dgc-certlogic-android's People

Contributors

a-trzewik, d4rken, daniel-eder, martinreichart, mykhailonester, oleksandrsarapulovgl, simeonevilardo

dgc-certlogic-android's Issues

Publish the CertLogic runner as an artifact to Maven Central.

Current Implementation

Verifiers that would like to integrate the CertLogic RuleEngine as a library currently need to reference the source code directly, or compile it locally and reference their own build.

Suggested Enhancement

By publishing the compiled artefact to a public repository (e.g. as a GitHub Action pushing the jar to Maven Central), consumers can include the latest version without manual effort.

Expected Benefits

By using a public Maven repo, it's easy for downstream dependencies to keep up to date with new features and bug fixes without manual intervention.

Check for `Engine` attribute missing

Describe the bug

There is currently no check for the value of the Engine attribute of a rule:

return if (rules.isNotEmpty()) {
    val validationResults = mutableListOf<ValidationResult>()
    val dataJsonNode = prepareData(externalParameter, payload)
    val hcertVersion = hcertVersionString.toVersion()
    rules.forEach { rule ->
        val ruleVersion = rule.version.toVersion()
        val res = when {
            hcertVersion == null || ruleVersion == null || hcertVersion.first != ruleVersion.first -> Result.OPEN
            hcertVersion.isGreaterOrEqualThan(ruleVersion) &&
                jsonLogicValidator.isDataValid(
                    rule.logic,
                    dataJsonNode
                ) -> Result.PASSED
            else -> Result.FAIL
        }
        val cur: String = affectedFieldsDataRetriever.getAffectedFieldsData(
            rule,
            dataJsonNode,
            certificateType
        )
        validationResults.add(
            ValidationResult(
                rule,
                res,
                cur,
                null
            )
        )
    }
    validationResults
} else {
    emptyList()
}

Expected behaviour

If a rule has the attribute Engine with a value other than CERTLOGIC, the rule is not evaluated but reported as open.

Steps to reproduce the issue

see code

Technical details

n/a

Possible Fix

add if statement

Additional context

related to eu-digital-green-certificates/dgc-certlogic-ios#26

Reduce Package Dependencies

The current implementation contains dependencies on Room, Retrofit and other libraries, which can result in conflicts in other apps using this module. To reduce these dependencies, the components used should be abstracted by interfaces, and the implementation of the interfaces should be passed in by the verifier/wallet app. This should reduce the dependencies used by the module. After this refactoring, the module can be released as a separate package.

ISO 8601 date-time without time zone designator not interpreted correctly (works on iOS)

Describe the bug

A date/date-time value like 2021-02-04T00:00:00 without a time zone designator, when used in a DCC and checked by a corresponding rule, leads to open on Android instead of pass or fail. This is the case for many DCCs from Bulgaria.

Expected behaviour

The date-time format is correctly parsed because it is a valid ISO 8601 date-time representation, see https://en.wikipedia.org/wiki/ISO_8601#Times

Steps to reproduce the issue

Create a vaccination certificate with dt set to 2021-02-04T00:00:00 and check against the German rule set.

Technical details

n/a

Possible Fix

n/a

Additional context

  • works on iOS

Separate Filterparameters from External Parameters

Currently the External Parameters contain filter parameters like countryCode, Region, Certtype etc. Please separate the filter parameters into a separate class "Filterparameter" which is added to the validate method. The external parameters should contain just the fields which are passed to the JSON for logic execution.

BoosterNotification Rules are validated as OPEN

Describe the bug

Rule BNR-DE-4161 is validated as OPEN when we validate a Vaccination certificate
Exception: java.lang.RuntimeException: date argument of "plusTime" must be a string

All Rules are validated as OPEN when we validate a Recovery certificate
Exception: java.lang.RuntimeException: date argument of "plusTime" must be a string

Expected behaviour

Rule should be validated as FAIL

Vaccination certificate
dataJsonNode:
{"external":{"validationClock":"2022-01-15T10:51:03.857+01:00","valueSets":{},"countryCode":"de","exp":"2022-07-30T15:01:59Z","iat":"2021-07-30T15:01:59Z","issuerCountryCode":"de","kid":"","region":""},"payload":{"issuer":"DE","validFrom":1627657319,"validUntil":1659193319,"nam":{"gn":"AstraZeneca","fn":"Vaccine","gnt":"ASTRAZENECA","fnt":"VACCINE"},"dob":"1921-08-21","v":[{"tg":"840539006","vp":"1119305005","mp":"EU/1/21/1529","ma":"ORG-100001417","dn":2,"sd":2,"dt":"2021-08-02","co":"DE","is":"Robert Koch-Institut","ci":"URN:UVCI:01DE/IBMT102/3CU9LYH1VHUMMDF86T7X3S#L"}],"t":[],"r":[],"ver":"1.3.0","dateTimeSeparator":"T","empty":0,"yearCount":4,"yearMonthCount":7,"yearMonthDayCount":10}}

6_AstraZeneca-Vaccine_2nd_Vaccine_AstraZeneca_1921-08-21

Recovery certificate
dataJsonNode:
{"external":{"validationClock":"2022-01-15T10:48:01.219+01:00","valueSets":{},"countryCode":"de","exp":"2022-07-30T15:02:01Z","iat":"2021-07-30T15:02:01Z","issuerCountryCode":"de","kid":"","region":""},"payload":{"issuer":"DE","validFrom":1627657321,"validUntil":1659193321,"nam":{"gn":"Recovery","fn":"RichyThree","gnt":"RECOVERY","fnt":"RICHYTHREE"},"dob":"1921-08-21","v":[],"t":[],"r":[{"tg":"840539006","fr":"2021-08-02","df":"2021-08-30","du":"2022-02-01","co":"DE","is":"Robert Koch-Institut","ci":"URN:UVCI:01DE/IBMT102/51VONE4URYN03AO7ID2N91#S"}],"ver":"1.3.0","dateTimeSeparator":"T","empty":0,"yearCount":4,"yearMonthCount":7,"yearMonthDayCount":10}}

9_Recovery_RichieTwo_RichyThree_Recovery_1921-08-21

BoosterNotification rules:
bnr.txt

[VH] Incorrect comparison of DCC version and rule version

Describe the bug

The current implementation is comparing the ver attribute of the DCC/hcert with the Version attribute of the rule:

hcertVersion == null || ruleVersion == null || hcertVersion.first != ruleVersion.first -> Result.OPEN

That's like comparing cars and apples.

Expected behaviour

Compare ver against SchemaVersion

Steps to reproduce the issue

look at the code

Technical details

n/a

Possible Fix

Compare ver against SchemaVersion

Additional context

n/a

Test rules don't validate

Is that intentional? People are seeing this, thinking that it's valid. Is rule.json (and rule_with_region.json) used when running tests?

Recovery Rules validation for Switzerland

Describe the bug

During the Recovery certificate validation we received an OPEN result for the following rules of Switzerland.
The results are OPEN because the CertLogic throws an exception.

RR-CH-0001
com.fasterxml.jackson.databind.node.TextNode cannot be cast to com.fasterxml.jackson.databind.node.BooleanNode

RR-CH-0002
date argument of "plusTime" must be a string

RR-CH-0003
date argument of "plusTime" must be a string

Expected behaviour

Recovery rules for Switzerland should be validated as PASSED or FAIL.

Issues with Jackson / JSR310 in Release Builds

Describe the bug

During development of an Android App (min SDK 23), everything works fine and all necessary dependencies are found.

However only when creating a release build of the application (even with proguard disabled) the application crashes with the following stacktrace:

java.util.ServiceConfigurationError: com.fasterxml.jackson.databind.Module: Provider com.fasterxml.jackson.datatype.jsr310.JavaTimeModule could not be instantiated
    at java.util.ServiceLoader.fail(ServiceLoader.java:233)
    at java.util.ServiceLoader.access$100(ServiceLoader.java:183)
    at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:392)
    at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:416)
    at java.util.ServiceLoader$1.next(ServiceLoader.java:494)
    at com.fasterxml.jackson.databind.ObjectMapper.findModules(ObjectMapper.java:1081)
    at com.fasterxml.jackson.databind.ObjectMapper.findModules(ObjectMapper.java:1065)
    at com.fasterxml.jackson.databind.ObjectMapper.findAndRegisterModules(ObjectMapper.java:1115)
    .....
    Suppressed: java.util.ServiceConfigurationError: com.fasterxml.jackson.databind.Module: Provider com.fasterxml.jackson.datatype.jsr310.JavaTimeModule could not be instantiated
        ... 24 more
    Caused by: java.lang.NoClassDefFoundError: <clinit> failed for class com.fasterxml.jackson.datatype.jsr310.deser.InstantDeserializer; see exception in other thread
        at com.fasterxml.jackson.datatype.jsr310.JavaTimeModule.<init>(JavaTimeModule.java:119)
        at java.lang.Class.newInstance(Native Method)
        at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:388)
        ... 21 more
    Suppressed: java.util.ServiceConfigurationError: com.fasterxml.jackson.databind.Module: Provider com.fasterxml.jackson.datatype.jsr310.JavaTimeModule could not be instantiated
        ... 24 more
    Caused by: java.lang.NoClassDefFoundError: <clinit> failed for class com.fasterxml.jackson.datatype.jsr310.deser.InstantDeserializer; see exception in other thread
        at com.fasterxml.jackson.datatype.jsr310.JavaTimeModule.<init>(JavaTimeModule.java:119)
        at java.lang.Class.newInstance(Native Method)
        at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:388)
        ... 21 more
    Caused by: java.lang.NoSuchFieldError: No field ISO_ZONED_DATE_TIME of type Lj$/time/format/DateTimeFormatter; in class Lj$/time/format/DateTimeFormatter; or its superclasses (declaration of 'j$.time.format.DateTimeFormatter' appears in /data/app/-3AsahYi2BhLBw_E80LXboQ==/base.apk!classes2.dex)
        at com.fasterxml.jackson.datatype.jsr310.deser.InstantDeserializer.<clinit>(InstantDeserializer.java:80)
        at com.fasterxml.jackson.datatype.jsr310.JavaTimeModule.<init>(JavaTimeModule.java:119)
        at java.lang.Class.newInstance(Native Method)
2021-07-27 19:41:07.096 27839-27839/? E/AndroidRuntime: at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:388)
        ... 21 more

The project has core library desugaring configured and enabled.

Do you know of anybody who uses this library and has similar issues and found a way to resolve or investigate them?

I found several reports, Stack Overflow entries and mentions of issues with com.fasterxml.jackson.datatype:jackson-datatype-jsr310 on Android, but unfortunately all without information about how to resolve them.

Add AppVersion to External Parameters

To differentiate different app versions within the rule, an additional parameter should be added to external parameters. This would be a nice feature if any kind of rule execution logic has a "bug" or any other problem in a special app version. The rule can then differentiate between different apps inside the rule.

Validation result `open` not supported

Describe the bug

With the current implementation, rules evaluate to either pass or fail but not to open:

val res = when {
    isValid -> Result.PASSED
    else -> Result.FAIL
}

Expected behaviour

Steps to reproduce the issue

look at the code

Technical details

n/a

Possible Fix

see expected behavior

Additional context

n/a

Test `ConverterTest.testConverter()` fails locally

Test ConverterTest.testConverter() fails locally:

@Test
fun testConverter() {
    val converters = Converters()
    val zonedDateTimeZone = ZonedDateTime.now()
    val timestamp = converters.zonedDateTimeToTimestamp(zonedDateTimeZone)
    val actualZonedDateTime = converters.fromTimestamp(timestamp)
    assertEquals(
        zonedDateTimeZone.withZoneSameInstant(utcZoneId),
        actualZonedDateTime
    )
}

junit.framework.AssertionFailedError: expected:<2021-06-30T14:54:51.748565Z> but was:<2021-06-30T14:54:51.748Z>
Expected :2021-06-30T14:54:51.748565Z
Actual   :2021-06-30T14:54:51.748Z

Code was a checkout of the current main branch: bc467af

Run via Android Studio 4.2.3.

Add the hash to RuleLocal table

Currently, the RuleLocal class/table doesn't contain a hash field. This means that users of this library have to manually also track the hash of each rule in a separate DB/table (which can cause inconsistency, etc.). It also means that efficiently syncing the backend with the database is more involved. The current DefaultRulesRepository doesn't even do a hash comparison.

With a hash field every RuleLocal could also store the corresponding hash to allow easy comparison and minimal updates.

Our implementation with hash comparison looks like this in case you want to reuse some of the code: https://github.com/Digitaler-Impfnachweis/covpass-android/blob/main/covpass-sdk/src/main/java/de/rki/covpass/sdk/rules/DefaultCovPassRulesRepository.kt

However that's based on an additional database for storing the hashes. We could do away with that extra complexity by simply having that extra field and if you reuse our sync algorithm we could also get rid of that extra code and this lib would be nicely usable out of the box (apart from all the dependencies issue as mentioned in #32 and the missing Maven Central or GitHub Packages publication mentioned in #12).

Add Region to external parameters/filter criteria

To support the region in the future, please add a region parameter to the external parameters, which is used in the filter criteria for the rules. For the beginning the region parameter can be null, because the app currently has no region selection.

[VH] Private fields of External Parameters not serialized and passed to rule engine (regression)

Describe the bug

Private fields of the External Parameter class don't seem to be represented in the JSON-serialized representation of the object and thus not passed to the rule engine to be accessed by the rules.

class ExternalParameter private constructor(
    val validationClock: String,
    private val valueSets: Map<String, List<String>>,
    val countryCode: String,
    private val exp: String,
    private val iat: String,
    private val issuerCountryCode: String,
    private val kid: String,
    val region: String = ""
)

This particularly includes valueSets, which should definitely be passed to the rules, and other fields.

Expected behaviour

External parameters such as valueSets can be accessed by the rules.

Steps to reproduce the issue

Run this rule for example:

{
  "and": [
    {
      "if": [
        {
          "var": "external.valueSets.covid-19-lab-result.0"
        },
        true,
        false
      ]
    },
    {
      "reduce": [
        {
          "var": "external.valueSets.covid-19-lab-result"
        },
        {
          "and": [
            {
              "in": [
                {
                  "var": "current"
                },
                [
                  "260415000",
                  "260373001"
                ]
              ]
            },
            {
              "var": "accumulator"
            }
          ]
        },
        true
      ]
    }
  ]
}

Technical details

n/a

Possible Fix

Roll back parts of 75883ec

Additional context

Regression introduced with 75883ec

Check for `EngineVersion` attribute missing

Describe the bug

There is currently no check for the value of the EngineVersion attribute of a rule:

return if (rules.isNotEmpty()) {
    val validationResults = mutableListOf<ValidationResult>()
    val dataJsonNode = prepareData(externalParameter, payload)
    val hcertVersion = hcertVersionString.toVersion()
    rules.forEach { rule ->
        val ruleVersion = rule.version.toVersion()
        val res = when {
            hcertVersion == null || ruleVersion == null || hcertVersion.first != ruleVersion.first -> Result.OPEN
            hcertVersion.isGreaterOrEqualThan(ruleVersion) &&
                jsonLogicValidator.isDataValid(
                    rule.logic,
                    dataJsonNode
                ) -> Result.PASSED
            else -> Result.FAIL
        }
        val cur: String = affectedFieldsDataRetriever.getAffectedFieldsData(
            rule,
            dataJsonNode,
            certificateType
        )
        validationResults.add(
            ValidationResult(
                rule,
                res,
                cur,
                null
            )
        )
    }
    validationResults
} else {
    emptyList()
}

Expected behaviour

If a rule has the attribute Engine with value CERTLOGIC and EngineVersion has a value other than 1.0.0, the rule is not evaluated but reported as open.

Steps to reproduce the issue

see code

Technical details

n/a

Possible Fix

add if statement

Additional context

related to eu-digital-green-certificates/dgc-certlogic-ios#27

Outdated certlogic lib

Describe the bug

The certlogic jar included in the Android module is outdated and should be updated from 0.9.0 to 0.11.0.

Expected behaviour

Support latest certlogic rules schema

Steps to reproduce the issue

Technical details

Possible Fix

Update the included lib to 0.11.0

Additional context

[VH] Parameter `issuerCountryCode` missing in ExternalParameter

Describe the bug

The parameter issuerCountryCode is missing in ExternalParameter:

class ExternalParameter private constructor(
    val kid: String,
    val validationClock: String,
    val valueSets: Map<String, List<String>>,
    val countryCode: String,
    val exp: String,
    val iat: String
) {
    constructor(
        kid: String,
        validationClock: ZonedDateTime,
        valueSets: Map<String, List<String>>,
        countryCode: String,
        exp: ZonedDateTime,
        iat: ZonedDateTime
    ) : this(kid, validationClock.toString(), valueSets, countryCode, exp.toString(), iat.toString())
}

Expected behaviour

The parameter issuerCountryCode can be set.

Steps to reproduce the issue

see code

Technical details

n/a

Possible Fix

add the parameter

Additional context

the specification describes this parameter as part of the external parameters

Integrate Hashcheckup

After downloading a business rule/valueset, the hash of the received content must be checked against the hash of the trustlist, to ensure that the file which was downloaded is the correct one. This can be resolved by integrating an interceptor into the HTTP client. If the hash is not correct, the rule should not be updated (if it exists) or should be ignored during the download (please show a hint somewhere that there is a problem).
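The check requested here, combined with the hash comparison asked for in "Add the hash to RuleLocal table", as an added example that is not code from this repository or from the linked CovPass implementation. It assumes the trust list announces a lower-case hex SHA-256 of the raw response body (the issues do not name the algorithm); `RuleEntry`, `StoredRule`, `SyncReport`, `syncRules` and the rule identifiers are hypothetical.

```kotlin
import java.security.MessageDigest

// Hypothetical models: what the trust list announces and what is stored locally.
class RuleEntry(val identifier: String, val hash: String)
class StoredRule(val identifier: String, val hash: String, val content: ByteArray)
class SyncReport(val stored: List<String>, val rejected: List<String>, val unchanged: List<String>)

// Assumption: the announced hash is the hex-encoded SHA-256 of the raw body.
fun sha256Hex(bytes: ByteArray): String =
    MessageDigest.getInstance("SHA-256").digest(bytes).joinToString("") { "%02x".format(it) }

fun syncRules(
    trusted: List<RuleEntry>,
    local: MutableMap<String, StoredRule>,
    download: (String) -> ByteArray
): SyncReport {
    val stored = mutableListOf<String>()
    val rejected = mutableListOf<String>()
    val unchanged = mutableListOf<String>()
    for (entry in trusted) {
        // Same hash already stored: nothing to download (minimal update).
        if (local[entry.identifier]?.hash.equals(entry.hash, ignoreCase = true)) {
            unchanged += entry.identifier
            continue
        }
        val body = download(entry.identifier)
        if (sha256Hex(body).equals(entry.hash, ignoreCase = true)) {
            // Hash the bytes exactly as received, before any JSON parsing or re-serialization.
            local[entry.identifier] = StoredRule(entry.identifier, entry.hash, body)
            stored += entry.identifier
        } else {
            // Mismatch: keep whatever is stored, do not overwrite, report it to the caller.
            rejected += entry.identifier
        }
    }
    return SyncReport(stored, rejected, unchanged)
}

fun main() {
    // Constructed sample data; identifiers and bodies are made up.
    val good = """{"Identifier":"GR-XX-0001"}""".toByteArray()
    val trusted = listOf(
        RuleEntry("GR-XX-0001", sha256Hex(good)),
        RuleEntry("GR-XX-0002", sha256Hex("expected body".toByteArray()))
    )
    val local = mutableMapOf<String, StoredRule>()
    val report = syncRules(trusted, local) { id ->
        if (id == "GR-XX-0001") good else "tampered body".toByteArray()
    }
    println("stored=${report.stored} rejected=${report.rejected} unchanged=${report.unchanged}")
}
```

The `rejected` list is what the app would use for the hint the issue asks for; a rejected download never replaces a rule that is already stored.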

[VH] Rules that fail with a (technical) exceptions should be reported as Open instead of propagating the exception

Describe the bug

When a rule fails with a (technical) exception, the exception is propagated to the caller:

return if (rules.isNotEmpty()) {
    val validationResults = mutableListOf<ValidationResult>()
    val dataJsonNode = prepareData(externalParameter, payload)
    val hcertVersion = hcertVersionString.toVersion()
    rules.forEach { rule ->
        val ruleVersion = rule.version.toVersion()
        val res = when {
            hcertVersion == null || ruleVersion == null || hcertVersion.first != ruleVersion.first -> Result.OPEN
            hcertVersion.isGreaterOrEqualThan(ruleVersion) &&
                jsonLogicValidator.isDataValid(
                    rule.logic,
                    dataJsonNode
                ) -> Result.PASSED
            else -> Result.FAIL
        }
        val cur: String = affectedFieldsDataRetriever.getAffectedFieldsData(
            rule,
            dataJsonNode,
            certificateType
        )
        validationResults.add(
            ValidationResult(
                rule,
                res,
                cur,
                null
            )
        )
    }
    validationResults
} else {
    emptyList()
}

Expected behaviour

Any exceptions that might be thrown should be caught and mapped to open.

Steps to reproduce the issue

see code

Technical details

n/a

Possible Fix

try-catch statement + map to open

Additional context

n/a

No support for Android 6 / Minimum SDK incompatible with Corona-Warn-App

Describe the bug

The minSdk version is currently set to 26 which makes it incompatible with the Corona-Warn-App (CWA).

CWA needs to support Android 6, so we'll need SDK 23.

Expected behaviour

Support Android 6

Steps to reproduce the issue

n/a

Technical details

https://developer.android.com/about/versions/marshmallow/android-6.0

Possible Fix

Adjust minSdk

Additional context

n/a

Issuer Country must be from CWT

Currently the country of vaccination or recovery is used as issuer country. This should only be used if the field "iss" is not available in the header. Please use the field from the CWT structure as country of issuer at first.

[VH] Schema version mismatch results in failed instead of open (inconsistent with iOS)

Describe the bug

If the SchemaVersion field of a rule is greater or equal than the ver field of a DCC (e.g. SchemaVersion=1.3.0 and ver=1.0.0), the rule results in fail:

hcertVersion.isGreaterOrEqualThan(schemaVersion) ->
    when (jsonLogicValidator.isDataValid(
        rule.logic,
        dataJsonNode
    )) {
        true -> Result.PASSED
        false -> Result.FAIL
        else -> Result.OPEN
    }
else -> Result.FAIL

Expected behaviour

The result should result in open, just like it is implemented on iOS:

https://github.com/eu-digital-green-certificates/dgc-certlogic-ios/blob/8b7f86a2aed4f2c60dd2c7c4f28eb129d9fe379d/Sources/CertLogic/CertLogic.swift#L52-L54

Steps to reproduce the issue

Apply a rule with SchemaVersion set to 1.3.0 (e.g. Netherlands) against a DCC with ver set to 1.0.0 (e.g. most German DCCs)

Technical details

n/a

Possible Fix

map to open instead of fail

Additional context
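The OPEN cases requested across the issues above (Engine, EngineVersion, comparing ver against SchemaVersion, schema version mismatch, and technical exceptions), put together in one place as an added example; it is a stand-alone sketch, not the repository's engine code. The reduced `Rule` model, `evaluate`, `isAtLeast` and the sample rules are hypothetical, and a plain Kotlin lambda stands in for the JsonLogic evaluation.

```kotlin
enum class Result { PASSED, FAIL, OPEN }

// Hypothetical, reduced rule model; fields mirror the attributes named in the issues.
class Rule(
    val identifier: String,
    val engine: String,
    val engineVersion: String,
    val schemaVersion: String,
    val logic: (Map<String, Any?>) -> Boolean // stands in for the JsonLogic evaluation
)

// Parses "major.minor.patch"; anything else yields null.
fun String.toVersion(): Triple<Int, Int, Int>? {
    val parts = split(".").map { it.toIntOrNull() ?: return null }
    return if (parts.size == 3) Triple(parts[0], parts[1], parts[2]) else null
}

fun Triple<Int, Int, Int>.isAtLeast(o: Triple<Int, Int, Int>): Boolean = when {
    first != o.first -> first > o.first
    second != o.second -> second > o.second
    else -> third >= o.third
}

fun evaluate(rule: Rule, hcertVer: String, data: Map<String, Any?>): Result {
    // A rule for another engine or engine version cannot be interpreted: do not evaluate it.
    if (rule.engine != "CERTLOGIC" || rule.engineVersion != "1.0.0") return Result.OPEN
    // Compare the DCC's ver with the rule's SchemaVersion, not with the rule's own Version.
    val dcc = hcertVer.toVersion()
    val schema = rule.schemaVersion.toVersion()
    if (dcc == null || schema == null || dcc.first != schema.first) return Result.OPEN
    // Rule written against a newer schema than the DCC: undecidable, so OPEN rather than FAIL.
    if (!dcc.isAtLeast(schema)) return Result.OPEN
    return try {
        if (rule.logic(data)) Result.PASSED else Result.FAIL
    } catch (e: Exception) {
        Result.OPEN // a technical failure is not a verdict on the certificate
    }
}

fun main() {
    // Constructed sample payload and rules.
    val data = mapOf<String, Any?>("dn" to 2, "sd" to 2)
    val complete: (Map<String, Any?>) -> Boolean = { it["dn"] == it["sd"] }
    val broken: (Map<String, Any?>) -> Boolean =
        { throw RuntimeException("date argument of \"plusTime\" must be a string") }
    val rules = listOf(
        Rule("R-1", "CERTLOGIC", "1.0.0", "1.0.0", complete), // evaluated normally
        Rule("R-2", "OTHER", "1.0.0", "1.0.0", complete),     // unknown engine
        Rule("R-3", "CERTLOGIC", "2.0.0", "1.0.0", complete), // unknown engine version
        Rule("R-4", "CERTLOGIC", "1.0.0", "1.3.0", complete), // schema newer than the DCC
        Rule("R-5", "CERTLOGIC", "1.0.0", "1.0.0", broken)    // throws during evaluation
    )
    for (r in rules) println("${r.identifier}: ${evaluate(r, "1.0.0", data)}")
}
```

Only R-1 reaches a PASSED/FAIL verdict; a caller has to treat OPEN as "not decided" and never count it as PASSED.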
