Comments (22)

ggrund-tsi avatar ggrund-tsi commented on September 17, 2024

Hi psavva,

for Vaccination and Test the dates were set in backend.
So maybe it is possible to adjust your Cyprus issuance service regarding that?

Best regards, Gordon

from dgca-issuance-web.

psavva avatar psavva commented on September 17, 2024

Hi @ggrund-tsi,

The Vaccination and Test Dates are set in the FrontEnd.
Only 2 HTTP requests are sent to the backend. First to get the DGCI (No Dates)
Second is to supply the Hash (No Dates either here)

All Dates are defined in the FrontEnd when using the DGCA-Issuance-Web.

Please see the code here:

const expiredSeconds = 60 * 60 * 24 * 364;

const encodeCBOR = (certData: any, certMetaData: CertificateMetaData): Buffer => {

    const cborMap = new cbor.Map();
    const issuedAtSec = Date.now() / 1000 | 0;

    // expiration
    cborMap.set((4 as number), issuedAtSec + expiredSeconds);
    // issued at
    cborMap.set((6 as number), issuedAtSec);
    // issuer country code
    cborMap.set((1 as number), certMetaData.countryCode);
    const v1 = new cbor.Map();
    v1.set((1 as number), certData)
    cborMap.set((-260 as number), v1);

    return cbor.encode(cborMap);
}

The Expiration and Issued At Dates are here:

    // expiration
    cborMap.set((4 as number), issuedAtSec + expiredSeconds);
    // issued at
    cborMap.set((6 as number), issuedAtSec);

from dgca-issuance-web.

psavva avatar psavva commented on September 17, 2024

@ggrund-tsi Please also see related: eu-digital-green-certificates/dgca-issuance-service#73

from dgca-issuance-web.

ggrund-tsi avatar ggrund-tsi commented on September 17, 2024

Hi @psavva,

you are right. This fact was not present for me.

regards

from dgca-issuance-web.

psavva avatar psavva commented on September 17, 2024

@daniel-eder I think this issue is critical and needs some attention how to proceed with some urgency.
Any member state that produces for example a Covid Test Certificate, will result in having a certificate valid for 1 year, when they may need to have it only valid for 3 days.
I can of course fix this for Cyprus, but I think this requires attention, and the dates expected are not what is coded here.

Same applies for the Recovery for the Web and the Issuance Service. Please see the linked issue.
eu-digital-green-certificates/dgca-issuance-service#73

from dgca-issuance-web.

daniel-eder avatar daniel-eder commented on September 17, 2024

@SchulzeStTSI can you comment on this?

from dgca-issuance-web.

SchulzeStTSI avatar SchulzeStTSI commented on September 17, 2024

@psavva please check out this branch before we merge it https://github.com/eu-digital-green-certificates/dgca-issuance-web/tree/fix/cert-expiration

from dgca-issuance-web.

psavva avatar psavva commented on September 17, 2024

This is definitely in the right direction.
I would not hard code the periods, as each country has the option to configure the validity period.

Tests are still valid for a full year.

This PR will fix the Recovery Cert with the limitation of the duration.

from dgca-issuance-web.

ggrund-tsi avatar ggrund-tsi commented on September 17, 2024

@psavva now issuance service provides 3 days expiration for test certificate

from dgca-issuance-web.

psavva avatar psavva commented on September 17, 2024

Hi @ggrund-tsi

The expiration for the Test and Vaccination is set on the web when issuing a cert using this interface.

The issuance service does not control the issued and expiration dates at all.

The expiration is now set using your function
const getExpiration = (certData: EUDGC, certMetaData: CertificateMetaData) => {
    let result = certMetaData.expired;

    if (certData && certData.r && certData.r[0]) {
        result = new Date(certData.r[0].du).getTime() / 1000 | 0;
    }

    return result;
}

However, it's only handling the expiration of the recovery. It must handle for all 3 types of certs.

ie: r,t,v collections

from dgca-issuance-web.

psavva avatar psavva commented on September 17, 2024

@ggrund-tsi @SchulzeStTSI Do you agree with my analysis here?
How shall we proceed?

from dgca-issuance-web.

ggrund-tsi avatar ggrund-tsi commented on September 17, 2024

Hi @psavva,

for me this issue is finished. I don't understand what you mean.
Maybe I miss something?

I try to show my point of view.

recovery case:
only in this case you have the possibility to have influence on expiration in frontend.
The values 'Certificate Valid From - To*' calculate the expiration (now until 'Valid To').
This calculated value is entered in cose header.

vaccination and test case:
for these cases in frontend is no datepicker to choose expiration date. (no need for fulfill JSON Schema)
But for cose header you need an expiration date. These expirations are set in issuance service: line 51 in https://github.com/eu-digital-green-certificates/dgca-issuance-service/blob/main/src/main/resources/application.yml.
You get this expiration value as response from '/dgca-issuance-service/dgci/issue'.

I'm open for any other proposals and will discuss those things with architecture lead but for the moment I see no real issue.

best regards, Gordon

from dgca-issuance-web.

psavva avatar psavva commented on September 17, 2024

Hi @ggrund-tsi

I might have a misunderstanding here, but I don't believe the endpoint 'dgca-issuance-service/dgci/issue' for Vaccination and Recovery are using the overload which accepts the data as per hcert-schema, but it's using the overloads as such:

  1. return api.post('/dgca-issuance-service/dgci/issue', certInit)
    where certInit only contains one value of
    enum CertType { Vaccination = 'Vaccination', Recovery = 'Recovery', Test = 'Test'}

  2. Generate the QR code internal to the WEB implementation via
    createCertificateQRData(edgcPayload, certMetaData, (hash)
    And last, call the signerCall function which only accepts the Id and hash in order to get the TAN.

const signerCall = (id: string, hash: string): Promise<SigResponse> => {
    return api.put('/dgca-issuance-service/dgci/issue/' + id, { hash: hash })
        .then(res => {
            const sigResponse: SigResponse = res.data;
            return sigResponse;
        });
}

At no point in the Web Issuance code is it calling the api which creates the QR Code from the DGCA-Issuance-Service.

Please let me know if I've missed something here.

Best Regards
Panayiotis Savva

from dgca-issuance-web.

psavva avatar psavva commented on September 17, 2024

Here is an example for Vaccination:

First Call from dgca-issuance-web to dgca-issuance-service

:method: POST
:path: /dgci/issue
:scheme: https
Status Code: 200 

Payload
{"greenCertificateType":"Vaccination"}

Response:

{"id":"389033_Ucgf0B-uf4XZuZSdiohmkyW3mqj-jvovNA2wPkI1mc0","dgci":"URN:UVCI:V1:CY:PFYWAIPL1N598MNO1WQ7C3X83E","kid":"H6KcgU3y0DY=","algId":-7,"countryCode":"CY","expired":1654690103,"additionalProperties":{}}

Second Call:

:method: PUT
:path: /dgci/issue/389033_Ucgf0B-uf4XZuZSdiohmkyW3mqj-jvovNA2wPkI1mc0
:scheme: https
Status Code: 200 

Payload:
{"hash":"jWIMtYfHPdu4BBVGvAVo8XQ45RTUWE5ZnNbHClBtIfs="}

Response: 

{"tan":"MDJB8AEV","signature":"Wq//IPQU3TD9q6J725WXsMRsz/vrIIkooBHyIrCp5wR+gkU+U7Jo+8BBMnOvg8XYuqdz7aBPham0d9CC8sf7fw==","additionalProperties":{}}

From the whole process, you will notice that we are never sending any information to the issuance service via the PUT to the dgci/issue endpoint, which requires a payload of eudgc type which would be required if you wanted the issuance-service to generate the actual QR Code for Test and Vaccination...

ver* |
-- | --
nam* |
dob* |
v | [...]
t | [...]
r | [...]

The configuration for the expiry periods (as in the issuance-service) must also be replicated to the dgc web, if we are to keep the current implementation of the web (ie: generate QR code internally, without personal data transmission over the wire)

from dgca-issuance-web.

ggrund-tsi avatar ggrund-tsi commented on September 17, 2024

> At no point in the Web Issuance code is it calling the api which creates the QR Code from the DGCA-Issuance-Service.
>
> Please let me know if I've missed something here.

Hi @psavva,

for data privacy reasons (in Germany) almost the complete QR-Code will be created in frontend. --> No personal data leaves frontend until wallet or verifier scan.
Only hash signing will be made by issuance-service.
Because of the need of other/backend implementations issuance-service also provides the creating functionality.

I hope this will clarify the issue and maybe we will hear us later.

best regards, Gordon

from dgca-issuance-web.

psavva avatar psavva commented on September 17, 2024

Hi @ggrund-tsi

We are on the same page here :)

But now you can see the implementation in the WEB Frontend is missing the expiry date handling for Vaccination and Tests?

const getExpiration = (certData: EUDGC, certMetaData: CertificateMetaData) => {
    let result = certMetaData.expired;

    if (certData && certData.r && certData.r[0]) {
        result = new Date(certData.r[0].du).getTime() / 1000 | 0;
    }

    return result;
}

The above function must handle for certData.v and certData.t

from dgca-issuance-web.
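An added example, not part of the thread and not the project's code: one way the frontend could derive the `exp` claim for all three entry types, taking the earliest of the backend's `expired` value, a per-type policy period, and the recovery `du` date. The function names, the `defaultPolicy` object and the 180-day recovery period are assumptions made for illustration.

```javascript
// Added example: names and policy values are assumptions, not project code.
const DAY = 24 * 60 * 60;

// Hypothetical per-country policy: maximum validity in seconds per entry type.
// 3 days for tests and 364 days come from the thread; 180 days is constructed.
const defaultPolicy = { v: 364 * DAY, t: 3 * DAY, r: 180 * DAY };

// Return which single hcert collection (v, t or r) carries the entry.
function certKind(certData) {
  const kinds = ['v', 't', 'r'].filter(
    (k) => Array.isArray(certData[k]) && certData[k].length > 0);
  if (kinds.length !== 1) throw new Error('expected exactly one of v, t, r');
  return kinds[0];
}

// Earliest of: backend default, issue time + policy period, recovery "du".
function getExpiration(certData, certMetaData, issuedAtSec, policy = defaultPolicy) {
  const kind = certKind(certData);
  const bounds = [certMetaData.expired, issuedAtSec + policy[kind]];
  if (kind === 'r') {
    bounds.push(Math.floor(new Date(certData.r[0].du).getTime() / 1000));
  }
  // Missing or unparsable bounds are dropped; the remaining ones still cap exp.
  const exp = Math.min(...bounds.filter(Number.isFinite));
  if (!Number.isFinite(exp) || exp <= issuedAtSec) {
    throw new Error('no usable expiration for ' + kind);
  }
  return exp;
}

// Same claim layout as encodeCBOR in the thread, before CBOR encoding.
function buildClaims(certData, certMetaData, issuedAtSec, policy = defaultPolicy) {
  const claims = new Map();
  claims.set(4, getExpiration(certData, certMetaData, issuedAtSec, policy)); // exp
  claims.set(6, issuedAtSec);                                                // iat
  claims.set(1, certMetaData.countryCode);                                   // iss
  claims.set(-260, new Map([[1, certData]]));                                // hcert
  return claims;
}

// Constructed inputs: issue time chosen so the backend default is 364 days out.
const issuedAt = 1623240503;
const meta = { countryCode: 'CY', expired: issuedAt + 364 * DAY };
const claims = buildClaims({ t: [{}] }, meta, issuedAt);
console.log('test cert validity (days):', (claims.get(4) - claims.get(6)) / DAY);
```
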

ggrund-tsi avatar ggrund-tsi commented on September 17, 2024

Hi @psavva ,

in first line of getExpiration method the default-expiration from issuance service is set.
let result = certMetaData.expired;

certMetaData is the response from /dgca-issuance-service/dgci/issue - I mentioned.

getExpiration Method will override the issuance-service expiration only for recovery case.

regards.

from dgca-issuance-web.

ggrund-tsi avatar ggrund-tsi commented on September 17, 2024

> The above function must handle for certData.v and certData.t

it's handled implicitly in /dgca-issuance-service/dgci/issue - you mentioned

return api.post('/dgca-issuance-service/dgci/issue', certInit)
where certInit only contains one value of
enum CertType { Vaccination = 'Vaccination', Recovery = 'Recovery', Test = 'Test'}

from dgca-issuance-web.

psavva avatar psavva commented on September 17, 2024

Let's discuss in our call in 20 mins with @SchulzeStTSI

from dgca-issuance-web.

ggrund-tsi avatar ggrund-tsi commented on September 17, 2024

please see possible fix:
https://github.com/eu-digital-green-certificates/dgca-issuance-web/tree/fix/expiration-for-vac-and-tst

from dgca-issuance-web.

lexin10 avatar lexin10 commented on September 17, 2024

This branch https://github.com/eu-digital-green-certificates/dgca-issuance-web/tree/fix/expiration-for-vac-and-tst
will be merged to main?

from dgca-issuance-web.

ggrund-tsi avatar ggrund-tsi commented on September 17, 2024

Hi @lexin10,

we've needed to adjust issuance service before.
Now it is able to merge (#93).

regards, Gordon

from dgca-issuance-web.
