To automate the generation and validation tests of COSE/CBOR Codes and it's base45/2D Code representations

Last update: Jul 25, 2022

Related tags

Overview

EU Digital COVID Certificate: Test Data Repository for Test Automation

About • Testing & Status • 2D Code • How to Contribute • Licensing

About

To automate the generation and validation tests of COSE/CBOR Codes and it's base45/2D Code representations, a lot of data has to be collected to ensure the variance of the tests. This respository was established to collect a lot of different test data and related test cases of different member states in a standardized manner. Each member state can generate a folder in this section.

Testing & Status

If you found any problems, please create an Issue.
Please make sure to review the issues to see if any other members states found issues with your provided test data.

2D Code

Test Procedure

The test procedure has the following steps:

Load RAW Data File X
Apply all test and validation rules to File X (from all countries).
If one rule fails, the RAW Data File X is highlighted with the related Validation Rule/TestName Fail Status.

Note: If some of the "EXPTECEDRESULT" values are not present, the steps in the tests run can be skipped. The related data can be removed then as well. E.g. if just a "Expireing" test is constructed, the "EXPECTEDEXPIRATIONCHECK" value can be set together with an "COSE" and "VALIDATIONCLOCK" raw object. All other fields are then not necessary.

Field	Definition
JSON	The JSON-encoding of the Digital Green Certificate payload
CBOR	The CBOR-encoding of the Digital Green Certificate payload
COSE	The CWT defined by the hCert Spec.
COMPRESSED	A CWT compressed by zLib
BASE45	The base45 encoding of the compression.
PREFIX	The base45 string concatenated with the Prefix (HC1 etc.)
2DCODE	The base64 encoded PNG of a QR Code.
TESTCTX	Testcontext with context information of the raw data.
EXPECTEDRESULTS	A list of expected results to the testdata.

Possible boolean variables set in EXPECTEDRESULTS:

EXPECTEDSCHEMAVALIDATION: Decoded data is valid according to dgc-schema
EXPECTEDDECODE: Data from input in CBOR can be decoded, and the contents match input from JSON
EXPECTEDVERIFY: Data from input in COSE can be cryptographically verified, with signer's certificate from TESTCTX.CERTIFICATE
EXPECTEDUNPREFIX: Data from input in PREFIX can be decoded, i.e. contains a valid prefix (e.g. HC1: for now), and is equal to input in BASE45
EXPECTEDVALIDJSON: Data from input (i.e. 2DCODE or PREFIX) can be decoded (whole chain), and the contents match input from JSON
EXPECTEDCOMPRESSION: Data from input in COMPRESSED can be decompressed (with ZLIB), and matches input in COSE
EXPECTEDB45DECODE: Data from input in BASE45 can be decoded (from Base45), and matches input in COMPRESSED
EXPECTEDPICTUREDECODE: Data from input in 2DCODE can be decoded (from Base64-encoded PNG), and matches input in PREFIX
EXPECTEDEXPIRATIONCHECK: Data from input is valid when verifying at the moment defined in TESTCTX.VALIDATIONCLOCK
EXPECTEDKEYUSAGE: Data from input in COSE can be verified, and the key usage (defined by the OIDs) from TESTCTX.CERTIFICATE matches the content (i.e. it is a test statement, vaccination statement, or recovery statement)

For all variables above:

When not set, this specific validation step is not tested in this input file
When set to true, this validation step should succeed
When set to false, this validation step should fail

Gateway

To indidcate which gateway environment is available, the test data context should contain: GATEWAY-ENV:Array

Example:

GATEWAY-ENV:["ACC", "TST"]

Note: Prod Keys should not be uploaded.

Code Generation

Test Number	Test	Mandatory Fields	Mandatory Test Context Fields	Variable
1	Load RAW File and load JSON Object, validate against the referenced JSON schema in the test context(SCHEMA field).	JSON	SCHEMA	EXPECTEDVALIDOBJECT
2	Create CBOR from JSON Object. Validate against the CBOR content in the RAW File. See note 2 below.	JSON, CBOR		EXPECTEDENCODE

NOTE: DESCRIPTION, VERSION are mandatory for all tests.

