ZeroPass / dmrtd

Dart library for reading Biometric Passport

CommandAPDU status 6988 #10

Closed abdullahkaracabey closed 1 year ago

abdullahkaracabey commented 1 year ago

Hi, on some documents I am getting CommandAPDU status 6988 instead of 9000.

Do you know about this error?

smlu commented 1 year ago

The 0x6988 is an error indicating that the SM (secure messaging) data is incorrect (e.g. wrong message SCC, wrong hash, etc.). For reference, see section 5.4.5 Status bytes: https://web.archive.org/web/20220803181757/http://cardwerk.com/smart-card-standard-iso7816-4-section-5-basic-organizations

abdullahkaracabey commented 1 year ago

Understood, but I get no error if I read the document with jmrtd. I think there is something missing in this project.

smlu commented 1 year ago

It's gonna be hard to diagnose what causes the error without any data. Any chance to paste some logs here?

Note, there can be many reasons why this particular error occurs: from an incorrect implementation of the emrtd / iso7816 standard by the passport manufacturer to wrong data being passed to the passport. It could also be a bug or a missing implementation in this library.

I guess the first thing is to try to locate at what stage the error occurs:

  1. Does the BAC protocol successfully establish a secure session? If not: is the passed BAC data correct? Does the passport support the BAC protocol at all? Some newer passports only support PACE session key exchange (German passports). PACE is not yet supported by dmrtd.
  2. If the BAC session is established, which command fails with this error (e.g. reading data, signing challenge, etc.)? Is there any other error before this error?

smlu commented 1 year ago

For reference: https://github.com/AndyQ/NFCPassportReader/issues/25

Passports not supporting reading large data chunks is one common problem. If the session is not re-established after hitting an error, SW=0x6988 can be returned by the passport. The MrtdApi:L211-L216 already tries to handle the wrong length error. Also, a new BAC session should be re-established in this case: MrtdApi:L222-L225
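
The failure mode described in the comment above, as an added simulation that is not part of the thread and is not dmrtd code. The card model `SimulatedPassport`, its `max_le` limit, the 224-byte starting chunk and the use of 0x6700 as the wrong-length status are assumptions made for the illustration.

```python
SW_OK, SW_WRONG_LENGTH, SW_SM_INCORRECT = 0x9000, 0x6700, 0x6988

class SimulatedPassport:
    """Constructed stand-in for a chip: caps the read size and drops
    its secure messaging session after any error (assumed behaviour)."""
    def __init__(self, file_bytes, max_le):
        self.file, self.max_le = file_bytes, max_le
        self.session_ok = False
        self.log = []                      # every status word returned

    def establish_bac(self):
        self.session_ok = True             # stands in for a full BAC key exchange

    def read_binary(self, offset, le):
        if not self.session_ok:
            sw, data = SW_SM_INCORRECT, b""   # protected command, no valid session
        elif le > self.max_le:
            self.session_ok = False           # the error aborts the SM session
            sw, data = SW_WRONG_LENGTH, b""
        else:
            sw, data = SW_OK, self.file[offset:offset + le]
        self.log.append(sw)
        return data, sw

def read_file(card, length, chunk=224, reestablish=True):
    """Read `length` bytes; on a wrong-length error halve the chunk and,
    if `reestablish` is set, open a new BAC session before retrying."""
    card.establish_bac()
    out = b""
    while len(out) < length:
        le = min(chunk, length - len(out))
        data, sw = card.read_binary(len(out), le)
        if sw == SW_OK:
            out += data
        elif sw == SW_WRONG_LENGTH and chunk > 1:
            chunk //= 2                    # retry the same offset with a smaller Le
            if reestablish:
                card.establish_bac()       # fresh session before the retry
        else:
            raise RuntimeError(f"READ BINARY at offset {len(out)} failed, SW={sw:04X}")
    return out

if __name__ == "__main__":
    sample = bytes(range(200)) * 2         # constructed 400-byte file
    card = SimulatedPassport(sample, max_le=100)
    print(read_file(card, len(sample)) == sample, [f"{s:04X}" for s in card.log])
    try:
        read_file(SimulatedPassport(sample, max_le=100), len(sample), reestablish=False)
    except RuntimeError as err:
        print(err)                         # the retry without a new session
```

When triaging a real trace, the status word that precedes the first 0x6988 is the one to look at, since the 0x6988 itself may only reflect the lost session.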

smlu commented 1 year ago

Closing this issue since no further information was provided.