feat: add saaaanchez test QR, text and result

[Jakub-KK]

Adding a sample created by truncating "pass-valido" that is recognized as valid by apps (base45 decodes without errors).

The sample is suspicious only because of non-official surname "Saaaanchez" and being found as part of problematic "pass-valido". It is possible that this sample is not fraudulent, and was issued for real person, it is impossible to tell for sure.

[denysvitali]

Uhm, did you run ./verify.sh?

[Jakub-KK]

I used ehn-sign-verify-python-trivial to validate signature and get all the information (also openssl x509 ... to get key info), didn't have time to use your tools yet. I tried to put information about sample in correct format.

[denysvitali]

The issue is that certificate is most probably v1.0, whilst nowadays we use v1.3 IIRC

[Jakub-KK]

@denysvitali is it about https://github.com/denysvitali/covid-cert-analysis/commit/061f6ae7b059a64c07bd4b8b1fc902b97be94a29#commitcomment-59268556? If so, the base45 data is the same in both QR codes so the schema is not an issue (I used awesome Cognex android app to verify data on both QR codes) I guess that Polish DCC verifier has a broken QR code reader, or the QR code generator that was used to create new QR code (061f6ae7b059a64c07bd4b8b1fc902b97be94a29) for saaaanchez does something weird. No big deal, just FYI :)

Commit comment https://github.com/denysvitali/covid-cert-analysis/commit/061f6ae7b059a64c07bd4b8b1fc902b97be94a29#commitcomment-59268556 moved here for discussion continuity: I'm getting strange result with Polish DCC verifier app - the QR code from this commit results in "Invalid structure of QR Code" error in the app. I confirmed with generic QR code scanner (Cognex app) that this code contains exactly the same data as the QR code from commit 9124af0a439dacf136822582aed1c44128851315 that it replaced, that was generated using python "qrcode" module (https://github.com/lincolnloop/python-qrcode). Other QRs from RESULTS page scan without problems. Two possibilities: either non-standard encoding of data in new QR added in this commit, or broken QR decoder in Polish DCC verifier app (cannot check unde the hood b/c it's not open source) And BTW, "Personal Name" is missing.

[denysvitali]

That explains it! Wow!

I'm sorry then for re-generating the QR code!

I'm also sorry for replying here to your commit comment, GitHub on Android doesn't show those :(

I'll revert my commit that changes the QR.

[Jakub-KK]

No problem at all. I'll try to raise the issue about this new saaaanchez QR code with the PL authorities, there should be no such problems with QR code that is readable by other apps in the field. Did you verify this new code with VerificaC19 app?

[Jakub-KK]

@denysvitali no need to answer my question, I saw https://github.com/ministero-salute/it-dgc-verificaC19-android/issues/185#issuecomment-961338636 :)

[denysvitali]

@denysvitali no need to answer my question, I saw https://github.com/ministero-salute/it-dgc-verificaC19-android/issues/185#issuecomment-961338636 :)

Sadly both the italian and swiss app are affected. I feel stupid for not checking the QR code itself. I assumed the QR decoder was pretty standard and bug-free.

[Jakub-KK]

They use bog standard zxing component as you can see in https://github.com/ministero-salute/it-dgc-verificaC19-android/blob/develop/app/src/main/java/it/ministerodellasalute/verificaC19/ui/main/codeReader/CodeReaderFragment.kt I wonder what triggers the bug... Maybe you should put an issue about this on https://github.com/zxing/zxing?

[Jakub-KK]

Nice find @denysvitali https://github.com/ministero-salute/it-dgc-verificaC19-android/issues/185#issuecomment-961734029 Sample is not fraudulent (part of test suite) and should be deleted from repo.

[denysvitali]

I've got an external tip 😅.

I'll remove it later :)

[denysvitali]

Took me a while, sorry. I now removed both saaaanchez and pass-valido as they're both valid certificates (one really valid, the other with data added at the end).