
certification-apis's People

Contributors

bastianzim, hendrikboerste, mikemcc399, mwicke, networkexception, oliver-steinbrecher, szoerner, thinkberg

certification-apis's Issues

Deviating calculation full protection in apps

Due to the fact that the code of the apps isn't open sourced, this issue resides here.
The computation of the time for "total protection at" differs between iOS and Android by 1 day. It looks like the iOS app takes the vaccination date + n weeks and the Android the vaccination date + n weeks + 1.

Example doesn't verify with hc1_verify.py -- invalid signature?

Running against hc1_verify.py gives:

$ python hc1_verify.py demo-dsc.crt <01_example.txt
Traceback (most recent call last):
  File "hc1_verify.py", line 134, in <module>
    raise Exception(
Exception: KeyID is unknown (expected b'e848f3ca13651834', got b'8ede3316d4da418181f0753affc6a3a3') -- cannot verify.

Trying to side step this by ignoring the KID gives:

$ python hc1_verify.py --ignore-kid demo-dsc.crt <01_example.txt
Traceback (most recent call last):
  File "hc1_verify.py", line 149, in <module>
    raise Exception("faulty sig")
Exception: faulty sig

The data itself seems fine:

$ python hc1_verify.py --ignore-signature demo-dsc.crt <01_example.txt
Issuer              : DE
Experation time     : 1651928945
Issued At           : 1620392945
Health payload      : {"v": [{"ci": "01DE/00000/1119349007/BW1DDJEZX2B0VGVYII1QN7DDU#S", "co": "DE", "dn": 2, "dt": "2021-05-07", "is": "Bundesministerium f\u00fcr Gesundheit", "ma": "ORG-100030215", "mp": "EU/1/20/1528", "sd": 2, "tg": "840539006", "vp": "1119349007"}], "dob": "1970-01-01", "nam": {"fn": "Die\u00dfner Musterfrau", "gn": "Erika D\u00f6rte", "fnt": "DIESSNER<MUSTERFRAU", "gnt": "ERIKA<DOERTE"}, "ver": "1.0.0"}

SMC-B authentication in dental practices

Following the current resolution of the Minister-Presidents of 02.12.21, dentists are also to carry out vaccinations in the future.

Dental practices, like medical practices, are connected to the TI and use their own SMC-Bs for authentication. However, the public certificates of these SMC-Bs do not contain the required entry "Betriebsstätte Arzt".

Here the backend should, at short notice, also accept the entry "Zahnarztpraxis" with the ProfessionOID "1.2.276.0.76.4.51", in order to enable the issuance of vaccination certificates in dental practices.

CURL example produces following error: Sorry, the incoming cose object is invalid.

I am implementing this API for a customer.
This morning the CURL example from the documentation was working fine.
But since the afternoon it returns the following error:
Sorry, the incoming cose object is invalid.

Can someone explain what I'm doing wrong?
What is "cose object"?

curl \
  --location \
  --request POST 'https://api.certify.demo.ubirch.com/api/certify/v2/issue' \
  --cert-type p12 \
  --cert demo.pfx:$(cat demo.pwd) \
  --header 'Accept: application/cbor+base45' \
  --header 'Content-Type: application/json' \
  --data-raw '{
      "nam": {
        "fn": "Musterfrau",
        "gn": "Erika"
      },
      "dob": "1979-04-14",
      "v": [{
        "id": "IZ999999X",
        "tg": "840539006",
        "vp": "1119305005",
        "mp": "EU/1/20/1528",
        "ma": "ORG-100001699",
        "dn": 1,
        "sd": 2,
        "dt": "2021-04-14"
      }]
    }'
HTTP/1.1 406 Not Acceptable
Content-Length: 43
Content-Type: application/cbor;charset=utf-8
Date: Thu, 20 May 2021 20:35:29 GMT
Connection: close

Sorry, the incoming cose object is invalid.

Handling of compromised certificates

Hello,

are there plans to handle compromised certificates? Is there a way to invalidate them without needing to revoke the signing authority?

Authentication with client-certificate (mTLS)

Hello everyone,

we are developing software for a medical practice. We would like to authenticate via certificate; unfortunately, the RKI or the KV does not know where we can request this certificate.

Can anyone help us with this?

Many thanks

New Vaccine Valneva

Hello @thinkberg,

is it possible to generate certificates for the new vaccine Valneva? If so, what are the values for vp, mp and ma?

Greetings

Can you please make a video tutorial?????

So sir can you please make a video tutorial for me, because I don't understand it perfectly.
I live in the Netherlands so it would be very nice if you can show how to make that vaccination qr code.

Date Format and additional information like boost or recov

When creating certificates on the official Robert Koch Institut Portal it is possible to select a German date time format and to add some additional information like boost or recov.

