panzi / verify-ehc

Simple Python script to decode and verify a European Health Certificate QR-code

Key ID not found in trust list? #19

Closed josephthlee closed 3 years ago

josephthlee commented 3 years ago

The at_vaccine.jpg sample is from https://github.com/eu-digital-green-certificates/dgc-testdata/blob/main/AT/png/1.png and its iOS app can scan and verify the picture as a valid one (see the picture at the bottom of this message).

However...

./verify_ehc.py --image ./sample/at_vaccine.png
Expires At     : 2021-11-02T18:00:00
Issued At      : 2021-05-06T18:00:00
Issuer         : AT
Is Expired     : False
COSE Sig. Algo.: ES256
Signature      : WBL85ny4TDkR144/YfiQ0MgOuWdYBq6+1mqi0NDJHR/JjXvLgL8A4YGAapUC4RsHEyWQG9DSwbZDh0e4zFD1IQ==
Traceback (most recent call last):
  File "./verify_ehc.py", line 2379, in <module>
    main()
  File "./verify_ehc.py", line 2370, in main
    verify_ehc(ehc_msg, issued_at, certs, args.print_exts)
  File "./verify_ehc.py", line 1639, in verify_ehc
    raise KeyError(f'Key ID not found in trust list: {key_id.hex()}')
KeyError: 'Key ID not found in trust list: d919375fc1e7b6b2'

Why is the Key ID not found and how can I solve it? Thank you!

[image: 12731631791170_ pic]

panzi commented 3 years ago

This is test data and doesn't use a production certificate. The certificate that that test data uses can be found in this JSON file: https://github.com/eu-digital-green-certificates/dgc-testdata/blob/main/AT/2DCode/raw/1.json

It also happens to be that that testing certificate is included in the Austrian test trust list:

$ ./verify_ehc.py --certs-from AT-TEST --image ./sample/at_vaccine.png
Expires At     : 2021-11-02T18:00:00
Issued At      : 2021-05-06T18:00:00
Issuer         : AT
Is Expired     : False
COSE Sig. Algo.: ES256
Signature      : WBL85ny4TDkR144/YfiQ0MgOuWdYBq6+1mqi0NDJHR/JjXvLgL8A4YGAapUC4RsHEyWQG9DSwbZDh0e4zFD1IQ==
X.509 Certificate:
  Key ID          : d919375fc1e7b6b2 / 2Rk3X8HntrI=
  Serial Nr.      : 00:00:00:00:00:00:00:00:00:00:01:79:3c:8b:cf:0e:95:e2:ec:b9
  Issuer          : O=BMSGPK,C=AT,CN=AT DGC CSCA 1
  Subject         : 2.5.4.5=1,O=BMSGPK,C=AT,CN=AT DSC 1
  Valid Date Range: 2021-05-05T12:41:06 - 2023-05-05T12:41:06
  Version         : v3
  Ext. Key Usage  : recovery, test, vaccination
  Key Type        : EllipticCurvePublicKey
  Curve           : secp256r1
  Signature Algo. : oid=1.2.840.10045.4.3.2, name=ecdsa-with-SHA256
  Signature       : MEUCIQDG2opotWG8tJXN84ZZqT6wUBz9KF8D+z9NukYvnUEQ3QIgdBLFSTSiDt0UJaDF6St2bkUQuVHW6fQbONd731/M4nc=
  Cert Expired    : False
Valid Key Usage: True
Signature Valid: True
Payload        :
{
    "dob": "1998-02-26",
    "nam": {
        "fn": "Musterfrau-G\u00f6\u00dfinger",
        "fnt": "MUSTERFRAU<GOESSINGER",
        "gn": "Gabriele",
        "gnt": "GABRIELE"
    },
    "v": [
        {
            "ci": "URN:UVCI:01:AT:10807843F94AEE0EE5093FBC254BD813#B",
            "co": "AT",
            "dn": 1,
            "dt": "2021-02-18",
            "is": "Ministry of Health, Austria",
            "ma": "ORG-100030215",
            "mp": "EU/1/20/1528",
            "sd": 2,
            "tg": "840539006",
            "vp": "1119349007"
        }
    ],
    "ver": "1.0.0"
}
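
The lookup behind the `KeyError` in this thread, as an added example that is not verify_ehc's own code: it indexes trust lists by key ID and reports which list, if any, holds a given key ID instead of failing outright. It assumes the key ID derivation from the EU DCC specification (first 8 bytes of the SHA-256 of the DER certificate); all function names, the list names `PROD-EXAMPLE` and `TEST-EXAMPLE`, and the certificate bytes are constructed for illustration.

```python
import base64
import hashlib

def kid_from_der(cert_der: bytes) -> bytes:
    """Assumed EU DCC rule: key ID = first 8 bytes of SHA-256 over the DER cert."""
    return hashlib.sha256(cert_der).digest()[:8]

def parse_kid(text: str) -> bytes:
    """Accept either form printed as 'Key ID : <hex> / <base64>'."""
    text = text.strip()
    if len(text) == 16:                      # 8 bytes as hex
        kid = bytes.fromhex(text)
    else:                                    # 8 bytes as base64, padding optional
        kid = base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
    if len(kid) != 8:
        raise ValueError(f"key ID must be 8 bytes, got {len(kid)}")
    return kid

def index_trust_list(certs_der):
    """Map key ID -> DER certificate for one trust list."""
    return {kid_from_der(der): der for der in certs_der}

def lists_containing(kid: bytes, trust_lists) -> list:
    return sorted(name for name, certs in trust_lists.items() if kid in certs)

def explain_lookup(kid_text: str, selected: str, trust_lists) -> str:
    """Say whether the key ID is in the selected list, another list, or none."""
    kid = parse_kid(kid_text)
    if kid in trust_lists[selected]:
        return f"{kid.hex()}: found in {selected}"
    others = lists_containing(kid, trust_lists)
    if others:
        return f"{kid.hex()}: not in {selected}, but present in {', '.join(others)}"
    return f"{kid.hex()}: not in any loaded trust list"

# Constructed placeholder bytes standing in for DER-encoded signer certificates.
PROD_DSC = b"constructed-production-dsc"
TEST_DSC = b"constructed-test-dsc"
TRUST_LISTS = {
    "PROD-EXAMPLE": index_trust_list([PROD_DSC]),
    "TEST-EXAMPLE": index_trust_list([TEST_DSC]),
}

if __name__ == "__main__":
    test_kid = kid_from_der(TEST_DSC).hex()
    print(explain_lookup(test_kid, "PROD-EXAMPLE", TRUST_LISTS))
    print(explain_lookup(test_kid, "TEST-EXAMPLE", TRUST_LISTS))
```

Keeping the test list separate from the production list is what makes a certificate signed with a test key fail production verification, which is the behaviour seen in this issue.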