Package org.jmrtd
Class AbstractMRTDCardService
Class hierarchy:
- java.lang.Object
- net.sf.scuba.smartcards.CardService
- org.jmrtd.FileSystemCardService
- org.jmrtd.AbstractMRTDCardService

Direct Known Subclasses:
- PassportService

public abstract class AbstractMRTDCardService extends FileSystemCardService

Base class for MRTD card services.

- Since: 0.7.0
- Version: $Revision: 1850 $
- Author: The JMRTD team ([email protected])
Constructor Summary
- AbstractMRTDCardService()

Method Summary
- abstract AAResult doAA(PublicKey publicKey, String digestAlgorithm, String signatureAlgorithm, byte[] challenge)
  Performs the Active Authentication protocol.
- abstract BACResult doBAC(SecretKey kEnc, SecretKey kMac)
  Performs the Basic Access Control protocol.
- abstract BACResult doBAC(AccessKeySpec bacKey)
  Performs the Basic Access Control protocol.
- abstract EACCAResult doEACCA(BigInteger keyId, String oid, String publicKeyOID, PublicKey publicKey)
  Performs the CA (Chip Authentication) part of EAC (version 1).
- abstract EACTAResult doEACTA(CVCPrincipal caReference, List<CardVerifiableCertificate> terminalCertificates, PrivateKey terminalKey, String taAlg, EACCAResult chipAuthenticationResult, String documentNumber)
  Performs the Terminal Authentication (TA) part of EAC (version 1).
- abstract EACTAResult doEACTA(CVCPrincipal caReference, List<CardVerifiableCertificate> terminalCertificates, PrivateKey terminalKey, String taAlg, EACCAResult chipAuthenticationResult, PACEResult paceResult)
  Performs the Terminal Authentication (TA) part of EAC (version 1).
- PACEResult doPACE(AccessKeySpec keySpec, String oid, AlgorithmParameterSpec params)
  Deprecated. Use the variant with the additional parameter identifier.
- abstract PACEResult doPACE(AccessKeySpec keySpec, String oid, AlgorithmParameterSpec params, BigInteger parameterId)
  Performs the PACE 2.0 / SAC protocol.
- abstract int getMaxReadBinaryLength()
  Returns the currently set maximum length to be requested in READ BINARY commands.
- abstract SecureMessagingWrapper getWrapper()
  Returns the secure messaging wrapper currently in use.
- abstract void sendSelectApplet(boolean shouldUseSecureMessaging)
  Selects the card side applet.
- abstract void sendSelectMF()
  Selects the master file.

Methods inherited from class org.jmrtd.FileSystemCardService
- getInputStream, getInputStream
Method Detail

doBAC
public abstract BACResult doBAC(AccessKeySpec bacKey) throws net.sf.scuba.smartcards.CardServiceException
Performs the Basic Access Control protocol.
- Parameters:
  - bacKey - the key based on the document number, the card holder's birth date, and the document's expiration date
- Returns:
  - the BAC result
- Throws:
  - net.sf.scuba.smartcards.CardServiceException - if authentication failed

doBAC
public abstract BACResult doBAC(SecretKey kEnc, SecretKey kMac) throws net.sf.scuba.smartcards.CardServiceException, GeneralSecurityException
Performs the Basic Access Control protocol using the given kEnc and kMac keys, usually derived from the document number, the card holder's date of birth, and the card's date of expiry. A secure messaging channel is set up as a result.
- Parameters:
  - kEnc - the static 3DES encryption key required for BAC
  - kMac - the static 3DES MAC key required for BAC
- Returns:
  - the result
- Throws:
  - net.sf.scuba.smartcards.CardServiceException - if authentication failed
  - GeneralSecurityException - on security primitives related problems
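The kEnc and kMac keys that this overload expects are derived from the MRZ as ICAO 9303 Part 11 specifies: SHA-1 over the MRZ information (document number, date of birth and date of expiry, each followed by its check digit) gives a 16-byte seed, and one more SHA-1 with a 32-bit counter (1 for encryption, 2 for MAC) gives each key, parity-adjusted for DES. The following is an added example, not JMRTD's own code: the derivation is written out so the doBAC(SecretKey, SecretKey) call can be made without JMRTD's BACKey helper. Only AbstractMRTDCardService and BACResult come from this page; the result class is assumed to live in org.jmrtd.protocol, and the known-answer values in selfTest() are those of the worked example in ICAO 9303 Part 11, Appendix D.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

import org.jmrtd.AbstractMRTDCardService;
import org.jmrtd.protocol.BACResult;   // assumed package for the result type shown on this page

/** Example (not JMRTD's own code): derive the BAC keys from the MRZ per ICAO 9303 Part 11 and run BAC with them. */
public final class BacKeyDerivation {

  private BacKeyDerivation() {}

  /** ICAO 9303 check digit: weights 7,3,1 repeating; digits count as themselves, A..Z as 10..35, '<' as 0. */
  static int checkDigit(String field) {
    int[] weights = {7, 3, 1};
    int sum = 0;
    for (int i = 0; i < field.length(); i++) {
      char c = field.charAt(i);
      int v = (c == '<') ? 0 : Character.isDigit(c) ? c - '0' : Character.toUpperCase(c) - 'A' + 10;
      sum += v * weights[i % 3];
    }
    return sum % 10;
  }

  /** MRZ_information = document number (9 chars, '<'-padded) || cd || DOB (YYMMDD) || cd || DOE (YYMMDD) || cd. */
  static String mrzInformation(String documentNumber, String dateOfBirth, String dateOfExpiry) {
    StringBuilder doc = new StringBuilder(documentNumber.toUpperCase());
    while (doc.length() < 9) {
      doc.append('<');
    }
    return doc.toString() + checkDigit(doc.toString())
        + dateOfBirth + checkDigit(dateOfBirth)
        + dateOfExpiry + checkDigit(dateOfExpiry);
  }

  /** Kseed is the first 16 bytes of SHA-1(MRZ_information). */
  static byte[] kSeed(String mrzInformation) throws Exception {
    byte[] h = MessageDigest.getInstance("SHA-1").digest(mrzInformation.getBytes(StandardCharsets.US_ASCII));
    return Arrays.copyOf(h, 16);
  }

  /** KDF for 3DES: first 16 bytes of SHA-1(Kseed || counter), DES parity adjusted. Counter 1 = Enc, 2 = MAC. */
  static byte[] deriveKey(byte[] kSeed, int counter) throws Exception {
    MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
    sha1.update(kSeed);
    sha1.update(new byte[] {0, 0, 0, (byte) counter});   // 32-bit big-endian counter
    byte[] key = Arrays.copyOf(sha1.digest(), 16);
    for (int i = 0; i < key.length; i++) {
      key[i] = withOddParity(key[i]);
    }
    return key;
  }

  /** Sets the low bit of a DES key byte so that the byte has an odd number of 1 bits. */
  private static byte withOddParity(byte b) {
    int v = b & 0xFE;
    return (byte) (Integer.bitCount(v) % 2 == 0 ? (v | 1) : v);
  }

  /** The JCA's DESede wants 24 bytes: a 2-key 3DES key K1 || K2 becomes K1 || K2 || K1. */
  static SecretKey toDesedeKey(byte[] key16) {
    byte[] key24 = new byte[24];
    System.arraycopy(key16, 0, key24, 0, 16);
    System.arraycopy(key16, 0, key24, 16, 8);
    return new SecretKeySpec(key24, "DESede");
  }

  /** Runs BAC on an already opened service with keys derived here rather than by a BACKey. */
  public static BACResult doBacWithDerivedKeys(AbstractMRTDCardService service,
      String documentNumber, String dateOfBirth, String dateOfExpiry) throws Exception {
    byte[] seed = kSeed(mrzInformation(documentNumber, dateOfBirth, dateOfExpiry));
    SecretKey kEnc = toDesedeKey(deriveKey(seed, 1));
    SecretKey kMac = toDesedeKey(deriveKey(seed, 2));
    return service.doBAC(kEnc, kMac);
  }

  /** Known-answer check with the worked example from ICAO 9303 Part 11, Appendix D. */
  static boolean selfTest() throws Exception {
    String info = mrzInformation("L898902C<", "690806", "940623");
    byte[] seed = kSeed(info);
    return "L898902C<369080619406236".equals(info)
        && "239AB9CB282DAF66231DC5A4DF6BFBAE".equals(hex(seed))
        && "AB94FDECF2674FDFB9B391F85D7F76F2".equals(hex(deriveKey(seed, 1)))
        && "7962D9ECE03D1ACD4C76089DCE131543".equals(hex(deriveKey(seed, 2)));
  }

  private static String hex(byte[] bytes) {
    StringBuilder sb = new StringBuilder();
    for (byte b : bytes) {
      sb.append(String.format("%02X", b));
    }
    return sb.toString();
  }
}
```

The keys are only as strong as the MRZ fields they are derived from, which is why BAC is the fallback and PACE (doPACE) the preferred access control on chips that offer it. Call selfTest() once when wiring this into an inspection system; a wrong check digit or a missing parity adjustment produces a key the chip silently rejects, which then looks like a failed BAC rather than a derivation bug.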

doPACE
@Deprecated public PACEResult doPACE(AccessKeySpec keySpec, String oid, AlgorithmParameterSpec params) throws net.sf.scuba.smartcards.CardServiceException
Deprecated. Use the variant with the additional parameter identifier.
Performs the PACE 2.0 / SAC protocol. A secure messaging channel is set up as a result.
- Parameters:
  - keySpec - the access key derived from the MRZ
  - oid - the PACE protocol object identifier as specified in the PACEInfo; it indicates the mapping (GM, IM or CAM), the key agreement (DH or ECDH), the cipher, the digest and the key length
  - params - the explicit static domain parameters for DH or ECDH
- Returns:
  - the result
- Throws:
  - net.sf.scuba.smartcards.CardServiceException - if authentication failed or on error
doPACE
public abstract PACEResult doPACE(AccessKeySpec keySpec, String oid, AlgorithmParameterSpec params, BigInteger parameterId) throws net.sf.scuba.smartcards.CardServiceException
Performs the PACE 2.0 / SAC protocol. A secure messaging channel is set up as a result.
- Parameters:
  - keySpec - the access key derived from the MRZ
  - oid - the PACE protocol object identifier as specified in the PACEInfo; it indicates the mapping (GM, IM or CAM), the key agreement (DH or ECDH), the cipher, the digest and the key length
  - params - the explicit static domain parameters for DH or ECDH
  - parameterId - the standardized domain parameter identifier from the PACEInfo, or null
- Returns:
  - the result
- Throws:
  - net.sf.scuba.smartcards.CardServiceException - if authentication failed or on error

sendSelectApplet
public abstract void sendSelectApplet(boolean shouldUseSecureMessaging) throws net.sf.scuba.smartcards.CardServiceException
Selects the card side applet. If PACE has been executed successfully before this call, the card has already authenticated us and a secure messaging channel is in place, so the selection is sent through that channel. If not, the caller should run BAC as the next step.
- Parameters:
  - shouldUseSecureMessaging - indicates whether a secure messaging channel has already been established (which is the case if PACE has been executed)
- Throws:
  - net.sf.scuba.smartcards.CardServiceException - on error
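The contract above (PACE first when the chip offers it, then sendSelectApplet with the flag set accordingly, and BAC only as the fallback) is easiest to see as one sequence. The following is an added example, not JMRTD's own code, written against PassportService, the subclass this page lists. Everything beyond the methods documented here is assumed to be the JMRTD 0.7-era API: the five-argument PassportService constructor and its NORMAL_MAX_TRANCEIVE_LENGTH, DEFAULT_MAX_BLOCKSIZE, EF_CARD_ACCESS and EF_DG1 constants, BACKey, PACEKeySpec.createMRZKey, CardAccessFile, PACEInfo.toParameterSpec, DG1File and MRZInfo.

```java
import java.math.BigInteger;
import java.security.spec.AlgorithmParameterSpec;

import net.sf.scuba.smartcards.CardService;
import net.sf.scuba.smartcards.CardServiceException;
import org.jmrtd.BACKey;
import org.jmrtd.PACEKeySpec;
import org.jmrtd.PassportService;
import org.jmrtd.lds.CardAccessFile;
import org.jmrtd.lds.PACEInfo;
import org.jmrtd.lds.SecurityInfo;
import org.jmrtd.lds.icao.DG1File;
import org.jmrtd.lds.icao.MRZInfo;

/** Example (not JMRTD's own code): open an ePassport with PACE where offered, BAC otherwise. */
public final class OpenEPassport {

  private OpenEPassport() {}

  /**
   * Returns a PassportService with secure messaging established.
   *
   * @param rawService    the underlying (terminal-specific, e.g. PC/SC) card service
   * @param documentNumber the MRZ document number
   * @param dateOfBirth   the MRZ date of birth, YYMMDD
   * @param dateOfExpiry  the MRZ date of expiry, YYMMDD
   */
  public static PassportService openWithAccessControl(CardService rawService,
      String documentNumber, String dateOfBirth, String dateOfExpiry) throws Exception {
    // Assumed constructor: (service, max transceive length, max block size, SFI enabled, check MACs).
    // shouldCheckMAC = true makes the service reject secure-messaging responses whose MAC does not verify.
    PassportService service = new PassportService(rawService,
        PassportService.NORMAL_MAX_TRANCEIVE_LENGTH, PassportService.DEFAULT_MAX_BLOCKSIZE, false, true);
    service.open();

    BACKey bacKey = new BACKey(documentNumber, dateOfBirth, dateOfExpiry);
    boolean paceSucceeded = false;

    // EF.CardAccess sits outside the applet and is readable without authentication;
    // a PACEInfo in it tells us that the chip supports PACE and which protocol variant to run.
    try {
      CardAccessFile cardAccess = new CardAccessFile(service.getInputStream(PassportService.EF_CARD_ACCESS));
      for (SecurityInfo info : cardAccess.getSecurityInfos()) {
        if (info instanceof PACEInfo) {
          PACEInfo paceInfo = (PACEInfo) info;
          BigInteger parameterId = paceInfo.getParameterId();       // standardized domain parameter id, may be null
          AlgorithmParameterSpec params = PACEInfo.toParameterSpec(parameterId);
          service.doPACE(PACEKeySpec.createMRZKey(bacKey), paceInfo.getObjectIdentifier(), params, parameterId);
          paceSucceeded = true;
          break;
        }
      }
    } catch (CardServiceException e) {
      // No EF.CardAccess, or PACE failed: fall back to BAC after selecting the applet.
    }

    // With PACE done the channel is already secure, so select the applet through it (flag = true);
    // otherwise select in the clear and run BAC as the next step, as sendSelectApplet's contract says.
    service.sendSelectApplet(paceSucceeded);
    if (!paceSucceeded) {
      service.doBAC(bacKey);
    }
    return service;
  }

  /** First thing to check once the channel is up: DG1's MRZ must carry the document number we typed. */
  public static boolean dg1MatchesDocumentNumber(PassportService service, String documentNumber) throws Exception {
    DG1File dg1 = new DG1File(service.getInputStream(PassportService.EF_DG1));
    MRZInfo mrz = dg1.getMRZInfo();
    return documentNumber.equals(mrz.getDocumentNumber());
  }
}
```

Keeping shouldCheckMAC on matters: with it off, a response whose MAC does not verify is still handed to the caller, which defeats the integrity half of secure messaging. The fallback to BAC after a failed PACE is deliberate for interoperability, but an inspection system that downgrades silently should at least log it, since a chip that advertises PACE in EF.CardAccess and then fails it is worth a second look.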

sendSelectMF
public abstract void sendSelectMF() throws net.sf.scuba.smartcards.CardServiceException
Selects the master file.
- Throws:
  - net.sf.scuba.smartcards.CardServiceException - on error

doAA
public abstract AAResult doAA(PublicKey publicKey, String digestAlgorithm, String signatureAlgorithm, byte[] challenge) throws net.sf.scuba.smartcards.CardServiceException
Performs the Active Authentication protocol.
- Parameters:
  - publicKey - the public key to use (usually read from the card's DG15)
  - digestAlgorithm - the digest algorithm to use, or null
  - signatureAlgorithm - the signature algorithm
  - challenge - the challenge sent to the card
- Returns:
  - the Active Authentication result, wrapping the challenge and the card's response (not a boolean: the response still has to be verified against the public key)
- Throws:
  - net.sf.scuba.smartcards.CardServiceException - on error
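Because doAA returns the exchange rather than a verdict, the verification is the caller's job, and it is where clones are caught: the chip must prove possession of the private key matching DG15. The following is an added example, not JMRTD's own code. It reads DG15, sends a fresh challenge and verifies the response for both key types: RSA responses are ISO/IEC 9796-2 scheme 1 signatures with partial message recovery, which are decoded by hand here; ECDSA responses are the plain r || s format ICAO 9303 prescribes, re-encoded to DER for the JCA. Assumed beyond this page: DG15File and PassportService.EF_DG15, AAResult in org.jmrtd.protocol with a getResponse() accessor, and SHA-256 as the ECDSA digest (in practice it comes from the ActiveAuthenticationInfo in DG14).

```java
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;

import org.jmrtd.PassportService;
import org.jmrtd.lds.icao.DG15File;
import org.jmrtd.protocol.AAResult;   // assumed package for the result type shown on this page

/** Example (not JMRTD's own code): run Active Authentication and verify the chip's response ourselves. */
public final class ActiveAuthenticationCheck {

  private ActiveAuthenticationCheck() {}

  /** Reads the AA public key from DG15, sends a fresh 8-byte challenge and verifies what comes back. */
  public static boolean runAndVerify(PassportService service) throws Exception {
    DG15File dg15 = new DG15File(service.getInputStream(PassportService.EF_DG15));
    PublicKey publicKey = dg15.getPublicKey();
    byte[] challenge = new byte[8];            // RND.IFD: 8 random bytes, fresh per run (replay protection)
    new SecureRandom().nextBytes(challenge);

    if (publicKey instanceof RSAPublicKey) {
      AAResult result = service.doAA(publicKey, null, null, challenge);
      return verifyRsaIso9796((RSAPublicKey) publicKey, challenge, result.getResponse());
    }
    if (publicKey instanceof ECPublicKey) {
      AAResult result = service.doAA(publicKey, "SHA-256", "SHA256withECDSA", challenge);   // digest assumed
      return verifyPlainEcdsa(publicKey, "SHA256withECDSA", challenge, result.getResponse());
    }
    throw new IllegalArgumentException("unsupported AA key type: " + publicKey.getAlgorithm());
  }

  /** ISO 9796-2 scheme 1, partial recovery: s^e mod n = header || [padding] || M1 || H(M1 || challenge) || trailer. */
  static boolean verifyRsaIso9796(RSAPublicKey key, byte[] challenge, byte[] signature) throws Exception {
    BigInteger n = key.getModulus();
    int k = (n.bitLength() + 7) / 8;
    BigInteger f = new BigInteger(1, signature).modPow(key.getPublicExponent(), n);
    byte[] block = toFixedLength(f, k);
    if ((block[0] & 0xC0) != 0x40) {
      block = toFixedLength(n.subtract(f), k);   // 9796-2 lets the signer emit n - s instead of s
    }
    if ((block[0] & 0xC0) != 0x40 || (block[0] & 0x20) == 0) {
      return false;                              // no 9796-2 header, or full recovery instead of partial
    }
    int start = 1;
    if ((block[0] & 0x0F) == 0x0B) {             // header 0x6B: padding bytes BB..BB BA precede M1
      while (start < block.length && (block[start] & 0xFF) == 0xBB) start++;
      if (start >= block.length || (block[start] & 0xFF) != 0xBA) return false;
      start++;
    } else if ((block[0] & 0x0F) != 0x0A) {      // header 0x6A: M1 starts right after the header
      return false;
    }
    int end = block.length;
    String hashName;
    switch (block[end - 1] & 0xFF) {
      case 0xBC: hashName = "SHA-1"; end -= 1; break;                               // implicit trailer
      case 0xCC: hashName = hashForIsoId(block[end - 2] & 0xFF); end -= 2; break;   // id || CC trailer
      default: return false;
    }
    MessageDigest md = MessageDigest.getInstance(hashName);
    int hashLen = md.getDigestLength();
    if (end - hashLen < start) return false;
    byte[] m1 = Arrays.copyOfRange(block, start, end - hashLen);          // chip-chosen M1
    byte[] expected = Arrays.copyOfRange(block, end - hashLen, end);     // H(M1 || M2), M2 = our challenge
    md.update(m1);
    md.update(challenge);
    return MessageDigest.isEqual(expected, md.digest());
  }

  /** ISO/IEC 10118-3 hash identifiers used in the two-byte 9796-2 trailer. */
  private static String hashForIsoId(int id) {
    switch (id) {
      case 0x33: return "SHA-1";
      case 0x34: return "SHA-256";
      case 0x35: return "SHA-512";
      case 0x36: return "SHA-384";
      case 0x38: return "SHA-224";
      default: throw new IllegalArgumentException("unknown hash id 0x" + Integer.toHexString(id));
    }
  }

  /** ECDSA AA responses are plain r || s; the JCA verifier wants a DER SEQUENCE of two INTEGERs. */
  static boolean verifyPlainEcdsa(PublicKey key, String jcaAlgorithm, byte[] challenge, byte[] plainSig) throws Exception {
    int half = plainSig.length / 2;
    byte[] r = derInteger(new BigInteger(1, Arrays.copyOfRange(plainSig, 0, half)));
    byte[] s = derInteger(new BigInteger(1, Arrays.copyOfRange(plainSig, half, plainSig.length)));
    byte[] body = Arrays.copyOf(r, r.length + s.length);
    System.arraycopy(s, 0, body, r.length, s.length);
    Signature sig = Signature.getInstance(jcaAlgorithm);
    sig.initVerify(key);
    sig.update(challenge);
    return sig.verify(derTlv(0x30, body));
  }

  private static byte[] derInteger(BigInteger v) {
    return derTlv(0x02, v.toByteArray());       // toByteArray() is already minimal two's complement
  }

  private static byte[] derTlv(int tag, byte[] body) {   // lengths up to 255 bytes, enough for any ECDSA signature
    byte[] len = body.length < 128 ? new byte[] {(byte) body.length} : new byte[] {(byte) 0x81, (byte) body.length};
    byte[] out = new byte[1 + len.length + body.length];
    out[0] = (byte) tag;
    System.arraycopy(len, 0, out, 1, len.length);
    System.arraycopy(body, 0, out, 1 + len.length, body.length);
    return out;
  }

  private static byte[] toFixedLength(BigInteger x, int k) {
    byte[] raw = x.toByteArray();
    byte[] out = new byte[k];
    int skip = Math.max(0, raw.length - k);     // drop the sign byte toByteArray() may prepend
    System.arraycopy(raw, skip, out, k - (raw.length - skip), raw.length - skip);
    return out;
  }
}
```

A passing verification only means the chip holds the private key for the DG15 it presented; it says nothing unless DG15 itself has been checked against the hashes in EF.SOD (Passive Authentication) first, otherwise a clone simply ships its own key pair. The constant-time MessageDigest.isEqual is used for the hash comparison on purpose, and an unknown header or trailer is rejected rather than guessed at.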

doEACCA
public abstract EACCAResult doEACCA(BigInteger keyId, String oid, String publicKeyOID, PublicKey publicKey) throws net.sf.scuba.smartcards.CardServiceException
Performs the CA (Chip Authentication) part of EAC (version 1). For details see TR-03110 ver. 1.11. In short, we authenticate the chip with an (EC)DH key agreement protocol and derive new secure messaging keys. A new secure messaging channel is set up as a result.
- Parameters:
  - keyId - the chip's public key id (stored in DG14), null if none
  - oid - the object identifier indicating the Chip Authentication protocol
  - publicKeyOID - the object identifier indicating the public key algorithm used
  - publicKey - the passport's public key (stored in DG14)
- Returns:
  - the Chip Authentication result
- Throws:
  - net.sf.scuba.smartcards.CardServiceException - if CA failed or some error occurred

doEACTA
public abstract EACTAResult doEACTA(CVCPrincipal caReference, List<CardVerifiableCertificate> terminalCertificates, PrivateKey terminalKey, String taAlg, EACCAResult chipAuthenticationResult, String documentNumber) throws net.sf.scuba.smartcards.CardServiceException
Performs the Terminal Authentication (TA) part of EAC (version 1). For details see TR-03110 ver. 1.11. In short, we feed the sequence of terminal certificates to the card for verification, get a challenge from the card, sign it with the terminal private key, and send the result back to the card for verification. This variant is for a channel that was set up with BAC.
- Parameters:
  - caReference - the certificate authority reference identifying the CVCA the chip trusts (the root of the certificate chain)
  - terminalCertificates - the terminal certificate chain, from the CVCA down to the terminal certificate
  - terminalKey - the terminal private key matching the terminal certificate
  - taAlg - the signature algorithm used for the Terminal Authentication signature
  - chipAuthenticationResult - the result of the preceding Chip Authentication
  - documentNumber - the document number, used as the chip identifier (ID_PICC) in the signed data when the channel was set up with BAC
- Returns:
  - the Terminal Authentication result
- Throws:
  - net.sf.scuba.smartcards.CardServiceException - on error

doEACTA
public abstract EACTAResult doEACTA(CVCPrincipal caReference, List<CardVerifiableCertificate> terminalCertificates, PrivateKey terminalKey, String taAlg, EACCAResult chipAuthenticationResult, PACEResult paceResult) throws net.sf.scuba.smartcards.CardServiceException
Performs the Terminal Authentication (TA) part of EAC (version 1). For details see TR-03110 ver. 1.11. In short, we feed the sequence of terminal certificates to the card for verification, get a challenge from the card, sign it with the terminal private key, and send the result back to the card for verification. This variant is for a channel that was set up with PACE.
- Parameters:
  - caReference - the certificate authority reference identifying the CVCA the chip trusts (the root of the certificate chain)
  - terminalCertificates - the terminal certificate chain, from the CVCA down to the terminal certificate
  - terminalKey - the terminal private key matching the terminal certificate
  - taAlg - the signature algorithm used for the Terminal Authentication signature
  - chipAuthenticationResult - the result of the preceding Chip Authentication
  - paceResult - the PACE result; the chip's ephemeral PACE public key serves as the chip identifier (ID_PICC) in the signed data instead of the document number
- Returns:
  - the Terminal Authentication result
- Throws:
  - net.sf.scuba.smartcards.CardServiceException - on error
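The two EAC steps have a fixed order in version 1 (Chip Authentication first, then Terminal Authentication bound to its result) and the inputs to both come from files on the chip: DG14 for the CA key and protocol identifier, EF.CVCA for the trust point the terminal chain must be rooted at. The following is an added example, not JMRTD's own code, that runs both steps on a PassportService after PACE or BAC and picks the doEACTA overload by how the channel was set up. Assumed beyond this page: DG14File, ChipAuthenticationInfo, ChipAuthenticationPublicKeyInfo and the SecurityInfo OID constants, CVCAFile with getCAReference(), CardVerifiableCertificate.getSigAlgName(), the EF_DG14 and EF_CVCA constants, and the result types living in org.jmrtd.protocol. The terminal's certificate chain and private key come from the inspection system's own key store and are passed in.

```java
import java.math.BigInteger;
import java.security.PrivateKey;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;

import org.jmrtd.PassportService;
import org.jmrtd.cert.CVCPrincipal;
import org.jmrtd.cert.CardVerifiableCertificate;
import org.jmrtd.lds.CVCAFile;
import org.jmrtd.lds.ChipAuthenticationInfo;
import org.jmrtd.lds.ChipAuthenticationPublicKeyInfo;
import org.jmrtd.lds.SecurityInfo;
import org.jmrtd.lds.icao.DG14File;
import org.jmrtd.protocol.EACCAResult;   // assumed package for the result types shown on this page
import org.jmrtd.protocol.EACTAResult;
import org.jmrtd.protocol.PACEResult;

/** Example (not JMRTD's own code): EAC v1 in the order the chip expects, Chip Authentication then Terminal Authentication. */
public final class EacV1Session {

  private EacV1Session() {}

  /**
   * @param service        a service on which PACE or BAC has already succeeded
   * @param terminalChain  CVCA, DV and IS certificates, in the order the chip verifies them
   * @param terminalKey    the private key matching the last (IS) certificate
   * @param documentNumber the MRZ document number, used as ID_PICC when the channel came from BAC
   * @param paceResult     the PACE result, or null when BAC was used
   */
  public static EACTAResult run(PassportService service, List<CardVerifiableCertificate> terminalChain,
      PrivateKey terminalKey, String documentNumber, PACEResult paceResult) throws Exception {

    // 1. Chip Authentication. DG14 holds the chip's CA public key(s) and, optionally, the protocol identifier(s).
    DG14File dg14 = new DG14File(service.getInputStream(PassportService.EF_DG14));
    List<ChipAuthenticationPublicKeyInfo> keyInfos = new ArrayList<>();
    List<ChipAuthenticationInfo> caInfos = new ArrayList<>();
    for (SecurityInfo info : dg14.getSecurityInfos()) {
      if (info instanceof ChipAuthenticationPublicKeyInfo) {
        keyInfos.add((ChipAuthenticationPublicKeyInfo) info);
      } else if (info instanceof ChipAuthenticationInfo) {
        caInfos.add((ChipAuthenticationInfo) info);
      }
    }
    if (keyInfos.isEmpty()) {
      throw new IllegalStateException("DG14 carries no Chip Authentication public key");
    }
    ChipAuthenticationPublicKeyInfo keyInfo = keyInfos.get(0);
    BigInteger keyId = keyInfo.getKeyId();                    // null when the chip has a single CA key
    String publicKeyOid = keyInfo.getObjectIdentifier();      // id-PK-DH or id-PK-ECDH

    // Pair the key with the ChipAuthenticationInfo that names the same keyId (or names none).
    String caOid = null;
    for (ChipAuthenticationInfo caInfo : caInfos) {
      if (caInfo.getKeyId() == null || Objects.equals(caInfo.getKeyId(), keyId)) {
        caOid = caInfo.getObjectIdentifier();
        break;
      }
    }
    if (caOid == null) {
      // Some EAC v1 chips omit ChipAuthenticationInfo; TR-03110 v1 then implies the 3DES variant for the key's agreement algorithm.
      caOid = SecurityInfo.ID_PK_ECDH.equals(publicKeyOid)
          ? SecurityInfo.ID_CA_ECDH_3DES_CBC_CBC : SecurityInfo.ID_CA_DH_3DES_CBC_CBC;
    }
    EACCAResult caResult = service.doEACCA(keyId, caOid, publicKeyOid, keyInfo.getSubjectPublicKey());

    // 2. Terminal Authentication. The chip accepts only a chain rooted at the CVCA it trusts; EF.CVCA names it.
    CVCAFile cvca = new CVCAFile(service.getInputStream(PassportService.EF_CVCA));
    CVCPrincipal caReference = cvca.getCAReference();
    CardVerifiableCertificate terminalCert = terminalChain.get(terminalChain.size() - 1);
    String taAlg = terminalCert.getSigAlgName();              // must match terminalKey, e.g. SHA256withECDSA

    // ID_PICC in the signed data depends on how the channel was opened, hence the two overloads.
    EACTAResult taResult = (paceResult != null)
        ? service.doEACTA(caReference, terminalChain, terminalKey, taAlg, caResult, paceResult)
        : service.doEACTA(caReference, terminalChain, terminalKey, taAlg, caResult, documentNumber);

    // Only after TA are the EAC-protected data groups (DG3 fingerprints, DG4 iris) readable on this service.
    return taResult;
  }
}
```

Two things to watch in practice: the chain handed to the chip must start at the CVCA named in EF.CVCA (during a CVCA key rollover the file carries a second, alternative reference, and the chain must match one of them), and the chip checks the certificates' validity dates against its own notion of time, so a terminal with a stale DV or IS certificate fails TA even though everything else is correct.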

getWrapper
public abstract SecureMessagingWrapper getWrapper()
Returns the secure messaging wrapper currently in use.
- Returns:
  - the secure messaging wrapper

getMaxReadBinaryLength
public abstract int getMaxReadBinaryLength()
Returns the currently set maximum length to be requested in READ BINARY commands. If the applet file system has not yet been selected, this returns the normal length.
- Returns:
  - the currently set maximum length to be requested in READ BINARY commands