In my certificate prints this:

Cryptographic signature successfully verified from: CN=grnet.gr,C=GR

COVID certificate: Issued: 2021-06-01 05:13:41 -0400 EDT Expiration: 2023-05-24 11:35:24 -0400 EDT Contents: (coronaqr.CovidCert) { Version: (string) (len=5) "1.0.0", PersonalName: (coronaqr.Name) { FamilyName: (string) (len=18) "...", FamilyNameStd: (string) (len=10) "...", GivenName: (string) (len=12) "...", GivenNameStd: (string) (len=7) "..." }, DateOfBirth: (string) (len=10) "...", VaccineRecords: ([]coronaqr.VaccineRecord) , TestRecords: ([]coronaqr.TestRecord) , RecoveryRecords: ([]coronaqr.RecoveryRecord) (len=1 cap=1) { (coronaqr.RecoveryRecord) { Target: (string) (len=9) "840539006", Country: (string) (len=2) "GR", Issuer: (string) (len=43) "Ministries of Health and Digital Governance", CertificateID: (string) (len=43) "URN:UVCI:01:GR:HFR6ZMD6GJDON7UQZI4FTKNDHY#M" } } }

However there must be an expiration of the RecoveryRecord. The "Expiration" is the certificate's expiration, not the recovery record expiration.

Also, what's the "target" string?

I 'd be grateful if you can take a look.

…Translate IDs to display names for TestResult, TestType and Target (type of DiseaseTargeted)

What does this implement?

It completes TestRecord structure by adding attributes TestType, TestResult and SampleDatetime, accordingly to ehn-dcc-development/ehn-dcc-schema/DCC.Types.schema.json.

In addition, attributes Target, TestType and TestResult use custom string types implementing UnmarshalCBOR() interface. As a result, IDs are translated into display values according to data at ehn-dcc-development/ehn-dcc-schema/valuesets/.

Example

Before:

# curl -Ls https://raw.githubusercontent.com/eu-digital-green-certificates/dgc-testdata/main/FR/png/test-pcr_ok.png | zbarimg --raw --quiet - | go run cmd/coronadecode/coronadecode.go
Cryptographic signature check skipped (use -verify)

COVID certificate:
Issued:     2021-06-03 09:54:22 +0200 CEST
Expiration: 2021-06-05 09:54:22 +0200 CEST
Contents:   (coronaqr.CovidCert) {
 Version: (string) (len=5) "1.0.0",
 PersonalName: (coronaqr.Name) {
  FamilyName: (string) (len=6) "Dupond",
  FamilyNameStd: (string) (len=6) "DUPOND",
  GivenName: (string) (len=5) "Marie",
  GivenNameStd: (string) (len=5) "MARIE"
 },
 DateOfBirth: (string) (len=10) "1962-07-01",
 VaccineRecords: ([]coronaqr.VaccineRecord) <nil>,
 TestRecords: ([]coronaqr.TestRecord) (len=1 cap=1) {
  (coronaqr.TestRecord) {
   Target: (string) (len=9) "840539006",
   Name: (string) (len=17) "2019-nCoV RT-qPCR",
   Manufacturer: (string) (len=4) "1232",
   TestingCentre: (string) (len=14) "Testing Centre",
   Country: (string) (len=2) "FR",
   Issuer: (string) (len=10) "Laboratory",
   CertificateID: (string) (len=41) "URN:UVCI:V1:FR:P50E914L54CIP5J0K4EHSCXOS:"
  }
 },
 RecoveryRecords: ([]coronaqr.RecoveryRecord) <nil>
}

After:

# curl -Ls https://raw.githubusercontent.com/eu-digital-green-certificates/dgc-testdata/main/FR/png/test-pcr_ok.png | zbarimg --raw --quiet - | go run cmd/coronadecode/coronadecode.go
Cryptographic signature check skipped (use -verify)

COVID certificate:
Issued:     2021-06-03 09:54:22 +0200 CEST
Expiration: 2021-06-05 09:54:22 +0200 CEST
Contents:   (coronaqr.CovidCert) {
 Version: (string) (len=5) "1.0.0",
 PersonalName: (coronaqr.Name) {
  FamilyName: (string) (len=6) "Dupond",
  FamilyNameStd: (string) (len=6) "DUPOND",
  GivenName: (string) (len=5) "Marie",
  GivenNameStd: (string) (len=5) "MARIE"
 },
 DateOfBirth: (string) (len=10) "1962-07-01",
 VaccineRecords: ([]coronaqr.VaccineRecord) <nil>,
 TestRecords: ([]coronaqr.TestRecord) (len=1 cap=1) {
  (coronaqr.TestRecord) {
   Target: (coronaqr.DiseaseTargeted) (len=8) "COVID-19",
   TestType: (coronaqr.TestType) (len=47) "Nucleic acid amplification with probe detection",
   Name: (string) (len=17) "2019-nCoV RT-qPCR",
   Manufacturer: (string) (len=4) "1232",
   SampleDatetime: (time.Time) 2021-05-16 14:34:56 +0000 UTC,
   TestResult: (coronaqr.TestResult) (len=12) "Not detected",
   TestingCentre: (string) (len=14) "Testing Centre",
   Country: (string) (len=2) "FR",
   Issuer: (string) (len=10) "Laboratory",
   CertificateID: (string) (len=41) "URN:UVCI:V1:FR:P50E914L54CIP5J0K4EHSCXOS:"
  }
 },
 RecoveryRecords: ([]coronaqr.RecoveryRecord) <nil>
}

