cwa-quicktest-onboarding

VC_HC_CWT_NO_ISS at DCC Result

Open juergenroesch opened this issue 4 years ago • 15 comments

my hex is:

846A5369676E61747572653143A1012640590115A401624445041A60F1F9A5061A60EF56A5390103A101A4617481A9626369782955524E3A555643493A56313A44453A49495938423657513938344A4A3849554C304838564B5255444E62636F62444562697374526F62657274204B6F63682D496E737469747574626D61643133333362736374323032312D30372D31345431383A31383A30345A627463744A75657267656E7320546573747A656E7472756D62746769383430353339303036627472693236303431353030306274746A4C503231373139382D3363646F626A313938302D30312D3031636E616DA462666E6A4D75737465726D616E6E62676E654572696B6163666E746A4D55535445524D414E4E63676E74654552494B416376657265312E332E30

what is the CBOR: {1: "DE", 4: 1626470821, 6: 1626298021, -260: {1: {"t": [{"ci": "URN:UVCI:V1:DE:IIY8B6WQ984JJ8IUL0H8VKRUDN", "co": "DE", "is": "Robert Koch-Institut", "ma": "1333", "sc": "2021-07-14T18:18:04Z", "tc": "Juergens Testzentrum", "tg": "840539006", "tr": "260415000", "tt": "LP217198-3"}], "dob": "1980-01-01", "nam": {"fn": "Mustermann", "gn": "Erika", "fnt": "MUSTERMANN", "gnt": "ERIKA"}, "ver": "1.3.0"}}}

If I send that to the WRU-Server I get a valid response, but if I check that in the iOS TestFlight app I get the error "Dieser QR-Code ist kein gültiges Impfzertifikat (VC_HC_CWT_NO_ISS)".

For my understanding, encryption and everything is fine, but there might be an error in the DCC because the app tries to use that as a vaccine certificate instead of a DCC?

Any hints?

juergenroesch avatar Jul 14 '21 19:07 juergenroesch

Same issue here

hmontazeri avatar Jul 15 '21 12:07 hmontazeri

I think the problem is the encryption and very bad documentation. For the SHA-256 hash you need to use the CBOR with the Signature1.... but encrypted will be the hcert container with 1:DE... But then, if I use an online AES encrypter I get an RSA decryption error on the phone, and with my C# class I get the ISS error.

Anyhow, I never got that working for days, even with online encryption and so on... that's really horrible...

juergenroesch avatar Jul 15 '21 14:07 juergenroesch

@juergenroesch I'm not sure about that. I tried to encrypt a random string instead of the CBOR object inside the AES function. Then I got a new ERR Code VC_HC_CBOR_DECODING_FAILED which tells me that the encryption should be fine.

I'm guessing it's some kind of encoding issue... not sure, but UTF-8 and ASCII-8BIT seem to be an issue with the hex dumps of CBOR.

hmontazeri avatar Jul 15 '21 14:07 hmontazeri

Which version of the iOS app are you using btw? Version 2.6.0.3?

Ein-Tim avatar Jul 15 '21 14:07 Ein-Tim

2.4.0 (12) - I don't get a newer one from TestFlight

juergenroesch avatar Jul 15 '21 14:07 juergenroesch

> Which version of the iOS app are you using btw? Version 2.6.0.3?

2.4.0, latest on TestFlight

hmontazeri avatar Jul 15 '21 14:07 hmontazeri

Mh, that's strange. We are on 2.5.1 released and version 2.6 is in development. But no idea what exactly TestFlight is used for here, I don't have access, but IMHO it's strange that you're not even on a pre-release version of 2.5...

Anyways I don't think version 2.5 would fix your issue, didn't see a PR for this.

Ein-Tim avatar Jul 15 '21 14:07 Ein-Tim

It has to be something on the server side. The lab simulator python script here works. So... Is there any way we can get in touch with the server team on that? To be at least sure if the problem is caused by encryption or not?

hmontazeri avatar Jul 15 '21 14:07 hmontazeri

@hmontazeri

@daniel-eder already assigned @MartinKonrad to this issue, so I'm sure you'll get feedback soon.

@dsarkar Do you want to mirror this to JIRA? Maybe EXPOSUREBACK?

Ein-Tim avatar Jul 15 '21 14:07 Ein-Tim

@hmontazeri we need to have a closer look at this topic. Please describe your problem in detail and send it via email to [email protected] . Thank you.

MartinKonrad avatar Jul 16 '21 06:07 MartinKonrad

I was able to fix my implementation with some help from @mdf-dths.

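```ruby
# my ruby code
# IV: 32 hex characters packed into 16 zero bytes
cipher.iv = ["00000000000000000000000000000000"].pack("H*")
# Key: 64 random hex characters packed into 32 bytes
cipher.key = [SecureRandom.hex(32)].pack("H*")
```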

These two lines got it working for me. It is the IV and KEY for the AES encryption. It's mandatory that they are hex values.

hmontazeri avatar Jul 16 '21 07:07 hmontazeri

Yeah, I am having the same problems getting it running in PHP tbh. (If anyone has a working implementation already I'd be grateful ;) ) It does not help that the documentation clearly is written for people that use Java as well, so everyone else has to figure out the correct encryption parameters for their respective programming language.

But yeah, what would be REALLY nice is if the server didn't accept certificates it cannot decode from the start, cause I and I assume many other people would assume that when the request is accepted it's good to go....

KDederichs avatar Jul 16 '21 08:07 KDederichs

@KDederichs there is a PHP implementation I got from @mdf-dths. PHP DCC

hmontazeri avatar Jul 16 '21 09:07 hmontazeri

Thanks! Looks like I was almost there, just got the wrong setMGFHash parameter and the wrong IV. Funny, when I set setMGFHash to sha256 the CWA got into a crash loop....

KDederichs avatar Jul 16 '21 09:07 KDederichs

OK guys, I have been at this for three days. My problem was that the docs -DO- mention that the AES IV is {0...0}. However, they do NOT mention that in that case prepending the IV is not necessary or expected. Maybe this is the default way of doing it when using a zeroed IV, but please write that into the docs explicitly. Prepending the IV, as I always do when I use AES, causes all kinds of VC_HC_CWT_NO_ISS and VC_HC_CBOR_DECODING_FAILED errors... Have a working .NET 5 implementation now though...

kev-andrews avatar Jul 21 '21 15:07 kev-andrews
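
What prepending the zero IV does on the receiving side, as an added example that is not part of the thread or of the CWA code. It assumes AES-256-CBC with PKCS#7 padding (the thread only says AES with a zero IV) and a receiver that decrypts the entire blob; `cbor`, `aes`, `receiver_view`, `demo` and the result labels are this example's own names, and the payload is constructed from the issuer and timestamp claims in the first post.

```ruby
require "openssl"
require "stringio"

ZERO_IV = ("\x00" * 16).b # all-zero IV, as stated in the thread
# Constructed CWT claims {1=>"DE", 4=>1626470821, 6=>1626298021}, without the hcert
PAYLOAD = ["a301624445041a60f1f9a5061a60ef56a5"].pack("H*")

# Minimal CBOR reader: ints, byte/text strings, arrays, maps (no tags or floats).
def cbor(io)
  major, info = io.readbyte.divmod(32)
  n = case info
      when 0..23 then info
      when 24..26 then io.read(1 << (info - 24)).unpack1(%w[C n N][info - 24])
      else raise ArgumentError, "unsupported CBOR length encoding"
      end
  # Bound declared lengths by the bytes left, so garbage cannot force huge allocations.
  raise ArgumentError, "bad CBOR item" if major > 5 || (major >= 2 && n > io.size - io.pos)
  case major
  when 0 then n
  when 1 then -1 - n
  when 2 then io.read(n)
  when 3 then io.read(n).force_encoding("UTF-8")
  when 4 then Array.new(n) { cbor(io) }
  else Array.new(n) { [cbor(io), cbor(io)] }.to_h
  end
end

# Assumed cipher: AES-256-CBC with PKCS#7 padding; the thread only says "AES".
def aes(direction, key, data)
  cipher = OpenSSL::Cipher.new("aes-256-cbc").send(direction)
  cipher.key = key
  cipher.iv = ZERO_IV
  cipher.update(data) + cipher.final
end

# Receiver decrypts the whole blob with the zero IV; labels are this example's own.
def receiver_view(key, blob)
  claims = cbor(StringIO.new(aes(:decrypt, key, blob)))
  return :not_a_map unless claims.is_a?(Hash)
  claims.key?(1) ? :ok : :no_iss
rescue StandardError
  :undecodable
end

# Same ciphertext sent bare and with the IV prepended.
def demo(key)
  ct = aes(:encrypt, key, PAYLOAD)
  { bare: receiver_view(key, ct), iv_prepended: receiver_view(key, ZERO_IV + ct) }
end
```

Under CBC the prepended block decrypts to 16 unpredictable bytes followed by the intact payload, so the CBOR reader starts on garbage instead of the claims map; which failure it reports depends on those bytes.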