org.jmrtd

Class PassportService

java.lang.Object

net.sf.scuba.smartcards.CardService

org.jmrtd.PassportApduService

org.jmrtd.PassportService

All Implemented Interfaces:

java.io.Serializable

public class PassportService
extends PassportApduService
implements java.io.Serializable

Card service for reading files (such as data groups) and using the BAC and AA protocols on the passport. Defines secure messaging. Defines active authentication. Based on ICAO-TR-PKI and ICAO-TR-LDS. Usage:

        open() ==><br />
        sendSelectApplet() ==><br />
        doBAC(...) ==><br />
        doAA() ==><br />
        getInputStream(...)<sup>*</sup> ==><br />
        close()
 

Version:

$Revision:352 $

Author:

Cees-Bart Breunesse ([email protected]), Wojciech Mostowski ([email protected]), Martijn Oostdijk ([email protected])

See Also:

Serialized Form

Field Summary

Fields

Modifier and Type	Field and Description
static short	EF_CARD_ACCESS CardAccess.
static short	EF_COM The data group presence list.
static short	EF_CVCA File with the EAC CVCA references.
static short	EF_DG1 Data group 1 contains the MRZ.
static short	EF_DG10 Data group 10 contains substance features.
static short	EF_DG11 Data group 11 contains additional personal details.
static short	EF_DG12 Data group 12 contains additional document details.
static short	EF_DG13 Data group 13 contains optional details.
static short	EF_DG14 Data group 14 is RFU.
static short	EF_DG15 Data group 15 contains the public key used for Active Authentication.
static short	EF_DG16 Data group 16 contains person(s) to notify.
static short	EF_DG2 Data group 2 contains face image data.
static short	EF_DG3 Data group 3 contains finger print data.
static short	EF_DG4 Data group 4 contains iris data.
static short	EF_DG5 Data group 5 contains displayed portrait.
static short	EF_DG6 Data group 6 is RFU.
static short	EF_DG7 Data group 7 contains displayed signature.
static short	EF_DG8 Data group 8 contains data features.
static short	EF_DG9 Data group 9 contains structure features.
static short	EF_SOD The security document.
static int	maxBlockSize Deprecated. hack
protected java.util.Random	random
static java.text.SimpleDateFormat	SDF
static byte	SF_COM Short file identifiers for the DGs
static byte	SF_CVCA Short file identifiers for the DGs
static byte	SF_DG1 Short file identifiers for the DGs
static byte	SF_DG10 Short file identifiers for the DGs
static byte	SF_DG11 Short file identifiers for the DGs
static byte	SF_DG12 Short file identifiers for the DGs
static byte	SF_DG13 Short file identifiers for the DGs
static byte	SF_DG14 Short file identifiers for the DGs
static byte	SF_DG15 Short file identifiers for the DGs
static byte	SF_DG16 Short file identifiers for the DGs
static byte	SF_DG2 Short file identifiers for the DGs
static byte	SF_DG3 Short file identifiers for the DGs
static byte	SF_DG4 Short file identifiers for the DGs
static byte	SF_DG5 Short file identifiers for the DGs
static byte	SF_DG6 Short file identifiers for the DGs
static byte	SF_DG7 Short file identifiers for the DGs
static byte	SF_DG8 Short file identifiers for the DGs
static byte	SF_DG9 Short file identifiers for the DGs
static byte	SF_SOD Short file identifiers for the DGs
protected SecureMessagingWrapper	wrapper Deprecated. visibility will be set to private

Fields inherited from class org.jmrtd.PassportApduService

APPLET_AID, CAN_PACE_KEY_REFERENCE, MRZ_PACE_KEY_REFERENCE, PIN_PACE_KEY_REFERENCE, PUK_PACE_REFERENCE

Constructor Summary

Constructors

Constructor and Description
PassportService(net.sf.scuba.smartcards.CardService service) Creates a new passport service for accessing the passport.

