Class EAC20
Class implementing support for Extended Access Control V2
Defined in: EAC20.js.
Constructor Attributes | Constructor Name and Description |
---|---|
EAC20(crypto, card)
Create a protocol object for EAC
|
Field Attributes | Field Name and Description |
---|---|
<static> |
EAC20.ID_CAN
PACE PWD is the CAN
|
<static> |
EAC20.ID_MRZ
PACE PWD is the hashed MRZ
|
<static> |
EAC20.ID_PIN
PACE PWD is the PIN
|
<static> |
EAC20.ID_PUK
PACE PWD is the PUK
|
Method Attributes | Method Name and Description |
---|---|
calculateBACKey(mrz, keyno)
Calculate the Basic Access Control (BAC) key from the MRZ
|
|
<static> |
EAC20.decodeDocumentNumber(mrz)
Decode document number from 2 or 3 line MRZ
This method supports a document number in a three line MRZ longer than 10 digits. |
Return the list of ChipAuthenticationDomainParameterInfo objects
|
|
Return the list of ChipAuthenticationInfo objects
|
|
getCAKeyId(privileged)
Return the key id of the chip authentication key
|
|
Return the list of PACEDomainParameterInfo objects
|
|
Return the list of PACEInfo objects
|
|
getRIKeyId(authOnly)
Return the key id of the restricted identification key
|
|
getTrustAnchorCAR(previous,)
Return the trust anchor's CAR as indicated by the card in the PACE protocol
|
|
hashMRZ(mrz)
Calculate the hash over document number, date of birth and date of expiration from 2 or 3 line MRZ
2 line MRZ of Silver Data Set P |
|
performBAC(kenc, kmac)
Perform BAC using the provided Kenc and Kmac values.
|
|
performBACWithMRZ(kenc, kmac)
Perform BAC using the provided Kenc and Kmac values.
|
|
performChipAuthentication(keyid)
Perform chip authentication and establish a secure channel
|
|
performChipAuthenticationV1(keyid)
Perform chip authentication in version 1 and establish a secure channel
|
|
Perform chip authentication in version 2 and establish a secure channel
|
|
performPACE(parameterId, pwdid, pwd, chat, certExt)
Perform PACE using the indicated parameter set, the identified password, the password value and
an optional cardholder authentication template.
|
|
performRestrictedIdentification(keyId, sectorPublicKey, sectorPublicKeyIndex)
Perform restricted identification
|
|
performTerminalAuthentication(termkey, auxdata, crypto)
Perform terminal authentication using a given terminal key
|
|
performTerminalAuthenticationFinal(signature)
Complete terminal authentication by submitting the signature to the card
|
|
performTerminalAuthenticationSetup(auxdata)
Prepare terminal authentication by setting the required security environment
|
|
prepareChipAuthentication(keyId)
Prepare chip authentication by generating the ephemeral key pair
|
|
processSecurityInfos(si, fromCardSecurity)
Process a list of security infos from EF.CardInfo, EF.CardSecurity or EF.ChipSecurity
|
|
Read EF.CardAccess and process security infos
|
|
Read EF.CardSecurity and process security infos
|
|
Read EF.ChipSecurity and process security infos
|
|
readCVCA()
Read EF.CVCA and process contained CARs
|
|
readDG14()
Read EF.DG14 and process security infos
|
|
readEFwithFID(fid)
Select EF using FID and read elementary file
|
|
readEFwithSFI(short)
Select and read EF using SFI
|
|
readTLVEFwithSFI(short)
Select and read a TLV encoded EF using SFI
|
|
Select eID Application
|
|
Select eSign Application
|
|
selectADF(aid)
Select application DF
|
|
Select ePass LDS Application
|
|
setIDPICC(id, kmac)
Set the ID_PICC used for terminal authentication in EAC 1.11
|
|
updateEFwithFID(fid, data)
Select EF using FID and update content
|
|
updateEFwithSFI(short, data)
Select EF using SFI and update content
|
|
verifyAuxiliaryData(oid)
Verify authenticated auxiliary data
|
|
verifyCertificateChain(cvcchain)
Submit a list of certificates to the card for verification
|
Class Detail
EAC20(crypto, card)
Create a protocol object for EAC
- Parameters:
- {Crypto} crypto
- the crypto provider
- {Card} card
- the card object
Field Detail
<static>
EAC20.ID_CAN
PACE PWD is the CAN
<static>
EAC20.ID_MRZ
PACE PWD is the hashed MRZ
<static>
EAC20.ID_PIN
PACE PWD is the PIN
<static>
EAC20.ID_PUK
PACE PWD is the PUK
Method Detail
{Key}
calculateBACKey(mrz, keyno)
Calculate the Basic Access Control (BAC) key from the MRZ
- Parameters:
- {String} mrz
- 2 line or 3 line machine readable zone
- {Number} keyno
- Number of key to calculate (1 for Kenc and 2 for Kmac)
- Returns:
- the key object
<static>
{String}
EAC20.decodeDocumentNumber(mrz)
Decode document number from 2 or 3 line MRZ
This method supports a document number in a three line MRZ longer than 10 digits.
