def doVerifyDGIntegrity(self, dgs=None):
"""
Execute the second part of the passive authentication: The verification of the dataGroups integrity.
@raise dgException: If the data groups could not be read
@raise paException: If the object is badly configured
@raise openSSLException: See the openssl documentation
"""
res = None
try:
sod = self.readSod()
if dgs == None:
dgs = self.readDataGroups()
res = self._pa.executePA(sod, dgs)
return res
except datagroup.DataGroupException as msg:
res = msg
raise datagroup.DataGroupException(msg)
except passiveauthentication.PassiveAuthenticationException as msg:
res = msg
raise passiveauthentication.PassiveAuthenticationException(msg)
except openssl.OpenSSLException as msg:
res = msg
raise openssl.OpenSSLException(msg)
except Exception as msg:
res = msg
finally:
self.log("Data Groups integrity verification: " + str(res))
def doActiveAuthentication(self, dg15=None):
"""
Execute the active authentication protocol.
@return: A boolean if the test complete.
@raise aaException: If the hash algo is not supported or if the AA is not supported.
@raise openSSLException: See the openssl documentation
@raise SimIso7816Exception: The AA is not possible with the simulator
"""
res = ""
try:
if dg15 == None:
dg15 = self["DG15"]
res = self._aa.executeAA(dg15)
return res
except datagroup.DataGroupException as msg:
res = msg
raise datagroup.DataGroupException(msg)
except openssl.OpenSSLException as msg:
res = msg
raise openssl.OpenSSLException(msg)
except Exception as msg:
res = msg
raise activeauthentication.ActiveAuthenticationException(msg)
finally:
self.log("Active Authentication: " + str(res))
def doVerifySODCertificate(self):
"""
Execute the first part of the passive authentication: The verification of the certificate validity.
@raise dgException: If the SOD could not be read
@raise paException: If the object is badly configured
@raise openSSLException: See the openssl documentation
"""
res = ""
try:
sod = self.readSod()
res = self._pa.verifySODandCDS(sod, self.CSCADirectory)
return res
except datagroup.DataGroupException as msg:
res = msg
raise datagroup.DataGroupException(msg)
except passiveauthentication.PassiveAuthenticationException as msg:
res = msg
raise passiveauthentication.PassiveAuthenticationException(msg)
except openssl.OpenSSLException as msg:
res = msg
raise openssl.OpenSSLException(msg)
finally:
self.log("Document Signer Certificate verification: " + str(res))
class EPassport(dict, logger.Logger):
"""
This class is the high level class that encapsulates every mechanism needed to communicate with the passport
and to validate it.
This object is implemented as a dictionary.
When a dataGroup is read, the corresponding object is added inside the object dictionary.
Example with the DG1 file using the simulator:
(see the dataGroups.converter for an exaustive conversion list)
>>> import os
>>> from pypassport.epassport import *
>>> from pypassport.iso7816 import *
>>> sep = os.path.sep
>>> sim = "data" + sep + "dump" + sep + "test"
>>> p = EPassport(None, sim)
Select Passport Application
>>> p["DG1"]
Reading DG1
{'5F05': '7', '5F04': '4', '5F07': '0', '5F06': '2', '59': '130312', '5F03': 'P<', '5F02': '0', '5F5B': 'ROGER<<OLIVIER<VINCENT<MICHAEL<<<<<<<<<', '5F1F': 'P<BELROGER<<OLIVIER<VINCENT<MICHAEL<<<<<<<<<AB123456<4BEL9503157M1303122<<<<<<<<<<<<<<00', '53': '<<<<<<<<<<<<<<', '5F2C': 'BEL', '5F57': '950315', '5F28': 'BEL', '5F35': 'M', '5A': 'AB123456<'}
>>> p["61"]
{'5F05': '7', '5F04': '4', '5F07': '0', '5F06': '2', '59': '130312', '5F03': 'P<', '5F02': '0', '5F5B': 'ROGER<<OLIVIER<VINCENT<MICHAEL<<<<<<<<<', '5F1F': 'P<BELROGER<<OLIVIER<VINCENT<MICHAEL<<<<<<<<<AB123456<4BEL9503157M1303122<<<<<<<<<<<<<<00', '53': '<<<<<<<<<<<<<<', '5F2C': 'BEL', '5F57': '950315', '5F28': 'BEL', '5F35': 'M', '5A': 'AB123456<'}
You can notice that the DG1 is read only during the first call.
