Add support for CA/NY/LA/VA/HI/UT/NJ/MN/DE/CT/NV/NM/OK/KY/GU/MP/YT/BC/SK/AB/NT/NS/MB/ON/NL/PE/Cayman Islands vaccine records, other changes #6
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is in preparation for the ability to handle multiple issuers.
… record We'll need this to detect the issuer.
This will allow us to verify SHCs from multiple issuers. Note that this requires decoding the data before verifying it; this is probably a bad idea (similar to violating Moxie Marlinspike's rule of thumb that MAC verification should come before any other receive-side operations in a protocol [1]), but well, we're stuck with this format ... [1] https://moxie.org/2011/12/13/the-cryptographic-doom-principle.html
Key from https://myvaccinerecord.cdph.ca.gov/creds/.well-known/jwks.json: $ sha256sum jwks.json eb5d4bbea0734c205daf49c03e3013071c9edfd6232d24451fdfc27c6637df5f jwks.json
In particular, try to handle cases where corrupt/invalid SMART health cards, or things that aren't SHCs at all, are scanned.
thardie
reviewed
Jun 21, 2021
| ] | ||
| }, | ||
| { | ||
| id: "us.ca", |
There was a problem hiding this comment.
Can you instead use the iss in the provided QR code and download from there? This will make it work for more than just these 2 states then.
There was a problem hiding this comment.
I thought about this -- it'd certainly be more convenient for debugging and curiosity-driven inspection. But anyone can generate codes according to the spec, so you'd end up accepting things generated by, say, fakes.antivaxxers.dumb ... For actual verification purposes, you need a list of trusted issuers even if you fetch the keys on the fly from the spec-mandated location.
There was a problem hiding this comment.
Yeah, that totally makes sense. Is there anywhere else collecting a list of trusted issuers? This seems like the start of the common root CAs problem with SSL first came along...
There was a problem hiding this comment.
There's something calling itself the Common Trust Network, which unfortunately seems extremely light on details and doesn't seem to have a documented way of fetching the issuers list. (If you pull apart their verifier app, you can find an undocumented API endpoint to get the list, but (1) I don't know if they actually want other people using it and (2) it appears to cover US issuers only.)
There was a problem hiding this comment.
There was a problem hiding this comment.
Oh, that's neat, thanks. (Still seems to cover US issuers only, though.)
steven676
changed the title
|
A number of changes to my pull request:
|
|
Thanks for this. I suppose we should know better than to assume everyone has implemented all of the spec correctly ... Are your current QR codes signed by the same key as we have in the codebase now, or do the different kid values correspond to different signing keys? |
steven676
changed the title
|
I added two more signing keys, for the LA Wallet system used by the state of Louisiana and the Excelsior Pass Plus (NOT the Excelsior Pass!) used by the state of New York. @superay123 can you confirm that it's only the kid that's been changing for the Quebec signing key, not the actual key parameters x/y? If x/y are stable, I'll pick 4d47866 from your branch into my branch. |
|
x/y did not change.
I used the same key (ignoring the changing kid) to verify all our QR
codes that I downloaded.
I downloaded my QR code again today from the gov site and I verified it
successfully with the signing key. The kid and x/y values did not change.
The URL https://covid19.quebec.ca/PreuveVaccinaleApi/issuer/.well-known/jwks.json
still returns a 404.
If they change the kid or x/y values, i.e. change the signing key, they
will have to ask everybody to download their QR code again.
I was a bit worried earlier today when @remi and @babelouest said that their kids
kept changing.
When they downloaded their QR code again, the kid was the one that I
checked in 4d47866
|
|
I cherry-picked the kid and iss URL change from @superay123 (with a whitespace adjustment). Given the instability in Quebec's kid, though, I wonder whether we should go back to my original approach of using the iss URL to identify the signing key (I kept that code around in my verify-by-issuer branch). @superay123 Thanks for the reminder -- I also updated the build at https://steven676.github.io/shc-covid19-decoder/ if anyone wants to test it out. |
|
I scanned our QR codes that were downloaded today with https://steven676.github.io/shc-covid19-decoder/. |
dlh3
reviewed
Sep 8, 2021
Node.js "helpfully" tries to reduce the amount of output when we pass the decoded object to console.log(), so we need to pretty-print it ourselves before displaying. Fixes #2. (Thanks to Dave Hughes for the suggstion to use console.dir() to preserve the color-coding.)
Key from https://ekeys.ny.gov/epass/doh/dvc/2021/.well-known/jwks.json: $ sha256sum jwks.json b1e12070123acae094fd0047ae4d6b2d8aabe2f1c592932a224e83b83c9d6e2e jwks.json
Key from https://healthcardcert.lawallet.com/.well-known/jwks.json: $ sha256sum jwks.json fede561fb56d82e82df8a6e5f5f2679460b7a4051a927ec318decf686199b633 jwks.json
Thanks to Raymond Ménard for these values.
