Jump to content
Daniel

Windows desktop client for verification of EU Covid-19 health certificates

Recommended Posts

Well, this is a private research-project about the EU Covid-certificates.

I wanted to know how that stuff works and how the pieces are glued together. After a wild mixture of very interesting and also some nasty hours, I got it working. I also learned about new data formats that were previously unknown to me (hello "cbor").

 

Many different techniques come together here:

  1. decoding the data from Base45 (yes, forty-five)
  2. decompressing the result using the zlib-classes
  3. downloading external supplementary files using the http-components
  4. hopping from the formats "COSE" to "CBOR" to "JSON"
  5. using OpenSSL to extract and validate the digital signature against the official public keys

 

All of this is now integrated in a small and fluffy Delphi program.

 

 

This client

  • reads the personal/medical data from the certificate
  • displays the specific information for
    • "vaccinated"-certificates
    • "tested"-certificates
    • "recovered"-certificates
  • reads the digital signature from the certificate
  • verifys that signature using the public keys from the official trust-list to detect fraud
  • is clearly not an official application ready for production use anywhere

 

 

cov_demo.thumb.png.76d8d3acf9ffd7ac150a53cfd6ac2095.png

 

Important:

Some, but not all code ist from me. The unit "cbor.pas" comes from "https://github.com/mikerabat/DelphiCBOR", the interface to openssl comes from "https://github.com/Arvur/OpenSSL-Delphi".

 

Just in case you're interested and want to try it:

  1. Download attached zip-archive. It contains the complete Delphi-project as well as the value-sets and trust-list (see #3).
  2. You need to get your hands on the openssl-libraries "libeay32.dll" and "ssleay32.dll" (not included in the downloads). These libraries must be located in the same directory as the executable. By default "Win32-Debug" is the output-path for this project. If you decide to switch to 64bit, you should provide the matching libraries.
  3. This program reads the trust-list and the so-called value-sets from external json-files. These files can be downloaded using the button "Download supplementary data" (button starts download, gives no feedback, you must restart the program afterwards). The trust-list contains the list of currently valid public-certificates. The value-sets contain the translations from IDs (values) to readable strings. All the json-files must be in the same directory as the executable - and that directory must be writable. The json-files from today are included in the download.
  4. You need - of course - an EU Covid-19 health certificate (vaccinated, tested or recovered). Take any barcode-scanner to translate the barcode into textual representation: You should get a string starting with "HC1:". Paste that code into the windows that opened after pressing "Scan certificate".

 

 

 

CovDemo_06-Feb-2022.zip

  • Like 4
  • Thanks 3

Share this post


Link to post

It's working 🙂 HowEver result is "certificate invalid" 😞 

 

image.png.a5b9f487a930a670c514929914604c21.png

 

image.png.5eb1ce75f4318db69c536a56017c47c5.png

 

image.thumb.png.0216dc0b969359408fbd3158e302b450.png

 

regards,

Marjan

Edited by mausmb

Share this post


Link to post

Interesting - thanks for the feedback. Most likely the program calculated the wrong signature to compare against the signature provided in the certificate.

hm.

Next week I will have access to more certificates to test with.

Share this post


Link to post

Many thanks for your project.  My test also says  "certificate invalid".

 

image.thumb.png.34f7827af8ef826c96bba013cb2d77a0.png 

 

Share this post


Link to post

Thanks - I nailed it down to the code that generates the digital signature.

I am still looking for a health-certificate around me that generates this error. It is a lot easier, having one of them inside the IDE....

Share this post


Link to post

I did not expect this - but sometimes reading the manual (aka specification) indeed helps.

Hardcoding the algorithm SHA-256 while the certificates could also use SHA-384 or SHA-512 is not helpful either.

 

 911927791_Screenshot2022-02-03at19_00_52.png.4638680c223380f37c8ebae0047f60d7.png

 

I suspect that the failed examples here failed at this very point.
May I ask you both to take another look at the updated code (see first post). I assume that you will see another algorithm used than "SHA-256".

Share this post


Link to post

Hi, In my case the algorithm shown is "SHA-256".

If you need my certificate data for further testing, please feel free to tell me (in private).

 

image.thumb.png.65ea19a640cb2f010fffdfb21299f246.png

Edited by Josep
syntax error

Share this post


Link to post

Thanks.

Yes, this is the case for all certificates using the algorithm "ECDSA w/ SHA256" for the signature.

So far I only can verify the certificates using the algorithm "RSASSA-PSS".

This is a little bit tricky right now...

 

 

Share this post


Link to post

Thanks for the support - I am a step further.

Actually OpenSSL handles all these algorithm-stuff by itself. It was just my code that was writing a superfluous zero-byte to a stream. And when it comes to cryptography, a single byte can destroy everything. 😉

Share this post


Link to post
2 hours ago, Daniel said:

Thanks for the support - I am a step further.

Actually OpenSSL handles all these algorithm-stuff by itself. It was just my code that was writing a superfluous zero-byte to a stream. And when it comes to cryptography, a single byte can destroy everything. 😉

Oooooh, how many of sleepless nights I caused myself when due to encoding issues I changed some string routines to TBytes...

I can feel the satisfaction of your "oh, damn it" moment when you realized what went wrong 🙂

 

Share this post


Link to post
5 hours ago, Thijs van Dien said:

Offtopic perhaps, but I'd advise you not to put such personal information on the internet like this.

I agree with you that one should be careful what information one posts about oneself. In this particular case, however, I do not feel that I have published sensitive or new data.
My real name is known and I do not make a secret of the fact that I have been vaccinated.
In none of the screenshots published so far was there enough information to allow misuse of the certificates - and that is of course good and right (and should stay that way).

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×