org.jmrtd

Class PassportService

java.lang.Object

net.sf.scuba.smartcards.CardService

org.jmrtd.PassportService

public class PassportService
extends net.sf.scuba.smartcards.CardService

Card service for reading files (such as data groups) and using the BAC and AA protocols on the passport. Defines secure messaging. Defines active authentication. Based on Doc 9303. Originally based on ICAO-TR-PKI and ICAO-TR-LDS. Usage:

        open() ==><br />
        sendSelectApplet() ==><br />
        doBAC(...) ==><br />
        doAA() ==><br />
        getInputStream(...)<sup>*</sup> ==><br />
        close()
 

Version:

$Revision:352 $

Author:

The JMRTD team ([email protected])

Field Summary

Fields

Modifier and Type	Field and Description
protected static byte[]	APPLET_AID The applet we select when we start a session.
static byte	CAN_PACE_KEY_REFERENCE Shared secret type for PACE according to BSI TR-03110 v2.03 B.11.1.
static int	DEFAULT_MAX_BLOCKSIZE The default maximal blocksize used for unencrypted APDUs.
static short	EF_CARD_ACCESS Card Access.
static short	EF_CARD_SECURITY Card Security.
static short	EF_COM The data group presence list.
static short	EF_CVCA Contains EAC CVA references.
static short	EF_DG1 File identifier for data group 1.
static short	EF_DG10 File identifier for data group 10.
static short	EF_DG11 File identifier for data group 11.
static short	EF_DG12 File identifier for data group 12.
static short	EF_DG13 File identifier for data group 13.
static short	EF_DG14 File identifier for data group 14.
static short	EF_DG15 File identifier for data group 15.
static short	EF_DG16 File identifier for data group 16.
static short	EF_DG2 File identifier for data group 2.
static short	EF_DG3 File identifier for data group 3.
static short	EF_DG4 File identifier for data group 4.
static short	EF_DG5 File identifier for data group 5.
static short	EF_DG6 File identifier for data group 6.
static short	EF_DG7 File identifier for data group 7.
static short	EF_DG8 File identifier for data group 8.
static short	EF_DG9 File identifier for data group 9.
static short	EF_SOD The security document.
int	maxBlockSize Deprecated. hack
static byte	MRZ_PACE_KEY_REFERENCE Shared secret type for PACE according to BSI TR-03110 v2.03 B.11.1.
static byte	PIN_PACE_KEY_REFERENCE Shared secret type for PACE according to BSI TR-03110 v2.03 B.11.1.
static byte	PUK_PACE_KEY_REFERENCE Shared secret type for PACE according to BSI TR-03110 v2.03 B.11.1.
static byte	SF_COM Short file identifier for file.
static byte	SF_CVCA Short file identifier for file.
static byte	SF_DG1 Short file identifier for file.
static byte	SF_DG10 Short file identifier for file.
static byte	SF_DG11 Short file identifier for file.
static byte	SF_DG12 Short file identifier for file.
static byte	SF_DG13 Short file identifier for file.
static byte	SF_DG14 Short file identifier for file.
static byte	SF_DG15 Short file identifier for file.
static byte	SF_DG16 Short file identifier for file.
static byte	SF_DG2 Short file identifier for file.
static byte	SF_DG3 Short file identifier for file.
static byte	SF_DG4 Short file identifier for file.
static byte	SF_DG5 Short file identifier for file.
static byte	SF_DG6 Short file identifier for file.
static byte	SF_DG7 Short file identifier for file.
static byte	SF_DG8 Short file identifier for file.
static byte	SF_DG9 Short file identifier for file.
static byte	SF_SOD Short file identifier for file.

Fields inherited from class net.sf.scuba.smartcards.CardService

SESSION_STARTED_STATE, SESSION_STOPPED_STATE

Constructor Summary

Constructors

Constructor and Description
PassportService(net.sf.scuba.smartcards.CardService service) Creates a new passport service for accessing the passport.
PassportService(net.sf.scuba.smartcards.CardService service, int maxBlockSize) Creates a new passport service for accessing the passport.

