the-commons-project / vci-directory

Holds membership information for SHC issuers that are part of the VCI (https://vci.org/) Directory.

CVS Health key used to issue SHCs is not included in snapshot #929

Closed Elemecca closed 11 months ago

Elemecca commented 1 year ago

I have received multiple SHC QR codes from my users which were issued by CVS Health with "iss": "https://api.cvshealth.com/public" and "kid": "h0MD1WZcbX37spRMaNkLGt4uzyOqzgU8DtXVLw1YmpI". My app is failing to verify those SHCs because that key does not appear in vci_snapshot.json. It's worth noting that the official Commons Project Verifier app also rejects those SHCs, presumably for the same reason.

That key appears in https://api.cvshealth.com/public/jwks.json and in daily_log.json:

{
    "crv": "P-256",
    "x": "TXWmbGcaaK-VCByK8_ziepSXGcwjjRWOZx0vAPUcErQ",
    "y": "ID8SUpjFnwOV-H-eGLIv4xCZzw72nCGeXzLbSUXKDQg",
    "kty": "EC",
    "kid": "h0MD1WZcbX37spRMaNkLGt4uzyOqzgU8DtXVLw1YmpI"
}

It's being excluded from vci_snapshot.json because it's missing the use and alg properties.

That is clearly invalid according to the section of the SHC standard incorporated by reference into the policy in the README:

SHALL have "kty": "EC", "use": "sig", and "alg": "ES256"

Does VCI have contact information for CVS Health that can be used to get them to add the missing properties to that key?

If not, would it be possible to relax that validation in the audit script that generates the snapshot?

I've set up my app so that when signature verification fails with the JWKS from the snapshot it fetches the JWKS from the issuer itself and validates the keys with a slightly relaxed validation: it accepts keys where use and alg are correctly set or where they're missing, but not keys with incorrect values for those parameters.
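The two-tier check described in this report, written out as an added Python example (not code from vci-directory, its audit script, or the reporter's app): a strict filter that mirrors the quoted SHC rule ("kty": "EC", "use": "sig", "alg": "ES256") and is what a snapshot would apply, a relaxed filter that tolerates a missing "use"/"alg" but still rejects wrong values, and a lookup that tries the snapshot first and falls back to the issuer's own JWKS. The CVS key is the one quoted above; the other keys and the JWKS documents are constructed, with placeholder "x"/"y" values that are not real curve points. The RFC 7638 thumbprint check goes beyond this issue: the SHC spec requires "kid" to equal the key's thumbprint, which is worth checking on any key pulled from an issuer's JWKS rather than the audited snapshot.

```python
import base64
import hashlib
import json

# Properties the quoted SHC rule fixes outright (P-256 is the curve ES256 implies).
REQUIRED = {"kty": "EC", "crv": "P-256"}
# Properties the relaxed check tolerates when absent, but never when wrong.
EXPECTED_IF_PRESENT = {"use": "sig", "alg": "ES256"}


def key_problems(jwk: dict, relaxed: bool = False) -> list:
    """Return the reasons a JWK is not an acceptable SHC signing key.

    Strict mode (snapshot rule): every property must be present and correct.
    Relaxed mode (issuer-fallback rule from the report): "use" and "alg" may be
    missing, but if present they must carry the mandated values.
    """
    problems = []
    for name, expected in REQUIRED.items():
        if jwk.get(name) != expected:
            problems.append(f"{name}={jwk.get(name)!r}, expected {expected!r}")
    for name, expected in EXPECTED_IF_PRESENT.items():
        if name not in jwk:
            if not relaxed:
                problems.append(f"missing {name}")
        elif jwk[name] != expected:
            problems.append(f"{name}={jwk[name]!r}, expected {expected!r}")
    if "kid" not in jwk:
        problems.append("missing kid")
    return problems


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an EC JWK: SHA-256 over the canonical JSON of the
    required members (crv, kty, x, y) in lexicographic order, base64url, no pad."""
    members = {name: jwk[name] for name in ("crv", "kty", "x", "y")}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def kid_matches_thumbprint(jwk: dict) -> bool:
    """SHC requires "kid" to be the RFC 7638 thumbprint of the key itself."""
    return jwk.get("kid") == jwk_thumbprint(jwk)


def usable_keys(jwks: dict, relaxed: bool = False) -> dict:
    """Reduce a JWKS document to {kid: jwk} for keys that pass the check."""
    return {k["kid"]: k for k in jwks.get("keys", []) if not key_problems(k, relaxed)}


def find_signing_key(kid: str, snapshot_jwks: dict, issuer_jwks: dict):
    """Resolve a kid as the report describes: strict snapshot first, then the
    issuer's own JWKS under the relaxed rule. Returns (source, jwk) or None."""
    key = usable_keys(snapshot_jwks).get(kid)
    if key is not None:
        return ("snapshot", key)
    key = usable_keys(issuer_jwks, relaxed=True).get(kid)
    if key is not None:
        return ("issuer", key)
    return None


# The CVS Health key exactly as quoted in the report (no "use" and no "alg").
CVS_KEY = {
    "crv": "P-256",
    "x": "TXWmbGcaaK-VCByK8_ziepSXGcwjjRWOZx0vAPUcErQ",
    "y": "ID8SUpjFnwOV-H-eGLIv4xCZzw72nCGeXzLbSUXKDQg",
    "kty": "EC",
    "kid": "h0MD1WZcbX37spRMaNkLGt4uzyOqzgU8DtXVLw1YmpI",
}

# Constructed sample keys; "x"/"y"/"n" are placeholders, not real key material.
GOOD_KEY = {"kty": "EC", "crv": "P-256", "use": "sig", "alg": "ES256",
            "x": "placeholder-x-good", "y": "placeholder-y-good", "kid": "good-kid"}
WRONG_ALG_KEY = {**GOOD_KEY, "alg": "ES384", "kid": "wrong-alg-kid"}
RSA_KEY = {"kty": "RSA", "use": "sig", "alg": "RS256",
           "n": "placeholder-n", "e": "AQAB", "kid": "rsa-kid"}

# Constructed issuer JWKS; the snapshot carries only what the strict check admits.
ISSUER_JWKS = {"keys": [CVS_KEY, GOOD_KEY, WRONG_ALG_KEY, RSA_KEY]}
SNAPSHOT_JWKS = {"keys": list(usable_keys(ISSUER_JWKS).values())}


if __name__ == "__main__":
    for kid in (CVS_KEY["kid"], "good-kid", "wrong-alg-kid", "rsa-kid"):
        print(kid, "->", find_signing_key(kid, SNAPSHOT_JWKS, ISSUER_JWKS))
    print("CVS key strict problems:", key_problems(CVS_KEY))
```

The relaxed path deliberately keeps rejecting a key whose "alg" or "use" is present but wrong, so the fallback only widens acceptance for the omission this issue is about; keys fetched live from an issuer should additionally pass `kid_matches_thumbprint`, since the snapshot's audit is no longer standing between the issuer and the verifier.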

jpp9 commented 1 year ago

Thanks for flagging this, and for the analysis! Just wanted to note that we're working to get it resolved.

edwardjcruz commented 11 months ago

CVS has resolved this issue with their keyset. Thanks again for flagging, @Elemecca