shc_vaccination_test_kit 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 1c23c78ef1451bcc51f3633dd1c0d20ba64368e126ad0eeb4be8fcd1b8becc29
+  data.tar.gz: 7698e4dc844ffc7e5e4f036f806f240cc74021be0a7a2333b2099d5c8eda04fa
+SHA512:
+  metadata.gz: fe7b22402868e2a3c8e46b034ab143d073dec02680038236a33c52bc346d4cd21f974afb7096d4d7d84a20fe689d74fced392b9849cfba2fd2694a8b614da8e3
+  data.tar.gz: 3e0e040010f37e656910b7a0a1265583977ed6a9f29f720d0188568ea2c75db2c0cd54fc425d9fc2300afb8c4ddcdada6df255347ed1ab30f145bc9726592d5c

data/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "{}"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright {yyyy} {name of copyright owner}
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

data/lib/covid19_vci/fhir_operation.rb

@@ -0,0 +1,105 @@
+require_relative 'vc_fhir_validation'
+require_relative 'vc_headers'
+require_relative 'vc_payload_verification'
+require_relative 'vc_signature_verification'
+
+module Covid19VCI
+  class FHIROperation < Inferno::TestGroup
+    id 'vci_fhir_operation'
+    title 'Download and validate a health card via FHIR $health-cards-issue operation'
+
+    input :base_fhir_url, :patient_id
+
+    fhir_client do
+      url :base_fhir_url
+    end
+
+    test do
+      title 'Server advertises health card support in its SMART configuration'
+      id 'vci-fhir-01'
+
+      run do
+        get("#{base_fhir_url}/.well-known/smart-configuration")
+
+        assert_response_status(200)
+        assert_valid_json(response[:body])
+
+        smart_configuration = JSON.parse(response[:body])
+
+        assert smart_configuration['capabilities']&.include?('health-cards'),
+               "SMART configuration does not list support for 'health-cards' capability"
+      end
+    end
+
+    test do
+      title 'Server advertises $health-cards-issue operation support in its CapabilityStatement'
+      id 'vci-fhir-02'
+
+      run do
+        fhir_get_capability_statement
+
+        assert_response_status(200)
+
+        operations = resource.rest&.flat_map do |rest|
+          rest.resource
+            &.select { |r| r.type == 'Patient' && r.respond_to?(:operation) }
+            &.flat_map(&:operation)
+        end&.compact
+
+        operation_defined = operations.any? { |operation| operation.name == 'health-cards-issue' }
+
+        assert operation_defined,
+               'Server CapabilityStatement did not declare support for $health-cards-issue operation ' \
+               'on the Patient resource.'
+      end
+    end
+
+    test do
+      title 'Server returns a health card from the $health-cards-issue operation'
+      id 'vci-fhir-03'
+      output :credential_strings
+
+      run do
+        request_params = FHIR::Parameters.new(
+          parameter: [
+            {
+              name: 'credentialType',
+              valueUri: 'https://smarthealth.cards#covid19'
+            }
+          ]
+        )
+        fhir_operation("/Patient/#{patient_id}/$health-cards-issue", body: request_params)
+
+        assert_response_status((200..207).to_a)
+        assert_resource_type(:parameters)
+
+        hc_parameters = resource.parameter.select { |parameter| parameter.name == 'verifiableCredential' }
+
+        assert hc_parameters.present?, 'No COVID-19 health cards were returned'
+        credential_strings = hc_parameters.map(&:value).join(',')
+
+        output credential_strings: credential_strings
+
+        count = hc_parameters.length
+
+        pass "#{count} verifiable #{'credential'.pluralize(count)} received"
+      end
+    end
+
+    test from: :vc_headers do
+      id 'vci-fhir-04'
+    end
+
+    test from: :vc_signature_verification do
+      id 'vci-fhir-05'
+    end
+
+    test from: :vc_payload_verification do
+      id 'vci-fhir-06'
+    end
+
+    test from: :vc_fhir_verification do
+      id 'vci-fhir-07'
+    end
+  end
+end