Method Summary

Modifier and Type	Method and Description
void	addAPDUListener(net.sf.scuba.smartcards.APDUListener l) Adds a listener.
void	addPlainTextAPDUListener(net.sf.scuba.smartcards.APDUListener l) Adds a plain text listener.
void	close() Closes this service.
AAResult	doAA(PublicKey publicKey, String digestAlgorithm, String signatureAlgorithm, byte[] challenge) Performs the Active Authentication protocol.
BACResult	doBAC(BACKeySpec bacKey) Performs the Basic Access Control protocol.
BACResult	doBAC(SecretKey kEnc, SecretKey kMac) Performs the Basic Access Control protocol.
CAResult	doCA(BigInteger keyId, String oid, String publicKeyOID, PublicKey publicKey) Perform CA (Chip Authentication) part of EAC (version 1).
PACEResult	doPACE(KeySpec keySpec, String oid, AlgorithmParameterSpec params) Performs the PACE 2.0 / SAC protocol.
TAResult	doTA(CVCPrincipal caReference, List<CardVerifiableCertificate> terminalCertificates, PrivateKey terminalKey, String taAlg, CAResult chipAuthenticationResult, PACEResult paceResult) Performs Terminal Authentication (TA) part of EAC (version 1).
TAResult	doTA(CVCPrincipal caReference, List<CardVerifiableCertificate> terminalCertificates, PrivateKey terminalKey, String taAlg, CAResult chipAuthenticationResult, String documentNumber) Performs Terminal Authentication (TA) part of EAC (version 1).
byte[]	getATR() Gets the answer to reset bytes.
net.sf.scuba.smartcards.CardFileInputStream	getInputStream(short fid) Gets the file as an input stream indicated by a file identifier.
net.sf.scuba.smartcards.APDUWrapper	getWrapper() Gets the wrapper.
boolean	isOpen() Gets whether this service is open.
protected void	notifyExchangedPlainTextAPDU(int count, net.sf.scuba.smartcards.CommandAPDU capdu, net.sf.scuba.smartcards.ResponseAPDU rapdu) Notifies listeners about APDU event.
void	open() Opens a session to the card.
void	removeAPDUListener(net.sf.scuba.smartcards.APDUListener l) Removes a listener.
void	removePlainTextAPDUListener(net.sf.scuba.smartcards.APDUListener l) Removes a plain text listener.
byte[]	sendGeneralAuthenticate(net.sf.scuba.smartcards.APDUWrapper wrapper, byte[] data, boolean isLast) Sends a General Authenticate command.
byte[]	sendGetChallenge() Sends a GET CHALLENGE command to the passport.
byte[]	sendGetChallenge(net.sf.scuba.smartcards.APDUWrapper wrapper) Sends a GET CHALLENGE command to the passport.
byte[]	sendInternalAuthenticate(net.sf.scuba.smartcards.APDUWrapper wrapper, byte[] rndIFD) Sends an INTERNAL AUTHENTICATE command to the passport.
void	sendMSEKAT(net.sf.scuba.smartcards.APDUWrapper wrapper, byte[] keyData, byte[] idData) The MSE KAT APDU, see EAC 1.11 spec, Section B.1
void	sendMSESetATExtAuth(net.sf.scuba.smartcards.APDUWrapper wrapper, byte[] data) The MSE Set AT APDU for TA, see EAC 1.11 spec, Section B.2.
void	sendMSESetATIntAuth(net.sf.scuba.smartcards.APDUWrapper wrapper, String oid, BigInteger keyId) The MSE Set AT for chip authentication.
void	sendMSESetATMutualAuth(net.sf.scuba.smartcards.APDUWrapper wrapper, String oid, int refPublicKeyOrSecretKey, byte[] refPrivateKeyOrForComputingSessionKey) The MSE AT APDU for PACE, see ICAO TR-SAC-1.01, Section 3.2.1, BSI TR 03110 v2.03 B11.1.
void	sendMSESetDST(net.sf.scuba.smartcards.APDUWrapper wrapper, byte[] data) The MSE DST APDU, see EAC 1.11 spec, Section B.2
byte[]	sendMutualAuth(byte[] rndIFD, byte[] rndICC, byte[] kIFD, SecretKey kEnc, SecretKey kMac) Sends an EXTERNAL AUTHENTICATE command to the passport.
void	sendMutualAuthenticate(net.sf.scuba.smartcards.APDUWrapper wrapper, byte[] signature) Sends the EXTERNAL AUTHENTICATE command.
void	sendPSOChainMode(net.sf.scuba.smartcards.APDUWrapper wrapper, byte[] certBodyData, byte[] certSignatureData) Sends a perform security operation command in chain mode.
void	sendPSOExtendedLengthMode(net.sf.scuba.smartcards.APDUWrapper wrapper, byte[] certBodyData, byte[] certSignatureData) Sends a perform security operation command in extended length mode.
byte[]	sendReadBinary(net.sf.scuba.smartcards.APDUWrapper wrapper, int offset, int le, boolean isExtendedLength) Sends a READ BINARY command to the passport.
byte[]	sendReadBinary(int offset, int le, boolean isExtendedLength) Sends a READ BINARY command to the passport, use wrapper when secure channel set up.
byte[]	sendReadBinary(short offset, int le, boolean isExtendedLength) Sends a READ BINARY command to the passport.
void	sendSelectApplet(net.sf.scuba.smartcards.APDUWrapper wrapper, byte[] aid) Sends a SELECT APPLET command to the card.
void	sendSelectApplet(boolean hasPACESucceeded) Selects the MRTD card side applet.
void	sendSelectFile(net.sf.scuba.smartcards.APDUWrapper wrapper, short fid) Sends a SELECT FILE command to the passport.
void	sendSelectFile(short fid) Selects a file within the MRTD application.
void	setService(net.sf.scuba.smartcards.CardService service) Sets the service.
void	setWrapper(SecureMessagingWrapper wrapper) Deprecated. hack
net.sf.scuba.smartcards.ResponseAPDU	transmit(net.sf.scuba.smartcards.CommandAPDU capdu) Tranceives an APDU.

