September Update

This is no longer valid as Kry started to comply with EU laws to provide a validation QR code.

However, I have not been given any opportunity to test their new procedures.

It is therefore unknown whether any internal procedures have changed regarding the issuance of those certificates.

Original

Covid PCR Travel Certificates have become a necessity for travel.

The market is full of private labs, pop-up pharmacies and anything in between to provide PCR Travel tests and their certificates.

It seems that, in the Rush To Market, one particular provider that’s very famous here in Sweden (Kry.se) has completely forgotten to safeguard those certificates.

I was astonished to find out that the FfF Bit wasn't set anywhere on the PDF.

As a result, every Certificate PDF they issued is actually a PDF-Form that’s not locked in any notable way.

Meaning: Regardless of your PCR Result you can just untick the box and make yourself Fit-For-Travel.

Not only is this quite a sad Tech-Fail but at this point it’s also potentially endangering many people.

Now you would assume that these certificates would have any form of tamperproofing, like a QR Code or even just a cryptographic signature embedded in the PDF.

Kry’s Travel Certificates, which are widely accepted and used, do not.

It has a picture of the physician’s signature and a picture of the lab’s stamp/sigil. That’s it.
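An issuer-side check for the two gaps described above, as an added example that is not part of the original post: it lists form fields whose ReadOnly flag (bit 1 of the /Ff entry) is unset and reports whether a signature dictionary is present. The function name `auditPdf` and the sample PDFs are constructed for illustration; the scanner assumes uncompressed objects and does not validate the signature itself.

```javascript
// Added example: audit a certificate PDF for editable form fields and a signature.
// Assumptions: objects are uncompressed (no /ObjStm) and each field carries its
// own /FT and /Ff; inherited flags and compressed objects are not handled.
const READ_ONLY = 1; // bit 1 of the /Ff field-flags integer

function auditPdf(buf) {
  const text = buf.toString('latin1'); // 1 byte = 1 char, safe for binary PDFs
  const fields = [];
  const objRe = /(\d+)\s+(\d+)\s+obj\b([\s\S]*?)endobj/g;
  let m;
  while ((m = objRe.exec(text)) !== null) {
    const body = m[3];
    const ft = /\/FT\s*\/(Btn|Tx|Ch|Sig)/.exec(body);
    if (!ft) continue; // not a form field
    const ff = /\/Ff\s+(\d+)/.exec(body);
    const name = /\/T\s*\(([^)]*)\)/.exec(body);
    const flags = ff ? parseInt(ff[1], 10) : 0; // missing /Ff means no flags set
    fields.push({ obj: Number(m[1]), name: name ? name[1] : '(unnamed)',
      type: ft[1], readOnly: (flags & READ_ONLY) !== 0 });
  }
  const editable = fields.filter((f) => f.type !== 'Sig' && !f.readOnly);
  // A /ByteRange entry only shows that a signature dictionary exists; validating
  // it against a trusted certificate is a separate step not done here.
  const signed = /\/ByteRange\s*\[/.test(text);
  return { fields, editable, signed, pass: editable.length === 0 && signed };
}

// Constructed samples (not real certificates), using field names from the post.
const mkPdf = (objs) => Buffer.from(['%PDF-1.7', ...objs, '%%EOF'].join('\n'), 'latin1');
const sampleUnlocked = mkPdf([
  '1 0 obj << /Type /Catalog /AcroForm << /Fields [2 0 R 3 0 R] >> >> endobj',
  '2 0 obj << /FT /Btn /T (Check Box 22) /V /Off >> endobj',
  '3 0 obj << /FT /Tx /T (Text Field 61) /V (John Doe) /Ff 0 >> endobj',
]);
const sampleLocked = mkPdf([
  '1 0 obj << /Type /Catalog /AcroForm << /Fields [2 0 R 3 0 R 4 0 R] >> >> endobj',
  '2 0 obj << /FT /Btn /T (Check Box 22) /Ff 1 >> endobj',
  '3 0 obj << /FT /Tx /T (Text Field 61) /Ff 1 >> endobj',
  '4 0 obj << /FT /Sig /T (Signature1) /V 5 0 R >> endobj',
  '5 0 obj << /Type /Sig /ByteRange [0 100 200 50] /Contents <00> >> endobj',
]);

for (const [label, pdf] of [['unlocked', sampleUnlocked], ['locked', sampleLocked]]) {
  const r = auditPdf(pdf);
  console.log(label, 'editable:', r.editable.map((f) => f.name), 'signed:', r.signed, 'pass:', r.pass);
}
```

The ReadOnly flag only stops edits in a conforming viewer; a signature that relying parties actually validate is what makes changes to the file detectable.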

If you want to travel and don't want to spend 1250 SEK for a certificate you can just use this API to generate your certificate at will:

curl -X POST -H "Content-Type: application/json" --data '{"result":false,"name":"f0o","dob":"19920520-1234","country":"::/0","passport":"Something kewl"}' -v "https://kry-zwmnk48ux5t8333uv9r9j9x2.azurewebsites.net/api/generate"

Parameters:

{
    "result": false, //False = Negative PCR - i.e. Fit For Travel
    "name": "f0o", //Full name as stated on the passport
    "dob": "19920520-1234", //I'm uncertain about the true format, this was what I got which is your Swedish personal number
    "country": "Sweden",
    "passport": "ABCDEF1234", //Literally your passport number, for Swedes that might be identical to the personal number
    "doc": "Sven Svensson" //Physician's Name
}

Source Code:

const fs = require('fs');
const path = require('path');
const pdfform = require('pdfform.js');
const dateFormat = require('dateformat');
const tpl = fs.readFileSync(path.join(__dirname, "/template.pdf"));

module.exports = function(context, req) {
    var fields = {}
    fields["Check Box 21"]  = [req.body.result === true ? true : false]
    fields["Check Box 22"]  = [req.body.result === false ? true : false]
    fields["Text Field 60"] = [dateFormat(new Date(), "d mmmm yyyy HH:MM")]
    fields["Text Field 61"] = [req.body.name ? req.body.name : "John Doe"]
    fields["Text Field 62"] = [req.body.dob ? req.body.dob : "01.01.1970"]
    fields["Text Field 63"] = [req.body.passport ? req.body.passport : "123456"]
    fields["Text Field 64"] = [req.body.country ? req.body.country : "Sweden"]
    fields["Text Field 65"] = [req.body.doc ? req.body.doc : "Kry-PCR Generator"]
    context.res = {
        headers: {
            'Content-Type': 'application/pdf'
        },
        body: Buffer.from(pdfform("pdf.js").transform(tpl, fields)),
        isRaw: true
    }
    context.done()
}

PS:

This whole incident has been reported to the Authorities and has been published after 3 months.