data/lib/covid19_vci/file_download.rb

@@ -0,0 +1,109 @@
+require_relative 'vc_fhir_validation'
+require_relative 'vc_headers'
+require_relative 'vc_payload_verification'
+require_relative 'vc_signature_verification'
+
+module Covid19VCI
+  class FileDownload < Inferno::TestGroup
+    id 'vci_file_download'
+    title 'Download and validate a health card via file download'
+
+    input :file_download_url
+
+    test do
+      id 'vci-file-01'
+      title 'Health card can be downloaded'
+      description 'The health card can be downloaded and is a valid JSON object'
+      makes_request :vci_file_download
+
+      run do
+        get(file_download_url, name: :vci_file_download)
+
+        assert_response_status(200)
+        assert_valid_json(response[:body])
+      end
+    end
+
+    test do
+      id 'vci-file-02'
+      title 'Response contains correct Content-Type of application/smart-health-card'
+      uses_request :vci_file_download
+
+      run do
+        skip_if request.status != 200, 'Health card not successfully downloaded'
+
+        content_type = request.response_header('Content-Type')
+
+        assert content_type.present?, 'Response did not include a Content-Type header'
+        assert content_type.value.match?(%r{\Aapplication/smart-health-card(\z|\W)}),
+               "Content-Type header was '#{content_type.value}' instead of 'application/smart-health-card'"
+      end
+    end
+
+    test do
+      id 'vci-file-03'
+      title 'Health card is provided as a file download with a .smart-health-card extension'
+      uses_request :vci_file_download
+
+      run do
+        skip_if request.status != 200, 'Health card not successfully downloaded'
+
+        pass_if request.url.ends_with?('.smart-health-card')
+
+        content_disposition = request.response_header('Content-Disposition')
+        assert content_disposition.present?,
+               "Url did not end with '.smart-health-card' and response did not include a Content-Disposition header"
+
+        attachment_pattern = /\Aattachment;/
+        assert content_disposition.value.match?(attachment_pattern),
+               "Url did not end with '.smart-health-card' and " \
+               "Content-Disposition header does not indicate file should be downloaded: '#{content_disposition}'"
+
+        extension_pattern = /filename=".*\.smart-health-card"/
+        assert content_disposition.value.match?(extension_pattern),
+               "Url did not end with '.smart-health-card' and Content-Disposition header does not indicate " \
+               "file should have a '.smart-health-card' extension: '#{content_disposition}'"
+      end
+    end
+
+    test do
+      id 'vci-file-04'
+      title 'Response contains an array of Verifiable Credential strings'
+      uses_request :vci_file_download
+      output :credential_strings
+
+      run do
+        skip_if request.status != 200, 'Health card not successfully downloaded'
+
+        body = JSON.parse(response[:body])
+        assert body.include?('verifiableCredential'),
+               "Health card does not contain 'verifiableCredential' field"
+
+        vc = body['verifiableCredential']
+
+        assert vc.is_a?(Array), "'verifiableCredential' field must contain an Array"
+        assert vc.length.positive?, "'verifiableCredential' field must contain at least one verifiable credential"
+
+        output credential_strings: vc.join(',')
+
+        pass "Received #{vc.length} verifiable #{'credential'.pluralize(vc.length)}"
+      end
+    end
+
+    test from: :vc_headers do
+      id 'vci-file-05'
+    end
+
+    test from: :vc_signature_verification do
+      id 'vci-file-06'
+    end
+
+    test from: :vc_payload_verification do
+      id 'vci-file-07'
+    end
+
+    test from: :vc_fhir_verification do
+      id 'vci-file-08'
+    end
+  end
+end