Methods inherited from class net.sf.scuba.smartcards.CardService

getInstance, isExtendedAPDULengthSupported, notifyExchangedAPDU

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

EF_CARD_ACCESS

public static final short EF_CARD_ACCESS

Card Access.

See Also:

Constant Field Values

EF_CARD_SECURITY

public static final short EF_CARD_SECURITY

Card Security.

See Also:

Constant Field Values

EF_DG1

public static final short EF_DG1

File identifier for data group 1. Data group 1 contains the MRZ.

See Also:

Constant Field Values

EF_DG2

public static final short EF_DG2

File identifier for data group 2. Data group 2 contains face image data.

See Also:

Constant Field Values

EF_DG3

public static final short EF_DG3

File identifier for data group 3. Data group 3 contains finger print data.

See Also:

Constant Field Values

EF_DG4

public static final short EF_DG4

File identifier for data group 4. Data group 4 contains iris data.

See Also:

Constant Field Values

EF_DG5

public static final short EF_DG5

File identifier for data group 5. Data group 5 contains displayed portrait.

See Also:

Constant Field Values

EF_DG6

public static final short EF_DG6

File identifier for data group 6. Data group 6 is RFU.

See Also:

Constant Field Values

EF_DG7

public static final short EF_DG7

File identifier for data group 7. Data group 7 contains displayed signature.

See Also:

Constant Field Values

EF_DG8

public static final short EF_DG8

File identifier for data group 8. Data group 8 contains data features.

See Also:

Constant Field Values

EF_DG9

public static final short EF_DG9

File identifier for data group 9. Data group 9 contains structure features.

See Also:

Constant Field Values

EF_DG10

public static final short EF_DG10

File identifier for data group 10. Data group 10 contains substance features.

See Also:

Constant Field Values

EF_DG11

public static final short EF_DG11

File identifier for data group 11. Data group 11 contains additional personal details.

See Also:

Constant Field Values

EF_DG12

public static final short EF_DG12

File identifier for data group 12. Data group 12 contains additional document details.

See Also:

Constant Field Values

EF_DG13

public static final short EF_DG13

File identifier for data group 13. Data group 13 contains optional details.

See Also:

Constant Field Values

EF_DG14

public static final short EF_DG14

File identifier for data group 14. Data group 14 contains security infos.

See Also:

Constant Field Values

EF_DG15

public static final short EF_DG15

File identifier for data group 15. Data group 15 contains the public key used for Active Authentication.

See Also:

Constant Field Values

EF_DG16

public static final short EF_DG16

File identifier for data group 16. Data group 16 contains person(s) to notify.

See Also:

Constant Field Values

EF_SOD

public static final short EF_SOD

The security document.

See Also:

Constant Field Values

EF_COM

public static final short EF_COM

The data group presence list.

See Also:

Constant Field Values

EF_CVCA

public static final short EF_CVCA

Contains EAC CVA references. Note: this can be overridden by a file identifier in the DG14 file (in a TerminalAuthenticationInfo). Check DG14 first. Also, this file does not have a header tag, like the others.

See Also:

Constant Field Values

SF_DG1

public static final byte SF_DG1

Short file identifier for file.

See Also:

Constant Field Values

SF_DG2

public static final byte SF_DG2

Short file identifier for file.

See Also:

Constant Field Values

SF_DG3

public static final byte SF_DG3

Short file identifier for file.

See Also:

Constant Field Values

SF_DG4

public static final byte SF_DG4

Short file identifier for file.

