示例#1
0
 def doVerifyDGIntegrity(self, dgs=None):
     """  
     Execute the second part of the passive authentication: The verification of the dataGroups integrity.
     
     @raise dgException: If the data groups could not be read
     @raise paException: If the object is badly configured
     @raise openSSLException: See the openssl documentation 
     """
     res = None
     try:
         sod = self.readSod()
         if dgs == None:
             dgs = self.readDataGroups()
         res = self._pa.executePA(sod, dgs)
         return res
     except datagroup.DataGroupException as msg:
         res = msg
         raise datagroup.DataGroupException(msg)
     except passiveauthentication.PassiveAuthenticationException as msg:
         res = msg
         raise passiveauthentication.PassiveAuthenticationException(msg)
     except openssl.OpenSSLException as msg:
         res = msg
         raise openssl.OpenSSLException(msg)
     except Exception as msg:
         res = msg
     finally:
         self.log("Data Groups integrity verification: " + str(res))
示例#2
0
 def doActiveAuthentication(self, dg15=None):
     """
     Execute the active authentication protocol.
     
     @return: A boolean if the test complete.
     @raise aaException: If the hash algo is not supported or if the AA is not supported.
     @raise openSSLException: See the openssl documentation
     @raise SimIso7816Exception: The AA is not possible with the simulator
     """
     res = ""
     try:
         if dg15 == None:
             dg15 = self["DG15"]
         res = self._aa.executeAA(dg15)
         return res
     except datagroup.DataGroupException as msg:
         res = msg
         raise datagroup.DataGroupException(msg)
     except openssl.OpenSSLException as msg:
         res = msg
         raise openssl.OpenSSLException(msg)
     except Exception as msg:
         res = msg
         raise activeauthentication.ActiveAuthenticationException(msg)
     finally:
         self.log("Active Authentication: " + str(res))
示例#3
0
 def doVerifySODCertificate(self):
     """  
     Execute the first part of the passive authentication: The verification of the certificate validity.
     
     @raise dgException: If the SOD could not be read
     @raise paException: If the object is badly configured
     @raise openSSLException: See the openssl documentation 
     """
     res = ""
     try:
         sod = self.readSod()
         res = self._pa.verifySODandCDS(sod, self.CSCADirectory)
         return res
     except datagroup.DataGroupException as msg:
         res = msg
         raise datagroup.DataGroupException(msg)
     except passiveauthentication.PassiveAuthenticationException as msg:
         res = msg
         raise passiveauthentication.PassiveAuthenticationException(msg)
     except openssl.OpenSSLException as msg:
         res = msg
         raise openssl.OpenSSLException(msg)
     finally:
         self.log("Document Signer Certificate verification: " + str(res))
示例#4
0
class EPassport(dict, logger.Logger):
    """
    This class is the high level class that encapsulates every mechanism needed to communicate with the passport
    and to validate it.

    This object is implemented as a dictionary.
    When a dataGroup is read, the corresponding object is added inside the object dictionary.

    Example with the DG1 file using the simulator:
    (see the dataGroups.converter for an exaustive conversion list)


    >>> import os
    >>> from pypassport.epassport import *
    >>> from pypassport.iso7816 import *
    >>> sep = os.path.sep
    >>> sim = "data" + sep + "dump" + sep + "test"
    >>> p = EPassport(None, sim)
    Select Passport Application
    >>> p["DG1"]
    Reading DG1
    {'5F05': '7', '5F04': '4', '5F07': '0', '5F06': '2', '59': '130312', '5F03': 'P<', '5F02': '0', '5F5B': 'ROGER<<OLIVIER<VINCENT<MICHAEL<<<<<<<<<', '5F1F': 'P<BELROGER<<OLIVIER<VINCENT<MICHAEL<<<<<<<<<AB123456<4BEL9503157M1303122<<<<<<<<<<<<<<00', '53': '<<<<<<<<<<<<<<', '5F2C': 'BEL', '5F57': '950315', '5F28': 'BEL', '5F35': 'M', '5A': 'AB123456<'}
    >>> p["61"]
    {'5F05': '7', '5F04': '4', '5F07': '0', '5F06': '2', '59': '130312', '5F03': 'P<', '5F02': '0', '5F5B': 'ROGER<<OLIVIER<VINCENT<MICHAEL<<<<<<<<<', '5F1F': 'P<BELROGER<<OLIVIER<VINCENT<MICHAEL<<<<<<<<<AB123456<4BEL9503157M1303122<<<<<<<<<<<<<<00', '53': '<<<<<<<<<<<<<<', '5F2C': 'BEL', '5F57': '950315', '5F28': 'BEL', '5F35': 'M', '5A': 'AB123456<'}


    You can notice that the DG1 is read only during the first call.

