org.jmrtd

Class PassportService

java.lang.Object

net.sf.scuba.smartcards.CardService

org.jmrtd.PassportApduService

org.jmrtd.PassportService

All Implemented Interfaces:

Serializable

public class PassportService
extends PassportApduService
implements Serializable

Card service for reading files (such as data groups) and using the BAC and AA protocols on the passport. Defines secure messaging. Defines active authentication. Based on Doc 9303. Originally based on ICAO-TR-PKI and ICAO-TR-LDS. Usage:

        open() ==><br />
        sendSelectApplet() ==><br />
        doBAC(...) ==><br />
        doAA() ==><br />
        getInputStream(...)<sup>*</sup> ==><br />
        close()
 

Version:

$Revision:352 $

Author:

The JMRTD team ([email protected])

See Also:

Serialized Form

Field Summary

Fields

Modifier and Type	Field and Description
static int	DEFAULT_MAX_BLOCKSIZE The default maximal blocksize used for unencrypted APDUs.
static short	EF_CARD_ACCESS Card Access.
static short	EF_CARD_SECURITY Card Security.
static short	EF_COM The data group presence list.
static short	EF_CVCA Contains EAC CVA references.
static short	EF_DG1 File identifier for data group 1.
static short	EF_DG10 File identifier for data group 10.
static short	EF_DG11 File identifier for data group 11.
static short	EF_DG12 File identifier for data group 12.
static short	EF_DG13 File identifier for data group 13.
static short	EF_DG14 File identifier for data group 14.
static short	EF_DG15 File identifier for data group 15.
static short	EF_DG16 File identifier for data group 16.
static short	EF_DG2 File identifier for data group 2.
static short	EF_DG3 File identifier for data group 3.
static short	EF_DG4 File identifier for data group 4.
static short	EF_DG5 File identifier for data group 5.
static short	EF_DG6 File identifier for data group 6.
static short	EF_DG7 File identifier for data group 7.
static short	EF_DG8 File identifier for data group 8.
static short	EF_DG9 File identifier for data group 9.
static short	EF_SOD The security document.
int	maxBlockSize Deprecated. hack
static SimpleDateFormat	SDF YYMMDD format.
static byte	SF_COM Short file identifier for file.
static byte	SF_CVCA Short file identifier for file.
static byte	SF_DG1 Short file identifier for file.
static byte	SF_DG10 Short file identifier for file.
static byte	SF_DG11 Short file identifier for file.
static byte	SF_DG12 Short file identifier for file.
static byte	SF_DG13 Short file identifier for file.
static byte	SF_DG14 Short file identifier for file.
static byte	SF_DG15 Short file identifier for file.
static byte	SF_DG16 Short file identifier for file.
static byte	SF_DG2 Short file identifier for file.
static byte	SF_DG3 Short file identifier for file.
static byte	SF_DG4 Short file identifier for file.
static byte	SF_DG5 Short file identifier for file.
static byte	SF_DG6 Short file identifier for file.
static byte	SF_DG7 Short file identifier for file.
static byte	SF_DG8 Short file identifier for file.
static byte	SF_DG9 Short file identifier for file.
static byte	SF_SOD Short file identifier for file.
protected SecureMessagingWrapper	wrapper Deprecated. visibility will be set to private

Fields inherited from class org.jmrtd.PassportApduService

APPLET_AID, CAN_PACE_KEY_REFERENCE, MRZ_PACE_KEY_REFERENCE, PIN_PACE_KEY_REFERENCE, PUK_PACE_KEY_REFERENCE

Fields inherited from class net.sf.scuba.smartcards.CardService

SESSION_STARTED_STATE, SESSION_STOPPED_STATE

Constructor Summary

Constructors

Constructor and Description
PassportService(net.sf.scuba.smartcards.CardService service) Creates a new passport service for accessing the passport.
PassportService(net.sf.scuba.smartcards.CardService service, int maxBlockSize) Creates a new passport service for accessing the passport.

