## NL Wallet App Simulator
- Execute each cell with Crtl+Enter
- Two cells will ask for an input. Make sure the respective QR (init, DCC) is readily a hand for cut and paste


Install libraries if you run this notebook for the first time

In [1]:
!pip install pyjwt cryptography protobuf pycryptodome ecdsa


Looking in indexes: https://pypi.org/simple, https://us-python.pkg.dev/colab-wheels/public/simple/
Collecting pyjwt
  Downloading PyJWT-2.4.0-py3-none-any.whl (18 kB)
Collecting cryptography
  Downloading cryptography-37.0.2-cp36-abi3-manylinux_2_24_x86_64.whl (4.0 MB)
[K     |████████████████████████████████| 4.0 MB 4.7 MB/s 
Collecting pycryptodome
  Downloading pycryptodome-3.14.1-cp35-abi3-manylinux2010_x86_64.whl (2.0 MB)
[K     |████████████████████████████████| 2.0 MB 52.9 MB/s 
[?25hCollecting ecdsa
  Downloading ecdsa-0.17.0-py2.py3-none-any.whl (119 kB)
[K     |████████████████████████████████| 119 kB 45.3 MB/s 
Installing collected packages: pyjwt, pycryptodome, ecdsa, cryptography
Successfully installed cryptography-37.0.2 ecdsa-0.17.0 pycryptodome-3.14.1 pyjwt-2.4.0


### Ingest an invitation

Identify yourself at an airline (e.g. https://pinggg.mywire.org/static-v2) to obtain an invitation for validation. 

Grab the invitation string from url to wallet and paste in input-box. <br>
Or alternative: Open QR-code in Google-lens and "copy text" to capture the invitation string.

### Init QR code handling by wallet app
The wallet app processes the invitation:

1.   The wallet gets airline identity document to learn airline endpoints and validation service location
2.   The wallet determines location of validation service ((from airline identity document)). A choice is presented in case multiple validation services are offered.

In [8]:
import requests
import json
import jwt
import base64

invite = input('Paste Invitation string contents here: ')

#base64_message = invite
#base64_bytes = base64_message.encode('ascii')
#message_bytes = base64.b64decode(base64_bytes)
#qr_code = message_bytes.decode('ascii')
qr_code = invite
qr_code_data =  json.loads(qr_code)
print(f"QR-Code data: {json.dumps(qr_code_data, indent=4)}")

token_info = jwt.decode(qr_code_data['token'], options={"verify_signature":False})
print(f"Invitation-token: {token_info}")

import ecdsa
import base64
from Crypto.Hash import SHA256
from ecdsa.curves import NIST256p

# Load the airline identity document 
serviceIdentity = requests.get( qr_code_data['serviceIdentity'] ).json()

# Get the information from the identity document. Identity contents
## services, i.e. airline endpoint to get validation access token and to return confirmation token, and (list of) providers that offer validation
## verification methods, public keys to validate signatures or for use in encryption 




Paste Invitation string contents here:  {"protocol":"DCCVALIDATION","protocolVersion":"2.00","serviceIdentity":"https://tvairline.mywire.org/identity","privacyUrl":"privacy policy url...","token":"eyJraWQiOiJMNlRjam5iWmdlND0iLCJhbGciOiJSUzI1NiJ9.eyJpc3N1ZXIiOiJodHRwOi8va2VsbGFpci5jb20iLCJpYXQiOjE2NTUyNDA4ODQsImV4cCI6MTY2Mzg4MDg4NCwic3ViIjoiNjlENUVCMUZBMTExNDA5M0FGOEY4MDg2MzQwRUZBMDYifQ.OMJVU17-aszU6EmK2kFCNqq63ezJC2rfeCfzoUMJUJ-z_8KgL_RAiNi8h1LAkxCrc6VaS84LgHOu56H6KGxriNDEBFZx2SlPAPAkK9mGTZ3OdnsZsNCFXeThExv-4xxztysvdiTxU6NpQ29-2Bw_N6AjKkzZilH2aE-ulpSuRv7yWERST6bqZ0ZUg0OIa6ot88lTDe10FsnK-mNV34y2ueN7wuLpN7Ac0KTElcKuZ-LPfrRH5R4C1muyarudi_3kQRhaG6akqwA-0Qxu4mRAkEKJSdyZ2F6d7ZJu6QDXydOb6ZHnunjTBQiDgxcB28rMANXCKQ9fjnWfBpicqLY5GJaTgA_yt0mLIKTYx-mXJTCJmw71Y0Q9dtIB1_kOc1r9L-a_N-6N1Vym1gEa8U3HYV2JL3CDTFxuWo7vN0UX_cdI-jZkUnSTldS_AJ0RFCR1HFl3XhX3zIhJ9eCEHz6j7uT21dYMseoNZeLC6EKBi6Y8zPsg-cQN5Zpl-W-0xYcUUtG8HTGTYajxYG8obr8ulYyPYeD-dfMyF5v5aKrd5frtybFK-yf1N_Xq5jJ8iESmTyMme1_-Ud0Hyl5n6DS4Yu9FuJmaaMlmMtC