    The passport application is selected during the init phase,
    and the basic access control is done automatically if needed.

    Example using a rfid reader:
    *Detect the reader
    *Init the EPassport class
    *Read the DG1
    *Perform Active Auth
    *Perform Passive Auth (Verification of the SOD Certificate, Verification of the DG integrity)
    *Extract the DS Certificate
    *Extract the DG15 public key
    *Extract the faces from DG2
    *Extract the signature from DG7

    (The informations are hidded)

    We changed the MRZ informations for privacy reasons, that's why the doctest is not valid.
    Anyway it is not possible for you to test it without the real passport (you do not possess it).
    Just consider it as a trace explaining how to access a real passport.


    >>> from pypassport.epassport import EPassport, mrz
    >>> from pypassport.reader import pcscAutoDetect
    >>> from pypassport.openssl import OpenSSLException
    >>> detect = pcscAutoDetect()
    >>> detect
    (<pypassport.reader.pcscReader object at 0x00CA46F0>, 1, 'OMNIKEY CardMan 5x21-CL 0', 'GENERIC')
    >>> reader = detect[0]
    >>> mrz = mrz.MRZ('EHxxxxxx<0BELxxxxxx8Mxxxxxx7<<<<<<<<<<<<<<04')
    >>> mrz.checkMRZ()
    True
    >>> p = EPassport(mrz, reader)
    Select Passport Application
    >>> p["DG1"]
    Reading DG1
    {'5F05': '8', '5F04': '0', '5F07': '4', '5F06': '7', '59': '130221', '5F03': 'P<
    ', '5F02': '0', '5F5B': 'ROGER<<OLIVIER<VINCENT<MICHAEL<<<<<<<<<', '5F1F': 'P<BE
    LROGER<<OLIVIER<VINCENT<MICHAEL<<<<<<<<<EHxxxxx<0BELxxxxxx8Mxxxxxx7<<<<<<<<<<<<<<04', '53': '<<<<<<<<<<<<<<', '5F2C': 'BEL', '5F57': '840615', '5F28': 'BEL', '5F35': 'M', '5A': 'EH276509<'}
    >>> p.openSslDirectory = "C:\\OpenSSL\\bin\\openssl"
    >>> p.doActiveAuthentication()
    Reading DG15
    Active Authentication: True
    True
    >>> p.CSCADirectory = 'D:\\workspace\\pypassport\\src\data\\cert'
    >>> try:
    ...     p.doVerifySODCertificate()
    ... except OpenSSLException, msg:
    ...     print msg
    ...
    /C=BE/O=Kingdom of Belgium/OU=Federal Public Service Foreign Affairs Belgium/CN=DSPKI_BEerror 20 at 0 depth lookup:unable to get local issuer certificate
    >>> try:
    ...     p.doVerifyDGIntegrity()
    ... except pypassport.openssl.OpenSSLException, msg:
    ...     print msg
    ...
    Reading Common
    Reading DG2
    Reading DG7
    Reading DG11
    Reading DG12
    {'DG15': True, 'DG11': True, 'DG12': True, 'DG2': True, 'DG1': True, 'DG7': True}
    >>> p.getCertificate()
    'subject=/C=BE/O=Kingdom of Belgium/OU=Feder...eign Affairs Belgium/CN=CSCAPKI_BE
    -----BEGIN CERTIFICATE-----
    MIIEnDCCAoSgA...IJhypc0=
    -----END CERTIFICATE-----'
    >>> p.getPublicKey()
    'Modulus=D8772AC284BE...8FC508B57AFBD57
    -----BEGIN PUBLIC KEY-----
    MIGdMA0GCSqGSIb3DQEBAQUAA...ck4/FCLV6+9VwIBAw==
    -----END PUBLIC KEY-----'
    >>> p.getFaces()
    ['\x14R\x06\x14\xd3E\x14\xfa\x87C\xff\xd9...']
    >>> p.getSignature()
    ['\x01h\xa4\xa2...\x80?\xff\xd9']


    """

    #TODO: property pr le buffSize de la lecture et pour choisir si FS ou SFID
    def __init__(self, reader, epMrz=None):
        """
        This object provides most of the functionalities described in the EPassport document.
            - The basic access control + secure messaging
            - The active authentication
            - The passive authentication
            - Reading of the various dataGroups

        @param reader: It can be a reader or a path to dumps
        @type reader: A reader object, then it will use the specified rfid reader.
                      A string, then the simulator will read the dumps from the specified url.