Method Summary

Modifier and Type	Method and Description
void	close() Closes this service.
byte[]	doAA(java.security.PublicKey publicKey, java.lang.String digestAlgorithm, java.lang.String signatureAlgorithm, byte[] challenge) Performs the Active Authentication protocol.
void	doBAC(BACKeySpec bacKey) Performs the Basic Access Control protocol.
void	doBAC(javax.crypto.SecretKey kEnc, javax.crypto.SecretKey kMac) Performs the Basic Access Control protocol.
ChipAuthenticationResult	doCA(java.math.BigInteger keyId, java.security.PublicKey publicKey) Perform CA (Chip Authentication) part of EAC (version 1).
void	doPACE(BACKeySpec keySpec, java.lang.String oid, java.security.spec.AlgorithmParameterSpec params) Performs the PACE 2.0 / SAC protocol.
TerminalAuthenticationResult	doTA(CVCPrincipal caReference, java.util.List<CardVerifiableCertificate> terminalCertificates, java.security.PrivateKey terminalKey, java.lang.String taAlg, ChipAuthenticationResult chipAuthenticationResult, java.lang.String documentNumber) Perform TA (Terminal Authentication) part of EAC (version 1).
net.sf.scuba.smartcards.CardFileInputStream	getInputStream(short fid) Gets the file as an input stream indicated by a file identifier.
net.sf.scuba.smartcards.APDUWrapper	getWrapper() Gets the wrapper.
boolean	isOpen() Whether this service is open.
void	open() Opens a session to the card.
byte[]	sendReadBinary(int offset, int le, boolean longRead) Sends a READ BINARY command to the passport, use wrapper when secure channel set up.
void	sendSelectApplet(boolean hasPACESucceeded) Selects the MRTD card side applet.
void	sendSelectFile(short fid)
void	setWrapper(SecureMessagingWrapper wrapper) Deprecated. hack

Methods inherited from class org.jmrtd.PassportApduService

addAPDUListener, addPlainTextAPDUListener, getATR, notifyExchangedPlainTextAPDU, removeAPDUListener, removePlainTextAPDUListener, sendGeneralAuthenticate, sendGetChallenge, sendGetChallenge, sendInternalAuthenticate, sendMSEKAT, sendMSESetATExtAuth, sendMSESetATMutualAuth, sendMSESetDST, sendMutualAuth, sendMutualAuthenticate, sendPSOChainMode, sendPSOExtendedLengthMode, sendReadBinary, sendReadBinary, sendSelectApplet, sendSelectFile, setService, transmit

Methods inherited from class net.sf.scuba.smartcards.CardService

getInstance, isExtendedAPDULengthSupported, notifyExchangedAPDU

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

EF_DG1

public static final short EF_DG1

Data group 1 contains the MRZ.

See Also:

Constant Field Values

EF_DG2

public static final short EF_DG2

Data group 2 contains face image data.

See Also:

Constant Field Values

EF_DG3

public static final short EF_DG3

Data group 3 contains finger print data.

See Also:

Constant Field Values

EF_DG4

public static final short EF_DG4

Data group 4 contains iris data.

See Also:

Constant Field Values

EF_DG5

public static final short EF_DG5

Data group 5 contains displayed portrait.

See Also:

Constant Field Values

EF_DG6

public static final short EF_DG6

Data group 6 is RFU.

See Also:

Constant Field Values

EF_DG7

public static final short EF_DG7

Data group 7 contains displayed signature.

See Also:

Constant Field Values

EF_DG8

public static final short EF_DG8

Data group 8 contains data features.

See Also:

Constant Field Values

EF_DG9

public static final short EF_DG9

Data group 9 contains structure features.

See Also:

Constant Field Values

EF_DG10

public static final short EF_DG10

Data group 10 contains substance features.

See Also:

Constant Field Values

EF_DG11

public static final short EF_DG11

Data group 11 contains additional personal details.

See Also:

Constant Field Values

EF_DG12

public static final short EF_DG12

Data group 12 contains additional document details.

See Also:

Constant Field Values

EF_DG13

public static final short EF_DG13

Data group 13 contains optional details.

See Also:

Constant Field Values

EF_DG14

public static final short EF_DG14

Data group 14 is RFU.

See Also:

Constant Field Values

EF_DG15

public static final short EF_DG15

Data group 15 contains the public key used for Active Authentication.

See Also:

Constant Field Values

EF_DG16

public static final short EF_DG16

Data group 16 contains person(s) to notify.

See Also:

Constant Field Values

EF_CARD_ACCESS

public static final short EF_CARD_ACCESS

CardAccess.

See Also:

Constant Field Values

EF_SOD

public static final short EF_SOD

The security document.

See Also:

Constant Field Values

EF_COM

public static final short EF_COM

The data group presence list.

See Also:

Constant Field Values

EF_CVCA

public static final short EF_CVCA

File with the EAC CVCA references. Note: this can be overridden by a file identifier in the DG14 file (TerminalAuthenticationInfo). So check that one first. Also, this file does not have a header tag, like the others.

