An open source API to validate the EU Covid Certificates / Green Certificates

Last update: May 30, 2022

Overview

Open Covid Certificate Validator

This an open source API to validate EU Digital COVID Certificates. It receives a COVID certificate and validates it using a list of signing certificates provided by an EU member state.

The server provides a simple JSON-API that returns validation result and the data stored inside a certificate. There is also a simple web frontend to test the service.

There is a basic demo available at

https://covid.merlinschumacher.de/

The demo neither logs IP addresses nor stores any COVID certificate data.

NOTICE: THIS IS NOT AN OFFICIAL VALIDATOR! IT COMES WITHOUT ANY WARRANTIES!

Getting started

The easiest way to run OCCV is to use a container. An up to date docker image is provided via GitHubs Container Image Registry under ghcr.io/merlinschumacher/open-covid-certificate-validator:main.

To start the container you need a recent version of Docker and docker-compose. Just execute docker-compose up and the server will answer on port 8000 of your server. Modify the compose file to fit your needs. Currently only validation against the german list of certificates provided by Ubirch is supported. But this should be able to validate all certificates issued in the EU. The certificates are updated every 24 hours.

To access the API send a POST request containing the following JSON to /:

    {"dcc": "HC1:XXXX..."}

Replace the payload with the data of the COVID certificate. The server will then return the following answer, if the certificate is valid:

{
  "valid": true,
  "dccdata": {
    "1": "AT",
    "4": 1635876000,
    "6": 1620324000,
    "-260": {
      "1": {
        "v": [
          {
            "dn": 1,
            "ma": "ORG-100030215",
            "vp": "1119349007",
            "dt": "2021-02-18",
            "co": "AT",
            "ci": "URN:UVCI:01:AT:10807843F94AEE0EE5093FBC254BD813#B",
            "mp": "EU/1/20/1528",
            "is": "Ministry of Health, Austria",
            "sd": 2,
            "tg": "840539006"
          }
        ],
        "nam": {
          "fnt": "MUSTERFRAU<GOESSINGER",
          "fn": "Musterfrau-Gößinger",
          "gnt": "GABRIELE",
          "gn": "Gabriele"
        },
        "ver": "1.0.0",
        "dob": "1998-02-26"
      }
    }
  }
}

If it's invalid, the server will simply return

{
    "valid":false, 
    "ddcdata":{}
}

The ddcdata field contains all the data encoded in the certificate according to the specification by the EU

Contributing

Everyone is invited to contribute to the service and provide pull-requests, ideas and feedback.

Foremost the service needs testing with certificates from all issuing countries and also the implementation of all available validation lists from the EU members. You can contribute with testing your certificate and reporting your success or possible errors.

Privacy

While the data encoded in the certificate are sent to the server, they are never stored. They will be processed to generate a response and are deleted afterwards. There is no logging of indidivual data of any kind.

The web service

This container provides a simple web service to test and validate certificates. It uses your webcam or phone camera to scan a QR code for a certificate and sends it to the API.

Technology

The API service is written in Python and uses FastAPI to provide the JSON API. The validation is handled by python-cwt, a CBOR Web Token library.

The web interface is still very rudimentary and build in Typescript using jsQR to decode the QR codes.

Comments

Bump loader-utils from 1.4.0 to 1.4.1 in /web
Bumps loader-utils from 1.4.0 to 1.4.1.

Release notes

Sourced from loader-utils's releases.

v1.4.1

1.4.1 (2022-11-07)

Bug Fixes

security problem (#220) (4504e34)

Changelog

Sourced from loader-utils's changelog.

1.4.1 (2022-11-07)

Bug Fixes

security problem (#220) (4504e34)

Commits

8f082b3 chore(release): 1.4.1

4504e34 fix: security problem (#220)

See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies
opened by dependabot[bot] 1
Bump qs from 6.5.2 to 6.5.3 in /web
Bumps qs from 6.5.2 to 6.5.3.

Changelog

Sourced from qs's changelog.

