Home Extract passport NFC's SoD certificate

Extract passport NFC's SoD certificate

NFC data is followed ICAO’s specification.

We must verify the Security Object Document (SoD), it contains signature, data and certificate of Document Signer (DS).

Wait, what’s Document Signer Certificate (DSC)? DSC is intermediate certificate, which is signed by Country Signing Certification Authority (CSCA). DSC is in SoD, CSCA should be public, so everyone can verify the SoD independently.

Look at SoD, we have someway to inspect it.

Extract SoD, we have base64 data, then convert it to der format:

cat sod.txt| base64 -d > sod.der

strip out SoD header, we have pkcs7 format:

openssl asn1parse -inform der -in sod.der -strparse 4 -noout -out sod.pkcs7

with sod.pkcs7 we have all data group’s hashes.

openssl cms -inform der -noverify -verify -in sod.pkcs7 -out sod.message
openssl asn1parse -inform der -in sod.message

Extract the certificate from SoD:

openssl pkcs7 -inform der -print_certs -in sod.pkcs7

Inspect certificate from SoD:

openssl pkcs7 -inform der -print_certs -in sod.pkcs7 | openssl x509 -noout -text

We know the CSCA location from DSC’s content.

If we have CSCA, we can verify SoD from our end independently:

openssl cms -inform der  -verify -certfile CSCA.cert -in sod.pkcs7 -noout

If we have CSCA - which should be public by default, we will validate without problem on our side.

This post is licensed under CC BY 4.0 by the author.