ehn-dcc-development / hcert-kotlin

Kotlin multiplatform implementation of the HCERT/DCC specification
Apache License 2.0

KEY_NOT_IN_TRUST_LIST error after certificate update #75

Closed lazka closed 2 years ago

lazka commented 2 years ago

The trust anchor was recently updated because the old one will soon expire: https://github.com/Federal-Ministry-of-Health-AT/green-pass-overview/commit/cae10ee4c332c0bd01bc4c8f82afa06654429f27

I'm now facing the problem that hcert-kotlin doesn't like the new cert and fails with "KEY_NOT_IN_TRUST_LIST" when loading the official trust data from https://dgc-trust.qr.gv.at/ (can be reproduced using demo.html)

Am I missing something?

thanks

nodh commented 2 years ago

What certificates and code exactly are you using to build up the verification chain?

eiksch commented 2 years ago

I got the same error.

You can reproduce it with this code:

```javascript
const hcert = require('./lib/hcert/hcert-node'); // your hcert path
// The QR payload string was removed from the post; substitute a real one.
const qr = '<QR code payload omitted in the post>';

// Trust-list signing certificate (AT DGC TL 2) taken from the overview repo.
const pemCert =
    '-----BEGIN CERTIFICATE-----\n' +
    'MIIB1DCCAXmgAwIBAgIKAYDcOWBmNxlPgDAKBggqhkjOPQQDAjBEMQswCQYDVQQG\n' +
    'EwJBVDEPMA0GA1UECgwGQk1TR1BLMQwwCgYDVQQFEwMwMDIxFjAUBgNVBAMMDUFU\n' +
    'IERHQyBDU0NBIDIwHhcNMjIwNTE5MTIwOTQ5WhcNMjMwNjE5MTIwOTQ5WjBFMQsw\n' +
    'CQYDVQQGEwJBVDEPMA0GA1UECgwGQk1TR1BLMQ8wDQYDVQQFEwYwMDIwMDIxFDAS\n' +
    'BgNVBAMMC0FUIERHQyBUTCAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEl2tm\n' +
    'd16CBHXwcBN0r1Uy+CmNW/b2V0BNP85y5N3JZeo/8l9ey/jIe5mol9fFcGTk9bCk\n' +
    '8zphVo0SreHa5aWrQKNSMFAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBRTwp6d\n' +
    'cDGcPUB6IwdDja/a3ncM0TAfBgNVHSMEGDAWgBQvWRbxO3tS9HatiMTvp8sD9Rwy\n' +
    'wTAKBggqhkjOPQQDAgNJADBGAiEAleZ8CcLG4FK4kty+sN0APZmT6LfEE2kzznyV\n' +
    'yEepU0gCIQCGaqJpOwPXBmgoOsehnJkA0+TZX8V2p1Bg/nqnuYqXFg==\n' +
    '-----END CERTIFICATE-----';

// Verify directly against the given trust anchor(s).
const verifier = new hcert.VerifierDirect([pemCert]);

console.debug(verifier.verify(qr));
```

The cert is from https://github.com/Federal-Ministry-of-Health-AT/green-pass-overview#details-on-trust-listsbusiness-rulesvalue-sets

lazka commented 2 years ago

Here is a minimal version of the javascript code I'm using: https://gist.github.com/lazka/a73748f8a6bad49bcdee4b2dd149c192

lazka commented 2 years ago

Looks like the API now returns data signed with the right KID again, so this "fixed itself".

Not the smoothest transition, but at least it works again :)

Feel free to close this