h1_verify.py assumes that ECDSA is used for verification, see Digitaler-Impfnachweis/certification-apis#88 (comment) for context.

The CI script used in https://github.com/eu-digital-green-certificates/dgc-testdata shows how RSASSA-PSS can be supported:

        if isinstance(cert.public_key(), rsa.RSAPublicKey):
            e = int_to_bytes(cert.public_key().public_numbers().e)
            n = int_to_bytes(cert.public_key().public_numbers().n)
        elif isinstance(cert.public_key(), ec.EllipticCurvePublicKey):
            x = int_to_bytes(cert.public_key().public_numbers().x)
            y = int_to_bytes(cert.public_key().public_numbers().y)

        # ...

        if x and y:
            key = CoseKey.from_dict(
                {
                    KpKeyOps: [VerifyOp],
                    KpKty: KtyEC2,
                    EC2KpCurve: P256,  # Ought o be pk.curve - but the two libs clash
                    KpAlg: Es256,  # ECDSA using P-256 and SHA-256
                    EC2KpX: x,
                    EC2KpY: y,
                }
            )
        elif e and n:
            key = CoseKey.from_dict(
                {
                    KpKeyOps: [VerifyOp],
                    KpKty: KtyRSA,
                    KpAlg: Ps256,  # RSASSA-PSS using SHA-256 and MGF1 with SHA-256
                    RSAKpE: e,
                    RSAKpN: n,
                }
            )

Source

Trying to execute echo "{'A': 1234}" | python3 hc1_sign.py | python3 hc1_verify.py
this error occurs

Traceback (most recent call last):
  File "/home/pi/ehn-sign-verify-python-trivial/hc1_sign.py", line 13, in <module>
    from cose.curves import P256
ModuleNotFoundError: No module named 'cose.curves'
Traceback (most recent call last):
  File "/home/pi/ehn-sign-verify-python-trivial/hc1_verify.py", line 16, in <module>
    from cose.curves import P256
ModuleNotFoundError: No module named 'cose.curves'

Of course module is installed via pip3 install cose
What is wrong here?

Hi all,
QRDECODE is not present on OSX Big Sur and cannot install with "brew install qrdecode".
Any idea how pass a QRcode image png value to script?
Thanks

Traceback (most recent call last):
File "./hc1_verify.py", line 155, in
if (cin[0] == 0x78):
IndexError: index out of range

When using "--xy" argument to provide X,Y elliptic curve point (public key) for hc1_verify.py to use when verifying signature of DCC, the program outputs an error (in fresh repo without dsc-worker.pem file):

Traceback (most recent call last):
  File "hc1_verify.py", line 203, in <module>
    with open(args.cert, "rb") as file:
FileNotFoundError: [Errno 2] No such file or directory: 'dsc-worker.pem'

What should happen is that instead of trying to load public from certificate located in the file (which doesn't exist in repo and must be manually created to be present, as action not needed for signature validation of DCC generated by official means), the program should accept given argument --xy as public key and use it to verify DCC signature.

Note: using only --xy option to provide public key is not sufficient, per hc1_verify.py usage one must also provide key id (KID) using --kid argument or request that KID is ignored using --ignore-kid. At present using those arguments also results in erroneous behavior described above.

when i run: echo '(my json code)' | python3 hc1_sign.py | python3 hc1_verify.py

I get two errors

Traceback (most recent call last):
File "/Downloads/ehn-sign-verify-python-trivial/hc1_sign.py", line 149, in
out = b'HC1:' + b45encode(out).encode('ascii')
AttributeError: 'bytes' object has no attribute 'encode'

File "/Downloads/ehn-sign-verify-python-trivial/hc1_verify.py", line 153, in
if (cin[0] == 0x78):
IndexError: index out of range

Testing the utility i get the following traceback and error:

echo '{"A": 1234}' | python3 hc1_sign.py | python3 hc1_verify.py

Traceback (most recent call last):
File "hc1_sign.py", line 149, in
out = b'HC1:' + b45encode(out).encode('ascii')
AttributeError: 'bytes' object has no attribute 'encode'
Traceback (most recent call last):
File "hc1_verify.py", line 153, in
if (cin[0] == 0x78):
IndexError: index out of range

python3 -V
Python 3.7.3

Hi,

Pretty sure in the readme.md it is supposed to be
Run the command: echo '{"A": 1234}' | python3.8 hc1_sign.py | python3.8 hc1_verify.py

minor thing, but hey :)

Traceback (most recent call last):
  File "/root/Desktop/ehn-sign-verify-python-trivial/hc1_sign.py", line 85, in <module>
    payload = json.loads(payload.decode("utf-8"))
  File "/usr/lib/python3.9/json/__init__.py", line 346, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python3.9/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib/python3.9/json/decoder.py", line 353, in raw_decode
    obj, end = self.scan_once(s, idx)
json.decoder.JSONDecodeError: Expecting property name enclosed in double quotes: line 1 column 2 (char 1)
Traceback (most recent call last):
  File "/root/Desktop/ehn-sign-verify-python-trivial/hc1_verify.py", line 153, in <module>
    if (cin[0] == 0x78):
IndexError: index out of range

Any idea whats wrong?

when I run: ./pem2json-kid.sh
I get: zsh: permission denied: ./pem2json-kid.sh

Hello @dirkx ,

I am from an airline IT team and we are creating an application to use DGC for retrieving Vaccination information. This information is needed to determine whether traveler is allowed to fly to particular destination based on destination country covid rules. We are able to decode the DGC QR code using the standard libraries but struggling with Verification process. We referred the below official docs, but couldn't figure out how a third party can verify a DGC. Our use case is to accept DGC for all countries.
https://ec.europa.eu/health/sites/default/files/ehealth/docs/digital-green-certificates_v4_en.pdf
https://ec.europa.eu/health/sites/default/files/ehealth/docs/digital-green-certificates_v5_en.pdf