NOTE 2: CBOR objects that are maps (i.e., the Digital Green Certificate), have an undefined order. This means that the actual encodings between two objects containing the same elements may differ since the ordering may be different. Therefore the validation can not be as simple as comparing two byte arrays against each other. The best method is to decode both elements that are to be compared with the same decoder, encode both objects with the same encoder, and then compare.

Code Validation

Test Number	Test	Mandatory Fields	Mandatory Test Context Fields	Variable
1	Load the picture and extract the prefixed BASE45content.	PREFIX , 2DCode		EXPECTEDPICTUREDECODE
2	Load Prefix Object from RAW Content and remove the prefix. Validate against the BASE45 raw content.	PREFIX, BASE45		EXPECTEDUNPREFIX
3	Decode the BASE45 RAW Content and validate the COSE content against the RAW content.	BASE45, COSE		EXPECTEDB45DECODE
4	Check the EXP Field for expiring against the VALIDATIONCLOCK time.	COSE	VALIDATIONCLOCK	EXPECTEDEXPIRATIONCHECK
5	Verify the signature of the COSE Object against the JWK Public Key.	COSE	JWK	EXPECTEDVERIFY
6	Extract the CBOR content and validate the CBOR content against the RAW CBOR content field. See note 2 below.	COSE,CBOR		EXPECTEDDECODE
7	Transform CBOR into JSON and validate against the RAW JSON content. See note 3 below.	CBOR,JSON		EXPECTEDVALIDJSON
8	Validate the extracted JSON against the schema defined in the test context.	CBOR,JSON	SCHEMA	EXPECTEDSCHEMAVALIDATION
9	The value given in COMPRESSED has to be decompressed by zlib and must match to the value given in COSE	COSE,COMPRESSED		EXPECTEDCOMPRESSION

NOTE: DESCRIPTION, VERSION are mandatory for all tests.

NOTE 3: As CBOR objects, JSON objects are not ordered, and a plain string comparison of two objects can not be performed.

File Structure

/schema/[semver].json
/COMMON/2DCode/raw/[Number].json
[COUNTRY]/2DCode/raw/[Number].json

Variables

COUNTRY is defined as the country code by ISO 3166.

Number must be a unique number by country/type.

JSON Schema

A number which identifies the used schema (used in the RAW Data).

RAW Content

The JSON Content under RAW is defined as:

{
   "JSON": **JSON OBJECT**,
   "CBOR": **CBOR (hex encoded)**,
   "COSE": **COSE (hex encoded)**,
   "COMPRESSED": **COMPRESSED (hex encoded)**,
   "BASE45": **BASE45 Encoded compressed COSE**,
   "PREFIX": **BASE45 Encoded compressed COSE with Prefix HC(x):**,
   "2DCODE": **BASE64 Encoded PNG**,
   "TESTCTX":{
       "VERSION": **integer**,
       "SCHEMA": **string (USED SCHEMA, semver)**,
       "CERTIFICATE": **BASE64** ,
       "VALIDATIONCLOCK": **Timestamp**, (https://docs.jsonata.org/date-time-functions ISO8601)
       "DESCRIPTION": **string**,
       "GATEWAY-ENV":**Array**
   },
   "EXPECTEDRESULTS": {
       "EXPECTEDVALIDOBJECT": **boolean**,
       "EXPECTEDSCHEMAVALIDATION": **boolean**,
       "EXPECTEDENCODE": **boolean**,
       "EXPECTEDDECODE": **boolean**,
       "EXPECTEDVERIFY": **boolean**,
       "EXPECTEDCOMPRESSION": **boolean**,
       "EXPECTEDKEYUSAGE": **boolean**,
       "EXPECTEDUNPREFIX": **boolean**,
       "EXPECTEDVALIDJSON": **boolean**,
       "EXPECTEDB45DECODE": **boolean**,
       "EXPECTEDPICTUREDECODE": **boolean**,
       "EXPECTEDEXPIRATIONCHECK": **boolean**,
    }
}

