nz_covid_pass 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: a15dcb5d048451461d684042f0b6c555816785696fc6b5878b4c482d52252f2d
+  data.tar.gz: 9d6ecccff2869460d6049fafa285551f179c40d9d318b4ccbecc7afaa3ee85d0
+SHA512:
+  metadata.gz: f197842d3ddf735008a7e841c5bce7ba7d8da574084f7c1373ad74e804dd62b338b07a917c352841224af1d060190d28f81b0adc8a46157f0d649c09f56345b7
+  data.tar.gz: 433861af9fe0a5f01e2ee7318040766e45217ac7633c92f22a130accdfc6de02014798538060551105d7753c55ddf37ce3bdce2f9110d57f3a32adb2759284fc

data/lib/nz_covid_pass.rb

@@ -0,0 +1,164 @@
+require 'uri'
+require 'date'
+require 'net/http'
+require 'json'
+require 'base32'
+require 'cose'
+require 'cbor'
+require 'cwt'
+require 'jwt'
+
+class NZCovidPass
+  Error = Class.new(StandardError)
+  ParseError = Class.new(Error)
+  NetworkError = Class.new(Error)
+  NotYetValidError = Class.new(Error)
+  ExpiredError = Class.new(Error)
+
+  VERSION_IDENTIFIER = "1"
+
+  TRUSTED_ISSUER_IDENTIFIERS = [
+    "did:web:nzcp.identity.health.nz",
+  ]
+
+  TEST_TRUSTED_ISSUER_IDENTIFIERS = [
+    "did:web:nzcp.covid19.health.nz",
+  ]
+
+  def initialize(code, allow_test_issuers: false, time: Time.now, cache: nil)
+    @code = code
+    @allow_test_issuers = allow_test_issuers
+    @time = time
+    @cache = cache
+
+    verify!
+  end
+
+  def verify!
+    raise ParseError, "invalid URL format" unless url_components
+    raise ParseError, "scheme must be NZCP" unless url_components[:scheme] == "NZCP"
+    raise ParseError, "version must be #{VERSION_IDENTIFIER}" unless url_components[:version] == VERSION_IDENTIFIER
+    raise ParseError, "ALG must be ES256 (-7)" unless alg == -7
+    raise ParseError, "invalid issuer" unless trusted_issuer_identifiers.include?(cwt.iss)
+    raise ParseError, "no vc claim" unless vc
+    raise ParseError, "invalid vc @context" unless vc["@context"].first == "https://www.w3.org/2018/credentials/v1"
+    raise ParseError, "invalid vc type" unless vc["type"] == ["VerifiableCredential", "PublicCovidPass"]
+    raise NotYetValidError, "not yet valid" if cwt.nbf > @time.to_i
+    raise ExpiredError, "expired" if cwt.exp < @time.to_i
+    raise ParseError, "invalid jti" unless jti
+    raise ParseError, "credentialSubject missing" unless credential_subject
+    raise ParseError, "givenName missing" unless given_name
+    raise ParseError, "dob missing" unless dob
+
+    sign1.verify(retrieve_public_key)
+  end
+
+  def given_name
+    credential_subject["givenName"]
+  end
+
+  def family_name
+    credential_subject["familyName"]
+  end
+
+  def dob
+    credential_subject["dob"] && Date.parse(credential_subject["dob"])
+  end
+
+  def jti
+    cti = cwt.cti
+    if cti.length == 16
+      match = cti.unpack("H32").first.match(/^(.{8})(.{4})(.{4})(.{4})(.{12})$/)
+      "urn:uuid:#{match.captures.join("-")}"
+    end
+  end
+
+  def version
+    vc["version"]
+  end
+
+  private
+
+  def url_components
+    if match = @code.match(%r(\A([^:]+):/([^/]+)/([A-Z2-7]+)\z))
+      scheme, version, data = match.captures
+      {scheme: scheme, version: version, data: data}
+    end
+  end
+
+  def credential_subject
+    vc["credentialSubject"]
+  end
+
+  def kid
+    sign1.protected_headers.fetch(4)
+  end
+
+  def alg
+    sign1.protected_headers.fetch(1)
+  end
+
+  def sign1
+    @sign1 ||= begin
+      cbor_data = Base32.decode(url_components[:data])
+      COSE::Sign1.deserialize(cbor_data)
+    end
+  end
+
+  def sign1_payload
+    @sign1_payload ||= CBOR.decode(sign1.payload)
+  end
+
+  def cwt
+    @cwt ||= CWT::ClaimsSet.from_cbor(sign1.payload)
+  end
+
+  def vc
+    @vc ||= sign1_payload["vc"]
+  end
+
+  def retrieve_public_key
+    did_data = retrieve_did_document
+
+    key_reference = "#{cwt.iss}##{kid}"
+    verification_method = did_data["verificationMethod"].detect { |method| method["id"] == key_reference }
+
+    if verification_method.nil?
+      raise ParseError, "No matching verification method found in did document"
+    end
+
+    jwk_data = verification_method["publicKeyJwk"]
+    jwk = JWT::JWK.import(jwk_data)
+    key = COSE::Key.from_pkey(jwk.keypair)
+
+    key.kid = kid
+    key
+  end
+
+  def retrieve_did_document
+    host = cwt.iss.split(":").last
+
+    return @cache[host] if @cache && @cache[host]
+
+    http = Net::HTTP.new(host, 443)
+    http.use_ssl = true
+    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    request = Net::HTTP::Get.new("/.well-known/did.json", {"Accept" => "application/json"})
+
+    response = http.request(request)
+    raise NetworkError, "https request returned response code #{response.code}" unless response.code == "200"
+
+    document = JSON.parse(response.body)
+    @cache[host] = document if @cache
+
+    document
+  end
+
+  def trusted_issuer_identifiers
+    if @allow_test_issuers
+      TRUSTED_ISSUER_IDENTIFIERS + TEST_TRUSTED_ISSUER_IDENTIFIERS
+    else
+      TRUSTED_ISSUER_IDENTIFIERS
+    end
+  end
+end

metadata

@@ -0,0 +1,114 @@
+--- !ruby/object:Gem::Specification
+name: nz_covid_pass
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Roger Nesbitt
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2021-11-05 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: base32
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.3.4
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.3.4
+- !ruby/object:Gem::Dependency
+  name: cose
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.2.0
+- !ruby/object:Gem::Dependency
+  name: cbor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.5.9.6
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.5.9.6
+- !ruby/object:Gem::Dependency
+  name: cwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.5.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.5.0
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.3.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.3.0
+description: This gem reads in the data contained in a NZ Covid Pass 2D barcode, confirms
+  the signature and outputs the signed data inside
+email: roger@seriousorange.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/nz_covid_pass.rb
+homepage: https://github.com/mogest/nz_covid_pass
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.6
+signing_key:
+specification_version: 4
+summary: Reads and validates the signature of NZ Covid Pass passes
+test_files: []