Method Summary

Modifier and Type	Method and Description
void	close() Closes this service.
AAResult	doAA(PublicKey publicKey, String digestAlgorithm, String signatureAlgorithm, byte[] challenge) Performs the Active Authentication protocol.
BACResult	doBAC(BACKeySpec bacKey) Performs the Basic Access Control protocol.
BACResult	doBAC(SecretKey kEnc, SecretKey kMac) Performs the Basic Access Control protocol.
CAResult	doCA(BigInteger keyId, String oid, String publicKeyOID, PublicKey publicKey) Perform CA (Chip Authentication) part of EAC (version 1).
PACEResult	doPACE(KeySpec keySpec, String oid, AlgorithmParameterSpec params) Performs the PACE 2.0 / SAC protocol.
TAResult	doTA(CVCPrincipal caReference, List<CardVerifiableCertificate> terminalCertificates, PrivateKey terminalKey, String taAlg, CAResult chipAuthenticationResult, String documentNumber) Performs Terminal Authentication (TA) part of EAC (version 1).
net.sf.scuba.smartcards.CardFileInputStream	getInputStream(short fid) Gets the file as an input stream indicated by a file identifier.
net.sf.scuba.smartcards.APDUWrapper	getWrapper() Gets the wrapper.
boolean	isOpen() Gets whether this service is open.
void	open() Opens a session to the card.
byte[]	sendReadBinary(int offset, int le, boolean longRead) Sends a READ BINARY command to the passport, use wrapper when secure channel set up.
void	sendSelectApplet(boolean hasPACESucceeded) Selects the MRTD card side applet.
void	sendSelectFile(short fid) Selects a file within the MRTD application.
void	setWrapper(SecureMessagingWrapper wrapper) Deprecated. hack

Methods inherited from class org.jmrtd.PassportApduService

addAPDUListener, addPlainTextAPDUListener, getATR, notifyExchangedPlainTextAPDU, removeAPDUListener, removePlainTextAPDUListener, sendGeneralAuthenticate, sendGetChallenge, sendGetChallenge, sendInternalAuthenticate, sendMSEKAT, sendMSESetATExtAuth, sendMSESetATIntAuth, sendMSESetATMutualAuth, sendMSESetDST, sendMutualAuth, sendMutualAuthenticate, sendPSOChainMode, sendPSOExtendedLengthMode, sendReadBinary, sendReadBinary, sendSelectApplet, sendSelectFile, setService, transmit

Methods inherited from class net.sf.scuba.smartcards.CardService

getInstance, isExtendedAPDULengthSupported, notifyExchangedAPDU

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

EF_CARD_ACCESS

public static final short EF_CARD_ACCESS

Card Access.

See Also:

Constant Field Values

EF_CARD_SECURITY

public static final short EF_CARD_SECURITY

Card Security.

See Also:

Constant Field Values

EF_DG1

public static final short EF_DG1

File identifier for data group 1. Data group 1 contains the MRZ.

See Also:

Constant Field Values

EF_DG2

public static final short EF_DG2

File identifier for data group 2. Data group 2 contains face image data.

See Also:

Constant Field Values

EF_DG3

public static final short EF_DG3

File identifier for data group 3. Data group 3 contains finger print data.

See Also:

Constant Field Values

EF_DG4

public static final short EF_DG4

File identifier for data group 4. Data group 4 contains iris data.

See Also:

Constant Field Values

EF_DG5

public static final short EF_DG5

File identifier for data group 5. Data group 5 contains displayed portrait.

See Also:

Constant Field Values

EF_DG6

public static final short EF_DG6

File identifier for data group 6. Data group 6 is RFU.

See Also:

Constant Field Values

EF_DG7

public static final short EF_DG7

File identifier for data group 7. Data group 7 contains displayed signature.

See Also:

Constant Field Values

EF_DG8

public static final short EF_DG8

File identifier for data group 8. Data group 8 contains data features.