See Also:

Constant Field Values

SF_DG5

public static final byte SF_DG5

Short file identifier for file.

See Also:

Constant Field Values

SF_DG6

public static final byte SF_DG6

Short file identifier for file.

See Also:

Constant Field Values

SF_DG7

public static final byte SF_DG7

Short file identifier for file.

See Also:

Constant Field Values

SF_DG8

public static final byte SF_DG8

Short file identifier for file.

See Also:

Constant Field Values

SF_DG9

public static final byte SF_DG9

Short file identifier for file.

See Also:

Constant Field Values

SF_DG10

public static final byte SF_DG10

Short file identifier for file.

See Also:

Constant Field Values

SF_DG11

public static final byte SF_DG11

Short file identifier for file.

See Also:

Constant Field Values

SF_DG12

public static final byte SF_DG12

Short file identifier for file.

See Also:

Constant Field Values

SF_DG13

public static final byte SF_DG13

Short file identifier for file.

See Also:

Constant Field Values

SF_DG14

public static final byte SF_DG14

Short file identifier for file.

See Also:

Constant Field Values

SF_DG15

public static final byte SF_DG15

Short file identifier for file.

See Also:

Constant Field Values

SF_DG16

public static final byte SF_DG16

Short file identifier for file.

See Also:

Constant Field Values

SF_COM

public static final byte SF_COM

Short file identifier for file.

See Also:

Constant Field Values

SF_SOD

public static final byte SF_SOD

Short file identifier for file.

See Also:

Constant Field Values

SF_CVCA

public static final byte SF_CVCA

Short file identifier for file.

See Also:

Constant Field Values

DEFAULT_MAX_BLOCKSIZE

public static final int DEFAULT_MAX_BLOCKSIZE

The default maximal blocksize used for unencrypted APDUs.

See Also:

Constant Field Values

maxBlockSize

@Deprecated
public int maxBlockSize

Deprecated. hack

The file read block size, some passports cannot handle large values

MRZ_PACE_KEY_REFERENCE

public static final byte MRZ_PACE_KEY_REFERENCE

Shared secret type for PACE according to BSI TR-03110 v2.03 B.11.1.

See Also:

Constant Field Values

CAN_PACE_KEY_REFERENCE

public static final byte CAN_PACE_KEY_REFERENCE

Shared secret type for PACE according to BSI TR-03110 v2.03 B.11.1.

See Also:

Constant Field Values

PIN_PACE_KEY_REFERENCE

public static final byte PIN_PACE_KEY_REFERENCE

Shared secret type for PACE according to BSI TR-03110 v2.03 B.11.1.

See Also:

Constant Field Values

PUK_PACE_KEY_REFERENCE

public static final byte PUK_PACE_KEY_REFERENCE

Shared secret type for PACE according to BSI TR-03110 v2.03 B.11.1.

See Also:

Constant Field Values

APPLET_AID

protected static final byte[] APPLET_AID

The applet we select when we start a session.

Constructor Detail

PassportService

public PassportService(net.sf.scuba.smartcards.CardService service)
                throws net.sf.scuba.smartcards.CardServiceException

Creates a new passport service for accessing the passport.

Parameters:

service - another service which will deal with sending the apdus to the card

Throws:

net.sf.scuba.smartcards.CardServiceException - when the available JCE providers cannot provide the necessary cryptographic primitives:

• Cipher: "DESede/CBC/Nopadding"
• Mac: "ISO9797Alg3Mac"

PassportService

public PassportService(net.sf.scuba.smartcards.CardService service,
                       int maxBlockSize)
                throws net.sf.scuba.smartcards.CardServiceException

Creates a new passport service for accessing the passport.

Parameters:

service - another service which will deal with sending the APDUs to the card

maxBlockSize - maximum size for plain text APDUs

Throws:

net.sf.scuba.smartcards.CardServiceException - when the available JCE providers cannot provide the necessary cryptographic primitives:

• Cipher: "DESede/CBC/Nopadding"
• Mac: "ISO9797Alg3Mac"

Method Detail

open

public void open()
          throws net.sf.scuba.smartcards.CardServiceException

Opens a session to the card. As of 0.4.10 this no longer auto selects the passport application, caller is responsible to call #sendSelectApplet(boolean) now.

Throws:

net.sf.scuba.smartcards.CardServiceException - on error

sendSelectApplet

public void sendSelectApplet(boolean hasPACESucceeded)
                      throws net.sf.scuba.smartcards.CardServiceException

Selects the MRTD card side applet. If PACE has been executed successfully previously, then the card has authenticated us and a secure messaging channel has already been established. If not, then the caller should request BAC execution as a next step.

