Comments (20)
That's a shame! Not quite sure what to do here really. I could add a flag to enable extended mode BUT you'd have to know that the passport supports/doesn't support that. I'll dig a little more into the JMRTD code and see if I can see what they did to solve this. I had a quick look through and they had some functions in Bouncy Castle that could get certain info about the keys that I haven't yet figured out how to do (I'm sure it's possible though).
from nfcpassportreader.
Could you try with version 2.1.1 and see if that works for you (that doesn't enable extended read) and has been working for most passports (except newer Australian and probably other newer ones)?
from nfcpassportreader.
So what I've done for the moment is instead of enabling extended mode for AA by default, we now have an additional flag set on PassportReader init - useExtendedMode. Not ideal but will think more.
Also, as per #224 - We're now using OpenSSL 1.1.2300 which is a signed release and includes a privacy policy.
Currently main branch only.
from nfcpassportreader.
The latest update solved my problem, thank you. You saved me from a big issue; I had been researching it for a week.
from nfcpassportreader.
It's definitely getting closer. I'm still not 100% happy as I don't yet know which passports support extended reads and which don't! It looks like some Chinese ones don't but I'm sure there are others too. So I can't yet say when you should use extended read or not. JMRTD does some best guesses based on key lengths BUT I haven't yet figured out how to replicate that in OpenSSL (JMRTD uses Bouncy Castle which has different APIs).
from nfcpassportreader.
Setting Expected Response Length to 231 on this line works for those documents as well. Guessing the extended format is not being liked.
from nfcpassportreader.
That's really annoying! Will have a re-think.
from nfcpassportreader.
I've created a test branch - aa_test which makes the following changes:
- passportReader.readPassport now takes in an optional PassportReaderOptions struct with various configuration options
- Added option usePACEPolling - Switches to PACE polling for detecting passports rather than iso14443
- Active Authentication no longer always uses extended read
- Instead, we first try with standard 256 byte read, and if fails, tries extended read
- Note this is currently untested as I don't have any passports that require extended read
- Sample app updated to show new options
If anyone can test this branch to see if it works fine that would be great!
from nfcpassportreader.
I do not believe that would work. Some documents (like that Australian passport in #194) will actually return OK with a partial signature (cutting off whatever did not fit). The implementation in aa_test would return that response and not go for an extended read.
This of course would work fine for this one document I now mentioned in this issue, but that other one would again break.
from nfcpassportreader.
Hmmm, that's a good point. Wonder if it would work the other way round? Try first with extended read and if that failed then try standard? I've pushed up a small change to try that.
from nfcpassportreader.
That will not work for my document as you would need to handle the NFCPasswordReaderError.ResponseError thrown from TagReader.send(). This Chinese document returns sw - 0x69, sw2 - 0x88 (SM data objects incorrect) when doing the extended version first.
from nfcpassportreader.
Ah of course - small change! - currently doesn't check the error, just retries non-extended - any better?
I'm really interested if the passport will allow the normal read after the extended read fails!
from nfcpassportreader.
Well... Apparently that will give you:
(Extended try)
sw - 0x67, sw2 - 0x00, and no data
and then
(Normal try)
sw - 0x69, sw2 - 0x88, and no data
So apparently not.
from nfcpassportreader.
?
from nfcpassportreader.
@rbrouwer Did you solve the problem?
from nfcpassportreader.
The doInternalAuthentication function is actually not working. Active Authentication (AA) is not being created.
from nfcpassportreader.
Hello, I tried but unfortunately there was an issue. It doesn't decode, most likely. The ID is a Turkish ID and it should normally be supported.
from nfcpassportreader.
It works seamlessly on Android using JMRTD.
from nfcpassportreader.
@AndyQ looks like it's working for @baskurtbey maybe it's time for a release? ;)
Also, when should we use the flag for extended? Which passports, as far as you know, require it to read them correctly?
from nfcpassportreader.
@AndyQ for what it's worth, ICAO specifies in https://www.icao.int/publications/documents/9303_p11_cons_en.pdf that
Note. It should be noted that when using key lengths exceeding 1 848 bits (if Secure Messaging with 3DES is used) / 1 792 bits (if Secure Messaging with AES is used) in Active Authentication with Secure Messaging, Extended Length APDUs MUST be supported by the eMRTD chip and the Inspection System.
For Australian R-series EPassports, DG14 includes id-PACE-ECDH-GM-AES-CBC-CMAC-256
(0.4.0.127.0.7.2.2.4.2.4) as the only supported PACE algorithm.
This is a 256-byte key, so based on that we know the chip MUST support extended length APDUs.
Logs from here are:
doPace - inpit parameters
paceOID - 0.4.0.127.0.7.2.2.4.2.4
parameterSpec - 933
mappingType - Generic Mapping
agreementAlg - ECDH
cipherAlg - AES
digestAlg - SHA-256
keyLength - 256
from nfcpassportreader.
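The two retry orders tried on the aa_test branch (standard first, then extended first) and the ICAO key-length rule quoted above, modelled as an added example that is not code from NFCPassportReader or JMRTD. The chip behaviours are constructed from the status words quoted in the thread; the 2048-bit/AES and 1024-bit/3DES key parameters are assumptions, as are the SimChip, aa_retry and aa_by_key_length names.

```python
# Added example, not code from NFCPassportReader or JMRTD. Models the two Active
# Authentication retry orders tried in the thread against two constructed chips,
# and the ICAO 9303 Part 11 key-length rule for choosing Extended Length APDUs.
SW_OK = (0x90, 0x00)
SW_WRONG_LENGTH = (0x67, 0x00)   # quoted in the thread: extended try rejected
SW_SM_INCORRECT = (0x69, 0x88)   # quoted: "SM data objects incorrect"
# ICAO 9303 Part 11: AA under Secure Messaging needs Extended Length APDUs when
# the key exceeds 1848 bits (3DES SM) / 1792 bits (AES SM), i.e. 231 / 224 bytes.
AA_KEY_LIMIT_BITS = {"3DES": 1848, "AES": 1792}

def needs_extended_length(aa_key_bits, sm_cipher):
    return aa_key_bits > AA_KEY_LIMIT_BITS[sm_cipher]

class SimChip:
    """Constructed chip model. A short (Le=256) INTERNAL AUTHENTICATE carries at
    most AA_KEY_LIMIT_BITS/8 signature bytes once SM overhead is added. Chips that
    'truncate' answer 0x9000 with a partial signature (the Australian case); chips
    without extended-length support answer 0x6700, then 0x6988 to later SM APDUs."""
    def __init__(self, aa_key_bits, sm_cipher, supports_extended, truncates):
        self.sig_len = aa_key_bits // 8
        self.short_max = AA_KEY_LIMIT_BITS[sm_cipher] // 8
        self.supports_extended, self.truncates, self.sm_ok = supports_extended, truncates, True

    def internal_authenticate(self, extended):
        if not self.sm_ok:
            return SW_SM_INCORRECT, b""
        if extended and not self.supports_extended:
            self.sm_ok = False           # Secure Messaging state is now out of sync
            return SW_WRONG_LENGTH, b""
        if not extended and self.sig_len > self.short_max and not self.truncates:
            return SW_WRONG_LENGTH, b""
        n = self.sig_len if extended else min(self.sig_len, self.short_max)
        return SW_OK, b"\xaa" * n        # constructed signature bytes

def aa_retry(chip, first_extended):      # one mode first, the other on any non-0x9000
    sw, sig = chip.internal_authenticate(extended=first_extended)
    if sw != SW_OK:
        sw, sig = chip.internal_authenticate(extended=not first_extended)
    return sw, sig

def aa_by_key_length(chip, aa_key_bits, sm_cipher):
    return chip.internal_authenticate(needs_extended_length(aa_key_bits, sm_cipher))

def signature_complete(sw, sig, aa_key_bits):
    return sw == SW_OK and len(sig) == aa_key_bits // 8

# Assumed parameters: 2048-bit AA key with AES SM (Australian-like), 1024-bit with 3DES SM (Chinese-like)
def australian(): return SimChip(2048, "AES", supports_extended=True, truncates=True)
def chinese():    return SimChip(1024, "3DES", supports_extended=False, truncates=False)
```

Running aa_retry(australian(), first_extended=False) returns 0x9000 with only 224 of 256 signature bytes, and aa_retry(chinese(), first_extended=True) reproduces the 0x6700 then 0x6988 sequence; aa_by_key_length gets a complete signature from both.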