See Also:

Constant Field Values

EF_DG9

public static final short EF_DG9

File identifier for data group 9. Data group 9 contains structure features.

See Also:

Constant Field Values

EF_DG10

public static final short EF_DG10

File identifier for data group 10. Data group 10 contains substance features.

See Also:

Constant Field Values

EF_DG11

public static final short EF_DG11

File identifier for data group 11. Data group 11 contains additional personal details.

See Also:

Constant Field Values

EF_DG12

public static final short EF_DG12

File identifier for data group 12. Data group 12 contains additional document details.

See Also:

Constant Field Values

EF_DG13

public static final short EF_DG13

File identifier for data group 13. Data group 13 contains optional details.

See Also:

Constant Field Values

EF_DG14

public static final short EF_DG14

File identifier for data group 14. Data group 14 contains security infos.

See Also:

Constant Field Values

EF_DG15

public static final short EF_DG15

File identifier for data group 15. Data group 15 contains the public key used for Active Authentication.

See Also:

Constant Field Values

EF_DG16

public static final short EF_DG16

File identifier for data group 16. Data group 16 contains person(s) to notify.

See Also:

Constant Field Values

EF_SOD

public static final short EF_SOD

The security document.

See Also:

Constant Field Values

EF_COM

public static final short EF_COM

The data group presence list.

See Also:

Constant Field Values

EF_CVCA

public static final short EF_CVCA

Contains EAC CVA references. Note: this can be overridden by a file identifier in the DG14 file (in a TerminalAuthenticationInfo). Check DG14 first. Also, this file does not have a header tag, like the others.

See Also:

Constant Field Values

SF_DG1

public static final byte SF_DG1

Short file identifier for file.

See Also:

Constant Field Values

SF_DG2

public static final byte SF_DG2

Short file identifier for file.

See Also:

Constant Field Values

SF_DG3

public static final byte SF_DG3

Short file identifier for file.

See Also:

Constant Field Values

SF_DG4

public static final byte SF_DG4

Short file identifier for file.

See Also:

Constant Field Values

SF_DG5

public static final byte SF_DG5

Short file identifier for file.

See Also:

Constant Field Values

SF_DG6

public static final byte SF_DG6

Short file identifier for file.

See Also:

Constant Field Values

SF_DG7

public static final byte SF_DG7

Short file identifier for file.

See Also:

Constant Field Values

SF_DG8

public static final byte SF_DG8

Short file identifier for file.

See Also:

Constant Field Values

SF_DG9

public static final byte SF_DG9

Short file identifier for file.

See Also:

Constant Field Values

SF_DG10

public static final byte SF_DG10

Short file identifier for file.

See Also:

Constant Field Values

SF_DG11

public static final byte SF_DG11

Short file identifier for file.

See Also:

Constant Field Values

SF_DG12

public static final byte SF_DG12

Short file identifier for file.

See Also:

Constant Field Values

SF_DG13

public static final byte SF_DG13

Short file identifier for file.

See Also:

Constant Field Values

SF_DG14

public static final byte SF_DG14

Short file identifier for file.

See Also:

Constant Field Values

SF_DG15

public static final byte SF_DG15

Short file identifier for file.

See Also:

Constant Field Values

SF_DG16

public static final byte SF_DG16

Short file identifier for file.

See Also:

Constant Field Values

SF_COM

public static final byte SF_COM

Short file identifier for file.

See Also:

Constant Field Values

SF_SOD

public static final byte SF_SOD

Short file identifier for file.

See Also:

Constant Field Values

SF_CVCA

public static final byte SF_CVCA

Short file identifier for file.

See Also:

Constant Field Values

SDF

public static final SimpleDateFormat SDF

YYMMDD format.

DEFAULT_MAX_BLOCKSIZE

public static final int DEFAULT_MAX_BLOCKSIZE

The default maximal blocksize used for unencrypted APDUs.

