1

I am performing Passive Authentication of a passport chip using jmrtd. I am able to verify the signature using the DSC (Digital Signing Certificate). But I am not able to verify the DSC using the CSC (Country Signing Certificate).

Please provide some approach, thanks in advance.

AroshiS
  • Do you have info/reference on how you initiated passive authentication using JMRTD? – Jono Mar 02 '21 at 15:19

1 Answer

1

Probably way too late for you, but in case anyone else runs into this :)

To do that you basically need to create a trust store with the CSCs. Basically they are just certificate authorities and need to be treated as such.

The first step is to create a PKCS12 containing all the CSCs you want/need. This for some reason can't be done using OpenSSL, but fortunately keytool is your friend: keytool importing multiple certificates in single file

Next up is creating a trust store, e.g., by following this example: https://stackoverflow.com/a/6379434/1441857

The keystore needed for the step above is created as follows:

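import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
// Loads the PKCS12 file of CSCs; the password must match the one the file was created with.
private KeyStore createStore(InputStream pkcs12Stream) throws GeneralSecurityException, IOException {
    final KeyStore keyStore = KeyStore.getInstance("PKCS12");
    keyStore.load(pkcs12Stream, "password".toCharArray());
    return keyStore;
}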

Finally, you can simply validate by using your trust manager(s) (there's actually just one, as expected), following the first answer I linked. The authType parameter seems to be "RSA_EXPORT"; I haven't figured out why yet.

I think that should do the trick :)

Rohde Fischer
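An added example (not code from the answer above or from JMRTD) of checking a DSC against the PKCS12 store of country signing certificates. It swaps the TLS trust manager for the JDK's PKIX `CertPathValidator` over the same store, so no authType is involved; the class name, the command-line arguments and the file names are hypothetical, and the DSC is assumed to have been saved to a file already.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

public final class DscChainCheck {
    // Throws CertPathValidatorException unless the DSC was issued by a CSC in the store.
    static void verifyDsc(X509Certificate dsc, KeyStore cscStore, Date when) throws Exception {
        // Each trusted-certificate entry in the store becomes a PKIX trust anchor.
        PKIXParameters params = new PKIXParameters(cscStore);
        // No CRL source is configured in this example, so revocation is switched off
        // here and has to be checked separately against the issuing state's CRL.
        params.setRevocationEnabled(false);
        params.setDate(when); // null means "validate as of now"
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Collections.singletonList(dsc));
        CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    // Hypothetical command line: <csc.p12> <store password> <dsc.cer>
    public static void main(String[] args) throws Exception {
        KeyStore store = KeyStore.getInstance("PKCS12");
        X509Certificate dsc;
        try (InputStream p12 = Files.newInputStream(Paths.get(args[0]));
             InputStream cer = Files.newInputStream(Paths.get(args[2]))) {
            store.load(p12, args[1].toCharArray());
            dsc = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(cer);
        }
        try {
            verifyDsc(dsc, store, null);
            System.out.println("DSC chains to a trusted CSC: " + dsc.getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            System.out.println("DSC rejected: " + e.getMessage());
        }
    }
}
```

`new PKIXParameters(KeyStore)` throws `InvalidAlgorithmParameterException` when the store holds no trusted-certificate entries, which is a quick way to notice that the keytool import did not produce the expected entries.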