Loading packages

The QR Code

What's actually in there?

Ok, lets remove the prefix (HC1:)

Is this base64?

No, not really...

It's base45!

WTF is base45?

Qr and Aztec code have a specific, highly efficient, method for storing alphanumeric characters ...

For this reason, the industry generally encodes these in base45. A document for this de-facto standard is in progress:

Source: https://github.com/ehn-dcc-development/hcert-spec#base45

Industry standard?

Other oipinions

Note that this encoding isn't of the same efficiency as QR binary mode, as it converts 3 bytes into 2 base45 characters. So it's more like 'base41 using the base45' charset.

...

For the Dutch variant of the green pass using unlinkable signatures, we need all the space we can get, so we use a base45 encoding that uses the exact same method as base58, and which has the exact same efficiency as QR binary mode.

Source: https://news.ycombinator.com/item?id=27603173

Ok, still looks garbage

Encryption?

No, just compression (ZLib)

Much better

Next step: Removing the signatur

Yeah, less binary blobs

Ok, thats no json, but seems kinda similar...

It's CBOR!

WTF is CBOR?

Enhance!

{
    "expiration Time": 1624458597,
    "issued at": 1624285797,
    "issuer": "AT",
    "health certificate": {
        "EU digital covid certificate v1": {
            "vaccination": [
                {
                    "doses received": 1,
                    "manufacture": "ORG-100030215",
                    "product type": "1119349007", // Vaccine or prophylaxis
                    "date of vaccination": "2021-02-18",
                    "country": "AT",
                    "certificate id": "URN:UVCI:01:AT:10807843F94AEE0EE5093FBC254BD813#B",
                    "product id": "EU/1/20/1528",
                    "issuer": "Ministry of Health, Austria",
                    "total number of doses": 2,
                    "targeted disease": "840539006"
                }
            ],
            "name": {
                "family name (standardized)": "MUSTERFRAU<GOESSINGER",
                "family name": "Musterfrau-G\u00f6\u00dfinger",
                "given name (standardized)": "GABRIELE",
                "given name": "Gabriele"
            },
            "version": "1.2.1",
            "date of birth": "1998-02-26"
        }
    }
}

Enhance!

{
    "expiration time": "2023-06-23",
    "issued at": "2021-06-21",
    "issuer": "AT",
    "health certificate": {
        "EU digital covid certificate v1": {
            "vaccination": [
                {
                    "doses received": 1,
                    "manufacture": "ORG-100030215",   //TODO:
                    "product type": "1119349007", // Vaccine or prophylaxis
                    "date of vaccination": "2021-02-18",
                    "country": "AT",
                    "certificate id": "URN:UVCI:01:AT:10807843F94AEE0EE5093FBC254BD813#B",
                    "product id": "EU/1/20/1528",  //TODO:
                    "issuer": "Ministry of Health, Austria",
                    "total number of doses": 2,
                    "targeted disease": "COVID-19"
                }
            ],
            "name": {
                "family name (standardized)": "MUSTERFRAU<GOESSINGER",
                "family name": "Musterfrau-Gößinger",
                "given name (standardized)": "GABRIELE",
                "given name": "Gabriele"
            },
            "version": "1.2.1",
            "date of birth": "1998-02-26"
        }
    }
}

Sources:

Verification of validity

Download trustlist

Decode from cbor

Validating the signature of the qr code

Download the trustlist signature

Validate the signature

It's CBOR again. Yeah!

Enhance!

Validate trustlist

What about the Rules?

Enhance! (and filter)