COVID certificate and other large NDEFs

I presented my COVID certificate to an event organizer for the first time today. Unfortunately, my main concern was confirmed: the NDEF containing an image of the certificate QR code is a stupid solution.

What happens is, when the person scans your implant with their phone, they get the smart poster containing the image of course. But then they can’t do anything with it: there’s no standardized mechanism to handle QR codes from any source. Unlike apps built to handle mimetyped data, apps that deal with QR codes always implement their own custom scanning and decoding code that always grabs images directly from the camera.

So the net result is, you have to scan the NDEF on your own phone, then present your phone to the person’s own phone. In other words, you may as well keep the QR code on your phone in the first place, or on a piece of paper. No implant needed.

In my case though, there was a silver lining: the event dude scanned my implant then scratched his head because he didn’t know what to make of it. But he assumed it looked so “medical” and official that it had to be legit. He literally told me “I didn’t know doctors offered COVID certificate as implants now! My app must be too old to verify it, but it’s okay, you can go through”. I sure didn’t elaborate on where the implant and its content really came from :slight_smile:

So my certificate did its job, just not the way I intended.

3 Likes

What is the byte data contained within the QR code?

Long story short: it’s a base45-encoded zipped encrypted JSON, the public keys of which are published by the EU and used to validate the data without any need to go online. Really clever and secure actually. I like it.

But no app will take the base45 data. They all want to get it from a QR code image, usually grabbed from a camera.

Unless there was a DT app that could read it off of an NDEF. Hint hint :slight_smile:

1 Like

You will be happy to know that I have fixed the NFC code in the EU COVID certificate verifier reference implementation app. It now successfully scans COVID certificates off of NDEF records.

Sooo… I will be submitting a patch to the developers, and since all national COVID apps in all European countries are derivatives of that reference app, all we EU residents will soon have officially the option of presenting our implants for scanning anywhere in Europe.

I’m mighty proud of that one :slight_smile:

19 Likes

What the fuck? Really? This is epic!
Like legit the best use case after payments right now!

I imagine this will spark some great discussions…

You should be!

1 Like

Yeah, you can try it if you want:

dgca_verifier_app-1.2.4-acc_NFC_FIX.apk (10.0 MB)

The certification keys might not work (i.e. it might tell you your certificate is not valid even though it is) but it scans NFC tags alright.

What you need is to stick the QR code string VERBATIM (including spaces and all) on a plain text record in an NDEF. The string starts with “HC1…” usually.

3 Likes

That’s so cool!!

I thought that some of you were doing that to troll people. But I’m in a part of the world where no one is asking for vaccination certificates or test results…

1 Like

Troll people? How so?

If they don’t require at least some form of proof of immunity in your neck of the woods, you must live on the pampa, or in the Atacama, or somewhere really remote. Either that or your elected officials should be shot through the head for utter recklessness.

Even US states issue certificates, even if it’s not well standardized and organized like in Europe. And God knows if there’s one country on Earth that handles the pandemic like a quadriplegic on a trampoline, it’s Uncle Sam. I can’t imagine your own country can do any worse.

1 Like

I’ve never been asked for proof. I don’t get around too much, but seems like you get mostly through without being checked in Berlin :confused:

As in “scan my hand, they are giving away chips with the vaccines” or something along those lines. Needless to say that doing this is an asshole move that can cause harm…

I don’t want to go down the political rabbit hole of how strict covid measures must be, etc… I just said that no one is asking for certificates where I live but we do have them.

2 Likes

Local circumstances differ of course. But at least here in Finland, there are talks of compulsory COVID certificate checking for any public venues like bars and nightclubs and such, as the country is slowly sliding into the red zone. Hence my trying to get this show on the road: I didn’t bother to get implants to have to present loose pieces of paper to have a drink.

In any case, if you fly, you’ll need a certificate to be allowed onboard an airplane without major hassle.

2 Likes

Great work, the NFC communication appears to work.

However, the actual validation of the certificate fails both via QR and NFC - although it is able to read my name. Somehow validation works in other apps (e.g. CovPass (the German one) or VerificaC19 (the Italian one)). I assume that’s because the dgca app is only a reference code without any production access? The README states:

The apps are reference implementations that cannot be used in production environments as-is, but rather need to be configured by EU member states to access their national backends. The released APK files are configured to work with the test environments and will not report correct results on “live” DCCs.

Will the NFC support eventually propagate into the local variants of the verifier apps?


I hope the EU Covid certificate becomes the worldwide standard.

One app to rule them all :crossed_fingers:

Yeah it doesn’t have the correct keys. I don’t care about whether it’s able to verify the certificate. I just wanted a test build to debug the NFC bit. It’s not functional - but it does decode your certificate and show your name :slight_smile:

To be fair, the NFC code has always been there. It’s just that everybody sort of decided on doing QR codes instead and disabled the NFC functionality. So it was never tested or developed or anything. All I did was pull the repo, see that the entire NFC functionality was there, corrected what needed correcting and Bob’s your uncle.

More importantly, I’m hoping I contacted the right people to get this officially enabled in the Finnish app. The hope being, if one country enables NFC, other EU countries follow suit. And if they don’t, then it’ll be up to local implantees to pester their local health departments. But that’s for later, when the NFC functionality is officially fixed in the reference implementation.

2 Likes

The certificate I was given matches the descriptions I have heard from others.

It’s a CDC certificate that doesn’t fit into a standard credit card space and is made of light card. I have never been asked for proof, and there is no QR code, bar code, chip,… It’s about as low tech as you can get.

2 Likes

Doesn’t seem to work. :thinking:

Tried to test it but phone only vibrated to notify it scanned something but nothing happens after that.

Silly question, but you did set it to NFC scan right?

If it doesn’t react, probably you copy-pasted the content of the QR code wrong onto the tag. What can happen is that you copied the content from a window or popup with broken lines, and whatever you pasted it into reassembled the line zapping spaces or adding spaces where the line breaks were. Base45 is really annoying that way because the space character actually encodes something, unlike base64.

I would suggest you convert your certificate’s QR code image using a desktop application, like qtqr on Linux, to extract the string verbatim, and then even better, use a text-based certificate decoder like vacdec to confirm that the string you have has the correct number of spaces and the correct length.

It took me a few tries to extract mine without extra spaces.

Hmm, maybe it would be simpler if I pasted a sample string in here. Hang on a minute…

1 Like
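The copy-paste problem described in the post above, as an added example that is not part of the original thread or of the verifier app's code: a pre-flight check to run on the string before writing it to the tag. It assumes the Base45 alphabet of RFC 9285 and the "HC1:" prefix followed by Base45 text wrapping a zlib stream; the function names are illustrative and the sample payload is constructed, not a real certificate.

```python
import zlib

# Base45 alphabet from RFC 9285; index 36 is the space character.
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"

def b45encode(data: bytes) -> str:
    out = []
    for i in range(0, len(data), 2):
        chunk = data[i:i + 2]
        n = int.from_bytes(chunk, "big")
        for _ in range(len(chunk) + 1):      # 2 bytes -> 3 chars, 1 byte -> 2 chars
            n, r = divmod(n, 45)
            out.append(ALPHABET[r])
    return "".join(out)

def b45decode(text: str) -> bytes:
    bad = sorted({c for c in text if c not in ALPHABET})
    if bad:                                  # e.g. a newline left by a wrapped line
        raise ValueError(f"characters outside the Base45 alphabet: {bad!r}")
    if len(text) % 3 == 1:
        raise ValueError("length is 1 mod 3: a character was added or lost")
    out = bytearray()
    for i in range(0, len(text), 3):
        group = text[i:i + 3]
        n = sum(ALPHABET.index(c) * 45 ** k for k, c in enumerate(group))
        size = len(group) - 1                # bytes this group must fit into
        if n >= 256 ** size:
            raise ValueError(f"group {group!r} at offset {i} overflows {size} byte(s)")
        out += n.to_bytes(size, "big")
    return bytes(out)

def check_hc1(text: str) -> str:
    """Return 'ok' or the reason the string would not survive decoding."""
    if not text.startswith("HC1:"):
        return "missing HC1: prefix"
    try:
        zlib.decompress(b45decode(text[4:]))  # zlib checksum catches shifted data
    except ValueError as e:
        return f"base45: {e}"
    except zlib.error as e:
        return f"zlib: {e}"
    return "ok"

# Constructed sample: stands in for the signed payload, NOT a real certificate.
SAMPLE = "HC1:" + b45encode(zlib.compress(b"constructed stand-in payload " * 4))
```

A string that passes this check is only structurally intact; whether the certificate itself verifies is still up to the verifier app and its keys.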

I’ll try qtqr and vacdec. I copied that from a Google Lens scan and pasted it straight to the record.