See Also:

Constant Field Values

SF_DG1

public static final byte SF_DG1

Short file identifiers for the DGs

See Also:

Constant Field Values

SF_DG2

public static final byte SF_DG2

Short file identifiers for the DGs

See Also:

Constant Field Values

SF_DG3

public static final byte SF_DG3

Short file identifiers for the DGs

See Also:

Constant Field Values

SF_DG4

public static final byte SF_DG4

Short file identifiers for the DGs

See Also:

Constant Field Values

SF_DG5

public static final byte SF_DG5

Short file identifiers for the DGs

See Also:

Constant Field Values

SF_DG6

public static final byte SF_DG6

Short file identifiers for the DGs

See Also:

Constant Field Values

SF_DG7

public static final byte SF_DG7

Short file identifiers for the DGs

See Also:

Constant Field Values

SF_DG8

public static final byte SF_DG8

Short file identifiers for the DGs

See Also:

Constant Field Values

SF_DG9

public static final byte SF_DG9

Short file identifiers for the DGs

See Also:

Constant Field Values

SF_DG10

public static final byte SF_DG10

Short file identifiers for the DGs

See Also:

Constant Field Values

SF_DG11

public static final byte SF_DG11

Short file identifiers for the DGs

See Also:

Constant Field Values

SF_DG12

public static final byte SF_DG12

Short file identifiers for the DGs

See Also:

Constant Field Values

SF_DG13

public static final byte SF_DG13

Short file identifiers for the DGs

See Also:

Constant Field Values

SF_DG14

public static final byte SF_DG14

Short file identifiers for the DGs

See Also:

Constant Field Values

SF_DG15

public static final byte SF_DG15

Short file identifiers for the DGs

See Also:

Constant Field Values

SF_DG16

public static final byte SF_DG16

Short file identifiers for the DGs

See Also:

Constant Field Values

SF_COM

public static final byte SF_COM

Short file identifiers for the DGs

See Also:

Constant Field Values

SF_SOD

public static final byte SF_SOD

Short file identifiers for the DGs

See Also:

Constant Field Values

SF_CVCA

public static final byte SF_CVCA

Short file identifiers for the DGs

See Also:

Constant Field Values

SDF

public static final java.text.SimpleDateFormat SDF

maxBlockSize

public static int maxBlockSize

Deprecated. hack

The file read block size, some passports cannot handle large values

wrapper

protected SecureMessagingWrapper wrapper

Deprecated. visibility will be set to private

random

protected java.util.Random random

Constructor Detail

PassportService

public PassportService(net.sf.scuba.smartcards.CardService service)
                throws net.sf.scuba.smartcards.CardServiceException

Creates a new passport service for accessing the passport.

Parameters:

service - another service which will deal with sending the apdus to the card

Throws:

net.sf.scuba.smartcards.CardServiceException - on error

Method Detail

open

public void open()
          throws net.sf.scuba.smartcards.CardServiceException

Opens a session to the card. As of 0.4.10 this no longer auto selects the passport application, caller is responsible to call #sendSelectApplet(boolean) now.

Overrides:

open in class PassportApduService

Throws:

net.sf.scuba.smartcards.CardServiceException - on error

sendSelectApplet

public void sendSelectApplet(boolean hasPACESucceeded)
                      throws net.sf.scuba.smartcards.CardServiceException

Selects the MRTD card side applet. If PACE has been executed successfully previously, then the card has authenticated us and a secure messaging channel has been established. If not, then the caller should request BAC execution as a next step.

Parameters:

hasPACESucceeded - indicates whether PACE has been executed successfully (in which case a secure messaging channel has been established)

Throws:

net.sf.scuba.smartcards.CardServiceException - on error

isOpen

public boolean isOpen()

Whether this service is open.

Overrides:

isOpen in class PassportApduService

Returns:

a boolean

doBAC

public void doBAC(BACKeySpec bacKey)
           throws net.sf.scuba.smartcards.CardServiceException

Performs the Basic Access Control protocol.

Parameters:

bacKey - the key based on the document number, the card holder's birth date, and the document's expiry date

Throws:

net.sf.scuba.smartcards.CardServiceException - if authentication failed

doBAC

public void doBAC(javax.crypto.SecretKey kEnc,
                  javax.crypto.SecretKey kMac)
           throws net.sf.scuba.smartcards.CardServiceException,
                  java.security.GeneralSecurityException

Performs the Basic Access Control protocol. It does BAC using kEnc and kMac keys, usually calculated from the document number, the card holder's date of birth, and the card's date of expiry.

