-
Notifications
You must be signed in to change notification settings - Fork 7
/
eutl_qwacs.go
333 lines (289 loc) · 20.8 KB
/
eutl_qwacs.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
package main
import (
"crypto/tls"
"encoding/xml"
"fmt"
"io"
"log"
"net/http"
"strings"
"time"
)
type TrustServiceStatusList struct {
XMLName xml.Name `xml:"TrustServiceStatusList"`
SchemeInformation SchemeInformation
TrustServiceProviderList TrustServiceProviderList
}
type SchemeInformation struct {
SchemeTerritory string
PointersToOtherTSL PointersToOtherTSL
ListIssueDateTime time.Time
NextUpdate NextUpdate
}
type PointersToOtherTSL struct {
OtherTSLPointer []OtherTSLPointer
}
type OtherTSLPointer struct {
TSLLocation string
AdditionalInformation AdditionalInformation
}
type AdditionalInformation struct {
OtherInformation OtherInformation
}
type OtherInformation struct {
TSLType string
SchemeTerritory string
Ns3MimeType string `xml:"MimeType"`
}
type NextUpdate struct {
DateTime *time.Time `xml:"dateTime"`
}
type TrustServiceProviderList struct {
TrustServiceProvider []TrustServiceProvider
}
type TrustServiceProvider struct {
TSPInformation TSPInformation
TSPServices TSPServices
}
type TSPInformation struct {
TSPName Name
}
type Name struct {
Name string
}
type TSPServices struct {
TSPService []TSPService
}
type TSPService struct {
ServiceInformation ServiceInformation
}
type ServiceInformation struct {
ServiceTypeIdentifier string
ServiceName Name
ServiceDigitalIdentity ServiceDigitalIdentity
ServiceStatus string
StatusStartingTime time.Time
ServiceInformationExtensions ServiceInformationExtensions
}
type ServiceDigitalIdentity struct {
DigitalId DigitalId
}
type DigitalId struct {
X509Certificate string
X509SubjectName string
}
type ServiceInformationExtensions struct {
Extension []Extension
}
type Extension struct {
AdditionalServiceInformation AdditionalServiceInformation
}
type AdditionalServiceInformation struct {
URI string
}
var http_client *http.Client
func init() {
http_client = &http.Client{
Timeout: 10 * time.Second,
Transport: &http.Transport{
DisableKeepAlives: true,
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true,
},
},
}
}
func downloadTrustList(tlurl string) (TrustServiceStatusList, error) {
var body []byte
var tssl TrustServiceStatusList
req, err := http.NewRequest("GET", tlurl, nil)
if err != nil {
return tssl, fmt.Errorf("%s: Failed to create request [%s]", tlurl, err)
}
req.Header.Set("User-Agent", "crt.sh")
var resp *http.Response
for i := 0; i < 10; i++ {
if resp, err = http_client.Do(req); err != nil {
log.Printf("%s: Failed to send request [%s]", tlurl, err)
} else if body, err = io.ReadAll(resp.Body); err != nil {
log.Printf("%s: Failed to read response body [%s]", tlurl, err)
} else if err = xml.Unmarshal(body, &tssl); err != nil {
log.Printf("%s: Failed to unmarshal XML [%s]", tlurl, err)
} else {
return tssl, nil
}
}
return tssl, err
}
func processTrustList(tl TrustServiceStatusList, tlurl string) error {
log.Printf("Downloaded %s: %s\n", tl.SchemeInformation.SchemeTerritory, tlurl)
log.Printf(" - thisUpdate: %v\n", tl.SchemeInformation.ListIssueDateTime)
log.Printf(" - nextUpdate: %v\n", tl.SchemeInformation.NextUpdate.DateTime)
log.Printf(" - TSPs:\n")
for _, tsp := range tl.TrustServiceProviderList.TrustServiceProvider {
log.Printf(" - %s\n", tsp.TSPInformation.TSPName.Name)
fmt.Printf("\n-- TSP: %s\n", tsp.TSPInformation.TSPName.Name)
for _, tsps := range tsp.TSPServices.TSPService {
log.Printf(" - %s\n", tsps.ServiceInformation.ServiceName.Name)
log.Printf(" - Service Status: %s\n", tsps.ServiceInformation.ServiceStatus)
// Check the Service Status.