Here is a screenshot of the corresponding part:
(Screenshot: Bildschirmfoto von 2021-12-16 10-44-13)

I was not able to find any information about how to do this with the DGC REST interface. Is this also possible with the given REST interface?

Field length "Surname"

The field length for the surname or last name of a patient is insufficient. The last name on the certificate has to be precisely the same as the last name in the passport/identification card the patient uses for international travel, otherwise foreign travel authorities will have issues verifying the identity of the passport holder with the name on the certificate, especially if the name has to be abbreviated. Not every travel authority is familiar with German or Spanish name rules for aristocratic names for example, where a last name can easily be 40 or even 50 to 60 characters long. I therefore suggest to define the field length for the Last Name to at least 60 characters, otherwise the certificate will be useless for patients with names that do not reflect the name in the official identification papers when travelling internationally.

ICAO Implementation differs from test implementation

Hi,

we are a software development company with a product for COVID19 test- and vaccination centers. For this use case we create both, vaccination certificates over ubirch/ibm api and test certificates over the cwa endpoint. Today I found a mismatch between these two certificates for the same input.

I think this bug is located in the ubirch/ibm api because I think the dot char "." is not specified for a machine readable string and gets replaced by nothing and not with an "<" char. If it is defined this is a bug in the reference implementation of the cwa. I'll open these requests in both GitHub repositories and link each other. Could someone clarify which implementation is correct?

Example for Vaccination certificates with Ubirch/IBM API:
"fn": "Dr. Mustermann",
"gn": "Max",
"fnt": "DR<<MUSTERMANN",
"gnt": "MAX"

Example for Test over CWA API
"fn": "Dr. Mustermann",
"gn": "Max",
"fnt": "DR<MUSTERMANN",
"gnt": "MAX"

Regards, Tobias

corona-warn-app/cwa-quicktest-onboarding#68

Usage of public Trust List API

We are currently implementing our own validation service for DCC within a commercial application for access systems. Can we use the public endpoint for Ubirch's trustlist (https://de.dscg.ubirch.com/trustList/DSC/)? Are there any future restrictions in this context? Will this endpoint be secured with dedicated access data in the future?

Respond to the request to publish the source code of the apps

Please respond to the request to publish the source code of the apps, which was made in Digitaler-Impfnachweis/documentation#6.

It would also be good to have a general clarification whether you plan to respond to issues in https://github.com/Digitaler-Impfnachweis/documentation or not, so that the community doesn't invest time into issues which aren't looked at.

I understand that you are quite busy at the moment, but just a little sign that somebody saw the issue and is on it would be great!

Thank you!

Problem with SMC-B Arztpraxis in the PU

Hello!

Since 19.05.2023, disruptions of the SMC-B Arztpraxis workflow have been reported to us. On 16.05.2023 it still worked. The error is 400 Bad Request.

Best regards
Dirk Fellenberg | InterData

Host: id.impfnachweis.info
GET /auth/realms/bmg-ti-certify/login-actions/authenticate

400 Bad Request

ICAO Reference-Algorithm for Test DCCs - Ubirch's support is needed

Dear @thinkberg,

Ubirch is using an ICAO algorithm to transliterate contents of name fields in vaccination certificates into standardized name fields.
Standardized name fields are used by wallet and check apps to group a series of (different) certificates to a user.

While you are taking care about vaccination certificates, T-Systems is handling ICAO issues in the context of Rapid Antigen Test DCCs.
T-Systems offers a RAT portal, where connected test centers are able to process the whole work flow for registration of testees, entering test results, submission of test results to apps and health authorities (in case of positive result), and issuance of RAT DCCs (in case of a negative test result).
Currently, all medical staff entering data via TSI's RAT portal must enter transliterated standardized names manually(!) which is for obvious reasons prone for errors, and according to reports of test center staff rather time consuming.
Volunteer help to change this situation is offered by @janhoffmann, who proposed a solution to automatically fill standardized name fields with ICAO transliterated names. The PR is here: corona-warn-app/cwa-quick-test-frontend#290
TSI is assessing the PR and signals to use it for the RAT portal, as soon as it is functional and fully compliant to ICAO guidelines.

But there are also 3rd party providers, that are connected to TSI's backend, and that implemented their own ICAO algorithms in the context of issuing RAT DCCs. For 3rd party providers, there are some general links or hints TSI provides for developers, but in the end developers are on their own, and based on my own experiences/discussions with developers, ICAO algorithms are searched across the internet, and what can be found is implemented on their side. It is questionable whether all 3rd party providers always thoroughly assessed these implemented algorithms for full conformity/compliance with the official ICAO guideline.