See Also:

Constant Field Values

maxBlockSize

public int maxBlockSize

Deprecated. hack

The file read block size, some passports cannot handle large values

wrapper

protected SecureMessagingWrapper wrapper

Deprecated. visibility will be set to private

Constructor Detail

PassportService

public PassportService(net.sf.scuba.smartcards.CardService service)
                throws net.sf.scuba.smartcards.CardServiceException

Creates a new passport service for accessing the passport.

Parameters:

service - another service which will deal with sending the apdus to the card

Throws:

net.sf.scuba.smartcards.CardServiceException - when the available JCE providers cannot provide the necessary cryptographic primitives:

• Cipher: "DESede/CBC/Nopadding"
• Mac: "ISO9797Alg3Mac"

PassportService

public PassportService(net.sf.scuba.smartcards.CardService service,
                       int maxBlockSize)
                throws net.sf.scuba.smartcards.CardServiceException

Creates a new passport service for accessing the passport.

Parameters:

service - another service which will deal with sending the APDUs to the card

maxBlockSize - maximum size for plain text APDUs

Throws:

net.sf.scuba.smartcards.CardServiceException - when the available JCE providers cannot provide the necessary cryptographic primitives:

• Cipher: "DESede/CBC/Nopadding"
• Mac: "ISO9797Alg3Mac"

Method Detail

open

public void open()
          throws net.sf.scuba.smartcards.CardServiceException

Opens a session to the card. As of 0.4.10 this no longer auto selects the passport application, caller is responsible to call #sendSelectApplet(boolean) now.

Overrides:

open in class PassportApduService

Throws:

net.sf.scuba.smartcards.CardServiceException - on error

sendSelectApplet

public void sendSelectApplet(boolean hasPACESucceeded)
                      throws net.sf.scuba.smartcards.CardServiceException

Selects the MRTD card side applet. If PACE has been executed successfully previously, then the card has authenticated us and a secure messaging channel has already been established. If not, then the caller should request BAC execution as a next step.

Parameters:

hasPACESucceeded - indicates whether PACE has been executed successfully (in which case a secure messaging channel has been established)

Throws:

net.sf.scuba.smartcards.CardServiceException - on error

isOpen

public boolean isOpen()

Gets whether this service is open.

Overrides:

isOpen in class PassportApduService

Returns:

a boolean that indicates whether this service is open

sendSelectFile

public void sendSelectFile(short fid)
                    throws net.sf.scuba.smartcards.CardServiceException

Selects a file within the MRTD application.

Overrides:

sendSelectFile in class PassportApduService

Parameters:

fid - a file identifier

Throws:

net.sf.scuba.smartcards.CardServiceException - on error

sendReadBinary

public byte[] sendReadBinary(int offset,
                             int le,
                             boolean longRead)
                      throws net.sf.scuba.smartcards.CardServiceException

Sends a READ BINARY command to the passport, use wrapper when secure channel set up.

Parameters:

offset - offset into the file

le - the expected length of the file to read

longRead - whether to use extended length APDUs

Returns:

a byte array of length le with (the specified part of) the contents of the currently selected file

Throws:

net.sf.scuba.smartcards.CardServiceException - on tranceive error

doBAC

public BACResult doBAC(BACKeySpec bacKey)
                throws net.sf.scuba.smartcards.CardServiceException

Performs the Basic Access Control protocol.

Parameters:

bacKey - the key based on the document number, the card holder's birth date, and the document's expiration date

Throws:

net.sf.scuba.smartcards.CardServiceException - if authentication failed

doBAC

public BACResult doBAC(SecretKey kEnc,
                       SecretKey kMac)
                throws net.sf.scuba.smartcards.CardServiceException,
                       GeneralSecurityException

Performs the Basic Access Control protocol. It does BAC using kEnc and kMac keys, usually calculated from the document number, the card holder's date of birth, and the card's date of expiry. A secure messaging channel is set up as a result.

