I have received multiple SHC QR codes from my users which were issued by CVS Health with "iss": "https://api.cvshealth.com/public" and "kid": "h0MD1WZcbX37spRMaNkLGt4uzyOqzgU8DtXVLw1YmpI". My app is failing to verify those SHCs because that key does not appear in vci_snapshot.json. It's worth noting that the official Commons Project Verifier app also rejects those SHCs, presumably for the same reason.
That key appears in https://api.cvshealth.com/public/jwks.json and in daily_log.json:
It's being excluded from vci_snapshot.json because it's missing the use and alg properties. That is clearly invalid according to the section of the SHC standard incorporated by reference into the policy in the README:
SHALL have "kty": "EC", "use": "sig", and "alg": "ES256"
Does VCI have contact information for CVS Health that can be used to get them to add the missing properties to that key?
If not, would it be possible to relax that validation in the audit script that generates the snapshot?
I've set up my app so that when signature verification fails with the JWKS from the snapshot it fetches the JWKS from the issuer itself and validates the keys with a slightly relaxed validation: it accepts keys where use and alg are correctly set or where they're missing, but not keys with incorrect values for those parameters.
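The strict-then-relaxed key check described in the post, as an added example; it is not the poster's app code or the VCI audit script. The function names, the sample kid values and the placeholder key material are assumptions constructed for illustration, and no network fetch is performed.

```python
# Added example: hypothetical names, constructed sample keys.
REQUIRED = {"kty": "EC", "use": "sig", "alg": "ES256"}
RELAXABLE = ("use", "alg")  # may be absent in relaxed mode, never wrong


def jwk_problems(jwk, relaxed=False):
    """Return the reasons a JWK is rejected (empty list means accepted)."""
    problems = []
    for name, expected in REQUIRED.items():
        if name not in jwk:
            if not (relaxed and name in RELAXABLE):
                problems.append(f"missing {name}")
        elif jwk[name] != expected:
            problems.append(f"{name}={jwk[name]!r}, expected {expected!r}")
    return problems


def find_key(kid, snapshot_keys, issuer_keys):
    """Strict lookup in the snapshot first, then relaxed lookup in the issuer's JWKS."""
    for source, keys, relaxed in (("snapshot", snapshot_keys, False),
                                  ("issuer", issuer_keys, True)):
        for jwk in keys:
            if jwk.get("kid") == kid and not jwk_problems(jwk, relaxed):
                return source, jwk
    return None, None


# Constructed sample keys; x and y are placeholders, not real key material.
NO_USE_ALG = {"kty": "EC", "kid": "kid-missing", "crv": "P-256",
              "x": "PLACEHOLDER", "y": "PLACEHOLDER"}
COMPLETE = dict(NO_USE_ALG, kid="kid-complete", use="sig", alg="ES256")
WRONG_USE = dict(NO_USE_ALG, kid="kid-wrong-use", use="enc", alg="ES256")
ISSUER_JWKS = [NO_USE_ALG, COMPLETE, WRONG_USE]
SNAPSHOT = [COMPLETE]  # the snapshot only carries keys that passed strict validation

if __name__ == "__main__":
    for kid in ("kid-complete", "kid-missing", "kid-wrong-use"):
        source, _ = find_key(kid, SNAPSHOT, ISSUER_JWKS)
        print(kid, "->", source or "rejected")
```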