Example:

{
    "JSON": {
        "ver": "1.0.0",
        "nam": {
            "fn": "Musterfrau-Gößinger",
            "fnt": "MUSTERFRAU



Validation Content (TBD)
Javascript validation rules which must be passed during the testing of a 2D Code of the country. Each rule is applied on the decoded JSON Content. The function body is defined as

function [name] ([Decoded JSON Object]) {
    return [boolean]
}



Image Content
Contains images of the generated base45 contents(PNG).

Certificate Content
The public key to validate the data structure. This is defined as base64 encoded datastructure (PEM).

How to contribute
Contribution and feedback is encouraged and always welcome. For more information about how to contribute, the project structure, as well as additional contribution information, see our Contribution Guidelines. By participating in this project, you agree to abide by its Code of Conduct at all times.

Licensing
Copyright (C) 2021 T-Systems International GmbH and all other contributors
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
You may obtain a copy of the License at https://www.apache.org/licenses/LICENSE-2.0.
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the LICENSE for the specific language governing permissions and limitations under the License.






Comments













Automation of dgc testdata verification




Dear Team
We have developed scripts to run dgc testdata verification of all test JSON files against expected rules. It uses GitHub CI/CD to run tests automatically whenever a country adds/updates their test files. This would help identify all test data issues in an automated manner and help everyone comply with expected rules.
An example of current test reports available under fork
@ https://github.com/bhavin-qryptal/dgc-testdata/runs/2628926632?check_suite_focus=true
and https://github.com/bhavin-qryptal/dgc-testdata/runs/2628942292?check_suite_focus=true
Would like to contribute this for wider benefits.
Would appreciate your feedback / suggestions for further enhancement / refinement and assistance to accept this pull request and make it a part of the process.
Regards
Bhavin Sanghvi
Qryptal Pte Ltd, Singapore



opened by bhavin-qryptal  25














How to get access to Document Signing Certificates ?




Hello,
I wrote an opensource privacy-preserving verification application for the certificates that are currently being emitted in France (in the 2D-DOC format): https://sanipasse.fr
I would like to add support for digital green certificates, but there is one point in the implementation that is still not clear to me: where do I get access to the public keys needed to check the certificates ? Are they to be retrieved from my national backend ? I am interested by the french national backend in particular. @adelourme, maybe you can point me to resources about it ? Or should I get them from the secretariat mentioned in Volume 1 ?
The specification states that

there are no confidentiality requirements for the lists of CSCAs and DSCs.

However, I cannot seem to get a hold on the these lists.
If this is not the right place for this kind of question, or if there is something I misunderstood, I'm sorry (and I would love if you could point me in the right direction).
@M3kH, @AlexConnat, I'm tagging you so that you can follow the discussion.
general duplicate 



opened by lovasoa  21














Clarification Needed: A single DGC with multiple certificates of different types




Issue Description
Question: Is it legit to have a single DGC with multiple certificates of different types (e.g. One or more Vaccination Record(s) , Recovery Report(s) and/or Test Report(s)) ?
I recall having read somewhere (could not find that reference anymore) which mentioned that a single DGC could have one more certificates of same types. e.g. Two Vaccination Records (for 1st dose and 2nd dose), however, It could not contain a combination of Vaccination Report and Recovery Report. Now, I am having a doubt whether this understanding is correct or not. Please help with some reference, if you could. I have noticed quite a few examples (an example) in test data repository which contains more than one types of the certificates under single DGC.
Also, if certificates of different types are allowed in single DGC, I believe, we would need to ensure that given DSC is eligible (extended Key Usage ) to sign all underlying types of the certificates. Please do opine on this.
Proposed Solution
Seeking clarification with some references to the documents.
general 



opened by bhavin-qryptal  16














ES: Broken test files




Files 1201, 1202 and 1203 has wrapped JSON object within ". Should be a JSON-object
Files 2001 and 2002 has a } in the wrong place (after 2DCODE).
Please fix.
A question to @SchulzeStTSI: When you approve the PR, don't you check that the files are valid with some sort of tool?
member state data issue 



opened by martin-lindstrom  16














RO: PL: AT: IS: Issues with expired certificates.