switch tsps.ServiceInformation.ServiceStatus {
case "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted":
case "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn":
case "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/recognisedatnationallevel":
case "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/deprecatedatnationallevel":
default:
return fmt.Errorf("Unrecognised Service Status: %s\n", tsps.ServiceInformation.ServiceStatus)
}
switch tsps.ServiceInformation.ServiceTypeIdentifier {
// Process these.
case "http://uri.etsi.org/TrstSvc/Svctype/CA/PKC":
// Description: A certificate generation service, not qualified, creating and signing non-qualified public key certificates based on the identity and other attributes verified by the relevant registration services.
// Requirements: When applicable, this service type shall be further specified through the use of an additionalServiceInformation extension (clause 5.5.9.4) within a Service information extension (clause 5.5.9) by using the appropriate identifiers indicating the nature of the public key certificates for which the status has been granted, i.e. certificates for electronic signatures, certificates for electronic seals, and/or certificates for website authentication (as specified in clause 5.5.9.4).
// When the certificate validity status information (e.g. CRLs, OCSP responses) related to the certificates issued by the listed "CA/PKC" identified service are not signed by the private key corresponding to the listed public key and when no certificate chain/path exists from the related certificate validity status information services (either CRL issuing entities or OCSP responders) to the listed "CA/PKC" identified service public key, those certificate validity status information services shall be listed separately.
for _, ext := range tsps.ServiceInformation.ServiceInformationExtensions.Extension {
switch ext.AdditionalServiceInformation.URI {
case "http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForeSeals":
case "http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForeSignatures":
case "http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForWebSiteAuthentication":
case "http://www.nmhh.hu/tl/ServiceStatus/QualifiedatNationalLevel": // Hungary!
case "http://uri.etsi.org/TrstSvc/Svctype/TSA/TSS-AdESQCandQES": // Hungary!
case "":
default:
log.Fatalf("Unexpected Service Information extension: '%s'", ext.AdditionalServiceInformation.URI)
}
}
case "http://uri.etsi.org/TrstSvc/Svctype/CA/QC":
// Description: A qualified certificate issuing trust service creating and signing qualified certificates based on the identity and other attributes verified by the relevant registration services, and under which are provided the relevant and related revocation and certificate validity status information services (e.g. CRLs, OCSP responses) in accordance with EU Directive 1999/93/EC [i.3] or with Regulation (EU) No 910/2014 [i.10] whichever is in force at the time of provision. This may also include generation and/or management of the associated private keys on behalf of the certified entity.
// Requirements: When the listed service is a "root" certificate generation service issuing certificates to one or more subordinates certificate generation services and from which a certification path can be established down to a certificate generation service issuing end-entity qualified certificates, this service type shall be further identified by using the "http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/RootCA-QC" identifier (described in clause D.4) which is included in the additionalServiceInformation extension (clause 5.5.9.4) within a Service information extension (clause 5.5.9).
// When applicable, this service type shall be further specified through the use of an additionalServiceInformation extension (clause 5.5.9.4) within a Service information extension (clause 5.5.9) by using the appropriate identifiers indicating the nature of the qualified certificates for which the qualified status has been granted, i.e. qualified certificates for electronic signatures, qualified certificates for electronic seals, and/or qualified certificates for website authentication (as specified in clause 5.5.9.4).
