What is in my COVID-19 vaccination certificate?
Published:
Updated:
Manually inspecting the content of a French COVID-19 vaccination certificate QR code. The main intent is to show with a concrete example which data is actually included in the certificate.
All's right with the world!
Table of content
Overview
European COVID-19 certificates are defined in the following documents:
- Digital Covid Certificate Schema which describes the core data model;
- Electronic Health Certificates which specifies how the core data is signed by a signing authority using the CBOR Web token (CWT) format as well as the QR code based storage;
- Technical Specifications for Digital Green Certificates Volume 1
- Technical Specifications for Digital Green Certificates Volume 3, Interoperable 2D Code;
- Technical Specifications for EU Digital COVID Certificates JSON Schema Specification;
- Value Sets for Digital Green Certificates.
Payload
The information present on the european COVID-19 vaccination certificate is roughly made of:
- name (given name, surname);
- date of birth;
- number of doses and total number of doses;
- type of vaccination (manufacturer, product);
- date of vaccination;
- a unique identifier for the vaccination certificate (UVCI).
Security
All the information in the certificate is easily available to anyone scanning the QR code. No encryption is used. Moreover, the specification is publicly available. Decoding the content of the QR code can be done in a few lines of code.
A digital signature (ECDSA with P-256 and SHA-256) is used to protect against forgery. Each european signing authority has its own key pair(s).
Structure
The structure of the QR code is summarized in a diagram accompanying the Electronic Health Certificates Digital Covid Certificate (EHC DCC) specification:
- the content of the certificate is represented a JSON-compatible CBOR object;
- this is included (as a claim) in a CWT which includes a digital signature from a european signing authority;
- this CWT is compressed with zlib;
- this is then encoded in base-45 (a encoding designed to encapsulate arbitrary binary data in QR codes);
- a prefix is then prepended;
- this is then encoded in QR code.
Layer | Content |
---|---|
EHC-DCC | name, date of birth, vaccinations (or tests, recoveries), etc. |
CWT | issuers, validity period, digital signature, etc. |
zlib compression | |
base-45 encoding | |
prefix (HC1:) | |
QR code encoding |
Example
In this section, we will describe the different steps for decoding an example QR code. This example is a censored version of a real COVID-19 certificate. It is signed with a locally generated ECDSA key pair using ehn-sign-verify-python-trivial: this means that (of course) it won't be accepted by a validating applications.
Warning: invalid certificate
This certificate it is not signed with a private keys of a signing authority. As a consequence it won't be accepted by a validating application such as TousAntiCovidVerif. Do not try to use it. It won't work.
Note: QR code vs 2D-DOC
The first French vaccination COVID-19 certificates were using 2D-DOC. This is a French format based on Data matrix (instead of QR code). The new French certificates use the european standard (based on QR code) and should be interoperable with other european countries.
QR code decoding
The PDF issued by the French authorities actually contains two QR codes: one QR code which you are supposed to show to other people; one QR code which is used to add the certificate in the TousAntiCovid application. We will focus on the first one for now.
We can extract the content of QR code with zbar for example. I'm actually using the following script for convenience:
#/bin/sh
set -e
file="$(tempfile)"
trap "rm $file" EXIT
xfce4-screenshooter -r -s "$file"
zbarimg "$file"
The content of the QR code is a string starting with "HC1:". This prefix identifies the type of data and version of data (Health Certificate Version 1).
