists are broken. That means it isn't my script that is broken here, but the revocation list URIs included in the certificates point to non-existing or broken endpoints. I should probably mention that in the README.
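
As an added example (not verify-ehc's own code), the script below sorts the kinds of failure seen in the output above into categories and sniffs a fetched CRL body before it reaches an ASN.1 parser; the ASN.1 tag value 60 in the log is ASCII '<', which is what an HTML or XML page starts with, so a CRL URL that returns 200 OK but fails with that tag most likely served a web page rather than a DER CRL. The log lines and byte strings are constructed, and the category names are this example's own.

```python
import re
from collections import Counter

SAMPLE_LOG = [  # constructed, modelled on the issue's output (shortened; not a live run)
    "ERROR: loading revokation list https://e-certs.gouv.tg/crl/hcert/covid19 https://e-certs.gouv.tg/crl/hcert/covid19 401 Unauthorized",
    "ERROR: loading revokation list http://crl.his.bg/csca1.crl HTTPConnectionPool(host='crl.his.bg', port=80): Max retries exceeded (Caused by NewConnectionError('[Errno -5] No address associated with hostname'))",
    "ERROR: loading revokation list https://csca-mco.gouv.mc/MCO.crl error parsing asn1 value: ParseError { kind: UnexpectedTag { actual: 60 } }",
    "ERROR: loading revokation list https://csca-mco.gouv.mc/MCO.crl https://csca-mco.gouv.mc/MCO.crl 200 OK",
    "ERROR: Parsing CRL distribution points: error parsing asn1 value: ParseError { kind: EncodedDefault, location: [\"BasicConstraints::ca\"] }",
]
LOAD_RE = re.compile(r"^ERROR: loading revokation list (\S+) (.*)$")
STATUS_RE = re.compile(r"^\S+ (\d{3}) ")
# (substring to look for, category); first match wins. Categories are this example's own names.
HINTS = [
    ("Name or service not known", "dns-failure"), ("No address associated", "dns-failure"),
    ("failure in name resolution", "dns-failure"), ("CERTIFICATE_VERIFY_FAILED", "tls-verify-failed"),
    ("timed out", "timeout"), ("Connection reset", "connection-reset"),
    # ASN.1 tag 60 is ASCII '<': the endpoint served HTML/XML text, not a DER-encoded CRL.
    ("UnexpectedTag { actual: 60 }", "asn1-not-der-looks-like-html"),
    ("error parsing asn1", "asn1-parse-error"),
]

def classify_line(line):
    """Map one verify_ehc error line to (url, category); url is None for certificate-side errors."""
    m = LOAD_RE.match(line)
    if not m:
        return (None, "cert-extension-unparsable" if line.startswith("ERROR: Parsing") else "other")
    url, detail = m.groups()
    s = STATUS_RE.match(detail)
    if s:  # the issue's log reports 200 OK as an error too: the body arrived but was not a usable CRL
        return (url, "http-200-unusable-body" if s.group(1) == "200" else "http-" + s.group(1))
    return (url, next((cat for hint, cat in HINTS if hint in detail), "other"))

def summarise(lines):
    """Category counts, so one run can be judged at a glance."""
    return Counter(cat for _, cat in map(classify_line, lines))

def sniff_crl_body(data):
    """Classify a fetched body before it reaches an ASN.1 parser; only 'der' should be accepted."""
    if not data:
        return "empty"
    if data.startswith(b"-----BEGIN") or data.lstrip()[:1] == b"<":
        return "pem-or-text"  # PEM, or an HTML/XML error page served with 200 OK
    if len(data) < 2 or data[0] != 0x30:  # a CRL is a DER SEQUENCE, tag 0x30
        return "not-der"
    n = 0 if data[1] < 0x80 else data[1] & 0x7F  # long-form length uses n extra bytes
    if data[1] == 0x80 or n > 4 or len(data) < 2 + n:  # 0x80 = indefinite length, not DER
        return "not-der"
    total = 2 + n + (data[1] if n == 0 else int.from_bytes(data[2:2 + n], "big"))
    return "der" if total == len(data) else "der-length-mismatch"
```

Anything other than "der" from sniff_crl_body means the revocation status for that issuer is unknown, which a stripping step should report rather than silently treat as "nothing revoked".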

panzi commented 2 years ago

Added something about that to --help.