EU Digital COVID Certificate Revocation Distribution Service

About • Development • Documentation • Support • Contribute • Contributors • Licensing

About

This distribution service distributes the revocation list data gathered by the EU DCC Gateway to the DCCA Verifier Apps to check the revocation status. The Service currently supports two formats of providing the revocation data. Namely, these are the Hashfilter and Bloomfilter implementations. Other distribution formats can be integrated, if wished, by implementing the SliceCalculation interface.

Development

The installation of the revocation service requires an already preinstalled postgres database. The tables, views etc. will than be created via liquibase. If you run the service locally with the provided docker compose file, a pod with a postgres db will be created automatically.

Prerequisites

• OpenJDK 11 (with installed keytool CLI)
• Maven
• Keys to access the DGCG via the DGCG Connector of the DGC-lib
• Authenticate to Github Packages

Needed keys for accessing the DGC Gateway

For accessing the DGC Gateway via the DGC Connector you need the following keys in place:

• The public key of the used Gateway. The public key should be stored in the tls_trust_store. If you use one of the provided gateways, you will get the public key as .pem from DIGIT. This .pem needs to be converted into pkcs12 format:

  openssl pkcs12 -export -in pub_tls.pem -name trust -out tls_trust_store.p12
  

• Your key pair for accessing the Gateway stored in tls_key_store. This needs to be generated by yourself and then whitelisted by operations team (see onboarding manual of the Gateway). To use it in the verifier service this needs to be converted as well into pkcs12 format:

  openssl pkcs12 -export -in tls.pem -inkey tls_private.pem -name 1 -out tls_key_store.p12
  

• The public key of the TrustAnchor of the Gateway. If you use one of the provided Gateways you will get it as well, at onboarding. The key should be stored in a jks file.

For more information on how to generate certificates for DGC Gateway and how to run your own local one, please have a look in the documentation of the Gateway.

Authenticating to GitHub Packages

As some of the required libraries (and/or versions are pinned/available only from GitHub Packages) You need to authenticate to GitHub Packages The following steps need to be followed

• Create PAT with scopes:
• read:packages for downloading packages

GitHub Maven

• Copy/Augment ~/.m2/settings.xml with the contents of settings.xml present in this repository
• Replace ${app.packages.username} with your github username
• Replace ${app.packages.password} with the generated PAT

GitHub Docker Registry

• Run docker login docker.pkg.github.com/eu-digital-green-certificates before running further docker commands.
• Use your GitHub username as username
• Use the generated PAT as password

Build

Whether you cloned or downloaded the 'zipped' sources you will either find the sources in the chosen checkout-directory or get a zip file with the source code, which you can expand to a folder of your choice.

In either case open a terminal pointing to the directory you put the sources in. The local build process is described afterwards depending on the way you choose.

Build with maven

Building this project is done with maven.

• Check settings.xml in the root folder of this git repository as example.
  Copy the servers to your own ~/.m2/settings.xml in order to connect the GitHub repositories we use in our code. Provide your GitHub username and access token (see GitHub Help) under the variables suggested.

• Run the following command from the project root folder

mvn clean install

All required dependencies will be downloaded, the project build and the artifact stored in your local repository.

Run with docker

• Perform maven build as described above
• Place the keys and certificates named above into the certs folder.
• Adjust the values in the docker-compose.yml file to fit the url for the gateway you use and your keys and certificates you have to access it.

  - DGC_GATEWAY_CONNECTOR_ENDPOINT=https://dgc-gateway.example.com
  - DGC_GATEWAY_CONNECTOR_TLSTRUSTSTORE_PATH=file:/ec/prod/app/san/dgc/tls_trust_store.p12
  - DGC_GATEWAY_CONNECTOR_TLSTRUSTSTORE_PASSWORD=dgcg-p4ssw0rd
  - DGC_GATEWAY_CONNECTOR_TLSKEYSTORE_ALIAS=1
  - DGC_GATEWAY_CONNECTOR_TLSKEYSTORE_PATH=file:/ec/prod/app/san/dgc/tls_key_store.p12
  - DGC_GATEWAY_CONNECTOR_TLSKEYSTORE_PASSWORD=dgcg-p4ssw0rd
  - DGC_GATEWAY_CONNECTOR_TRUSTANCHOR_ALIAS=ta
  - DGC_GATEWAY_CONNECTOR_TRUSTANCHOR_PATH=file:/ec/prod/app/san/dgc/trust_anchor.jks
  - DGC_GATEWAY_CONNECTOR_TRUSTANCHOR_PASSWORD=dgcg-p4ssw0rd

Note: Leave the path as is and only change the file names, as the certs folder will be mapped to this folder inside the docker container.

• Run the following command from the project root folder

docker-compose up --build

After all containers have started, you will be able to reach the service on your local machine under port 8080.

Settings

By default the service provides two representations of the revocation data. It is bloom filter and variable hash list. The boom filter is also set as the default representation if no special filter type is set in the request. This behavior can be adjusted by resetting or overwriting the values of the application.yaml The following table describes the parameter and there effect:

Parameter	Description
dgc_revocationListDownload:
timeInterval	Sets the interval of how often the gateway should be checked for new revocation data.
lockLimit	Determines how long the lock download should be kept, before it gets released. The lock ensures, that the data of the gateway is loaded only once at a time. If there are more than one instance.
downloadLimit	This value determines the max download time of one update interval, after this time the calculation of the filters is started.
defaultRevocationDataType	Sets the filter type, that should be returned by default is none is set in the request. Possible values are BLOOMFILTER and VARHASHLIST
bloomFilter:
enabled	Determines if boomfilters should be calculated and available.
probRate	Sets the probability rate of the filter.
varHashList:
enabled	Determines if boomfilters should be calculated and available.
probRate	Sets the probability rate of the filter.
minByteCount	Sets the minimum num of bytes each hash needs to have in the filter.

Documentation

• OpenAPI Spec
• EU DCC Revocation - B2A Communication between the Backend and the Applications

Support and feedback

The following channels are available for discussions, feedback, and support requests:

Type	Channel
Issues
Other requests

How to contribute

Contribution and feedback is encouraged and always welcome. For more information about how to contribute, the project structure, as well as additional contribution information, see our Contribution Guidelines. By participating in this project, you agree to abide by its Code of Conduct at all times.

Contributors

Our commitment to open source means that we are enabling -in fact encouraging- all interested parties to contribute and become part of its developer community.

Licensing

Copyright (C) 2022 T-Systems International GmbH and all other contributors

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.

You may obtain a copy of the License at https://www.apache.org/licenses/LICENSE-2.0.

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the LICENSE for the specific language governing permissions and limitations under the License.