Forged Certificate gets validated #306
Comments
Thanks for reporting, we'll look into it!
About the first QR code passing: About the encoding issue in the second QR code: This is probably also why decoding (and hence verification) of the second QR code fails with the "D|B45" error -- '\n' is not a valid base45 character.
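The point in the comment above, that '\n' is outside the base45 alphabet, shown as an added example that is not part of the original thread or of the app's code. The function names and the sample strings are constructed for illustration; the alphabet is the one defined in RFC 9285.

```python
# Base45 alphabet from RFC 9285, in value order 0..44.
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"
VALUE = {ch: i for i, ch in enumerate(ALPHABET)}


def base45_decode(text: str) -> bytes:
    """Strict decoder: any character outside the alphabet is an error."""
    out = bytearray()
    for pos in range(0, len(text), 3):
        chunk = text[pos:pos + 3]
        if len(chunk) == 1:
            raise ValueError("truncated base45 input")
        try:
            digits = [VALUE[ch] for ch in chunk]
        except KeyError as exc:
            raise ValueError(f"invalid base45 character {exc.args[0]!r}") from None
        # Digits are little-endian: c + d*45 (+ e*45*45 for a triplet).
        n = sum(d * 45 ** i for i, d in enumerate(digits))
        if len(chunk) == 3:
            if n > 0xFFFF:
                raise ValueError("base45 triplet out of range")
            out += n.to_bytes(2, "big")
        else:
            if n > 0xFF:
                raise ValueError("base45 pair out of range")
            out.append(n)
    return bytes(out)


def decode_scanned(text: str, strip_newlines: bool) -> bytes:
    """Decode scanner output; strip_newlines models a reader that drops newlines."""
    if strip_newlines:
        text = text.replace("\n", "")
    return base45_decode(text)


# Constructed samples: RFC 9285 encodes b"AB" as "BB8". The second string
# carries one stray newline, as the second QR code in this thread does.
CLEAN = "BB8BB8"
WITH_NEWLINE = "BB8\nBB8"

if __name__ == "__main__":
    print(decode_scanned(CLEAN, strip_newlines=False))
    print(decode_scanned(WITH_NEWLINE, strip_newlines=True))
```

A reader that strips newlines sees identical data in both strings, while the strict decoder rejects the second one, which is how two scanners can disagree about the same QR payload.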
Oh, you're right, that could very much be the case since I strip newlines in my reader. Duh!
Maybe this is a wrong report. I just realized this QR is supposed to be valid and it's part of eu-digital-green-certificates/dcc-quality-assurance and it's thus supposed to be valid. It's just a weird certificate. I guess we can close this issue, sorry!
No worries and thanks for your efforts!
This certificate, despite being weird and being signed by a production key of AD, is in fact genuine and used as part of the EU DGC Quality Assurance tests. This is very unfortunate as these certificates should have never been signed with a productive key to begin with. For this reason, this certificate isn't forged and thus it is now removed with this commit.
References:
- #9
- ministero-salute/it-dgc-verificaC19-android#185
- admin-ch/CovidCertificate-App-Android#306
- eu-digital-green-certificates/dcc-quality-assurance#183
Due to a bug in the QR decoder, forged QR Certificates get validated.
This bug is similar (if not equal) to ministero-salute/it-dgc-verificaC19-android#185 and it can be reproduced as follows.
Valid Certificate
This QR code has the same data as the one below. Sadly it gets validated in the Swiss Covid Checker app.
Invalid Certificate
Note that, when decoded with zbar, both QR codes have the same data contained.
Hypothesis
This feels like a QR Decoding issue. We're discussing it at denysvitali/covid-cert-analysis#9 and at ministero-salute/it-dgc-verificaC19-android#185