Parameters:

hasPACESucceeded - indicates whether PACE has been executed successfully (in which case a secure messaging channel has been established)

Throws:

net.sf.scuba.smartcards.CardServiceException - on error

isOpen

public boolean isOpen()

Gets whether this service is open.

Returns:

a boolean that indicates whether this service is open

sendSelectFile

public void sendSelectFile(short fid)
                    throws net.sf.scuba.smartcards.CardServiceException

Selects a file within the MRTD application.

Parameters:

fid - a file identifier

Throws:

net.sf.scuba.smartcards.CardServiceException - on error

sendReadBinary

public byte[] sendReadBinary(int offset,
                             int le,
                             boolean isExtendedLength)
                      throws net.sf.scuba.smartcards.CardServiceException

Sends a READ BINARY command to the passport, use wrapper when secure channel set up.

Parameters:

offset - offset into the file

le - the expected length of the file to read

isExtendedLength - whether to use extended length APDUs

Returns:

a byte array of length le with (the specified part of) the contents of the currently selected file

Throws:

net.sf.scuba.smartcards.CardServiceException - on tranceive error

doBAC

public BACResult doBAC(BACKeySpec bacKey)
                throws net.sf.scuba.smartcards.CardServiceException

Performs the Basic Access Control protocol.

Parameters:

bacKey - the key based on the document number, the card holder's birth date, and the document's expiration date

Returns:

the BAC result

Throws:

net.sf.scuba.smartcards.CardServiceException - if authentication failed

doBAC

public BACResult doBAC(SecretKey kEnc,
                       SecretKey kMac)
                throws net.sf.scuba.smartcards.CardServiceException,
                       GeneralSecurityException

Performs the Basic Access Control protocol. It does BAC using kEnc and kMac keys, usually calculated from the document number, the card holder's date of birth, and the card's date of expiry. A secure messaging channel is set up as a result.

Parameters:

kEnc - static 3DES key required for BAC

kMac - static 3DES key required for BAC

Returns:

the result

Throws:

net.sf.scuba.smartcards.CardServiceException - if authentication failed

GeneralSecurityException - on security primitives related problems

doPACE

public PACEResult doPACE(KeySpec keySpec,
                         String oid,
                         AlgorithmParameterSpec params)
                  throws PACEException

Performs the PACE 2.0 / SAC protocol. A secure messaging channel is set up as a result.

Parameters:

keySpec - the MRZ

oid - as specified in the PACEInfo, indicates GM or IM or CAM, DH or ECDH, cipher, digest, length

params - explicit static domain parameters the domain params for DH or ECDH

Returns:

the result

Throws:

PACEException - on error

doCA

public CAResult doCA(BigInteger keyId,
                     String oid,
                     String publicKeyOID,
                     PublicKey publicKey)
              throws net.sf.scuba.smartcards.CardServiceException

Perform CA (Chip Authentication) part of EAC (version 1). For details see TR-03110 ver. 1.11. In short, we authenticate the chip with (EC)DH key agreement protocol and create new secure messaging keys. A new secure messaging channel is set up as a result.

Parameters:

keyId - passport's public key id (stored in DG14), null if none

oid - the object identifier indicating the Chip Authentication protocol

publicKeyOID - the object identifier indicating the public key algorithm used

publicKey - passport's public key (stored in DG14)

Returns:

the chip authentication result

Throws:

net.sf.scuba.smartcards.CardServiceException - if CA failed or some error occurred

doTA

public TAResult doTA(CVCPrincipal caReference,
                     List<CardVerifiableCertificate> terminalCertificates,
                     PrivateKey terminalKey,
                     String taAlg,
                     CAResult chipAuthenticationResult,
                     String documentNumber)
              throws net.sf.scuba.smartcards.CardServiceException

Performs Terminal Authentication (TA) part of EAC (version 1). For details see TR-03110 ver. 1.11. In short, we feed the sequence of terminal certificates to the card for verification, get a challenge from the card, sign it with the terminal private key, and send the result back to the card for verification.

