Awesome breakdown, thank you! I was able to use the info in your post to confirm that verifier app code -- now published at https://github.com/bcgov/BCVAX-iOS -- hard-codes the JWK at https://smarthealthcard.phsa.ca/v1/issuer/.well-known/jwks.json . It also handles the JWS in a not-obviously-bad way (I reviewed for two specific well-known JWT shenanigans that spoofers could exploit): https://twitter.com/jstash/status/1436855539745525760
You're welcome! Funny, you were analyzing the iOS app's source at the same time I was analyzing the Android app's source. On Android, it stores the JWK as an asset so it doesn't even hit the network to get the public key, meaning that it functions perfectly well in airplane mode. Thanks for the info about the JWT shenanigans. I spoofed my card's alg as both "none" and "HS256" and it rejected both, as it should.