Give us a call
Call us at +41 41 555 20 40
The Document Validation Server (DocVal server) will directly communicate with the eMRTD ( NFC Chip) of an ICAO Passport. The Communication between the NFC Chip and the DocVal server will be End-to-End encrypted.
The DocVal server is able to read the data (like MRZ Info or Photo of Face) and verify the authenticity and integrity of the data.
If the NFC Chip supports the Active Authentication Protocol or the Chip Authentication Protocol, the DocVal server will additionally be able to verify that the chip was not cloned.
This process is implemented as defined in ICAO Doc9303.
The Result (Data and Check Results) will be posted (Using a HTTP POST Request) to a Result Server.
As the WebSocket Session to the client is closed, all data about a passport will be deleted. The DocVal server is designed to not store any passport data longer than needed.
The Server will access the Chip through a WebSocket Connection.
The client device (which may be an Android Phone or Apple iPhone with NFC capabilities) connects to the WebSocket.
The OVDK Instance of the DocVal Service can be reached via the following url:
wss://kinegramdocval.lkis.de/ws1/validate
If the query parameter return_result
is set to true, the result will also be returned to the client device. This is useful if the result should be displayed on the client device.
wss://kinegramdocval.lkis.de/ws1/validate?return_result=true
To start the process, the client sends a StartMessage
to the server. The StartMessage is JSON encoded and sent as a text message to the server:
{
"client_id": "YOUR CLIENT ID",
"validation_id": "cf847daa-a548-4509-bdeb-4edd51aee448",
"access_key": {
"can": "153036"
},
"nfc_adapter_supports_extended_length": false,
"platform": "android"
}
{
"client_id": "YOUR CLIENT ID",
"validation_id": "cf847daa-a548-4509-bdeb-4edd51aee448",
"access_key": {
"can": "153036"
},
"nfc_adapter_supports_extended_length": true,
"max_command_bytes": 1024,
"max_response_bytes": 1024,
"platform": "ios"
}
{
"client_id": "YOUR CLIENT ID",
"validation_id": "cf847daa-a548-4509-bdeb-4edd51aee448",
"access_key": {
"document_number": "123465789",
"date_of_birth": "970825",
"date_of_expiry": "251008"
},
"nfc_adapter_supports_extended_length": true,
"max_command_bytes": 1024,
"max_response_bytes": 1024,
"platform": "ios"
}
client_id
validation_id
access_key
nfc_adapter_supports_extended_length
true
. For Android Devices this value can be queried from the IsoDep instance. https://developer.android.com/reference/android/nfc/tech/IsoDep#isExtendedLengthApduSupported()max_command_bytes
max_response_bytes
platform
Once the DocVal server received the StartMessage the server sends apdu-commands as binary messages to the client device. The client device needs to pass those binary messages to the chip. The client device then sends the response from the chip as a binary message to the server.
+---------------+ 1 +--------------------------+ 2 +--------------+
| Document |--------------->| Client Device |------------->| eMRTD |
| Validation | | (e.g. Phone) | | (NFC Chip) |
| Server |<---------------| |<-------------| |
+---------------+ 4 +--------------------------+ 3 +--------------+
The Client device functions as a proxy to allow the server and the NFC Chip to communicate.
The Server will provide updates about the current status to the client device. These updates will be text messages and contain a JSON.
{
"status": "READ_DG1"
}
The following status messages are to be expected (also in that order):
Status Message | Description |
---|---|
"READ_ATR_INFO" | Server is reading the ATR/INFO file. |
"ACCESS_CONTROL" | Server is accessing Chip using the Access Key. |
"READ_SOD" | Server is reading the SOD file. |
"READ_DG14" | Server is reading the DG14 file (only if present). |
"CHIP_AUTHENTICATION" | Server is performing Chip Authentication (only if supported). |
"READ_DG15" | Server is reading the DG15 file (only if present). |
"ACTIVE_AUTHENTICATION" | Server is performing Active Authentication (only if supported). |
"READ_DG1" | Server is reading the DG1 file. |
"READ_DG2" | Server is reading the DG2 file. |
"READ_DG7" | Server is reading the DG7 file (only if present). |
"READ_DG11" | Server is reading the DG11 file (only if present). |
"READ_DG12" | Server is reading the DG12 file (only if present). |
"PASSIVE_AUTHENTICATION" | Server is verifying the authenticity and integrity of the data. |
"DONE" | Process is finished |
The server will only attempt to read the ATR/INFO file, if the nfc adapter supports extended-length-APDUs and the max_command_bytes
and max_response_bytes
in the StartMessage have not been set.
