From: Frank M. <fra...@gm...> - 2025-04-25 20:30:37
Sorry, I don't have any insights about the card to share, but it seems you already managed to gather quite some information.

I think the jar will not help you much in integrating the card into OpenSC (or some similar). I assume there must be some middleware that allows using the cryptographic keys of the card, i.e. some PKCS#11 module or a macOS/Windows card driver. If you find one (Athena IDProtect?), you can intercept the middleware commands together with the APDUs to the card. If you have that, you can start re-implementing that in an open source fashion.

Best Regards,
Frank

On 22.04.25 at 14:44, dzeri96 via Opensc-devel wrote:
> Hello everyone,
>
> I'm trying to kickstart support for the new Montenegrin eID
> <https://www.gov.me/mup/elk>, or at least figure out how it works.
> I've sent multiple requests for technical specs to the government, but
> unless I take them to court, I doubt I'll get any useful information.
> Therefore I'll just write down what I manage to figure out on my own,
> and hopefully you can provide further insight. One thing about a
> country as small as Montenegro, is that there is a very high
> probability we didn't implement anything custom, as it's not
> financially viable.
>
> Here's what I have so far:
>
>   * *ATR*:
>     3b:dc:96:ff:81:91:fe:1f:c3:80:73:c8:21:13:66:05:03:63:51:00:02:de.
>     It doesn't seem to comply with the ATR scheme in the IAS ECC
>     specification, even though the government says the card complies
>     with all EU ID regulations (unclear which ones).
>   * *EF.ATR raw data*: 80004301B946040400ECC24703940180
>     4F0BF0496173456363526F6F74E01002 020104020200E6020200E6020200E678
>     0806062B8122F8780282029000
>   * *EF.DIR raw data*: 61374F0EE828BD080FD25047656E6572
>     6963500743686970446F63731C300404 025031A004040250324F0EE828BD080F
>     D2504543432D654944610F4F07A00000 0247100150044943414F61184F0A4D4F
>     4E54454E4547524F500A4E6174696F6E 616C4944
>   * By deciphering the EF.DIR data, we can discover 4 applications:
>       o E828BD080FD25047656E65726963 - ECC Generic PKI / ChipDocs Applet
>       o E828BD080FD2504543432D654944 - ECC eID
>       o A0000002471001 - ICAO
>       o 4D4F4E54454E4547524F - Spells out MONTENEGRO in ASCII, label
>         is "NationalID". No idea what this could be... maybe something
>         related to healthcare?
>   * I managed to use npa-tool and read the MRZ stored on the card
>     using CAN-based PACE, but all other functions of the tool don't
>     work, not even PIN-based PACE. I'm just using it as an APDU
>     debugger with PACE support.
>   * The official middleware supplied by the government is Athena
>     IDProtect.
>   * The activation software is available here
>     <https://wapi.gov.me/download/e63b50c5-9ccc-4034-961f-5bb401a9b375?version=1.0>.
>     It's a Java program developed by Mühlbauer
>     <https://www.muehlbauer.de/>. I decompiled it and saw that it's
>     accessing the ECC eID application. I managed to extract some APDUs
>     and get the activation status of the card (PIN change is required
>     on first use).
>   * iasecc-tool and pkcs15-tool say "Card is invalid or cannot be
>     handled" regardless of what I try.
>
> I've skimmed over hundreds of pages of standards, including the
> ISO-7816 parts, the NXP ChipDoc v4 spec, the BSI TR-03110, the IAS ECC
> spec, but I can barely find any concrete info on these applications.
> Someone must know how to access them because there are vendor-provided
> tools to do so.
>
> My goals are:
>
>  1. Get general knowledge about the card and build some PoC APDU
>     chains to read/set data.
>  2. Get the birthdate of the person via PIN-based auth and verify the
>     authenticity of the data.
>  3. Get the OpenSC suite of tools to work with the card.
>  4. Replace the closed-source middleware provided by the government.
>
> I would really appreciate any help here. Thanks!
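
The EF.DIR decoding mentioned in the quoted message, as an added example that is not part of either post or of OpenSC: a small BER-TLV walker run over the EF.DIR bytes quoted above. The function names are made up for illustration, and the tag meanings assumed (61 application template, 4F AID, 50 application label) are the ISO 7816-4 ones.

```python
# Added example (not from the thread): BER-TLV walk over the quoted EF.DIR bytes.
EF_DIR = bytes.fromhex(
    "61374F0EE828BD080FD25047656E6572" "6963500743686970446F63731C300404"
    "025031A004040250324F0EE828BD080F" "D2504543432D654944610F4F07A00000"
    "0247100150044943414F61184F0A4D4F" "4E54454E4547524F500A4E6174696F6E"
    "616C4944"
)

def parse_tlv(data):
    """Yield (tag, is_constructed, value) for each BER-TLV object in data."""
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):          # padding between objects
            i += 1
            continue
        start, constructed = i, bool(data[i] & 0x20)
        if data[i] & 0x1F == 0x1F:           # multi-byte tag number
            i += 1
            while i < len(data) and data[i] & 0x80:
                i += 1
        i += 1
        if i >= len(data):
            raise ValueError("truncated TLV: missing length")
        tag, length, i = int.from_bytes(data[start:i], "big"), data[i], i + 1
        if length & 0x80:                    # long-form length
            n = length & 0x7F
            if n == 0 or i + n > len(data):
                raise ValueError("bad long-form length")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("TLV value runs past end of data")
        yield tag, constructed, data[i:i + length]
        i += length

def list_applications(data, path=()):
    """Return [path, AID hex, label] for every AID (tag 4F), at any nesting depth."""
    found, entry = [], None
    for tag, constructed, value in parse_tlv(data):
        if tag == 0x4F:                      # application identifier
            entry = ["/".join(path), value.hex().upper(), ""]
            found.append(entry)
        elif tag == 0x50 and entry:          # label belonging to the AID just seen
            entry[2] = value.decode("ascii", "replace")
        elif constructed:                    # 61, 73, 30, A0, ...: descend
            found += list_applications(value, path + (f"{tag:02X}",))
    return found

if __name__ == "__main__":
    print(*list_applications(EF_DIR), sep="\n")
```

On these bytes the ECC eID AID turns up inside the 73 template of the first entry rather than in a 61 template of its own, and the first entry's label field is 7 bytes long and decodes as `ChipDoc`.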