This website is a tool for generating and validating COVID-19 credentials in the EU DCC and UK domestic standard. These are not real credentials but ones able to be validated via the acceptance (ACC) and test environments of the EU DCC gateway and UK national backend.
Fig 1 - Vaccination tab
During my time as a Techincal Architect on the NHS Covid Pass Programme, I had the responsibilty of ensuring the NHS app and verifier conformed to the EU Digital Covid Certificate (DCC) standard. There were many times where I needed to quickly ensure the validity of a generated credential, or create a new one to test the NHS Verifier App or extract a public key/key id from a document signing certificate. This could be time consuming to accomplish as the end to end process of generating a credential in our lower enviroments required test accounts that often contained out of date test data meaning the generated credential would automatically fail verification or our test private keys would be locked under Azure Key Vault access which most people in the program did not have access to. I started creating small node apps to accomplish some of these tasks. Running them locally via the command line. This proved to be extremely useful in my work. Eventually, I had so many of these apps it seemed like a much better idea to collate them into one application and open it up on the web for others in the NHS Covid Pass program to use. Thus resulting in the Covid-Credential-Tools web app!
Generation
The standard defines Vaccination, Recovery and Test certificate types. Each type contains it's own set of unique properties along with several shared properites for security claims, personal info and signing details. Using ChakraUI, I created forms for each type and placed them within their own tab. The idea would be that more tabs could be added for future supported standards or functionality but the immediate goal was the EU DCC.
All properties are auto filled out for easy generation. Clicking the "Generate Certificate" button will open a modal with the generated credential encoded as a downloadable QR code. Alongside this, there is a string representation of the encoded certificate labeled "HC1". As well as the public key and key id used for verification.
Fig 2 - Generation result modal
Verification
The QR is easily downloadable via the download QR button and can then be uploaded directly into the validation section. Unless the private key used for signing was selected from a certificate available in the DCC Gateway, the "Input public key" option must be selected to validation to succeed.
Fig 3 - Validation upload tab
Webcam can also be used to scan the QR code directly! Once uploaded, the validation modal will appear with the results of decoding and signature verification.
Fig 4 - Validation result modal
There are several steps to successful verification of a valid EU DCC, failure at anyone of these is highlighted on the righthand side of the modal. As this is a testing tool, it's important to highlight if there are multiple failures within the certificate so a single point of failure wont necessarily stop the validation process as highlighted in Fig 5.
Fig 5 - Validation result modal failures
Key Id + Public Key Extraction
The public key and key id of a DCC is a very important component in verification of a DCC's signature. The key id value is embedded into one of the DCC's security claims at the point of generation and is taken from a series of bytes within the Document Signing Certificate used to sign it. Extracting a key id can only be done via a programmatic process and made sense to be added to this toolset.
Fig 6 - Key Id Extraction tab