Under the hood: Australian International Covid Certificate
Oct 30, 2021
I’ve just spent a day looking under the hood at the Australian international covid certificates, and I thought I’d post a few observations here.
You can get these covid Vaccination Certificates in various ways, but I got mine from the medicare express app. In order to get it, you have to enter your passport details, and they have to match government records or your Australian passport or visa. I have at least one friend who can’t get one because he doesn’t have either of those (some people legally here don’t).
What you get is a PDF that contains a QR code. The QR code represents the following JSON (not encoded or encrypted - this is what any bar code scanner will give you):
{
  "data" : {
    "hdr" : {
      "is" : "AUS",
      "t" : "icao.vacc",
      "v" : 1
    },
    "msg" : {
      "pid" : {
        "dob" : "YYYY-MM-DD",
        "i" : "XXXXXXXXX",
        "n" : "FAMILY FIRST NAMES",
        "sex" : "M"
      },
      "uvci" : "VA0010262211",
      "ve" : [
        {
          "des" : "XM68M6",
          "dis" : "RA01.0",
          "nam" : "AstraZeneca Vaxzevria",
          "vd" : [
            {
              "adm" : "General Practitioner",
              "ctr" : "AUS",
              "dvc" : "2021-06-05",
              "lot" : "305592P",
              "seq" : 1
            },
            {
              "adm" : "General Practitioner",
              "ctr" : "AUS",
              "dvc" : "2021-08-28",
              "lot" : "308978P",
              "seq" : 2
            }
          ]
        }
      ]
    }
  },
  "sig" : {
    "alg" : "ES256",
    "cer" : "MIIDhDCCAWygAwIBAgICGMkwDQYJKoZIhvcNAQELBQAwZTELMAkGA1UEBhMCQVUxDDAKBgNVBAoMA0dPVjENMAsGA1UECwwEREZBVDEMMAoGA1UECwwDQVBPMSswKQYDVQQDDCJQYXNzcG9ydCBDb3VudHJ5IFNpZ25pbmcgQXV0aG9yaXR5MB4XDTIxMDkzMDE0MDAwMFoXDTMxMTAzMTEyNTk1OVowHDELMAkGA1UEBhMCQVUxDTALBgNVBAMTBERGQVQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATc5tWUh8cnqT2JMJRqwOb4eqooPo2K36p9r9aXW7A5n_eXLv6c5_TVvDUaX4bslfwmRxtUzzARCuTMo5lcXp_Wo1IwUDAWBgdngQgBAQYCBAswCQIBADEEEwJOVjAVBgNVHSUBAf8ECzAJBgdngQgBAQ4CMB8GA1UdIwQYMBaAFDYXwef1Z5VxLjd1cI5VgzGG6TgOMA0GCSqGSIb3DQEBCwUAA4ICAQBr9XvPP3NRKyLDPQWZjA-_2InLI72SNEiYbwnw4beq4lMl1Y-Oueli44hquwDJD13cxUyunRVcpuKPSThQYkZq6wHLWtAHNTXKF_nAdXGpXV-5RbaqTCfu-1ZQS5LpU62MByUVOmoGKf4uNkUdsMektolQHwAq6PwAG1HpPGDey3ZRbAvuDCi4ovVoffdAxuvuEUkr4_UgdcqfQ35mTx074doYubeCH6CduA_V_Xq76tA5X6CF_wW2TI_npdVL0KCel3L1BKbmXjOAmRVEioOItMAF0RmN4s78CdDBGfsv7dOsCCQl1TWVX6ZqIlkXt5xOU-mDDt8hvsloS9hkUTqfUuBcM13YmYfymKCQ_xMXAzDHH5pI8xn-MyNaYe9V5_BqQ2XOWDh5-VYyRWwyn_zdRdgUo2AboKZzZi34po57Bpkt-_u6sHJxzoqDWn9FxY18hThvFh_EKsY7pr7_gL04bCE17PJzKmbGmKppBEhle0X7K0NF9KyX5T3nzNY0q59JJkfAApXrE207zY6KboJjdc_weAnB8P38Kq8SgY4cc1MiKCM7Pz7uWEEynA1LG6vvAkjchSrLnu5e0QMW2Rc94wccfZOcx0xs9clHydcZ_ITGrRvq6tfgad73pcMJ0GRW9jqq6KCdqYa8h_DXrlyYcJTXqbgw1JIBTdOU6pHT5g==",
    "sigvl" : "kOz5jiwN5RZwERz3GWQfWv8yG82QlSWuxHmjQCBzg1-DQtcwQt6J496QXbKlbY4pdloaVQPJllDpOA5Lj4I0cA=="
  }
}
This, btw, is my real certificate with PHI redacted out. The certificate format here is defined by the ICAO as the “Visual Digital Seal” (VDS).
The data is pretty straightforward: my name, date of birth, gender, and passport number, and then vaccine, date of vaccinations and assorted supporting information. There are really only two features to comment on.
The first is that the specification says the name should be ‘FAMILY, GIVEN GIVEN etc’, but the Australian certificates have ‘FAMILY  GIVEN GIVEN’. Note in particular that there are two spaces between the family and the given names. I haven’t seen a certificate for someone with a space in their surname, but I presume the two spaces thing is reliable for that, and have coded accordingly.
The other feature of interest is that the vaccine code is “des” : “XM68M6”, “dis” : “RA01.0”, “nam” : “AstraZeneca Vaxzevria” - that’s pretty interesting. That’s two ICD-11 codes: XM68M6 is the generic code for any covid-19 vaccine, and RA01.0 is the code for Covid-19, the disease. As far as I can tell, the code for the disease doesn’t add any value - it’s implied by XM68M6 and just wastes bytes. There must be some underlying reason (I know specs, and there’ll be some reason, but I can’t infer what it is). The odd thing about this is that there are ICD-11 codes for the specific vaccines (e.g. XM4YL8 for AstraZeneca), but they’re not used. This, btw, is a feature of the specification - while ‘des’ is documented as a “Vaccine or vaccine sub-type (ICD-11 Extension codes)”, all the examples use the generic code XM68M6.
This means that if you need to figure out which vaccine was given - and most processors probably will - you’ll have to read the name field. So far, I’ve seen the values “AstraZeneca Vaxzevria” and “Pfizer Comirnity” in there.
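The two parsing rules above (the double-space name split and reading the product from the name field), as an added example that is not the author's service code. The function names, the keyword table and the sample record are constructed for illustration; a name with neither a comma nor a double space is left unsplit rather than guessed.

```python
GENERIC_COVID_VACCINE = "XM68M6"             # ICD-11 generic code seen in "des"
SPECIFIC_CODES = {"XM4YL8": "AstraZeneca"}   # specific code quoted in the post
# Keywords for the "nam" values reported in the post (assumed matching rule).
NAME_HINTS = {"astrazeneca": "AstraZeneca", "pfizer": "Pfizer"}

def split_name(n):
    """Split pid.n into (family, given, rule) without guessing."""
    n = n.strip()
    if "," in n:                      # form the specification documents
        family, given = n.split(",", 1)
        rule = "comma"
    elif "  " in n:                   # Australian form: two spaces
        family, given = n.split("  ", 1)
        rule = "double-space"
    else:                             # cannot tell where the surname ends
        family, given, rule = n, "", "unsplit"
    return " ".join(family.split()), " ".join(given.split()), rule

def vaccine_product(ve):
    """Return (product, source) for one entry of msg.ve."""
    des = ve.get("des", "")
    if des in SPECIFIC_CODES:         # a specific code wins if one is ever used
        return SPECIFIC_CODES[des], "des"
    nam = ve.get("nam", "").lower()   # generic code: fall back to the name
    for hint, product in NAME_HINTS.items():
        if hint in nam:
            return product, "nam"
    return None, "unknown"

def summarise(cert):
    """Flatten a decoded certificate into holder name parts and dose rows."""
    msg = cert["data"]["msg"]
    family, given, rule = split_name(msg["pid"]["n"])
    doses = []
    for ve in msg["ve"]:
        product, source = vaccine_product(ve)
        doses += [(d["seq"], d["dvc"], product, source) for d in ve["vd"]]
    doses.sort(key=lambda row: row[:2])
    return {"family": family, "given": given, "name_rule": rule, "doses": doses}

# Constructed sample (not a real certificate): surname containing spaces.
SAMPLE = {"data": {"msg": {"pid": {"n": "VAN DER BERG  ANNA MARIA"}, "ve": [
    {"des": "XM68M6", "nam": "AstraZeneca Vaxzevria", "vd": [
        {"seq": 2, "dvc": "2021-08-28"}, {"seq": 1, "dvc": "2021-06-05"}]}]}}}
```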
Moving on to the certificate: the data is signed by an X509 certificate per the specification. That X509 certificate is signed by the master (self-signed) certificate issued by the Australian Government (with CRL etc). It all verifies and validates ok. It’s super good that the certificate is signed, btw. Internal Australian vaccination certificates aren’t signed - I’ll come back to this issue in a later post.
So it’s possible to generate smart health cards (SHC) from these certificates. And I wrote a service to do just that, just for interest and to help people interested in playing around with SHCs. Go to https://test.fhir.org/icao/process, upload your covid certificate or an image of the QR code, and you’ll get back a signed SHC you can load into your favourite SHC app (e.g. Apple Wallet). Note that the card is signed (properly) by https://test.fhir.org, and Apple etc (rightly) don’t recognise test.fhir.org as a real healthcare service, so they’ll tell you it’s not a trusted certificate. Also note that the service has problems with some QR codes - I’ve had to get a screenshot of the screenshot of the QR code and send that instead (don’t know why, it’s the industry standard ZXing library running on the server).
For those really interested… you can also use this as an API service: POST a QR code as an image/png or the text as application/json to https://test.fhir.org/icao/process, and set the Accept header to one of image/png, application/jwt, or application/smart-health-cards, and you’ll get back a smart health card.
Update: in an earlier version of this post I hadn’t found the certificate page, and didn’t know how to verify the certificate. Fixed now.