ehn-sign-verify-javascript-trivial's Introduction

Trivial/rudimentary eHN-simplified implementation

Brought in line with 1.00 of https://github.com/ehn-digital-green-development/hcert-spec/blob/main/hcert_spec.md

For round-trip testing of cose_sign.js and cose_verify.js, take some JSON, e.g. { "Foo" : "Bar" }, package it as CBOR, COSE sign it, compress it and Base45 encode it for use in a QR code:

  1. COSE sign
    1. compact the JSON into CBOR
    2. sign and package as a COSE message
    3. ZLIB compress
    4. Base45 encode
  2. COSE verify
    1. Base45 decode
    2. ZLIB decompress
    3. check the signature on the COSE message
    4. unpack the CBOR into JSON

Test Steps

  1. Generate the CSCA and DSC with ./gen-csca-dsc.sh
  2. Ensure the dependencies are installed: npm install
  3. Run the command: echo "{'A': 1234}" | npm run sign | npm run verify
  4. You should see the output: {"A": 1234}

Or the larger example:

    echo '{ "Foo":1, "Bar":{ "Field1": "a value",   "integer":1212112121 }}' |  npm --silent run sign > barcode
    cat barcode | npm run verify

Which should output:

{
    "Foo": 1, 
    "Bar": {
        "Field1": "a value", 
        "integer": 1212112121
   }
}
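
The Base45 step of the pipeline above, as an added example (not the project's code, which uses the base45-js package): a strict RFC 9285 encoder and decoder. The alphabet has 45 characters and no lowercase letters, so any other text reaching the decoder, such as npm's banner lines when `--silent` is left out, is rejected; `lastLine`, `tryDecode` and the sample stdout are constructed for illustration.

```javascript
// Added example: strict Base45 (RFC 9285) codec with input validation.
const B45 = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:';

function base45Encode(bytes) {
  let out = '';
  for (let i = 0; i < bytes.length; i += 2) {
    if (i + 1 < bytes.length) {               // two bytes -> three characters
      const n = bytes[i] * 256 + bytes[i + 1];
      out += B45[n % 45] + B45[Math.floor(n / 45) % 45] + B45[Math.floor(n / 2025)];
    } else {                                  // trailing byte -> two characters
      out += B45[bytes[i] % 45] + B45[Math.floor(bytes[i] / 45)];
    }
  }
  return out;
}

function base45Decode(text) {
  if (text.length % 3 === 1) throw new Error('Base45 decode: invalid length');
  const out = [];
  for (let i = 0; i < text.length; i += 3) {
    const chunk = text.slice(i, i + 3);
    let n = 0;
    for (let j = chunk.length - 1; j >= 0; j--) {   // least significant digit comes first
      const d = B45.indexOf(chunk[j]);
      if (d < 0) throw new Error(`Base45 decode: unknown character at offset ${i + j}`);
      n = n * 45 + d;
    }
    if (n > (chunk.length === 3 ? 0xffff : 0xff)) throw new Error('Base45 decode: value out of range');
    if (chunk.length === 3) out.push(n >> 8, n & 0xff); else out.push(n);
  }
  return Buffer.from(out);
}

// Keep only the last non-empty line of a tool's stdout (what `tail -1` does in a pipe).
function lastLine(stdout) {
  const lines = stdout.split(/\r?\n/).filter((l) => l.length > 0);
  return lines.length ? lines[lines.length - 1] : '';
}

// Constructed stdout: npm-style banner lines followed by the Base45 text for "ietf!".
const noisy = '\n> example@0.0.0 sign /tmp/example\n> node cose_sign.js\n\nQED8WEX0\n';
function tryDecode(text) {
  try { return base45Decode(text).toString('utf8'); } catch (e) { return e.message; }
}
console.log(tryDecode(noisy));            // rejected: banner characters are not Base45
console.log(tryDecode(lastLine(noisy)));  // decodes the payload line
```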

ehn-sign-verify-javascript-trivial's People

Contributors

dirkx, dslmeinte

ehn-sign-verify-javascript-trivial's Issues

Issue with npm run verify

Hi,

I followed the steps described in your README and could install the project successfully on Linux:

$ npm install

> [email protected] preinstall /home/lallement/Projects/ehn-sign-verify-javascript-trivial/node_modules/cbor
> node .checkVersion

> [email protected] preinstall /home/lallement/Projects/ehn-sign-verify-javascript-trivial/node_modules/aes-ccm
> true

> [email protected] install /home/lallement/Projects/ehn-sign-verify-javascript-trivial/node_modules/aes-ccm
> node-pre-gyp install --fallback-to-build

node-pre-gyp WARN Using request for node-pre-gyp https download 
[aes-ccm] Success: "/home/lallement/Projects/ehn-sign-verify-javascript-trivial/node_modules/aes-ccm/build/Release/aes_ccm.node" is installed via remote
npm WARN [email protected] No repository field.
npm WARN [email protected] license should be a valid SPDX license expression

added 160 packages from 76 contributors and audited 160 packages in 3.561s

29 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

I generated the CSCA and DSC with ./gen-csca-dsc.sh:

$ ./gen-csca-dsc.sh
Signature ok
subject=CN = DSC number 1 of Friesland, C = FR
Getting CA Private Key
Signature ok
subject=CN = DSC number 2 of Friesland, C = FR
Getting CA Private Key
Signature ok
subject=CN = DSC number 3 of Friesland, C = FR
Getting CA Private Key
Signature ok
subject=CN = DSC number 4 of Friesland, C = FR
Getting CA Private Key
Signature ok
subject=CN = DSC number worker of Friesland, C = FR
Getting CA Private Key

But when I run the command echo "{'A': 1234}" | npm run sign | npm run verify I got the following issue:

$ echo '{"A": 1234}' | npm run sign | npm run verify

> [email protected] verify /home/lallement/Projects/ehn-sign-verify-javascript-trivial
> node cose_verify.js

/home/lallement/Projects/ehn-sign-verify-javascript-trivial/node_modules/base45-js/lib/base45-js.js:46
              throw new Error('Base45 decode: unknown character');
              ^

Please note that npm run sign gives the following result:

$ echo '{"A": 1234}' | npm run sign

> [email protected] sign /home/lallement/Projects/ehn-sign-verify-javascript-trivial
> node cose_sign.js

6BFV70U30FFWTWGSLKC 4BA9R-29B7.3KC-7 -8CDCE73SQQC58YZF*+MKK7HZU0:7Y1J:4OZ MCZSC8W8DPLVHOEL*3HM/LG:HN7DJMO+3NT2I24P2GW8FPR$7JE6KL2L/60F1UCG87D%+F+%ENX845

Does not work for some keys: Error: red works only with positives

This code does not seem to work with some official keys. I.e. this key issued by the German authorities:

{
          kty: 'EC',
          'x5t#S256': 'XkVWZqUeeFc0suP6qTJGG-C723_K_z2geLisE5wmluI',
          use: 'sig',
          crv: 'P-256',
          kid: 'XkVWZqUeeFc=',
          x5c: [
            'MIIHUTCCBQmgAwIBAgIQUIKkn9dGJ+Fvw2iuEU4tejA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCA6EaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgOiAwIBQDBbMQswCQYDVQQGEwJERTEVMBMGA1UEChMMRC1UcnVzdCBHbWJIMRwwGgYDVQQDExNELVRSVVNUIENBIDItMiAyMDE5MRcwFQYDVQRhEw5OVFJERS1IUkI3NDM0NjAeFw0yMTA2MTExNDUwMjFaFw0yMzA2MTUxNDUwMjFaMIHrMQswCQYDVQQGEwJERTEdMBsGA1UEChMUUm9iZXJ0IEtvY2gtSW5zdGl0dXQxJDAiBgNVBAsTG0VsZWt0cm9uaXNjaGVyIEltcGZuYWNod2VpczEdMBsGA1UEAxMUUm9iZXJ0IEtvY2gtSW5zdGl0dXQxDzANBgNVBAcTBkJlcmxpbjEOMAwGA1UEEQwFMTMzNTMxFDASBgNVBAkTC05vcmR1ZmVyIDIwMRkwFwYDVQRhExBEVDpERS0zMDIzNTMxNDQ1MRUwEwYDVQQFEwxDU00wMjY0NjAwMjYxDzANBgNVBAgTBkJlcmxpbjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABIfd+CIjArF6fe+6Q3hu1otdUvrhhqHpup0jW7QiC3Ek+PvxahpSzgSbyGT0od4Ux8dle1fty86oukdnWoTp6P6jggLpMIIC5TAfBgNVHSMEGDAWgBRxEDKudHF7VI7x1qtiVK78PsC7FjAtBggrBgEFBQcBAwQhMB8wCAYGBACORgEBMBMGBgQAjkYBBjAJBgcEAI5GAQYCMIH+BggrBgEFBQcBAQSB8TCB7jA3BggrBgEFBQcwAYYraHR0cDovL2QtdHJ1c3QtY2EtMi0yLTIwMTkub2NzcC5kLXRydXN0Lm5ldDBCBggrBgEFBQcwAoY2aHR0cDovL3d3dy5kLXRydXN0Lm5ldC9jZ2ktYmluL0QtVFJVU1RfQ0FfMi0yXzIwMTkuY3J0MG8GCCsGAQUFBzAChmNsZGFwOi8vZGlyZWN0b3J5LmQtdHJ1c3QubmV0L0NOPUQtVFJVU1QlMjBDQSUyMDItMiUyMDIwMTksTz1ELVRydXN0JTIwR21iSCxDPURFP2NBQ2VydGlmaWNhdGU/YmFzZT8wcAYDVR0gBGkwZzAJBgcEAIvsQAEBMFoGCysGAQQBpTQCgRYFMEswSQYIKwYBBQUHAgEWPWh0dHA6Ly93d3cuZC10cnVzdC5uZXQvaW50ZXJuZXQvZmlsZXMvRC1UUlVTVF9DU01fUEtJX0NQUy5wZGYwgfAGA1UdHwSB6DCB5TCB4qCB36CB3IZpbGRhcDovL2RpcmVjdG9yeS5kLXRydXN0Lm5ldC9DTj1ELVRSVVNUJTIwQ0ElMjAyLTIlMjAyMDE5LE89RC1UcnVzdCUyMEdtYkgsQz1ERT9jZXJ0aWZpY2F0ZXJldm9jYXRpb25saXN0hjJodHRwOi8vY3JsLmQtdHJ1c3QubmV0L2NybC9kLXRydXN0X2NhXzItMl8yMDE5LmNybIY7aHR0cDovL2Nkbi5kLXRydXN0LWNsb3VkY3JsLm5ldC9jcmwvZC10cnVzdF9jYV8yLTJfMjAxOS5jcmwwHQYDVR0OBBYEFPdFwMQGQturw7wXqRcebaB+nz6vMA4GA1UdDwEB/wQEAwIGwDA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCA6EaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgOiAwIBQAOCAgEA0XRsfatBY5BT/HfWbUQvQXtisS0xp2qxVXZkgejDV2r90KsxGAAM9MZIw3eebywbg7ygwhdKwu4ZYGdFpr/cYH+j5pRPCjYoJOsjCEDA7GDtdWenQruM0JcKI4KGgtm01LZGT1L3rBHKh0Dg9fOrAS3L05ZR+cQ1oDKrMUu
Gm57CDTgcPXmxawmxadjLKOagfPpOkMmZabNMDd3+06gIQ7KfH3BWwZHYbqkg5dHHyb6cvdwQarfLjPKlcWrACWX6KyvYYv8Aj3fxu9w1RYCA1HqOGfIWl0in1LoCJhYLNb4GcS3feqhvnUAKL0BZN+5oSgMbQfi4hqGcwhBKNH4UVfnL47f7dsJxr3ob9U+VLkCUJ7yC6FPjY0pefGgsgQl+9rabBjNaSLwjxoOmEx7PbnjU5xmxipYa7LK+gLuLfZysu+VAFUXAxSFljz5cKWn80sqgSchzOlJRobCI/xTrziQc74pRGV+eWBXpybRu6bvZ8Y96EHpbdyWsG9sDPCeJgiq5XdWfR3JUprVsQzaEBDzBGq1Y0fWxOOoi+gQIQXPvx9sBjc9fdOvnFEODI1NXotab2LlKztNTQU3eEBhbsHjg30a1pIVwiL/nmxsMLxxiNJAZ/9t0D71llbrSBS665BTkmObNnr1xHoS94wg4L9UfinLFsSkHpTer+cQhrA4='
          ],
          x: 'h934IiMCsXp977pDeG7Wi11S-uGGoem6nSNbtCILcSQ',
          y: '-PvxahpSzgSbyGT0od4Ux8dle1fty86oukdnWoTp6P4'
        }

Will lead to the error

Error: red works only with positives
    at assert (//bn.js/lib/bn.js:6:21)
    at BN.toRed (//bn.js/lib/bn.js:2849:5)
    at new Point (//elliptic/lib/elliptic/curve/short.js:268:23)
    at ShortCurve.point (//elliptic/lib/elliptic/curve/short.js:275:10)
    at KeyPair._importPublic (//elliptic/lib/elliptic/ec/key.js:95:30)
    at new KeyPair (//elliptic/lib/elliptic/ec/key.js:16:10)
    at Function.fromPublic (//elliptic/lib/elliptic/ec/key.js:24:10)
    at EC.keyFromPublic (//elliptic/lib/elliptic/ec/index.js:52:18)

This will happen with about every 5th of the covid certificate keys.

Example with RSA

Hi, will it be possible to attach an example of signature and verification with an 'RSA' certificate? 🙏

Error: Unknown tag, 18

Hello,

Thanks for the explainer.

I have created an Observable notebook to spark conversations with people unaware of QR code contents/unable to compare them with their national QR code.

const [, unpreffixed_data] = ehc_data.split('HC1:')
const decoded_data = base45.decode(unpreffixed_data)
const uncompressed_data = zlib.inflate(decoded_data)
const decrypted_data = cose.encrypt.read(uncompressed_data)

Although, the const decrypted_data line triggers an Unknown tag, 18 error.

When I inspect the uncompressed_data, I observe some data structure, but I fail to read them with the cose JavaScript library (which I'm a total noob with):

Buffer.from(uncompressed_data, 'hex').toString()
// --> M�\u0004H�\u00197_�網\u0001&�Y\u00013�\u0004\u001a`�Ee\u0006\u001a`Тe\u0001bAT9\u0001\u0003�\u0001�av��bdn\u0001bmamORG-100030215bvpj1119349007bdtj2021-02-18bcobATbcix1URN:UVCI:01:AT:10807843F94AEE0EE5093FBC254BD813#BbmplEU/1/20/1528bisx\u001bMinistry of Health, Austriabsd\u0002btgi840539006cnam�cfntuMUSTERFRAU<GOESSINGERbfnuMusterfrau-GößingercgnthGABRIELEbgnhGabrielecvere1.2.1cdobj1998-02-26X@��\u0001}_���ئFc\
// to be continued (…)

Do you have any pointers?
Let me know if you feel this question should rather be in a different location, or repository.

Thank you in advance for your help, and for the materials you have published online.
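
An added example, not part of the original post or of the cose library: CBOR tag 18 is COSE_Sign1 in RFC 8152, so the decompressed data is a signed message rather than an encrypted one, which is why an encryption reader reports tag 18 as unknown. The code below is a minimal CBOR reader that names the COSE message type and lists the parts of a COSE_Sign1 structure; the sample bytes and the names `readCbor` and `inspectCose` are constructed here.

```javascript
// Added example: minimal definite-length CBOR reader (no 8-byte arguments, no floats).
const COSE_TAGS = { 16: 'COSE_Encrypt0', 17: 'COSE_Mac0', 18: 'COSE_Sign1',
                    96: 'COSE_Encrypt', 97: 'COSE_Mac', 98: 'COSE_Sign' };

// Returns [value, nextOffset]; throws on truncated or unsupported input.
function readCbor(buf, pos = 0) {
  if (pos >= buf.length) throw new Error('truncated CBOR');
  const major = buf[pos] >> 5, info = buf[pos] & 0x1f;
  pos += 1;
  let arg = info;
  if (info >= 24 && info <= 26) {                 // 1-, 2- or 4-byte argument
    const n = 1 << (info - 24);
    if (pos + n > buf.length) throw new Error('truncated CBOR');
    arg = 0;
    for (let i = 0; i < n; i++) arg = arg * 256 + buf[pos++];
  } else if (info > 26) throw new Error('unsupported CBOR encoding');
  const item = () => { const [v, p] = readCbor(buf, pos); pos = p; return v; };
  switch (major) {
    case 0: return [arg, pos];                    // unsigned integer
    case 1: return [-1 - arg, pos];               // negative integer
    case 2: case 3: {                             // byte string / text string
      if (pos + arg > buf.length) throw new Error('truncated CBOR');
      const bytes = buf.subarray(pos, pos + arg);
      return [major === 2 ? bytes : bytes.toString('utf8'), pos + arg];
    }
    case 4: { const a = []; for (let i = 0; i < arg; i++) a.push(item()); return [a, pos]; }
    case 5: { const m = new Map(); for (let i = 0; i < arg; i++) { const k = item(); m.set(k, item()); } return [m, pos]; }
    case 6: { const value = item(); return [{ tag: arg, value }, pos]; }
    default: throw new Error('unsupported CBOR major type 7');
  }
}

// Inspect (not verify) a COSE message: its type and, for COSE_Sign1, what it carries.
function inspectCose(buf) {
  const [msg] = readCbor(buf);
  const type = COSE_TAGS[msg.tag] || 'not a tagged COSE message';
  if (msg.tag !== 18) return { type };
  const [protectedBytes, unprotectedHdr, payload, signature] = msg.value;
  const protectedHdr = readCbor(protectedBytes)[0];
  const kid = protectedHdr.get(4) || unprotectedHdr.get(4);
  return { type, alg: protectedHdr.get(1), kid: kid ? kid.toString('hex') : null,
           claims: readCbor(payload)[0], signatureLength: signature.length };
}

// Constructed sample: tag 18, alg -7 (ES256), dummy kid, payload {1: "AT"}, zeroed signature.
const sample = Buffer.from('d284' + '43a10126' + 'a1044401020304' + '45a101624154' +
                           '5840' + '00'.repeat(64), 'hex');
console.log(inspectCose(sample));
```

Reading the payload this way does not check the signature; the contents are trustworthy only after the COSE signature has been verified against the issuer's key.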

gen-csca-dsc.sh hangs

I wanted to try out this implementation but I can't generate the certificates. When I run ./gen-csca-dsc.sh it just hangs. I tried to leave it for an hour to see if it is just really slow but nothing happened. The csca.key gets created but then the second openssl command seems to hang.

I've also tried running the command on its own with the same result.

I'm running Mac OS 11.4 with openssl LibreSSL 2.8.3

I don't have much experience with openssl so any help figuring out the problem would be appreciated.

Unable to inflate: incorrect data check

Hello,

Sometimes we encounter an issue when inflating the compressed stream:

for example running: npm run sign | tail -1 | npm run verify

With the following JSON gives this error:

node_modules\pako\lib\inflate.js:384
  if (inflator.err) throw inflator.msg || msg[inflator.err];

invalid distance too far back
{
    "sub": {
        "gn": "Gabriele",
        "fn": "Musterfrau",
        "id": [
            {
                "t": "PPN",
                "i": "12345ABC-321"
            }
        ],
        "dob": "1998-02-26",
        "gen": "female"
    },
    "vac": [
        {
            "dis": "840539006",
            "vap": "1119305005",
            "mep": "EU\/1\/20\/1528",
            "aut": "ORG-100030215",
            "seq": 1,
            "tot": 2,
            "dat": "2021-02-18",
            "cou": "AT",
            "lot": "C22-862FF-001",
            "adm": "Vaccination centre Vienna 23"
        },
        {
            "dis": "840539006",
            "vap": "1119305005",
            "mep": "EU\/1\/20\/1528",
            "aut": "ORG-100030215",
            "seq": 2,
            "tot": 2,
            "dat": "2021-03-12",
            "cou": "AT",
            "lot": "C22-H62FF-010",
            "adm": "Vaccination centre Vienna 23"
        }
    ],
    "cert": {
        "is": "Ministry of Health, Austria",
        "id": "01AT42196560275230427402470256520250042",
        "vf": "2021-04-04",
        "vu": "2021-10-04",
        "co": "AT",
        "vr": "v1.0"
    }
}

@fidm/asn1 OID parser is flawed

@fidm/asn1 OID parser is naive and has a common implementation bug. It supports second arc decoding up to 39, although only 0.x and 1.x arcs are limited to 39 while the 2.x is unlimited.

The specification, i.e., ITU-T X.690 (08/2015) 8.1.94, has an explicit note on this:

This packing of the first two object identifier components recognizes that only three values are allocated from the root node, and at most 39 subsequent values from nodes reached by X = 0 and X = 1.

OIDs are the essential building block of an X509 certificate, and using a flawed parser may lead to unforeseen consequences and bugs.

Test case

Encoded OID: 0603883703
Expected decoded value: 2.999.3
Actual decoded value: 3.16.55.3; NB: the first arc of 3 is invalid

const { ASN1 } = require("@fidm/asn1");
const buf = Buffer.from('0603883703', 'hex');
console.log(ASN1.fromDER(buf).value);

See more:

https://misc.daniel-marschall.de/asn.1/oid_facts.html
https://misc.daniel-marschall.de/asn.1/oid-converter/online.php
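
The decoding rule described in this issue, as an added example (not code from @fidm/asn1 or from this repository): `decodeOidNaive` reproduces the common bug of splitting the first octet, while `decodeOid` decodes the whole first subidentifier before splitting it. All function names are chosen for this example, and long-form DER lengths are out of scope.

```javascript
// Added example: DER OBJECT IDENTIFIER decoding (ITU-T X.690), common bug beside the fix.
function oidContent(der) {
  if (der[0] !== 0x06) throw new Error('not an OBJECT IDENTIFIER');
  if (der[1] & 0x80) throw new Error('long-form length not handled in this example');
  if (der[1] === 0 || der.length !== 2 + der[1]) throw new Error('bad length');
  return der.subarray(2);
}

// Subidentifiers are base-128, big-endian; the high bit marks "more octets follow".
function readSubidentifiers(content) {
  const out = [];
  let value = 0n, more = false;
  for (const octet of content) {
    if (!more && octet === 0x80) throw new Error('non-minimal subidentifier');
    value = (value << 7n) | BigInt(octet & 0x7f);
    more = (octet & 0x80) !== 0;
    if (!more) { out.push(value); value = 0n; }
  }
  if (more) throw new Error('truncated subidentifier');
  return out;
}

// The bug: splits the first OCTET as 40*X+Y, so a multi-octet first subidentifier breaks.
function decodeOidNaive(der) {
  const c = oidContent(der);
  return [Math.floor(c[0] / 40), c[0] % 40, ...readSubidentifiers(c.subarray(1))].join('.');
}

// The fix: decode the whole first SUBIDENTIFIER, then split it; only arcs 0 and 1 cap Y at 39.
function decodeOid(der) {
  const [first, ...rest] = readSubidentifiers(oidContent(der));
  const x = first < 40n ? 0n : first < 80n ? 1n : 2n;
  return [x, first - 40n * x, ...rest].join('.');
}

// Inputs: the issue's test case, then two common X.509 OIDs where both decoders agree.
for (const hex of ['0603883703', '0603550403', '06092a864886f70d01010b']) {
  const der = Buffer.from(hex, 'hex');
  console.log(hex, 'naive:', decodeOidNaive(der), 'correct:', decodeOid(der));
}
```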

Publish to npm

Hello !
I have a health certificate checking website (https://sanipasse.fr) for which I would like to add support for digital green certificates. In order to do so, I would like to use the code from this repo.
Would it be possible to publish this code as a library on NPM ? If you don't want to have to maintain it yourself, then would you mind if I published it myself ?
I know this is work in progress, but I think it would really help to publish a first "alpha" version early.

CC @AlexConnat