Parameters:

caReference - reference issuer

terminalCertificates - terminal certificate chain

terminalKey - terminal private key

taAlg - algorithm

chipAuthenticationResult - the chip authentication result

documentNumber - the document number

Returns:

the challenge from the card

Throws:

net.sf.scuba.smartcards.CardServiceException - on error

doTA

public TAResult doTA(CVCPrincipal caReference,
                     List<CardVerifiableCertificate> terminalCertificates,
                     PrivateKey terminalKey,
                     String taAlg,
                     CAResult chipAuthenticationResult,
                     PACEResult paceResult)
              throws net.sf.scuba.smartcards.CardServiceException

Performs Terminal Authentication (TA) part of EAC (version 1). For details see TR-03110 ver. 1.11. In short, we feed the sequence of terminal certificates to the card for verification, get a challenge from the card, sign it with the terminal private key, and send the result back to the card for verification.

Parameters:

caReference - reference issuer

terminalCertificates - terminal certificate chain

terminalKey - terminal private key

taAlg - algorithm

chipAuthenticationResult - the chip authentication result

paceResult - the PACE result

Returns:

the challenge from the card

Throws:

net.sf.scuba.smartcards.CardServiceException - on error

doAA

public AAResult doAA(PublicKey publicKey,
                     String digestAlgorithm,
                     String signatureAlgorithm,
                     byte[] challenge)
              throws net.sf.scuba.smartcards.CardServiceException

Performs the Active Authentication protocol.

Parameters:

publicKey - the public key to use (usually read from the card)

digestAlgorithm - the digest algorithm to use, or null

signatureAlgorithm - signature algorithm

challenge - challenge

Returns:

a boolean indicating whether the card was authenticated

Throws:

net.sf.scuba.smartcards.CardServiceException - on error

close

public void close()

Closes this service.

getWrapper

public net.sf.scuba.smartcards.APDUWrapper getWrapper()

Gets the wrapper. Returns null until access control has been performed.

Returns:

the wrapper

setWrapper

@Deprecated
public void setWrapper(SecureMessagingWrapper wrapper)

Deprecated. hack

Parameters:

wrapper - wrapper

getInputStream

public net.sf.scuba.smartcards.CardFileInputStream getInputStream(short fid)
                                                           throws net.sf.scuba.smartcards.CardServiceException

Gets the file as an input stream indicated by a file identifier. The resulting input stream will send APDUs to the card.

Parameters:

fid - ICAO file identifier

Returns:

the file as an input stream

Throws:

net.sf.scuba.smartcards.CardServiceException - if the file cannot be read

transmit

public net.sf.scuba.smartcards.ResponseAPDU transmit(net.sf.scuba.smartcards.CommandAPDU capdu)
                                              throws net.sf.scuba.smartcards.CardServiceException

Tranceives an APDU. If the card responds with a status word other than 0x9000 this method does NOT throw a CardServiceException, but it returns this as error code as result.

Specified by:

transmit in class net.sf.scuba.smartcards.CardService

Parameters:

capdu - the command APDU

Returns:

the response APDU

Throws:

net.sf.scuba.smartcards.CardServiceException - on error

getATR

public byte[] getATR()

Gets the answer to reset bytes.

Specified by:

getATR in class net.sf.scuba.smartcards.CardService

Returns:

the answer to reset bytes

setService

public void setService(net.sf.scuba.smartcards.CardService service)

Sets the service.

Parameters:

service - the carrier service that is decorated by this service

service - the carrier service

addAPDUListener

public void addAPDUListener(net.sf.scuba.smartcards.APDUListener l)

Adds a listener.

Overrides:

addAPDUListener in class net.sf.scuba.smartcards.CardService

Parameters:

l - a listener

removeAPDUListener

public void removeAPDUListener(net.sf.scuba.smartcards.APDUListener l)

Removes a listener.

Overrides:

removeAPDUListener in class net.sf.scuba.smartcards.CardService

Parameters:

l - a listener

sendSelectApplet

public void sendSelectApplet(net.sf.scuba.smartcards.APDUWrapper wrapper,
                             byte[] aid)
                      throws net.sf.scuba.smartcards.CardServiceException

Sends a SELECT APPLET command to the card.

Parameters:

wrapper - the secure messaging wrapper to use

aid - the applet to select

Throws:

net.sf.scuba.smartcards.CardServiceException - on tranceive error

sendSelectFile

public void sendSelectFile(net.sf.scuba.smartcards.APDUWrapper wrapper,
                           short fid)
                    throws net.sf.scuba.smartcards.CardServiceException

Sends a SELECT FILE command to the passport. Secure messaging will be applied to the command and response apdu.

Parameters:

wrapper - the secure messaging wrapper to use

fid - the file to select

Throws:

net.sf.scuba.smartcards.CardServiceException - on tranceive error

sendReadBinary

public byte[] sendReadBinary(short offset,
                             int le,
                             boolean isExtendedLength)
                      throws net.sf.scuba.smartcards.CardServiceException

Sends a READ BINARY command to the passport.