HC1:NCFOXN%TSMAHN-H.SK.SLOCV*$V34UEB2I:IR0L8YV8VVJ59/A184Q-RINWA/6K-MPW$NLEEMJC7ZS2%KYZP5ORK34JWLG56H0API0VN5%54E11%AK8II0 JP$SBZI0PIBZIXJA CG8C5DL$9C.PDS1JQBBJ%6L95OD6%28%%BPHQOGOJ236RD:XIBEIVG395EV3EVCK09D5WCFVA.QO5VA81K0ECM8CXVDC8C90JK.A96UJBC.P2R9CWZJ$7K+ CZEDB2M-9C.PDPOJI7JSTNB95N/55FRFJ6INQ2WRL353X7Q-O-+QZW6+Y5MN0POJZ0KYB0G%5TW5A 6+O67N6F7EIA7HOD%5DC/8NDNC8JT3O:X3G67.*G /IN7LA9T0V468TUCTG17+WLJ/RJBPMOQA+S+QOX97%9O2%6DBVRTMW4H*7696OW%O7$TUZ3VGC16E
expected_prefix = "HC1:"
if not data.startswith(expected_prefix):
raise Exception("Invalid prefix")
data = data[len(expected_prefix):]
The remaining of the string is base-45 encoded. This encoding format is designed to be used for encoding arbitrary binary data in QR code. We can decode it with the base45 Python package but it is quite simple to implement base-45 decoding directly:
digits = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"
digit2num = { digit: i for i, digit in enumerate(digits) }
assert len(digits) == 45
def decode_base45(data: str) -> bytes:
ochunks = []
for i in range(0, len(data), 3):
chunk = data[i:i+3]
if len(chunk) == 2:
c = digit2num[chunk[0]]
d = digit2num[chunk[1]]
n = c + d * 45
ochunk = bytes([n])
elif len(chunk) == 3:
c = digit2num[chunk[0]]
d = digit2num[chunk[1]]
e = digit2num[chunk[2]]
n = c + d * 45 + e * 45 * 45
ochunk = bytes([n // 256, n % 256])
else:
raise Exception("invalid length")
ochunks.append(ochunk)
res = b"".join(ochunks)
return res
decoded = decode_base45(data)
We get:
b"x\xda\xbb\xd4\xe2\xbb\x88Q\x8d\xc5\xa3J\xab3\xf7k\xfb\xdf\xee\x05\x11\xcf\x960\xa68\xfb9\xfa\xb2H%\t\xd6\xcef\x93JT\xd1\x9fm\xc9\xc8\xbc\x90qIbY\xe3\xaa\xa4\xe4\xcc\n\xd9\xd0 ?\xab\xd00gO+\x03C+\xb7 \xab\x08$\xa0\x1c\x91\x94\x9c\x9f\xe4\x16\x94\x94\x92\xc7\x94\x94R\x92ed`d\xa8k`\xa6kd\x96\x94Y\x0c67)71\xd7?\xc8]\xd7\xd0\xc0\xc0\xc0\x18(k\x9a\x94[\x90\xe3\x1a\xaao\xa8od\xa0ohjd\x91T\x9c\xc2\x94T\x92\x9eiab`jli``\x96TV\x90\xeee`\xee\x14a`\x9c\x9c\x92\x9f\x94ehin\xaek`\xaakd\x9a\x9c\x97\x98\xbb$)-/3\xd8;2\xdc\xd1\xc7\xdb5()=/\xc5'\xd4\xdb59-\xaf\x04!\x9a\x9c\x9eW\x02\x11.K-J5\xd43\xd63\x88p\x0893k\x1eg\xdcF\xe3\xb8O\x97\xbf\xbe|\x1d\xb48}\x85\x95\x96\x15\xa7o\xe7\x04%\x17\xe6\xd3\xe7\x9f7\x9c\xab\xe5\xdd5\xc7\xc3\xd1\xf8\xe4\x8e\xc2\x929\x15\xbf\x936&\xf73\xb3:\x87M0\xd8\xbe\xef\xc4\xa6\xeb\xed\x1e\x00a\xdbo\xcd"
This content is compressed with zlib. We can decompress it with:
decompressed = zlib.decompress(decoded)
b'\xd2\x84M\xa2\x01&\x04Hz*\x89m\xf5\x87\xfd\x8b\xa0X\xe6\xa4\x01dCNAM\x04\x1ab\x11}\x9b\x06\x1aa$/\x9b9\x01\x03\xa1\x01\xa4av\x81\xaabcix\x1dURN:UVCI:01:FR:XXXXXXXXXXXX#XbcobFRbdn\x02bdtj2021-06-26bisdCNAMbmamORG-100030215bmplEU/1/20/1528bsd\x02btgi840539006bvpgJ07BX03cdobj1977-05-25cnam\xa4bfniSKYWALKERbgndLUKEcfntiSKYWALKERcgntdLUKEcvere1.3.0X@T\xcc\x9a\x9e\t^\xb13^\xf2\xd3\xf5\xe9\xebR\xa3g\xa8:*:\tM\x89\x90"D\x03\xcb\xcf\xe7\x80\xce}\r\xba\x9cHA3\xc9\xb8qt\x9cx\xfbb\xb1c\x8f\x03\x05CV\x900\xb7\xbe\xc8\xb2\xd7\x87H'
