Skip to content
This repository has been archived by the owner on May 16, 2023. It is now read-only.

[Business Rules Validation]Business Rules "passed" not displayed in "open status screen" when some schema versions do not match #679

Open
2 of 3 tasks
vaubaehn opened this issue Aug 7, 2021 · 6 comments
Assignees
Labels
bug Something isn't working mirrored-to-jira This item is also tracked internally in JIRA

Comments

@vaubaehn
Copy link

vaubaehn commented Aug 7, 2021

Avoid duplicates

  • Bug is not mentioned in the FAQ
  • Bug affects both Android and iOS, for specific issues - I only tested for Android, please check IOS
  • Bug is not already reported in another issue

Technical details

  • Device name: LGH-815 (but should be true for all)
  • iOS/Android version: Android 6.0 (but should be true for all)
  • App version: 2.6.1

Describe the bug

When DCCs are validated against the business rules of countries of arrival (CoA), CWA (and other wallet apps) need to show an "open status screen", when at least one rule could not be validated due to schema version mismatch between DCC schema version and business rule schema version. For example, as of today (07.08.2021) the Netherlands are providing business rules for vaccination certificates with schema version 1.3.0, while many vaccination certificates in Germany have been issued with schema version 1.0.0. In result, CWA currently shows for vaccination DCCs (issued before July 1st) an "open status screen" when validating against NL business rules, where every business rule is displayed for the vaccination certificate to be able (for human beings) to verify, if every rule nevertheless is compliant with requirements for vacc. DCCs set up by the NL health authorities.

But now NL added some rules for test certificates (TR-NL-0005, TR-NL-0006), where the schema version is set to "1.0.0", while other business rules for test DCCs are still schema version "1.3.0".
All business rules with schema version 1.3.0 are resulting in a status "open", and they are displayed accordingly in CWA's validation information screen. But rules that pass validation with status "pass", are not shown at all.
It would be expected, that in case some rules pass but other rules are "open" that CWA shows all rules with their related DCC content, so that the human user is able to validate its complete DCC against information found on https://reopen.europa.eu .

By the way: the other way round it's working well: when one rule fails while all other rules are "open", then CWA shows all results correctly (failed rules on top, open rules below), see #671 (comment). So "fail/open" is correct, "pass/open" is not correctly displayed.

Steps to reproduce the issue

  1. Scan TEST DCC above. The sample of the rapid immunoassay was/will be taken at 09.08.2021T10:00:00Z, and is valid for 24 hours according to rule TR-NL-0006.
  2. Check validity of DCC against Netherland rules between/for entry time between 09.08.2021T10:01:00Z and 10.08.2021T10:00:00Z
  3. See that rule TR-NL-0006 is missing in the list of all rules displayed. But it should show up (either as "passed" or at least as "open").
  4. Check validity of DCC against Netherland rules after/for entry time after 10.08.2021T10:00:00Z.
  5. See that rule TR-NL-0006 is displayed correctly as failed, while all other rules are displayed as open.

Expected behaviour

When checking validity of DCC against Netherland rules between/for entry time between 09.08.2021T10:01:00Z and 10.08.2021T10:00:00Z, the rule TR-NL-0006 should be displayed as either "passed" or also as "open", when using DCC you find above.

Possible Fix

Align logic to display validation results with mixed rules "pass/open" to the logic "fail/open".

Additional context

You'll find the related NL business rules here:
Acceptance_Rules-NL-20210806.json.txt
Pay attention to rules TR-NL-0006 (for antigen test used here) and TR-NL-0005 for NAAT.


Internal Tracking ID: EXPOSUREAPP-8909

@vaubaehn vaubaehn added the bug Something isn't working label Aug 7, 2021
@Jo-Achim
Copy link

Jo-Achim commented Aug 9, 2021

An unpleasant additional problem ... different EU vaccination certificates with different QR codes for one and the same vaccination and person!

Please verify.

There are different EU vaccination paper certificates (1) for one and the same vaccination of the same person, which can or lead to different results when the certificate is checked by the CWA with regard to entry requirements!