Comments

Tests have been successfully run against eu-digital-green-certificates/dgc-testdata (same errors has before this commit).

I'm newbie to Go.

What should I install/setup before using instructions?

P.S. apt-get install golang and adding $GOPATH/$GOLANG wasn't enough.

root:~#  go get -u github.com/stapelberg/coronaqr/cmd/coronadecode
package context: unrecognized import path "context" (import path does not begin with hostname)
package flag: unrecognized import path "flag" (import path does not begin with hostname)
package fmt: unrecognized import path "fmt" (import path does not begin with hostname)
...

Hi Michael!

Thanks for creating this, I received my certificate yesterday and I am eager to see what information is encoded there! Sadly, coronadecode (commit 4d67a18) fails to parse it:

$ zbarimg --quiet --raw ~/Covid_cert.png | bin/coronadecode
2021/07/15 16:11:55 could not decode certificate QR code: cbor.Unmarshal(v.Payload): cbor: cannot unmarshal primitives into Go struct field coronaqr.claims.-260 of type int

I can’t find a spec, but here’s what I know so far:

Light certificates start with LT1 instead of HC1.

The CBOR payload for light certificates is:

{1: "CH BAG", 6: 1625658361, -250: {1: {"dob": "1943-02-01", "nam": {"fn": "M\u00fcller", "gn": "C\u00e9line", "fnt": "MUELLER", "gnt": "CELINE"}, "ver": "1.0.0"}}}

Notably, the -250 is listed as unassigned in https://www.iana.org/assignments/cwt/cwt.xhtml currently :-/

https://www.cc-d.bit.admin.ch/trust/v1/keys/updates?certFormat=ANDROID seems to be the dev environment URL to obtain the keys.

The prod version gives a 403 Forbidden, not sure what sort of authentication is required.

https://github.com/admin-ch/CovidCertificate-SDK-Android/commit/414887526a78969d1860e6d863b221cd4cc94f06 might be a good pointer for how to do verification.

When wanting to inspect a certificate that is perfectly valid but unfortunately expired, I'm not given any output. This PR makes it possible to view the cert regardless (without changing the source code every time 🙈)

I tried it on few QR-codes.

All of them failed because of the prefix.

zbarimg qr.jpeg returns QR-Code:HC1:...

Then your utility fails until I manually remove the QR-Code: prefix. After the removal, it works (thanks).

Reference PRs

Subpart of the PR #5 (without the erroneous IDs translation).

What does this implement?

Complete TestRecord structure with attributes TestType, TestResult and SampleDatetime, according to test_entry specification from ehn-dcc-development/ehn-dcc-schema/DCC.Types.schema.json.

Test

gofmt and go test : PASS

We currently pass positive tests, but don’t run negative tests:

https://github.com/stapelberg/coronaqr/blob/5924b762bd6da43c33c52dad0971d19d8769f148/coronaqr_test.go#L212

There’s also a separate test data repository at https://github.com/eu-digital-green-certificates/dcc-quality-assurance which we should use in addition or instead of dgc-testdata.

This is blocked on https://github.com/section42/hcert-trustlist-mirror/issues/11 so that we can plug into multiple revocation lists, just like we do for trust lists right now.

I have a pending commit which passes all the test cases.

What’s missing is a good source for country rules. I asked around regarding sources in https://github.com/eu-digital-green-certificates/dgc-participating-countries/issues/10#issuecomment-891236663

Enhancement proposal in the idea of submitting a pull request:

Some fields in the certificate are identifiers that refer to elements declared at https://github.com/ehn-dcc-development/ehn-dcc-schema/blob/release/1.3.0/valuesets/. These elements have a display name in a human readable sentence.

With the certificate decoded, it would be nice to print display names instead of (or in addition to) identifiers. For example, display :

TestType:   Nucleic acid amplification with probe detection
TestResult: Not detected

Instead of:

TestType: (string) (len=8) "LP6464-4",
TestResult: (string) (len=9) "260415000",