Where to get country-specific information for extensions?

[axunonb]

Looking especially for information about implementing TrustListProviders and ValidatorRules usable for Germany.
Can't even figure out the CertUpdateUrlor CertStatusUrl...

[DevTrevi]

Hi @axunonb , thank you for your contribution to the readme, I just have accepted your pull request.
I just looked for some info about the official German app and I found the link to its GitHub repository (Digitaler-Impfnachweis/covpass-android) on the official website https://www.digitaler-impfnachweis-app.de/en/technical-details/.

Looking at the implementation, I found 3 urls containing both the public certificates and the validation rules:
https://de.dscg.ubirch.com/trustList/DSC/ : the trustlist
https://distribution.dcc-rules.de/rules/ : list of the available rules
https://distribution.dcc-rules.de/rules/{country code}/{rule hash} : rule data

The interesting thing is that the german endpoint contains validation rules for multiple countries, not only Germany, allowing the development of a rules validator provider that supports multiple countries.

I can make a draft implementation of both the TrustList provider and the rules validator, and I think that I should also change a little bit the interface of the methods, allowing to specify the desired country code for rules validation in order to better support these scenarios.

I will also support the injection of N rule validators to the DgcReaderService in order to register all the validators needed and use the service as a validator for multiple countries.
In this way you can use at the same time the Germany rules validator (supporting "DE", "CH", "FR", "IE" etc. countries) and the DgcItalianRulesValidator, supporting rules for Italy (that are not supported by the German endpoint)
I think that this will help a lot also with this issue #5 (Verify DGC for any country)

I can not guarantee about implementation timings, maybe you could take a look at my draft and contribute to its completion, I would appreciate it very much

[axunonb]

Excellent, Davide, thanks for providing the missing links, and also for sharing this repo.
Supporting more countries would nicely improve the out-of-the-box usability of the repo. Great idea.
Although I'm pretty new to this subject, but very interested in the implementation details, I'll stay tuned, willing to contribute.

[DevTrevi]

Hi @axunonb , as you may have noticed, now the library supports multiple acceptance countries, starting from version 2.0.0.

I have also implemented an unofficial rule validator using German endpoint rules and valuesets.
The implementation is a partial porting from the official sdk found in GitHub repository (Digitaler-Impfnachweis/covpass-android), and only validates "3G" rules, while 2G+, booster check and other features are not implemented

[axunonb]

Ciao @DevTrevi , yes, I was already starting to play around with the new version. It took a me a while to figure out how to make it work. May I ask you 2 questions:

• Using the DgcGermanRulesValidator the DgcReader.GetSupportedCountries method returns 19 country codes, but does not include Italy. Is this by your design, or because DgcGermanRulesValidator doesn't include it?
• The DgcItalianRulesValidator.GetBlacklist method returns 1996 entries, while DgcGermanRulesValidator does not seem to contain blacklist information. Is this, because a blacklist is not available or not implemented?

Really excellent job, Davide. Thanks a lot!

[rawmain]

Hello @axunonb & @DevTrevi

the DgcReader.GetSupportedCountries method returns 19 country codes, but does not include Italy. Is this by your design, or because DgcGermanRulesValidator doesn't include it?

Such method gets indeed the CountryList, that German backend services (as other national ones) retrieve from the Business Rules service/controller of the EU DCC Gateway. Therefore you'll find only the countries that have published Business Rules entries & shared with EU DGCG.

Italy isn't among such countries yet, as you can also see from Corona-Warn App - by performing Validation for travel check & choosing Italy as destination = in such case you get indeed the note prompting that "There are currently no entry rules for the selected country".

Besides, keep in mind that Business Rules (for travel / cross-border validation) don't always match National Rules (for internal-only validation), since they can include additional policies for the validation of travellers' DGC. For instance, Business Rules may include a delay from arrival date for DGC full valid start Date, according to specific countries' quarantine policies for incoming travellers.

• The DgcItalianRulesValidator.GetBlacklist method returns 1996 entries, while DgcGermanRulesValidator does not seem to contain blacklist information. Is this, because a blacklist is not available or not implemented?

The Italian Validator checks against the black_list_uvci list (perm blocked UVCI - counterfeit/fraudulent + some leaked) - retrieved/synced from the Italian Validation Rules JSON.

Besides, DGC Reader is fully aligned with the official Android/Kotlin DGC-SDK features. Therefore, since release 2.0.0 the blacklist checks include also those against the consolidated entries from the CRL/DRL fetch/sync (some perm blocked UVCI leaked + temp block after positive PCR/RAT test record into Italian healthcare platform).

The German Validator is based upon CovPass implementation. At the present time current CovPass prodreleases only support blacklist checks for DSC/signer entities. Revocation support for single/batch DGC is still in progress = it will be added through CRL/DRL support.

[axunonb]

@rawmain Very interesting and enlightening insights, thanks!

[DevTrevi]

Hi @axunonb , thank you :)

• The supported countries list returned by the DgcGermanRulesValidator is downloaded from the German api, it is not a static list.
  Italy is not included in the list, because Italian rules are implemented in a different way compared to other countries, and there aren't CertLogic rules available from the German backend for Italy, so this is not my design decision.
• I don't know exactly if there is an available blacklist for Germany, I didn't find it in the German sdk, so actually the only blacklists that I have implemented are the Italian ones.
  DgcItalianRulesValidator is primarily a rules validator, but it does implement also the IBlacklistProvider interface, because part of the blacklist entries are included in the rules file downloaded from the Italian backend.
  Italy has recently introduced a second "blacklist" that mainly contains identifiers temporarily revoked to people positive to Covid-19 and that should be used in addition, not as replacement, to the blacklist contained in the DgcItalianRulesValidator.
  This secondary list contains a lot more entries (about 200k at the moment), for this reason it is stored on a DB (Sqllite by default, but you can configure another one, like SqlServer) rather than a json file.

In order to add Italy to the supported countries, you can simply register both the rule validators. In this way, the DgcService will use the appropriate provider, based on the required acceptance country.
You can also add the Italian Drl blacklist provider in order to check the extended list of revoked certificates:

// Register all the required services:
services.AddDgcReader()                 // Add the DgcReaderService as singleton
              .AddItalianTrustListProvider()       // Certificates downlaoded from Italian backend
              .AddGermanTrustListProvider()        // Certificates downlaoded from German backend (optional, one trustlist provider should be enough)
              .AddItalianDrlBlacklistProvider()    // The Drl blacklist provider (~200k entries)
              .AddItalianRulesValidator()          // Italian rules validator + blacklist (~2k entries)
              .AddGermanRulesValidator();          // (UNOFFICIAL) German rules validator for Germany + other countries (19 at the moment)
//...

// Check countries:
var germanRulesValidator = ServiceProvider.GetService<DgcGermanRulesValidator>();
var germanSupportedCountries = await germanRulesValidator.GetSupportedCountries(); // Dynamically downloaded, should return 19 countries

var italianRulesValidator = ServiceProvider.GetService<DgcItalianRulesValidator>();
var italianSupportedCountries = await italianRulesValidator.GetSupportedCountries(); // Static, will return only "IT"

var dgcReaderService = ServiceProvider.GetRequiredService<DgcReaderService>();
var supportedCountries = dgcReaderService.GetSupportedCountries();  // Sum of all supported countries from registered rules validator (20 entries including IT)

// So you can do this:
var resultForItaly = await dgcReaderService.GetValidationResult(data, "IT");
var resultForGermany = await dgcReaderService.GetValidationResult(data, "DE");
var resultForAustria = await dgcReaderService.GetValidationResult(data, "AT");
//...