ministero-salute / it-dgc-verificaC19-android

VerificaC19 is the official Italian customization of the EU Digital COVID Certificate Verifier App for the Android Operating System
https://www.dgc.gov.it
Apache License 2.0

Invalid QR code gets validated #185

Closed denysvitali closed 3 years ago

denysvitali commented 3 years ago

Describe the bug

Scanning the following QR code (sorry for the profanity included, it's how I found it from here) results in a positive result.


Expected behaviour

QR Code isn't validated

Steps to reproduce the issue

  1. Scan QR code from above
  2. Pass is validated, even though the QR Code doesn't represent a valid certificate (not even a valid base45 message, AFAIK)

Technical details

Probably a parsing issue. It only happens with VerificaC19; the Swiss Covid App and corona-decoder are fine with this specific QR.

One user reports that with a slightly modified QR the Swiss Covid app is affected too.

Possible Fix

Validation must be checked + tested

Additional context

Found on https://github.com/ehn-dcc-development/hcert-spec/discussions/105#discussioncomment-1573490.

MollerAndre commented 3 years ago

I don't have the Covid19 app installed, but if it recognizes such a certificate as valid it really has a serious security vulnerability!

TheNewHEROBRINEX commented 3 years ago

I think the problem is that the app doesn't do any schema validation before trying to access the fields in the json

Jakub-KK commented 3 years ago

The certificate given in the bug report contains a valid (as in, the signature is ok) base45 certificate at the beginning, then some gibberish spiked with profanities appended. The app is right in showing a positive result for this certificate.

The complete certificate text in base45 is in first 478 characters HC1:NCFOXN%TSMAHN-H/RCMPQ5GE5I00H9GBH3QNAD6.LQLX85ZS GJTSJ4NKP1HCV4*XUA2PSGH.+H$NI4L6F$S-N1FYBRR1$Q1+GOF+P$HQPHQHTQ.SQ6$PUKRN95404.W7UX4795L*KDYPWGO+9AZDOHCRL35IWMSDOP7OQ+M70AK$8 96XY4SBLU96:/6N9R%EPL8RY9DOA60-K.IA.C8KRDL4O54O4IGUJKJGI0JAXD15IAXMFU*GSHGRKMXGG6DBYCBMQN:HG5PAHGG8KES/F-1JW-K%B3A9ENO4B-S-*O4-G1FD/U47HAE1MI4OE0G1:HHD4AB874MM-6B:HKJSQ.TAG3CR1638W9AV88G64PB4VHRY2EK03NFJL4M10KP3AT2VK LT5GGFV85I0*10W2ZXJSBTMFW*+KM2T8-CXR32BMF7RAEAYKMWHE/NH UP4SNGENEWUY97 -3YM0.HAM:D

The problem with the app's behavior on this certificate is that it displays "NULL NULL" instead of the value from the "fnt" field, caused by the lack of full person info in the "nam" section, which is not required by the schema. There is also a suspicion that the certificate itself was issued fraudulently.

denysvitali commented 3 years ago

Can you please also check this one? https://github.com/denysvitali/covid-cert-analysis/issues/8#issue-1042474710

I'm not in front of my PC now and I don't have enough time to do a comprehensive analysis

rawmain commented 3 years ago

Hello @denysvitali

Scanning the following QR code (sorry for the profanity included, it's how I found it from here) results in a positive result.

VerificaC19 uses the default implementation of EU DGC core decoder for such operations.

The latest EU DGC core decoder updates fix some base45decoder issues (bugfix commit).

By using the updated core decoder, the first QR code - based on AD 1.0.0 Full Vaccination testdata signed with keys from the DCC ACC environment (check here) - gets detected as NOT VALID.


I've built a test-release 1.1.6 of VerificaC19 with the current updates (available here) if you want to use it for your checks.