The passport application is selected during the init phase,
and the basic access control is done automatically if needed.
Example using a rfid reader:
*Detect the reader
*Init the EPassport class
*Read the DG1
*Perform Active Auth
*Perform Passive Auth (Verification of the SOD Certificate, Verification of the DG integrity)
*Extract the DS Certificate
*Extract the DG15 public key
*Extract the faces from DG2
*Extract the signature from DG7
(The informations are hidded)
We changed the MRZ informations for privacy reasons, that's why the doctest is not valid.
Anyway it is not possible for you to test it without the real passport (you do not possess it).
Just consider it as a trace explaining how to access a real passport.
>>> from pypassport.epassport import EPassport, mrz
>>> from pypassport.reader import pcscAutoDetect
>>> from pypassport.openssl import OpenSSLException
>>> detect = pcscAutoDetect()
>>> detect
(<pypassport.reader.pcscReader object at 0x00CA46F0>, 1, 'OMNIKEY CardMan 5x21-CL 0', 'GENERIC')
>>> reader = detect[0]
>>> mrz = mrz.MRZ('EHxxxxxx<0BELxxxxxx8Mxxxxxx7<<<<<<<<<<<<<<04')
>>> mrz.checkMRZ()
True
>>> p = EPassport(mrz, reader)
Select Passport Application
>>> p["DG1"]
Reading DG1
{'5F05': '8', '5F04': '0', '5F07': '4', '5F06': '7', '59': '130221', '5F03': 'P<
', '5F02': '0', '5F5B': 'ROGER<<OLIVIER<VINCENT<MICHAEL<<<<<<<<<', '5F1F': 'P<BE
LROGER<<OLIVIER<VINCENT<MICHAEL<<<<<<<<<EHxxxxx<0BELxxxxxx8Mxxxxxx7<<<<<<<<<<<<<<04', '53': '<<<<<<<<<<<<<<', '5F2C': 'BEL', '5F57': '840615', '5F28': 'BEL', '5F35': 'M', '5A': 'EH276509<'}
>>> p.openSslDirectory = "C:\\OpenSSL\\bin\\openssl"
>>> p.doActiveAuthentication()
Reading DG15
Active Authentication: True
True
>>> p.CSCADirectory = 'D:\\workspace\\pypassport\\src\data\\cert'
>>> try:
... p.doVerifySODCertificate()
... except OpenSSLException, msg:
... print msg
...
/C=BE/O=Kingdom of Belgium/OU=Federal Public Service Foreign Affairs Belgium/CN=DSPKI_BEerror 20 at 0 depth lookup:unable to get local issuer certificate
>>> try:
... p.doVerifyDGIntegrity()
... except pypassport.openssl.OpenSSLException, msg:
... print msg
...
Reading Common
Reading DG2
Reading DG7
Reading DG11
Reading DG12
{'DG15': True, 'DG11': True, 'DG12': True, 'DG2': True, 'DG1': True, 'DG7': True}
>>> p.getCertificate()
'subject=/C=BE/O=Kingdom of Belgium/OU=Feder...eign Affairs Belgium/CN=CSCAPKI_BE
-----BEGIN CERTIFICATE-----
MIIEnDCCAoSgA...IJhypc0=
-----END CERTIFICATE-----'
>>> p.getPublicKey()
'Modulus=D8772AC284BE...8FC508B57AFBD57
-----BEGIN PUBLIC KEY-----
MIGdMA0GCSqGSIb3DQEBAQUAA...ck4/FCLV6+9VwIBAw==
-----END PUBLIC KEY-----'
>>> p.getFaces()
['\x14R\x06\x14\xd3E\x14\xfa\x87C\xff\xd9...']
>>> p.getSignature()
['\x01h\xa4\xa2...\x80?\xff\xd9']
"""
#TODO: property pr le buffSize de la lecture et pour choisir si FS ou SFID
def __init__(self, reader, epMrz=None):
"""
This object provides most of the functionalities described in the EPassport document.
