Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Example doesn't verify with hc1_verify.py -- invalid signature? #88

Closed
curiousleo opened this issue Jun 12, 2021 · 3 comments
Closed

Example doesn't verify with hc1_verify.py -- invalid signature? #88

curiousleo opened this issue Jun 12, 2021 · 3 comments

Comments

@curiousleo
Copy link

Running against hc1_verify.py gives:

$ python hc1_verify.py demo-dsc.crt <01_example.txt
Traceback (most recent call last):
  File "hc1_verify.py", line 134, in <module>
    raise Exception(
Exception: KeyID is unknown (expected b'e848f3ca13651834', got b'8ede3316d4da418181f0753affc6a3a3') -- cannot verify.

Trying to side step this by ignoring the KID gives:

$ python hc1_verify.py --ignore-kid demo-dsc.crt <01_example.txt
Traceback (most recent call last):
  File "hc1_verify.py", line 149, in <module>
    raise Exception("faulty sig")
Exception: faulty sig

The data itself seems fine:

$ python hc1_verify.py --ignore-signature demo-dsc.crt <01_example.txt
Issuer              : DE
Experation time     : 1651928945
Issued At           : 1620392945
Health payload      : {"v": [{"ci": "01DE/00000/1119349007/BW1DDJEZX2B0VGVYII1QN7DDU#S", "co": "DE", "dn": 2, "dt": "2021-05-07", "is": "Bundesministerium f\u00fcr Gesundheit", "ma": "ORG-100030215", "mp": "EU/1/20/1528", "sd": 2, "tg": "840539006", "vp": "1119349007"}], "dob": "1970-01-01", "nam": {"fn": "Die\u00dfner Musterfrau", "gn": "Erika D\u00f6rte", "fnt": "DIESSNER<MUSTERFRAU", "gnt": "ERIKA<DOERTE"}, "ver": "1.0.0"}
@curiousleo
Copy link
Author

Hm, I tried to use the same script to check one of the QR codes in https://github.com/eu-digital-green-certificates/dgc-testdata against the relevant test certificate there and that failed in the same way. It is definitely possible that hc1_verify.py is outdated.

https://github.com/eu-digital-green-certificates/dgc-testdata/blob/main/tests/test_ehealth_certs.py is used in CI for dgc-testdata, so I guess that's the better implementation to test against?

@curiousleo
Copy link
Author

Mystery solved. demo-dsc.crt uses RSASSA-PSS:

$ openssl x509 -in demo-dsc.crt -text
Certificate:
[...]
    Signature Algorithm: rsassaPss
         Hash Algorithm: sha512
         Mask Algorithm: mgf1 with sha512
[...]

But hc1_verify.py assumes ECDSA.

test_ehealth_certs.py can deal with either.

@curiousleo curiousleo mentioned this issue Jun 12, 2021
Open
@curiousleo
Copy link
Author

Sorry about the spam. Closing in favour of ehn-dcc-development/ehn-sign-verify-python-trivial#5.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@curiousleo @oliver-steinbrecher