#Wallet gets the validation access token
which packs travel data and some instructions for type of validation that is expected. 
- The endpoint to get access token is determined from the airline identity document
- The request is authenticated with invitation-token (so links back to booking and passenger)

Under EU-DCC-validation protocol (but not implemented by us)
- The wallet advises its one-time identity, not sure why??
- The airline hands back validation access token and a nonce (nonce, why??)

In [5]:
import ecdsa
import base64
from Crypto.Hash import SHA256
from ecdsa.curves import NIST256p

#create one-time wallet identity(key-pair) to sign the DCC on upload
userkey = ecdsa.SigningKey.generate(curve=NIST256p,hashfunc=SHA256.new) 

# App selects the AccessTokenService in Airline Identity document and requests for Validation Access token. 

for service in serviceIdentity['service']:
    if service['id'].endswith('#AccessTokenService'):
        response = requests.post( service['serviceEndpoint'], 
                    headers={'Authorization': f'Bearer {qr_code_data["token"]}', #initR-token goes here
                             'Content-Type':'application/json', 
                             'X-Version' : '1.0'},
                    json = {"pubKey": userkey.get_verifying_key().to_pem().decode(), 
                                    #advise pub key to validation service for inspection of signature on DCC
                            "alg": "ES256"}
                                  
        )
        # print ("Undecoded Response", response.status_code, response.text, '\n\n')
        
        # This is the access token for the validation service
        validator_token = response.text 
        validation_nonce = response.headers['x-nonce']
        
        token_info = jwt.decode(validator_token, options={"verify_signature":False})
        print(f"Validator_Access_Token: {json.dumps(token_info, indent=4)}")




Validator_Access_Token: {
    "iss": "https://pinggg.mywire.org/wallet/identity/v2",
    "sub": "84bf584c-e678-4b0e-a1ca-8fa35cd27e99",
    "aud": "https://pinggg.mywire.org/wallet/validation-stub/v2/validate",
    "t": 2,
    "v": "1.0",
    "vc": {
        "lang": "en-en",
        "coa": "NL",
        "cod": "BE",
        "poa": "AMS",
        "pod": "BRU",
        "roa": "NL",
        "rod": "BE",
        "type": [
            "r",
            "v",
            "t"
        ],
        "category": [
            "Standard"
        ],
        "validationClock": "2022-06-14T20:48:42.310Z",
        "validFrom": "2022-06-15T20:38:39.679Z",
        "validTo": "2022-06-15T21:38:39.679Z"
    },
    "jti": "3d4335bd-b484-451b-b1e0-71f45efff691",
    "iat": 1655239722,
    "exp": 1655243322
}


# Submit the health certificate
You can enter the health certificate data into an input field. 

Source for DCC: https://eu-dcc-validation.web.app/

Open the QR-code with Google lens (right click option in Chrome) and "copy text" to obtain health sertificate in string format 

Make sure that the name and date-of-birth match the data in the validation access token from above. 

##The wallet app now executes the following steps: 
- choose a random password (32 bytes)
- AES-encrypt the DCC with the password from above and the nonce that was obtained together with the access token 
- encrypt the password with the validation service's public key 
- sign the encrypted AES-encrypted data with the userkey that has been submitted to get the access token
- send JSON data to the validation service:
   - kid of validation server's public key that was used to encrypt password
   - encrypted dcc data
   - signature of encrypted dcc data
   - PKI encrypted password for dcc
   - constants: encScheme = RSAOAEPWithSHA256AESCBC, sigAlg = SHA256withECDSA
   - header: Access token that was previously obtained
- decode the response and print it
  - Private part of result is feedback on evaluation of individual busness rules
  - Public part of result is confirmaion token, which can be made availabe to airline if passenger wishes to do so



In [6]:
hcert = input('Please paste your HCert: ').strip()  # Option 1: Enter the HC1:-String into the input field
#assert hcert.startswith('HC1:')

from base64 import b64decode
from random import randint
from Crypto.Cipher import PKCS1_OAEP
from Crypto.PublicKey import RSA
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
from ecdsa.util import sigencode_der

# Use real random numbers for production instead!
password = bytearray([randint(0,255) for i in range(32)])

#validation_identity = requests.get(validation_service_endpoint+'/identity').json()