Affected Country: PL, AT, IS, RO
Issue Description
Currently there is a problem in the validation application with PL certificates 4,5/ AT certificates 3 and 4(Also test certificate in onboarding)/ IS certificates 1 and 2/RO test certificate in onboarding. Upon scanning the QR codes, the validation application produces
2021-05-25 19:20:44.862 14909-14968/dgca.verifier.app.android D/CBOR: After expirationTime, expirationTime = 2021-05-25T10:38:52Z
2021-05-25 19:20:44.863 14909-14968/dgca.verifier.app.android E/CBOR: Error while decoding cbor
java.lang.IllegalArgumentException: Expiration not correct: 2021-05-25T10:38:52Z
at dgca.verifier.app.decoder.cbor.DefaultCborService.decode(DefaultCborService.kt:46)
at dgca.verifier.app.android.verification.VerificationViewModel$decode$1$1.invokeSuspend(VerificationViewModel.kt:108)
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:106)
at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:571)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:738)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:678)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:665)
The screen after scanning:

Steps to reproduce:

Scan the certificates mentioned above.

Expected result: Proper display of information and validity/invalidity of the certificate
Actual result: No information is being displayed and the certificate is invalid.
Proposed Solution
Estonia is planning to use our own solution for scanning and verification and our developers have said that this is mostly an implementation question. But it seems that several countries are experiencing issues with this in testing right now in the mobile verification application.
member state data issue 



opened by Mark-Selezenev  15














DE: LU: IS: Public keys do not pass validity check against CSCA. (Acceptance)




Affected Country: DE: LU: IS:
Issue Description
Your public keys do not verify against CSCA so they are not trusted and although they are in the acceptance test, we can't accept them according to the reference materials.
Proposed Solution
I am not sure, technically we can drop the check but that will make the solution less secure. And if it was part of the reference materials then we should do it.
I thought about adding KIDS here but everyone should know their KID.
member state data issue 



opened by Mark-Selezenev  14














Who would help me and teach me how to create a Covid certificate (I will pay)




hey i'm new here. I understand a lot about it, what's going on and how, but I can't connect it all.
if someone invested some time to explain, I would be grateful.
End of course I will pay for this help.
I speak 3 languages: German, Polish and English, but a bit weaker
general 



opened by zielony666  10














LV: Schema failed too many miliseconds.




Affected Country: LV:
Issue Description
Currently the test certificate in onboarding is giving isSchemaValid: false
Reason:
error: string "2021-05-25T18:33:59.7315849+03:00" is invalid against requested date format(s) [yyyy-MM-dd'T'HH:mm:ssZ, yyyy-MM-dd'T'HH:mm:ss.SSSZ]
level: "error"
schema: {"loadingURI":"#","pointer":"/$defs/test_entry/properties/dr"}
instance: {"pointer":"/t/0/dr"}
domain: "validation"
keyword: "format"
attribute: "date-time"
value: "2021-05-25T18:33:59.7315849+03:00"
expected: ["yyyy-MM-dd'T'HH:mm:ssZ","yyyy-MM-dd'T'HH:mm:ss.SSSZ"]
error: string "2021-05-24T18:33:59.7247166+03:00" is invalid against requested date format(s) [yyyy-MM-dd'T'HH:mm:ssZ, yyyy-MM-dd'T'HH:mm:ss.SSSZ]
level: "error"
schema: {"loadingURI":"#","pointer":"/$defs/test_entry/properties/sc"}
instance: {"pointer":"/t/0/sc"}
domain: "validation"
keyword: "format"
attribute: "date-time"
value: "2021-05-24T18:33:59.7247166+03:00"
expected: ["yyyy-MM-dd'T'HH:mm:ssZ","yyyy-MM-dd'T'HH:mm:ss.SSSZ"]
You have too many miliseconds added.
Proposed Solution
Send sc and dr in proper format.
member state data issue 