// When, in accordance with Annex II of Regulation (EU) No 910/2014 [i.10], the above described service includes the management of the electronic signature creation data on behalf of the signatory for qualified electronic signatures as part of the provision of qualified electronic signature creation device, and/or includes the management of the electronic seal creation data on behalf of the seal creator for qualified electronic seals as part of the provision of qualified electronic seal creation device, then the qualified certificates for which the private key resides in such a device shall be further identified and specified through the use of a Qualifications extension (clause 5.5.9.2) within a Service information extension (clause 5.5.9) by using the appropriate criteria and qualifiers (clause 5.5.9.2.3).
// When the certificate validity status information (e.g. CRLs, OCSP responses) related to the qualified certificates issued by the listed "CA/QC" identified service are not signed by the private key corresponding to the listed public key and when no certificate chain/path exists from the related certificate validity status information services (either CRL issuing entities or OCSP responders) to the listed "CA/QC" identified service public key, those certificate validity status information services shall be listed separately.
disabledFrom := ""
for _, ext := range tsps.ServiceInformation.ServiceInformationExtensions.Extension {
switch ext.AdditionalServiceInformation.URI {
case "http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForeSeals":
case "http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForeSignatures":
case "http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForWebSiteAuthentication":
switch tsps.ServiceInformation.ServiceStatus {
case "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted":
disabledFrom = "NULL"
case "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn":
disabledFrom = "'" + tsps.ServiceInformation.StatusStartingTime.Format(time.RFC3339) + "'"
default:
log.Fatalf("Unexpected Service Status for a QWAC Issuer: %s\n", tsps.ServiceInformation.ServiceStatus)
}
if tsps.ServiceInformation.ServiceDigitalIdentity.DigitalId.X509SubjectName != "" {
fmt.Printf("-- Subject Name: %s\n", tsps.ServiceInformation.ServiceDigitalIdentity.DigitalId.X509SubjectName)
} else {
fmt.Printf("-- Service Name: %s\n", tsps.ServiceInformation.ServiceName.Name)
}
fmt.Printf("INSERT INTO root_trust_purpose (CERTIFICATE_ID, TRUST_CONTEXT_ID, TRUST_PURPOSE_ID, DISABLED_FROM) SELECT import_cert(decode('%s', 'base64')), 27, 1000, %s;\n", strings.ReplaceAll(tsps.ServiceInformation.ServiceDigitalIdentity.DigitalId.X509Certificate, "\n", ""), disabledFrom)
case "http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/RootCA-QC":
case "http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/RootCA-":
case "":
default:
log.Fatalf("Unexpected Service Information extension: '%s'", ext.AdditionalServiceInformation.URI)
}
}
case "http://uri.etsi.org/TrstSvc/Svctype/TSA/TSS-QC":
// A time-stamping service, not qualified, as part of a service from a trust service provider issuing qualified certificates that issues time-stamp tokens that can be used in the validation process of qualified signatures/seals or advanced signatures/seals supported by qualified certificates to ascertain and extend the signature/seal validity when the qualified certificate is (will be) revoked or expired (will expire).
// TODO: Process this.
// Ignore these.
case "http://uri.etsi.org/TrstSvc/Svctype/ACA",
// An attribute certificate generation service creating and signing attribute certificates based on the identity and other attributes verified by the relevant registration services.
"http://uri.etsi.org/TrstSvc/Svctype/AdESGeneration",
// Description: A not qualified generation service for advanced electronic signatures and/or advanced electronic seals.
// Requirements: When applicable, this service type shall be further specified through the use of an additionalServiceInformation extension (clause 5.5.9.4) within a Service information extension (clause 5.5.9) by using the appropriate identifiers indicating whether it is provided for electronic signatures and/or for electronic seals (as specified in clause 5.5.9.4).
"http://uri.etsi.org/TrstSvc/Svctype/Archiv",
// An Archival service.
"http://uri.etsi.org/TrstSvc/Svctype/Certstatus/CRL",
// A certificate validity status service, not qualified, issuing CRLs.