6.5.3

[Fix] parse: ignore __proto__ keys (#428)

[Fix] utils.merge: avoid a crash with a null target and a truthy non-array source

[Fix] correctly parse nested arrays

[Fix] stringify: fix a crash with strictNullHandling and a custom filter/serializeDate (#279)

[Fix] utils: merge: fix crash when source is a truthy primitive & no options are provided

[Fix] when parseArrays is false, properly handle keys ending in []

[Fix] fix for an impossible situation: when the formatter is called with a non-string value

[Fix] utils.merge: avoid a crash with a null target and an array source

[Refactor] utils: reduce observable [[Get]]s

[Refactor] use cached Array.isArray

[Refactor] stringify: Avoid arr = arr.concat(...), push to the existing instance (#269)

[Refactor] parse: only need to reassign the var once

[Robustness] stringify: avoid relying on a global undefined (#427)

[readme] remove travis badge; add github actions/codecov badges; update URLs

[Docs] Clean up license text so it’s properly detected as BSD-3-Clause

[Docs] Clarify the need for "arrayLimit" option

[meta] fix README.md (#399)

[meta] add FUNDING.yml

[actions] backport actions from main

[Tests] always use String(x) over x.toString()

[Tests] remove nonexistent tape option

[Dev Deps] backport from main

Commits

298bfa5 v6.5.3

ed0f5dc [Fix] parse: ignore __proto__ keys (#428)

691e739 [Robustness] stringify: avoid relying on a global undefined (#427)

1072d57 [readme] remove travis badge; add github actions/codecov badges; update URLs

12ac1c4 [meta] fix README.md (#399)

0338716 [actions] backport actions from main

5639c20 Clean up license text so it’s properly detected as BSD-3-Clause

51b8a0b add FUNDING.yml

45f6759 [Fix] fix for an impossible situation: when the formatter is called with a no...

f814a7f [Dev Deps] backport from main

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies javascript
opened by dependabot[bot] 0
Bump certifi from 2021.10.8 to 2022.12.7
Bumps certifi from 2021.10.8 to 2022.12.7.

Commits

9e9e840 2022.12.07

b81bdb2 2022.09.24

939a28f 2022.09.14

aca828a 2022.06.15.2

de0eae1 Only use importlib.resources's new files() / Traversable API on Python ≥3.11 ...

b8eb5e9 2022.06.15.1

47fb7ab Fix deprecation warning on Python 3.11 (#199)

b0b48e0 fixes #198 -- update link in license

9d514b4 2022.06.15

4151e88 Add py.typed to MANIFEST.in to package in sdist (#196)

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies python
opened by dependabot[bot] 0
Bump loader-utils from 1.4.0 to 1.4.2 in /web
Bumps loader-utils from 1.4.0 to 1.4.2.

Release notes

Sourced from loader-utils's releases.

v1.4.2

1.4.2 (2022-11-11)

Bug Fixes

ReDoS problem (#226) (17cbf8f)

v1.4.1

1.4.1 (2022-11-07)

Bug Fixes

security problem (#220) (4504e34)

Changelog

Sourced from loader-utils's changelog.

1.4.2 (2022-11-11)

Bug Fixes

ReDoS problem (#226) (17cbf8f)

1.4.1 (2022-11-07)

Bug Fixes

security problem (#220) (4504e34)

Commits

331ad50 chore(release): 1.4.2

17cbf8f fix: ReDoS problem (#226)

8f082b3 chore(release): 1.4.1

4504e34 fix: security problem (#220)

See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies
opened by dependabot[bot] 0
Bump minimatch from 3.0.4 to 3.0.8 in /web
Bumps minimatch from 3.0.4 to 3.0.8.

Commits

782c264 3.0.8

6ade2da fix: trim pattern

a6f52b0 3.0.7

e4cd434 fix: treat nocase:true as always having magic

e6bbe1c publishConfig for 3.0

5b7cd33 3.0.6

20b4b56 [fix] revert all breaking syntax changes

2ff0388 document, expose, and test 'partial:true' option

5dbd6a7 ci: tests and makework

dbda065 full test coverage, adding tests, deleting dead code

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies
opened by dependabot[bot] 0
Bump json-schema and jsprim in /web
Bumps json-schema and jsprim. These dependencies needed to be updated together. Updates json-schema from 0.2.3 to 0.4.0

Commits

f6f6a3b Use a little more robust method of checking instances

ef60987 Update version

b62f1da Protect against constructor modification, #84

fb427cd Link to json-schema-org repository in addition to site, fixes #54

22f1461 Don't allow proto property to be used for schema default/coerce, fixes #84

c52a27c Get basic test to pass

b3f42b3 Add security policy

3b0cec3 Update version

c28470f Update readme to acknowledge the state of the package

7dff9cd Merge pull request #81 from hodovani/patch-1

Additional commits viewable in compare view

Updates jsprim from 1.4.1 to 1.4.2

Changelog

Sourced from jsprim's changelog.

v1.4.2 (2021-11-29)

#35 Backport json-schema 0.4.0 to version 1.4.x

Commits

5c8475f joyent/node-jsprim#35 Backport json-schema 0.4.0 to version 1.4.x

See full diff in compare view

Maintainer changes

This version was pushed to npm by bahamat, a new releaser for jsprim since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies
opened by dependabot[bot] 0
Bump node-forge and webpack-dev-server in /web
Bumps node-forge to 1.3.1 and updates ancestor dependency webpack-dev-server. These dependencies need to be updated together.