CWT
We now have CWT content which can be decoded with:
import cbor
cose = cbor.loads(decompressed)
Tag(18, [b'\xa2\x01&\x04Hz*\x89m\xf5\x87\xfd\x8b', {}, b'\xa4\x01dCNAM\x04\x1ab\x11}\x9b\x06\x1aa$/\x9b9\x01\x03\xa1\x01\xa4av\x81\xaabcix\x1dURN:UVCI:01:FR:XXXXXXXXXXXX#XbcobFRbdn\x02bdtj2021-06-26bisdCNAMbmamORG-100030215bmplEU/1/20/1528bsd\x02btgi840539006bvpgJ07BX03cdobj1977-05-25cnam\xa4bfniSKYWALKERbgndLUKEcfntiSKYWALKERcgntdLUKEcvere1.3.0', b'T\xcc\x9a\x9e\t^\xb13^\xf2\xd3\xf5\xe9\xebR\xa3g\xa8:*:\tM\x89\x90"D\x03\xcb\xcf\xe7\x80\xce}\r\xba\x9cHA3\xc9\xb8qt\x9cx\xfbb\xb1c\x8f\x03\x05CV\x900\xb7\xbe\xc8\xb2\xd7\x87H'])
The content is wrapped using the CBOR tag 18. According to the CBOR IANA registry, this is the tag for COSE_Sign1
which contains an array of four elements:
protected
, informations about the COSE (such as the signature alogrithm);unprotected
, is not used in our case and it an empty CBOR map;payload
, contains the CWT claims;signature
, signature for both the claims and the protected field.
assert cose.tag == 18
protected, unprotected, payload, signature = cose.value
The protected header is CBOR encoded:
cbor.loads(protected)
{1: -7, 4: b'z*\x89m\xf5\x87\xfd\x8b'}
We can find the meaning of the fields in the COSE registry:
- The
1
entry describes the cryptographic algorithm used to secure the CWT. For european COVID-19 certificates, ECDSA with SHA-256 signature is used. This protects the certificate against forgery. - The
4
entry defines the identifier of the key used for the digital signature. This key identifier is supposed to reference a public key in a list of public signing keys of trusted signing authorities.
Warning: signature verification
This post does not include any the code for verifying the validity of the certificate (digital signature, expiration, etc.).
Claims
The payload
is encoded in CBOR and is a set of CWT claims.
claims = cbor.loads(payload)
{1: 'CNAM', 4: 1645313435, 6: 1629761435, -260: {1: {'v': [{'ci': 'URN:UVCI:01:FR:XXXXXXXXXXXX#X', 'co': 'FR', 'dn': 2, 'dt': '2021-06-26', 'is': 'CNAM', 'ma': 'ORG-100030215', 'mp': 'EU/1/20/1528', 'sd': 2, 'tg': '840539006', 'vp': 'J07BX03'}], 'dob': '1977-05-25', 'nam': {'fn': 'SKYWALKER', 'gn': 'LUKE', 'fnt': 'SKYWALKER', 'gnt': 'LUKE'}, 'ver': '1.3.0'}}}
The meaning of the claims can be found in the CWT registry:
1
, issuer;4
expiration time (for my real certificate, this is 2023-06-04);6
, issued at;-260
, Health Certificate, described below.
