Invalid QR code gets validated #185
Comments
|
I don't have Covid19 app installed but if it recognizes such a certificate as valid it really has a serious security vulnerability! |
|
I think the problem is that the app doesn't do any schema validation before trying to access the fields in the json |
|
The certificate given in bug report contains a valid (as in, the signature is ok) certificate base45 at the beginning, then some gibberish spiked with profanities appended. The app is right showing positive result for this certificate. The complete certificate text in base45 is in first 478 characters The problems with app behavior on this certificate is displaying "NULL NULL" instead of value from "fnt" field, caused by lack of full person info in "nam" section, which is not required by schema. |
|
Can you please also check this one? I'm not in front of my PC now and I don't have enough time to do a comprehensive analysis |
|
Hello @denysvitali
VerificaC19 uses the default implementation of EU DGC core decoder for such operations. The latest EU DGC core decoder updates fix some base45decoder issues (bugfix commit). By using the updated core decoder, the first QR code - based on AD 1.0.0 Full Vaccination testdata signed with keys from the DCC ACC environment (check here) - gets detected as NOT VALID. I've built a test-release 1.1.6 of VerificaC19 with the current updates (available here) if you want to use it for your checks. The second QR code (BRANDENBURGTEST BERND 01/01/1950) gets detected instead as valid using the current code for verifier-app + DGC-SDK (develop branches) & EU DGC core + certlogic. |
|
@Jakub-KK hello, could you please explain how the extra gibberish gets ignored? Personally, I'd rather reject any QR that contains extra characters, if possible... though not a security issue and also fun to be able to personalize the GC QR :) |
|
Hi @popolla, this is possible if base45 decoder allows it, basically the decoder stops ingesting new data on first error and returns the data already decoded. If this data contains valid compressed stream of COSE message (or just the message without compression) than it will be further processed and result in verificator working correctly. As @rawmain said, the base45 decoder is stricter in latest EU DGC core code, this causes it to no longer accept such malformed texts as input. |
|
Hey @rawmain ! I'm sorry, but the issue is not solved yet. Whilst the app you published might have fixed the issue with the QR data I published, it doesn't solve another issue which I didn't noticed at the beginning because I re-generated the QR code. So basically the issue is that this QR code still passes the verification on the app you posted above:
But this does not:
Despite they both contain the same data. |
|
Hello @denysvitali
Thanks for the feedbacks. The second QR code gets already rejected even with former EU DGC decoder code arrangement - before latest B45 bugfix commit of 3 days ago. As you can check with the official 1.1.6 Android release form Google Play Store / AppGallery, it triggers indeed a decoding error with explicit entry in logcat. The first one isn't triggering instead any explicit notice/entry during decoding stages. Neither by those verifier-apps, which rely on the default EU DGC decoder-module (such as IT VerificaC19 and FR TAC Verif), nor by other apps with a slightly different implementation for the decoder (such as CH CovidCertificate Check). I'll perform some debug-checks - by also re-arranging some settings for the decoder Zxing dependencies (now using ZXing Android Embedded 4.2.0) - in order to see which commits may be eventually suggested through a related PR on EU DGC Core Decoder repo. |
|
Sorry, ignore my last message. That QR code is supposed to be valid and it's used as part of EU quality assurance tests: Sorry :( |
|
Hello @denysvitali
No problem, don't worry ;) . I was just performing further checks since alterations of the original AD full VAC QR test-code have been used anyway to test B45->CBOR triggers. By the rest, AD/1.0.0 directory's deletion+revocation have already been requested (as you can check from closed/open PRs in the quality-assurance repo). Therefore - once approved - the related UVCI of such AD case-samples will be added into production blacklist/revoke lists. |
This certificate, despite being weird and being signed by a production key of AD, is in fact genuine and used as part of the EU DGC Quality Assurance tests. This is very unfortunate as these certificates should have never been signed with a productive key to begin with. For this reason, this certificate isn't forged and thus it is now removed with this commit. References: - #9 - ministero-salute/it-dgc-verificaC19-android#185 - admin-ch/CovidCertificate-App-Android#306 - eu-digital-green-certificates/dcc-quality-assurance#183
|
Hi thank you for your support |
Describe the bug
Scanning the following QR code (sorry for the profanity included, it's how I found it from here) results in a positive result.
Expected behaviour
QR Code isn't validated
Steps to reproduce the issue
Technical details
Probably a parsing issue. Only happens w/ VerificaC19 (Swiss Covid App + corona-decoder) are fine with this specific QR.
One user reports that with a slightly modified QR the Swiss Covid app is affected too.
Possible Fix
Validation must be checked + tested
Additional context
Found on https://github.com/ehn-dcc-development/hcert-spec/discussions/105#discussioncomment-1573490.
The text was updated successfully, but these errors were encountered: