This repository has been archived by the owner on Nov 10, 2022. It is now read-only.

Issues in verification API #1

Open
hendersonweb opened this issue Mar 9, 2021 · 5 comments

Comments

@hendersonweb

Hello,

I have received this error,

{"timestamp":"2021-03-09T11:56:52.740+0000","status":500,"error":"Internal Server Error","message":"eu/lightest/verifier/model/report/Report","path":"/atvapi/api/v1/addInstance"}

How can this error be rectified? Although log files have been created.

Do we need to instantiate something after uploading the .war files?

@stefan2904
Member

stefan2904 commented Mar 11, 2021

Hi Isaac!

I cannot reproduce your error. Please attach what you did and a logfile.

This worked for me:

build and start API:

(this runs Tomcat in a simple Docker container -- should also work with your own Tomcat, though)

mvn build
docker build -t atvapi .
docker run -p 80:8080 atvapi

... API/ATV running at http://localhost/atvapi (open http://localhost/atvapi/api/v1/ to verify)

... this also displays the log of the ATV for diagnostics in case something goes wrong.

run a demo/test:

cd src/test/python

# make sure BASE envvar is correct (e.g. BASE = 'http://localhost/atvapi')
python XAdESdemo.py

output of the python script:

    OK: LIGHTest ATV 1.9.9-SNAPSHOT
    OK: 3 pre-checks passed!
    OK: TPL Interpreter initialized!
    OK: xades extraction successful.
    OK: Signer certificate: Trusted List 6
    OK: eIDAS_qualified_certificate extraction successful.
    OK: XAdES Signature Verification successful.
    OK: No Trust Scheme Membership Claim found in certificate, using default: eIDAS_qualified_claim
    OK: Claimed Signer: test-scheme.lightest.nlnetlabs.nl
    OK: Trust Status List discovered & loaded.
    OK: Trust Status List Signature validation successful.
    OK: Claimed Scheme matches Trusted Scheme: eidas.lightest.nlnetlabs.nl
    OK: Issuer found on Trust Status List: RTR Services 4
    OK: trustlist_entry extraction successful.
    OK: Signer Verification successful.

(reminder: these demos will stop working if @partim stops our demo DNS servers, or similar things happen.)

HTH!

@hendersonweb
Author

hendersonweb commented Mar 12, 2021

Hi Stefan, thanks a lot for your immediate reply. I figured out the problem: it was a jar compatibility issue, and now I don't get this error anymore.

But I have another doubt: I'm trying to set up the ATV on a server which is not DNSSEC protected. Will the system still work?

Because I have disabled DNSSEC and DANE verification in atv.properties and generated the .war file. I then deployed it on a server, but I get the following error.

        OK: LIGHTest ATV
        OK: 3 pre-checks passed!
        OK: TPL Interpreter initialized!
        OK: xades extraction successful.
        OK: Signer certificate: Trusted List 6
        OK: eIDAS_qualified_certificate extraction successful.
        OK: XAdES Signature Verification successful.
        OK: No Trust Scheme Membership Claim found in certificate, using default: eIDAS_qualified_claim
        OK: Claimed Signer: test-scheme.lightest.nlnetlabs.nl
    FAILED: Error discovering Trust Scheme: No AD flag. (Host not using DNSSec?)
    FAILED: Trust Scheme discovery failed for claim test-scheme.lightest.nlnetlabs.nl!

Do you know the reason for it?

PS: The server on which I deployed is not DNSSEC protected.

@stefan2904
Member

stefan2904 commented Mar 15, 2021

The DNS/DNSSEC setup of the server on which you host the ATV should not matter (it also works on localhost), so I am not sure what's the issue with your attempt. If you let me know what test script this is I can run it and have a look.

Do you get the error also with dnssec_verification_enabled etc. set to true?


About the flags: As far as I remember the flags disable those checks; maybe we missed one (but I remember that we tested the ATV without DNSSEC in the beginning) -- you could verify that in the ATV source code.
By the way, I think we print the configuration to the log, so you can check if your manual change actually had an effect or if you need to re-build the ATV before re-deploying the API.

@hendersonweb
Author

Hi Stefan, thanks for the reply. I tried deploying on the following server, BASE = 'https://essif.iao.fraunhofer.de/atvapi_essif/', with the PAdESdemo.py file. The following was the result:

REPORT: ######
        OK: LIGHTest ATV 
        OK: 3 pre-checks passed!
        OK: TPL Interpreter initialized!
        OK: pades extraction successful.
        OK: Signer certificate: LATORRE ANTIN GERMAN - 25180855H
        OK: eIDAS_qualified_certificate extraction successful.
        OK: PAdES Signature Verification successful.
        OK: No Trust Scheme Membership Claim found in certificate, using default: eIDAS_qualified_claim
        OK: Claimed Signer: test-scheme.lightest.nlnetlabs.nl
    FAILED: Error discovering Trust Scheme: No AD flag. (Host not using DNSSec?)
    FAILED: Trust Scheme discovery failed for claim test-scheme.lightest.nlnetlabs.nl!

@stefan2904
Member

stefan2904 commented Mar 19, 2021

If I run it with my local ATV (via the Docker setup described above) I get the following:

###### REPORT: ######
        OK: LIGHTest ATV 1.9.9-SNAPSHOT
        OK: 3 pre-checks passed!
        OK: TPL Interpreter initialized!
        OK: pades extraction successful.
        OK: Signer certificate: LATORRE ANTIN GERMAN - 25180855H
        OK: eIDAS_qualified_certificate extraction successful.
        OK: PAdES Signature Verification successful.
        OK: No Trust Scheme Membership Claim found in certificate, using default: eIDAS_qualified_claim
        OK: Claimed Signer: test-scheme.lightest.nlnetlabs.nl
        OK: Trust Status List discovered & loaded.
        OK: Trust Status List Signature validation successful.
        OK: Claimed Scheme matches Trusted Scheme: eidas.lightest.nlnetlabs.nl
        OK: Issuer found on Trust Status List: Qualified certificates for individuals issued by AC FNMT Usuarios
        OK: trustlist_entry extraction successful.
        OK: Signer Verification successful.

You could check the log of the ATV (on the server) to figure out what's wrong.

For example, it prints the config during initialization, so you can verify it's the one you expect:

Config initialized / reset done:
 * dane_verification_enabled          : true
 * dnssec_verification_enabled        : true
 * dnssec_root_key                    : get-trust-anchor/ksk-as-dnskey.txt
 * dns_nameserver                     : 8.8.8.8
 * http_timeout                       : 15
 * precheck.simpleHTTPCheck.url       : https://c01.netztest.at/RMBTControlServer/testRequest
 * tpl_main_predicate                 : accept(Form).
 * tpl_main_predicate_variable        : Form
 * tpl_recordRPxTranscript            : false
 * tpl_recordRPxTranscript_path       : /tmp/lightest_rpx
 * trustscheme_claim_default          : eIDAS_qualified_claim
 * trustscheme_claim.eIDAS_qualified_claim: _scheme._trust.test-scheme.lightest.nlnetlabs.nl.
 * trustscheme_claim.eIDAS_qualified  : eidas.lightest.nlnetlabs.nl
 * trustscheme_claim.eidas_qualified  : eidas.lightest.nlnetlabs.nl

...

Also, can you try with dane_verification_enabled & dnssec_verification_enabled set to true? This should work for this test data (as the DNS records used are signed).
