Describe the bug

I am generating the QR Code using the WEB frontend template application. Upon scanning the QR Code with the Verifier App, I am consistently getting an error "Verification failed: failed to load certificate"

Expected behaviour

Verification should be successfull.

Steps to reproduce the issue

1. Installed DGC Issuer Service, DGC Verifier Service.
2. Uploaded all required certificates, including the signed DSC and configured them accordingly in the services layer.
3. Modified the BASE_URL in the Android application : File: NetworkModule.kt as to point to my verifier service
4. Compiled and run on Android
5. Scan the QR Code as generated by the Web Frontend Template application
6. Displays invalid on screen, and Android Studio Logs shows D/VerificationViewModel$decode: Verification failed: failed to load certificate

Upon some debugging, I have found a discrepancy which might/might not be the cause of the invalid result.

In the file: VerificationViewModel.kt

Notice the 2 bold Debug Lines I've added.

                schemaValidator.validate(coseData.cbor, verificationResult)
                greenCertificate = cborService.decode(coseData.cbor, verificationResult)
                **Timber.d("DEBUG Verification Result: %s", verificationResult)**
                val certificate = verifierRepository.getCertificate(kid.toBase64())
                **Timber.d("DEBUG KID: %s" ,kid.toBase64())**
                if (certificate == null) {
                    Timber.d("Verification failed: failed to load certificate")
                    return@withContext
                }

and their output:

D/VerificationViewModel$decode: DEBUG Verification Result: VerificationResult: 
    base45Decoded: true 
    valSuitePrefix: HC1: 
    zlibDecoded: true 
    coseVerified: false 
    cborDecoded: true 
    isSchemaValid: true

D/VerificationViewModel$decode: DEBUG KID: 2Ga7nn3--CU=

Firstly, notice that coseVerified = false , Looking into the android core library, file: DefaultCoseSerivce.kt, I noticed that the verificationResult.Verified is hard coded to false, without any opporunity to set it to true within the decode function

    override fun decode(input: ByteArray, verificationResult: VerificationResult): CoseData? {
        **verificationResult.coseVerified = false**
        return try {
            val messageObject = CBORObject.DecodeFromBytes(input)
            val content = messageObject[2].GetByteString()
            val rgbProtected = messageObject[0].GetByteString()
            val key = HeaderKeys.KID.AsCBOR()
            var kid = CBORObject.DecodeFromBytes(rgbProtected).get(key)
            // Kid in unprotected header
            if (kid == null) {
                kid = messageObject[1].get(key)
            }
            val kidByteString = kid.GetByteString()
            CoseData(content, kidByteString)

        } catch (e: Throwable) {
            null
        }
    }

Secondly ,the KID

I have noticed that the KID is presented in the debug log as follows: 2Ga7nn3--CU=

however, in the verifier service, it's presented like this: 2Ga7nn3++CU=

notice the "--" vs "++" difference.

and for completeness sake, the DSC follows:

