Help for decoding spongebob pass...

[jumpjack]

I wrote an app to view what's written in my qrcode: https://github.com/jumpjack/greenpass http://jumpjack.altervista.org/greenpass/

It works fine with my greenpass and with some fake ones, but it fails with spongebob and other; the ones not working are the bigger ones. Any idea why my app fails with some qrcodes and works with others? The algorithm should be the same for all.

This is the decoding process I am using:

BASE45 = raw.value.replace("HC1:","");
COMPRESSED = decode(BASE45).raw
COSEbin =  pako.inflate(COMPRESSED);
COSE = buf2hex(COSEbin);
typedArray = new Uint8Array(COSE.match(/[\da-f]{2}/gi).map(function (h) {  return parseInt(h, 16)}))
unzipped = typedArray.buffer
[headers1, headers2, cbor_data, signature] = CBOR.decode(unzipped)

I admit I just copied/pasted some snippets of code, I don't understand very well what's going on here...

The decoding process for spongebob and mama joe QRcodes fails at unzipping step: COSEbin = pako.inflate(COMPRESSED);

 TypeError: i.subarray is not a function
    at Object.inflate (pako.min.js:2)
    at Xe.push (pako.min.js:2)
    at Object.We (pako.min.js:2)

"COMPRESSED" is 776 bytes long, vs. 348 bytes of a QR code which works with my app.

I also tried processing the data without unzipping them (just in case), but CBOR.decode(COMPRESSED) results in "Error: remaining bytes".

[berdav]

Spongebob's greenpass is signed with PS256 algorithm (screenshots got using https://github.com/berdav/greenpass)

In your repository it seems that you have only ES256 certifications, you need to verify also RSA certification, not only Elliptic curve based ones. Are you checking these?

[jumpjack]

I don't want to verify/check, I just would like to view (what's inside the QRcode). But I don't know/understand python. I would like to understand if I can identify if the various fake certificates were created by same signing party.