- Parameters:
- {String} mrz
- the concatenation of the MRZ lines
- Returns:
- the document number
{ChipAuthenticationDomainParameterInfo[]}
getCADomainParameterInfos()
Return the list of ChipAuthenticationDomainParameterInfo objects
- Returns:
- the list of ChipAuthenticationDomainParameterInfo objects read from the card, indexed by the keyId
{ChipAuthenticationInfo[]}
getCAInfos()
Return the list of ChipAuthenticationInfo objects
- Returns:
- the list of ChipAuthenticationInfo objects read from the card, indexed by the keyId
getCAKeyId(privileged)
Return the key id of the chip authentication key
- Parameters:
- privileged
- Returns:
- the key id
{PACEDomainParameterInfo[]}
getPACEDomainParameterInfos()
Return the list of PACEDomainParameterInfo objects
- Returns:
- the list of PACEDomainParameterInfo objects read from the card, indexed by the parameterId
{PACEInfo[]}
getPACEInfos()
Return the list of PACEInfo objects
- Returns:
- the list of PACEInfo objects read from the card, indexed by the parameterId
getRIKeyId(authOnly)
Return the key id of the restricted identification key
- Parameters:
- {boolean} authOnly
- return the RI key available after authentication only (to calculate the pseudonym)
- Returns:
- the key id
{PublicKeyReference}
getTrustAnchorCAR(previous,)
Return the trust anchor's CAR as indicated by the card in the PACE protocol
- Parameters:
- {boolean} previous,
- true to return the previous CAR, if any
- Returns:
- the CertificationAuthorityReference (CAR)
{ByteString}
hashMRZ(mrz)
Calculate the hash over document number, date of birth and date of expiration from 2 or 3 line MRZ
2 line MRZ of Silver Data Set P
- Parameters:
- {String} mrz
- 2 line or 3 line machine readable zone
- Returns:
- the SHA-1 hash over the concatenation of document number, date of birth and date of expiration
performBAC(kenc, kmac)
Perform BAC using the provided Kenc and Kmac values.
- Parameters:
- {Key} kenc
- the key Kenc
- {Key} kmac
- the key Kmac
performBACWithMRZ(kenc, kmac)
Perform BAC using the provided Kenc and Kmac values.
- Parameters:
- {Key} kenc
- the key Kenc
- {Key} kmac
- the key Kmac
{boolean}
performChipAuthentication(keyid)
Perform chip authentication and establish a secure channel
- Parameters:
- {Number} keyid
- the key identifier (only required for ChipAuthentication in version 1)
- Returns:
- true, if chip authentication was successfull
{boolean}
performChipAuthenticationV1(keyid)
Perform chip authentication in version 1 and establish a secure channel
- Parameters:
- keyid
- Returns:
- true, if chip authentication was successfull
{boolean}
performChipAuthenticationV2()
Perform chip authentication in version 2 and establish a secure channel
- Returns:
- true, if chip authentication was successfull
performPACE(parameterId, pwdid, pwd, chat, certExt)
Perform PACE using the indicated parameter set, the identified password, the password value and
an optional cardholder authentication template.
This method supports PACE version 1 and 2. For version 2, parameterId with a value between 0 and 31 denotes a standardized domain parameter as defined in TR-03110 2.04 or later.
