@trustchex/react-native-sdk 1.381.0 → 1.464.0

package/src/Shared/EIDReader/eidReader.ts

@@ -1,4 +1,5 @@
 import { BACKey } from './bacKey';
+import { PACEKeySpec } from './paceKeySpec';
 import { NFCManagerCardService } from './nfcManagerCardService';
 import { EIDService } from './eidService';
 import { DG1File } from './lds/icao/dg1File';
@@ -8,6 +9,283 @@ import { Buffer } from 'buffer';
 import { MRZInfo } from './lds/icao/mrzInfo';
 import { InputStream } from './java/inputStream';
 
+// --- Minimal PNG encoder (pure JS, no native deps) ---
+// Uses deflate stored (uncompressed) blocks for O(n) encoding speed.
+// A naive DCT-based JPEG encoder would be O(n²) and freeze the JS thread
+// on real passport photos (400×500+ pixels).
+
+/** Standard CRC32 lookup table */
+const CRC_TABLE = new Uint32Array(256);
+for (let n = 0; n < 256; n++) {
+  let c = n;
+  for (let k = 0; k < 8; k++) {
+    c = c & 1 ? 0xedb88320 ^ (c >>> 1) : c >>> 1;
+  }
+  CRC_TABLE[n] = c;
+}
+
+function crc32(data: Uint8Array): number {
+  let crc = 0xffffffff;
+  for (let i = 0; i < data.length; i++) {
+    crc = CRC_TABLE[(crc ^ data[i]!) & 0xff]! ^ (crc >>> 8);
+  }
+  return (crc ^ 0xffffffff) >>> 0;
+}
+
+function adler32(data: Uint8Array): number {
+  let a = 1;
+  let b = 0;
+  for (let i = 0; i < data.length; i++) {
+    a = (a + data[i]!) % 65521;
+    b = (b + a) % 65521;
+  }
+  return ((b << 16) | a) >>> 0;
+}
+
+function writeU32BE(arr: Uint8Array, offset: number, val: number) {
+  arr[offset] = (val >>> 24) & 0xff;
+  arr[offset + 1] = (val >>> 16) & 0xff;
+  arr[offset + 2] = (val >>> 8) & 0xff;
+  arr[offset + 3] = val & 0xff;
+}
+
+/**
+ * Encode raw RGB/RGBA pixels as an uncompressed PNG.
+ * Uses deflate stored blocks (no compression) for maximum compatibility.
+ */
+function pixelsToPng(
+  pixels: Uint8ClampedArray | Uint8Array,
+  width: number,
+  height: number,
+  channels: number
+): Uint8Array {
+  // Build raw scanlines: filter byte (0) + RGB data per row
+  const rawRowLen = 1 + width * 3; // filter byte + RGB
+  const rawData = new Uint8Array(rawRowLen * height);
+  for (let y = 0; y < height; y++) {
+    const rowOff = y * rawRowLen;
+    rawData[rowOff] = 0; // filter: None
+    for (let x = 0; x < width; x++) {
+      const srcIdx = (y * width + x) * channels;
+      const dstIdx = rowOff + 1 + x * 3;
+      rawData[dstIdx] = pixels[srcIdx]!; // R
+      rawData[dstIdx + 1] = pixels[srcIdx + 1]!; // G
+      rawData[dstIdx + 2] = pixels[srcIdx + 2]!; // B
+    }
+  }
+
+  // Wrap raw data in zlib stored (uncompressed) format
+  const MAX_BLOCK = 65535;
+  const numBlocks = Math.ceil(rawData.length / MAX_BLOCK) || 1;
+  const zlibSize = 2 + rawData.length + numBlocks * 5 + 4;
+  const zlib = new Uint8Array(zlibSize);
+  let zOff = 0;
+  // zlib header: CMF=0x78 (deflate, 32K window), FLG=0x01 (check bits, no dict, level 0)
+  zlib[zOff++] = 0x78;
+  zlib[zOff++] = 0x01;
+
+  let remaining = rawData.length;
+  let srcOff = 0;
+  while (remaining > 0) {
+    const blockLen = Math.min(remaining, MAX_BLOCK);
+    const isFinal = remaining <= MAX_BLOCK ? 1 : 0;
+    zlib[zOff++] = isFinal; // BFINAL + BTYPE=00 (stored)
+    zlib[zOff++] = blockLen & 0xff;
