NFCPassportReader
Which LDIF files to parse, what countries test ok?
I retrieved the ICAO's master list version icaopkd-002-ml-000137.ldif, which was referred to as "The latest collection of CSCA Master Lists." I attempted to parse from LDIF into the PEM format using scripts/extract.py and it caught some encoding errors, see below.
# b'unable to load certificate
# \r\n14136:error:0D078094:asn1 encoding routines:asn1_item_embed_d2i:sequence length mismatch:../openssl-1.1.1c/crypto/asn1/tasn_dec.c:386:Type=X509_NAME_ENTRY
# \r\n14136:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../openssl-1.1.1c/crypto/asn1/tasn_dec.c:596:
# \r\n14136:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../openssl-1.1.1c/crypto/asn1/tasn_dec.c:596:
# \r\n14136:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../openssl-1.1.1c/crypto/asn1/tasn_dec.c:627:Field=issuer, Type=X509_CINF
# \r\n14136:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../openssl-1.1.1c/crypto/asn1/tasn_dec.c:627:Field=cert_info, Type=X509
I am debugging Python on VS Code for the first time and would be happy to learn what else to gather to document the problem. I don't know if I am using the right file. Its name includes ml for master list so it looked correct. On visual inspection it contains 10 certs for various countries:
ICAO also has icaopkd-001-dsccrl-004079.ldif, which is much larger and appears to have more countries. This was named "The latest collection of Document Signing Certificates(DSCs) and Certificate Revocation Lists(CRLs) to verify electronic passports." This has my country's certs.
- Which are you testing with and what countries' passports have you tested with? Can we start a list somewhere of what's tested ok?
- Can we document how to build a smaller test case for a single country?
- Are there any test or developer mocks that the ICAO has or we could develop ourselves?
I'm using the latest collection of CSCA Master Lists (item 2) - currently icaopkd-002-ml-000138.ldif. I haven't quite figured out how to check against the revocation lists yet though (hence why I'm not using that one).
Just run that through and didn't get any errors though - although I'm using OpenSSL 1.0.2s 28 May 2019 though as the one that comes with OSX doesn't support the cms command.
I've tested against British, Spanish, Irish, NZ, and a couple of other passport countries.
There is little documentation around this - most of what I've found was from http://wiki.yobi.be/wiki/EPassport and looking through the pypassport and JMRTD code.
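
For the question above about building a smaller test case for a single country, here is an added example (not from this thread and not the project's scripts/extract.py) that unfolds an LDIF file, keeps only the entries whose DN carries a given `c=` country, and turns the selected base64 attribute into PEM. The attribute name `userCertificate;binary`, the DN layout and the sample payloads are assumptions constructed for illustration; pass whichever attribute name your LDIF file actually uses.

```python
import base64
import re

def unfold(text):
    # RFC 2849 folding: a newline followed by one space continues the previous line.
    return re.sub(r"\r?\n ", "", text)

def entries(text):
    """Yield each LDIF record as a list of (attribute, value_bytes) pairs."""
    for block in re.split(r"(?:\r?\n){2,}", unfold(text).strip()):
        record = []
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, rest = line.partition(":")
            is_b64 = rest.startswith(":")  # "attr:: value" carries base64
            value = rest.lstrip(":").strip()
            record.append((name, base64.b64decode(value) if is_b64 else value.encode()))
        if record:
            yield record

def country_of(record):
    """Upper-cased c= component of the entry DN, or None if absent."""
    dn = next((v.decode("utf-8", "replace") for n, v in record if n.lower() == "dn"), "")
    m = re.search(r"(?:^|,)\s*c=([A-Za-z]{2})\s*(?:,|$)", dn, re.IGNORECASE)
    return m.group(1).upper() if m else None

def extract(text, country, attribute="userCertificate;binary"):
    """DER blobs of `attribute` from entries whose DN country matches."""
    return [v for rec in entries(text) if country_of(rec) == country.upper()
            for n, v in rec if n.lower() == attribute.lower()]

def to_pem(der, label="CERTIFICATE"):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample: placeholder payloads folded at 40 columns, not real certificates.
def _entry(cn, c, blob):
    line = "userCertificate;binary:: " + base64.b64encode(blob).decode()
    folded = "\n ".join(line[i:i + 40] for i in range(0, len(line), 40))
    return f"dn: cn={cn},o=dsc,c={c},dc=data,dc=download,dc=pkd,dc=icao,dc=int\n{folded}\n"

SAMPLE = "version: 1\n\n" + "\n".join(
    _entry(cn, c, blob) for cn, c, blob in [
        ("a", "NZ", b"constructed-NZ-1" * 4), ("b", "ES", b"constructed-ES-1" * 4),
        ("c", "nz", b"constructed-NZ-2" * 4)])
if __name__ == "__main__":
    print("".join(to_pem(d) for d in extract(SAMPLE, "NZ")), end="")
```

Writing each returned blob to its own file keeps a certificate that fails to parse isolated to a single entry.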