denysvitali / covid-cert-analysis Goto Github PK

License: Other

Shell 79.23% Makefile 20.77%

covid-cert-analysis's Introduction

covid-cert-analysis

This repository contains the analysis performed on the leaked forged COVID-19 Certificates. The certificates, contained in string format in the samples/ directory, have been collected from the 4Chan and Raid Forums posts.

The results are in the RESULTS.md file and can be generated using ./verify.sh.

Please - stay safe and get vaccinated!

The situation

On 2021-10-27 @emanuelelaface created an issue on ehn-dcc-development/hcert-spec to report a possible private key leakage of French and Polish governments.

The issue reports that (online and on Telegram) some forged COVID-19 Certificates are circulating and are still marked as valid.

The two certificates mentioned in the post are associated with "Adolf Hitler" with two different dates of birth.

My Opinion

Although the private key leakage isn't unlikely, especially due to nonce reuse or the possibility of a non-TRNGs being used (e.g: Sony hack), chances that this is what's happening are low.

The reason for that is that most governments (if not all) are most probably using an HSM to perform the signing, and thus even the owners of such systems are likely to not have access to the underlying private key.

What's more plausible is that someone broke the chain of trust between the government and the doctors / pharmacies / hospitals or installed malware on their computers and is now able to generate certificates as if they were generated by a trusted party.

To be able to prove that who claims to have access to a signing key rather than a signing system (e.g: COVID Certificate signing portal), one could maybe sign a certificate using an issuing date preceding COVID-19.
Since the chances of the portals allowing a similar mistake are low, this could be the only reliable proof (other than having the key itself) to confirm that the key has been indeed leaked.

Several screenshots on 4Chan seem to confirm my theory, an EU portal is shown where the user signing the certificates with the North Macedonian key is able to choose the country of the certificate too. This results in the weird certificates signed by North Macedonian's key but reporting the country to be e g: UK.

Here you can find my first and second comment on the topic.

Disclaimers

This is a collection of forged COVID-19 Certificates that are:

valid
clearly forged
leaked

I do not generate these certificates, nor I'll provide you with any contact to where you can get these. If you want a valid COVID-19 Certificate, get vaccinated or take a rapid test.

The samples have been collected by multiple sources and they're freely available on the internet (e.g: 4Chan and Raid Forums)

Requirements

Bash
corona-decoder
zbarimg (to decode a QR code into text)

Generate Results

./verify.sh > RESULTS.md

Analyze a single certificate

corona-decoder -v -f ./samples/mickeymouse.txt

covid-cert-analysis's People

Contributors

Stargazers

Watchers

covid-cert-analysis's Issues

Díez Fernandez Iker

VR 0: C=DE,ID=URN:UVCI:01DE/IZ14482A/2BYU1VFE8L2JDQJHY1QVSK#E,ISS=Iker Díez Fernandez
KID: dhSzPDr4G2M=
Issued At: 2021-07-25 11:29:31 UTC
Signed By: SERIALNUMBER=CSM026164168,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,POSTALCODE=13353,STREET=Nordufer 20,L=Berlin,ST=Berlin,C=DE,2.5.4.97=#131044543a44452d33303233353331343435 (issued by: CN=D-TRUST CA 2-2 2019,O=D-Trust GmbH,C=DE,2.5.4.97=#130e4e545244452d4852423734333436)
Expiration: 2022-05-26 11:29:31 UTC
Personal Name: Iker Díez Fernandez
DOB: 1950-01-01

How to put signature into readable format?

Any idea how to process the results for "signature" coming from this javascript line?

[headers1, headers2, cbor_data, signature] = CBOR.decode(unzipped)

For signature of Mickey Mouse I get:
d6bfd4244c5f5c532ed4229de23f683a471173c1a8940dbe853186ecce576d7c263f09c91ad5b9c072455dc4ebdda222b27c2bb75c118357ebe85d3286a52654

How do I turn it into something like this?

kid: 53FOjX/4aJs=
key: <EllipticCurvePublicNumbers(curve=secp256r1, x=59224424711316661084877973301841821584140021680113528472675651838972371380627, y=54841068689176540860306147861276004028606373898471432794562118907413910993957>

I decode cbor_data using:

	cbor_dataArr = typedArrayToBuffer(cbor_data);
	greenpassData  = CBOR.decode(cbor_dataArr);

But it does not work for signature.

RangeError: Offset is outside the bounds of the DataView

Need help with qr

If someone can help me pleas text me.

Help for decoding spongebob pass...

I wrote an app to view what's written in my qrcode:
https://github.com/jumpjack/greenpass
http://jumpjack.altervista.org/greenpass/

It works fine with my greenpass and with some fake ones, but it fails with spongebob and other; the ones not working are the bigger ones.
Any idea why my app fails with some qrcodes and works with others? The algorithm should be the same for all.

This is the decoding process I am using:

BASE45 = raw.value.replace("HC1:","");
COMPRESSED = decode(BASE45).raw
COSEbin =  pako.inflate(COMPRESSED);
COSE = buf2hex(COSEbin);
typedArray = new Uint8Array(COSE.match(/[\da-f]{2}/gi).map(function (h) {  return parseInt(h, 16)}))
unzipped = typedArray.buffer
[headers1, headers2, cbor_data, signature] = CBOR.decode(unzipped)

I admit I just copied/pasted some snippets of code, I don't understand very well what's going on here...

The decoding process for spongebob and mama joe QRcodes fails at unzipping step:
COSEbin = pako.inflate(COMPRESSED);

 TypeError: i.subarray is not a function
    at Object.inflate (pako.min.js:2)
    at Xe.push (pako.min.js:2)
    at Object.We (pako.min.js:2)

"COMPRESSED" is 776 bytes long, vs. 348 bytes of a QR code which works with my app.

I also tried processing the data without unzipping them (just in case), but CBOR.decode(COMPRESSED) results in "Error: remaining bytes".