Which LDIF files to parse, what countries test ok? #40

datocrats-org opened this issue Feb 6, 2020 · 1 comment
Labels
documentation Improvements or additions to documentation

Comments

@datocrats-org

I retrieved the ICAO's master list version icaopkd-002-ml-000137.ldif which was referred to as "The latest collection of CSCA Master Lists." I attempted to parse from LDIF into the PEM format using scripts/extract.py and it caught some encoding errors, see below.

# b'unable to load certificate
# \r\n14136:error:0D078094:asn1 encoding routines:asn1_item_embed_d2i:sequence length mismatch:../openssl-1.1.1c/crypto/asn1/tasn_dec.c:386:Type=X509_NAME_ENTRY
# \r\n14136:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../openssl-1.1.1c/crypto/asn1/tasn_dec.c:596:
# \r\n14136:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../openssl-1.1.1c/crypto/asn1/tasn_dec.c:596:
# \r\n14136:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../openssl-1.1.1c/crypto/asn1/tasn_dec.c:627:Field=issuer, Type=X509_CINF
# \r\n14136:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../openssl-1.1.1c/crypto/asn1/tasn_dec.c:627:Field=cert_info, Type=X509

I am debugging Python on VS Code for the first time, would be happy to learn what else to gather to document the problem. I don't know if I am using the right file. Its name includes ml for master list so it looked correct. On visual inspection it contains 10 certs for various countries:

ICAO also has icaopkd-001-dsccrl-004079.ldif which is much larger and appears to have more countries. This was named "The latest collection of Document Signing Certificates(DSCs) and Certificate Revocation Lists(CRLs) to verify electronic passports." This has my country's certs.

  1. Which are you testing with and what countries' passports have you tested with? Can we start a list somewhere of what's tested ok?
  2. Can we document how to build a smaller test case for a single country?
  3. Are there any test or developer mocks that the ICAO has or we could develop ourselves?
@AndyQ
Owner

AndyQ commented Feb 7, 2020

I'm using the latest collection of CSCA Master Lists (item 2) - currently icaopkd-002-ml-000138.ldif.
I haven't quite figured out how to check against the revocation lists yet though (hence why I'm not using that one).

Just run that through and didn't get any errors though - although I'm using OpenSSL 1.0.2s 28 May 2019 though as the one that comes with OSX doesn't support the cms command.

I've tested against British, Spanish, Irish, NZ, and a couple of other passport countries.

There is little documentation around this - most of what I've found was from http://wiki.yobi.be/wiki/EPassport and looking through the pypassport and JMRTD code.

@AndyQ AndyQ added the documentation Improvements or additions to documentation label Feb 18, 2020
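
One way to approach question 2 above (a smaller test file for a single country), as an added example that is not part of the issue or the project's code: it filters an LDIF by the country in each entry's DN, coping with folded lines, base64-encoded DNs and escaped characters. It assumes each entry's DN carries a `c=` component; the sample data, the `exampleContent` attribute and all function names are constructed for illustration.

```python
import base64
import re

# Constructed sample: DNs, attribute name and payloads are made up for illustration.
SAMPLE_LDIF = "\n".join([
    "version: 1",
    "",
    "dn: cn=example-1,o=ml,c=A",   # DN folded in the middle of the country value
    " A,dc=example",
    "exampleContent:: QUFBQQ==",
    "",
    "dn:: " + base64.b64encode(b"cn=example-2,o=ml,c=BB,dc=example").decode(),
    "exampleContent:: QkJCQg==",
    "",
    "dn: cn=c\\=AA decoy,o=ml,c=BB,dc=example",   # escaped '=' inside a value
    "exampleContent:: Q0NDQw==",
])

def split_entries(ldif_text):
    """Split LDIF text into records (lists of raw lines) on blank lines."""
    blocks = re.split(r"\n{2,}", ldif_text.replace("\r\n", "\n"))
    return [b.strip("\n").splitlines() for b in blocks if b.strip()]

def entry_dn(lines):
    """Unfold continuation lines, then return the record's DN (or None)."""
    unfolded = "\n".join(lines).replace("\n ", "")   # newline + one space = folded line
    m = re.search(r"^dn(::?) *(.*)$", unfolded, re.M)
    if not m:
        return None
    value = m.group(2)                               # "dn::" marks a base64-encoded DN
    return base64.b64decode(value).decode("utf-8") if m.group(1) == "::" else value

def dn_country(dn):
    """Return the value of the c= component, splitting only on unescaped commas."""
    for rdn in re.split(r"(?<!\\),", dn or ""):
        key, _, value = rdn.strip().partition("=")
        if key.lower() == "c":
            return value.upper()
    return None

def filter_country(ldif_text, country):
    """Return a smaller LDIF holding only records whose DN has c=<country>."""
    kept = [e for e in split_entries(ldif_text) if dn_country(entry_dn(e)) == country.upper()]
    return "\n\n".join(["version: 1"] + ["\n".join(e) for e in kept]) + "\n"
```

The filter looks only at each entry's DN and copies the matching records through unchanged, so it does not inspect certificates carried inside an entry's payload.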