Updates node-forge from 0.10.0 to 1.3.1

Changelog

Sourced from node-forge's changelog.

1.3.1 - 2022-03-29

Fixes

RFC 3447 and RFC 8017 allow for optional DigestAlgorithm NULL parameters for sha* algorithms and require NULL paramters for md2 and md5 algorithms.

1.3.0 - 2022-03-17

Security

Three RSA PKCS#1 v1.5 signature verification issues were reported by Moosa Yahyazadeh ([email protected]).

HIGH: Leniency in checking digestAlgorithm structure can lead to signature forgery.

The code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. For more information, please see "Bleichenbacher's RSA signature forgery based on implementation error" by Hal Finney.

CVE ID: CVE-2022-24771

GHSA ID: GHSA-cfm4-qjh2-4765

HIGH: Failing to check tailing garbage bytes can lead to signature forgery.

The code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. For more information, please see "Bleichenbacher's RSA signature forgery based on implementation error" by Hal Finney.

CVE ID: CVE-2022-24772

GHSA ID: GHSA-x4jg-mjrx-434g

MEDIUM: Leniency in checking type octet.

DigestInfo is not properly checked for proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.

CVE ID: CVE-2022-24773

GHSA ID: GHSA-2r2c-g63r-vccr

Fixed

[asn1] Add fallback to pretty print invalid UTF8 data.

[asn1] fromDer is now more strict and will default to ensuring all input bytes are parsed or throw an error. A new option parseAllBytes can disable this behavior.

NOTE: The previous behavior is being changed since it can lead to security issues with crafted inputs. It is possible that code doing custom DER parsing may need to adapt to this new behavior and optional flag.

[rsa] Add and use a validator to check for proper structure of parsed ASN.1

... (truncated)

Commits

a0a4a42 Release 1.3.1.

a33830f Update changelog.

740954d Allow optional DigestAlgorithm parameters.

56f4316 Allow DigestInfo.DigestAlgorith.parameters to be optional

cbf0bd5 Start 1.3.1-0.

6c5b901 Release 1.3.0.

0f3972a Update changelog.

dc77b39 Fix error checking.

bb822c0 Add advisory links.

d4395fe Update changelog.

Additional commits viewable in compare view

Updates webpack-dev-server from 4.4.0 to 4.11.1

Release notes

Sourced from webpack-dev-server's releases.

v4.11.1

4.11.1 (2022-09-19)

Bug Fixes

respect client.logging option for all logs (#4572) (375835c)

v4.11.0

4.11.0 (2022-09-07)

Features

make allowedHosts accept localhost subdomains by default (#4357) (0a33e6a)

Bug Fixes

auto reply to OPTIONS requests only when unhandled (#4559) (984af02), closes #4551

v4.10.1

4.10.1 (2022-08-29)

Bug Fixes

compatibility with old browsers (#4544) (6a430d4)

v4.10.0

4.10.0 (2022-08-10)

Features

allow to configure more client options via resource URL (#4274) (216e3cb)

Bug Fixes

response correctly when receive an OPTIONS request (#4185) (2b3b7e0)

v4.9.3

4.9.3 (2022-06-29)

Bug Fixes

avoid creation unnecessary stream for static sockjs file (#4482) (049b153)

history-api-fallback now supports HEAD requests and handles them the same as GET (8936082)

... (truncated)

Changelog

Sourced from webpack-dev-server's changelog.