"http://uri.etsi.org/TrstSvc/Svctype/Certstatus/OCSP/QC",
// A certificate validity status information service issuing Online Certificate Status Protocol (OCSP) signed responses and operating an OCSP-server as part of a service from a (qualified) trust service provider issuing qualified certificates, in accordance with the applicable national legislation in the territory identified by the TL Scheme territory (see clause 5.3.10) or with Regulation (EU) No 910/2014 [i.10] whichever is in force at the time of provision.
"http://uri.etsi.org/TrstSvc/Svctype/Certstatus/OCSP",
// A certificate validity status service, not qualified, issuing Online Certificate Status Protocol (OCSP) signed responses.
"http://uri.etsi.org/TrstSvc/Svctype/EDS/REM/Q",
// A qualified electronic registered mail delivery service providing qualified electronic registered mail deliveries in accordance with the applicable national legislation in the territory identified by the TL Scheme territory (see clause 5.3.10) or with Regulation (EU) No 910/2014 [i.10] whichever is in force at the time of provision.
"http://uri.etsi.org/TrstSvc/Svctype/EDS/Q",
// A qualified electronic delivery service providing qualified electronic deliveries in accordance with the applicable national legislation in the territory identified by the TL Scheme territory (see clause 5.3.10) or with Regulation (EU) No 910/2014 [i.10] whichever is in force at the time of provision.
"http://uri.etsi.org/TrstSvc/Svctype/IdV",
// An Identity verification service.
"http://uri.etsi.org/TrstSvc/Svctype/IdV/nothavingPKIid",
// An Identity verification service that cannot be identified by a specific PKI-based public key.
"http://uri.etsi.org/TrstSvc/Svctype/NationalRootCA-QC",
// A national root signing CA issuing root-signing or qualified certificates to trust service providers and related certification or trust services that are accredited against a national voluntary accreditation scheme or supervised under national law in accordance with the applicable European legislation.
// TODO: Maybe process this.
"http://uri.etsi.org/TrstSvc/Svctype/PSES/Q",
// Description: A qualified preservation service for qualified electronic signatures and/or qualified electronic seals in accordance with the applicable national legislation in the territory identified by the TL Scheme territory (see clause 5.3.10) or with Regulation (EU) No 910/2014 [i.10] whichever is in force at the time of provision.
// Requirements: When applicable, this service type shall be further specified through the use of an additionalServiceInformation extension (clause 5.5.9.4) within a Service information extension (clause 5.5.9) by using the appropriate identifiers indicating whether it is provided for electronic signatures and/or for electronic seals (as specified in clause 5.5.9.4).
"http://uri.etsi.org/TrstSvc/Svctype/QESValidation/Q",
// Description: A qualified validation service for qualified electronic signatures and/or qualified electronic seals in accordance with the applicable national legislation in the territory identified by the TL Scheme territory (see clause 5.3.10) or with Regulation (EU) No 910/2014 [i.10] whichever is in force at the time of provision.
// Requirements: When applicable, this service type shall be further specified through the use of an additionalServiceInformation extension (clause 5.5.9.4) within a Service information extension (clause 5.5.9) by using the appropriate identifiers indicating whether it is provided for electronic signatures and/or for electronic seals (as specified in clause 5.5.9.4).
"http://uri.etsi.org/TrstSvc/Svctype/RA",
// A registration service that verifies the identity and, if applicable, any specific attributes of a subject for which a certificate is applied for, and whose results are passed to the relevant certificate generation service.
"http://uri.etsi.org/TrstSvc/Svctype/RA/nothavingPKIid",
// A registration service
// - that verifies the identity and, if applicable, any specific attributes of a subject for which a certificate is applied for, and whose results are passed to the relevant certificate generation service, and
// - that cannot be identified by a specific PKI-based public key.
"http://uri.etsi.org/TrstSvc/Svctype/SignaturePolicyAuthority",
// A service responsible for issuing, publishing or maintenance of signature policies.