Note that some files (DG14, DG15, DG7, DG11, DG12) are optional and not available on all passports.
Also note that the protocols Active Authentication and Chip Authentication are optional and not supported on all passports.
The DocVal server will pass the result on to the Result Server. The Result Server Url can be configured for each client_id. See the file INSTALL.html.
+---------------+ * Result (Passport Data & Check Results) +------------------+
| | * Validation ID | |
| DocVal server |------------------------------------------------>| Result Server |
| | | |
+---------------+ +------------------+
This architecture was chosen to avoid that the DocVal server needs to store data about a passport.
Result JSON Example:
{
"emrtd_passport": {
"sod_info": ...,
"mrz_info": ...,
"face_photo": ...,
"signature_photos": ...,
"additional_personal_details": ...,
"additional_document_details": ...,
"passive_authentication": ...,
"passive_authentication_details": ...,
"chip_authentication_result": ...,
"active_authentication_result": ...,
"errors": ...
},
"client_validation_id": "cf847daa-a548-4509-bdeb-4edd51aee448"
}
See the file emrtd_result.html for details about the Object "emrtd_passport". The "client_validation_id" is the validation_id provided by the client with the StartMessage.
If the URL Query parameter return_result is set to true (e.g. wss: //kinegramdocval.lkis.de/ws1/validate?return_result=true) the DocVal server will also send the Result JSON to the client. See the file emrtd_result.html for an explanation of the emrtd_passport object.
In some very special cases the iOS native URLSessionWebSocketTask on iOS 13 and 14 does not call the Close-Delegate-Function. Yet Wireshark recordings show that the ios client is indeed receiving and confirming the Close.
At this point, there are no clues indicating a bug in the server implementation, so we believe this is a URLSessionWebSocketTask related issue. Also with iOS 15 this issue seems to not exist anymore. The in-depth details about this behaviour are documented in the Server and IOS SDK Source Code.
To circumvent this downside and to ensure a reliable iOS Client, the close code and close reason are (unconventionally) sent as a json encoded text message.
Just before closing the WebSocket, the server will send the close_code
and (conditional) the close_reason
to the client as a json encoded text message. The Close-Codes and Close-Reasons to expect are defined in the two sections below.
Examples:
{
"close_code": 1000
}
{
"close_code": 1011,
"close_reason": "POST_TO_RESULT_SERVER_FAILED"
}
Client implementations that are reliably able to handle WebSocket-Session-Closes may in good conscience ignore this text message.
When everything is done and no errors occurred, the DocVal server will close the WebSocket connection with Close Code 1000
and no explicit Close-Reason-Phrases.
If something goes wrong the server will close the Connection. The following Close-Reason-Phrases are possible:
TIMEOUT_WHILE_WAITING_FOR_START_MESSAGE
TIMEOUT_WHILE_WAITING_FOR_RESPONSE
MAX_SESSION_TIME_EXCEEDED
UNEXPECTED_MESSAGE
INVALID_START_MESSAGE
INVALID_ACCESS_KEY_VALUES
The Access Key values are not valid. The CAN must be a 6 digit string. The Document Number must at least contain 8 characters. Date of Birth/Expiry must be encoded as "yyMMdd".COMMUNICATION_FAILED
FILE_READ_ERROR
EMRTD_PASSPORT_READER_ERROR
SERVER_ERROR
POST_TO_RESULT_SERVER_FAILED
INVALID_CLIENT_ID
ACCESS_CONTROL_FAILED
The Close-Codes are from the WebSocket Protocol which is defined in RFC6455.
Because of this there can be multiple phrases for a single Close-Code.
A Close-Code reflects the raw status from the WebSocket, while the Close-Reason-Phrases communicate additional information from this server.
Give us a call
Call us at +41 41 555 20 40
Contact by e-mail
Contact us via our contact form.
Personal meeting
Arrange a personal meeting.