Health Certificate content
The health certificate content is a JSON-compatible CBOR map. All the actual information is included in the field 1
, for EU Digital Covid Certificate v1.
print(json.dumps(claims[-260]))
{
"1": {
"v": [
{
"ci": "URN:UVCI:01:FR:XXXXXXXXXXXX#X",
"co": "FR",
"dn": 2,
"dt": "2021-06-26",
"is": "CNAM",
"ma": "ORG-100030215",
"mp": "EU/1/20/1528",
"sd": 2,
"tg": "840539006",
"vp": "J07BX03"
}
],
"dob": "1977-05-25",
"nam": {
"fn": "SKYWALKER",
"gn": "LUKE",
"fnt": "SKYWALKER",
"gnt": "LUKE"
},
"ver": "1.3.0"
}
}
The content is defined in the EU Digital COVID Certificates JSON spec:
v
, a list of vaccination doses;dob
, date of birth;nam
, person names;ver
, schema version.
Each vaccination dose is made of:
ci
, unique vaccination certificate identifier (UVCI);co
, country;dn
, current dose number;dt
, date of vaccination;is
, certificate issuer;ma
, manufacturer (in our example Biontech Manufacturing GmbH);mp
, vaccine product (in our example Comirnaty);sd
, total number of doses;tg
, disease (this is the SNOMED-CT code for COVID-19);vp
, type of vaccine (in our example this is "covid-19 vaccines").
Some values are described in Value Sets for Digital Green Certificates.
See the appendix of the guidelines on verifiable vaccination certificates for the structure of the UVCI.
Second French QR code
The second QR code in the french PDF is a deep link to the TousAntiCovid application with the same HC1 data included as a URI fragment:
https://bonjour.tousanticovid.gouv.fr/app/walletdcc#HC1:NCFOXN…
Conclusion
The French verification application only displays a limited set of information: given name, surname, birth date and validity. However, all the other information can be ontabined very easily from the QR code. In particular, you can know if the subject has been vaccinated ("v"
), has been tested ("t"
) or has recovered from the virus ("r"
). For vaccinations, it is moreover possible to know how many doses have been injected and which vaccine has been used: this information may be used to infer whether the subject has a comorbidity.
Appendix, French revocation list
The (French) TousAntiCodeVerif application includes a revocation list for revoking health certificates. This is implemented by downloading the revocation list from a remote server as part of a synchronization procedure. The applications does not query a remote server each time a certificate is scanned. The publication of revocation lists still creates privacy concerns.
val configurationService = WSConf.getConfigurationService(context)
configurationService.callSync(WSConf.getConfigurationBaseUrl() + URI_SYNC).enqueue(
object : Callback<SyncResult> {
// [...]
override fun onResponse(
call: Call<SyncResult>,
response: Response<SyncResult>
) {
// [...]
when (response.code()) {
200 -> {
Log.d(tag, "OK :")
val syncResult = response.body()
view.saveResult(syncResult)
}
else -> {
// [...]
}
}
}
}
)
The revocation list is apparently a list of SHA-256 hashes of the certificate identifier (ci
) and country code (co
):
val hash = getHashDcc(ci, co)
val isHashBlacklisted = Blacklist.isBlacklisted(context, Blacklist.BlacklistType.BLACKLIST_DCC, hash)
private fun getHashDcc(ci: String, co: String): String {
val toHash = co.trim().uppercase()+ci.trim()
return toSha256(toHash)
}
One intended usage of this revocation list is to reject certificates which have fraudulently used (i.e. by someone which is not the intended user of the certificate). This is problematic since you need to show your QR code and let other people scan it in order to use it: when you present your certificate to someone, you cannot prevent this person (or a bystander) from (maliciously) copying your certificate for his own usage.