Parameters:

offset - offset into the file

le - the expected length of the file to read

isExtendedLength - whether to use extended length APDUs

Returns:

a byte array of length le with (the specified part of) the contents of the currently selected file

Throws:

net.sf.scuba.smartcards.CardServiceException - if the command was not successful

sendReadBinary

public byte[] sendReadBinary(net.sf.scuba.smartcards.APDUWrapper wrapper,
                             int offset,
                             int le,
                             boolean isExtendedLength)
                      throws net.sf.scuba.smartcards.CardServiceException

Sends a READ BINARY command to the passport. Secure messaging will be applied to the command and response apdu.

Parameters:

wrapper - the secure messaging wrapper to use

offset - offset into the file

le - the expected length of the file to read

isExtendedLength - whether it should be a long (INS == 0xB1) read

Returns:

a byte array of length at most le with (the specified part of) the contents of the currently selected file

Throws:

net.sf.scuba.smartcards.CardServiceException - if the command was not successful

sendGetChallenge

public byte[] sendGetChallenge()
                        throws net.sf.scuba.smartcards.CardServiceException

Sends a GET CHALLENGE command to the passport.

Returns:

a byte array of length 8 containing the challenge

Throws:

net.sf.scuba.smartcards.CardServiceException - on tranceive error

sendGetChallenge

public byte[] sendGetChallenge(net.sf.scuba.smartcards.APDUWrapper wrapper)
                        throws net.sf.scuba.smartcards.CardServiceException

Sends a GET CHALLENGE command to the passport.

Parameters:

wrapper - secure messaging wrapper

Returns:

a byte array of length 8 containing the challenge

Throws:

net.sf.scuba.smartcards.CardServiceException - on tranceive error

sendInternalAuthenticate

public byte[] sendInternalAuthenticate(net.sf.scuba.smartcards.APDUWrapper wrapper,
                                       byte[] rndIFD)
                                throws net.sf.scuba.smartcards.CardServiceException

Sends an INTERNAL AUTHENTICATE command to the passport. This is part of AA.

Parameters:

wrapper - secure messaging wrapper

rndIFD - the challenge to send

Returns:

the response from the passport (status word removed)

Throws:

net.sf.scuba.smartcards.CardServiceException - on tranceive error

sendMutualAuth

public byte[] sendMutualAuth(byte[] rndIFD,
                             byte[] rndICC,
                             byte[] kIFD,
                             SecretKey kEnc,
                             SecretKey kMac)
                      throws net.sf.scuba.smartcards.CardServiceException

Sends an EXTERNAL AUTHENTICATE command to the passport. This is part of BAC. The resulting byte array has length 32 and contains rndICC (first 8 bytes), rndIFD (next 8 bytes), their key material " kICC" (last 16 bytes).

Parameters:

rndIFD - our challenge

rndICC - their challenge

kIFD - our key material

kEnc - the static encryption key

kMac - the static mac key

Returns:

a byte array of length 32 containing the response that was sent by the passport, decrypted (using kEnc) and verified (using kMac)

Throws:

net.sf.scuba.smartcards.CardServiceException - on tranceive error

sendMutualAuthenticate

public void sendMutualAuthenticate(net.sf.scuba.smartcards.APDUWrapper wrapper,
                                   byte[] signature)
                            throws net.sf.scuba.smartcards.CardServiceException

Sends the EXTERNAL AUTHENTICATE command. This is used in EAC-TA.

Parameters:

wrapper - secure messaging wrapper

signature - terminal signature

Throws:

net.sf.scuba.smartcards.CardServiceException - if the resulting status word different from 9000

sendMSEKAT

public void sendMSEKAT(net.sf.scuba.smartcards.APDUWrapper wrapper,
                       byte[] keyData,
                       byte[] idData)
                throws net.sf.scuba.smartcards.CardServiceException

The MSE KAT APDU, see EAC 1.11 spec, Section B.1

Parameters:

wrapper - secure messaging wrapper

keyData - key data object (tag 0x91)

idData - key id data object (tag 0x84), can be null

Throws:

net.sf.scuba.smartcards.CardServiceException - on error

sendMSESetDST

public void sendMSESetDST(net.sf.scuba.smartcards.APDUWrapper wrapper,
                          byte[] data)
                   throws net.sf.scuba.smartcards.CardServiceException

The MSE DST APDU, see EAC 1.11 spec, Section B.2

Parameters:

wrapper - secure messaging wrapper

data - public key reference data object (tag 0x83)

Throws:

net.sf.scuba.smartcards.CardServiceException - on error

sendMSESetATExtAuth

public void sendMSESetATExtAuth(net.sf.scuba.smartcards.APDUWrapper wrapper,
                                byte[] data)
                         throws net.sf.scuba.smartcards.CardServiceException

The MSE Set AT APDU for TA, see EAC 1.11 spec, Section B.2. MANAGE SECURITY ENVIRONMENT command with SET Authentication Template function. Note that caller is responsible for prefixing the byte[] params with specified tags.

