yuvadm / greenpass

Signature verification for the Green Pass (התו הירוק)
GNU General Public License v3.0

Vaccination certificate JSON different than in verify.py #4

Closed salty-horse closed 3 years ago

salty-horse commented 3 years ago

The JSON in verify.py has this format:

{
  "id": "01/IL/ABCD1234ABCD1234ABCD1234ABCD1234#ABCD1234",
  "et": 1,
  "ct": 1,
  "c": "IL MOH",
  "cn": null,
  "fn": null,
  "g": null,
  "f": null,
  "gl": null,
  "fl": null,
  "idp": null,
  "idl": null,
  "b": "0001-01-01",
  "e": "0001-01-01",
  "a": "0001-01-01",
  "p": [
    {
      "idl": "0123456789",
      "e": "2021-01-01"
    }
  ]
}

The end of the script tries to print idl and p from inside a p list, which as of now is not in the Ramzor documentation.

My certificate has this format:

{
  "id": "01/IL/ABCD1234ABCD1234ABCD1234ABCD1234#ABCD1234",
  "et": 1,
  "ct": 1,
  "c": "IL MOH",
  "cn": null,
  "fn": null,
  "g": null,
  "f": null,
  "gl": null,
  "fl": null,
  "idp": null,
  "idl": "0123456789",
  "b": "0001-01-01",
  "e": "0001-01-01",
  "a": "0001-01-01",
  "d1": {
    ...
  },
  "d2": {
    ...
  }
}

yuvadm commented 3 years ago

@salty-horse Interesting! Can you describe the process of how you created your certificate so we can attempt to reproduce it successfully?

salty-horse commented 3 years ago

I didn't "create" anything. This JSON (before I removed personal info from it) was in the QR code that I got from Clalit.

yuvadm commented 3 years ago

Right :) how did you get it?

salty-horse commented 3 years ago

I logged on to Clalit's website and downloaded the PDF with my vaccination certificate. Note that this isn't the "green passport" (I understand people are having trouble accessing that website...?) but it includes a QR code with the same signed message.

DM me on Twitter if you want the full signed certificate.

yuvadm commented 3 years ago

No need for the full cert with your PII, it seems MOH (Ramzor) and Clalit have two separate and possibly incompatible implementations. We'll fix the script accordingly to support both, regardless.

salty-horse commented 3 years ago

Sorry, I seem to have scrubbed out an important detail. As I said, this was based on the vaccination certificate, and not the green pass. The real value of ct in my certificate is 2 (Vaccination), not 1 (GreenPass).

yuvadm commented 3 years ago

@salty-horse Can you confirm the rest of the payload is the same?

salty-horse commented 3 years ago

Looks like it. Here's the data again, with less redacted fields. It matches the Ramzor documentation.

{
  "id": "...",
  "et": 1,
  "c": "IL MOH",
  "ct": 2,
  "cn": null,
  "fn": null,
  "g": "..",
  "f": "..",
  "gl": "..",
  "fl": "..",
  "idl": "..",
  "idp": "..",
  "b": "YYYY-MM-DD",
  "e": "YYYY-MM-DD",
  "a": "YYYY-MM-DD",
  "d1": {
    "d": "YYYY-MM-DD",
    "vv": "Pfizer",
    "vt": "BNT162b2",
    "vb": "..",
    "vc": null,
    "o": "Clalit",
    "ol": "כללית",
    "oc": null,
    "c": null
  },
  "d2": {
    "d": "YYYY-MM-DD",
    "vv": "Pfizer",
    "vt": "BNT162b2",
    "vb": "..",
    "vc": null,
    "o": "Clalit",
    "ol": "כללית",
    "oc": null,
    "c": null
  }
}

salty-horse commented 3 years ago

Now I downloaded a real "green pass" and can confirm the p exists.

elisherer commented 3 years ago

Green pass has an array of passes "p", while a vaccination certificate (which is for 1 person only) contains the 2 doses given "d1" and "d2".

yuvadm commented 3 years ago

Updated version should now support both implementations.
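
An added example, not the project's verify.py or its actual fix: one way to handle the two payload shapes from this thread by dispatching on ct and failing closed when ct and the fields present disagree. The function name `summarize_payload`, the output keys and the sample values are hypothetical and constructed, and the payload is assumed to have passed signature verification already.

```python
import json

# Certificate types as named in the thread: ct 1 = GreenPass, ct 2 = Vaccination.
CT_GREEN_PASS = 1
CT_VACCINATION = 2


def summarize_payload(payload: dict) -> dict:
    """Normalize an already signature-verified payload of either shape.

    Raises ValueError when "ct" and the fields present disagree, so the
    caller fails closed instead of hitting a KeyError or guessing.
    """
    ct = payload.get("ct")
    if ct == CT_GREEN_PASS:
        passes = payload.get("p")
        if not isinstance(passes, list) or not passes:
            raise ValueError('ct=1 (GreenPass) but no "p" list')
        holders = []
        for entry in passes:
            if not isinstance(entry, dict) or "idl" not in entry or "e" not in entry:
                raise ValueError('malformed entry in "p"')
            holders.append({"idl": entry["idl"], "expires": entry["e"]})
        return {"type": "GreenPass", "holders": holders}
    if ct == CT_VACCINATION:
        doses = []
        for key in ("d1", "d2"):
            dose = payload.get(key)
            if dose is None:
                continue  # assumption: a dose slot may be absent or null
            if not isinstance(dose, dict) or "d" not in dose:
                raise ValueError(f'malformed dose "{key}"')
            doses.append({"date": dose["d"], "vaccine": dose.get("vt")})
        if not doses:
            raise ValueError('ct=2 (Vaccination) but no "d1"/"d2" doses')
        return {"type": "Vaccination", "idl": payload.get("idl"), "doses": doses}
    raise ValueError(f"unsupported ct: {ct!r}")


# Constructed samples mirroring the two shapes posted in the thread.
GREEN_PASS = json.loads('{"ct": 1, "idl": null, "p": [{"idl": "0123456789", "e": "2021-01-01"}]}')
VACCINATION = json.loads(
    '{"ct": 2, "idl": "0123456789",'
    ' "d1": {"d": "2021-01-01", "vt": "BNT162b2"},'
    ' "d2": {"d": "2021-01-22", "vt": "BNT162b2"}}'
)
```

A payload labelled ct 1 that carries d1/d2 and no p list, like the first scrubbed sample in this thread, is rejected with a ValueError rather than parsed as either type.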