Appendix, trusted signing keys
We can extract the list of authorities recognized by the TousAntiCovidVerif application. This is the list of all entities which can emit COVID-19 certificates which will be recognized by the TousAntiCovidVerif application.
import base64
import requests
import cryptography.x509
url = "https://gitlab.inria.fr/tousanticovid-verif/tousanticovid-verif-ios/-/raw/master/Anticovid%20Verify/resources/prod/certs.json?inline=false"
for value in requests.get(url).json()["certificatesDCC"].values():
cert = cryptography.x509.load_der_x509_certificate(base64.b64decode(base64.b64decode(value)))
sub = cert.subject.rfc4514_string()
print(sub)
ST=Berlin,2.5.4.5=CSM026414197,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE CN=DSC AN EU 4,O=Norwegian Institute of Public Health,C=NO C=ES,O=Consellería de Sanidad,2.5.4.97=VATES-S1511001H,OU=SELLO ELECTRONICO,2.5.4.5=S1511001H,CN=ConselleriadeSanidade.XuntadeGalicia ST=Berlin,2.5.4.5=CSM026413994,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE ST=Berlin,2.5.4.5=CSM026413231,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE ST=Berlin,2.5.4.5=CSM026414212,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE ST=Berlin,2.5.4.5=CSM026382791,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE CN=Croatia DGC DS 001,O=AKD d.o.o.,C=HR CN=DSC_FR_001,OU=26750045200011,O=APHP,C=FR C=ES,O=Servicio Cántabro de Salud,2.5.4.97=VATES-Q3900738J,OU=SELLO ELECTRONICO,2.5.4.5=Q3900738J,CN=Servicio Cántabro de Salud ST=Berlin,2.5.4.5=CSM026413286,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE ST=Berlin,2.5.4.5=CSM026382931,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE CN=DGC DSC 1,OU=Health Information System,O=Ministry of Health,L=Sofia,C=BG CN=Belgium Covid19 DSC 01,O=eHealth - Belgium,C=BE ST=Berlin,2.5.4.5=CSM026383125,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE CN=DSC_FR_017,OU=120036017,O=DGS,C=FR ST=Berlin,2.5.4.5=CSM026382843,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE ST=Berlin,2.5.4.5=CSM026382898,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE C=ES,O=COMUNIDAD AUTONOMA DE LA REGION DE MURCIA,2.5.4.97=VATES- S3011001l,OU=DIRECCION GENERAL INFORMATICA CORPORATIVA,OU=SELLO ELECTRONICO,2.5.4.5=S3011001l,CN=DIRECCIÓN GENERAL DE SALUD PÚBLICA Y ADICCIONES C=ES,O=SERVICIO ANDALUZ DE SALUD,2.5.4.97=VATES-Q9150013B,OU=SERVICIO ANDALUZ DE SALUD,OU=SELLO ELECTRONICO,2.5.4.5=Q9150013B,CN=SELLO SAS PARA CERTIFICADO COVID DE LA UE ST=Berlin,2.5.4.5=CSM026414115,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE ST=Berlin,2.5.4.5=CSM026460071,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE CN=DSC_FR_004,OU=26750045200011,O=APHP,C=FR CN=Italy DGC DSC 1,O=Ministero della Salute,C=IT CN=AT DGC DSC 1,2.5.4.5=001001,O=BMSGPK,C=AT CN=DSC AN EU 5,O=Norwegian Institute of Public Health,C=NO CN=DSC_FR_020,OU=180035024,O=CNAM,C=FR CN=DSC_FR_025,OU=180035024,O=CNAM,C=FR