Daniel 417 Posted January 29, 2022

Well, this is a private research project about the EU Covid certificates. I wanted to know how that stuff works and how the pieces are glued together. After a wild mixture of very interesting and also some nasty hours, I got it working. I also learned about new data formats that were previously unknown to me (hello "cbor").

Many different techniques come together here:

- decoding the data from Base45 (yes, forty-five)
- decompressing the result using the zlib classes
- downloading external supplementary files using the http components
- hopping from the formats "COSE" to "CBOR" to "JSON"
- using OpenSSL to extract and validate the digital signature against the official public keys

All of this is now integrated in a small and fluffy Delphi program. This client

- reads the personal/medical data from the certificate
- displays the specific information for
  - "vaccinated" certificates
  - "tested" certificates
  - "recovered" certificates
- reads the digital signature from the certificate
- verifies that signature using the public keys from the official trust list to detect fraud
- is clearly not an official application ready for production use anywhere

Important: Some, but not all, code is from me. The unit "cbor.pas" comes from "https://github.com/mikerabat/DelphiCBOR", the interface to OpenSSL comes from "https://github.com/Arvur/OpenSSL-Delphi".

Just in case you're interested and want to try it: Download the attached zip archive. It contains the complete Delphi project as well as the value sets and trust list (see #3). You need to get your hands on the OpenSSL libraries "libeay32.dll" and "ssleay32.dll" (not included in the download). These libraries must be located in the same directory as the executable. By default "Win32-Debug" is the output path for this project. If you decide to switch to 64-bit, you should provide the matching libraries.

This program reads the trust list and the so-called value sets from external JSON files. These files can be downloaded using the button "Download supplementary data" (the button starts the download, gives no feedback, and you must restart the program afterwards). The trust list contains the list of currently valid public certificates. The value sets contain the translations from IDs (values) to readable strings. All the JSON files must be in the same directory as the executable, and that directory must be writable. The JSON files from today are included in the download.

You need, of course, an EU Covid-19 health certificate (vaccinated, tested or recovered). Take any barcode scanner to translate the barcode into its textual representation: you should get a string starting with "HC1:". Paste that code into the window that opens after pressing "Scan certificate".

CovDemo_06-Feb-2022.zip
mausmb 13 Posted January 29, 2022 (edited)

It's working 🙂 However, the result is "certificate invalid" 😞

regards, Marjan

Edited January 29, 2022 by mausmb
Daniel 417 Posted January 29, 2022

Interesting - thanks for the feedback. Most likely the program calculated the wrong signature to compare against the signature provided in the certificate. Hm. Next week I will have access to more certificates to test with.
Josep 8 Posted February 1, 2022

Many thanks for your project. My test also says "certificate invalid".
Daniel 417 Posted February 1, 2022

Thanks - I nailed it down to the code that generates the digital signature. I am still looking for a health certificate around me that generates this error. It is a lot easier having one of them inside the IDE...
Daniel 417 Posted February 3, 2022

I did not expect this - but sometimes reading the manual (aka specification) indeed helps. Hardcoding the algorithm SHA-256 while the certificates could also use SHA-384 or SHA-512 is not helpful either. I suspect that the failed examples here failed at this very point. May I ask you both to take another look at the updated code (see first post). I assume that you will see another algorithm used than "SHA-256".
Josep 8 Posted February 4, 2022 (edited)

Hi, in my case the algorithm shown is "SHA-256". If you need my certificate data for further testing, please feel free to tell me (in private).

Edited February 4, 2022 by Josep (syntax error)
mausmb 13 Posted February 6, 2022

Hi, certificate invalid...

regards, Marjan
Daniel 417 Posted February 6, 2022

Thanks. Yes, this is the case for all certificates using the algorithm "ECDSA w/ SHA256" for the signature. So far I can only verify the certificates using the algorithm "RSASSA-PSS". This is a little bit tricky right now...
Daniel 417 Posted February 6, 2022

Thanks for the support - I am a step further. Actually OpenSSL handles all this algorithm stuff by itself. It was just my code that was writing a superfluous zero byte to a stream. And when it comes to cryptography, a single byte can destroy everything. 😉
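The decoding pipeline Daniel lists in the first post (Base45, zlib, COSE/CBOR, signature against the trust list), together with the two points the thread later turns on (the digest must follow the certificate's alg rather than a hard-coded SHA-256, and a single stray byte in the signed data breaks verification), as an added example in Python. This is not code from the original post or from CovDemo, and it uses only the standard library: a Base45 decoder, a minimal definite-length CBOR codec, and the COSE_Sign1 unpacking that produces the Sig_structure bytes OpenSSL must actually verify. The certificate it decodes is constructed inline with a dummy all-zero signature, so it is not a real DCC and the final OpenSSL verification step (to_be_signed, digest, trust-list key) is deliberately left out; everything up to that point is the real wire format.

```python
import zlib

B45 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"      # RFC 9285 alphabet

def base45_decode(s):
    out = bytearray()
    for i in range(0, len(s), 3):
        digits = [B45.index(c) for c in s[i:i + 3]]          # ValueError on a bad character
        n = sum(d * 45 ** k for k, d in enumerate(digits))    # least significant digit first
        width = {3: 2, 2: 1}.get(len(digits), 0)              # 3 chars -> 2 bytes, 2 chars -> 1 byte
        if not width or n >= 1 << 8 * width:
            raise ValueError("malformed base45 group at offset %d" % i)
        out += n.to_bytes(width, "big")
    return bytes(out)

def base45_encode(b):
    s = ""
    for i in range(0, len(b), 2):
        n, width = int.from_bytes(b[i:i + 2], "big"), (3 if i + 2 <= len(b) else 2)
        for _ in range(width):
            s, n = s + B45[n % 45], n // 45
    return s

class Tag:                      # CBOR tagged value; tag 18 wraps a COSE_Sign1
    def __init__(self, tag, value):
        self.tag, self.value = tag, value

def _head(major, n):            # CBOR initial byte plus definite-length argument (n < 2**64)
    if n < 24:
        return bytes([major << 5 | n])
    size = next(s for s in (1, 2, 4, 8) if n < 1 << 8 * s)
    return bytes([major << 5 | 24 + size.bit_length() - 1]) + n.to_bytes(size, "big")

def cbor_encode(v):
    if isinstance(v, Tag):   return _head(6, v.tag) + cbor_encode(v.value)
    if isinstance(v, int):   return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes): return _head(2, len(v)) + v
    if isinstance(v, str):   return _head(3, len(v.encode())) + v.encode()
    if isinstance(v, list):  return _head(4, len(v)) + b"".join(map(cbor_encode, v))
    if isinstance(v, dict):  return _head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError("cannot encode %r" % type(v))

def cbor_decode(buf, pos=0):    # returns (value, next_pos); definite lengths only, which is all a DCC uses
    major, n, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    if n >= 28:
        raise ValueError("indefinite length or simple value at offset %d" % (pos - 1))
    if n >= 24:                                            # 1/2/4/8-byte argument follows
        size = 1 << (n - 24)
        n, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if major < 2:
        return (n if major == 0 else -1 - n), pos
    if major < 4:
        if pos + n > len(buf):
            raise ValueError("truncated string at offset %d" % pos)
        s = buf[pos:pos + n]
        return (bytes(s) if major == 2 else s.decode("utf-8")), pos + n
    if major < 6:
        items = []
        for _ in range(n * (major - 3)):                   # a map holds n key/value pairs
            v, pos = cbor_decode(buf, pos)
            items.append(v)
        return (items if major == 4 else dict(zip(items[::2], items[1::2]))), pos
    if major == 6:
        v, pos = cbor_decode(buf, pos)
        return Tag(n, v), pos
    raise ValueError("floats/simple values are not expected in a DCC")

# COSE 'alg' (RFC 8152) -> (digest OpenSSL must use, key type).  The digest is dictated by
# the certificate's protected header, so hard-coding SHA-256 only works for ES256/PS256.
COSE_ALGS = {-7: ("sha256", "EC"), -35: ("sha384", "EC"), -36: ("sha512", "EC"),
             -37: ("sha256", "RSA-PSS"), -38: ("sha384", "RSA-PSS"), -39: ("sha512", "RSA-PSS")}

def decode_hc1(text):
    if not text.startswith("HC1:"):
        raise ValueError("not an EU DCC string")
    raw = zlib.decompress(base45_decode(text[4:]))
    cose, end = cbor_decode(raw)
    if end != len(raw):                                    # a stray byte means corrupt input: refuse it
        raise ValueError("%d trailing byte(s) after COSE_Sign1" % (len(raw) - end))
    if isinstance(cose, Tag) and cose.tag == 18:           # tag 18 is optional on the wire
        cose = cose.value
    protected, unprotected, payload, signature = cose      # anything but a 4-element array fails here
    phdr, claims = cbor_decode(protected)[0], cbor_decode(payload)[0]
    digest, key_type = COSE_ALGS[phdr[1]]                  # alg is only trusted from the protected header
    return {"alg": phdr[1], "digest": digest, "key_type": key_type,
            "kid": phdr.get(4, unprotected.get(4)),        # selects the signer certificate in the trust list
            "issuer": claims.get(1), "expires": claims.get(4), "issued_at": claims.get(6), "hcert": claims[-260][1],
            "signature": signature,                        # Sig_structure (RFC 8152 4.4) is what was signed:
            "to_be_signed": cbor_encode(["Signature1", protected, b"", payload])}

def make_sample(trailing=b""):
    # Constructed test vector, not a real DCC: ES256 header, one 'v' entry, 64 zero bytes as signature.
    # 'trailing' appends junk after the COSE object so a caller can watch the length check fire.
    hcert = {"ver": "1.3.0", "nam": {"fn": "Mustermann", "gn": "Erika"}, "dob": "1964-08-12",
             "v": [{"tg": "840539006", "vp": "1119349007", "mp": "EU/1/20/1528", "dn": 2, "sd": 2,
                    "dt": "2021-05-21", "co": "DE", "is": "Robert Koch-Institut", "ci": "URN:UVCI:01DE/TEST/1#X"}]}
    claims = {1: "DE", 4: 1716000000, 6: 1621600000, -260: {1: hcert}}
    protected = cbor_encode({1: -7, 4: bytes.fromhex("0102030405060708")})   # alg ES256, 8-byte kid
    cose = Tag(18, [protected, {}, cbor_encode(claims), bytes(64)])
    return "HC1:" + base45_encode(zlib.compress(cbor_encode(cose) + trailing, 9))
```

Two checks in decode_hc1 are worth carrying into any verifier: COSE_ALGS turns the alg value from the protected header into the digest, so ES256 (-7), ES384 (-35), PS256 (-37) and the rest each pick their own hash instead of a fixed SHA-256; and the length comparison after cbor_decode rejects input with bytes left over instead of silently ignoring them. When the result is handed to OpenSSL, note that COSE carries ECDSA signatures as raw r||s (64, 96 or 132 bytes for ES256/384/512), whereas OpenSSL's EVP_DigestVerify expects a DER-encoded ECDSA-Sig-Value, so that string has to be re-encoded first; RSASSA-PSS signatures go through unchanged, with the PSS salt length equal to the digest length as RFC 8152 requires.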
aehimself 396 Posted February 6, 2022

2 hours ago, Daniel said:
> Thanks for the support - I am a step further. Actually OpenSSL handles all this algorithm stuff by itself. It was just my code that was writing a superfluous zero byte to a stream. And when it comes to cryptography, a single byte can destroy everything. 😉

Oooooh, how many sleepless nights I caused myself when, due to encoding issues, I changed some string routines to TBytes... I can feel the satisfaction of your "oh, damn it" moment when you realized what went wrong 🙂
Thijs van Dien 9 Posted February 7, 2022

Off-topic perhaps, but I'd advise you not to put such personal information on the internet like this.
Daniel 417 Posted February 7, 2022

5 hours ago, Thijs van Dien said:
> Off-topic perhaps, but I'd advise you not to put such personal information on the internet like this.

I agree with you that one should be careful what information one posts about oneself. In this particular case, however, I do not feel that I have published sensitive or new data. My real name is known and I do not make a secret of the fact that I have been vaccinated. In none of the screenshots published so far was there enough information to allow misuse of the certificates - and that is of course good and right (and should stay that way).
mausmb 13 Posted February 7, 2022

Now everything is OK!

regards, Marjan
Josep 8 Posted February 8, 2022

Mine is valid too! Congratulations Daniel!