Active Authentication fails - SW2 indicates 27 bytes still available #174
Comments
In this case possibly doing some additional read, perhaps 0xC0, (bit like TagReader in selectFileAndRead, but with 0xC0) might get the remaining data? I guess in that case either PassportReader or TagReader would need to handle that. It would also be nice if in case of a NFCPasswordReaderError.ResponseError the data would get passed along, so the first 256 do not have to be re-read using a read. Looking at JMRTD that would be the right thing to do; looking at https://sourceforge.net/p/jmrtd/code/HEAD/tree/trunk/jmrtd/src/main/java/org/jmrtd/protocol/SecureMessagingAPDUSender.java#l204
In my case, there seems to be a problem with Netherlands National ID where AA response is too short - 14 bytes vs 80 in JMRTD
I have not seen any issues with Netherlands National ID (other than iPhones not having the strongest RFID antennas). What model is it precisely?/when was that ID issued? And it possibly might be a different issue or do you also get an identical response object?
Is there any reference on what iPhone models might experience this? It would be very helpful to know which models are "problematic"
might be - NFCPassportReader verifies the signature and greenlights it; however, our backend which uses same code as JMRTD to verify the signature says it's incorrect. Which is a bit weird as NFCPassportReader is based on JMRTD :/ ID is issued in 2021
iPhone 14 Pro really does not like the latest NLD passports (2021 and later).
New French passport is also finicky on iPhone 14 Pro (iPhone 13 works fine)
Should be fixed in release 2.1.1
Some passports (I know of Finland) with active authentication using long m1 and different RSA SHA hashes will have response exceeding 256 bytes when doing tagReader.doInternalAuthentication.
This will result in response containing sw1 - 0x61, sw2 - 0x1B, which causes a NFCPasswordReaderError.ResponseError.
Increasing expectedResponseLength in doInternalAuthentication removes this exception, but also only returns 256 bytes of the response, which is then invalid for verifyActiveAuthentication (given part of the hash and the trailing bytes will be gone).
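The SW1 = 0x61 handling discussed in this issue, as an added example that is not NFCPassportReader's or JMRTD's code: after a response ending in 61 xx, a GET RESPONSE (INS 0xC0) with Le = SW2 fetches the remaining bytes, and the error case carries the data already read. `Transmit`, `ChainError`, `transmitFollowingChain` and the mock card are hypothetical names, and the sketch assumes plain APDUs with secure messaging wrapping left out.

```swift
import Foundation

// Hypothetical transport: sends one command APDU, returns (data, SW1, SW2).
// A closure stands in for the NFC tag so the example runs offline.
typealias Transmit = ([UInt8]) throws -> ([UInt8], UInt8, UInt8)

enum ChainError: Error {
    case status(sw1: UInt8, sw2: UInt8, partial: [UInt8])  // keeps bytes read so far
    case tooManyRounds
}

// Sends `command`, then follows every SW1 = 0x61 with GET RESPONSE (INS 0xC0)
// until the card answers 90 00, concatenating the data fields in order.
func transmitFollowingChain(_ command: [UInt8], via transmit: Transmit,
                            maxRounds: Int = 8) throws -> [UInt8] {
    var (data, sw1, sw2) = try transmit(command)
    var collected = data
    var rounds = 0
    while sw1 == 0x61 {
        rounds += 1
        guard rounds <= maxRounds else { throw ChainError.tooManyRounds }
        // Le = SW2: the number of bytes the card reports as still available.
        (data, sw1, sw2) = try transmit([0x00, 0xC0, 0x00, 0x00, sw2])
        collected += data
    }
    guard sw1 == 0x90, sw2 == 0x00 else {
        throw ChainError.status(sw1: sw1, sw2: sw2, partial: collected)
    }
    return collected
}

// Constructed mock card: a 283-byte INTERNAL AUTHENTICATE answer delivered as
// 256 bytes + 61 1B, then 27 bytes + 90 00 (the sizes reported in this issue).
let full: [UInt8] = (0..<283).map { UInt8($0 % 251) }
let mockCard: Transmit = { apdu in
    switch apdu[1] {
    case 0x88: return (Array(full[0..<256]), 0x61, 0x1B)
    case 0xC0: return (Array(full[256...]), 0x90, 0x00)
    default:   return ([], 0x6D, 0x00)  // INS not supported
    }
}
// Constructed 8-byte challenge inside INTERNAL AUTHENTICATE (INS 0x88), Le = 0x00.
let internalAuth: [UInt8] = [0x00, 0x88, 0x00, 0x00, 0x08] + Array(repeating: 0xA5, count: 8) + [0x00]
do {
    let signature = try transmitFollowingChain(internalAuth, via: mockCard)
    print(signature.count, signature == full)
} catch {
    print("failed:", error)
}
```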