#for verificationMethod in validation_identity['verificationMethod']:
#    if verificationMethod['id'].endswith('ValidationServiceEncKey-1'):
#        validation_service_publickey =  verificationMethod['publicKeyJwk']
#        print("Selected Public Key:", validation_service_publickey )

#validatorkey = RSA.import_key(f'-----BEGIN CERTIFICATE-----\n{validation_service_publickey["x5c"]}\n-----END CERTIFICATE-----')
#aesCipher = AES.new(password, AES.MODE_CBC,iv=b64decode(validation_nonce))

#cipher = PKCS1_OAEP.new(validatorkey,hashAlgo=SHA256)
#cryptKey = cipher.encrypt(password)
#ciphertext= aesCipher.encrypt(pad(bytes(hcert,'utf-8'),AES.block_size))
#signature = userkey.sign(ciphertext,hashfunc=SHA256.new,sigencode=sigencode_der)

#######   initialize  ###### 
headers = {'content-type': 'application/json', "Authorization":"Bearer " + validator_token ,}
body = {
  "pubKey": "aaabbb",
  "alg": "RSA",
  "Nonce" : "argle"
}
txt=token_info['aud']
url = txt.rsplit("/validate")[0]+"/initialize"
response = requests.post(url, data=json.dumps(body), headers=headers)
print ("Initialize Response", response.status_code, response.text, '\n\n')


####### validate   ######
headers = {'content-type': 'application/json', "Authorization":"Bearer " + validator_token }

#body = {"kid":validation_service_publickey["kid"],
#        "dcc":base64.b64encode(ciphertext).decode(),
#        "sig":base64.b64encode(signature).decode(),
#        "encKey":base64.b64encode(cryptKey).decode(),
#        "encScheme":"RSAOAEPWithSHA256AESCBC", 
#        "sigAlg":"SHA256withECDSA"}
body= {
    "hcert": hcert

}

response = requests.post(token_info['aud'], data=json.dumps(body), headers=headers)
print ("Validate Response", response.status_code, response.text, '\n\n')


if response.ok:
  validate_result = jwt.decode(response.content, options={"verify_signature":False})  # weak knees, no sign check
  print(f'Validate result message: {json.dumps(validate_result, indent=4)}')

Please paste your HCert: HC1:6BFOXN%TSMAHN-HOO4M/MG7HG7HDX9:D43:O-36LOVAOMQV4TP5I9CQL9+9D*XD/GPWBILC9FF9 RPR-SPGA.N8E6KZ1WJ9OF00SI1V:4CP6C324RC2%K:XF03LP+POF4$0AQCQYCIW49W3GZS0N1B+4K77II*N/ME.ZJ1NGC QAT0PI0QQ9LV7U*V:+GWUSN*O0%KL$S8J4+J46YBAN8ORC4126NA6H0554-G97E9M9IDB9M%5N11NJPLEP9XA7KQSF6HX6BGUZ+L..P9PPTW5G0A+E93ZM$96PZ6+Q6X46%E5EPPQF67460R6646O59WC5OFU946+967KQ1C9AKPCPP7ZM-O6QW6:%0GIII7JSTNB957/5%77P1R6ZQZ.QR95.16 K5 96P/5CA7T5M7+5:ZJ83BO8TGVTCET6NJF0JEYI1DLZZL162J863:QVANSMNV4G- GNSDO5KZDP6UCI2RA9UQYH 6OYCN%MR*Y883E5%F6GWFSIUNT7.2D$QE-RUSERNT/21/0FL6O-1SI59BUR%48B40HAQW2
Initialize Response 404 <!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot POST /wallet/validation-stub/v2/initialize</pre>
</body>
</html>
 




KeyboardInterrupt: ignored

#completion, push confirmation
Wallet offers to push confirmation to airline, as final step. Under consent.

On "yes", wallet identifies endpoint from airline identity document and POSTs the confirmation token under authentication with invitation token. In final message traeler is advised to go back to airline site

In [None]:
ahum = input('Enter yes to push token to arline: ').strip()
  # App selects the ConfirmationService in Airline Identity document and posts the confirmation token.
for service in serviceIdentity['service']:
    if service['id'].endswith('#ConfirmationService-1'):
      response = requests.post( service['serviceEndpoint'],
                               headers={'Authorization': f'Bearer {qr_code_data["token"]}', #initR-token goes here
                               'Content-Type':'application/json', 'X-Version' : '1.0'},
                               json = {"confirmation": validate_result["confirmation"]})
print ("Undecoded Response", response.status_code, response.text, '\n\n')
        
print('Please navigate back to airline website')

Enter yes to push token to arline: 
Undecoded Response 200  


Please navigate back to airline website
