South Africa's Covid-19 vaccine certificate system is live

Norrad

Expert Member
Joined
Jul 27, 2004
Messages
3,361
Is there anywhere you need to produce this?
A few events are asking for them. Soccer and racing come to mind. I've had to supply mine for a hotel booking for next month and for a visa application for early next year. I also had it scanned at the local post office, but on a voluntary basis to test the system.
 

Norrad

Expert Member
Joined
Jul 27, 2004
Messages
3,361
Dear South African,

Your application has been DENIED!

- The World
Actually nope. Only flights are the issue, but visas are being processed as normal and if you spend 21 days in another country, without travel restrictions, then you are able to travel to anywhere you want. Changed my flights so now heading to a former Soviet bloc country for three weeks before continuing my travel plans as normal ;)
 

"D"

Expert Member
Joined
Oct 20, 2006
Messages
4,111
Changed my flights so now heading to a former Soviet bloc country for three weeks before continuing my travel plans as normal ;)
There is only Soviet bloc, comrade ...
There is no former Soviet bloc - remember that, comrade ...
 

JHS1

Member
Joined
Mar 17, 2018
Messages
16
The "hcert" string is base64 encoded, you can decode that to see the json payload with your personal details, pretty much what's printed on the certificate.
Can get all the info by decoding the "main" base64 encoded string. The hsa256 inside the qr code also seems to be a base64 encoded string. I can get the hex hsa256 string from it eg D4A60EBF3029D6D9869864DD1C4B0E0D0EB56AA5477F700E4468CB0C47F9F09C

It is 256 bits long.

But how is the hsa256 inside the qr code calculated from the "payload" and the "public key"?

There can be a trillion ways to try and calculate it....fact is, it has to be able to work off line. Imagine you and your family go out to dinner at a restaurant and the DOH database is off line. Surely they will not show away everyone wanting to visit the restaurant because DOH is off line? There must be a way to verify the authenticity of the certificate when DOH database is off line. The only way is to calculate the sha256 from the payload (or part of it for eg using ID and certificate number) and compare it with the sha256 inside the qr code. Anyone that managed to crack it ie how to calculate the sha256 from the info inside the qr code?
 

DA-LION-619

Honorary Master
Joined
Aug 22, 2009
Messages
13,777
Can get all the info by decoding the "main" base64 encoded string. The hsa256 inside the qr code also seems to be a base64 encoded string. I can get the hex hsa256 string from it eg D4A60EBF3029D6D9869864DD1C4B0E0D0EB56AA5477F700E4468CB0C47F9F09C

It is 256 bits long.

But how is the hsa256 inside the qr code calculated from the "payload" and the "public key"?

There can be a trillion ways to try and calculate it....fact is, it has to be able to work off line. Imagine you and your family go out to dinner at a restaurant and the DOH database is off line. Surely they will not show away everyone wanting to visit the restaurant because DOH is off line? There must be a way to verify the authenticity of the certificate when DOH database is off line. The only way is to calculate the sha256 from the payload (or part of it for eg using ID and certificate number) and compare it with the sha256 inside the qr code. Anyone that managed to crack it ie how to calculate the sha256 from the info inside the qr code?
hashvalues => $"{alg}--{kid}--{iss}--{iat}--{exp}--{hcert}--{hashalg}";
 

Geoff.D

Honorary Master
Joined
Aug 4, 2005
Messages
25,242
So the first people "eligible" for boosters will only be able to get an appointment for it from January 2022.

Nothing like perpetuating a broken system.
 

JHS1

Member
Joined
Mar 17, 2018
Messages
16
hashvalues => $"{alg}--{kid}--{iss}--{iat}--{exp}--{hcert}--{hashalg}";
Oh my goodness - got it sorted out! Amazing! Thanks for the direction - took a while to get to the correct string format to calculate the SHA256 but eventually got it sorted. I can calculate SHA256 for version 2 from the data inside the qr code....
 

blunt

Expert Member
Joined
May 1, 2006
Messages
3,469
Can get all the info by decoding the "main" base64 encoded string. The hsa256 inside the qr code also seems to be a base64 encoded string. I can get the hex hsa256 string from it eg D4A60EBF3029D6D9869864DD1C4B0E0D0EB56AA5477F700E4468CB0C47F9F09C

It is 256 bits long.

But how is the hsa256 inside the qr code calculated from the "payload" and the "public key"?

There can be a trillion ways to try and calculate it....fact is, it has to be able to work off line. Imagine you and your family go out to dinner at a restaurant and the DOH database is off line. Surely they will not show away everyone wanting to visit the restaurant because DOH is off line? There must be a way to verify the authenticity of the certificate when DOH database is off line. The only way is to calculate the sha256 from the payload (or part of it for eg using ID and certificate number) and compare it with the sha256 inside the qr code. Anyone that managed to crack it ie how to calculate the sha256 from the info inside the qr code?
I haven't done any investigations into this vaccine certificate but I work with DM/QR code offline auth (entry permits and the like) and the way to auth offline is usually up to a private key that sits on the authenticating device, no need to be online as long as it can replicate the same signature using the private key and the data presented.
 

JHS1

Member
Joined
Mar 17, 2018
Messages
16
I haven't done any investigations into this vaccine certificate but I work with DM/QR code offline auth (entry permits and the like) and the way to auth offline is usually up to a private key that sits on the authenticating device, no need to be online as long as it can replicate the same signature using the private key and the data presented.
I have cracked it open...actually very simple once one knows what the string should look like to calculate the sha256 from
 

blunt

Expert Member
Joined
May 1, 2006
Messages
3,469
I have cracked it open...actually very simple once one knows what the string should look like to calculate the sha256 from
So no external salt to make it not replicable.. amateur hour at gov.za
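
Added example, not part of any post in this thread and not the certificate system's own code: it contrasts the unkeyed SHA-256 check discussed above with a keyed check of the kind a verifier-held key allows, to show what each one can and cannot tell an offline verifier. The field values, `DEVICE_KEY`, the UTF-8 encoding and the uppercase hex output are assumptions made for illustration; HMAC-SHA256 is used here as one possible keyed construction.

```python
import hashlib
import hmac

# Field order and the "--" separator follow the format string quoted in the thread.
FIELDS = ("alg", "kid", "iss", "iat", "exp", "hcert", "hashalg")

# Constructed sample values (not taken from any real certificate).
ISSUED = {"alg": "sha256", "kid": "key-1", "iss": "EXAMPLE-ISSUER",
          "iat": 1633046400, "exp": 1664582400,
          "hcert": "eyJuYW1lIjoiU0FNUExFIn0=", "hashalg": "SHA256"}
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"  # hypothetical verifier-held key


def canonical(cert: dict) -> bytes:
    """Join the fields into the hashed string (UTF-8 encoding is an assumption)."""
    return "--".join(str(cert[f]) for f in FIELDS).encode("utf-8")


def unkeyed_digest(cert: dict) -> str:
    """Plain SHA-256: computable by anyone who can read the QR fields."""
    return hashlib.sha256(canonical(cert)).hexdigest().upper()


def keyed_tag(cert: dict, key: bytes) -> str:
    """HMAC-SHA256: computable only by holders of the key."""
    return hmac.new(key, canonical(cert), hashlib.sha256).hexdigest().upper()


def check_unkeyed(cert: dict, presented: str) -> bool:
    return hmac.compare_digest(unkeyed_digest(cert), presented)


def check_keyed(cert: dict, presented: str, key: bytes) -> bool:
    return hmac.compare_digest(keyed_tag(cert, key), presented)


def demo() -> dict:
    # A record whose payload differs from what was issued, carrying a value
    # recomputed without the key (all that a party outside the issuer can produce).
    altered = dict(ISSUED, hcert="eyJuYW1lIjoiT1RIRVIifQ==")
    keyless_value = unkeyed_digest(altered)
    return {
        "unkeyed_accepts_issued": check_unkeyed(ISSUED, unkeyed_digest(ISSUED)),
        "unkeyed_accepts_altered": check_unkeyed(altered, keyless_value),
        "keyed_accepts_issued": check_keyed(ISSUED, keyed_tag(ISSUED, DEVICE_KEY), DEVICE_KEY),
        "keyed_accepts_altered": check_keyed(altered, keyless_value, DEVICE_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

The unkeyed check only shows that the fields and the digest agree with each other, which detects scanning or transcription errors and nothing more. A public-key signature gives the same offline property as the keyed tag without placing any secret on the verifying device.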
 