Key from https://pvc.service.yukon.ca/issuer/.well-known/jwks.json: $ sha256sum jwks.json 22e4ad57812178ed419aab7fcbd2c39d083f043b8e9f109e0654436584647ce8 jwks.json (Found through the-commons-project/vci-directory#60.)
Key from https://smarthealthcard.phsa.ca/v1/issuer/.well-known/jwks.json: $ sha256sum jwks.json dc6c1e25fecbaa4362cd17ede14e862071bc5a0bd74085b7f37a2d369c61e810 jwks.json With thanks to Mitch Brown and Dave Hughes; closes fproulx#14.
steven676
changed the title
[steven@steven676.net: key from https://www.hss.gov.nt.ca/covax/.well-known/jwks.json: $ sha256sum jwks.json cf70c7a7405ebbdc99034bb2304c8b19efbb009e759665f620498a9aa00f5b79 jwks.json]
Verified by disassembling Alberta's verifier Android app [1], as Alberta has yet to publish its key to the location specified in the standard. Additional thanks to /u/YegThrowawayWasTaken on Reddit. [1] https://play.google.com/store/apps/details?id=ca.ab.gov.covidrecordsverifier
Key from https://pvc.novascotia.ca/issuer/.well-known/jwks.json: $ sha256sum jwks.json 8c78b49846b9f86e66b56c6d3a756c08e4a6bce8ff555f3b6dd7039e49847cc0 jwks.json (Found via the-commons-project/vci-directory#185.)
Utah outsources Covid-19 digital vaccine records to Docket [1]. Key from https://docket.care/ut/.well-known/jwks.json: $ sha256sum jwks.json 15babf40deb6ecd73c9cdf252324eaef34bd042dfafb89dcbbba52dea303b708 jwks.json (Found via the-commons-project/vci-directory#191.) [1] https://immunize.utah.gov/usiis/usiis-parents-individuals/
New Jersey outsources Covid-19 digital vaccine records to Docket [1]. Key from https://docket.care/nj/.well-known/jwks.json: $ sha256sum jwks.json 9705c17aa5a4ceac5493f69b4dc04e703955dc7b690e7534d66231d759179063 jwks.json (Found via the-commons-project/vci-directory#191.) [1] https://covid19.nj.gov/faqs/nj-information/slowing-the-spread/consumer-access-to-covid-19-immunization-records-with-docket-faqs
Key from https://immunizationcard.manitoba.ca/api/national/.well-known/jwks.json: $ sha256sum jwks.json 0a6388ba092f9aa8460769d170157a4af4c5f80e70166c92a005131522a67335 jwks.json (Found via the-commons-project/vci-directory#192.)
Key from https://prd.pkey.dhdp.ontariohealth.ca/.well-known/jwks.json: $ sha256sum jwks.json a9411fca67636f80260d805b2468980a62f2c309cfcf4e5e9386fdc23a94b2e2 jwks.json (Found via billylo1/covidpass@bd2ec1a; with thanks to the grassroots vaccine pass team (@grassroots_team on Twitter)).
…ion records The Cayman Islands appears to use Cerner's electronic medical records system for all health records, including Covid-19 vaccine records [1]. Key from https://fhir-myrecord.cerner.com/r4/QGFlV8qKdgYu-vPpMAoQW5U4Jb7riiI2/.well-known/jwks.json: $ sha256sum jwks.json 276845f41ed6cda6c224350649c46fbb22346325f9e53ff183987236bc68dd96 jwks.json [1] https://www.hsa.ky/our-services/patient-portal-info/
steven676
changed the title
Minnesota outsources Covid-19 digital vaccine records to Docket [1]. Key from https://docket.care/mn/.well-known/jwks.json: $ sha256sum jwks.json d8b09156d15628dfdf411cdba45671b33bd3151eb889aafe0e720919408db44e jwks.json [1] https://www.health.state.mn.us/people/immunize/miic/records.html
|
More signing keys:
|
steven676
changed the title
…cord Key from https://www.gov.nl.ca/covid-19/life-during-covid-19/vaccination-record/prod/.well-known/jwks.json: $ sha256sum jwks.json 66684693005b6f45a1443b53322677e5c385727487f46ebae6a642e3244d1b28 jwks.json With thanks to GitHub user @craftxbox; closes fproulx#17.
steven676
changed the title
|
Hey Awesome code, Works great for my vaccine. |
|
@ShrimpWink if private keys for trusted passport issuers have leaked, that's concerning and certainly undermines the entire system. If you know of specific governments/organizations that have had their private key leaked, I would encourage you to notify them, as it means they should stop accepting passports signed with the leaked key and re-issue new ones. It would also be worth reporting to VCI Commons (https://github.com/the-commons-project/vci-directory) so they can remove those governments/organizations from the trusted issuers list until they re-issue passports signed with a new key. |
|
Hey , just a rumour that I heard on the forums
No proof at all. I’m sure it’s just a rumour
Again , great program
…On Wed, Oct 20, 2021 at 3:37 PM Dave Hughes ***@***.***> wrote:
@ShrimpWink <https://github.com/ShrimpWink> if private keys for trusted
passport issuers have leaked, that's concerning and certainly undermines
the entire system. If you know of specific governments/organizations that
have had their private key leaked, I would encourage you to notify them, as
it means they should stop accepting passports signed with the leaked key
and re-issue new ones.
