1

I found that on ICAO 9303_11 5.1: The inspection system performs the following steps:

  1. The inspection system SHALL read the Document Security Object (SO D ) (which MUST contain the Document Signer Certificate (C DS ), see also Doc 9303-10) from the contactless IC.

  2. The inspection system SHALL build and validate a certification path from a Trust Anchor to the Document Signer Certificate used to sign the Document Security Object (SO D ) according to Doc 9303-12.

  3. The inspection system SHALL use the verified Document Signer Public Key (KPu DS ) to verify the signature of the Document Security Object (SO D ).
  4. The inspection system MAY read relevant Data Groups from the contactless IC.
  5. The inspection system SHALL ensure that the contents of the Data Group are authentic and unchanged by hashing the contents and comparing the result with the corresponding hash value in the Document Security Object (SO D ).

I'm stuck on step 2. What is certificate path and How to build and validate a certification path from a Trust Anchor to the Document Signer Certificate?
Could anyone help me out?

neo
  • 618
  • 1
  • 10
  • 29
  • Note that [jmrtd](http://www.jmrtd.org/) already runs on Android, so I'm not sure what you're trying to program, but you might want to join them instead. Say "Hi" to Martijn if you do :) – Maarten Bodewes Jul 29 '17 at 17:01

1 Answers1

1

A certificate path or chain is a sequence of public keys, where each one is used to verify the correctness of the following.

The first key in the chain, the Country Signing CA key is stored in the passport during production and has already to be available.

Roughly sketched the process is:

  • Select root
  • Follow the certificate chain up to that of the passport itself, i. e. verify the signature of the certificate and in positive case extract the contained public key for the next step.
guidot
  • 5,095
  • 2
  • 25
  • 37
  • There you go: https://pkddownloadsg.icao.int/download and some certs are also available from jmrtd: http://www.jmrtd.org/certificates.shtml. – Maarten Bodewes Jul 29 '17 at 16:59
  • 1
    The CSCA (Country Signing CA) is not stored on the passport. It is a trust anchor, which the terminal has to provide. The Document Signer Certificate, which is signed from the CSCA should be part of EF.SOD, which is a file on the chip of the passport. So chain building is reversed here. We read the DS certificate from the chip and have to identify a trust anchor, which did sign the DS certificate in our set of trust anchors – Daniel Heldt Jul 31 '17 at 11:14