[iOS] Signing certificate expiration date time does not supersede the expiration date time of the green certificate #102

Closed
RalicaY opened this issue Jul 9, 2021 · 6 comments
Labels
bug Something isn't working

Collaborator

RalicaY commented Jul 9, 2021

Describe the bug

In order to check that, when the signing certificate expiration datetime supersedes the expiration datetime in the Green certificate, the app returns INVALID, we have created the following QR code with a chronologically valid certificate but with an expired DSC certificate.

Attached JSON file and QR Code.

Nevertheless, scanning this QR Code with the Verifier app returns VALID.

Expected behaviour

Expected is a RED screen saying the Certificate is INVALID.

Steps to reproduce the issue

Technical details

Verifier 1.1.5-tst
signing_expiration_supercedes_certificate_expiration
signing_expiration_supercedes_certificate_expiration_json

iPhone 8 plus v. Lutz, iOS 14.4

Possible Fix

Additional context

RalicaY added the bug label Jul 9, 2021
RalicaY changed the title from "[iOS] If signing certificate expiration datetime supersedes the expiration datetime in the Green certificate, the app should return invalid" to "[iOS] Signing certificate expiration date time does not supersede the expiration date time of the green certificate" Jul 9, 2021
@oleksandrsarapulovgl

@RalicaY could you please check the expiration time of the certificate? It's 2022-07-05T06:42:53Z. The year is 2022. Probably that's the issue. The certificate is not expired. It expires next year.

FYI @alexchornyi @Hendrik-Schmidt-Schierhorn-TSI

Collaborator Author

RalicaY commented Jul 13, 2021

The idea is that the Certificate is indeed chronologically valid but the signer's certificate is already expired, so that the certificate's expiration time eventually supersedes (is valid longer than) the signer's.

@TKlauenberg

So as @RalicaY said the Health Certificate is still valid. The missing data is that the Signing Certificate (DSC) is not valid anymore. The Signing certificate has the kid "9T3aGXtSul0=" and is only valid until "2021-07-07 06:14:17".

So the hcert is valid but the Signing Certificate is not.

I have uploaded the PEM encoded certificate which is also in the TST environment.
dsc.txt

@alexchornyi
Contributor

@RalicaY The app works as expected. We received this certificate from the BE side. Here is the list of valid certificates we received from the server:

As you can see, this key is present in this list and we didn't remove this key from the app.
I think this issue should be fixed on the BE side to remove invalid keys from the response.
Please look and close this issue.
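
Added example, not part of the thread or the project's code: a Python illustration of the two places discussed above where the expired DSC could be caught, pruning the trust list on the backend and re-checking the DSC validity window in the verifier. The `Dsc` record, the function names, the `not_before` value and the scan time are assumptions; the kid and both expiry timestamps are the ones quoted in the thread, with UTC assumed for the DSC end date.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Dsc:  # hypothetical record: one trust-list entry with its X.509 validity window
    kid: str
    not_before: datetime
    not_after: datetime

def utc(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' as a UTC timestamp."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)

def prune_trust_list(trust_list, now):
    """Backend side: serve only DSCs whose validity window contains `now`."""
    return [d for d in trust_list if d.not_before <= now <= d.not_after]

def check_validity(kid, hcert_exp, trust_list, now):
    """Verifier side: time checks that follow the signature check (not shown).

    Presence of a kid in the served list is not treated as proof that the DSC
    is still valid; its window is re-checked against the scan time.
    """
    dsc = next((d for d in trust_list if d.kid == kid), None)
    if dsc is None:
        return "INVALID: no trusted DSC for kid"
    if not dsc.not_before <= now <= dsc.not_after:
        return "INVALID: DSC outside its validity period"
    if now > hcert_exp:
        return "INVALID: hcert expired"
    return "VALID"

# kid, DSC end date and hcert expiry are from the thread; not_before and the
# scan time are constructed, and UTC is assumed for the DSC end date.
TRUST_LIST = [Dsc("9T3aGXtSul0=", utc("2021-01-01 00:00:00"), utc("2021-07-07 06:14:17"))]
HCERT_EXP = utc("2022-07-05 06:42:53")
SCAN_TIME = utc("2021-07-09 12:00:00")

if __name__ == "__main__":
    print(check_validity("9T3aGXtSul0=", HCERT_EXP, TRUST_LIST, SCAN_TIME))
    print(check_validity("9T3aGXtSul0=", HCERT_EXP,
                         prune_trust_list(TRUST_LIST, SCAN_TIME), SCAN_TIME))
```

With either measure in place the scan from the report is rejected: the unpruned list fails the window check, and the pruned list no longer contains the kid.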

@ltranvan

same info analog issue #142

Collaborator Author

RalicaY commented Jul 23, 2021

Successfully retested with Error Notification "Cryptographic Signature Invalid".

@RalicaY RalicaY closed this as completed Jul 23, 2021