"http://uri.etsi.org/TrstSvd/Svctype/TLIssuer",
// HTTP 404.
"http://uri.etsi.org/TrstSvc/Svctype/TSA",
// A time-stamping generation service, not qualified, creating and signing time-stamps tokens.
"http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST",
// A qualified electronic time stamp generation service creating and signing qualified electronic time stamps in accordance with the applicable national legislation in the territory identified by the TL Scheme territory (see clause 5.3.10) or with Regulation (EU) No 910/2014 [i.10] whichever is in force at the time of provision.
// A time-stamping service, not qualified, as part of a service from a trust service provider that issues time-stamp tokens (TST) that can be used in the validation process of qualified signatures/seals or advanced signatures/seals supported by qualified certificates to ascertain and extend the signature/seal validity when the qualified certificate is (will be) revoked or expired (will expire).
"http://uri.etsi.org/TrstSvc/Svctype/TSA/TSS-AdESQCandQES",
// A time-stamping service, not qualified, as part of a service from a trust service provider that issues time-stamp tokens (TST) that can be used in the validation process of qualified signatures/seals or advanced signatures/seals supported by qualified certificates to ascertain and extend the signature/seal validity when the qualified certificate is (will be) revoked or expired (will expire).
"http://uri.etsi.org/TrstSvc/Svctype/unspecified":
// Description: A trust service of an unspecified type.
// Requirements: When the "unspecified" Service type identifier is used, information about the nature and type of the listed service shall be provided in other ways such as through a service level extension (see clauses 5.5.6 or 5.5.9).
// Unrecognised.
default:
log.Fatalf("Unrecognised Service Type: %s", tsps.ServiceInformation.ServiceTypeIdentifier)
}
log.Printf(" - Service Type: %s\n", tsps.ServiceInformation.ServiceTypeIdentifier)
for _, ext := range tsps.ServiceInformation.ServiceInformationExtensions.Extension {
switch ext.AdditionalServiceInformation.URI {
case "http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForeSeals":
case "http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForeSignatures":
case "http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForWebSiteAuthentication":
case "http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/RootCA-QC":
case "http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/RootCA-":
case "http://www.nmhh.hu/tl/ServiceStatus/QualifiedatNationalLevel":
case "":
default:
log.Fatalf("Unrecognised Service Information Extension: %s", ext.AdditionalServiceInformation.URI)
}
log.Printf(" - Additional: %s\n", ext.AdditionalServiceInformation.URI)
}
}
}
return nil
}
func main() {
// Download and parse the EUTL list of lists.
lotlURL := "https://ec.europa.eu/tools/lotl/eu-lotl.xml"
lotl, err := downloadTrustList(lotlURL)
if err != nil {
log.Fatalf("%s: Failed to download LOTL [%s]", lotlURL, err)
}
fmt.Printf("DELETE FROM root_trust_purpose WHERE TRUST_CONTEXT_ID = 27;\n")
// Download, parse, and process the National TLs.
for _, tlp := range lotl.SchemeInformation.PointersToOtherTSL.OtherTSLPointer {
switch tlp.AdditionalInformation.OtherInformation.Ns3MimeType {
case "application/vnd.etsi.tsl+xml":
fmt.Printf("\n\n-- COUNTRY: %s\n", tlp.AdditionalInformation.OtherInformation.SchemeTerritory)
if tl, err := downloadTrustList(tlp.TSLLocation); err != nil {
log.Fatalf("%s: Failed to download TL [%s]", tlp.TSLLocation, err)
} else if err = processTrustList(tl, tlp.TSLLocation); err != nil {
log.Fatalf("%s: Failed to process TL [%s]", tlp.TSLLocation, err)
}
case "application/pdf": // Ignore this.
default:
log.Fatalf("%s: Unsupported MIME type [%s]", tlp.TSLLocation, tlp.AdditionalInformation.OtherInformation.Ns3MimeType)
}
}
}