+    zlib[zOff++] = (blockLen >>> 8) & 0xff;
+    zlib[zOff++] = ~blockLen & 0xff;
+    zlib[zOff++] = (~blockLen >>> 8) & 0xff;
+    zlib.set(rawData.subarray(srcOff, srcOff + blockLen), zOff);
+    zOff += blockLen;
+    srcOff += blockLen;
+    remaining -= blockLen;
+  }
+  // Adler32 of uncompressed data
+  const adl = adler32(rawData);
+  writeU32BE(zlib, zOff, adl);
+  zOff += 4;
+  const zlibData = zlib.subarray(0, zOff);
+
+  // Build PNG chunks
+  const PNG_SIG = new Uint8Array([137, 80, 78, 71, 13, 10, 26, 10]);
+
+  function makeChunk(type: string, data: Uint8Array): Uint8Array {
+    const chunk = new Uint8Array(4 + 4 + data.length + 4);
+    writeU32BE(chunk, 0, data.length);
+    chunk[4] = type.charCodeAt(0);
+    chunk[5] = type.charCodeAt(1);
+    chunk[6] = type.charCodeAt(2);
+    chunk[7] = type.charCodeAt(3);
+    chunk.set(data, 8);
+    const crcInput = chunk.subarray(4, 8 + data.length);
+    writeU32BE(chunk, 8 + data.length, crc32(crcInput));
+    return chunk;
+  }
+
+  // IHDR: width, height, bit depth 8, color type 2 (RGB)
+  const ihdrData = new Uint8Array(13);
+  writeU32BE(ihdrData, 0, width);
+  writeU32BE(ihdrData, 4, height);
+  ihdrData[8] = 8; // bit depth
+  ihdrData[9] = 2; // color type: RGB
+  ihdrData[10] = 0; // compression
+  ihdrData[11] = 0; // filter
+  ihdrData[12] = 0; // interlace
+
+  const ihdrChunk = makeChunk('IHDR', ihdrData);
+  const idatChunk = makeChunk('IDAT', zlibData);
+  const iendChunk = makeChunk('IEND', new Uint8Array(0));
+
+  const png = new Uint8Array(
+    PNG_SIG.length + ihdrChunk.length + idatChunk.length + iendChunk.length
+  );
+  let off = 0;
+  png.set(PNG_SIG, off);
+  off += PNG_SIG.length;
+  png.set(ihdrChunk, off);
+  off += ihdrChunk.length;
+  png.set(idatChunk, off);
+  off += idatChunk.length;
+  png.set(iendChunk, off);
+  return png;
+}
+
+/**
+ * If the image is JPEG 2000, decode and convert to PNG so React Native can display it.
+ * Returns { base64, mimeType } with the converted image, or the original if not JP2.
+ */
+function convertJP2IfNeeded(
+  imageBuffer: Buffer,
+  mimeType: string
+): { base64: string; mimeType: string } {
+  if (mimeType !== 'image/jp2') {
+    return { base64: imageBuffer.toString('base64'), mimeType };
+  }
+
+  console.debug('[EID] Face image is JP2, attempting conversion…');
+  try {
+    // Lazy-load jpeg2000 to avoid crashing if it fails to import
+    const { JpxImage } = require('jpeg2000');
+    const jpx = new JpxImage();
+    jpx.parse(imageBuffer);
+    const tile = jpx.tiles[0];
+    console.debug(
+      `[EID] JP2 decoded: ${tile.width}x${tile.height}, ${jpx.componentsCount} channels, ${tile.items.length} bytes`
+    );
+    const pngBytes = pixelsToPng(
+      tile.items,
+      tile.width,
+      tile.height,
+      jpx.componentsCount
+    );
+    const pngBase64 = Buffer.from(pngBytes).toString('base64');
+    console.debug(
+      `[EID] Converted JP2 → PNG (${pngBytes.length} bytes, ${pngBase64.length} base64 chars)`
+    );
+    return { base64: pngBase64, mimeType: 'image/png' };
+  } catch (err) {
+    console.debug('[EID] JP2 conversion failed:', err);
+    return { base64: imageBuffer.toString('base64'), mimeType };