data/lib/covid19_vci/vc_fhir_validation.rb

@@ -0,0 +1,75 @@
+module Covid19VCI
+  class VCFHIRVerification < Inferno::Test
+    title 'Health Card payloads conform to the Vaccination Credential Bundle Profiles'
+    input :credential_strings
+
+    id :vc_fhir_verification
+
+    run do
+      skip_if credential_strings.blank?, 'No Verifiable Credentials received'
+
+      credential_strings.split(',').each do |credential|
+        raw_payload = HealthCards::JWS.from_jws(credential).payload
+        assert raw_payload&.length&.positive?, 'No payload found'
+
+        decompressed_payload =
+          begin
+            Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(raw_payload)
+          rescue Zlib::DataError
+            assert false, 'Payload compression error. Unable to inflate payload.'
+          end
+
+        assert decompressed_payload.length.positive?, 'Payload compression error. Unable to inflate payload.'
+
+        payload_length = decompressed_payload.length
+        health_card = HealthCards::COVIDHealthCard.from_jws(credential)
+        health_card_length = health_card.to_json.length
+
+        assert_valid_json decompressed_payload, 'Payload is not valid JSON'
+
+        payload = JSON.parse(decompressed_payload)
+        vc = payload['vc']
+        assert vc.is_a?(Hash), "Expected 'vc' claim to be a JSON object, but found #{vc.class}"
+
+        subject = vc['credentialSubject']
+        assert subject.is_a?(Hash), "Expected 'vc.credentialSubject' to be a JSON object, but found #{subject.class}"
+
+        raw_bundle = subject['fhirBundle']
+        assert raw_bundle.is_a?(Hash), "Expected 'vc.fhirBundle' to be a JSON object, but found #{raw_bundle.class}"
+
+        bundle = FHIR::Bundle.new(raw_bundle)
+
+        # assert bundle.entry.any? { |r| r.resource.is_a?(FHIR::Immunization) } || bundle.entry.any? { |r| r.resource.is_a?(FHIR::Observation) },
+        # "Bundle must have either Immunization entries or Observation entries"
+
+        # if bundle.entry.any? { |r| r.resource.is_a?(FHIR::Immunization) }
+          assert_valid_resource(
+            resource: bundle,
+            profile_url: 'http://hl7.org/fhir/uv/smarthealthcards-vaccination/StructureDefinition/vaccination-credential-bundle'
+          )
+
+          warning do
+            assert_valid_resource(
+              resource: bundle,
+              profile_url: 'http://hl7.org/fhir/uv/smarthealthcards-vaccination/StructureDefinition/vaccination-credential-bundle-dm'
+            )
+          end
+        # end
+
+        if bundle.entry.any? { |r| r.resource.is_a?(FHIR::Observation) }
+          assert_valid_resource(
+            resource: bundle,
+            profile_url: 'http://hl7.org/fhir/uv/smarthealthcards-vaccination/StructureDefinition/covid19-laboratory-bundle'
+          )
+
+          warning do
+            assert_valid_resource(
+              resource: bundle,
+              profile_url: 'http://hl7.org/fhir/uv/smarthealthcards-vaccination/StructureDefinition/covid19-laboratory-bundle-dm'
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/lib/covid19_vci/vc_headers.rb

@@ -0,0 +1,21 @@
+module Covid19VCI
+  class VCHeaders < Inferno::Test
+    title 'Health Cards contain the correct headers'
+    input :credential_strings
+
+    id :vc_headers
+
+    run do
+      skip_if credential_strings.blank?, 'No Verifiable Credentials received'
+      credential_strings.split(',').each do |credential|
+        header = HealthCards::JWS.from_jws(credential).header
+
+        assert header['zip'] == 'DEF', "Expected 'zip' header to equal 'DEF', but found '#{header['zip']}'"
+        assert header['alg'] == 'ES256', "Expected 'alg' header to equal 'ES256', but found '#{header['alg']}'"
+        assert header['kid'].present?, "No 'kid' header was present"
+      rescue StandardError => e
+        assert false, "Error decoding credential: #{e.message}"
+      end
+    end
+  end
+end