The second QR code (BRANDENBURGTEST BERND 01/01/1950) gets detected instead as valid using the current code for verifier-app + DGC-SDK (develop branches) & EU DGC core + certlogic.

popolla commented 3 years ago

@Jakub-KK hello, could you please explain how the extra gibberish gets ignored? Personally, I'd rather reject any QR that contains extra characters, if possible... though not a security issue and also fun to be able to personalize the GC QR :)

Jakub-KK commented 3 years ago

Hi @popolla, this is possible if the base45 decoder allows it: basically the decoder stops ingesting new data on the first error and returns the data already decoded. If this data contains a valid compressed stream of a COSE message (or just the message without compression) then it will be further processed and result in the verifier working correctly. As @rawmain said, the base45 decoder is stricter in the latest EU DGC core code, which causes it to no longer accept such malformed texts as input. All in all this behavior doesn't allow for any visible personalization of QR codes, as the decoded base45 text is not displayed anywhere by the usual verifier apps. For visible personalization one could put a small custom image/icon over part of the QR code, provided that the QR code has a sufficient amount of error correction; there are multiple examples of such QRs on the web.

denysvitali commented 3 years ago

Hey @rawmain !

I'm sorry, but the issue is not solved yet. Whilst the app you published might have fixed the issue with the QR data I published, it doesn't solve another issue which I didn't notice at the beginning because I re-generated the QR code.

So basically the issue is that this QR code still passes the verification on the app you posted above: QR Valid

IMG_20211104_200715_001.jpg

But this does not: QR Invalid

IMG_20211104_200906_081.jpg

Despite they both contain the same data.

rawmain commented 3 years ago

Hello @denysvitali

I'm sorry, but the issue is not solved yet. Whilst the app you published might have fixed the issue with the QR data I published, it doesn't solve another issue which I didn't notice at the beginning because I re-generated the QR code.

So basically the issue is that this QR code still passes the verification on the app you posted above: QR Valid [...] But this does not: QR Invalid

Thanks for the feedback.

The second QR code gets already rejected even with former EU DGC decoder code arrangement - before latest B45 bugfix commit of 3 days ago.

As you can check with the official 1.1.6 Android release from Google Play Store / AppGallery, it indeed triggers a decoding error with an explicit entry in logcat.

D DecoderThread: Found barcode in 528 ms
[...]
D VerificationViewModel: Verification failed: COSE not decoded

The first one instead isn't triggering any explicit notice/entry during the decoding stages.

Neither by those verifier-apps, which rely on the default EU DGC decoder-module (such as IT VerificaC19 and FR TAC Verif), nor by other apps with a slightly different implementation for the decoder (such as CH CovidCertificate Check).

I'll perform some debug-checks - by also re-arranging some settings for the decoder Zxing dependencies (now using ZXing Android Embedded 4.2.0) - in order to see which commits may be eventually suggested through a related PR on EU DGC Core Decoder repo.

denysvitali commented 3 years ago

Sorry, ignore my last message. That QR code is supposed to be valid and it's used as part of EU quality assurance tests:

https://github.com/eu-digital-green-certificates/dcc-quality-assurance/blob/main/AD/1.0.0/VAC-1-Pauta_Completa.png

Sorry :(

rawmain commented 3 years ago

Hello @denysvitali

Sorry, ignore my last message. That QR code is supposed to be valid and it's used as part of EU quality assurance tests

No problem, don't worry ;) .

I was just performing further checks since alterations of the original AD full VAC QR test-code have been used anyway to test B45->CBOR triggers.

As for the rest, the AD/1.0.0 directory's deletion+revocation have already been requested (as you can check from the closed/open PRs in the quality-assurance repo). Therefore - once approved - the related UVCIs of such AD case-samples will be added to the production blacklist/revoke lists.

lcimaglia commented 3 years ago

Hi, we have already released VerificaC19 1.1.7 which integrates an EU core lib fix: https://github.com/eu-digital-green-certificates/dgca-app-core-android/commit/8c2872b77efb98c61c4f13fb5bdc6a1edff99716

thank you for your support