4.11.1 (2022-09-19)

Bug Fixes

respect client.logging option for all logs (#4572) (375835c)

4.11.0 (2022-09-07)

Features

make allowedHosts accept localhost subdomains by default (#4357) (0a33e6a)

Bug Fixes

auto reply to OPTIONS requests only when unhandled (#4559) (984af02), closes #4551

4.10.1 (2022-08-29)

Bug Fixes

compatibility with old browsers (#4544) (6a430d4)

4.10.0 (2022-08-10)

Features

allow to configure more client options via resource URL (#4274) (216e3cb)

Bug Fixes

response correctly when receive an OPTIONS request (#4185) (2b3b7e0)

4.9.3 (2022-06-29)

Bug Fixes

avoid creation unnecessary stream for static sockjs file (#4482) (049b153)

history-api-fallback now supports HEAD requests and handles them the same as GET (8936082)

4.9.2 (2022-06-06)

Bug Fixes

... (truncated)

Commits

418e932 chore(release): 4.11.1

375835c fix: respect client.logging option for all logs (#4572)

ef2f9e9 chore: fix examples for open target not working (#4575)

7da7336 ci: workflow security

5d4b347 chore(deps-dev): bump core-js from 3.25.1 to 3.25.2 (#4574)

87072c7 chore(deps-dev): bump @types/node-forge from 1.0.4 to 1.0.5 (#4571)

28f6381 chore(deps-dev): bump @babel/plugin-transform-runtime (#4567)

595003b chore(deps-dev): bump @babel/core from 7.19.0 to 7.19.1 (#4568)

67acc2e chore(deps-dev): bump @babel/eslint-parser from 7.18.9 to 7.19.1 (#4569)

ad2dcc5 chore(deps-dev): bump @babel/preset-env from 7.19.0 to 7.19.1 (#4570)

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies
opened by dependabot[bot] 0
Bump nanoid from 3.1.25 to 3.3.4 in /web
Bumps nanoid from 3.1.25 to 3.3.4.

Changelog

Sourced from nanoid's changelog.

3.3.4

Fixed --help in CLI (by @Lete114).

3.3.3

Reduced size (by Anton Khlynovskiy).

3.3.2

Fixed enhanced-resolve support.

3.3.1

Reduced package size.

3.3

Added size argument to function from customAlphabet (by Stefan Sundin).

3.2

Added --size and --alphabet arguments to binary (by Vitaly Baev).

3.1.32

Reduced async exports size (by Artyom Arutyunyan).

Moved from Jest to uvu (by Vitaly Baev).

3.1.31

Fixed collision vulnerability on object in size (by Artyom Arutyunyan).

3.1.30

Reduced size for project with brotli compression (by Anton Khlynovskiy).

3.1.29

Reduced npm package size.

3.1.28

Reduced npm package size.

3.1.27

Cleaned dependencies from development tools.

3.1.26

Improved performance (by Eitan Har-Shoshanim).

Reduced npm package size.

Commits

fc5bd0d Release 3.3.4 version

5ae2628 Update dependencies

2f48e9c Try to fix CI

85991e3 fix: CLI help examples (#361)

89d994c Update dependencies

00547e7 Fix benchmark order

a8f4099 bench: add back @napi-rs/uuid (#360)

acd897f Added postgres extension to various README files (#359)

772a613 Update CI and dependencies

e7aeb0f Added zig-nanoid to readme. (#357)

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies
opened by dependabot[bot] 0
Bump terser from 5.9.0 to 5.14.2 in /web
Bumps terser from 5.9.0 to 5.14.2.

Changelog

Sourced from terser's changelog.

v5.14.2

Security fix for RegExps that should not be evaluated (regexp DDOS)

Source maps improvements (#1211)

Performance improvements in long property access evaluation (#1213)

v5.14.1

keep_numbers option added to TypeScript defs (#1208)

Fixed parsing of nested template strings (#1204)

v5.14.0

Switched to @jridgewell/source-map for sourcemap generation (#1190, #1181)

Fixed source maps with non-terminated segments (#1106)

Enabled typescript types to be imported from the package (#1194)

Extra DOM props have been added (#1191)

Delete the AST while generating code, as a means to save RAM

v5.13.1

Removed self-assignments (varname=varname) (closes #1081)

Separated inlining code (for inlining things into references, or removing IIFEs)

Allow multiple identifiers with the same name in var destructuring (eg var { a, a } = x) (#1176)

v5.13.0

All calls to eval() were removed (#1171, #1184)

source-map was updated to 0.8.0-beta.0 (#1164)

NavigatorUAData was added to domprops to avoid property mangling (#1166)

v5.12.1

Fixed an issue with function definitions inside blocks (#1155)

Fixed parens of new in some situations (closes #1159)

v5.12.0

TERSER_DEBUG_DIR environment variable

@copyright comments are now preserved with the comments="some" option (#1153)

v5.11.0

Unicode code point escapes (\u{abcde}) are not emitted inside RegExp literals anymore (#1147)

acorn is now a regular dependency

v5.10.0

Massive optimization to max_line_len (#1109)

Basic support for import assertions

Marked ES2022 Object.hasOwn as a pure function

Fix delete optional?.property

New CI/CD pipeline with github actions (#1057)

... (truncated)

Commits

See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies
opened by dependabot[bot] 0
Bump async from 2.6.3 to 2.6.4 in /web
Bumps async from 2.6.3 to 2.6.4.