+  }
+}
+
+/**
+ * Try to parse PACE OID and parameter ID from EF.CardAccess data.
+ * Returns null if no PACE info is found.
+ */
+function parsePACEInfoFromCardAccess(
+  data: Buffer
+): { oid: string; parameterId: number } | null {
+  try {
+    // EF.CardAccess is a SET of SecurityInfo sequences (ASN.1 DER)
+    // Each SecurityInfo: SEQUENCE { OID, INTEGER (version), optional INTEGER (parameterId) }
+    let offset = 0;
+    if (data[offset] === 0x31) {
+      // SET tag
+      offset++;
+      const setLen = readASN1Length(data, offset);
+      offset = setLen.nextOffset;
+    }
+
+    while (offset < data.length) {
+      if (data[offset] !== 0x30) break; // SEQUENCE tag
+      offset++;
+      const seqLen = readASN1Length(data, offset);
+      const seqEnd = seqLen.nextOffset + seqLen.length;
+      offset = seqLen.nextOffset;
+
+      // Read OID
+      if (data[offset] !== 0x06) {
+        offset = seqEnd;
+        continue;
+      }
+      offset++;
+      const oidLen = readASN1Length(data, offset);
+      offset = oidLen.nextOffset;
+      const oidBytes = data.subarray(offset, offset + oidLen.length);
+      const oid = decodeOID(oidBytes);
+      offset += oidLen.length;
+
+      // Check if this is a PACE OID
+      if (oid.startsWith('0.4.0.127.0.7.2.2.4.')) {
+        // Read version (INTEGER)
+        let parameterId = 13; // default brainpoolP256r1
+        if (offset < seqEnd && data[offset] === 0x02) {
+          offset++;
+          const intLen = readASN1Length(data, offset);
+          offset = intLen.nextOffset + intLen.length;
+        }
+        // Read optional parameterId (INTEGER)
+        if (offset < seqEnd && data[offset] === 0x02) {
+          offset++;
+          const intLen = readASN1Length(data, offset);
+          offset = intLen.nextOffset;
+          parameterId = 0;
+          for (let i = 0; i < intLen.length; i++) {
+            parameterId = (parameterId << 8) | data[offset + i];
+          }
+        }
+        return { oid, parameterId };
+      }
+
+      offset = seqEnd;
+    }
+  } catch {
+    // Failed to parse, PACE not available
+  }
+  return null;
+}
+
+function readASN1Length(
+  data: Buffer,
+  offset: number
+): { length: number; nextOffset: number } {
+  const firstByte = data[offset];
+  if ((firstByte & 0x80) === 0) {
+    return { length: firstByte, nextOffset: offset + 1 };
+  }
+  const numBytes = firstByte & 0x7f;
+  let length = 0;
+  for (let i = 0; i < numBytes; i++) {
+    length = (length << 8) | data[offset + 1 + i];
+  }
+  return { length, nextOffset: offset + 1 + numBytes };
+}
+
+function decodeOID(bytes: Buffer): string {
+  const components: number[] = [];
+  components.push(Math.floor(bytes[0] / 40));
+  components.push(bytes[0] % 40);
+  let value = 0;
+  for (let i = 1; i < bytes.length; i++) {
+    value = (value << 7) | (bytes[i] & 0x7f);
+    if ((bytes[i] & 0x80) === 0) {
+      components.push(value);
+      value = 0;
+    }
+  }
+  return components.join('.');
+}
+
 const eidReader = async (
   documentNumber: string,
   dateOfBirth: string,
@@ -29,23 +307,129 @@ const eidReader = async (
   try {
     await passportService.open();
 