Parameters:

kEnc - static 3DES key required for BAC

kMac - static 3DES key required for BAC

Returns:

the result

Throws:

net.sf.scuba.smartcards.CardServiceException - if authentication failed

GeneralSecurityException - on security primitives related problems

doPACE

public PACEResult doPACE(KeySpec keySpec,
                         String oid,
                         AlgorithmParameterSpec params)
                  throws PACEException

Performs the PACE 2.0 / SAC protocol. A secure messaging channel is set up as a result.

Parameters:

keySpec - the MRZ

oid - as specified in the PACEInfo, indicates GM or IM or CAM, DH or ECDH, cipher, digest, length

params - explicit static domain parameters the domain params for DH or ECDH

Returns:

the result

Throws:

PACEException - on error

doCA

public CAResult doCA(BigInteger keyId,
                     String oid,
                     String publicKeyOID,
                     PublicKey publicKey)
              throws net.sf.scuba.smartcards.CardServiceException

Perform CA (Chip Authentication) part of EAC (version 1). For details see TR-03110 ver. 1.11. In short, we authenticate the chip with (EC)DH key agreement protocol and create new secure messaging keys. A new secure messaging channel is set up as a result.

Parameters:

keyId - passport's public key id (stored in DG14), -1 if none

oid - the object identifier indicating the Chip Authentication protocol

publicKeyOID - the object identifier indicating the public key algorithm used

publicKey - passport's public key (stored in DG14)

Returns:

the chip authentication result

Throws:

net.sf.scuba.smartcards.CardServiceException - if CA failed or some error occurred

doTA

public TAResult doTA(CVCPrincipal caReference,
                     List<CardVerifiableCertificate> terminalCertificates,
                     PrivateKey terminalKey,
                     String taAlg,
                     CAResult chipAuthenticationResult,
                     String documentNumber)
              throws net.sf.scuba.smartcards.CardServiceException

Performs Terminal Authentication (TA) part of EAC (version 1). For details see TR-03110 ver. 1.11. In short, we feed the sequence of terminal certificates to the card for verification, get a challenge from the card, sign it with the terminal private key, and send the result back to the card for verification.

Parameters:

caReference - reference issuer

terminalCertificates - terminal certificate chain

terminalKey - terminal private key

taAlg - algorithm

chipAuthenticationResult - the chip authentication result

documentNumber - the document number

Returns:

the challenge from the card

Throws:

net.sf.scuba.smartcards.CardServiceException - on error

doAA

public AAResult doAA(PublicKey publicKey,
                     String digestAlgorithm,
                     String signatureAlgorithm,
                     byte[] challenge)
              throws net.sf.scuba.smartcards.CardServiceException

Performs the Active Authentication protocol.

Parameters:

publicKey - the public key to use (usually read from the card)

digestAlgorithm - the digest algorithm to use, or null

signatureAlgorithm - signature algorithm

challenge - challenge

Returns:

a boolean indicating whether the card was authenticated

Throws:

net.sf.scuba.smartcards.CardServiceException - on error

close

public void close()

Closes this service.

Overrides:

close in class PassportApduService

getWrapper

public net.sf.scuba.smartcards.APDUWrapper getWrapper()

Gets the wrapper. Returns null until BAC has been performed.

Returns:

the wrapper

setWrapper

public void setWrapper(SecureMessagingWrapper wrapper)

Deprecated. hack

Parameters:

wrapper - wrapper

getInputStream

public net.sf.scuba.smartcards.CardFileInputStream getInputStream(short fid)
                                                           throws net.sf.scuba.smartcards.CardServiceException

Gets the file as an input stream indicated by a file identifier. The resulting input stream will send APDUs to the card.

Parameters:

fid - ICAO file identifier

Returns:

the file as an input stream

Throws:

net.sf.scuba.smartcards.CardServiceException - if the file cannot be read