ePassport Passive Authentication in Android (Java) using jmrtd

Question

I am performing Passive Authentication of passport chip using jmrtd.
I am able to verify signature using DSC (Digital Signing Certificate).
But I am not able to verify DSC using CSC (Country Signing Certificate).

Please provide some approach, thanks in advance.

Answer 1

Score: 1

Probably way too late for you, but in case anyone else runs into this.

To do that you basically need to create a trust store with the CSCs. Basically they are just certificate authorities and need to be treated as such.

The first step is to create a PKCS12 containing all the CSCs you want/need. For some reason this can't be done using OpenSSL, but fortunately keytool is your friend: https://stackoverflow.com/questions/14660767/keytool-importing-multiple-certificates-in-single-file

Next up is creating a trust store, e.g., by following this example: https://stackoverflow.com/a/6379434/1441857

The keystore needed for the step above is created as follows:

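import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

private KeyStore createStore(InputStream pkcs12Stream) throws GeneralSecurityException, IOException {
    final KeyStore keyStore = KeyStore.getInstance("PKCS12");
    keyStore.load(pkcs12Stream, "password".toCharArray()); // password of the PKCS12 file
    return keyStore;
}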

Finally, you can simply validate by using your trustmanager(s) (there's actually just one, as expected), following the first answer I linked. The authType parameter seems to be "RSA_EXPORT"; I haven't figured out why yet.

I think that should do the trick.
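An added example (not part of the original answer, and not jmrtd's own code) showing the DSC-against-CSC check with the JDK's PKIX CertPathValidator rather than the TLS trust manager the answer uses. The class and method names are hypothetical, the PKCS12 is assumed to hold the CSCs as trusted-certificate entries, and revocation checking is left disabled as an assumption because the page names no CRL source.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Hypothetical helper: checks that a DSC read from the chip chains to a trusted CSC.
public final class DscChainCheck {

    /**
     * Returns the CSC that anchors the DSC.
     * Throws CertPathValidatorException if no CSC in the store issued it,
     * the signature does not verify, or a certificate is outside its validity period.
     */
    public static X509Certificate validateDsc(X509Certificate dsc,
                                              InputStream cscStream,
                                              char[] storePassword)
            throws GeneralSecurityException, IOException {
        KeyStore cscStore = KeyStore.getInstance("PKCS12");
        cscStore.load(cscStream, storePassword);

        // Every trusted-certificate entry in the store becomes a trust anchor.
        // The constructor throws if the store contains no such entries.
        PKIXParameters params = new PKIXParameters(cscStore);

        // Assumption: no CRL is available in this sketch. A production check
        // should obtain the issuing state's CRL and enable revocation checking.
        params.setRevocationEnabled(false);

        // The path holds only the DSC; the CSC is supplied as the anchor.
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Collections.singletonList(dsc));

        PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult)
                CertPathValidator.getInstance("PKIX").validate(path, params);
        return result.getTrustAnchor().getTrustedCert();
    }
}
```

Passive authentication is only complete when this chain check succeeds in addition to the signature check against the DSC described in the question, since a DSC that verifies the signature but does not chain to a trusted CSC proves nothing about who issued the document.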