+    progress = 1;
+    if (progressCallback) {
+      progressCallback(progress);
+    }
+
+    // Try to read EF.CardAccess before selecting applet to check for PACE.
+    // Explicitly SELECT MF first so the SFI=0x1C context is correct,
+    // regardless of which application the chip activates on power-on.
+    let hasPACESucceeded = false;
+
+    try {
+      await passportService.sendSelectMF();
+      console.debug('[EID] SELECT MF OK');
+    } catch (mfErr) {
+      const mfMsg = mfErr instanceof Error ? mfErr.message : String(mfErr);
+      console.debug(
+        `[EID] SELECT MF failed (${mfMsg}), continuing with SFI read anyway`
+      );
+    }
+
+    progress = 2;
+    if (progressCallback) {
+      progressCallback(progress);
+    }
+
+    // Read EF.CardAccess — kept in a separate try/catch so we can distinguish
+    // "file read failure" from "PACE protocol failure" in the logs.
+    let cardAccessBuf: Buffer | null = null;
+    try {
+      const cardAccessStream = passportService.getInputStream(
+        EIDService.EF_CARD_ACCESS
+      );
+      await cardAccessStream.init();
+      const cardAccessLen = cardAccessStream.getLength();
+      const buf = Buffer.alloc(cardAccessLen);
+      for (let i = 0; i < cardAccessLen; i++) {
+        buf[i] = await cardAccessStream.read();
+      }
+      cardAccessBuf = buf;
+      console.debug(
+        `[EID] EF.CardAccess read OK: ${cardAccessLen} bytes = ${cardAccessBuf.toString('hex')}`
+      );
+    } catch (readErr) {
+      const readMsg =
+        readErr instanceof Error ? readErr.message : String(readErr);
+      console.debug(
+        `[EID] EF.CardAccess read FAILED: ${readMsg} — falling back to BAC`
+      );
+    }
+
+    progress = 3;
+    if (progressCallback) {
+      progressCallback(progress);
+    }
+
+    // If EF.CardAccess was read successfully, attempt PACE.
+    if (cardAccessBuf !== null) {
+      try {
+        const paceInfo = parsePACEInfoFromCardAccess(cardAccessBuf);
+
+        if (paceInfo) {
+          console.debug(
+            `[EID] PACE available: oid=${paceInfo.oid} parameterId=${paceInfo.parameterId}`
+          );
+          // PACE is available - derive key from MRZ and perform PACE
+          const bacKey = new BACKey(documentNumber, dateOfBirth, dateOfExpiry);
+          const paceKey = PACEKeySpec.createMRZKey(bacKey.getKeySeedForPACE());
+
+          progress = 4;
+          if (progressCallback) {
+            progressCallback(progress);
+          }
+
+          await passportService.doPACE(
+            paceKey,
+            paceInfo.oid,
+            paceInfo.parameterId,
+            progressCallback
+          );
+          hasPACESucceeded = true;
+          console.debug('[EID] PACE succeeded');
+        } else {
+          console.debug(
+            '[EID] EF.CardAccess read OK but no PACE SecurityInfo found — document does not support PACE, falling back to BAC'
+          );
+        }
+      } catch (paceError) {
+        // PACE protocol exchange failed — fall back to BAC
+        const msg =
+          paceError instanceof Error ? paceError.message : String(paceError);
+        console.debug(
+          `[EID] PACE protocol failed (${msg}), falling back to BAC`
+        );
+        if (paceError instanceof Error && paceError.stack) {
+          console.debug('[EID] PACE error stack:', paceError.stack);
+        }
+      }
+    }
+
+    progress = 9;
+    if (progressCallback) {
+      progressCallback(progress);
+    }
+
     // Select Applet for MRTD
-    await passportService.sendSelectApplet(false);
+    await passportService.sendSelectApplet(hasPACESucceeded);
 