        @param mrz: An object representing the passport MRZ.
        @type mrz: An MRZ object
        """
        logger.Logger.__init__(self, "EPassport")

        if epMrz:
            self._mrz = mrz.MRZ(epMrz)
            if self._mrz.checkMRZ() == False:
                raise EPassportException("Invalid MRZ")
        else:
            self._mrz = None

        self._iso7816 = iso7816.Iso7816(reader)
        self._iso7816.register(self._logFct)

        self._dgReader = datagroup.DataGroupReaderFactory().create(
            self._iso7816)
        self._dgReader.register(self._logFct)

        self._bac = bac.BAC(self._iso7816)
        self._bac.register(self._logFct)

        self._openSSL = openssl.OpenSSL()
        self._openSSL.register(self._logFct)

        self._aa = activeauthentication.ActiveAuthentication(
            self._iso7816, self._openSSL)
        self._aa.register(self._logFct)

        self._pa = passiveauthentication.PassiveAuthentication(self._openSSL)
        self._pa.register(self._logFct)

        self._CSCADirectory = None
        self._selectPassportApp()

    def _getOpenSslDirectory(self):
        return self._openSSL.location

    def _setOpenSslDirectory(self, value):
        self._openSSL.location = value

    def getCSCADirectory(self):
        return self._CSCADirectory

    def setCSCADirectory(self, value, hash=False):
        self._CSCADirectory = camanager.CAManager(value)
        if hash:
            self.log("Document Signer Certificate hash creation")
            self._CSCADirectory.toHashes()

    def getCommunicationLayer(self):
        return self._iso7816

    def _isSecureMessaging(self):
        return self._reader.isSecured()

    def _selectPassportApp(self):
        """
        Select the passport application
        """
        self.log("Select Passport Application")
        # MODIFICATION 6/14/2012 by ANTONIN BEAUJEANT #
        return self._iso7816.rstConnection()
        ################################################

    def doBasicAccessControl(self):
        """
        Execute the basic access control protocol and set up the secure messaging.

        @return: A True if the BAC execute correctly
        @raise bacException: If an error occurs during the process
        @raise EPassportException: If the mrz is not initialized.
        """
        if self._mrz == None:
            raise EPassportException(
                "The object must be initialized with the ePassport MRZ")

        (KSenc, KSmac,
         ssc) = self._bac.authenticationAndEstablishmentOfSessionKeys(
             self._mrz)
        sm = securemessaging.SecureMessaging(KSenc, KSmac, ssc)
        sm.register(self._logFct)
        return self._iso7816.setCiphering(sm)

    def doActiveAuthentication(self, dg15=None):
        """
        Execute the active authentication protocol.

        @return: A boolean if the test completes.
        @raise aaException: If the hash algo is not supported or if the AA is not supported.
        @raise openSSLException: See the openssl documentation
        @raise SimIso7816Exception: The AA is not possible with the simulator
        """
        res = ""
        try:
            if dg15 == None:
                dg15 = self["DG15"]
            res = self._aa.executeAA(dg15)
            return res
        except datagroup.DataGroupException, msg:
            res = msg
            raise dgException(msg)
        except openssl.OpenSSLException, msg:
            res = msg
            raise openssl.OpenSSLException(msg)
示例#5
0
        @raise openSSLException: See the openssl documentation
        """
        res = ""
        try:
            sod = self.readSod()
            res = self._pa.verifySODandCDS(sod, self.CSCADirectory)
            return res
        except datagroup.DataGroupException, msg:
            res = msg
            raise datagroup.DataGroupException(msg)
        except passiveauthentication.PassiveAuthenticationException, msg:
            res = msg
            raise passiveauthentication.PassiveAuthenticationException(msg)
        except openssl.OpenSSLException, msg:
            res = msg
            raise openssl.OpenSSLException(msg)
        finally:
            self.log("Document Signer Certificate verification: " + str(res))

    def doVerifyDGIntegrity(self, dgs=None):
        """
        Execute the second part of the passive authentication: The verification of the dataGroups integrity.

        @raise dgException: If the data groups could not be read
        @raise paException: If the object is badly configured
        @raise openSSLException: See the openssl documentation
        """
        res = None
        try:
            sod = self.readSod()
            if dgs == None: