tananaev / passport-reader

e-Passport NFC Reader Android app

Chip authentication failed (Chinese passport) #54

Open Iey4iej3 opened 1 year ago

Iey4iej3 commented 1 year ago

The name, gender, country, nationality and the identity photo are correctly loaded. The passive authentication passes, but the chip authentication fails.

Version 3.0 (F-Droid)

Not sure whether the following part of logcat helps:

net.sf.scuba.smartcards.CardServiceException: File not found, CAPDU = 00A4020C02011C, RAPDU = 6A82 (SW = 0x6A82: FILE NOT FOUND)
    at org.jmrtd.protocol.ReadBinaryAPDUSender.checkStatusWordAfterFileOperation(ReadBinaryAPDUSender.java:218)
    at org.jmrtd.protocol.ReadBinaryAPDUSender.sendSelectFile(ReadBinaryAPDUSender.java:79)
    at org.jmrtd.DefaultFileSystem.sendSelectFile(DefaultFileSystem.java:321)
    at org.jmrtd.DefaultFileSystem.getFileInfo(DefaultFileSystem.java:272)
    at org.jmrtd.DefaultFileSystem.getSelectedPath(DefaultFileSystem.java:129)
    at net.sf.scuba.smartcards.CardFileInputStream.<init>(CardFileInputStream.java:60)
    at org.jmrtd.PassportService.getInputStream(PassportService.java:595)
    at com.tananaev.passportreader.MainActivity$ReadTask.doInBackground(MainActivity.kt:235)
    at com.tananaev.passportreader.MainActivity$ReadTask.doInBackground(MainActivity.kt:207)
    at android.os.AsyncTask$3.call(AsyncTask.java:394)
    at java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:305)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1137)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:637)
    at java.lang.Thread.run(Thread.java:1012)

and

net.sf.scuba.smartcards.CardServiceException: File not found, CAPDU = 00A4020C02010E, RAPDU = 6A82 (SW = 0x6A82: FILE NOT FOUND)
    at org.jmrtd.protocol.ReadBinaryAPDUSender.checkStatusWordAfterFileOperation(ReadBinaryAPDUSender.java:218)
    at org.jmrtd.protocol.ReadBinaryAPDUSender.sendSelectFile(ReadBinaryAPDUSender.java:79)
    at org.jmrtd.DefaultFileSystem.sendSelectFile(DefaultFileSystem.java:321)
    at org.jmrtd.DefaultFileSystem.getFileInfo(DefaultFileSystem.java:272)
    at org.jmrtd.DefaultFileSystem.getSelectedPath(DefaultFileSystem.java:129)
    at net.sf.scuba.smartcards.CardFileInputStream.<init>(CardFileInputStream.java:60)
    at org.jmrtd.PassportService.getInputStream(PassportService.java:600)
    at com.tananaev.passportreader.MainActivity$ReadTask.doChipAuth(MainActivity.kt:291)
    at com.tananaev.passportreader.MainActivity$ReadTask.doInBackground(MainActivity.kt:266)
    at com.tananaev.passportreader.MainActivity$ReadTask.doInBackground(MainActivity.kt:207)
    at android.os.AsyncTask$3.call(AsyncTask.java:394)
    at java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:305)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1137)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:637)
    at java.lang.Thread.run(Thread.java:1012)

and

Transaction too large, intent: Intent { cmp=com.tananaev.passportreader/.ResultActivity (has extras) }, extras size: 307744, icicle size: 0

olegshtch commented 1 year ago

Same for Russian passport. Also, it has this in the logs:

11-18 13:19:57.532  9715 10418 W org.jmrtd: Failed to send GENERAL AUTHENTICATE, falling back to command chaining
11-18 13:19:57.532  9715 10418 W org.jmrtd: net.sf.scuba.smartcards.CardServiceException: Sending general authenticate failed (SW = 0x6A80: WRONG DATA or FILEHEADER INCONSISTENT)
11-18 13:19:57.532  9715 10418 W org.jmrtd:     at org.jmrtd.protocol.EACCAAPDUSender.sendGeneralAuthenticate(EACCAAPDUSender.java:185)
11-18 13:19:57.532  9715 10418 W org.jmrtd:     at org.jmrtd.protocol.EACCAAPDUSender.sendGeneralAuthenticate(EACCAAPDUSender.java:149)
11-18 13:19:57.532  9715 10418 W org.jmrtd:     at org.jmrtd.protocol.EACCAProtocol.sendPublicKey(EACCAProtocol.java:187)
11-18 13:19:57.532  9715 10418 W org.jmrtd:     at org.jmrtd.protocol.EACCAProtocol.doCA(EACCAProtocol.java:146)
11-18 13:19:57.532  9715 10418 W org.jmrtd:     at org.jmrtd.PassportService.doEACCA(PassportService.java:428)
11-18 13:19:57.532  9715 10418 W org.jmrtd:     at com.tananaev.passportreader.MainActivity$ReadTask.doChipAuth(MainActivity.kt:298)
11-18 13:19:57.532  9715 10418 W org.jmrtd:     at com.tananaev.passportreader.MainActivity$ReadTask.doInBackground(MainActivity.kt:266)
11-18 13:19:57.532  9715 10418 W org.jmrtd:     at com.tananaev.passportreader.MainActivity$ReadTask.doInBackground(MainActivity.kt:207)
11-18 13:19:57.532  9715 10418 W org.jmrtd:     at android.os.AsyncTask$2.call(AsyncTask.java:333)
11-18 13:19:57.532  9715 10418 W org.jmrtd:     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
11-18 13:19:57.532  9715 10418 W org.jmrtd:     at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:245)
11-18 13:19:57.532  9715 10418 W org.jmrtd:     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
11-18 13:19:57.532  9715 10418 W org.jmrtd:     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
11-18 13:19:57.532  9715 10418 W org.jmrtd:     at java.lang.Thread.run(Thread.java:764)

It looks like it was fixed in recent jmrtd versions.

amcs99 commented 10 months ago

Hello, did you solve this problem?

olegshtch commented 10 months ago

I've tried to update jmrtd but it still fails.

Edit: Updating the scuba-sc-android dependency doesn't help either. But I've tried to iterate all 8 OIDs for Chip Authentication and it worked with ChipAuthenticationPublicKeyInfo.ID_CA_ECDH_3DES_CBC_CBC (0.4.0.127.0.7.2.2.3.2.1).

olegshtch commented 10 months ago

It's quite strange: I don't get the previous stack trace when ChipAuthenticationPublicKeyInfo.ID_CA_ECDH_AES_CBC_CMAC_256 fails, but with that approach I get this instead:

01-08 23:08:09.913 27753 27830 W MainActivity: org.jmrtd.CardServiceProtocolException: Exception during MSE Set AT Int Auth (SW = 0x6985: CONDITIONS NOT SATISFIED) (step: 1)
01-08 23:08:09.913 27753 27830 W MainActivity:  at org.jmrtd.protocol.EACCAProtocol.sendPublicKey(EACCAProtocol.java:195)
01-08 23:08:09.913 27753 27830 W MainActivity:  at org.jmrtd.protocol.EACCAProtocol.doCA(EACCAProtocol.java:150)
01-08 23:08:09.913 27753 27830 W MainActivity:  at org.jmrtd.PassportService.doEACCA(PassportService.java:461)
01-08 23:08:09.913 27753 27830 W MainActivity:  at com.tananaev.passportreader.MainActivity$ReadTask.doChipAuth(MainActivity.kt:308)
01-08 23:08:09.913 27753 27830 W MainActivity:  at com.tananaev.passportreader.MainActivity$ReadTask.doInBackground(MainActivity.kt:266)
01-08 23:08:09.913 27753 27830 W MainActivity:  at com.tananaev.passportreader.MainActivity$ReadTask.doInBackground(MainActivity.kt:207)
01-08 23:08:09.913 27753 27830 W MainActivity:  at android.os.AsyncTask$2.call(AsyncTask.java:333)
01-08 23:08:09.913 27753 27830 W MainActivity:  at java.util.concurrent.FutureTask.run(FutureTask.java:266)
01-08 23:08:09.913 27753 27830 W MainActivity:  at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:245)
01-08 23:08:09.913 27753 27830 W MainActivity:  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
01-08 23:08:09.913 27753 27830 W MainActivity:  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
01-08 23:08:09.913 27753 27830 W MainActivity:  at java.lang.Thread.run(Thread.java:764)
01-08 23:08:09.913 27753 27830 W MainActivity: Caused by: net.sf.scuba.smartcards.CardServiceException: Sending MSE AT failed (SW = 0x6985: CONDITIONS NOT SATISFIED)
01-08 23:08:09.913 27753 27830 W MainActivity:  at org.jmrtd.protocol.EACCAAPDUSender.sendMSESetATIntAuth(EACCAAPDUSender.java:130)
01-08 23:08:09.913 27753 27830 W MainActivity:  at org.jmrtd.protocol.EACCAProtocol.sendPublicKey(EACCAProtocol.java:193)
01-08 23:08:09.913 27753 27830 W MainActivity:  ... 11 more

Maybe there should be a limit of queries, or after a succeeded chip authentication it changes the answer.

SnehaDudhat2170 commented 9 months ago

Hello @olegshtch, have you found a solution for the above error? I'm encountering the same issue as well.

ahmedmolawale commented 9 months ago

Chip Authentication is a cloning detection mechanism which is not supported by all passports. Some NFC chips don't support it because it's not a mandatory requirement by ICAO 9303.

li0ard commented 1 month ago

> Chip Authentication is a cloning detection mechanism which is not supported by all passports. Some NFC chips don't support it because it's not a mandatory requirement by ICAO 9303.

The Russian passport supports Chip Authentication (EF.DG14 is present), hence it is a problem of jmrtd or this application.
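
When EF.DG14 carries a ChipAuthenticationInfo entry, that entry names the Chip Authentication protocol OID, so a reader can look it up rather than try all eight OIDs as described earlier in the thread. The following is an added example, not code from this thread, the app or jmrtd: it parses a constructed DG14 holding the OID reported above, and the sample bytes and all function names are assumptions.

```python
CA_ARC = "0.4.0.127.0.7.2.2.3."  # id-CA arc (BSI TR-03110)
# Constructed sample, not read from a real passport: a ChipAuthenticationInfo with the
# OID reported in this thread, then a ChipAuthenticationPublicKeyInfo with an empty key.
SAMPLE_DG14 = bytes.fromhex(
    "6E223120" "300F060A04007F00070202030201020101"
    "300D060904007F0007020201023000")

def read_tlv(buf, pos):  # one DER TLV, single-byte tag -> (tag, value, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos, items = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        items.append((tag, val))
    return items

def decode_oid(der):
    arcs, acc = [der[0] // 40, der[0] % 40], 0  # enough for OIDs starting 0.x or 1.x
    for b in der[1:]:
        acc = (acc << 7) | (b & 0x7F)  # base-128, high bit marks continuation
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def chip_auth_infos(dg14):
    """Return (protocol_oid, version, key_id) per ChipAuthenticationInfo in EF.DG14."""
    tag, body, _ = read_tlv(dg14, 0)
    if tag != 0x6E:
        raise ValueError("not an EF.DG14 (tag 0x6E) file")
    found = []
    for tag, seq in children(read_tlv(body, 0)[1]):  # SET OF SecurityInfo
        fields = children(seq) if tag == 0x30 else []
        if len(fields) < 2 or fields[0][0] != 0x06 or fields[1][0] != 0x02:
            continue  # ChipAuthenticationInfo is an OID followed by INTEGER version
        oid = decode_oid(fields[0][1])
        if oid.startswith(CA_ARC):
            key_id = int.from_bytes(fields[2][1], "big") if len(fields) > 2 else None
            found.append((oid, int.from_bytes(fields[1][1], "big"), key_id))
    return found
```

An empty result means the file has no ChipAuthenticationInfo entry, which is a different condition from the SELECT of EF.DG14 failing with 6A82.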