     progress = 10;
     if (progressCallback) {
       progressCallback(progress);
     }
 
-    // Check if EF_COM is available
-    try {
-      const efComStream = passportService.getInputStream(EIDService.EF_COM);
-      await efComStream.init();
-      await efComStream.read();
-    } catch (error) {
-      // EF_COM not available -> try to do BAC
-      const bacKey = new BACKey(documentNumber, dateOfBirth, dateOfExpiry);
-      await passportService.doBAC(bacKey);
+    if (!hasPACESucceeded) {
+      // Check if EF_COM is available
+      try {
+        const efComStream = passportService.getInputStream(EIDService.EF_COM);
+        await efComStream.init();
+        await efComStream.read();
+      } catch (error) {
+        // EF_COM not available -> try to do BAC
+        const bacKey = new BACKey(documentNumber, dateOfBirth, dateOfExpiry);
+        await passportService.doBAC(bacKey);
+      }
     }
 
     progress = 20;
@@ -89,8 +473,10 @@ const eidReader = async (
       const imageInputStream = await faceImageInfo.getImageInputStream();
       const buffer = Buffer.alloc(imageLength);
       await imageInputStream.readBytesWithOffset(buffer, 0, imageLength);
-      imageAsBase64 = buffer.toString('base64');
-      mimeType = faceImageInfo.getMimeType();
+      const rawMimeType = faceImageInfo.getMimeType();
+      const converted = convertJP2IfNeeded(buffer, rawMimeType);
+      imageAsBase64 = converted.base64;
+      mimeType = converted.mimeType;
     }
 
     progress = 100;

package/src/Shared/EIDReader/eidService.ts

@@ -9,6 +9,9 @@ import { BACAPDUSender } from './protocol/bacAPDUSender';
 import { ReadBinaryAPDUSender } from './protocol/readBinaryAPDUSender';
 import { BACResult } from './protocol/bacResult';
 import { BACProtocol } from './protocol/bacProtocol';
+import { PACEAPDUSender } from './protocol/paceAPDUSender';
+import { PACEProtocol } from './protocol/paceProtocol';
+import { PACEResult } from './protocol/paceResult';
 import { CommandAPDU } from './smartcards/commandAPDU';
 import type { APDUListener } from './smartcards/apduListener';
 import { APDUEvent } from './smartcards/apduEvent';
@@ -209,7 +212,20 @@ export class EIDService extends AbstractMRTDCardService {
     this.shouldCheckMAC = shouldCheckMAC;
     this.isAppletSelected = false;
     this.isOpen = false;
-    this.rootFileSystem = new DefaultFileSystem(this.readBinarySender, false);
+    // EF.CardAccess and EF.CardSecurity live in the MF (Master File), outside
+    // the ICAO applet. They must be read via SFI-based READ BINARY (no SELECT
+    // needed). Without SFI, the implementation falls back to SELECT-by-FID
+    // which many passport chips reject at MF level before applet selection,
+    // causing PACE to be falsely reported as "not available".
+    const rootFidToSFI = new Map<number, number>([
+      [EID_CONSTANTS.EF_CARD_ACCESS, EID_CONSTANTS.SFI_CARD_ACCESS],
+      [EID_CONSTANTS.EF_CARD_SECURITY, EID_CONSTANTS.SFI_CARD_SECURITY],
+    ]);
+    this.rootFileSystem = new DefaultFileSystem(
+      this.readBinarySender,
+      true,
+      rootFidToSFI
+    );
     this.appletFileSystem = new DefaultFileSystem(
       this.readBinarySender,
       isSFIEnabled
@@ -261,6 +277,38 @@ export class EIDService extends AbstractMRTDCardService {
     return bacResult;
   }
 