data/lib/covid19_vci/vc_payload_verification.rb

@@ -0,0 +1,115 @@
+module Covid19VCI
+  class VCPayloadVerification < Inferno::Test
+    title 'Health Card payloads follow the spec requirements'
+    input :credential_strings
+
+    id :vc_payload_verification
+
+    run do
+      skip_if credential_strings.blank?, 'No Verifiable Credentials received'
+
+      credential_strings.split(',').each do |credential|
+        raw_payload = HealthCards::JWS.from_jws(credential).payload
+        assert raw_payload&.length&.positive?, 'No payload found'
+
+        decompressed_payload =
+          begin
+            Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(raw_payload)
+          rescue Zlib::DataError
+            assert false, 'Payload compression error. Unable to inflate payload.'
+          end
+
+        assert decompressed_payload.length.positive?, 'Payload compression error. Unable to inflate payload.'
+
+        payload_length = decompressed_payload.length
+        health_card = HealthCards::HealthCard.from_jws(credential)
+        health_card_length = health_card.to_json.length
+
+        warning do
+          assert payload_length <= health_card_length,
+                 "Payload may not be properly minified. Received a payload with length #{payload_length}, " \
+                 "but was able to generate a payload with length #{health_card_length}"
+        end
+
+        assert_valid_json decompressed_payload, 'Payload is not valid JSON'
+
+        payload = JSON.parse(decompressed_payload)
+
+        warning do
+          nbf = payload['nbf']
+          assert nbf.present?, "Payload does not include an 'nbf' claim"
+          assert nbf.is_a?(Numeric), "Expected 'nbf' claim to be Numeric, but found #{nbf.class}"
+          issue_time = Time.at(nbf).to_datetime
+          assert issue_time < DateTime.now, "'nbf' is in the future: #{issue_time.rfc822}"
+        end
+
+        vc = payload['vc']
+        assert vc.is_a?(Hash), "Expected 'vc' claim to be a JSON object, but found #{vc.class}"
+        type = vc['type']
+
+        warning do
+          assert type.is_a?(Array), "Expected 'vc.type' to be an array, but found #{type.class}"
+          assert type.include?('https://smarthealth.cards#health-card'),
+                 "'vc.type' does not include 'https://smarthealth.cards#health-card'"
+        end
+
+        subject = vc['credentialSubject']
+        assert subject.is_a?(Hash), "Expected 'vc.credentialSubject' to be a JSON object, but found #{subject.class}"
+
+        warning do
+          assert subject['fhirVersion'].present?, "'vc.credentialSubject.fhirVersion' not provided"
+        end
+
+        raw_bundle = subject['fhirBundle']
+        assert raw_bundle.is_a?(Hash), "Expected 'vc.fhirBundle' to be a JSON object, but found #{raw_bundle.class}"
+
+        resource_scheme_regex = /\Aresource:\d+\z/
+        warning do
+          urls = raw_bundle['entry'].map { |entry| entry['fullUrl'] }
+          bad_urls = urls.reject { |url| url.match?(resource_scheme_regex) }
+          assert bad_urls.empty?,
+                 "The following Bundle entry urls do not use short resource-scheme URIs: #{bad_urls.join(', ')}"
+        end
+
+        bundle = FHIR::Bundle.new(raw_bundle)
+        resources = bundle.entry.map(&:resource)
+        bundle.entry.each { |entry| entry.resource = nil }
+        resources << bundle
+
+        resources.each do |resource|
+          warning { assert resource.id.nil?, "#{resource.resourceType} resource should not have an 'id' element" }
+
+          if resource.respond_to? :text
+            warning { assert resource.text.nil?, "#{resource.resourceType} resource should not have a 'text' element" }
+          end
+
+          walk_resource(resource) do |value, meta, path|
+            case meta['type']
+            when 'CodeableConcept'
+              warning { assert value.text.nil?, "#{resource.resourceType} should not have a #{path}.text element" }
+            when 'Coding'
+              warning do
+                assert value.display.nil?, "#{resource.resourceType} should not have a #{path}.display element"
+              end
+            when 'Reference'
+              warning do
+                next if value.reference.nil?
+
+                assert value.reference.match?(resource_scheme_regex),
+                       "#{resource.resourceType}.#{path}.reference is not using the short resource URI scheme: " \
+                       "#{value.reference}"
+              end
+            when 'Meta'
+              hash = value.to_hash
+              warning do
+                assert hash.length == 1 && hash.include?('security'),
+                       "If present, Bundle 'meta' field should only include 'security', " \
+                       "but found: #{hash.keys.join(', ')}"
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/covid19_vci/vc_signature_verification.rb