Furthermore, even the ICAO guideline itself is a bit fuzzy in some parts of transliteration (see p. 24 for example):

  • A diaeresis -> AE or A
  • A ring above -> AA or A
  • N tilde -> N or NXX

... and so on.

It seems to be obvious, to have the best possible outcome in grouping Test DCCs with Vaccination DCCs, it would be good when all transliterations in this context rely on a single reference ICAO algorithm.

Ubirch was the first entity that implemented an ICAO algorithm for vaccination DCCs. TSI could be second, but for the RAT portal nothing is fixed yet, and for the 3rd party providers we can expect a rather heterologous variety of solutions.

About one month ago I kindly asked you, if someone of your dev department could have a look at the proposed ICAO algorithm in corona-warn-app/cwa-quick-test-frontend#290 to ensure alignment of the future TSI RAT portal algorithm with Ubirch's algorithm.
The resulting algorithm then can be used as THE reference algorithm for all parts in the project.

So, I'm renewing my request to kindly have a look to that proposed algorithm, whether it is in line with Ubirch's.
If you don't find time to evaluate the proposed algorithm, you could also open source the algorithm you used for the vaccination DCCs here in this repository.

Thanks again very much for your support, kind regards,
v.

Endpoint of the vaccination certificate simulator

Discussed in #90

Originally posted by TH-Pega June 14, 2021
What is the endpoint of the vaccination certificate simulator on the internet (for variant 1 of Annex 12.1)?

Johnson & Johnson + Moderna booster (2 of 1) does not work.

Dear dev team,

First of all, congratulations on this project.

Secondly, I would ask you to excuse my German. I come from Spain, but I live in Berlin.

I was vaccinated with J&J last year. 2 weeks ago I got my Moderna booster.

In the CovPass app, when I look at my new certificate, it says "2/1" under "Nummer der Impfung/Dose number". I received two doses because I was vaccinated with J&J.

The problem is, when someone scans my QR code, we get a red warning. It says: "3G. Vaccinated (2/1). 08.02.2022. 16 days ago".

I hope this is a bug. I cannot be vaccinated any more, and in any case I have to lead a normal life.

I am attaching a picture.

Thanks in advance.
covpass-red-flag

Reverse process

Hello

i already have the json data . Do you have any idea how can I reverse the process and convert the json to a QR code ?

Clarify how the "Valid to" date is calculated

In your FAQs under "Wie lange ist das digitale Impfzertifikat gültig?" ("How long is the digital vaccination certificate valid?") you write:

At present, the technical validity is one year from the date of the last vaccination (+14 days).

However, there are many cases where the "Valid to" date is another one, e.g. on this certificate:

The last vaccination was on the 11.05.2021, so according to the FAQ I would expect a validity until 25.05.2022, but actually, it's valid until the 26.06.2021.

Please clarify how the "Valid to" date is calculated and adjust the FAQ entry if necessary.

RU: Error when requesting a new token

Hello,
in the RU we get the following error when requesting a new token:
Forbidden: Sorry, the credential is invalid:Invalid identity type

We have not changed anything in the relevant source code for a long time. What could be the cause?

Certificate issuing using PDF returns empty PDF

We try to use api.impfnachweis.info/api/certify/v2/issue to generate PDF certificates after receiving an access token following the TI infrastructure authentication workflow.

Using Accept=[application/pdf] we receive a valid response [status=200] including a formally valid pdf file. However, the pdf file appears to be a single blank page: TestCert.pdf

In contrast, if we use Accept=[application/cbor+base45], we receive a QR-code (HC1:6BFOXNTS0BI$ZD8UHE.HMM9Y5S4MJG2.GP1WG%MP8*I5J5:8K-%7.HLIIJS:E...).

Is there any idea, why we receive a blank PDF page, although the cbor QR code seems to be valid?

Authorization token needed for "/api/certify/v2/issue" endpoint?

According to the documentation of the API this endpoint requires a JWT authentication token.

But the CURL examples do not show the use of such a token.
When I test the API, it works fine without an access token.

  • Is this a mistake in the documentation?
  • If an access token will be required in the future, then where can I find the documentation for that?

Scanning the vaccination QR code: import from the photo library (iOS)

Hi

I have successfully imported the QR code provided by the Spanish government. However the QR code was sent as a pdf file, which I had to print and then to scan. It would be convenient, to make a screenshot of the QR code, which is saved in the photo library and then import that QR. Could that be implemented please?

regards

Uwe Brauer

Error "realm does not exist" in PU

Hello everyone, certificate issuance has unfortunately not been working for several days. Our customers reproducibly receive the error message "realm does not exists" for the following request:

https://id.impfnachweis.info/auth/realms/bmg-ti-certify/protocol/openid-connect/auth?redirect_uri=connector%3A%2F%2Fauthenticated&response_type=code&scope=openid&client_id=user-access-ti&nonce=

Is the problem known, or is the service no longer being maintained?