+  /**
+   * Performs the PACE protocol.
+   *
+   * @param accessKey the access key (MRZ or CAN based)
+   * @param oid the PACE OID string from EF.CardAccess
+   * @param parameterId the standard domain parameter ID (e.g. 13 for brainpoolP256r1)
+   */
+  public async doPACE(
+    accessKey: AccessKeySpec,
+    oid: string,
+    parameterId: number | null,
+    progressCallback?: (progress: number) => void
+  ): Promise<PACEResult> {
+    const paceSender = new PACEAPDUSender(this.service);
+    const paceProtocol = new PACEProtocol(
+      paceSender,
+      this.wrapper,
+      EIDService.NORMAL_MAX_TRANSCEIVE_LENGTH,
+      this.maxTransceiveLengthForSecureMessaging,
+      this.shouldCheckMAC
+    );
+    const paceResult = await paceProtocol.doPACE(
+      accessKey,
+      oid,
+      parameterId,
+      progressCallback
+    );
+    this.wrapper = paceResult.getWrapper();
+    this.appletFileSystem.setWrapper(this.wrapper);
+    return paceResult;
+  }
+
   public async close(): Promise<void> {
     try {
       await this.service.close();

package/src/Shared/EIDReader/nfcManagerCardService.ts

@@ -13,7 +13,10 @@ export class NFCManagerCardService extends CardService {
       NfcTech.NfcA,
       NfcTech.NfcB,
     ]);
-    // await NFCManager.setTimeout(5000);
+    // Increase transceive timeout for slow curves (e.g. brainpoolP512r1 ECDH on passport chip)
+    if (Platform.OS === 'android') {
+      await NFCManager.setTimeout(10000);
+    }
     this.isOpened = true;
   }
 
@@ -22,10 +25,6 @@ export class NFCManagerCardService extends CardService {
   }
 
   public async transmit(commandAPDU: CommandAPDU): Promise<ResponseAPDU> {
-    // console.debug(
-    //   `T[${ISO7816_INS[commandAPDU.getINS()]}]:`,
-    //   Buffer.from(commandAPDU.getBytes()).toString('hex').toUpperCase(),
-    // );
     let response: number[];
 
     if (Platform.OS === 'ios') {
@@ -38,7 +37,6 @@ export class NFCManagerCardService extends CardService {
         Array.from(commandAPDU.getBytes())
       );
     }
-    // console.debug('R:', Buffer.from(response).toString('hex').toUpperCase());
 