	{
		"kid": "2Ga7nn3++CU=",
		"timestamp": "2021-05-12T12:28:38+02:00",
		"country": "CY",
		"certificateType": "DSC",
		"thumbprint": "d866bb9e7dfef8255345678cb5722057084424331c7efd8c0eced9b52739c09f",
		"signature": "MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCAMIICbDCCAhKgAwIBAgIURWuo6N0RLfrkJ/DaZO0KYr6fRu0wCgYIKoZIzj0EAwIwgZMxCzAJBgNVBAYTAkNZMRAwDgYDVQQIDAdOaWNvc2lhMRAwDgYDVQQHDAdOaWNvc2lhMS0wKwYDVQQKDCROYXRpb25hbCBlSGVhbHRoIEF1dGhvcml0eSBvZiBDeXBydXMxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQxGTAXBgNVBAMMEFVQTE9BRF9ER0NfQ1lfMDEwHhcNMjEwNTEwMDcwMzI3WhcNMjMwNTEwMDcwMzI3WjCBkzELMAkGA1UEBhMCQ1kxEDAOBgNVBAgMB05pY29zaWExEDAOBgNVBAcMB05pY29zaWExLTArBgNVBAoMJE5hdGlvbmFsIGVIZWFsdGggQXV0aG9yaXR5IG9mIEN5cHJ1czEWMBQGA1UECwwNSVQgRGVwYXJ0bWVudDEZMBcGA1UEAwwQVVBMT0FEX0RHQ19DWV8wMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCFf0s8yXh7oSXaZKrGFEp8M6Jf8r/EjgLtNmZ07wJuCYDtnlDSJme43ERrsC5gzGQ491N5kPT65vDl1qylqO7GjQjBAMA8GA1UdEwEB/wQFMAMCAQAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBQ/y+7LCYF6CqZGkM/ecYc10XB14zAKBggqhkjOPQQDAgNIADBFAiB+N59qtZwkqmWc/3Dl5gZMpbVrr8+u0+FY9MEQgBUsDAIhAL+NzoJpvG+waRjAN2eZ7d+TB6OlhuRrPp2Ed1LN94iWAAAxggH+MIIB+gIBATCBrDCBkzELMAkGA1UEBhMCQ1kxEDAOBgNVBAgMB05pY29zaWExEDAOBgNVBAcMB05pY29zaWExLTArBgNVBAoMJE5hdGlvbmFsIGVIZWFsdGggQXV0aG9yaXR5IG9mIEN5cHJ1czEWMBQGA1UECwwNSVQgRGVwYXJ0bWVudDEZMBcGA1UEAwwQVVBMT0FEX0RHQ19DWV8wMQIURWuo6N0RLfrkJ/DaZO0KYr6fRu0wCwYJYIZIAWUDBAIBoIHkMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIxMDUxMjEwMjQ1N1owLwYJKoZIhvcNAQkEMSIEINhmu559/vglU0VnjLVyIFcIRCQzHH79jA7O2bUnOcCfMHkGCSqGSIb3DQEJDzFsMGowCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMAoGCCqGSM49BAMCBEYwRAIgCb+nI9Prsvylmsmdfn8n2ySopLnCVLbKd38900PZO/MCIHF2lA4OEyFBiCoHqzW8pY5a7FaSi8ZMzcOKh3bGgdjEAAAAAAAA",
		"rawData": "MIICHjCCAcQCFDtxKq28G7KiGukkC62ELU4BBvBbMAoGCCqGSM49BAMCMIGRMQswCQYDVQQGEwJDWTEQMA4GA1UECAwHTmljb3NpYTEQMA4GA1UEBwwHTmljb3NpYTEtMCsGA1UECgwkTmF0aW9uYWwgZUhlYWx0aCBBdXRob3JpdHkgb2YgQ3lwcnVzMRYwFAYDVQQLDA1JVCBEZXBhcnRtZW50MRcwFQYDVQQDDA5DU0NBX0RHQ19DWV8wMTAeFw0yMTA1MTIxMDIzMDZaFw0yMzA1MDIxMDIzMDZaMIGQMQswCQYDVQQGEwJDWTEQMA4GA1UECAwHTmljb3NpYTEQMA4GA1UEBwwHTmljb3NpYTEtMCsGA1UECgwkTmF0aW9uYWwgZUhlYWx0aCBBdXRob3JpdHkgb2YgQ3lwcnVzMRYwFAYDVQQLDA1JVCBEZXBhcnRtZW50MRYwFAYDVQQDDA1EU0NfREdDX0NZXzAxMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPybvhD4bGNlyPCpz9aiIpnB09ceGEc4z1l5Q8CoQ3sMvXHM3n7+3zX4K7V16VNI09bH1rmCttVRtO8cN/JpG/TAKBggqhkjOPQQDAgNIADBFAiAufANVRuChmYz8oMJgjlFuNMlT3C5zys/gESMgrbdS8AIhAPLA6P1SJL7TdkbjtyRIqpvz1M+m9NJP919tcZ7xoJjP"
	},

Technical details

Hosted on Kubernetes, using Nginx Ingress Reverse Proxy, Centos 7

Describe the bug

QR-Code of type TEST with TEST Result = Detected are evaluated as cryptographically invalid.

Expected behaviour

QR-Code of type TEST with TEST Result = Detected should evaluate to invalid with reason "Test result positive" and the affected part of the dataset incl. "test result = DETECTED" should be shown.

Steps to reproduce the issue

Scan a QR-Code of Type Test with TEST RESULT = DETECTED

Technical details

Galaxy XCover 4, Modellnummer: SM-G390F, Android-Version: 9,

Possible Fix

Additional context

Describe the bug

If an optional field is omitted (it is NULL value) the issuer app generates a QR-Code which is always shown as invalid by the verifier app.

For example, a test certificate with negative result and a valid signature, but the name has been left blank.

A sample QR Code and the data to generate it is attached,

Expected behaviour

A valid certificate should be shown as valid also when optional fields are left empty.