- The basic access control + secure messaging
- The active authentication
- The passive authentication
- Reading of the various dataGroups
@param reader: It can be a reader or a path to dumps
@type reader: A reader object, then it will use the specified rfid reader.
A string, then the simulator will read the dumps from the specified url.
@param mrz: An object representing the passport MRZ.
@type mrz: An MRZ object
"""
logger.Logger.__init__(self, "EPassport")
if epMrz:
self._mrz = mrz.MRZ(epMrz)
if self._mrz.checkMRZ() == False:
raise EPassportException("Invalid MRZ")
else:
self._mrz = None
self._iso7816 = iso7816.Iso7816(reader)
self._iso7816.register(self._logFct)
self._dgReader = datagroup.DataGroupReaderFactory().create(
self._iso7816)
self._dgReader.register(self._logFct)
self._bac = bac.BAC(self._iso7816)
self._bac.register(self._logFct)
self._openSSL = openssl.OpenSSL()
self._openSSL.register(self._logFct)
self._aa = activeauthentication.ActiveAuthentication(
self._iso7816, self._openSSL)
self._aa.register(self._logFct)
self._pa = passiveauthentication.PassiveAuthentication(self._openSSL)
self._pa.register(self._logFct)
self._CSCADirectory = None
self._selectPassportApp()
def _getOpenSslDirectory(self):
return self._openSSL.location
def _setOpenSslDirectory(self, value):
self._openSSL.location = value
def getCSCADirectory(self):
return self._CSCADirectory
def setCSCADirectory(self, value, hash=False):
self._CSCADirectory = camanager.CAManager(value)
if hash:
self.log("Document Signer Certificate hash creation")
self._CSCADirectory.toHashes()
def getCommunicationLayer(self):
return self._iso7816
def _isSecureMessaging(self):
return self._reader.isSecured()
def _selectPassportApp(self):
"""
Select the passport application
"""
self.log("Select Passport Application")
# MODIFICATION 6/14/2012 by ANTONIN BEAUJEANT #
return self._iso7816.rstConnection()
################################################
def doBasicAccessControl(self):
"""
Execute the basic access control protocol and set up the secure messaging.
@return: A True if the BAC execute correctly
@raise bacException: If an error occurs during the process
@raise EPassportException: If the mrz is not initialized.
"""
if self._mrz == None:
raise EPassportException(
"The object must be initialized with the ePassport MRZ")
(KSenc, KSmac,
ssc) = self._bac.authenticationAndEstablishmentOfSessionKeys(
self._mrz)
sm = securemessaging.SecureMessaging(KSenc, KSmac, ssc)
sm.register(self._logFct)
return self._iso7816.setCiphering(sm)
def doActiveAuthentication(self, dg15=None):
"""
Execute the active authentication protocol.
@return: A boolean if the test completes.
@raise aaException: If the hash algo is not supported or if the AA is not supported.
@raise openSSLException: See the openssl documentation
@raise SimIso7816Exception: The AA is not possible with the simulator
"""
res = ""
try:
if dg15 == None:
dg15 = self["DG15"]
res = self._aa.executeAA(dg15)
return res
except datagroup.DataGroupException, msg:
res = msg
raise dgException(msg)
except openssl.OpenSSLException, msg:
res = msg
raise openssl.OpenSSLException(msg)
@raise openSSLException: See the openssl documentation
"""
res = ""
try:
sod = self.readSod()
res = self._pa.verifySODandCDS(sod, self.CSCADirectory)
return res
except datagroup.DataGroupException, msg:
res = msg
raise datagroup.DataGroupException(msg)
except passiveauthentication.PassiveAuthenticationException, msg:
res = msg
raise passiveauthentication.PassiveAuthenticationException(msg)
except openssl.OpenSSLException, msg:
res = msg
raise openssl.OpenSSLException(msg)
finally:
self.log("Document Signer Certificate verification: " + str(res))
def doVerifyDGIntegrity(self, dgs=None):
"""
Execute the second part of the passive authentication: The verification of the dataGroups integrity.
@raise dgException: If the data groups could not be read
@raise paException: If the object is badly configured
@raise openSSLException: See the openssl documentation
"""
res = None
try:
sod = self.readSod()
if dgs == None:
