ps1dr3x / greenpass-generator


Program information #15

Open THEMONSTERNICK opened 2 years ago

THEMONSTERNICK commented 2 years ago

Hi, I saw your program on the generation of the green pass and I was very interested in cryptography and how they are encrypted and encoded. I would like to ask you for more information on how it works: if a person has a private key, is it possible to generate a valid green pass with this script? And how and in what form should the private key be inserted into the code? Thanks in advance for the reply.

royarisse commented 2 years ago

To generate a Greenpass, the raw data (JSON) is sent to a trusted signing server. This server returns a signature to be added. The result — a CBOR Web Token: CBOR with COSE signature — is returned back to the generating app, Zlib-compressed, Base45 encoded and stored into the QR. The signing process uses asymmetric encryption: the private key can both encrypt and decrypt, but the public key can only decrypt. Therefore, the QR scanner app can only verify if the signature was valid.

So, to answer your question: Yes, if you have a valid private key, you can generate valid Greenpasses. If a private key gets leaked however, they'll get blacklisted. The scanner apps update valid public keys periodically to ensure they don't accept passes generated with blacklisted keys.

Check these pages if you'd like to learn more:

To be honest, I'm currently still researching, since I don't know the exact encryption algorithm used, nor do I know how the signing server knows it can trust the request from the generating app(s).

Hope this helps :)
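
The scanner-side reverse of the outer layers described above (Base45, then Zlib), written for untrusted QR text. This is an added example, not code from this repository or from anyone in the thread. The function names and the 64 KiB output limit are assumptions, any scheme prefix on the QR text is assumed to be stripped already, and the CBOR/COSE parsing and signature check that decide validity are not covered.

```python
import zlib

B45_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"  # RFC 9285
_B45_INDEX = {c: i for i, c in enumerate(B45_ALPHABET)}

def b45decode(text: str) -> bytes:
    """Strict Base45 decoder: rejects bad lengths, characters and overflows."""
    if len(text) % 3 == 1:
        raise ValueError("invalid Base45 length")
    try:
        vals = [_B45_INDEX[c] for c in text]
    except KeyError:
        raise ValueError("character outside the Base45 alphabet") from None
    out = bytearray()
    for i in range(0, len(vals), 3):
        chunk = vals[i:i + 3]
        n = sum(v * 45 ** k for k, v in enumerate(chunk))  # little-endian base 45
        if len(chunk) == 3:
            if n > 0xFFFF:
                raise ValueError("Base45 triplet overflows 16 bits")
            out += n.to_bytes(2, "big")
        else:
            if n > 0xFF:
                raise ValueError("Base45 pair overflows 8 bits")
            out.append(n)
    return bytes(out)

def bounded_inflate(data: bytes, max_out: int = 64 * 1024) -> bytes:
    """Zlib-decompress with an output cap so a hostile QR cannot exhaust memory."""
    d = zlib.decompressobj()
    try:
        out = d.decompress(data, max_out + 1)
    except zlib.error as exc:
        raise ValueError(f"malformed zlib stream: {exc}") from None
    if len(out) > max_out:
        raise ValueError("decompressed payload exceeds limit")
    if not d.eof:
        raise ValueError("truncated zlib stream")
    return out

def decode_outer_layers(qr_text: str) -> bytes:
    """Return the still-unverified signed token bytes carried by the QR text."""
    return bounded_inflate(b45decode(qr_text))

if __name__ == "__main__":
    print(b45decode("QED8WEX0"))  # RFC 9285 test vector
    sample = zlib.compress(b'{"constructed": "sample"}')  # constructed input
    print(bounded_inflate(sample))
```

Neither layer is keyed, so anyone can reverse them; the bytes returned here must not be trusted until the signature has been checked against the scanner's current list of trusted public keys.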