-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
Technical specification of the certificate.
You verify it by verifying the signature of the qr-code against the list of published X509 certificates. There is no EU wide standardized list, every country provides it's own list. A certificate gets "revoked" by just being deleted from that list. Usually countries say you should update the list at least daily, better hourly and never use a trust list that is older than 48 hours. I wrote a tiny tool to do that kind of cryptographic verification and download of the trust list as provided by several countries: https://github.com/panzi/verify-ehc
It's all a lot of work they did in very little time. I'm just glad they mostly used proven technology. Well, they use CBOR (compact binary object representation), which I never heard before and for the rules they use CertLogic, a dialect of JsonLogic that they've made up. JsonLogic seems to be a bit of an obscure and really under-specified rule format. CertLogic is more minimal, cuts out some crap, and is better specified. Although I think a bit too minimal at parts. (Anyway, I also wrote an JsonLogic+CertLogic interpreter in C, just for fun, not for serious use: https://github.com/panzi/jsonlogic-c Don't use badly tested C libraries for obscure rule formats! I just wanted to learn how to write something with tagged pointers (well, IEEE double NaN payload "pointers") and a manually crafted hashtable just for fun. The things I do for fun. But I digress.)
However, your assumption that those three entries are UVCI hashes appears to be wrong. They are only hashing and matching the "Issuing Entity" component of the UVCI. This is easier to see in the Android version of the code. See also Annex 2 of the corresponding guidelines document for more information about the composition of the UVCI.