It would also be worth reporting to VCI Commons (
https://github.com/the-commons-project/vci-directory) so they can remove
those governments/organizations from the trusted issuers list until they
re-issue passports signed with a new key.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#6 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AWEV4UZZBWP4HLBL4B7G4UDUH4ZANANCNFSM467LOL7A>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
|
Delaware appears to use Envision Technology's WebIZ platform [1] for tracking immunization records. Key from https://smarthealthcard.iisregistry.net/delaware/issuer/.well-known/jwks.json: $ sha256sum jwks.json 1f3e96e5a653a0c7ef5c33b3a6f85282ce2605516bb9db9569e8c48e8d830857 jwks.json (Found via the-commons-project/vci-directory#215.) [1] https://envisiontechnology.com/products/
Connecticut appears to use Envision Technology's WebIZ platform [1] for tracking immunization records. Key from https://smarthealthcard.iisregistry.net/connecticut/issuer/.well-known/jwks.json: $ sha256sum jwks.json 4120c091b645e921943b9cf95285797741e60ae003d0df710fbfa7d861e59a7c jwks.json (Found via the-commons-project/vci-directory#222.) [1] https://envisiontechnology.com/products/
Nevada appears to use Envision Technology's WebIZ platform [1] for tracking immunization records. Key from https://smarthealthcard.iisregistry.net/nevada/issuer/.well-known/jwks.json: $ sha256sum jwks.json 2f503c6a35c59e8426d202a4be136b60f89f00a733b2a976ba548711f964999c jwks.json (Found via the-commons-project/vci-directory#226.) [1] https://envisiontechnology.com/products/
New Mexico appears to use Envision Technology's WebIZ platform [1] for tracking immunization records. Key from https://smarthealthcard.iisregistry.net/newmexico/issuer/.well-known/jwks.json: $ sha256sum jwks.json 29a5fa3373b91bc5154c8939813da6fae3b4ce7ab795e83b0e0b523b882062d0 jwks.json (Found via the-commons-project/vci-directory#227.) [1] https://envisiontechnology.com/products/
…SIIS) records Oklahoma appears to use Envision Technology's WebIZ platform [1] for tracking immunization records. Key from https://smarthealthcard.iisregistry.net/oklahoma/issuer/.well-known/jwks.json: $ sha256sum jwks.json 6e842d2d805b90ec9211594f502f01217c2ddbefc61f9d15056e5043c594e600 jwks.json (Found via the-commons-project/vci-directory#228.) [1] https://envisiontechnology.com/products/
The Northern Mariana Islands appear to use Envision Technology's WebIZ platform [1] for tracking immunization records. Key from https://smarthealthcard.iisregistry.net/cnmi/issuer/.well-known/jwks.json: $ sha256sum jwks.json 9e701b6b4703ed83b36541c51e4317d04e50f3b1ad82344feb907ad6e30ea193 jwks.json (Found via the-commons-project/vci-directory#229.) [1] https://envisiontechnology.com/products/
Guam appears to use Envision Technology's WebIZ platform [1] for tracking immunization records. Key from https://smarthealthcard.iisregistry.net/guam/issuer/.well-known/jwks.json: $ sha256sum jwks.json 225040d69245b29d19ffb762184ce9ac592450042d962252cb810b95827598f4 jwks.json (Found via the-commons-project/vci-directory#230.) [1] https://envisiontechnology.com/products/
Kentucky appears to use Envision Technology's WebIZ platform [1] for tracking immunization records. Keys from https://smarthealthcard.iisregistry.net/kentucky/issuer/.well-known/jwks.json: $ sha256sum jwks.json 7be3f7da7e3b309d238a75c68cad8a4b9c4c835dcdcb56ad5f8624c14dc67e0b jwks.json (Found via the-commons-project/vci-directory#231.) [1] https://envisiontechnology.com/products/
…ion record Keys from https://pvcprod.gov.pe.ca/.well-known/jwks.json: $ sha256sum jwks.json 67ebfe49451fc583c9c92bf9f75d480df5e63a1530a6b88009632c5809732e13 jwks.json (Found via billylo1/covidpass@901c61d; with thanks to the grassroots vaccine pass team (@grassroots_team on Twitter)).
|
More signing keys:
|
steven676
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This patch series makes a number of changes:
Note that this patch series currently (probably) breaks signature verification of Quebec vaccination proofs -- I need to fill in the iss value for Quebec at https://github.com/steven676/shc-covid19-decoder/blob/main/src/issuers.js#L4, which I can't find anywhere public.
Lightly tested with valid California vaccine records, the sample record at https://github.com/dvci/health-cards-walkthrough/blob/main/SMART%20Health%20Cards.ipynb, and a number of non-SHC QR codes.