Many thanks
Christian Fischer

Adjust issuance portal to new EU standard for booster vaccination after 1/1 basic immunization

The EU decided the following:

"In addition, today the Commission has also adapted the rules for the encoding of vaccination certificates. This is necessary to ensure that vaccination certificates showing completion of the primary series can always be distinguished from vaccination certificates issued following a booster dose.

Boosters will be recorded as follows:

  • 3/3 for a booster dose following a primary 2-dose vaccination series.
  • 2/1 for a booster dose following a single-dose vaccination or a one dose of a 2-dose vaccine administered to a recovered person."

See https://ec.europa.eu/commission/presscorner/detail/en/ip_21_6837

The issuance portal should be adjusted to this new standard.

Is it possible to send the qrcode info from a third party app for validation?

Hello everyone,

we are building an application in which we need to validate the users' 3G certificates.
One way is to validate the qrcode.

Is it possible through your endpoints?
Is it possible in any way to do it offline? (not checking the expiration data, that can be faked).

Thanks again :)

Regards
Farhad

DSC/DSG TrustList OpenAPI File/Link

Hi,

the main Readme links to /dsc-update/dsc-update-api.yaml - but this goes to a 404, the file right now is actually named /dsc-update/dgc-update-api.yaml (dgc vs dsc).

I can't judge whether the link is wrong or the filename :)

Issue an expired recovery certificate?

Hi @thinkberg

I was advised elsewhere (corona-warn-app/cwa-app-ccl#44 (comment)) to open an issue here.

The question is: how can an expired recovery certificate be issued to me?

Background:

I:

  • recovered in March 2021
  • was vaccinated with J&J in July 2021
  • received a BioNTech booster in November 2021

The app only shows me 2G, because I had not received a recovery certificate that the app can scan. Only one from my local health office.

Now none can officially be issued any more, because the software in the pharmacies can only issue certificates dating back 180 days.

It would be good if certificates dating further back could also be issued, even if they have then expired. If only to make the Corona-Warn-App (and me) happy ;)

Scenario of 1 Vaccination after Covid recovery covered?

Does the currently released version cover the case where a person received just one vaccination after >6 months of a Covid infection for full protection under the German guidelines?

Or will this be covered in a future release?

Johnson & Johnson + first vaccination after recovery

Hi!

First of all, many thanks for the good documentation of the syntax. It helped me a lot. 👍

Recently, a single Johnson & Johnson vaccination is no longer sufficient to have full vaccination status.

Is there a way to tell from a QR code the difference between recovered plus Johnson as the first vaccination and a Johnson vaccination alone?

Best regards
Christian

Folding instruction missing on vac certs

The print-out-template for vac certs is missing the folding instruction, which exists on test and recovery certificate print outs.

Compare https://github.com/Digitaler-Impfnachweis/certification-apis/blob/master/templates/VaccinationCertificateTemplate_v4.1.svg to https://github.com/Digitaler-Impfnachweis/certification-apis/blob/master/templates/RecoveryCertificateTemplate_v4.1.svg.

I recommend to add the folding instructions to the vac cert template too.

Example EU Digital Covid Vaccination Certificate (DE)

Will you publish an example of the EU Digital Covid Vaccination Certificate (DE) / EU digitales COVID-Impfzertifikat (DE) in PDF format here?

Is the layout available in source code anywhere for inspection?

There is a suggestion in corona-warn-app/cwa-documentation#644 to move the QR code so it is less susceptible to printing issues. I couldn't see an appropriate place in the https://github.com/Digitaler-Impfnachweis organization to add this. Perhaps you could advise if you are open to suggestions?

Missing trim on text fields

It looks like fn, gn, fnt and gnt fields are not trimmed when creating the certificate.

Decoding a known valid certificate (created using the production path) results in the data:

nam: {
        fn: 'Kleinhenz',
        gn: 'Michael ',
        fnt: 'KLEINHENZ',
        gnt: 'MICHAEL'
      },

(note the extra blank on the gn value). This does not appear on the test data certificates.

Feature Request: Add possibility to check digital test certificates

Some European countries also provide digital test certificates. However if you want to verify these in the German CovPass Check App, it just states that the certificate is not proving a complete vaccination.

I understand that the scope of the CovPass Check-App is just to verify vaccination, but with assumed increasing travel in Europe and therefore in Germany, this feature imparity may result in confusion and problems for travellers. Thus I would propose that this feature will be included in the roadmap.
