Package org.jmrtd.protocol
Class EACCAProtocol
- java.lang.Object
-
- org.jmrtd.protocol.EACCAProtocol
-
public class EACCAProtocol extends Object
The EAC Chip Authentication protocol (version 1).- Since:
- 0.5.6
- Version:
- $Revision: 1805 $
- Author:
- The JMRTD team ([email protected])
-
-
Constructor Summary
Constructors Constructor Description EACCAProtocol(APDULevelEACCACapable service, SecureMessagingWrapper wrapper, int maxTranceiveLength, boolean shouldCheckMAC)
Constructs a protocol instance.
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description static byte[]
computeSharedSecret(String agreementAlg, PublicKey piccPublicKey, PrivateKey pcdPrivateKey)
Performs the key agreement step.EACCAResult
doCA(BigInteger keyId, String oid, String publicKeyOID, PublicKey piccPublicKey)
Perform EAC-CA (Chip Authentication) part of EAC (version 1).static byte[]
getKeyHash(String agreementAlg, PublicKey pcdPublicKey)
Returns the key hash which will be used as input for Terminal Authentication.SecureMessagingWrapper
getWrapper()
Returns the secure messaging wrapper currently in use.static SecureMessagingWrapper
restartSecureMessaging(String oid, byte[] sharedSecret, int maxTranceiveLength, boolean shouldCheckMAC)
Restarts secure messaging based on the shared secret.static void
sendPublicKey(APDULevelEACCACapable service, SecureMessagingWrapper wrapper, String oid, BigInteger keyId, PublicKey pcdPublicKey)
Sends the PCD's public key to the PICC.
-
-
-
Constructor Detail
-
EACCAProtocol
public EACCAProtocol(APDULevelEACCACapable service, SecureMessagingWrapper wrapper, int maxTranceiveLength, boolean shouldCheckMAC)
Constructs a protocol instance.- Parameters:
service
- the card servicewrapper
- the existing secure messaging wrappermaxTranceiveLength
- the maximal tranceive length (on responses toREAD BINARY
) to use in the resulting secure messaging channelshouldCheckMAC
- whether the resulting secure messaging channel should apply strict MAC checking on response APDUs
-
-
Method Detail
-
doCA
public EACCAResult doCA(BigInteger keyId, String oid, String publicKeyOID, PublicKey piccPublicKey) throws net.sf.scuba.smartcards.CardServiceException
Perform EAC-CA (Chip Authentication) part of EAC (version 1). For details see TR-03110 ver. 1.11. In short, we authenticate the chip with DH or ECDH key agreement protocol and create new secure messaging keys. The newly established secure messaging wrapper is made available to the caller in the result.- Parameters:
keyId
- passport's public key id (stored in DG14),null
if noneoid
- the object identifier indicating the Chip Authentication protocolpublicKeyOID
- the OID indicating the type of public keypiccPublicKey
- PICC's public key (stored in DG14)- Returns:
- the Chip Authentication result
- Throws:
net.sf.scuba.smartcards.CardServiceException
- if Chip Authentication failed or some error occurred
-
sendPublicKey
public static void sendPublicKey(APDULevelEACCACapable service, SecureMessagingWrapper wrapper, String oid, BigInteger keyId, PublicKey pcdPublicKey) throws net.sf.scuba.smartcards.CardServiceException
Sends the PCD's public key to the PICC.- Parameters:
service
- the card servicewrapper
- the existing secure messaging wrapperoid
- the Chip Authentication object identifierkeyId
- a key identifier ornull
pcdPublicKey
- the public key to send- Throws:
net.sf.scuba.smartcards.CardServiceException
- on error
-
computeSharedSecret
public static byte[] computeSharedSecret(String agreementAlg, PublicKey piccPublicKey, PrivateKey pcdPrivateKey) throws NoSuchAlgorithmException, InvalidKeyException
Performs the key agreement step. Generates a secret based on the PICC's public key and the PCD's private key.- Parameters:
agreementAlg
- the agreement algorithmpiccPublicKey
- the PICC's public keypcdPrivateKey
- the PCD's private key- Returns:
- the shared secret
- Throws:
NoSuchAlgorithmException
- if the agreement algorithm is unsupportedInvalidKeyException
- if one of the keys is invalid
-
restartSecureMessaging
public static SecureMessagingWrapper restartSecureMessaging(String oid, byte[] sharedSecret, int maxTranceiveLength, boolean shouldCheckMAC) throws GeneralSecurityException
Restarts secure messaging based on the shared secret.- Parameters:
oid
- the Chip Authentication object identifiersharedSecret
- the shared secretmaxTranceiveLength
- the maximum APDU tranceive lengthshouldCheckMAC
- whether to check MAC- Returns:
- the secure messaging wrapper
- Throws:
GeneralSecurityException
- on error
-
getWrapper
public SecureMessagingWrapper getWrapper()
Returns the secure messaging wrapper currently in use.- Returns:
- a secure messaging wrapper
-
getKeyHash
public static byte[] getKeyHash(String agreementAlg, PublicKey pcdPublicKey) throws NoSuchAlgorithmException
Returns the key hash which will be used as input for Terminal Authentication.- Parameters:
agreementAlg
- the agreement algorithm, either"DH"
or"ECDH"
pcdPublicKey
- the inspection system's public key- Returns:
- the key hash
- Throws:
NoSuchAlgorithmException
- on error
-
-