Fix PACE access control failures on eIDs #269
Open
gbrickley wants to merge 1 commit into AndyQ:main from
🧾 Summary
I've been struggling with PACE failures for months (specifically German and Polish eIDs) and I finally figured out the issue.
This PR fixes the issue by including the Parameter ID (tag 0x84) in the MSE SET AT command when multiple PACE configurations are supported by the card. This resolves NFC session failures during PACE Step 2 caused by a mismatch between the card's selected domain parameters and the ones used by the reader (PCD).
🐛 Problem
Some eIDs (I've personally seen it on German / Polish) advertise multiple PACE configurations via the CardAccess file. Each configuration is represented as a PACEInfo entry with a distinct parameter ID. Per spec, this field is technically optional — but in practice it is required when multiple parameter sets exist. Omitting it causes the read to fail.
Without it:
Result: Tag response error / no response (no SW returned)
✅ Solution
Include the parameter ID (tag 0x84) in the MSE SET AT command using the value parsed from CardAccess.
Before
After
🔍 Implementation Details
- parameterId is parsed from the ASN.1 PACEInfo structure in CardAccess
- PACEInfo.parameterId
- paceInfo.getParameterId() when building the MSE SET AT APDU
🧠 Background
CardAccess contains a list of SecurityInfo entries, including one or more PACEInfo records. PACEInfo defines:
Example:
The parameter ID maps to standardized curves defined in BSI TR-03110.
The parameter ID (tag 0x84) is optional. Cards supporting multiple curves cannot infer which one the PCD intends to use — omission leads to undefined behavior (typically fallback to the weakest/default curve).
🧪 Result
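The "Before" and "After" APDUs referred to in the PR description are not reproduced on this page, so the following is an added example, not code from NFCPassportReader or from this PR, showing in Python how a reader parses the PACEInfo entries out of EF.CardAccess and builds the PACE MSE:SET AT APDU with and without tag 0x84. The CardAccess bytes are constructed for the demo (two PACEInfo entries with different parameter IDs plus one ChipAuthenticationInfo); the OID values, the tag numbers and the password reference 0x01 (MRZ) follow BSI TR-03110 Part 3 as assumed here and are not taken from the page.

```python
"""Parse PACEInfo entries from EF.CardAccess and build the PACE MSE:SET AT APDU.

Added example; not code from NFCPassportReader or from this PR.
The CardAccess bytes below are constructed for the demo, and the OID values,
tag numbers and password reference (0x01 = MRZ) follow BSI TR-03110 Part 3
as assumed here, not anything shown on the page.
"""
from dataclasses import dataclass
from typing import Iterator, Optional


def _read_tlv(buf: bytes, off: int) -> tuple[int, bytes, int]:
    """Decode one DER TLV at buf[off:]; returns (tag, value, offset after it)."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                      # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def _iter_tlvs(buf: bytes) -> Iterator[tuple[int, bytes]]:
    off = 0
    while off < len(buf):
        tag, value, off = _read_tlv(buf, off)
        yield tag, value


def _tlv(tag: int, value: bytes) -> bytes:
    """Short-form DER TLV encoder (enough for the small structures used here)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value


def decode_oid(content: bytes) -> str:
    """Dotted form of DER OID content bytes (first byte packs two arcs, rest base-128)."""
    arcs = [content[0] // 40, content[0] % 40]
    cur = 0
    for b in content[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


ID_PACE_PREFIX = "0.4.0.127.0.7.2.2.4"   # id-PACE arc (assumed per TR-03110 Part 3)


@dataclass
class PACEInfo:
    oid: bytes                    # raw OID content bytes; copied verbatim into tag 0x80
    version: int
    parameter_id: Optional[int]   # None when the card omitted the OPTIONAL field


def parse_pace_infos(card_access: bytes) -> list[PACEInfo]:
    """Return every PACEInfo in a CardAccess SET OF SecurityInfo, in card order."""
    tag, body, _ = _read_tlv(card_access, 0)
    if tag != 0x31:
        raise ValueError("CardAccess must be a SET (0x31)")
    infos: list[PACEInfo] = []
    for tag, seq in _iter_tlvs(body):
        if tag != 0x30:
            continue
        fields = list(_iter_tlvs(seq))
        # PACEInfo ::= SEQUENCE { protocol OID, version INTEGER, parameterId INTEGER OPTIONAL }
        # PACEDomainParameterInfo shares the id-PACE arc but its 2nd field is a SEQUENCE,
        # and ChipAuthenticationInfo sits under a different arc, so both are skipped.
        if (fields[0][0] != 0x06 or fields[1][0] != 0x02
                or not decode_oid(fields[0][1]).startswith(ID_PACE_PREFIX + ".")):
            continue
        version = int.from_bytes(fields[1][1], "big")
        param = int.from_bytes(fields[2][1], "big") if len(fields) > 2 else None
        infos.append(PACEInfo(fields[0][1], version, param))
    return infos


def build_mse_set_at(info: PACEInfo, password_ref: int, include_parameter_id: bool = True) -> bytes:
    """MSE:SET AT (CLA 00 INS 22 P1 C1 P2 A4): 80 = mechanism OID, 83 = password
    reference, 84 = domain parameter reference. include_parameter_id=False reproduces
    the failing 'before' command the PR describes."""
    data = _tlv(0x80, info.oid) + _tlv(0x83, bytes([password_ref]))
    if include_parameter_id and info.parameter_id is not None:
        data += _tlv(0x84, bytes([info.parameter_id]))
    return bytes([0x00, 0x22, 0xC1, 0xA4, len(data)]) + data


# Constructed CardAccess (not a real card dump): two PACEInfo entries with different
# parameter IDs plus one ChipAuthenticationInfo, like a card advertising several configs.
ID_PACE_ECDH_GM_AES_CBC_CMAC_128 = bytes.fromhex("04007F00070202040202")  # ...4.2.2
ID_PACE_ECDH_GM_AES_CBC_CMAC_256 = bytes.fromhex("04007F00070202040204")  # ...4.2.4
ID_CA_ECDH_AES_CBC_CMAC_128 = bytes.fromhex("04007F00070202030202")       # ...3.2.2

CONSTRUCTED_CARD_ACCESS = _tlv(0x31,
    _tlv(0x30, _tlv(0x06, ID_PACE_ECDH_GM_AES_CBC_CMAC_128) + _tlv(0x02, b"\x02") + _tlv(0x02, b"\x0D"))
    + _tlv(0x30, _tlv(0x06, ID_PACE_ECDH_GM_AES_CBC_CMAC_256) + _tlv(0x02, b"\x02") + _tlv(0x02, b"\x0C"))
    + _tlv(0x30, _tlv(0x06, ID_CA_ECDH_AES_CBC_CMAC_128) + _tlv(0x02, b"\x01")))

PASSWORD_REF_MRZ = 0x01   # 0x02 = CAN, 0x03 = PIN, 0x04 = PUK (assumed per TR-03110 Part 3)

if __name__ == "__main__":
    chosen = parse_pace_infos(CONSTRUCTED_CARD_ACCESS)[0]
    print("before:", build_mse_set_at(chosen, PASSWORD_REF_MRZ, include_parameter_id=False).hex())
    print("after: ", build_mse_set_at(chosen, PASSWORD_REF_MRZ).hex())
```

The point to check when debugging a Step 2 failure is that the value sent in tag 0x84 is the parameterId of the same PACEInfo whose OID went into tag 0x80; sending the OID of one entry with the parameter ID of another, or omitting 0x84 on a card with several entries, leaves the card and the PCD deriving different domain parameters for the mapping step.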