     return new ResponseAPDU(response);
   }

package/src/Shared/EIDReader/paceInfo.ts

@@ -0,0 +1,159 @@
+/**
+ * PACE (Password Authenticated Connection Establishment) protocol info.
+ * Parses PACE OIDs to extract mapping type, cipher, digest, key agreement algorithm, and key length.
+ *
+ * Based on ICAO Doc 9303 Part 11 and BSI TR-03110.
+ */
+
+export enum MappingType {
+  GM = 'GM',
+  IM = 'IM',
+  CAM = 'CAM',
+}
+
+// PACE OID constants (BSI TR-03110 / ICAO 9303)
+export const ID_PACE = '0.4.0.127.0.7.2.2.4';
+
+export const ID_PACE_DH_GM = '0.4.0.127.0.7.2.2.4.1';
+export const ID_PACE_DH_GM_3DES_CBC_CBC = '0.4.0.127.0.7.2.2.4.1.1';
+export const ID_PACE_DH_GM_AES_CBC_CMAC_128 = '0.4.0.127.0.7.2.2.4.1.2';
+export const ID_PACE_DH_GM_AES_CBC_CMAC_192 = '0.4.0.127.0.7.2.2.4.1.3';
+export const ID_PACE_DH_GM_AES_CBC_CMAC_256 = '0.4.0.127.0.7.2.2.4.1.4';
+
+export const ID_PACE_ECDH_GM = '0.4.0.127.0.7.2.2.4.2';
+export const ID_PACE_ECDH_GM_3DES_CBC_CBC = '0.4.0.127.0.7.2.2.4.2.1';
+export const ID_PACE_ECDH_GM_AES_CBC_CMAC_128 = '0.4.0.127.0.7.2.2.4.2.2';
+export const ID_PACE_ECDH_GM_AES_CBC_CMAC_192 = '0.4.0.127.0.7.2.2.4.2.3';
+export const ID_PACE_ECDH_GM_AES_CBC_CMAC_256 = '0.4.0.127.0.7.2.2.4.2.4';
+
+export const ID_PACE_DH_IM = '0.4.0.127.0.7.2.2.4.3';
+export const ID_PACE_DH_IM_3DES_CBC_CBC = '0.4.0.127.0.7.2.2.4.3.1';
+export const ID_PACE_DH_IM_AES_CBC_CMAC_128 = '0.4.0.127.0.7.2.2.4.3.2';
+export const ID_PACE_DH_IM_AES_CBC_CMAC_192 = '0.4.0.127.0.7.2.2.4.3.3';
+export const ID_PACE_DH_IM_AES_CBC_CMAC_256 = '0.4.0.127.0.7.2.2.4.3.4';
+
+export const ID_PACE_ECDH_IM = '0.4.0.127.0.7.2.2.4.4';
+export const ID_PACE_ECDH_IM_3DES_CBC_CBC = '0.4.0.127.0.7.2.2.4.4.1';
+export const ID_PACE_ECDH_IM_AES_CBC_CMAC_128 = '0.4.0.127.0.7.2.2.4.4.2';
+export const ID_PACE_ECDH_IM_AES_CBC_CMAC_192 = '0.4.0.127.0.7.2.2.4.4.3';
+export const ID_PACE_ECDH_IM_AES_CBC_CMAC_256 = '0.4.0.127.0.7.2.2.4.4.4';
+
+export const ID_PACE_ECDH_CAM = '0.4.0.127.0.7.2.2.4.6';
+export const ID_PACE_ECDH_CAM_AES_CBC_CMAC_128 = '0.4.0.127.0.7.2.2.4.6.2';
+export const ID_PACE_ECDH_CAM_AES_CBC_CMAC_192 = '0.4.0.127.0.7.2.2.4.6.3';
+export const ID_PACE_ECDH_CAM_AES_CBC_CMAC_256 = '0.4.0.127.0.7.2.2.4.6.4';
+
+// Standard domain parameter identifiers
+export const PARAM_ID_ECP_NIST_P256_R1 = 12;
+export const PARAM_ID_ECP_BRAINPOOL_P256_R1 = 13;
+export const PARAM_ID_ECP_BRAINPOOL_P384_R1 = 16;
+export const PARAM_ID_ECP_BRAINPOOL_P512_R1 = 17;
+export const PARAM_ID_ECP_NIST_P384_R1 = 15;
+export const PARAM_ID_ECP_NIST_P521_R1 = 18;
+
+const GM_OIDS = new Set([
+  ID_PACE_DH_GM_3DES_CBC_CBC,
+  ID_PACE_DH_GM_AES_CBC_CMAC_128,
+  ID_PACE_DH_GM_AES_CBC_CMAC_192,
+  ID_PACE_DH_GM_AES_CBC_CMAC_256,
+  ID_PACE_ECDH_GM_3DES_CBC_CBC,
+  ID_PACE_ECDH_GM_AES_CBC_CMAC_128,
+  ID_PACE_ECDH_GM_AES_CBC_CMAC_192,
