corona-warn-app / cwa-app-android

Native Android app using the Apple/Google exposure notification API. The CWA development ends on May 31, 2023. You still can warn other users until April 30, 2023. More information:
https://coronawarn.app/en/faq/#ramp_down
Apache License 2.0

Date and time when checking certificate status must be entered in UTC and not in local timezone. #3990

Closed wertzui closed 2 years ago

wertzui commented 3 years ago

Avoid duplicates

Might be related to https://github.com/corona-warn-app/cwa-app-android/issues/3562

Technical details

Describe the bug

When checking a certificate, you have to put in a date and a time into the "Datum und Uhrzeit" input box. Under the box it states: "Geben Sie Ihr Einreisedatum und Ihre lokale Uhrzeit ein." However, this must be entered in UTC and not in local time (currently Germany is +2:00).

Steps to reproduce the issue

Vaccinated at 2021-08-01 (time does not matter)

Entered 2021-08-16 00:01 => says certificate is invalid

Entered 2021-08-16 02:01 => says certificate is valid

Expected behaviour

The input should be in the user's local timezone as stated below the input.

MikeMcC399 commented 3 years ago

@wertzui How did you manage to enter "2021-08-16 00:01"? In CWA version 2.7.1 you cannot enter a date in the past for certificate validation. The date time picker doesn't allow it. Or have you been saving up this report since this date?

The input is in any case interpreted as a local time, as the prompt says. If I choose tomorrow 00:00 for instance, the log file shows

I/BusinessValidator: Validating invalidation rules of DE at 2021-08-28T00:00:00.000+02:00

including the CEST = UTC+02:00.

Your report should be investigated though, despite what I have written above. There may be a bug in the Business Rules or the way they are interpreted.

wertzui commented 3 years ago

Actually I entered "27.08.2021 00:02" last night. I just thought that it would be easier to spot the problem if I explain it with a date that is the 1st of a month and 15 days after.

I attached a screenshot of the problem (photo_2021-08-27_10-28-16).

MikeMcC399 commented 3 years ago

@wertzui I understand why you tried to simplify your report with fictitious dates. The screenshot is the best way to describe the problem. That is ideal.

vaubaehn commented 3 years ago

The problem seems to be that vaccination certificates (at least in Germany) had been issued with a date formatted as "YYYY-MM-DD" without any time zone designator. As long as no time zone is added to these dates, the CertLogic engine (developed by someone who is working for NL health ministry) which checks the validity of a certificate against published business rules of a member state, would need to take into account in which country the vaccination took place (which would be the field 'co' in the DCC 1.3.0 spec), and then map the correct time zone to the country of vaccination. And this can be a terrible scenario for development, as time zone changes are more often subject to change than one would expect... In any case, without time zone designator in any 'date' field for a DCC, the CertLogic engine currently always assumes UTC time. So, for the example here it would mean that CertLogic engine assumes vaccination took place on that date UTC+0, the local DE time at 00:00 is equivalent to UTC-2, so it is still not valid.

To solve this issue, either a quite complex change of CertLogic engine was needed, or all providers of issuing services in EU should be encouraged to use a time zone designator also for simple 'full day dates'. To also better reflect this in the DCC spec, the related spec descriptions should be extended, which would require a minor spec version update.

Somewhat related issue: https://github.com/eu-digital-green-certificates/dgc-certlogic-android/issues/53
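The effect described in this thread, as an added example that is not part of the original issue and not code from CWA or CertLogic: a date-only vaccination field is anchored at UTC midnight, the check time is taken in local time, and the two anchors give different verdicts for a short window. `WAIT_DAYS = 15` is an assumption read off the reporter's dates (not the real business rule), `CEST` is a fixed +02:00 offset as shown in the log line above, and all function names are hypothetical.

```python
from datetime import date, datetime, time, timedelta, timezone

CEST = timezone(timedelta(hours=2), "CEST")  # fixed offset, as in the thread's log line
WAIT_DAYS = 15  # assumption taken from the report's dates, not from published rules


def parse_check_time(text, tz):
    """Interpret the wall-clock input 'YYYY-MM-DD HH:MM' in the given zone."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=tz)


def valid_from(vaccination_date, date_tz):
    """Anchor a date-only field at midnight in date_tz, then add the waiting period."""
    day = date.fromisoformat(vaccination_date)
    return datetime.combine(day, time.min, tzinfo=date_tz) + timedelta(days=WAIT_DAYS)


def is_valid(vaccination_date, check_time, date_tz=timezone.utc):
    """Compare instants, not wall-clock strings; refuse ambiguous (naive) input."""
    if check_time.tzinfo is None:
        raise ValueError("check_time must carry a time zone or UTC offset")
    return check_time >= valid_from(vaccination_date, date_tz)


def disagreement_window(vaccination_date, local_tz):
    """Instants at which the UTC anchor and the local anchor give different verdicts."""
    a = valid_from(vaccination_date, timezone.utc)
    b = valid_from(vaccination_date, local_tz)
    return min(a, b), max(a, b)


if __name__ == "__main__":
    vaccinated = "2021-08-01"  # constructed sample, same dates as the report
    for entered in ("2021-08-16 00:01", "2021-08-16 02:01"):
        when = parse_check_time(entered, CEST)
        print(entered, "CEST:",
              "UTC anchor ->", is_valid(vaccinated, when),
              "| local anchor ->", is_valid(vaccinated, when, date_tz=CEST))
    start, end = disagreement_window(vaccinated, CEST)
    print("verdicts differ from", start.isoformat(), "until", end.isoformat())
```
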

KinNeko-De commented 2 years ago

I do not use the corona warn app. But this issue was mentioned in Digitaler-Impfnachweis/covpass-android#106

Using only UTC timestamp is a common practice to avoid time problems with local time and summer/wintertime. Using "German time" makes everything more complex. And if you deal with internal people, you always get problems.

Assume the following scenario. You (from Germany) fly to the west and somebody from another timezone checks it. You cannot explain to him that your phone is German and your certificate is valid in your timezone. I would not like that anything is based on German time.

So for me (as a developer) it is okay that the certificate is valid only at 02:00 (or now 01:00)

mtwalli commented 2 years ago

@wertzui UTC is actually used under the hood, see https://github.com/corona-warn-app/cwa-app-android/blob/d84d7b537ba92c7577a23f903c882b85e58cd1a9/Corona-Warn-App/src/main/java/de/rki/coronawarnapp/covidcertificate/validation/core/business/wrapper/Mappings.kt#L30-L43

and see https://github.com/eu-digital-green-certificates/dgc-certlogic-android/issues/53#issuecomment-905382384. Changes have been included in CWA a long time ago. Are you still facing this issue?