Your Question

• Source File: https://github.com/corona-warn-app/cwa-testresult-server/blob/master/docs/architecture-overview.md
• Line(s): https://github.com/corona-warn-app/cwa-testresult-server/blob/master/docs/architecture-overview.md#threat-model
• Question: The document states that the section "Thread Model" is still in work. This statement was added more than 2 years ago with PR #35. Will you ever add this section?

Rating: Informational

Description:
It seems like some of the definitions have been copy pasted from other code with some names/comments not correctly beeing adapted to the new environment.

Proof of Concept:

Example:
The entitiy definition of
cwa-testresult-server-0.3.1/src/main/java/app/coronawarn/testresult/TestResultEntity.java
was copied from
cwa-verification-server/src/main/java/app/coronawarn/verification/domain/VerificationTan.java
and TestResultEntity still has the comment: This class represents the TAN - entity.

Rating: High

Description:

Multiple code and config files include hardcoded credentials.

Proof of Concept:

The following code and config files hold potentially sensitive data (examples are given):

cwa-testresult-server-master/TestResultsService/appsettings.Development.json:

	"LabTestResultsDB": "Server=tcp:80.158.39.182,1433;Initial Catalog=LabResultsDB;Persist Security Info=False;User ID=rdsuser01;Password=[redacted]

cwa-testresult-server-master/TestResultsDB/TestResultsDBContext.cs:25

	//optionsBuilder.UseSqlServer("Server=tcp:labresultsdbsrv.database.windows.net,1433;Initial Catalog=LabResultsDB;Persist Security Info=False;User ID=dbadmin;Password=[redacted];MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;");


cwa-testresult-server-master/TestResultsService/Properties/launchSettings.json:22/32

	"ConnectionStrings__LabTestResultsDB": "Server=tcp:80.158.39.182,1433;Initial Catalog=LabResultsDB;Persist Security Info=False;User ID=rdsuser01;Password=[redacted]

Describe the bug

keine Übermittlung des PCR Testergebnis obwohl Testergebnisse vorliegen.
Der "Übermittlungs / Schnittstellen"-Fehler liegt bei mindestens zwei PCR-Tests (Ehepaar) vor.

Expected behaviour

Da das Testergebnis vom Labor nachweislich hochgeladen wurde, muss die Corona-Warn-App das Testergebnis übermitteln und anzeigen. Sonst macht diese Funktion keinen Sinn.

Steps to reproduce the issue

1. QR Code des PCR-Test erfolgreich eingescannt
2. Geburtsdatum zur Verifizierung eingegeben
3. PCR-Test wurde erfolgreich in der App hinterlegt.
4. Das Labor www.labor-froreich.de hat am selben Tag den Test fertiggestellt und das Ergebnis hochgeladen.
5. Selbst drei Tage später zeigt die App das Ergebnis nicht an, und behautet das kein Testergebnis vorliegt.

Technical details

ID 68258DD18B56C6D92384 des Fehleranalyseprotokoll
CWA Log 2021-11-15 20_41_49.281.zip

Current Implementation

Test representation as hash (Hashed GUID) and test result are send from the quicktest backend when the test result is confirmed.

Suggested Enhancement

Pass a timestamp from the Quicktest backend when the test result is confirmed. This timestamp can be considered as confirmation time of the test. The test reuslt shall get an additional attribute timestamp, which is the time of generating the QRCode in the quick-test front end (timestamp value in QRCode) at test registration and will be updated with the time of confirmation at the time the test result is given.

Interface

The existing REST payload shall be enhanced by a key "sc": number containing the time of confirmation in UNIX epoch format. This timestamp shall be mapped to the entity resultDate

Expected Benefits

As Antigen Tests give prove for certain activities (shop visits etc) and are valid for a given period of time, the exact time of the proof is crucial.

