search

rust-italia / dgc

A parser and validator for the EU Digital Green Certificate (dgc) a.k.a. greenpass
https://github.com/rust-italia/dgc
MIT License
26 stars 11 forks source link

Add support to verify RSA signatures #2

Closed lmammino closed 2 years ago

lmammino commented 2 years ago

The current implementation only supports EC P-256 signatures.

Some test certs use RSA (example data CH/2DCode/raw/1.json).

Specification is scattered a bit around, but this is probably the best i could find: https://ec.europa.eu/health/sites/default/files/ehealth/docs/digital-green-certificates_v1_en.pdf

Pagg 5-6 say:

The Signature Algorithm (alg) parameter indicates what algorithm is used for the creating the signature. It must meet or exceed current SOG-IT guidelines. One primary and one secondary algorithm is defined. The secondary algorithm should only be used if the primary algorithm is not acceptable within the rules and regulations imposed on the implementor. However, it is essential and of utmost importance for the security of the system that all implementations incorporate the secondary algorithm. For this reason, both the primary and the secondary algorithm MUST be implemented. For this version of the specification, the SOG-IT set levels for the primary and secondary algorithms are:

  • Primary Algorithm: The primary algorithm is Elliptic Curve Digital Signature Algorithm (ECDSA) as defined in (ISO/IEC 14888–3:2006) section 2.3, using the P–256 parameters as defined in appendix D (D.1.2.3) of (FIPS PUB 186–4) in combination the SHA–256 hash algorithm as defined in (ISO/IEC 10118–3:2004) function 4.

This corresponds to the COSE algorithm parameter ES256.

  • Secondary Algorithm: The secondary algorithm is RSASSA-PSS as defined in (RFC 8230) with a modulus of 2048 bits in combination with the SHA–256 hash algorithm as defined in (ISO/IEC 10118–3:2004) function 4.

This corresponds to the COSE algorithm parameter: PS256

dodomorandi commented 2 years ago

@lmammino I think that @lu-zero is already doing something related to this issue in #14.

lu-zero commented 2 years ago

I started at least. Can you link the specification in the issue so hopefully later I can continue?

lmammino commented 2 years ago

@lu-zero added some references to the spec in the issue description (sorry i missed your comment above when you posted it :/ )