Implement signature verification (not rule-based validity of codes yet) - Githubissues

stapelberg / coronaqr

Go decoder and verifier for EU Digital COVID Certificate (EUDCC) QR code data

Apache License 2.0

169 stars 15 forks source link

Implement signature verification (not rule-based validity of codes yet) #1

Closed stapelberg closed 3 years ago

stapelberg commented 3 years ago

https://www.cc-d.bit.admin.ch/trust/v1/keys/updates\?certFormat\=ANDROID seems to be the dev environment URL to obtain the keys.

The prod version gives a 403 Forbidden, not sure what sort of authentication is required.

https://github.com/admin-ch/CovidCertificate-SDK-Android/commit/414887526a78969d1860e6d863b221cd4cc94f06 might be a good pointer for how to do verification.

stapelberg commented 3 years ago

Status update: cryptographic verification is now implemented, but providing the keys is up to the user.

Maybe we can also provide a helper to use the common key sources, though it’s not quite clear yet to me what those sources are.

Edit: Looks like there are the following sources:

https://dgc.a-sit.at/ehn/cert/listv2 (AT, public, Trust List V2 CBOR format)
https://www.cc-d.bit.admin.ch/trust/v1/keys/updates (CH, public, JSON web key set format)
https://test-dgcg-ws.tech.ec.europa.eu/trustlist (EU, not meant to be accessed directly)
https://github.com/eu-digital-green-certificates/dgc-participating-countries/issues/10 has discussion and overview, and links to other trustlist sources

stapelberg commented 3 years ago

The coronadecode tool now displays details about the signature and they are available programmatically. Calling this done :)

We can always add more trustlist implementations later.