COVID certificate and other large NDEFs

Great work, the NFC communication appears to work.

However, the actual validation of the certificate fails both via QR and NFC - although it is able to read my name. Somehow validation works in other apps (e.g. CovPass (the German one) or VerificiaC19 (the Italian one). I assume thats because the gdca app is only a reference code without any production access? The README states:

The apps are reference implementations that cannot be used in production environments as-is, but rather need to be configured by EU member states to access their national backends. The released APK files are configured to work with the test environments and will not report correct results on “live” DCCs.

Will the NFC support eventually propagate into the local variants of the verifier apps?

images (2)

I hope the EU Covid certificate becomes
the worldwide standard.

One app to rule them all :crossed_fingers:

Yeah it doesn’t have the correct keys. I don’t care about whether it’s able to verify the certificate. I just wanted a test build to debug the NFC bit. It’s not functional - but it does decode your certificate and show your name :slight_smile:

To be fair, the NFC code has always been there. It’s just that everybody sort of decided on doing QR codes instead and disabled the NFC functionality. So it was never tested or developed or anything. All I did was pull the repo, see that the entire NFC functionality was there, corrected what needed correcting and Bob’s your uncle.

More importantly, I’m hoping I contacted the right people to get this officially enabled in the Finnish app. The hope being, if one country enables NFC, other EU countries follow suit. And if they don’t, then it’ll be up to local implantees to pester their local health departments. But that’s for later, when the NFC functionality is officially fixed in the reference implementation.

2 Likes

The certificate I was given matches the descriptions I have heard from others.

It’s a CDC certificate that doesn’t fit into a standard credit card space and is made of light card. I have never been asked for proof, and there is no QR code, bar code, chip,… It’s about as low tech as you can get.

2 Likes

Doesn’t seem to work. :thinking:

Tried to test it but phone only vibrated to notify it scanned something but nothing happens after that.

Silly question, but you did set it to NFC scan right?

If it doesn’t react, probably you copy-pasted the content of the QR code wrong onto the tag. What can happen is that you copied the content from a window or popup with broken lines, and whatever you pasted it into reassembled the line zapping spaces or adding spaces where the line breaks were. Base45 is really annoying that way because the space character actually encodes something, unlike base64.

I would suggest you convert your certificate’s QR code image using a desktop application, lile qtqr on Linux, to extract the string verbatim, and then even better, use a text-based certificate decoder like vacdec to confirm that the string you have has the correct number of spaces and the correct length.

It took me a few tries to extract mine without extra spaces.

Hmm, maybe it would be simpler if I pasted a sample string in here. Hang on a minute…

1 Like

I’ll try qtqr and vacdec I copied that from Google lens scan and pasted it straight to the record.

Here, I put the string for a valid test certificate in a file so you have the exact content:

test_certificate_data.txt (584 Bytes)

This is what vacdec spews out if you do vacdec --raw-string "$(cat test_certificate_data.txt)":

2021-11-04 22:52:24,635 [INFO ]  COVID certificate signed with X.509 certificate.
2021-11-04 22:52:24,635 [INFO ]  X.509 in DER form has SHA-256 beginning with: c4a397729ccc55bd
2021-11-04 22:52:24,636 [INFO ]  Skip verify as no key found from database
2021-11-04 22:52:24,636 [INFO ]  Certificate as JSON: {
  "1": "FI",
  "4": 1655240399,
  "6": 1623675280,
  "-260": {
    "1": {
      "v": [
        {
          "ci": "URN:UVCI:01:FI:41EPCEEXEDR3TZV5RW9XQIR15#2",
          "co": "FI",
          "dn": 2,
          "dt": "2021-03-05",
          "is": "The Social Insurance Institution of Finland",
          "ma": "ORG-100030215",
          "mp": "EU/1/20/1528",
          "sd": 2,
          "tg": "840539006",
          "vp": "J07BX03"
        }
      ],
      "dob": "1995-05-20",
      "nam": {
        "fn": "Testaaja",
        "gn": "Matti Kari",
        "fnt": "TESTAAJA",
        "gnt": "MATTI<KARI"
      },
      "ver": "1.0.0"
    }
  }
}

Got it now working. Yeah you were right about the formating. Got it extracted with pyzbar manually because qtqr didn’t want to use it correctly at first. Now I got to the point that I can scan it as right as I can with the reference software. :smiley:

Well how appropriate: I just came back from the fridge with a brewsky in my hand. So hurray and I’ll drink to that :slight_smile:

3 Likes

I shall do that too. Now I just need a implant just for that so I can rick roll people and use the certificate at the same time :laughing:

1 Like

Speaking of that - and more seriously - unfortunately the reference implementation only supports NDEFs with a single message containing a single plain text record. Anything other than that and it won’t decode the certificate.

So at the moment, you do need a dedicated implant for your COVID certificate.

However, it doesn’t have to be that way. I could in fact have contributed a larger patch with support for multi-record NDEFs. But here’s what I thought: the most important is to make as little change as possible to the existing code, and get that approved and rolled out on the basis that the changes are not dangerous or scary to the policymakers, and don’t require massive amounts of testing (therefore resources) to be validated.

So that’s what I did. Phase one is to submit a very small bugfix (what I did today) and convince the right people to bring the feature to the reference app, then to the national apps. Once that’s done, there will be time enough to suggest a cleverer NFC decoder that can extract COVID certificate data from tags that contain other things.

Hopefully my careful plan will pan out.

The ideal situation of course would be a COVID applet in the Apex, and the Apex handling the person’s identification (which is the other part of the COVID certificate checking that isn’t handled by any implant at the moment). But the Apex is… not here yet, and its integration into the Finnish ID system nowhere in sight. But that would be ideal :slight_smile:

3 Likes

Yeah. I figured that was the case so there’s a hope but I won’t hold my breath. If that doesn’t happen before I get my hands on flexNT2 and installed that would be my dedicated device for the certificate.

That apex applet would be awesome

1 Like

Well go ahead with implanting several implants, because who doesn’t need several implants eh? :slight_smile: There’s always use for more.

1 Like

Seems like this has become my current expensive hobby but it’s fine :joy:

The implants aren’t the expensive part. Just wait until you get to buying locks and readers and useful devices to go with em. I must have close to 4,000 euros in locks and readers on various doors and computers that don’t even belong to me. It’s really, really a fucking expensive hobby if you go all the way.

Oh boy :joy: yeah I’m not going that deep yet because where I currently live but maybe in the next couple of years.

Oh back to the certificate. Did the iPhone app also have the nfc thing disabled or was it just in the android one? :thinking:

Oh someone else will have to dig into that one. I don’t have an iPhone, I know nobody who has an iPhone, and quite frankly I gave up on the iPhone long ago. It’s kind of a hopeless platform for interesting implant use cases. And I admire those who do try to bring stuff to the platform who are willing to go through Apple’s vetting process.

In short, I don’t know.

1 Like