Package org.jmrtd.protocol

Class EACCAProtocol

  • public class EACCAProtocol
extends Object
    The EAC Chip Authentication protocol (version 1).
    Since:
    0.5.6
    Version:
    $Revision: 1805 $
    Author:
    The JMRTD team ([email protected])

    • Constructor Detail

      • EACCAProtocol

        public EACCAProtocol​(APDULevelEACCACapable service,
                     SecureMessagingWrapper wrapper,
                     int maxTranceiveLength,
                     boolean shouldCheckMAC)
        Constructs a protocol instance.
        Parameters:
        service - the card service
        wrapper - the existing secure messaging wrapper
        maxTranceiveLength - the maximal tranceive length (on responses to READ BINARY) to use in the resulting secure messaging channel
        shouldCheckMAC - whether the resulting secure messaging channel should apply strict MAC checking on response APDUs

    • Method Detail

      • doCA

        public EACCAResult doCA​(BigInteger keyId,
                        String oid,
                        String publicKeyOID,
                        PublicKey piccPublicKey)
                 throws net.sf.scuba.smartcards.CardServiceException
        Perform EAC-CA (Chip Authentication) part of EAC (version 1). For details see TR-03110 ver. 1.11. In short, we authenticate the chip with DH or ECDH key agreement protocol and create new secure messaging keys. The newly established secure messaging wrapper is made available to the caller in the result.
        Parameters:
        keyId - passport's public key id (stored in DG14), null if none
        oid - the object identifier indicating the Chip Authentication protocol
        publicKeyOID - the OID indicating the type of public key
        piccPublicKey - PICC's public key (stored in DG14)
        Returns:
        the Chip Authentication result
        Throws:
        net.sf.scuba.smartcards.CardServiceException - if Chip Authentication failed or some error occurred

      • sendPublicKey

        public static void sendPublicKey​(APDULevelEACCACapable service,
                                 SecureMessagingWrapper wrapper,
                                 String oid,
                                 BigInteger keyId,
                                 PublicKey pcdPublicKey)
                          throws net.sf.scuba.smartcards.CardServiceException
        Sends the PCD's public key to the PICC.
        Parameters:
        service - the card service
        wrapper - the existing secure messaging wrapper
        oid - the Chip Authentication object identifier
        keyId - a key identifier or null
        pcdPublicKey - the public key to send
        Throws:
        net.sf.scuba.smartcards.CardServiceException - on error

      • computeSharedSecret

        public static byte[] computeSharedSecret​(String agreementAlg,
                                         PublicKey piccPublicKey,
                                         PrivateKey pcdPrivateKey)
                                  throws NoSuchAlgorithmException,
                                         InvalidKeyException
        Performs the key agreement step. Generates a secret based on the PICC's public key and the PCD's private key.
        Parameters:
        agreementAlg - the agreement algorithm
        piccPublicKey - the PICC's public key
        pcdPrivateKey - the PCD's private key
        Returns:
        the shared secret
        Throws:
        NoSuchAlgorithmException - if the agreement algorithm is unsupported
        InvalidKeyException - if one of the keys is invalid

      • restartSecureMessaging

        public static SecureMessagingWrapper restartSecureMessaging​(String oid,
                                                            byte[] sharedSecret,
                                                            int maxTranceiveLength,
                                                            boolean shouldCheckMAC)
                                                     throws GeneralSecurityException
        Restarts secure messaging based on the shared secret.
        Parameters:
        oid - the Chip Authentication object identifier
        sharedSecret - the shared secret
        maxTranceiveLength - the maximum APDU tranceive length
        shouldCheckMAC - whether to check MAC
        Returns:
        the secure messaging wrapper
        Throws:
        GeneralSecurityException - on error

      • getWrapper

        public SecureMessagingWrapper getWrapper()
        Returns the secure messaging wrapper currently in use.
        Returns:
        a secure messaging wrapper

      • getKeyHash

        public static byte[] getKeyHash​(String agreementAlg,
                                PublicKey pcdPublicKey)
                         throws NoSuchAlgorithmException
        Returns the key hash which will be used as input for Terminal Authentication.
        Parameters:
        agreementAlg - the agreement algorithm, either "DH" or "ECDH"
        pcdPublicKey - the inspection system's public key
        Returns:
        the key hash
        Throws:
        NoSuchAlgorithmException - on error