FHIR Chat · Validation · smart/health-cards

Stream: smart/health-cards

Topic: Validation


Grahame Grieve (Sep 15 2021 at 03:46):

Presently, you can use https://demo-portals.smarthealth.cards/VerifierPortal.html or https://github.com/smart-on-fhir/health-cards-dev-tools to validate your smart health cards. These validators do a super good job of validating all the card stuff - crypto signatures etc. but they don't do a great job of validating inside the bundle.

So from the next release, the validator will be able to validate Smart Health Cards directly. You can give it a JWT (JWS) or a QR code as text (shc:/...). It will open up the JWT, validate the payload and the bundle against the recommended profiles. (I got a long list of errors for mine...)

Grahame Grieve (Sep 15 2021 at 03:46):

It does not validate the signature, and I'm not planning to work on that part, since we already have excellent tools for that.

Grahame Grieve (Sep 15 2021 at 12:01):

I updated the documentation too - https://confluence.hl7.org/display/FHIR/Using+the+FHIR+Validator#UsingtheFHIRValidator-Choosingwhattovalidate

Poonam Kariya (Nov 23 2021 at 14:02):

We are trying to verify the Canada COVID pass of our employee and we are facing the following error:

    "errors": [
        "JWS verification failed: can't find key with 'kid' = qFdl0tDZK9JAWP6g9_cAv57c3KWxMKwvxCrRVSzcxvM in issuer set",
        "JWS.payload.vc shouldn't have a @context property",
        "JWS.payload.vc.type : 'VerifiableCredential' is not required and may be omitted to conserve space",
        "Schema: /type error : must be equal to one of the allowed values",
        "Schema:  property must must match exactly one schema in oneOf",
        "Schema: /type error : must be equal to one of the allowed values",
        "Schema:  property must must match exactly one schema in oneOf"

Josh Mandel (Nov 23 2021 at 14:37):

What's the source of the data you're using, and what's the process by which you're receiving these errors?

Vitor Pamplona (Nov 23 2021 at 14:46):

Quebec rotates the KID on their servers frequently. Unless you have saved KIDs for the previous months, Quebec's records will almost always fail (the QR is generally older than the KID on their server)

Vitor Pamplona (Nov 23 2021 at 14:47):

@Poonam Kariya here's the key you are looking for:

    {
        "kty": "EC",
        "kid": "qFdl0tDZK9JAWP6g9_cAv57c3KWxMKwvxCrRVSzcxvM",
        "use": "sig",
        "alg": "ES256",
        "crv": "P-256",
        "x": "XSxuwW_VI_s6lAw6LAlL8N7REGzQd_zXeIVDHP_j_Do",
        "y": "88-aI4WAEl4YmUpew40a9vq_w5OcFvsuaKMxJRLRLL0"
    }

Josh Mandel (Nov 23 2021 at 14:49):

It sounds like this key publication behavior is not compliant with the SHC specification, so it's worth asking Quebec about whether these failures are intended.

Vitor Pamplona (Nov 23 2021 at 15:08):

I am not sure if it is intentional. Quebec's own verifier app ignores the KID and verifies each QR against all available keys in the server. Ignoring the KID field is a very common feature among JOSE libraries. They might be using KID rotations to represent some internal status without noticing that it breaks any app checking and only verifying against the right KID.


Last updated: Apr 12 2022 at 19:14 UTC