opened by Mark-Selezenev  9














CZ: invalid `iat` field




Affected Country: CZ
Issue Description
All json test data provided by CZ contain an iat that is later than the contained VALIDATIONCLOCK
Proposed Solution
Please amend the test data to contain iat field earlier than the VALIDATIONCLOCK
member state data issue 



opened by JChrist  8














Not allowed characters in UVCI for DK entries




@jvitrifork Creating an issue since we don't have a better way of communicating.
The format of the UVCI (ci) used in DK files contains characters outside of the allowed character set. See https://github.com/ehn-digital-green-development/ehn-dgc-schema/wiki/FAQ.



opened by martin-lindstrom  8














Clarify CBOR




There is a bit of confusion about the CBOR-field. SE and RO has added the CBOR-encoding of the payload but BG has added the CBOR-encoding of the entire CWT.
Both are CBOR-encoded, so I blame the test instructions ;-)

Extract the CBOR content and validate the CBOR content against the RAW CBOR content field.

Should be: Extract the CBOR-encoded DGC payload from the CWT and ...
Or something like this.
ping @stamo



opened by martin-lindstrom  8














DE: Update test certificate (2DCode/raw/2.json) data





Affected Country: DE 
Issue Description

COVID-19 specification
COVID-19 JSON example


On raw test data test type is LP217198-3 (Rapid immunoassay COVID-19 antigen test).
For this test type field t.ma (Test device identifier) is required, but missed in json example.


t.dr deprecated.


Order of JSON data is messed up


Proposed Solution

Update JSON example and recalculate all test data (COSE, CBOR etc.)
member state data issue 



opened by jacomogrelli  0














Support for booster vaccinations?




Issue Description
Schema version 1.3.0 (9th June 2021), which is still the latest release, states that a certificate will only contain one vaccination entry:

"Vaccination group, if present, MUST contain exactly 1 (one) entry describing exactly one vaccination event."

How will booster (3rd) jabs, from different manufacturers than the first/second one be represented? Will there be a different Vaccination Certificate altogether, or will this schema be enhanced to support multiple entries (as it was originally before 1.3.0)?
For example: 1st and 2nd jabs were AstraZeneca, but Booster (3rd) jab is Pfizer.
Proposed Solution
Specifications clarification needed and test-data needs to be updated with new examples that demonstrate how boosters will be included.
general 



opened by jbx1  4














DE: Recovery Certificate 3.json not valid




Affected Country: DE
Issue Description
The recovery certificate (see here) is no longer valid or it fails with the current date when checking the business rules with certlogic.
It is very difficult to set the validation clock, so it should be replaced with a newer certificate.
Or is there a way to generate a new one for the ACC environment without having to register somewhere?
Proposed Solution
none
member state data issue 



opened by pascalkania  0














2-SE: The “certificate valid until” field is missing from the QR code





Affected Country: 
Issue Description
In the QR code data structure, the field “Certificate valid until” is missing”. This means if someone want to verify and automate it directly from the QR code it is not possible today.

Proposed Solution
Add valid to field in the data structure.

member state data issue 



opened by lalc  0














Need Help with the Generation of QR Code




Hi there,
You did an amazing work, but wich Software does I need to convert the json to a QRCode? I tried different website with converters but doesn't work.
Can you give me a tip?
Thanks



opened by Spamuser00  5














SG: expiration_time claim is missing (key 4)




Issue Description
During our automated testing, we encountered an issue with the new raws published by SG.
Expiration time claim is missing (see CWT Structure Overview)
Expiration Time (exp, claim key 4)
Proposed Solution
Add the claim
member state data issue 



opened by ikbendewilliam  0