Certificates for document validation
Checking the authenticity of an ePassport comes down to verifying a digital signature over the data stored on the chip (passive authentication): the Document Security Object holds hashes of the data groups and is signed with a Document Signer key. Most issuing countries include the matching Document Signing Certificate (DSC) in the ePassport itself. The certificate that ultimately anchors the chain of signatures, i.e. the one used to check the DSC, is called the Country Signing Certificate (CSC); it belongs to the country's Country Signing Certification Authority (CSCA).
Some countries have made their CSC publicly available. The list below contains those CSCs that we could find with Google, with links to the government Web and LDAP servers where we found them. (But please, don't trust us: go to your government's server, decide whether you trust it, and download the certificate yourself. A CSC obtained from a third party is only as trustworthy as that third party.)
Some countries also distribute their DSCs and CSCs through a central infrastructure, the ICAO Public Key Directory (PKD). The German BSI publishes a list of CSCs in the form of a so-called CSCA Master List. Adam Laurie also maintains a list of DSCs read from passports of various countries.
A Certificate Revocation List (CRL) lists certificates that have been revoked and must no longer be used for document verification, so a verifier should check the DSC it finds in a passport against the current CRL of the issuing CSCA. The countries that publish CSCs also publish CRLs, and the ICAO PKD contains CRLs as well.
Other countries
Some other countries, while not offering their CSC for download, do provide some information about it. In some cases this takes the form of the certificate's distinguished name, serial number and thumbprint (fingerprint), which is enough to check whether a CSC obtained elsewhere, for example from the ICAO PKD or a master list, is the genuine one: compute the fingerprint of the candidate certificate and compare it with the published value.
Philippe Teuwen did some research into which manufacturers provide technology for which countries.
Using the ICAO PKD files with OpenLDAP
The ICAO PKD currently provides dumps of the read-only PKD for download (for non-commercial personal use).
Importing these into OpenLDAP is easy:
- Download the pkd.xxxxxx.ldif file.
- Stop slapd and set up slapd.conf to use the suffix "dc=data,dc=pkdDownload".
- In the LDIF file, replace "userCertificate::" with "userCertificate;binary::" and "certificateRevocationList::" with "certificateRevocationList;binary::". OpenLDAP requires certificate and CRL attributes to be transferred with the ;binary option (RFC 4523); without it slapadd rejects the entries.
- slapadd the resulting LDIF file and start slapd.
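The rewrite step above done with sed, followed by a sanity check, as an added example (not code from the original page or from JMRTD). The file names, the constructed sample LDIF with placeholder base64 payloads, and the systemctl unit name used in the import helper are assumptions:

```shell
#!/bin/sh
# Added example (not part of the original page or of JMRTD): rewrite a PKD
# LDIF dump so the certificate and CRL attributes carry the ";binary" option
# that OpenLDAP requires, then check the result before handing it to slapadd.
# File names, the sample LDIF and the systemctl unit name are assumptions.
set -eu

# Rewrite the attribute descriptions at line start only, so base64
# continuation lines (which begin with a space) are left untouched.
fix_pkd_ldif() {   # $1 = input LDIF, $2 = output LDIF
    sed -e 's/^userCertificate::/userCertificate;binary::/' \
        -e 's/^certificateRevocationList::/certificateRevocationList;binary::/' \
        "$1" > "$2"
}

# Number of values of attribute $2 that carry the ;binary option in file $1.
count_binary_attr() {
    grep -c "^$2;binary::" "$1" || true
}

# The import step itself (stop slapd, slapadd, start slapd). Not run below;
# the init system and a slapd.conf with suffix "dc=data,dc=pkdDownload" are assumed.
import_pkd_ldif() {   # $1 = rewritten LDIF
    systemctl stop slapd
    slapadd -l "$1"
    systemctl start slapd
}

WORK=$(mktemp -d)

# Constructed sample in the shape of a PKD dump: two DSC entries and one CRL
# entry. The base64 payloads are placeholders, not real certificates.
cat > "$WORK/pkd.sample.ldif" <<'EOF'
dn: dc=data,dc=pkdDownload
objectClass: top
objectClass: domain
dc: data

dn: cn=DSC 0001,o=dsc,c=UT,dc=data,dc=pkdDownload
objectClass: top
objectClass: pkiUser
cn: DSC 0001
userCertificate:: MIIBxzCCAW2gAwIBAgIBATAKBggqhkjOPQQDAjAaMQswCQYDVQQGEwJVVDEL
 MAkGA1UEAwwCQ0EwHhcNMjQwMTAxMDAwMDAwWhcNMjUwMTAxMDAwMDAwWjAa

dn: cn=DSC 0002,o=dsc,c=UT,dc=data,dc=pkdDownload
objectClass: top
objectClass: pkiUser
cn: DSC 0002
userCertificate:: MIIBxzCCAW2gAwIBAgIBAjAKBggqhkjOPQQDAjAaMQswCQYDVQQGEwJVVDEL

dn: cn=CRL,o=crl,c=UT,dc=data,dc=pkdDownload
objectClass: top
objectClass: cRLDistributionPoint
cn: CRL
certificateRevocationList:: MIHrMIGRAgEBMAoGCCqGSM49BAMCMBoxCzAJBgNVBAYTAlVUMQsw
EOF

fix_pkd_ldif "$WORK/pkd.sample.ldif" "$WORK/pkd.fixed.ldif"
echo "userCertificate;binary values:           $(count_binary_attr "$WORK/pkd.fixed.ldif" userCertificate)"
echo "certificateRevocationList;binary values: $(count_binary_attr "$WORK/pkd.fixed.ldif" certificateRevocationList)"
# Next step on a real system: import_pkd_ldif "$WORK/pkd.fixed.ldif"
```

Anchoring the patterns at line start matters: a PKD dump wraps long base64 values onto continuation lines that start with a single space, and those must stay as they are or slapadd will see corrupted values.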
A JNDI interface to such
a PKD LDAP server is supported in the latest version of JMRTD.
To access the CSCA Master Lists (signed lists containing the root CSCs, as published by states that cross-check each other's certificates) a new schema has to be added to OpenLDAP. The object identifier macros below follow the ICAO Doc 9303 arc, in which id-icao-mrtd-security is 2.23.136.1.1 and id-icao-cscaMasterList is 2.23.136.1.1.2; the attribute type and object class keep the OIDs and names used here:
objectidentifier id-icao-mrtd-security 2.23.136.1.1
objectidentifier id-icao-cscaMasterList 2.23.136.1.1.2
objectidentifier id-icao-cscaMasterListSigningKey 2.23.136.1.1.3
attributetype ( id-icao-cscaMasterList NAME 'CscaMasterListData'
    DESC 'CSCA Master List Data'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE )
objectclass ( 2.23.136.2 NAME 'CscaMasterList'
    DESC 'CSCA Master List'
    SUP person
    STRUCTURAL
    MUST ( CscaMasterListData ) )
The suffix for the CSCA Master Lists is "dc=CSCAMasterList,dc=pkdDownload".
Other open source LDAP servers (OpenDS, OpenDJ) work as well.
Certificate validation with OpenSSL
If you wish to verify the signature of the CSC (in file csc.cer) on some DSC (in file dsc.cer) without relying on JMRTD, here's how to do it with OpenSSL. Both files are assumed to be in DER form, as read from the passport or the PKD, so they are converted to PEM first:
openssl x509 -in csc.cer -inform DER -out csc.pem
openssl x509 -in dsc.cer -inform DER -out dsc.pem
openssl verify -CAfile csc.pem dsc.pem
A successful run prints "dsc.pem: OK" and exits with status 0. Note that openssl verify checks more than the signature: it also checks that every certificate in the chain is currently within its validity period and that the CSC is marked as a CA, so an expired CSC is reported as an error even when the signature itself is fine. This command only establishes that the DSC chains to the CSC; checking the signature on the Document Security Object against the DSC, and checking the DSC against the CSCA's CRL (openssl verify -crl_check -CRLfile crl.pem), are separate steps.
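The chain check above run end to end, as an added example that is not code from the original page or from JMRTD: it builds a toy CSC and a DSC issued by it with OpenSSL, runs the page's DER-to-PEM and verify commands against them, shows the failure when the wrong CSC is offered, and computes the thumbprint used for the comparison described under "Other countries". All subjects, file names and the "rogue" second CA are made up:

```shell
#!/bin/sh
# Added example (not part of the original page or of JMRTD): build a toy
# CSCA -> DSC chain, then run the page's DER-to-PEM and verify commands against
# it, plus a negative case and the thumbprint comparison mentioned under
# "Other countries". All names, subjects and file names are made up.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# A self-signed CA certificate standing in for a CSC: CA:TRUE and keyCertSign,
# which openssl verify insists on for the trust anchor.
make_toy_csc() {   # $1 = basename, $2 = subject DN
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
    openssl req -new -key "$1.key" -subj "$2" -out "$1.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1.ext"
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 -extfile "$1.ext" -out "$1.pem"
    openssl x509 -in "$1.pem" -outform DER -out "$1.cer"   # DER, as governments publish it
}

# A DSC issued by the toy CSC, written as DER the way it sits in the passport.
make_toy_dsc() {   # $1 = CSC basename, $2 = DSC basename, $3 = subject DN
    openssl ecparam -name prime256v1 -genkey -noout -out "$2.key"
    openssl req -new -key "$2.key" -subj "$3" -out "$2.csr"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$2.ext"
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
        -days 365 -extfile "$2.ext" -out "$2.pem"
    openssl x509 -in "$2.pem" -outform DER -out "$2.cer"
}

# The page's procedure, wrapped: convert both DER files to PEM and verify.
# Prints OK when the DSC chains to the CSC, FAIL otherwise.
verify_dsc() {   # $1 = CSC .cer, $2 = DSC .cer
    openssl x509 -in "$1" -inform DER -out csc.pem
    openssl x509 -in "$2" -inform DER -out dsc.pem
    if openssl verify -CAfile csc.pem dsc.pem >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# SHA-256 thumbprint of a DER certificate, to compare a candidate CSC with a
# fingerprint a government publishes instead of the certificate itself.
fingerprint_der() {   # $1 = .cer file
    openssl x509 -in "$1" -inform DER -noout -fingerprint -sha256 | cut -d= -f2
}

make_toy_csc csca "/C=UT/O=Utopia MFA/CN=CSCA Utopia"
make_toy_csc rogue "/C=UT/O=Someone Else/CN=Not the CSCA"
make_toy_dsc csca dsc "/C=UT/O=Utopia MFA/CN=Document Signer 0001"

echo "DSC against genuine CSC: $(verify_dsc csca.cer dsc.cer)"   # OK
echo "DSC against wrong CSC:   $(verify_dsc rogue.cer dsc.cer)"  # FAIL
echo "CSC SHA-256 thumbprint:  $(fingerprint_der csca.cer)"
```

The negative case is the one that matters in practice: a DSC from a passport will chain to exactly one CSC, so offering a different (for example, fraudulently supplied) CSC makes openssl verify fail with "unable to get local issuer certificate". The thumbprint helper computes the value you would compare against a published fingerprint; make sure the published value and your computation use the same hash algorithm.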