(1): EU certificates with "QR code left and text right" (old) and "text left and QR code right" (new).

Technical details:

Samsung Galaxy Note 10, SM-N970F/DS
Android 11 (One UI 3.1) with Android security update: 01. July 2021
Google Play-Systemupdate: June, 1st, 2021.
CWA Version: 2.6.1
ENF: 18212418000 / 18212621000

Describe the problem:

I have two different EU vaccination certificates for myself (with identical dates); once in the 'version old' (QR code on the left and text on the right corona-warn-app/cwa-app-android#3514 (comment)) and once in the 'version new' (text on the left and QR code on the right; see PS below); downloaded from my account at the local vaccination center.
Actually, I assumed that the QR codes were identical in each case - after all, as I said - it is the same two vaccinations. 'Old version' of the EU vaccination certificates was downloaded on June 21, 2021; 'Version new' on 07/30/2021.

Due to @vaubaehn's post, I have tested my two scanned EU vaccination certificates ('version old' and 'version new', each certificate from sheet 2/2, BionTech) with the entry date "09.08.2021T14:00:00Z" for the Netherlands and get different results!

Result (EU vaccination certificate, 'version old' (QR code on the left and text on the right)):

Screenshot_20210809-102558_Corona-Warn

Result (EU vaccination certificate, 'version new' (text on the left and QR code on the right)):

Screenshot_20210809-102830_Corona-Warn

Steps to reproduce the issue:

For the EU certificate 'version old' (QR code on the left and text on the right):

  1. Select "Certificates"
  2. Select your 'old certificate' (2/2): scroll down, check the URN with paper print to be sure to have the old certificate!
  3. Check validity of DCC against Netherland rules for entry time 09.08.2021T14:00:00Z
  4. Result: “Result (EU vaccination certificate, 'version old')…”; see above.

For the EU certificate 'version new' (text on the left and QR code on the right):

  1. Select "Certificates"
  2. Select your 'new certificate' (2/2): scroll down, check the URN with paper print to be sure to have the new certificate!
  3. Check validity of DCC against Netherland rules for entry time 09.08.2021T14:00:00Z
  4. Result: "Result (EU vaccination certificate, 'version new')..."; see above.

Selecting the certificates:

Screenshot_20210809-102339_Corona-Warn_2

Additional context:

I cannot check and evaluate what is normal, wrong or right here - in this respect I would like my post to be understood as a reference to be checked.

However, it might be helpful to have a hint for the user that says which of his EU vaccination certificates - if the user has several - should be used. At the moment it seems clear: the newer (currently the one with the “text on the left and QR code on the right” (new); see above) should be used.
But then it also applies: if you have the EU certificate "QR code left and text right" (old), you should get a newer one.
And what if more versions of the EU certificates come out with further QR code changes?

Possible Fixes:

Due to the different sizes of the QR codes (hopefully there are more unique version numbers in the QR code or similar) between "QR code left and text right" (old) and "text left and QR code right" (new) it could be determined which version the scanned EU vaccination certificate is. A note could be derived from this stating that the EU vaccination certificate should be renewed.
If relevant, the CWA could even check itself whether the stored certificates are stored in the current version of certificate.

Derived from the size of the QR code (or clearer version differences), the standard QR code displayed / used by CWA could be the most current / valid in each case.
Unfortunately, the QR code of the first scanned, i.e. older, certificate is currently displayed by default.

Alternatively, it would also make sense to simply advise the user to delete their old QR codes. However, these should then be marked in some way.

...

Overall, however, I cannot evaluate whether my mentioned 'possible fixes' represent sensible, permanent solutions.

In this sense, best regards, Joachim.


PS: The Links “DCC Certificate of Recovery“, ”DCC Test Certificate“ and “DCC Vaccination Certificate” in https://github.com/Digitaler-Impfnachweis/certification-apis/tree/master/templates are actually wrong: error 404.

@MikeMcC399
Copy link
Contributor

MikeMcC399 commented Aug 9, 2021

@Jo-Achim

There are different EU vaccination paper certificates (1) for one and the same vaccination of the same person, which can or lead to different results when the certificate is checked by the CWA with regard to entry requirements!