Steps to reproduce the issue

Technical details

Possible Fix

Additional context

Describe the bug

Despite a failed verification, the verifier app shows the certificate data set and no reason for failure is shown.

Expected behaviour

In case of a failed verification (RED), the app should only display the reason for the fail.

Steps to reproduce the issue

1. Open verifier app;
2. Scan a QR-Code for an invalid certificate.

Technical details

Galaxy XCover 4, Modellnummer: SM-G390F, Android-Version: 9, Verifier App 1.0.0

Possible Fix

Additional context

Describe the bug

The endpoint https://dgca-businessrule-service-eu-acc.cfapps.eu10.hana.ondemand.com/rules is returning 404 error. The endpoint are declared in file dgca-verifier-app-android/app/src/acc/assets/verifier-context.jsonc The APP is not working because it hasn't the certificates.

Expected behaviour

Return the json response with all the country rules

Steps to reproduce the issue

Open the browser Navigate to https://dgca-businessrule-service-eu-acc.cfapps.eu10.hana.ondemand.com/rules

Technical details

Any

Possible Fix

Fix the endpoint

Describe the bug

In order to check, that when the signing certificate expiration datetime supersedes the expiration datetime in the Green certificate, the app returns INVALID we have created the following QR-Code with chronologically valid certificate but with an expired DSC Certificate.

Attached JSON file and QR Code.

Nevertheless, scanning this QR Code with the Verifier app returns VALID.

Expected behaviour

Expected is a RED screen saying the Certificate is INVALID.

Steps to reproduce the issue

Technical details

Verifier 1.1.5-tst

Galaxy XCover 4, Android 9

Possible Fix

Additional context

Describe the bug

Scanning real QR code from valid certificates issued by Czech Republic just beeps and does not display anything useful

Expected behaviour

Green checkmark and/or some details that the certificate is OK or is not OK should be displayed.

Steps to reproduce the issue

Get any valid certificate either from antigen, PCR test or vaccination from ocko.uzis.cz in PDF format and scan the QR code.

Technical details

• Host Machine OS (Windows/Linux/Mac): Android 10 / MIUI

Additional context

Xiaomi RedMi Note 8T, Android 10, dark mode activated, version 1.0.3-acc

Local Delete Workflow for Expired Revocations on Verifier App does not start automatically even after more than 24 hours offline (internet switched off) although according to the specification ( (Verfier Workflow, Spec. Chapter 1.3 "Delete expired revocation entries") it should take place.

Describe the bug

1. Verifier was newly installed on 28.02.2022 at 11:40 -> Then, we scanned and the following certificate was shown correctly as revoked;
2. 28.02.2022 at 11:41 we switched OFF the internet on the verifier device;
3. We waited 24 hours and in the meantime the revocation entry for the given certificate has already expired. ( 'expires': '2022-03-01T09:30:00Z')
4. Then (after more than 24 hours) 01.03.2022 at 12:40 (internet still switched OFF) we scanned again the same certificate --> certificate was incorrectly still shown as revoked. (Expectation was that it would be shown valid).

Expected behaviour:

Verifier should locally recognize certificate as valid within 24 hours (Verfier Workflow, Spec. Chapter 1.3 "Delete expired revocation entries")

Technical Details:

Verifier for Android, Version 1.2.4-tst (36)

https://user-images.githubusercontent.com/76050122/156176141-723fd181-360b-4b65-ae39-c5ab2b8ea4cd.mp4

Describe the bug

I scanned two certificates issued by the Austrian health portal https://gesundheit.gv.at

• One for a rapid-test I took 2 hours ago and
• one for a vaccination done two weeks ago.

Yes I know, the cert for the vaccination is still invalid, because it was only two weeks ago. But the validation does not fail because of the date, but because the signature can't be verfied.

The validation of the test-certificate also failed with the errormessage "Verification Failed"

I did a bit of debugging. I can see, that the QR code is correctly decoded, ie information like my Name and information about the test/vaccine are correct. But the following lines of code return an error (VerifcationViewModel.kt, line 109)

val certificates = verifierRepository.getCertificatesBy(kid.toBase64())
if (certificates.isEmpty()) {
    Timber.d("Verification failed: failed to load certificate")
    return@withContext
}

Ie, getCertificatesBy(kid) does return an empty collection.

Expected behaviour

• The rapid-test should be accepted (it shows up ok on the official austrian verification webapps https://qr.gv.at and https://greencheck.gv.at)

• The vaccination should be marked as invalid, but not because of a signature failure, but because of the date.