Changelog

Sourced from async's changelog.

v2.6.4

Fix potential prototype pollution exploit (#1828)

Commits

c6bdaca Version 2.6.4

8870da9 Update built files

4df6754 update changelog

8f7f903 Fix prototype pollution vulnerability (#1828)

See full diff in compare view

Maintainer changes

This version was pushed to npm by hargasinski, a new releaser for async since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies
opened by dependabot[bot] 0
Bump minimist from 1.2.5 to 1.2.6 in /web
Bumps minimist from 1.2.5 to 1.2.6.

Commits

7efb22a 1.2.6

ef88b93 security notice for additional prototype pollution issue

c2b9819 isConstructorOrProto adapted from PR

bc8ecee test from prototype pollution PR

See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies
opened by dependabot[bot] 0

Permission denied on startup

Hi,

I get this when trying to start the container:

# docker-compose up
Creating network "validator_default" with the default driver
Creating occv ... done
Attaching to occv
occv    | Traceback (most recent call last):
occv    |   File "/code/./main.py", line 5, in <module>
occv    | Open Covid Certificate Validator
occv    | Certificate country: DE
occv    | Development mode: False
occv    |     uvicorn.run("occv:app", host="0.0.0.0", port=8000, log_level="info")
occv    |   File "/usr/local/lib/python3.10/site-packages/uvicorn/main.py", line 447, in run
occv    |     server.run()
occv    |   File "/usr/local/lib/python3.10/site-packages/uvicorn/server.py", line 68, in run
occv    |     return asyncio.run(self.serve(sockets=sockets))
occv    |   File "/usr/local/lib/python3.10/asyncio/runners.py", line 44, in run
occv    |     return loop.run_until_complete(main)
occv    |   File "/usr/local/lib/python3.10/asyncio/base_events.py", line 641, in run_until_complete
occv    |     return future.result()
occv    |   File "/usr/local/lib/python3.10/site-packages/uvicorn/server.py", line 76, in serve
occv    |     config.load()
occv    |   File "/usr/local/lib/python3.10/site-packages/uvicorn/config.py", line 448, in load
occv    |     self.loaded_app = import_from_string(self.app)
occv    |   File "/usr/local/lib/python3.10/site-packages/uvicorn/importer.py", line 21, in import_from_string
occv    |     module = importlib.import_module(module_str)
occv    |   File "/usr/local/lib/python3.10/importlib/__init__.py", line 126, in import_module
occv    |     return _bootstrap._gcd_import(name[level:], package, level)
occv    |   File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
occv    |   File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
occv    |   File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
occv    |   File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
occv    |   File "<frozen importlib._bootstrap_external>", line 883, in exec_module
occv    |   File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
occv    |   File "/code/occv.py", line 47, in <module>
occv    |     validator = DCCValidator(CERT_COUNTRY)
occv    |   File "/code/validator.py", line 33, in __init__
occv    |     self._cert_loader = self._get_cert_loader(country)()
occv    |   File "/code/cert_loaders/de.py", line 23, in __init__
occv    |     self._build_certlist()
occv    |   File "/code/cert_loaders/de.py", line 140, in _build_certlist
occv    |     certs_str = self._load_certs()
occv    |   File "/code/cert_loaders/de.py", line 86, in _load_certs
occv    |     certs_str = self._download_certs()
occv    |   File "/code/cert_loaders/de.py", line 130, in _download_certs
occv    |     self._save_certs(certs_str, signature)
occv    |   File "/code/cert_loaders/de.py", line 55, in _save_certs
occv    |     with open("./data/" + self._cert_filename, 'wb') as f:
occv    | PermissionError: [Errno 13] Permission denied: './data/de.json'
occv exited with code 1

Maybe this has something to do with a version error on docker-compose.yml:

# docker-compose up -d
ERROR: Version in "./docker-compose.yml" is unsupported. You might be seeing this error because you're using the wrong Compose file version. Either specify a supported version (e.g "2.2" or "3.3") and place your service definitions under the `services` key, or omit the `version` key and place your service definitions at the root of the file to use version 1.
For more on the Compose file format versions, see https://docs.docker.com/compose/compose-file/

I changed the version entry to "3.3" which yields the above error.