It is to be expected if an EU digital vaccination certificate is reissued, that it will have a different QR code. That is because the date of issue will be different (not the date of vaccination) and that date is included in the QR code. Also each valid certificate is individually signed.

The reason that you are getting different results for the check with the Netherlands is probably because the older certificate is using the 1.0.0 scheme and the newer one is using 1.3.0.

The simplest workaround is to remove any older vaccination certificates from CWA and just leave the newest 2 of 2 certificate in the app. You don't need any older certificate.

It would be better for you to post your issue as a separate new one. It is actually more related to corona-warn-app/cwa-app-android#3838.

The CovPass-App currently also chooses the first certificate which was scanned in. See Digitaler-Impfnachweis/covpass-android#57.

PS: The Links “DCC Certificate of Recovery“, ”DCC Test Certificate“ and “DCC Vaccination Certificate” in https://github.com/Digitaler-Impfnachweis/certification-apis/tree/master/templates are actually wrong: error 404.

You should report this issue in the https://github.com/Digitaler-Impfnachweis/certification-apis repository.

@dsarkar dsarkar added the mirrored-to-jira This item is also tracked internally in JIRA label Aug 9, 2021
@dsarkar
Copy link
Member

dsarkar commented Aug 9, 2021

@vaubaehn Thank you very much for the detailed bug report: Internal Tracking ID: EXPOSUREAPP-8909

@Jo-Achim
Copy link

Jo-Achim commented Aug 9, 2021

@MikeMcC399

Thanks for information.

It is understandable that there are newer versions of the EU vaccination card from time to time. But if older versions lead to the above-mentioned test result "Your certificate could not be fully checked", I will stick to my 'Possible Fixes:' in #679 (comment).
For example:

If relevant, the CWA could even check itself whether the stored certificates are stored in the current version of certificate.

... with appropriate information.
This would also prevent some possible frustration with the CWA.
Because a “normal consumer” who, for example, had an EU vaccination card issued - in his pharmacy, at the doctor's or in the vaccination center - hardly ever comes up with the idea that he might need a more recent certificate for the same vaccination. Therefore I think...

The simplest workaround is to remove any older vaccination certificates from CWA and just leave the newest 2 of 2 certificate in the app.

From my point of view, the easiest way is not the best here. Especially if further 'newer' vaccination certificates are expected in the future.

Unfortunately, the QR code of the first scanned, i.e. older, certificate is currently displayed by default.

It would be better for you to post your issue as a separate new one. It is actually more related to corona-warn-app/cwa-app-android#3838.

I think this point is already dealt with extensively there. But is that just an Android problem only?
Nevertheless, I added a cross-reference to my post above: corona-warn-app/cwa-app-android#3838 (comment).


PS: The Links “DCC Certificate of Recovery“, ”DCC Test Certificate“ and “DCC Vaccination Certificate” in https://github.com/Digitaler-Impfnachweis/certification-apis/tree/master/templates are actually wrong: error 404.

Done in: 'Wrong links in “DCC Certificate of Recovery“, ”DCC Test Certificate“ and “DCC Vaccination Certificate”'.

@Jo-Achim
Copy link

Jo-Achim commented Aug 10, 2021

@MikeMcC399

The CovPass-App currently also chooses the first certificate which was scanned in. See Digitaler-Impfnachweis/covpass-android#57.

that's right.

But there is a workaround to sort the EU certificates:

  1. Delete the relevant certificates.
  2. Scan the certificate that should be the standard certificate (1/2 and 2/2) first.
  3. Scan the 'old' certificate(s).

Result: the EU certificate scanned first is shown as the 'Standard Certificate'.

This works under CWA 2.6.1 as well as under CovPass 1.28.7.

Best regards, Joachim.

@Ein-Tim
Copy link
Contributor

Ein-Tim commented Apr 18, 2022

@vaubaehn I guess this was not fixed in the meantime, was it?

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
bug Something isn't working mirrored-to-jira This item is also tracked internally in JIRA
Projects
None yet
Development

No branches or pull requests

6 participants