Dear server devs,

from time to time in the past year some CWA Android users experience a Web Security Exception, which looks like the certificate chain of the backend servers looks invalid for the client. See: corona-warn-app/cwa-app-android#968
While for many users this is only a temporary problem that recovers itself automatically after a while, other users were reporting, that in result some Android OS versions deactivate the root certificate T-Telesec Global Root Class 2 permanently, which makes it necessary to manually re-activate that certificate, what can be quite tricky for non-tech savvy users.
I was suspecting, that server maintenance could cause the problem, when after the maintenance the server is re-initialising and for a (probably very short) time the certificate chain (root/intermediate/server) is still not (fully) available to be delivered to the client. (1 second downtime could affect > 100 Android users, given equal distribution of client requests over the day)

I would be happy if you could confirm whether there was any maintenance going on on
Friday, 2021-06-18, between 18:50 CEST and 19:45 CEST ? That could help to find out where the issue originates.

Any idea from your side what could causethe problems described in corona-warn-app/cwa-app-android#968 would be highly appreciated.

Thank you in advance, kind regards,
v.

Current Implementation

When uploading a TR the origin is not saved.

Suggested Enhancement

Add the parameter "labId" to uploaded TR to save the ID of the laboratory.
Also add this information when TR is downloaded by verification-server.

Expected Benefits

The labId is needed to create DCC.

Rating: Medium

Description:
The client certificate check in the testresult API is currently disabled (code commented out and always returns 'true').

Proof of Concept:

From cwa-testresult-server-master/TestResultsService/ApiClientCertificateValidationService.cs:
public class ApiClientCertificateValidationService
{
public bool ValidateCertificate(X509Certificate2 clientCertificate)
{
//var cert = new X509Certificate2(Path.Combine("sts_dev_cert.pfx"), "1234");
//if (clientCertificate.Thumbprint == cert.Thumbprint)
//{
// return true;
//}

        return true;
    }
}

Your Question

After registering a PCR test in the app and waiting for some hours, a Twitter user is now seeing this:

What does Error 500 mean? Will the user still receive their test result via the CWA?

Rating: High

Description:

Authorization is disabled for all 'api/v1/app/' endpoints. This might be on purpose but has to be double checked.

Proof of Concept:

This code excerpt from /cwa-testresult-server-master/TestResultsService/Controllers/AppApiController.cs shows, that the '[Authorize' tag is commented out:

[Route("api/v1/app")]
[ApiController]
[Produces("application/json")]
[ApiExplorerSettings(GroupName = "app")]
//[Authorize]

When using the hexadecimal hash of a GUID as a key, the TestResultServer should always use upper case or always use lower case. To avoid duplicate entries for the same GUID, and to avoid false negative lookups. I would suggest enforcing it here, and possibly in addition normalizing the case closer to where the request enters the TestResultServer so callers do not need to care.

Describe the bug

All requests result in a 403 error since 24.01.2022 13:00h

Expected 204 - ok

Additional context

See corona-warn-app/cwa-quicktest-onboarding#83
corona-warn-app/cwa-quicktest-onboarding#84

Describe the bug

Trivial grammar issue: "information" doesn't have a plural. Therefore, "test result informations" in the project description should be "test result information".

Current Implementation

See the current implementation insertOrUpdate. If no TestResultEntity is beeing found in the database, the orElseGet(...) gets triggered and a new TestResultEntity is beeing saved.
After following the execution inside this function the just created entity is beeing saved again. Keep in mind that database access is expensive.

Mentioned in #57.

Suggested Enhancement

Check if TestResultEntity was beeing created and after that skip or exit function. Another approach is to check if two objects of TestResultEntity are equal. If so, do not save to database and skip or exit function.

Expected Benefits

Improved performance (even if it small) with less database access and quicker response time for the client.

Feature description

The secrets shall be read directly from the vault

Problem and motivation

Credentials and certificates are stored in vault and are exported to Openshift secrets periodicly. The use of secrets shall be prevented in favor to direcly read the properties from a vault.

[gellöst]

Es ist der gleiche Fehler wie hier bereits hier beschrieben: https://github.com/corona-warn-app/cwa-testresult-server/issues/110 nur mit einer anderen Teststation.

Insofern ist die Lösung vlt. doch im Interesse mehrerer.

Android. Samsung. Sicherheitspatch-Ebene: 1. Oktober 2022

Possible Fix

CWA Log 2022-11-06 09_49_11.652.txt

Additional context

Dank für Hilfe im Voraus!

Grüße
lovelytux

Rating: high

The testresult insertion point does not seem to be authenticated.
According to the docu there should be JWT-Token based auth.
We couldn't find an implementation of it yet.