Stream: smart/health-cards
Topic: Validation Error
Grahame Grieve (Sep 20 2021 at 07:02):
When I validate this card at https://demo-portals.smarthealth.cards/VerifierPortal.html it says:
JWS.payload.vc.type SHOULD NOT contain 'https://smarthealth.cards#covid19', no covid immunization or observation found (Warning)
I think that this is wrong; it is a covid immunization
Christian Paquin (Sep 20 2021 at 13:39):
The dev tool (and the related portal) currently only recognizes the CVX codes for the CDC-approved vaccines. I opened issue 155 to track.
Grahame Grieve (Sep 20 2021 at 17:00):
@Christian Paquin I get this error:
Grahame Grieve (Sep 20 2021 at 17:00):
key[Jizn1dsadf9Q7ll9KpF6WsxzGm4NLfwMHne_btToh-o]: 'kid' does not match thumbprint in issuer key. expected: P0dT_um48eUyAcuwnquYNyhkF6yFeSqD0MwarDEX-RY, actual: Jizn1dsadf9Q7ll9KpF6WsxzGm4NLfwMHne_btToh-o (Error)
Grahame Grieve (Sep 20 2021 at 17:00):
for the key
Grahame Grieve (Sep 20 2021 at 17:01):
{
  "keys": [
    {
      "kty": "EC",
      "use": "sig",
      "crv": "P-256",
      "kid": "Jizn1dsadf9Q7ll9KpF6WsxzGm4NLfwMHne_btToh-o",
      "x": "6BCsFU2b4brCIu84tLirgRklxqnjo4qFrkz6vAD1WGY",
      "y": "-EocuDdDkTQkUJTyyUbUQuF3Gaa1fG8NLhFFkDXWMSs",
      "alg": "ES256"
    }
  ]
}
Grahame Grieve (Sep 20 2021 at 17:01):
but I calculate a different thumbprint for that key, VLJ4BhnFrN0aSnQ5RKUPH7vXjzFPkh4zCe_-Ma0duIU
Grahame Grieve (Sep 20 2021 at 17:02):
I'm hashing {"crv":"P-256","kty":"EC","x":"6BCsFU2b4brCIu84tLirgRklxqnjo4qFrkz6vAD1WGY","y";"-EocuDdDkTQkUJTyyUbUQuF3Gaa1fG8NLhFFkDXWMSs"}
- how does the portal come up with the thumbprint?
Grahame Grieve (Sep 20 2021 at 17:06):
@Larry Joy
Christian Paquin (Sep 20 2021 at 17:51):
The validation tool uses the npm jose package to calculate the kid. Are you using SHA-256 for the kid calculation? Are you placing the properties in alphabetical order, per section 3 of RFC 7638?
Grahame Grieve (Sep 20 2021 at 18:00):
yes, SHA-256 from openSSL, and it calculated this example OK: https://connect2id.com/products/nimbus-jose-jwt/examples/jwk-thumbprints
And yes, alphabetic - I showed that above
Larry Joy (Sep 20 2021 at 18:03):
Here is code to compute the KID on a browser client that agrees with the jose implementation:
The key is to sort the properties in alphabetical order and only include the required properties.
//
// Computes the 'kid' of a JWK key using SHA-256
//
async function computeKid(keyJwk) {
    // Kid computation requires properties in alphabetical order
    keyJwk = { "crv": "P-256", "kty": "EC", "x": keyJwk.x, "y": keyJwk.y, };
    const keyBytes = new Uint8Array(JSON.stringify(keyJwk).split('').map(c => c.charCodeAt(0)));
    return window.crypto.subtle.digest({ name: "SHA-256", }, keyBytes)
        .then(function (hash) {
            return arrayBufferToBase64url(hash);
        })
        .catch(function (err) {
            console.error(err);
        });
}
Grahame Grieve (Sep 20 2021 at 18:16):
thanks for the help. I made a typo, which is why I was getting it wrong
Grahame Grieve (Sep 20 2021 at 19:22):
anyway, I'm happy, I can get my cards into Apple Health ;-)
Last updated: Apr 12 2022 at 19:14 UTC