Parameters:

wrapper - secure messaging wrapper

data - public key reference data object (should already be prefixed with tag 0x83)

Throws:

net.sf.scuba.smartcards.CardServiceException - on error

sendMSESetATIntAuth

public void sendMSESetATIntAuth(net.sf.scuba.smartcards.APDUWrapper wrapper,
                                String oid,
                                BigInteger keyId)
                         throws net.sf.scuba.smartcards.CardServiceException

The MSE Set AT for chip authentication.

Parameters:

wrapper - secure messaging wrapper

oid - the OID

keyId - the keyId or null

Throws:

net.sf.scuba.smartcards.CardServiceException - on error

sendMSESetATMutualAuth

public void sendMSESetATMutualAuth(net.sf.scuba.smartcards.APDUWrapper wrapper,
                                   String oid,
                                   int refPublicKeyOrSecretKey,
                                   byte[] refPrivateKeyOrForComputingSessionKey)
                            throws net.sf.scuba.smartcards.CardServiceException

The MSE AT APDU for PACE, see ICAO TR-SAC-1.01, Section 3.2.1, BSI TR 03110 v2.03 B11.1. Note that (for now) caller is responsible for prefixing the byte[] params with specified tags.

Parameters:

wrapper - secure messaging wrapper

oid - OID of the protocol to select (this method will prefix 0x80)

refPublicKeyOrSecretKey - value specifying whether to use MRZ (0x01) or CAN (0x02) (this method will prefix 0x83)

refPrivateKeyOrForComputingSessionKey - indicates a private key or reference for computing a session key (this method will prefix 0x84)

Throws:

net.sf.scuba.smartcards.CardServiceException - on error

sendGeneralAuthenticate

public byte[] sendGeneralAuthenticate(net.sf.scuba.smartcards.APDUWrapper wrapper,
                                      byte[] data,
                                      boolean isLast)
                               throws net.sf.scuba.smartcards.CardServiceException

Sends a General Authenticate command.

Parameters:

wrapper - secure messaging wrapper

data - data to be sent, without the 0x7C prefix (this method will add it)

isLast - indicates whether this is the last command in the chain

Returns:

dynamic authentication data without the 0x7C prefix (this method will remove it)

Throws:

net.sf.scuba.smartcards.CardServiceException - on error

sendPSOExtendedLengthMode

public void sendPSOExtendedLengthMode(net.sf.scuba.smartcards.APDUWrapper wrapper,
                                      byte[] certBodyData,
                                      byte[] certSignatureData)
                               throws net.sf.scuba.smartcards.CardServiceException

Sends a perform security operation command in extended length mode.

Parameters:

wrapper - secure messaging wrapper

certBodyData - the certificate body

certSignatureData - signature data

Throws:

net.sf.scuba.smartcards.CardServiceException - on error communicating over the service

sendPSOChainMode

public void sendPSOChainMode(net.sf.scuba.smartcards.APDUWrapper wrapper,
                             byte[] certBodyData,
                             byte[] certSignatureData)
                      throws net.sf.scuba.smartcards.CardServiceException

Sends a perform security operation command in chain mode.

Parameters:

wrapper - secure messaging wrapper

certBodyData - the certificate body

certSignatureData - signature data

Throws:

net.sf.scuba.smartcards.CardServiceException - on error communicating over the service

addPlainTextAPDUListener

public void addPlainTextAPDUListener(net.sf.scuba.smartcards.APDUListener l)

Adds a plain text listener.

Parameters:

l - a listener

removePlainTextAPDUListener

public void removePlainTextAPDUListener(net.sf.scuba.smartcards.APDUListener l)

Removes a plain text listener.

Parameters:

l - a listener

notifyExchangedPlainTextAPDU

protected void notifyExchangedPlainTextAPDU(int count,
                                            net.sf.scuba.smartcards.CommandAPDU capdu,
                                            net.sf.scuba.smartcards.ResponseAPDU rapdu)

Notifies listeners about APDU event.

Parameters:

count - count

capdu - command APDU

rapdu - response APDU