- Parameters:
- {Number} parameterId
- the identifier for the PACEInfo and PACEDomainParameterInfo from EF.CardInfo. Use 0 for the default.
- {Number} pwdid
- one of EAC20.ID_MRZ, EAC20.ID_CAN, EAC20.ID_PIN, EAC20.ID_PUK
- {ByteString} pwd
- the PACE password or PACE key
- {ASN1} chat
- the CHAT data object with tag 7F4C or null
- {ASN1} certExt
- the certificate extensions data object with tag 65 or null
{ByteString}
performRestrictedIdentification(keyId, sectorPublicKey, sectorPublicKeyIndex)
Perform restricted identification
- Parameters:
- {Number} keyId
- restricted identification key identifier
- {ByteString} sectorPublicKey
- the sector public key data
- {Number} sectorPublicKeyIndex
- optional argument that allows to select a specific sector public key in the terminal certificate
- Returns:
- the sector specific identifier
performTerminalAuthentication(termkey, auxdata, crypto)
Perform terminal authentication using a given terminal key
- Parameters:
- {Key} termkey
- the terminal private key
- {ByteString} auxdata
- auxiliary data (tag '67') to be included in terminal authentication
- {Crypto} crypto
- optional alternative crypto provider (e.g. for key in SmartCard-HSM)
performTerminalAuthenticationFinal(signature)
Complete terminal authentication by submitting the signature to the card
- Parameters:
- {ByteString} signature
- the signature as concatenation of r and s
performTerminalAuthenticationSetup(auxdata)
Prepare terminal authentication by setting the required security environment
- Parameters:
- {ByteString} auxdata
- auxiliary data (tag '67') to be included in terminal authentication
prepareChipAuthentication(keyId)
Prepare chip authentication by generating the ephemeral key pair
- Parameters:
- {Number} keyId
- the key identifier to be used for chip authentication
processSecurityInfos(si, fromCardSecurity)
Process a list of security infos from EF.CardInfo, EF.CardSecurity or EF.ChipSecurity
- Parameters:
- {ASN1} si
- the security info ASN Sequence
- {boolean} fromCardSecurity
- true if security infos are taken from EF.CardSecurity, EF.ChipSecurity or EF.DG14
readCardAccess()
Read EF.CardAccess and process security infos
readCardSecurity()
Read EF.CardSecurity and process security infos
readChipSecurity()
Read EF.ChipSecurity and process security infos
readCVCA()
Read EF.CVCA and process contained CARs
readDG14()
Read EF.DG14 and process security infos
{ByteString}
readEFwithFID(fid)
Select EF using FID and read elementary file
- Parameters:
- {ByteString} fid
- 2 byte file identifier
- Returns:
- the content of the EF
{ByteString}
readEFwithSFI(short)
Select and read EF using SFI
- Parameters:
- {Number} short
- file identifier
- Returns:
- the content of the EF
{ByteString}
readTLVEFwithSFI(short)
Select and read a TLV encoded EF using SFI
- Parameters:
- {Number} short
- file identifier
- Returns:
- the TLV content of the EF
select_eID()
Select eID Application
select_eSign()
Select eSign Application
selectADF(aid)
Select application DF
- Parameters:
- {ByteString} aid
- the application identifier
selectLDS()
Select ePass LDS Application
setIDPICC(id, kmac)
Set the ID_PICC used for terminal authentication in EAC 1.11
- Parameters:
- {ByteString} id
- {Key} kmac
- the key Kmac
updateEFwithFID(fid, data)
Select EF using FID and update content
- Parameters:
- {ByteString} fid
- 2 byte file identifier
- {ByteString} data
- data to be written
updateEFwithSFI(short, data)
Select EF using SFI and update content
- Parameters:
- {Number} short
- file identifier
- {ByteString} data
- data to be written
{boolean}
verifyAuxiliaryData(oid)
Verify authenticated auxiliary data
- Parameters:
- {ByteString} oid
- the object identifier for the auxiliary data provided during terminal authentication
- Returns:
- true, if auxiliary data was verified
verifyCertificateChain(cvcchain)
Submit a list of certificates to the card for verification
- Parameters:
- {CVC[]} cvcchain
- the list of certificates, starting with link certificates, DVCA certificate and terminal certificate.