Parameters:

kEnc - 3DES key required for BAC

kMac - 3DES key required for BAC

Throws:

net.sf.scuba.smartcards.CardServiceException - if authentication failed

java.security.GeneralSecurityException - on security primitives related problems

sendSelectFile

public void sendSelectFile(short fid)
                    throws net.sf.scuba.smartcards.CardServiceException

Overrides:

sendSelectFile in class PassportApduService

Throws:

net.sf.scuba.smartcards.CardServiceException

sendReadBinary

public byte[] sendReadBinary(int offset,
                             int le,
                             boolean longRead)
                      throws net.sf.scuba.smartcards.CardServiceException

Sends a READ BINARY command to the passport, use wrapper when secure channel set up.

Parameters:

offset - offset into the file

le - the expected length of the file to read

longRead - whether to use extended length APDUs

Returns:

a byte array of length le with (the specified part of) the contents of the currently selected file

Throws:

net.sf.scuba.smartcards.CardServiceException - on tranceive error

doPACE

public void doPACE(BACKeySpec keySpec,
                   java.lang.String oid,
                   java.security.spec.AlgorithmParameterSpec params)
            throws PACEException

Performs the PACE 2.0 / SAC protocol.

Parameters:

keySpec - the MRZ

oid - as specified in the PACEInfo, indicates GM or IM, DH or ECDH, cipher, digest, length

params - explicit static domain parameters the domain params for DH or ECDH

Throws:

PACEException - on error

doCA

public ChipAuthenticationResult doCA(java.math.BigInteger keyId,
                                     java.security.PublicKey publicKey)
                              throws net.sf.scuba.smartcards.CardServiceException

Perform CA (Chip Authentication) part of EAC (version 1). For details see TR-03110 ver. 1.11. In short, we authenticate the chip with (EC)DH key agreement protocol and create new secure messaging keys.

Parameters:

keyId - passport's public key id (stored in DG14), -1 if none

publicKey - passport's public key (stored in DG14)

Returns:

the chip authentication result

Throws:

net.sf.scuba.smartcards.CardServiceException - if CA failed or some error occurred

doTA

public TerminalAuthenticationResult doTA(CVCPrincipal caReference,
                                         java.util.List<CardVerifiableCertificate> terminalCertificates,
                                         java.security.PrivateKey terminalKey,
                                         java.lang.String taAlg,
                                         ChipAuthenticationResult chipAuthenticationResult,
                                         java.lang.String documentNumber)
                                  throws net.sf.scuba.smartcards.CardServiceException

Perform TA (Terminal Authentication) part of EAC (version 1). For details see TR-03110 ver. 1.11. In short, we feed the sequence of terminal certificates to the card for verification, get a challenge from the card, sign it with terminal private key, and send back to the card for verification.

Parameters:

caReference - reference issuer

terminalCertificates - terminal certificate chain

terminalKey - terminal private key

taAlg - algorithm

chipAuthenticationResult - the chip authentication result

documentNumber - the document number

Returns:

the challenge from the card

Throws:

net.sf.scuba.smartcards.CardServiceException - on error

doAA

public byte[] doAA(java.security.PublicKey publicKey,
                   java.lang.String digestAlgorithm,
                   java.lang.String signatureAlgorithm,
                   byte[] challenge)
            throws net.sf.scuba.smartcards.CardServiceException

Performs the Active Authentication protocol.

Parameters:

publicKey - the public key to use (usually read from the card)

digestAlgorithm - the digest algorithm to use, or null

signatureAlgorithm - signature algorithm

challenge - challenge

Returns:

a boolean indicating whether the card was authenticated

Throws:

net.sf.scuba.smartcards.CardServiceException - on error

close

public void close()

Closes this service.

Overrides:

close in class PassportApduService

getWrapper

public net.sf.scuba.smartcards.APDUWrapper getWrapper()

Gets the wrapper. Returns null until BAC has been performed.

Returns:

the wrapper

setWrapper

public void setWrapper(SecureMessagingWrapper wrapper)

Deprecated. hack

Parameters:

wrapper - wrapper

getInputStream

public net.sf.scuba.smartcards.CardFileInputStream getInputStream(short fid)
                                                           throws net.sf.scuba.smartcards.CardServiceException

Gets the file as an input stream indicated by a file identifier. The resulting input stream will send APDUs to the card.

Parameters:

fid - ICAO file identifier

Returns:

the file as an input stream

Throws:

net.sf.scuba.smartcards.CardServiceException - if the file cannot be read