ST=Berlin,2.5.4.5=CSM026164168,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE 1.2.840.113549.1.9.1=webmaster@llv.li,CN=DGC-NB-DSC-TEST-PROD-20210608,O=Liechtensteinische Landesverwaltung,L=Vaduz,C=LI ST=Berlin,2.5.4.5=CSM026413213,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE C=ES,O=Departament de Salut de la Generalitat de Catalunya,2.5.4.97=VATES-S0811001G,OU=Departament de Salut,OU=SELLO ELECTRONICO,2.5.4.5=S0811001G,CN=CERT-GENCAT-1S-21 C=ES,O=SERVICIO MADRILEÑO DE SALUD,2.5.4.97=VATES-Q2801221I,OU=DG SISTEMAS DE INFORMACION Y EQUIPAMIENTOS SANITARIOS,OU=SELLO ELECTRONICO,2.5.4.5=Q2801221I,CN=FIRMA CERTIFICADO COVID DIGITAL UE 1 1.2.840.113549.1.9.1=webmaster@llv.li,CN=DGC-NB-DSC-VACCINATION-PROD-20210608,O=Liechtensteinische Landesverwaltung,L=Vaduz,C=LI C=ES,O=CIUDAD AUTONOMA DE CEUTA,2.5.4.97=VATES-S6100007A,OU=CIUDAD AUTONOMA DE CEUTA,OU=SELLO ELECTRONICO,2.5.4.5=S6100007A,CN=CEUTA ST=Berlin,2.5.4.5=CSM026383019,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE C=ES,O=DIRECCION GENERAL DE SALUD PUBLICA\, CONSUMO Y CUIDADOS,2.5.4.97=VATES-S2633001I,OU=DIRECCIÓN GENERAL DE SALUD PUBLICA\, CONSUMO Y CUIDADOS,OU=SELLO ELECTRONICO,2.5.4.5=S2633001I,CN=Gobierno de La Rioja CN=DSC_FR_002,OU=26750045200011,O=APHP,C=FR ST=Berlin,2.5.4.5=CSM026460044,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE ST=Berlin,2.5.4.5=CSM026414081,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE CN=LT_DGC_DSC_1,O=Ministry of Health of The Republic of Lithuania,ST=Lithuania,C=LT CN=CZ DSC 2,O=MZCR,C=CZ CN=CZ DSC 1,O=MZCR,C=CZ CN=Grand Duchy of Luxembourg DS DCC 4,O=Ministry of Health,C=LU ST=Berlin,2.5.4.5=CSM026414133,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE CN=DIRECCIÓN DE SALUD PÚBLICA Y ADICCIONES,2.5.4.97=VATES-S4833001C,OU=SELLO ELECTRONICO,O=EUSKO JAURLARITZA - GOBIERNO VASCO,C=ES CN=Slovenian Digital Covid Certificate Signer,OU=NIJZ eHealth,O=NIJZ\, National Institute of Public Health of Slovenia,C=SI ST=Berlin,2.5.4.5=CSM026382995,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE CN=DSC_FR_018,OU=120036017,O=DGS,C=FR CN=DSC_FR_013,OU=120036017,O=DGS,C=FR C=ES,O=SERVICIO DE SALUD DE LAS ISLAS BALEARES,2.5.4.97=VATES-Q0719003F,OU=SELLO ELECTRONICO,2.5.4.5=Q0719003F,CN=IBSALUT-CVD-SELLO CN=DSC_FR_012,OU=120036017,O=DGS,C=FR ST=Berlin,2.5.4.5=CSM026460026,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE ST=Berlin,2.5.4.5=CSM026414160,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE ST=Berlin,2.5.4.5=CSM026317104,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE ST=Berlin,2.5.4.5=CSM026413347,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE CN=DSC_FR_019,OU=180035024,O=CNAM,C=FR ST=Berlin,2.5.4.5=CSM026413569,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE ST=Berlin,2.5.4.5=CSM026413639,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE C=ES,O=Servicio Navarro de Salud-Osasunbidea,2.5.4.97=VATES-Q3150004D,OU=Servicio