Steps to reproduce the issue

Scan an austrian certificate

Technical details

HTC U11 life running, Android 10, compiled with lastest Android Studio on Windows 10

Additional Information

That should be the certificated used for verification in https://qr.gv.at

-----BEGIN CERTIFICATE-----
MIIB7zCCAZagAwIBAgIKAXnM+L47fmBcezAKBggqhkjOPQQDAjBEMQswCQYDVQQG
EwJBVDEPMA0GA1UECgwGQk1TR1BLMQwwCgYDVQQFEwMwMDExFjAUBgNVBAMMDUFU
IERHQyBDU0NBIDEwHhcNMjEwNjAyMTM0NTI0WhcNMjMwNjAyMTM0NTI0WjBGMQsw
CQYDVQQGEwJBVDEPMA0GA1UECgwGQk1TR1BLMQ8wDQYDVQQFEwYwMDEwMDExFTAT
BgNVBAMMDEFUIERHQyBEU0MgMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGBN
uKiCpnXH0VlIdk6pJZH2ep8jQaV+FR3izMXxZfK5EPGZLtG3Jx+TmV3JJErfrSrP
hRmfbSidVbTQ5nnZS+ujbjBsMA4GA1UdDwEB/wQEAwIHgDAdBgNVHQ4EFgQUNs2s
mrjBhuR5Bqxl6teE1x1o2ycwHwYDVR0jBBgwFoAUHyKsHGUWKbTBmLNjb7/dCZ27
e3swGgYDVR0QBBMwEYEPMjAyMTEyMTYxNDQ1MjRaMAoGCCqGSM49BAMCA0cAMEQC
IDjXHnyzq3sTisMX1uY8xQ2ZqCRL2xmxtYOPhSZ9ZacYAiAqHUMOC7WNgq4h28n3
1WLc1mMPAYauWslSEwnXC79AGw==
-----END CERTIFICATE-----

I also tested the QR Codes from the testdata repository with the official austrian webapps. They can't be verfied ...

Environment Issuance Web Portal https://issuance-dgca-test.cfapps.eu10.hana.ondemand.com/ Android Phone Verifier App 1.0.3.-tst https://github.com/eu-digital-green-certificates/dgca-wallet-app-android/releases/tag/1.0.3

## Steps to reproduce the issue

1. Click on Record Vaccination Certification

2. Fill out all mandatory fields

3. Dont fill out family and given name

4. Klick on NEXT

5. Scan certificate by Verifier App (app-tst-release-signed-1.0.3.apk)

Actual result: App display NULL NULL in the top left corner

Expected result: App should display nothing or standardised names

Describe the bug

There is no way for Android Verifier App to trigger the manual synchronisation of public key as it is in the iOS Verifier App.

Expected behaviour

The same behaviour should be implemented for both Verifier App versions -- iOS and Android.

Steps to reproduce the issue

Technical details

Galaxy XCover 4, Modellnummer: SM-G390F, Android-Version: 9, Verifier App 1.0.0

Possible Fix

Additional context

Describe the bug

Expected behaviour

Steps to reproduce the issue

Technical details

• Host Machine OS (Windows/Linux/Mac):

Possible Fix

Additional context

I am trying to start the application, I have followed all the steps of the documentation but I am getting this error:

**FAILURE: Build failed with an exception.

• What went wrong: Execution failed for task ':dgc-sdk:compileDebugJavaWithJavac'.

Compilation failed; see the compiler error output for details.

• Try: Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.

• Get more help at https://help.gradle.org

BUILD FAILED in 8s 67 actionable tasks: 1 executed, 66 up-to-date**

Thanks to those who will help me

Since the technical specification doesn't say that the NFC data should be ZLIB encoded, wouldn't the correct storage that the app reads be the CWT directly binary encoded (no Base45 and zlib)?

See Electronic Health Certificates 2021-04-18 section 4.1 and 4.2. I believe NFC falls under 4.1

Some countries (GR so far) have produced Payloads which include trailing spaces within the json payload values.

eg: space "mp": "EU/1/20/1528 " Notice the empty space after the 1528.

1000s of such certificates are uncovered by foreigners causing invalidations,

Recommendation is to trim all whitespaces when executing business rules validations in the verifier apps

Links do not work after SDK 30

Fix is required to add in the AndroidManifest.xml:

    <queries>
        <intent>
            <action android:name="android.intent.action.VIEW" />
            <data android:scheme="http" />
        </intent>
    </queries>