System info:

# docker-compose -v
docker-compose version 1.25.0, build unknown

# docker -v
Docker version 20.10.7, build 20.10.7-0ubuntu5~20.04.2

opened by hokascha 2

check if a certificate is valid by date or is a final injection

Currently, the service only evaluates, if a certificate has a correct cryptographic signature, but not if the last vaccination was given more than 14 days ago or if it's a completed vaccination cycle of 1 or 2 injections.
enhancement

opened by merlinschumacher 0

Releases(v0.0.6)

v0.0.6(Jan 2, 2022)

This release fixes the broken update mechanism. The certificates will now be updated every 24hs.

Full Changelog: https://github.com/merlinschumacher/Open-Covid-Certificate-Validator/compare/v0.0.5...v0.0.6
Source code(tar.gz)
Source code(zip)
v0.0.5(Dec 15, 2021)

@dajiaji fixed a bug in https://github.com/dajiaji/python-cwt which blocked some certificates from being verified.
Source code(tar.gz)
Source code(zip)
v0.0.4(Dec 13, 2021)

This version will always return DCC data. Even if the validation fails. Also the tests have been extended.

Full Changelog: https://github.com/merlinschumacher/Open-Covid-Certificate-Validator/compare/v0.0.3...v0.0.4
Source code(tar.gz)
Source code(zip)
v0.0.3(Nov 25, 2021)

This version supports the Austrian certificate infrastructure. Just set AT as the CERT_COUNTRY variable. It also exports business rules needed to check the validity of a certificate according to national rules.
Source code(tar.gz)
Source code(zip)
v0.0.2(Nov 8, 2021)

This update only updates the dependencies and adds new certificates for unit testing.
Source code(tar.gz)
Source code(zip)
v0.0.1(Aug 16, 2021)

The first release contains a working validator for EU COVID certificates / EU Green Certificates / Digitaler Impfnachweis. It currently only supports the certificate list provided by Germany, which should be able to validate all conforming European vaccination certificates. The German certificates are signature checked when (down)loaded.

Notice: This software is still very rudimentary. It comes withour any warrant.
Source code(tar.gz)
Source code(zip)

An open source API to validate the EU Covid Certificates / Green Certificates

Related tags

Overview

Open Covid Certificate Validator

NOTICE: THIS IS NOT AN OFFICIAL VALIDATOR! IT COMES WITHOUT ANY WARRANTIES!

Getting started

Contributing

Privacy

The web service

Technology

Comments

v1.4.1

1.4.1 (2022-11-07)

Bug Fixes

1.4.1 (2022-11-07)

Bug Fixes

6.5.3

v1.4.2

1.4.2 (2022-11-11)

Bug Fixes

v1.4.1

1.4.1 (2022-11-07)

Bug Fixes

1.4.2 (2022-11-11)

Bug Fixes

1.4.1 (2022-11-07)

Bug Fixes

v1.4.2 (2021-11-29)

1.3.1 - 2022-03-29

Fixes

1.3.0 - 2022-03-17

Security

Fixed

v4.11.1

4.11.1 (2022-09-19)

Bug Fixes

v4.11.0

4.11.0 (2022-09-07)

Features

Bug Fixes

v4.10.1

4.10.1 (2022-08-29)

Bug Fixes

v4.10.0

4.10.0 (2022-08-10)

Features

Bug Fixes

v4.9.3

4.9.3 (2022-06-29)

Bug Fixes

4.11.1 (2022-09-19)

Bug Fixes

4.11.0 (2022-09-07)

Features

Bug Fixes

4.10.1 (2022-08-29)

Bug Fixes

4.10.0 (2022-08-10)

Features

Bug Fixes

4.9.3 (2022-06-29)

Bug Fixes

4.9.2 (2022-06-06)

Bug Fixes

3.3.4

3.3.3

3.3.2

3.3.1

3.3

3.2

3.1.32

3.1.31

3.1.30

3.1.29

3.1.28

3.1.27

3.1.26

v5.14.2

v5.14.1

v5.14.0