Navarro de Salud-Osasunbidea,OU=SELLO ELECTRONICO,2.5.4.5=Q3150004D,CN=Sello Electrónico del Servicio Navarro de Salud-Osasunbidea CN=DSC_FR_016,OU=120036017,O=DGS,C=FR C=ES,O=Servicio de Salud de Castilla-La Mancha,2.5.4.97=VATES- Q4500146H,OU=SELLO ELECTRONICO,2.5.4.5=Q4500146H,CN=SESCAM Certificado Digital COVID UE ST=Berlin,2.5.4.5=CSM026460008,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE CN=DSC_FR_022,OU=180035024,O=CNAM,C=FR ST=Berlin,2.5.4.5=CSM026413417,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE ST=Berlin,2.5.4.5=CSM026460123,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE C=LV,O=Nacionālais veselības dienests,CN=LV DSC 001 ST=Berlin,2.5.4.5=CSM026164195,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE C=PT,O=Republica Portuguesa - Portuguese Republic,2.5.4.5=001,CN=DGC DS CN=DSC_FR_014,OU=120036017,O=DGS,C=FR CN=DSC_FR_003,OU=26750045200011,O=APHP,C=FR C=PL,O=Ministry of Health,OU=eHealth Centre,CN=Recovery DGC Service 1 1.2.840.113549.1.9.1=kontakt@sundhedsdata.dk,CN=PROD_DSC_DGC_DK_01,OU=The Danish Health Data Authority,O=The Danish Health Data Authority,C=DK C=ES,O=GOBIERNO DE ARAGON,2.5.4.97=VATES-S5011001D,OU=DEPARTAMENTO DE SANIDAD,OU=SELLO ELECTRONICO,2.5.4.5=S5011001D,CN=DEPARTAMENTO DE SANIDAD DEL GOBIERNO DE ARAGON ST=Berlin,2.5.4.5=CSM026382773,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE ST=Berlin,2.5.4.5=CSM026414054,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE ST=Berlin,2.5.4.5=CSM026383046,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE ST=Berlin,2.5.4.5=CSM026413462,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE CN=DSC_FR_023,OU=180035024,O=CNAM,C=FR 1.2.840.113549.1.9.1=webmaster@llv.li,CN=DGC-NB-DSC-RECOVERY-PROD-20210608,O=Liechtensteinische Landesverwaltung,L=Vaduz,C=LI C=ES,O=MINISTERIO DE SANIDAD,2.5.4.97=VATES-S2827001E,OU=SELLO MINISTERIO DE SANIDAD CERTIFICACION COVID19,OU=SELLO ELECTRONICO,2.5.4.5=S2827001E,CN=SELLO MINISTERIO DE SANIDAD CERTIFICACION COVID19 CN=DSC_FR_015,OU=120036017,O=DGS,C=FR CN=Grand Duchy of Luxembourg DS DCC 2,O=Ministry of Health,C=LU C=ES,O=GENERALITAT VALENCIANA,2.5.4.97=VATES-S4611001A,OU=CONSELLERIA DE SANITAT UNIVERSAL I SALUT PÚBLICA,OU=SELLO ELECTRONICO,2.5.4.5=S4611001A,CN=GENERALITAT VALENCIANA C=PL,O=Ministry of Health,OU=eHealth Centre,CN=Poland Vaccination DGC Service 1 CN=Todistuspalvelu,2.5.4.5=1.2.246.556.12.21.2,OU=Kanta,O=Kansanelakelaitos,L=Helsinki,ST=Finland,C=FI C=ES,O=Servicio Extremeño de Salud,2.5.4.97=VATES-Q0600413I,OU=SSII,OU=SELLO ELECTRONICO,2.5.4.5=Q0600413I,CN=Servicio Extremeño de Salud C=ES,O=Principado de Asturias,2.5.4.97=VATES- S3333001J,OU=SELLO ELECTRONICO,2.5.4.5=S3333001J,CN=Consejería de Salud del Principado de Asturias ST=Berlin,2.5.4.5=CSM026413860,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE CN=Grand Duchy of Luxembourg DS DCC 3,O=Ministry of Health,C=LU CN=Grand