Active Authentication fails - SW2 indicates 27 bytes still available

[rbrouwer]

Some passports (I know of Finland) with active authentication using long m1 and different RSA SHA hashes will have response exceeding 256 bytes when doing tagReader.doInternalAuthentication.

This will result in response containing sw1 - 0x61, sw2 - 0x1B, which causes a NFCPasswordReaderError.ResponseError.

Increasing exceptedResponseLength in doInternalAuthentication removes this exception, but also only return 256 bytes of the response, which is then invalid for verifyActiveAuthentication (given part of the hash and the trailing bytes will be gone).

[rbrouwer]

In this case possibly doing some additional read, perhaps 0xC0, (bit like TagReader in selectFileAndRead, but with 0xC0) might get the remaining data? I guess in that case either PassportReader or TagReader would need to handle that. It would also be nice if in case of a NFCPasswordReaderError.ResponseError the data would get passed along, so the first 256 do not have to be re-read using a read.

Looking at JMRTD that would be the right thing to do; looking at https://sourceforge.net/p/jmrtd/code/HEAD/tree/trunk/jmrtd/src/main/java/org/jmrtd/protocol/SecureMessagingAPDUSender.java#l204

[kirillivonin]

In my case, there seems to be a problem with Netherlands National ID where AA response is too short - 14 bytes vs 80 in JMRTD

[rbrouwer]

In my case, there seems to be a problem with Netherlands National ID where AA response is too short - 14 bytes vs 80 in JMRTD

I have not see any issues with Netherlands National ID (other than iPhones not having the strongest RFID antennas). What model is it precisely?/when was that ID issued? And it possibly might be a different issue or do you also get a identical response object?

[pawisoon]

@rbrouwer

other than iPhones not having the strongest RFID antennas)

Is there any reference on what iPhone models might experience this? It would be very helpful to know which models are "problematic"

[kirillivonin]

might be - NFCPassportReader verifies the signature and greenlights it; however, our backend which uses same code as JMRTD to verify the signature says it's incorrect. Which is a bit weird as NFCPassportReader is based on JMRTD :/

ID is issued in 2021

[rbrouwer]

@rbrouwer Is there any reference on what iPhone models might experience this? It would be very helpful to know which models are "problematic"

iPhone 14 Pro really do not like the latest NLD passports (2021 and later).

[kirillivonin]

New French passport is also finicky on iPhone 14 Pro (iPhone 13 works fine)

[AndyQ]

Should be fixed in release 2.1.1