search

tibordp / eudcc-validator

Validator app for EU Digital Covid Certificates
https://eudcc.ojdip.net
MIT License
4 stars 1 forks source link

Key identifier not read correctly #1

Closed Henje closed 3 years ago

Henje commented 3 years ago

I tested your validator with my personal certificate and got the error that "The DCC is not in a supported format, so the validity cannot be verified." This issue comes from the fact that your code assumes the kid is located in the protected part of the WebToken. In my case the kid is located in the unprotected part.

The spec says: "The Key Identifier is not a security-critical field. For this reason, it MAY also be placed in an unprotected header if required. Verifiers MUST accept both options. If both options are present, the Key Identifier in the protected header MUST be used."

A simple change to make it work would be:

diff --git a/src/decode.js b/src/decode.js
index 534ce57..512fdc8 100644
--- a/src/decode.js
+++ b/src/decode.js
@@ -59,9 +59,11 @@ export const decodeEudcc = async (data, trustList) => {
       // Try to extract KID from the certificate, if it is not present,
       // we will not be able to validate the signature, but we can still
       // display the data. We only target version 1.3.0+ of the spec.
-      const signatureInfo = cbor.decodeFirstSync(decoded.value[0]);
+      const signatureInfo_protected = cbor.decodeFirstSync(decoded.value[0]);
+      const signatureInfo_unprotected = decoded.value[1];
       kid = Buffer.from(
-        signatureInfo.get(cose.common.HeaderParameters.kid)
+        signatureInfo_protected.get(cose.common.HeaderParameters.kid) ||
+        signatureInfo_unprotected.get(cose.common.HeaderParameters.kid)
       ).toString("base64");
     } catch (e) {
       return { data: hcert, error: "UNSUPPORTED_FORMAT" };
tibordp commented 3 years ago

Hey @Henje, thank you for the bug report. Would you mind sharing which country issued your DCC? I'll try to reproduce this issue with test certs for me to understand it a bit better.

Henje commented 3 years ago

My personal certificate is from Germany. An example which uses the same encoding can be found in https://github.com/Digitaler-Impfnachweis/covpass-ios/blob/ede7190605ec0b2209336d8d5a0624e7ac1547ff/Source/CovPassCommon/Tests/CovPassCommonTests/Helpers/CertificateMock.swift#L12. If need by, I could also send you my personal certificate, but the linked one shows the same behaviour.