South Africa's Covid-19 vaccine certificate system is live

[Norrad]

Is there anywhere you need to produce this?

A few events are asking for them. Soccer and racing come to mind. I've had to supply mine for a hotel booking for next month and for a visa application for early next year. I also had it scanned at the local post office, but on a voluntary basis to test the system.

 

["D"]

and for a visa application for early next year

Dear South African,

Your application has been DENIED!

- The World

 

[Norrad]

Dear South African,

Your application has been DENIED!

- The World

Actually nope. Only flights are the issue, but visas are being processed as normal and if you spend 21 days in another country, without travel restrictions, then you are able to travel to anywhere you want. Changed my flights so now heading to a former Soviet block country for three weeks before continuing my travel plans as normal

 

["D"]

Changed my flights so now heading to a former Soviet block country for three weeks before continuing my travel plans as normal

There is only Soviet block, comrade ...
There is no former Soviet block - remember that, comrade ...

 

[JHS1]

The "hcert" string is base64 encoded, you can decode that to see the json payload with your personal details, pretty much what's printed on the certificate.

Can get all the info by decoding the "main" base64 encoded string. The hsa256 inside the qr code also seems to be a base64 encoded string. I can get the hex hsa256 string from it eg D4A60EBF3029D6D9869864DD1C4B0E0D0EB56AA5477F700E4468CB0C47F9F09C

It is 256 bits long.

But how is the hsa256 inside the qr code calculated from the "payload" and the "public key"?

There can be a trillion ways to try and calculate it....fact is, it has to be able to work off line. Image you and your family go out to dinner at a restaurant and the DOH database is off line. Surely they will not show away everyone wanting to visit the restaurant because DOH is off line? There must be a way to verify the authenticity of the certificate when DOH database is off line. The only way is to calculate the sha256 from the payload (or part of it for eg using ID and certificate number) and compare it with the sha256 inside the qr code. Anyone that managed to crack it ie how to calculate the sha256 from the info inside the qr code?

 

[DA-LION-619]

Can get all the info by decoding the "main" base64 encoded string. The hsa256 inside the qr code also seems to be a base64 encoded string. I can get the hex hsa256 string from it eg D4A60EBF3029D6D9869864DD1C4B0E0D0EB56AA5477F700E4468CB0C47F9F09C

It is 256 bits long.

But how is the hsa256 inside the qr code calculated from the "payload" and the "public key"?

There can be a trillion ways to try and calculate it....fact is, it has to be able to work off line. Image you and your family go out to dinner at a restaurant and the DOH database is off line. Surely they will not show away everyone wanting to visit the restaurant because DOH is off line? There must be a way to verify the authenticity of the certificate when DOH database is off line. The only way is to calculate the sha256 from the payload (or part of it for eg using ID and certificate number) and compare it with the sha256 inside the qr code. Anyone that managed to crack it ie how to calculate the sha256 from the info inside the qr code?

hashvalues => $"{alg}--{kid}--{iss}--{iat}--{exp}--{hcert}--{hashalg}";

 

["D"]

Spurvalues => $"{all}--{kids}--{eat}--{free}--{all}--{day}--{hashtag}";

True/False?

 

["D"]

South Africa's Covid-19 vaccine certificate system is live​

... and now more useless than ever.

 

[Geoff.D]

So the first people "eligible" for boosters will only be able get an appointment for it from January 2022.

Nothing like perpetuating a broken system.

 

[ShaunSA]

... and now more useless than ever.

I reckon in a few months the Covid Karens will be having vaccine certificate burnings

 

[DA-LION-619]

True/False?

relax karen

 

[JHS1]

hashvalues => $"{alg}--{kid}--{iss}--{iat}--{exp}--{hcert}--{hashalg}";

Oh my goodness - got it sorted out! Amazing! Thanks for the direction - took a while to get to the correct string format to calculate the SHA256 but eventually got it sorted. I can calculate SHA256 for version 2 from the data inside the qr code....

 

[blunt]

Can get all the info by decoding the "main" base64 encoded string. The hsa256 inside the qr code also seems to be a base64 encoded string. I can get the hex hsa256 string from it eg D4A60EBF3029D6D9869864DD1C4B0E0D0EB56AA5477F700E4468CB0C47F9F09C

It is 256 bits long.

But how is the hsa256 inside the qr code calculated from the "payload" and the "public key"?

There can be a trillion ways to try and calculate it....fact is, it has to be able to work off line. Image you and your family go out to dinner at a restaurant and the DOH database is off line. Surely they will not show away everyone wanting to visit the restaurant because DOH is off line? There must be a way to verify the authenticity of the certificate when DOH database is off line. The only way is to calculate the sha256 from the payload (or part of it for eg using ID and certificate number) and compare it with the sha256 inside the qr code. Anyone that managed to crack it ie how to calculate the sha256 from the info inside the qr code?

i haven't done any investigations into this vaccine certificate but I work with DM/QR code offline auth (entry permits and the like) and the way to auth offline is usually up to a private key that sits on the authenticating device, no need to be online as long as it can replicate the same signature using the private key and the data presented.

 

[JHS1]

i haven't done any investigations into this vaccine certificate but I work with DM/QR code offline auth (entry permits and the like) and the way to auth offline is usually up to a private key that sits on the authenticating device, no need to be online as long as it can replicate the same signature using the private key and the data presented.

I have cracked it open...actually very simple once one knows what the string should look like to calculate the sha256 from

 

[blunt]

I have cracked it open...actually very simple once one knows what the string should look like to calculate the sha256 from

So no external salt to make it not replicable.. amature hour at gov.za

 

[Flanders]

... and now more useless than ever.

Only the clean shall spread the germ at sporting events, in theaters and to foreign lands!

 

[JHS1]

So no external salt to make it not replicable.. amature hour at gov.za

No Salt.