@@ -0,0 +1,69 @@
+module Covid19VCI
+  class VCSignatureVerification < Inferno::Test
+    title 'Verifiable Credential signatures can be verified'
+    input :credential_strings
+
+    id :vc_signature_verification
+
+    run do
+      skip_if credential_strings.blank?, 'No Verifiable Credentials received'
+      credential_strings.split(',').each do |credential|
+        card = HealthCards::HealthCard.from_jws(credential)
+        iss = card.issuer
+
+        jws = HealthCards::JWS.from_jws(credential)
+
+        assert iss.present?, 'Credential contains no `iss`'
+        warning { assert iss.start_with?('https://'), "`iss` SHALL use the `https` scheme: #{iss}" }
+        assert !iss.end_with?('/'), "`iss` SHALL NOT include a trailing `/`: #{iss}"
+
+        key_set_url = "#{card.issuer}/.well-known/jwks.json"
+
+        get(key_set_url)
+
+        assert_response_status(200)
+        assert_valid_json(response[:body])
+
+        cors_header = request.response_header('Control-Allow-Origin')
+        warning do
+          assert cors_header.present?,
+                 'No CORS header received. Issuers SHALL publish their public keys with CORS enabled'
+          assert cors_header.value == '*',
+                 "Expected CORS header value of `*`, but actual value was `#{cors_header.value}`"
+        end
+
+        key_set = JSON.parse(response[:body])
+
+        public_key = key_set['keys'].find { |key| key['kid'] == jws.kid }
+        key_object = HealthCards::Key.from_jwk(public_key)
+
+        assert public_key.present?, "Key set did not contain a key with a `kid` of #{jws.kid}"
+
+        warning { assert public_key['kty'] == 'EC', "Key had a `kty` value of `#{public_key['kty']}` instead of `EC`" }
+        warning do
+          assert public_key['use'] == 'sig', "Key had a `use` value of `#{public_key['use']}` instead of `sig`"
+        end
+        warning do
+          assert public_key['alg'] == 'ES256', "Key had an `alg` value of `#{public_key['alg']}` instead of `ES256`"
+        end
+        warning do
+          assert public_key['crv'] == 'P-256', "Key had a `crv` value of `#{public_key['crv']}` instead of `P-256`"
+        end
+        warning { assert !public_key.include?('d'), 'Key SHALL NOT have the private key parameter `d`' }
+        warning do
+          assert public_key['kid'] == key_object.kid,
+                 "'kid' SHALL be equal to the base64url-encoded SHA-256 JWK Thumbprint of the key. " \
+                 "Received: '#{public_key['kid']}', Expected: '#{key_object.kid}'"
+        end
+
+        verifier = HealthCards::Verifier.new(keys: key_object, resolve_keys: false)
+
+        begin
+          assert verifier.verify(jws), 'JWS signature invalid'
+        rescue StandardError => e
+          assert false, "Error decoding credential: #{e.message}"
+        end
+      end
+    end
+  end
+end

data/lib/covid19_vci/version.rb

@@ -0,0 +1,3 @@
+module Covid19VCI
+  VERSION = '0.0.1'.freeze
+end

data/lib/shc_vaccination_test_kit.rb

@@ -0,0 +1,13 @@
+require 'health_cards'
+require_relative 'covid19_vci/file_download'
+require_relative 'covid19_vci/fhir_operation'
+
+module Covid19VCI
+  class Suite < Inferno::TestSuite
+    id 'c19-vci'
+    title 'SMART Health Cards: Vaccination & Testing'
+
+    group from: :vci_file_download
+    group from: :vci_fhir_operation
+  end
+end

metadata

@@ -0,0 +1,140 @@
+--- !ruby/object:Gem::Specification
+name: shc_vaccination_test_kit
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Stephen MacVicar
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2021-06-23 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: health_cards
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: inferno_core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.0.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.0.2
+- !ruby/object:Gem::Dependency
+  name: database_cleaner-sequel
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+- !ruby/object:Gem::Dependency
+  name: factory_bot
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.1'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.10'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.11'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.11'
+description: 'A collection of tests for the SMART Health Cards: Vaccination & Testing
+  FHIR Implementation Guide'
+email:
+- vci-ig@mitre.org
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- lib/covid19_vci/fhir_operation.rb
+- lib/covid19_vci/file_download.rb
+- lib/covid19_vci/vc_fhir_validation.rb
+- lib/covid19_vci/vc_headers.rb
+- lib/covid19_vci/vc_payload_verification.rb
+- lib/covid19_vci/vc_signature_verification.rb
+- lib/covid19_vci/version.rb
+- lib/shc_vaccination_test_kit.rb
+homepage: https://github.com/inferno_community/shc-vaccination-test-kit
+licenses:
+- Apache-2.0
+metadata:
+  homepage_uri: https://github.com/inferno_community/shc-vaccination-test-kit
+  source_code_uri: https://github.com/inferno_community/shc-vaccination-test-kit
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.7.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.4
+signing_key:
+specification_version: 4
+summary: 'A collection of tests for the SMART Health Cards: Vaccination & Testing
+  FHIR Implementation Guide'
+test_files: []