eu-digital-green-certificates / dgc-cli

Command Line Tool for European Digital Green Certificate project.

License: Apache License 2.0

JavaScript 1.78% Java 98.12% Batchfile 0.11%

dgc-cli's People

Contributors

ascheibal, daniel-eder, f11h, joerg-oppermann-tsi, mschulte-tsi, zeridon


dgc-cli's Issues

String Signing with FileInput does not work

Describe the bug

Signing a string which is saved in a file is not possible with the latest version of dgc-cli.

Expected behaviour

String in a file (e.g. example.json) should be loaded properly and signed.

Steps to reproduce the issue

Sign string in file with

dgc signing sign-string -c cert.pem -k key.pem -i example.json -o signed.cms

Will result in java.lang.RuntimeException: Message Builder is not ready

Possible Fix

Bug was introduced with 8192c9a

Additional context

Still works in 0.6.2

Add Thumbprint of Signer Certificate when verifying signatures

Current Implementation

The method to verify a signature currently only outputs the Subject of the signer certificate.

Suggested Enhancement

To clearly identify the signer certificate, a unique attribute of the signer certificate is required.
The SHA-256 thumbprint of the certificate should be fine.

Also it would be great to provide a certificate-file with a certificate which will be used to compare the thumbprints.

Expected Benefits

Definitive check whether the signer certificate is the correct one.
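As an added illustration of the enhancement requested above (example code written for this page, not part of dgc-cli): the thumbprint is computed over the DER encoding, which is what `openssl x509 -noout -fingerprint -sha256` hashes as well, so hashing the PEM text would give a different and unstable value. The comparison against a pinned certificate is done in constant time. The certificate bytes embedded below are constructed placeholders rather than real certificates; the function names are this example's own.

```python
"""SHA-256 thumbprint of an X.509 certificate, computed and compared the way a
verifier would report it. Added example for this page, not dgc-cli code; the
certificate bytes below are constructed placeholders, not real certificates."""
import base64
import hashlib
import hmac
import re

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> list:
    """DER bytes of every CERTIFICATE block in a PEM string.

    The thumbprint must be taken over the DER encoding: re-wrapping lines,
    CRLF vs LF or a trailing newline all change the PEM text but not the
    certificate, and DER is also what `openssl x509 -fingerprint` hashes.
    """
    return [base64.b64decode(re.sub(r"\s+", "", body)) for body in _PEM_CERT.findall(pem)]


def sha256_thumbprint(der: bytes) -> str:
    """Upper-case hex SHA-256 of the DER, colon-separated like OpenSSL's
    `-fingerprint -sha256` output (32 byte pairs)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def thumbprint_matches(signer_der: bytes, expected: str) -> bool:
    """Compare the signer's thumbprint against a pinned value.

    Accepts colon-separated or bare hex in either case, and compares in
    constant time; a plain `==` on hex strings can leak a prefix match.
    """
    def norm(s: str) -> str:
        return s.replace(":", "").lower()
    return hmac.compare_digest(norm(sha256_thumbprint(signer_der)), norm(expected))


def _constructed_pem(marker: bytes) -> str:
    # Constructed sample: a CERTIFICATE block around placeholder bytes.
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(marker).decode()
            + "-----END CERTIFICATE-----\n")


SIGNER_PEM = _constructed_pem(b"placeholder DER of the certificate that signed the CMS")
PINNED_PEM = _constructed_pem(b"placeholder DER of the certificate we expect to have signed it")


def verify_signer(signer_pem: str, pinned_pem: str) -> dict:
    """What the enhancement asks the verify command to report: the signer's
    thumbprint and whether it equals the pinned certificate's."""
    signer_der = pem_to_der(signer_pem)[0]
    pinned_der = pem_to_der(pinned_pem)[0]
    return {
        "signer_sha256": sha256_thumbprint(signer_der),
        "matches_pinned": thumbprint_matches(signer_der, sha256_thumbprint(pinned_der)),
    }


if __name__ == "__main__":
    print(verify_signer(SIGNER_PEM, PINNED_PEM))   # matches_pinned: False
    print(verify_signer(SIGNER_PEM, SIGNER_PEM))   # matches_pinned: True
```

Printing the thumbprint next to the Subject gives the reader something a second certificate with the same Subject cannot reproduce, which is the point of the request; comparing against a `-c`-supplied certificate is then a single `thumbprint_matches` call.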

Cannot build due to missing dependency

Describe the bug

While attempting to build the gateway, the build fails with an unresolved dependency:

[WARNING] Could not transfer metadata eu.europa.ec.dgc:dgc-lib:1.0.0-SNAPSHOT/maven-metadata.xml from/to dgc-github (https://maven.pkg.github.com/eu-digital-green-certificates/*): authentication failed for https://maven.pkg.github.com/eu-digital-green-certificates/*/eu/europa/ec/dgc/dgc-lib/1.0.0-SNAPSHOT/maven-metadata.xml, status: 401 Unauthorized
[WARNING] eu.europa.ec.dgc:dgc-lib:1.0.0-SNAPSHOT/maven-metadata.xmlfailed to transfer from https://maven.pkg.github.com/eu-digital-green-certificates/* during a previous attempt. This failure was cached in the local repository and resolution will not be reattempted until the update interval of dgc-github has elapsed or updates are forced. Original error: Could not transfer metadata eu.europa.ec.dgc:dgc-lib:1.0.0-SNAPSHOT/maven-metadata.xml from/to dgc-github (https://maven.pkg.github.com/eu-digital-green-certificates/*): authentication failed for https://maven.pkg.github.com/eu-digital-green-certificates/*/eu/europa/ec/dgc/dgc-lib/1.0.0-SNAPSHOT/maven-metadata.xml, status: 401 Unauthorized
Downloading from dgc-github: https://maven.pkg.github.com/eu-digital-green-certificates/*/eu/europa/ec/dgc/dgc-lib/1.0.0-SNAPSHOT/dgc-lib-1.0.0-SNAPSHOT.pom
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.589 s
[INFO] Finished at: 2021-05-11T07:56:41Z
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal on project dgc-cli: Could not resolve dependencies for project eu.europa.ec.dgc.cli:dgc-cli:jar:latest: Failed to collect dependencies at eu.europa.ec.dgc:dgc-lib:jar:1.0.0-SNAPSHOT: Failed to read artifact descriptor for eu.europa.ec.dgc:dgc-lib:jar:1.0.0-SNAPSHOT: Could not transfer artifact eu.europa.ec.dgc:dgc-lib:pom:1.0.0-SNAPSHOT from/to dgc-github (https://maven.pkg.github.com/eu-digital-green-certificates/*): authentication failed for https://maven.pkg.github.com/eu-digital-green-certificates/*/eu/europa/ec/dgc/dgc-lib/1.0.0-SNAPSHOT/dgc-lib-1.0.0-SNAPSHOT.pom, status: 401 Unauthorized -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/DependencyResolutionException

Expected behaviour

Successful build with mvn clean install

Steps to reproduce the issue

  • Clone repo
  • docker run --rm -ti -v /sources/dgc/dgc-cli:/source maven:3-adoptopenjdk-11 /bin/bash
  • mvn clean install

Technical details

  • Host Machine OS (Windows/Linux/Mac): Linux with Docker container maven:3-adoptopenjdk-11

Possible Fix

Additional context

Add features to manually decode raw data from QR codes

Feature description

This command-line tool should be able to parse data obtained directly from any QR code with a certificate (starting with HC1:...) either in one step or manually one step at a time, to be able to easily reverse engineer the JSON payload, the signature etc. without the need to fetch independent base45 Python/Rust libraries etc. Basically, the workflow of the validation apps that decode the QR code and parse and interpret it should be accessible to anyone via the command line.

Problem and motivation

The IETF draft for base45 was published only recently (1 July 2021), and apart from Python and Rust libraries and the reference implementation in this GitHub repository, no tool exists to directly base45 decode/encode on the command line or via some online tool. Performing the other steps, such as decoding and verifying the serialized binary data and uncompressing via zlib, could be streamlined as an easy-to-use command-line toolbox. Even technically savvy people tend to misunderstand how the certificates are cryptographically signed and appear to believe that they can simply be forged.

Is this something you're interested in working on

No, I don't have the programming skills to do so. I just tried (without success) to obtain a Linux tool to base45 decode a string and was surprised that such a simple thing (for base64, e.g.) is so difficult right now for base45, as it is so new.
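The decoding chain the request above asks for, as an added example written for this page in Python (it is neither dgc-cli code nor the reference implementation): Base45 per RFC 9285, with the decoder rejecting the inputs the RFC says a decoder must reject (a lone trailing character, a triplet above 0xFFFF such as "GGW", a final pair above 0xFF, characters outside the alphabet), followed by the "HC1:" prefix strip and zlib inflate that yields the COSE_Sign1 structure a verifier app then parses. The COSE bytes used as input are a constructed stand-in, not a real certificate; CBOR decoding and signature verification are deliberately out of scope.

```python
"""Base45 (RFC 9285) plus the EU DCC "HC1:" unwrapping, end to end.

Added example for this page, not dgc-cli code. SAMPLE_COSE is a constructed
byte string shaped like a COSE_Sign1, not a real certificate."""
import zlib

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"
_VALUE = {c: i for i, c in enumerate(ALPHABET)}


def b45encode(data: bytes) -> str:
    """Two bytes -> three chars (little-endian base 45); a trailing byte -> two chars."""
    out = []
    for i in range(0, len(data), 2):
        chunk = data[i:i + 2]
        if len(chunk) == 2:
            n = chunk[0] * 256 + chunk[1]
            out += ALPHABET[n % 45], ALPHABET[(n // 45) % 45], ALPHABET[n // 45 // 45]
        else:
            n = chunk[0]
            out += ALPHABET[n % 45], ALPHABET[n // 45]
    return "".join(out)


def b45decode(text: str) -> bytes:
    """Inverse of b45encode, rejecting everything RFC 9285 says is not decodable."""
    if len(text) % 3 == 1:
        raise ValueError("base45: a single trailing character is not decodable")
    try:
        vals = [_VALUE[c] for c in text]
    except KeyError as exc:
        raise ValueError(f"base45: character {exc.args[0]!r} not in alphabet") from None
    out = bytearray()
    for i in range(0, len(vals), 3):
        group = vals[i:i + 3]
        n = sum(v * 45 ** k for k, v in enumerate(group))   # c + d*45 + e*45^2
        if len(group) == 3:
            if n > 0xFFFF:                                   # e.g. "GGW" = 65536
                raise ValueError("base45: triplet exceeds 0xFFFF")
            out += n.to_bytes(2, "big")
        else:
            if n > 0xFF:
                raise ValueError("base45: final pair exceeds 0xFF")
            out.append(n)
    return bytes(out)


def encode_hc1(cose_sign1: bytes) -> str:
    """Issuance direction: COSE_Sign1 -> zlib -> base45 -> 'HC1:' prefix."""
    return "HC1:" + b45encode(zlib.compress(cose_sign1, 9))


def decode_hc1(qr_text: str) -> bytes:
    """Verifier direction: the raw QR text back to the COSE_Sign1 bytes."""
    if not qr_text.startswith("HC1:"):
        raise ValueError("not an EU DCC payload: missing 'HC1:' prefix")
    compressed = b45decode(qr_text[4:])
    if compressed[:1] != b"\x78":                            # zlib CMF byte
        raise ValueError("expected a zlib stream after base45 decoding")
    return zlib.decompress(compressed)


def is_cose_sign1(payload: bytes) -> bool:
    """A DCC is CBOR tag 18 (0xD2) around a 4-element array (0x84):
    [protected header, unprotected header, payload, signature]."""
    return payload[:2] == b"\xd2\x84"


# Constructed stand-in: tag 18, array(4), empty protected header bstr, empty
# unprotected map, a 5-byte "payload", a 4-byte "signature". Valid CBOR shape only.
SAMPLE_COSE = b"\xd2\x84\x40\xa0\x45hello\x44sig!"

if __name__ == "__main__":
    qr = encode_hc1(SAMPLE_COSE)
    print(qr)
    print(is_cose_sign1(decode_hc1(qr)))   # True
```

The RFC's own vectors ("AB" -> "BB8", "Hello!!" -> "%69 VD92EX0", "QED8WEX0" -> "ietf!") round-trip through these two functions, which is the quickest way to check a hand-rolled Base45 before trusting it on real payloads. The point the request makes about forgery also falls out of the pipeline: everything here is reversible by design, and the only thing standing between a decoded payload and a forged certificate is the signature in the fourth array element, which this code does not touch.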

dgc ta sign Empty input

Hi,
I created a self-signed certificate (openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365)
and a trust anchor (keytool -importcert -keystore trustanchor.jks -storepass password -file your-created-trustanchor-cert.pem -alias trustanchor).

I try to sign the generated certificate with the trust anchor (dgc ta sign -c trustanchor.jks -k trust-anchor-key.pem -i your-cert.crt) and get this error message:

java.security.cert.CertificateException: Could not parse certificate: java.io.IOException: Empty input
at java.base/sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:115)
at java.base/java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:355)
at eu.europa.ec.dgc.cli.utils.CliUtils.readCertFromFile(CliUtils.java:67)
at eu.europa.ec.dgc.cli.trustanchor.Sign.call(Sign.java:82)
at eu.europa.ec.dgc.cli.trustanchor.Sign.call(Sign.java:47)
at picocli.CommandLine.executeUserObject(CommandLine.java:1953)
at picocli.CommandLine.access$1300(CommandLine.java:145)
at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2352)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2346)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2311)
at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2179)
at picocli.CommandLine.execute(CommandLine.java:2078)
at eu.europa.ec.dgc.cli.Main.main(Main.java:28)
Caused by: java.io.IOException: Empty input
at java.base/sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:111)
... 12 more

Do I have to change the certificate to a different format?

Thank you.

TrustAnchor does not support PKCS#1

Describe the bug

When creating TrustAnchor signatures, the CLI currently does not support private keys in PKCS#1 format.
Doing this results in:

org.bouncycastle.openssl.PEMException: problem parsing PRIVATE KEY: java.lang.IllegalArgumentException: unknown object in getInstance: org.bouncycastle.asn1.ASN1Integer
        at org.bouncycastle.openssl.PEMParser$PrivateKeyParser.parseObject(Unknown Source)
        at org.bouncycastle.openssl.PEMParser.readObject(Unknown Source)
        at eu.europa.ec.dgc.cli.utils.CliUtils.readKeyFromFile(CliUtils.java:50)
        at eu.europa.ec.dgc.cli.trustanchor.Sign.call(Sign.java:83)
        at eu.europa.ec.dgc.cli.trustanchor.Sign.call(Sign.java:47)
        at picocli.CommandLine.executeUserObject(CommandLine.java:1953)
        at picocli.CommandLine.access$1300(CommandLine.java:145)
        at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2352)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2346)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2311)
        at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2179)
        at picocli.CommandLine.execute(CommandLine.java:2078)
        at eu.europa.ec.dgc.cli.Main.main(Main.java:28)
Caused by: java.lang.IllegalArgumentException: unknown object in getInstance: org.bouncycastle.asn1.ASN1Integer
        at org.bouncycastle.asn1.ASN1Sequence.getInstance(Unknown Source)
        at org.bouncycastle.asn1.x509.AlgorithmIdentifier.getInstance(Unknown Source)
        at org.bouncycastle.asn1.pkcs.PrivateKeyInfo.<init>(Unknown Source)
        at org.bouncycastle.asn1.pkcs.PrivateKeyInfo.getInstance(Unknown Source)
        ... 13 more

Expected behaviour

dgc ta sign -c cert_ta.pem -k key_ta-unenc.pem -i cert.pem

with a PKCS#1 private key should successfully sign a certificate with the TrustAnchor.

Steps to reproduce the issue

  1. Create cert --> openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
  2. Create TA --> openssl req -x509 -newkey rsa:4096 -keyout ta-key.pem -out ta-cert.pem -days 365
  3. Decrypt key --> openssl rsa -in ta-key.pem -out ta-unenc.pem
  4. Try to sign --> dgc ta sign -c ta-cert.pem -k ta-unenc.pem -i cert.pem

Workaround

See #4 for a workaround

Possible Fix

The problem is in the eu.europa.ec.dgc.cli.utils.CliUtils#readKeyFromFile method. This method only tries to parse the content of the PEM file into PrivateKeyInfo. This should be reworked in order to support other private key formats.

Getting error (unknown object in getInstance: org.bouncycastle.openssl.PEMKeyPair) while signing with TrustAnchor using dgc-cli. Please help to resolve it.

Getting the below error while signing with TrustAnchor using dgc-cli. Please help to resolve it.

C:\Users\VVSA\Downloads\dgc-gateway-1.1.2\dgc-gateway-1.1.2\certs>java -version
java version "11.0.10" 2021-01-19 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.10+8-LTS-162)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.10+8-LTS-162, mixed mode)

C:\Users\VVSA\Downloads\dgc-gateway-1.1.2\dgc-gateway-1.1.2\certs>dgc ta sign -c cert_ta.pem -k key_ta.pem -i cert_auth.pem
java.lang.IllegalArgumentException: unknown object in getInstance: org.bouncycastle.openssl.PEMKeyPair
at org.bouncycastle.asn1.ASN1Sequence.getInstance(Unknown Source)
at org.bouncycastle.asn1.pkcs.PrivateKeyInfo.getInstance(Unknown Source)
at eu.europa.ec.dgc.cli.utils.CliUtils.readKeyFromFile(CliUtils.java:50)
at eu.europa.ec.dgc.cli.trustanchor.Sign.call(Sign.java:83)
at eu.europa.ec.dgc.cli.trustanchor.Sign.call(Sign.java:47)
at picocli.CommandLine.executeUserObject(CommandLine.java:1953)
at picocli.CommandLine.access$1300(CommandLine.java:145)
at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2352)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2346)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2311)
at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2179)
at picocli.CommandLine.execute(CommandLine.java:2078)
at eu.europa.ec.dgc.cli.Main.main(Main.java:28)
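The two TrustAnchor reports above share one root cause that can be read off the stack traces: both fail at CliUtils.readKeyFromFile (CliUtils.java:50), where the object produced from the PEM file is handed to PrivateKeyInfo.getInstance, which only fits a PKCS#8 "PRIVATE KEY" body. A PKCS#1 RSAPrivateKey is SEQUENCE { INTEGER version, INTEGER modulus, ... }, so a parser expecting PrivateKeyInfo's AlgorithmIdentifier SEQUENCE in the second position hits an ASN1Integer instead (first trace). When BouncyCastle recognises the "RSA PRIVATE KEY" label itself, PEMParser.readObject returns a PEMKeyPair object, which PrivateKeyInfo.getInstance likewise rejects (second trace). The usual Java remedy is to branch on the type readObject returns (PrivateKeyInfo, PEMKeyPair, PKCS8EncryptedPrivateKeyInfo) and convert with JcaPEMKeyConverter. The Python below is an added example for this page, not project code: it shows the structural difference behind both errors and performs the same wrapping as the `openssl pkcs8 -topk8 -nocrypt` workaround, so a PKCS#1 key can be converted before it reaches the CLI. The RSAPrivateKey it builds is a constructed toy with textbook-sized integers, not a usable key, and all function names are this example's own.

```python
"""Tell PKCS#1 (RSAPrivateKey), SEC1 (ECPrivateKey) and PKCS#8 (PrivateKeyInfo)
private keys apart by their ASN.1 structure, and wrap PKCS#1 into PKCS#8.

Added example for this page, not dgc-cli code. SAMPLE_PKCS1_DER is a
constructed, structurally valid RSAPrivateKey with toy integers; it is not a
usable key, but the same functions work on a real one."""
import base64
import re

# AlgorithmIdentifier contents for rsaEncryption (1.2.840.113549.1.1.1) with NULL params
RSA_ENCRYPTION_ALG_ID = bytes.fromhex("06092a864886f70d010101") + b"\x05\x00"


def _der_len(n: int) -> bytes:
    """DER definite length: short form below 0x80, else 0x8N followed by N bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def der_integer(value: int) -> bytes:
    """Non-negative INTEGER; the rounding keeps a leading 0x00 when the top bit is set."""
    return der_tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def _read_tlv(der: bytes, i: int):
    """(tag, content_start, content_end) of the TLV starting at offset i."""
    tag, length, i = der[i], der[i + 1], i + 2
    if length & 0x80:
        n = length & 0x7F
        length, i = int.from_bytes(der[i:i + n], "big"), i + n
    return tag, i, i + length


def pem_blocks(pem: str):
    """(label, der) for each PEM block; the label is only a hint, the DER decides."""
    pat = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
    return [(lbl, base64.b64decode(re.sub(r"\s+", "", b64))) for lbl, b64 in pat.findall(pem)]


def classify_private_key(label: str, der: bytes) -> str:
    """All three encodings start SEQUENCE { INTEGER version, X, ... }; X differs:
    PKCS#8 has the AlgorithmIdentifier SEQUENCE there, PKCS#1 the INTEGER
    modulus (BouncyCastle's 'unknown object ... ASN1Integer' when it expects
    PrivateKeyInfo), SEC1 the OCTET STRING holding the EC private scalar."""
    if label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8-encrypted"
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE expected")
    vtag, _, vend = _read_tlv(der, start)
    if vtag != 0x02:
        raise ValueError("INTEGER version expected as first element")
    second, _, _ = _read_tlv(der, vend)
    kinds = {0x30: "pkcs8", 0x02: "pkcs1-rsa", 0x04: "sec1-ec"}
    if second not in kinds:
        raise ValueError(f"unrecognised private key structure (second tag 0x{second:02x})")
    return kinds[second]


def pkcs1_to_pkcs8(rsa_private_key_der: bytes) -> bytes:
    """Wrap RSAPrivateKey in PrivateKeyInfo, the transformation behind the
    `openssl pkcs8 -topk8 -nocrypt` workaround:
    SEQUENCE { INTEGER 0, SEQUENCE { OID rsaEncryption, NULL }, OCTET STRING key }."""
    return der_tlv(0x30, der_integer(0)
                   + der_tlv(0x30, RSA_ENCRYPTION_ALG_ID)
                   + der_tlv(0x04, rsa_private_key_der))


def to_pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return (f"-----BEGIN {label}-----\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + f"\n-----END {label}-----\n")


def convert_if_needed(pem: str) -> str:
    """Return the key as a PKCS#8 'PRIVATE KEY' block whatever form it came in.
    Encrypted and EC keys are left to openssl, which knows the passphrase/curve."""
    out = []
    for label, der in pem_blocks(pem):
        kind = classify_private_key(label, der)
        if kind == "pkcs1-rsa":
            out.append(to_pem("PRIVATE KEY", pkcs1_to_pkcs8(der)))
        elif kind == "pkcs8":
            out.append(to_pem("PRIVATE KEY", der))
        else:
            raise ValueError(f"{kind}: run `openssl pkcs8 -topk8` on it first")
    return "".join(out)


# Constructed toy RSAPrivateKey: version 0, then n, e, d, p, q, dP, dQ, qInv for
# the textbook pair p=61, q=53 (n=3233, e=17, d=2753). Structure only, no security.
SAMPLE_PKCS1_DER = der_tlv(
    0x30, b"".join(der_integer(v) for v in (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))
SAMPLE_PKCS1_PEM = to_pem("RSA PRIVATE KEY", SAMPLE_PKCS1_DER)

if __name__ == "__main__":
    print(classify_private_key(*pem_blocks(SAMPLE_PKCS1_PEM)[0]))   # pkcs1-rsa
    print(convert_if_needed(SAMPLE_PKCS1_PEM), end="")
```

Classifying by structure rather than by PEM label matters for the first report in particular: a body that is PKCS#1 under a "PRIVATE KEY" header is exactly the case where a label-driven parser produces the ASN1Integer error, and the DER tells the truth either way. For real keys the conversion the example performs is the same as the openssl workaround referenced in the issue; this code is only here to make visible what that conversion changes.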
