corona-warn-app / cwa-quicktest-onboarding

This repository contains the informations about onboarding procedure for rapid antigen test partners of the Corona-Warn-App. Please use our Wiki page for further details (german language only).
22 stars 52 forks source link

VC_HC_CWT_NO_ISS at DCC Result #27

Open juergenroesch opened 3 years ago

juergenroesch commented 3 years ago

my hex is:

846A5369676E61747572653143A1012640590115A401624445041A60F1F9A5061A60EF56A5390103A101A4617481A9626369782955524E3A555643493A56313A44453A49495938423657513938344A4A3849554C304838564B5255444E62636F62444562697374526F62657274204B6F63682D496E737469747574626D61643133333362736374323032312D30372D31345431383A31383A30345A627463744A75657267656E7320546573747A656E7472756D62746769383430353339303036627472693236303431353030306274746A4C503231373139382D3363646F626A313938302D30312D3031636E616DA462666E6A4D75737465726D616E6E62676E654572696B6163666E746A4D55535445524D414E4E63676E74654552494B416376657265312E332E30

what is the CBOR: {1: "DE", 4: 1626470821, 6: 1626298021, -260: {1: {"t": [{"ci": "URN:UVCI:V1:DE:IIY8B6WQ984JJ8IUL0H8VKRUDN", "co": "DE", "is": "Robert Koch-Institut", "ma": "1333", "sc": "2021-07-14T18:18:04Z", "tc": "Juergens Testzentrum", "tg": "840539006", "tr": "260415000", "tt": "LP217198-3"}], "dob": "1980-01-01", "nam": {"fn": "Mustermann", "gn": "Erika", "fnt": "MUSTERMANN", "gnt": "ERIKA"}, "ver": "1.3.0"}}}

If I send that to the WRU-Server i get valid response but if I check that on the IOS Testflight App I get the error "Dieser QR-Code ist kein gültiges Impfzertifikat (VC_HC_CWT_NO_ISS)".

For my understanding, Encryption and everything is fine but there might be a error in the DCC because the app tries to use that as a Vaccine-certifiate instead of a DCC?

Any hints?

hmontazeri commented 3 years ago

Same issue here

juergenroesch commented 3 years ago

i think, the problem is the encryption and a very bad documentation. for the sha256 hash you need to use the cbor with the Signature1.... but encrypted will be the hcert container with 1:DE... But then, if I use a online aes encrypter i get an RSA decryption error on the phone, and with my C#-Class i get the ISS-Error.

anyhow, I never got that working since days even with online encryption and so on... that's really horrible...

hmontazeri commented 3 years ago

@juergenroesch I'm not sure about that. I tried to encrypt a random string instead of the CBOR object inside the AES function. Then I got a new ERR Code VC_HC_CBOR_DECODING_FAILED which tells me that the encryption should be fine.

I'm guessing its some kind of encoding issue... not sure but UTF-8 and ASCII-8BIT seems to be an issue with the hex dumps of CBOR

image

Ein-Tim commented 3 years ago

Which version of the iOS app are you using btw? Version 2.6.0.3?

juergenroesch commented 3 years ago

2.4.0 (12) - i dont get a newer one from the TestFlight

hmontazeri commented 3 years ago

Which version of the iOS app are you using btw? Version 2.6.0.3?

2.4.0 latest on testflight

Ein-Tim commented 3 years ago

Mh, that's strange. We are on 2.5.1 released and version 2.6 is in development. But no idea what exactly TestFlight is used for here, I don't have access, but IHMO it's strange that you're not even on a pre-release version of 2.5...

Anyways I don't think version 2.5 would fix your issue, didn't see a PR for this.

hmontazeri commented 3 years ago

It has to be something on the server side. The lab simulator python script here works. So... Is there any way we can get in touch with the server team on that? To be at least sure if the problem is caused by encryption or not?

Ein-Tim commented 3 years ago

@hmontazeri

@daniel-eder already assigned @MartinKonrad to this issue, so I'm sure you'll get feedback soon.

@dsarkar Do you want to mirror this to JIRA? Maybe EXPOSUREBACK?

MartinKonrad commented 3 years ago

@hmontazeri we need to have a closer look on this topic. Please describe your problem in detail and send it via email to cwa-schnelltest-onboarding@t-systems.com . Thank you.

hmontazeri commented 3 years ago

I was able to fix my implementation with some help from @mdf-dths.

# my ruby code
cipher.iv = ["00000000000000000000000000000000"].pack("H*")
cipher.key = [SecureRandom.bytes(64)].pack("H*")

These two lines got it working for me. It is the IV and KEY for the AES encryption. It's mandatory that they are hex values.

KDederichs commented 3 years ago

Yeah I am having the same problems getting it running in PHP tbh. (if anyone has a working implementation already I'd be grateful ;) ) It does not help that the documentation clearly is written for people that use Java as well so everyone else has to figure out the correct encryption parameters for their respective programing language.

But yeah what would be REALLY nice is if the server didn't accept certificates it can not decode from the start cause I and I assume many other people would assume that when the request is accepted it's good to go....

hmontazeri commented 3 years ago

@KDederichs there is a PHP implementation I got from @mdf-dths. PHP DCC

KDederichs commented 3 years ago

Thanks! Looks like I was almost there, just got the wrong setMGFHash parameter and the wrong IV Funny, when I set setMGFHash to sha256 the CWA got into a crash loop....

kev-andrews commented 3 years ago

OK guys, i have been at this for three days. My problem was that the docs -DO- mention that the AES IV is {0...0} However, they do NOT mention that in that case prepending the IV is not necessary or expected. Maybe this is the default way of doing it when using a zeroed iv vector, but please write that into the docs explicitly. Prepending the IV, as i always do when i use AES, causes all kinds of VC_HC_CWT_NO_ISS and VC_HC_CBOR_DECODING_FAILED errors... Have a working .NET 5 implementation now though...