I noticed, that I was not able to successfully authenticate using PACE with German passports. I then compared the commands and responses with the ones JMRTD produces and found out, that NFCPassportReader sends an expected result length (LE) with some commands, while JMRTD does not.
According to the ICAO specs, these commands (INS 0xA4 and 0x22) should not have an LE field at all. While some passports seem to ignore that, all German documents, I tested it with, do not - and therefore fall back to BAC.
I tested the changes with 6 German documents (2008 - 2022), two Dutch (2006, 2020), a Croatian (2018) and a Turkish one (2021). All worked reliably with the changes.
AndyQ
commented
1 year ago
I noticed, that I was not able to successfully authenticate using PACE with German passports. I then compared the commands and responses with the ones JMRTD produces and found out, that NFCPassportReader sends an expected result length (LE) with some commands, while JMRTD does not. According to the ICAO specs, these commands (INS 0xA4 and 0x22) should not have an LE field at all. While some passports seem to ignore that, all German documents, I tested it with, do not - and therefore fall back to BAC.
I tested the changes with 6 German documents (2008 - 2022), two Dutch (2006, 2020), a Croatian (2018) and a Turkish one (2021). All worked reliably with the changes.