Duchy of Luxembourg DS DCC 1,O=Ministry of Health,C=LU ST=Berlin,2.5.4.5=CSM026413897,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE C=ES,O=GERENCIA REGIONAL DE SALUD DE CASTILLA Y LEON,2.5.4.97=VATES- Q4700608E,OU=GERENCIA REGIONAL DE SALUD DE CASTILLA Y LEON,OU=SELLO ELECTRONICO,2.5.4.5=Q4700608E,CN=GERENCIA REGIONAL DE SALUD CASTILLA Y LEÓN (SACYL) ST=Berlin,2.5.4.5=CSM026382968,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE CN=DCC Signer,2.5.4.97=202100-6552,O=Swedish eHealth Agency,C=SE C=ES,O=Ministerio de Defensa,2.5.4.97=VATES-S2830001J,OU=Inspección General de Sanidad de la Defensa,OU=SELLO ELECTRONICO,2.5.4.5=S2830001J,CN=Inspección General de Sanidad de la Defensa C=ES,O=CIUDAD AUTÓNOMA DE MELILLA,2.5.4.97=VATES-S7900010E,OU=DIRECCIÓN GENERAL DE LA SOCIEDAD DE LA INFORMACIÓN,OU=SELLO ELECTRONICO,2.5.4.5=S7900010E,CN=SELLO ELECTRONICO DE LA CIUDAD AUTÓNOMA DE MELILLA CN=BSC,O=Ministerul Sanatatii,C=RO CN=DSC_FR_024,OU=180035024,O=CNAM,C=FR C=ES,O=Servicio Canario de la Salud,2.5.4.97=VATES-Q8555011I,OU=Secretaría General del Servicio Canario de la Salud,OU=SELLO ELECTRONICO,2.5.4.5=Q8555011I,CN=Secretaría General del Servicio Canario de la Salud CN=DSC HN EU 2,O=Norwegian Institute of Public Health,C=NO ST=Berlin,2.5.4.5=CSM026460099,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE OU=Health and Welfare Information Systems Centre,O=Estonia,C=EE,2.5.4.5=02-2021,CN=02-2021_DCC CN=grnet.gr,C=GR ST=Berlin,2.5.4.5=CSM026382913,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE C=PL,O=Ministry of Health,OU=eHealth Centre,CN=Poland Test DGC Service 1 C=IS,O=Directorate of Health,OU=Directorate of Health,2.5.4.5=1,CN=IS-DSC-1 ST=Berlin,2.5.4.5=CSM026413541,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE ST=Berlin,2.5.4.5=CSM026413693,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE ST=Berlin,2.5.4.5=CSM026383107,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE CN=DSC_FR_021,OU=180035024,O=CNAM,C=FR
References
- Electronic Health Certificates, define the CWT and its encoding
- Digital Covid Certificate JSON Schema, the payload of the CWT
- Python code for signing and verifying HC1
- Technical Specifications for Digital Green Certificates Volume 1
- Technical Specifications for Digital Green Certificates Volume 2, European Digital Green Certificate Gateway
- Technical Specifications for Digital Green Certificates Volume 3, Interoperable 2D Code
- Technical Specifications for EU Digital COVID Certificates JSON Schema Specification
- Value Sets for Digital Green Certificates
- eHealth and COVID-19
- TousAntiCovid Verif Android, source code
- TousAntiCovid Verif iOS, source code
- Base 45 draft
- RFC 8392, CBOR Web Token (CWT)
- RFC 8152, CBOR Object Signing and Encryption (COSE)
- RFC 7049, Concise Binary Object Representation (CBOR)
- Pass sanitaire : existe-t-il une «liste noire» des QR codes frauduleux ?
On a similar topic: