How can I display a CBOR Web Token encoded token in a legible manner?

Asked 4/7, 2021 at 18:20 Answered 8/8, 2021 at 11:5

I am trying to make the content of the QR code from the corona vaccination legible. Found the following page. I just don't quite understand how I can read the scanned string.

Link / Certification API

String: HC1:6BFOXN*TS0BI$ZD4N9:9S6RCVN5+O30K3/XIV0W23NTDEPWK G2EP4J0B3KLASMUG8GJL8LLG.3SA3/-2E%5VR5VVBJZILDBZ8D%JTQOL2009UVD0HX2JN*4CY009TX/9F/GZ%5U1MC82*%95HC2FCG2K80H-1GW$5IKKQJO0OPN484SI4UUIMI.J9WVHWVH+ZE/T9MX1HRIWQHCR2HL9EIAESHOP6OH6MN9*QHAO96Y2/*13A5-8E6V59I9BZK6:IR/S09T./0LWTHC0/P6HRTO$9KZ56DE/.QC$QUC0:GOODPUHLO$GAHLW 70SO:GOV636*2. KOKGKZGJMI:TU+MMPZ5OV1 V125VE-4RZ4E%5MK9BM57KPGX7K:7D-M1MO0Q2AQE:CA7ED6LF90I3DA+:E3OGJMSGX8+KL1FD*Y49+574MYKOE1MJ-69KKRB4AC8.C8HKK9NTYV4E1MZ3K1:HF.5E1MRB4WKP/HLIJL8JF8JF172M*8OEB2%7OREF:FO:7-WF11SKCU1MH8FWPVH%L635OBXTY*LPM6B9OBYSH:4Q1BQ:A5+I6:DQR9VKR8 BLHCFQMZA5:PHR14%GV4ZOP50$ A 3

Apparently this string is encoded by CBOR Web Token. Does anyone know how I can decode it with e.g. Java or PHP?

Locust answered 4/7, 2021 at 18:20 Comment(0)

base45_decode()
zlib_decode()
CBOR_decode() to headers1, headers2, cbor_data, signature
CBOR_decode() cbor_data to greenpassdata
JSON stringify greenpassdata to a greenpass_json

Collimore answered 15/7, 2021 at 20:47 Comment(1)

Any similar chain for browser-javascript? I got it for steps 1 and 2, but can't find anything for 3 and 4. – Cleisthenes 10/9, 2021 at 13:51

Adding to david's answer, if you also want to verify the signature, look up the signing certificate by its kid, which is headers2[4] in base64, and call

require("cose-js").sign.verify(
  <result from step 2>,
  <public key of signing certificate>
)

(that's Node.js, but there may be Java or PHP equivalents).

Crucial answered 17/7, 2021 at 12:17 Comment(1)

alternatives without node.js? – Cleisthenes 10/9, 2021 at 13:52

Using a base45 decoder:

composer require mhauri/base45

You can decode the string:

$base45 = new \Mhauri\Base45();
$decoded = $base45->decode(preg_replace("/^[^\:]+:/", "", $encoded));

Note that we're ignoring the first few characters HC1:, they are the Health Certificate version (1) and are not part of the base45 encoded string. You now have a zLib compressed string.

You can then using the inbuilt zilb_decode() method to decompress the string:

$decompressed = zlib_decode($decoded);

Now we have the actual CBOR Web Token string. The next step would be to parse that string into an array. The trouble is that I have only found two open source PHP CBOR packages, neither of which are suitable for the task.

The 2tvenom/cborencode package doesn't support tags (yet). And spomky-labs/cbor-php doesn't seem to understand the string at all, although it's such a complex package, maybe I am doing something wrong.

I'm sure there must be a way, I just haven't found it yet. For now, I'm using https://ehealth.vyncke.org/index.php to learn more about CBOR. If you figure out a way, please share!

Laughable answered 8/8, 2021 at 11:5 Comment(1)

spomky-labs/cbor-php is perfectly suitable for that. Please refer to github.com/Spomky-Labs/cbor-php/issues/32 – Blume 26/7, 2023 at 12:19

Recommended topics

Hot tags