NFC data is followed ICAO’s specification.
We must verify the Security Object Document (SoD), it contains signature, data and certificate of Document Signer (DS).
Wait, what’s Document Signer Certificate (DSC)? DSC is intermediate certificate, which is signed by Country Signing Certification Authority (CSCA). DSC is in SoD, CSCA should be public, so everyone can verify the SoD independently.
Look at SoD, we have someway to inspect it.
Extract SoD, we have base64 data, then convert it to der format:
1
cat sod.txt| base64 -d > sod.der
strip out SoD header, we have pkcs7 format:
1
openssl asn1parse -inform der -in sod.der -strparse 4 -noout -out sod.pkcs7
with sod.pkcs7 we have all data group’s hashes.
1
2
openssl cms -inform der -noverify -verify -in sod.pkcs7 -out sod.message
openssl asn1parse -inform der -in sod.message
Extract the certificate from SoD:
1
openssl pkcs7 -inform der -print_certs -in sod.pkcs7
Inspect certificate from SoD:
1
openssl pkcs7 -inform der -print_certs -in sod.pkcs7 | openssl x509 -noout -text
We know the CSCA location from DSC’s content.
If we have CSCA, we can verify SoD from our end independently:
1
openssl cms -inform der -verify -certfile CSCA.cert -in sod.pkcs7 -noout
If we have CSCA - which should be public by default, we will validate without problem on our side.