+  ID_PACE_ECDH_GM_AES_CBC_CMAC_256,
+]);
+
+const IM_OIDS = new Set([
+  ID_PACE_DH_IM_3DES_CBC_CBC,
+  ID_PACE_DH_IM_AES_CBC_CMAC_128,
+  ID_PACE_DH_IM_AES_CBC_CMAC_192,
+  ID_PACE_DH_IM_AES_CBC_CMAC_256,
+  ID_PACE_ECDH_IM_3DES_CBC_CBC,
+  ID_PACE_ECDH_IM_AES_CBC_CMAC_128,
+  ID_PACE_ECDH_IM_AES_CBC_CMAC_192,
+  ID_PACE_ECDH_IM_AES_CBC_CMAC_256,
+]);
+
+const CAM_OIDS = new Set([
+  ID_PACE_ECDH_CAM_AES_CBC_CMAC_128,
+  ID_PACE_ECDH_CAM_AES_CBC_CMAC_192,
+  ID_PACE_ECDH_CAM_AES_CBC_CMAC_256,
+]);
+
+const DH_OIDS = new Set([
+  ID_PACE_DH_GM_3DES_CBC_CBC,
+  ID_PACE_DH_GM_AES_CBC_CMAC_128,
+  ID_PACE_DH_GM_AES_CBC_CMAC_192,
+  ID_PACE_DH_GM_AES_CBC_CMAC_256,
+  ID_PACE_DH_IM_3DES_CBC_CBC,
+  ID_PACE_DH_IM_AES_CBC_CMAC_128,
+  ID_PACE_DH_IM_AES_CBC_CMAC_192,
+  ID_PACE_DH_IM_AES_CBC_CMAC_256,
+]);
+
+const DES_OIDS = new Set([
+  ID_PACE_DH_GM_3DES_CBC_CBC,
+  ID_PACE_DH_IM_3DES_CBC_CBC,
+  ID_PACE_ECDH_GM_3DES_CBC_CBC,
+  ID_PACE_ECDH_IM_3DES_CBC_CBC,
+]);
+
+const KEY_128_OIDS = new Set([
+  ID_PACE_DH_GM_3DES_CBC_CBC,
+  ID_PACE_DH_IM_3DES_CBC_CBC,
+  ID_PACE_ECDH_GM_3DES_CBC_CBC,
+  ID_PACE_ECDH_IM_3DES_CBC_CBC,
+  ID_PACE_DH_GM_AES_CBC_CMAC_128,
+  ID_PACE_DH_IM_AES_CBC_CMAC_128,
+  ID_PACE_ECDH_GM_AES_CBC_CMAC_128,
+  ID_PACE_ECDH_IM_AES_CBC_CMAC_128,
+  ID_PACE_ECDH_CAM_AES_CBC_CMAC_128,
+]);
+
+const KEY_192_OIDS = new Set([
+  ID_PACE_DH_GM_AES_CBC_CMAC_192,
+  ID_PACE_DH_IM_AES_CBC_CMAC_192,
+  ID_PACE_ECDH_GM_AES_CBC_CMAC_192,
+  ID_PACE_ECDH_IM_AES_CBC_CMAC_192,
+  ID_PACE_ECDH_CAM_AES_CBC_CMAC_192,
+]);
+
+const KEY_256_OIDS = new Set([
+  ID_PACE_DH_GM_AES_CBC_CMAC_256,
+  ID_PACE_DH_IM_AES_CBC_CMAC_256,
+  ID_PACE_ECDH_GM_AES_CBC_CMAC_256,
+  ID_PACE_ECDH_IM_AES_CBC_CMAC_256,
+  ID_PACE_ECDH_CAM_AES_CBC_CMAC_256,
+]);
+
+const SHA256_OIDS = new Set([...KEY_192_OIDS, ...KEY_256_OIDS]);
+
+export class PACEInfo {
+  public static toMappingType(oid: string): MappingType {
+    if (GM_OIDS.has(oid)) return MappingType.GM;
+    if (IM_OIDS.has(oid)) return MappingType.IM;
+    if (CAM_OIDS.has(oid)) return MappingType.CAM;
+    throw new Error(`Unknown PACE OID: ${oid}`);
+  }
+
+  public static toKeyAgreementAlgorithm(oid: string): 'DH' | 'ECDH' {
+    if (DH_OIDS.has(oid)) return 'DH';
+    return 'ECDH';
+  }
+
+  public static toCipherAlgorithm(oid: string): 'DESede' | 'AES' {
+    if (DES_OIDS.has(oid)) return 'DESede';
+    return 'AES';
+  }
+
+  public static toDigestAlgorithm(oid: string): 'SHA-1' | 'SHA-256' {
+    if (SHA256_OIDS.has(oid)) return 'SHA-256';
+    return 'SHA-1';
+  }
+
+  public static toKeyLength(oid: string): 128 | 192 | 256 {
+    if (KEY_128_OIDS.has(oid)) return 128;
+    if (KEY_192_OIDS.has(oid)) return 192;
+    if (KEY_256_OIDS.has(oid)) return 256;
+    throw new Error(`Unknown PACE OID: ${oid}`);
+  }
+}