-
Notifications
You must be signed in to change notification settings - Fork 257
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Error identifying Active Authentication Hash Algorithm - Chinese ePassport #223
Comments
Setting Expected Response Length to 231 on this line works for those documents as well. Guessing the extended format is not being liked. |
Thats really annoying! will have a re-think |
I've created a test branch - aa_test which makes the following changes:
If anyone can test this branch to see if it works fine that would be great! |
I do not believe that would work. Some documents (like that Australian passport in #194) will actually return OK with a partial signature (cutting off whatever did not fit). The implementation in aa_test would return that response and not go for an extended read. This of course would work fine for this one document I now mentioned in this issue, but that other one would again break. |
Hmmm thats a good point. Wonder if it would work the other way round? try first with extended read and if that failed then try standard? I've pushed up a small change to try that |
That will not work for my document as you would need to handle the NFCPasswordReaderError.ResponseError thrown from TagReader.send(). This Chinese document returns sw - 0x69, sw2 - 0x88 (SM data objects incorrect) when doing the extended version first. |
Ah of course - small change! - currently doesn't check the error, just retries non-extended - any better? I'm really interested if the passport will allow the normal read after the extended read fails! |
Well... Apparently that will give you: and then So apparently not. |
? |
@rbrouwer Did you solve the problem |
The |
Thats a shame! Not quite sure what to do here really. I could add a flag to enable extended mode BUT you'd have to know that the passport supports/doesn't support that. I'll did a little more into JMRTD code and see if I can see what they did to solve this. I had a quick look thorugh and they had some functions in bouncy castle that could get certain info about the keys that I haven't yet figured out how to do (I'm sure its possible though). |
Could you try with version 2.1.1 and see if that works for you (that doesn't enable extended read) and has been working for most passports (except newer Australian and probably other newer ones)? |
Hello, I tried but unfortunately there was an issue. It doesn't decode, most likely. The ID is a Turkish ID and it should normally be supported. |
It works seamlessly on Android using JMRTD. |
So what I've done for the moment is instead of enabling extended mode for AA by default, we now have an additional flag set on PassportReader init - useExtendedMode. Not ideal but will think more. Also, as per #224 - We're now using OpenSSL 1.1.2300 which is a signed release and includes a privacy policy. Currently main branch only, |
The latest update solved my problem, thank you. You saved me from a big issue; I had been researching it for a week. 🙏❤️ |
@AndyQ looks like it's working for @baskurtbey maybe it's time for a release? ;) Also, when we should use the flag for extended? Which passports as far as you know require it to read them correctly? |
It's definitely getting closer. I'm still not 100% happy as I do t yet know what passport support extended reads and which don't! It looks like some Chinese ones don't but I'm sure there are others too. So I can't yet say when you should use extended read or not. JMRTD does some best guesses based on key lengths BITBi haven't yet figured out how to replicate that in OpenSSL (JMRTD uses bouncycastle which has different APIs). |
@AndyQ for what it's worth, ICAO specifies in https://www.icao.int/publications/documents/9303_p11_cons_en.pdf that
For Australian R-series EPassports, DG14 includes Logs from here are:
|
The solution of #194 broke AA for recent Chinese passports.
Those will return 0 bytes when giving them an Expected Response Length of 65536. When undoing the changes to secure messaging and setting the Expected Response Length to 256. Those work just fine again.
I guess behaviour such as in JMRTD' AAAPDUSender is wanted; Guessing the correct length and even retrying with 65536 when 256 did not make sense.
The text was updated successfully, but these errors were encountered: