@trustchex/react-native-sdk 1.381.0 → 1.464.0

package/lib/module/Shared/Components/NavigationManager.js

@@ -10,10 +10,14 @@ import i18n from "../../Translation/index.js";
 import StyledButton from "./StyledButton.js";
 import { analyticsService } from "../Services/AnalyticsService.js";
 
-// Simple global navigation lock
+// Navigation lock - use a ref-like pattern so unmounting resets state.
+// The module-level object is shared across all instances but the
+// cleanup effect in the component resets it on unmount.
 import { jsx as _jsx } from "react/jsx-runtime";
-let isNavigating = false;
-let lastNavigationTime = 0;
+const navigationLock = {
+  isNavigating: false,
+  lastNavigationTime: 0
+};
 const NavigationManager = /*#__PURE__*/forwardRef(({
   canSkipStep
 }, ref) => {
@@ -29,18 +33,20 @@ const NavigationManager = /*#__PURE__*/forwardRef(({
       CONTRACT_ACCEPTANCE: 'ContractAcceptanceScreen',
       IDENTITY_DOCUMENT_SCAN: 'IdentityDocumentScanningScreen',
       IDENTITY_DOCUMENT_EID_SCAN: 'IdentityDocumentEIDScanningScreen',
-      LIVENESS_CHECK: 'LivenessDetectionScreen'
+      LIVENESS_CHECK: 'LivenessDetectionScreen',
+      VERBAL_CONSENT: 'VerbalConsentScreen',
+      VIDEO_CALL: 'VideoCallScreen'
     },
     RESULT: 'ResultScreen'
   };
   React.useEffect(() => {
     const handleFocus = () => {
-      isNavigating = false;
+      navigationLock.isNavigating = false;
     };
     navigation.addListener('focus', handleFocus);
     return () => {
       navigation.removeListener('focus', handleFocus);
-      isNavigating = false;
+      navigationLock.isNavigating = false;
     };
   }, [navigation]);
   const getNextRoute = useCallback((workflowSteps, currentWorkFlowStep) => {
@@ -69,16 +75,22 @@ const NavigationManager = /*#__PURE__*/forwardRef(({
     if (nextStep.type === 'LIVENESS_CHECK') {
       return routes.DYNAMIC_ROUTES.LIVENESS_CHECK;
     }
+    if (nextStep.type === 'VIDEO_CALL') {
+      return routes.DYNAMIC_ROUTES.VIDEO_CALL;
+    }
+    if (nextStep.type === 'VERBAL_CONSENT') {
+      return routes.DYNAMIC_ROUTES.VERBAL_CONSENT;
+    }
     return routes.VERIFICATION_SESSION_CHECK;
-  }, [appContext, routes.VERIFICATION_SESSION_CHECK, routes.DYNAMIC_ROUTES.CONTRACT_ACCEPTANCE, routes.DYNAMIC_ROUTES.IDENTITY_DOCUMENT_EID_SCAN, routes.DYNAMIC_ROUTES.IDENTITY_DOCUMENT_SCAN, routes.DYNAMIC_ROUTES.LIVENESS_CHECK, routes.RESULT]);
+  }, [appContext, routes.VERIFICATION_SESSION_CHECK, routes.RESULT, routes.DYNAMIC_ROUTES.CONTRACT_ACCEPTANCE, routes.DYNAMIC_ROUTES.IDENTITY_DOCUMENT_SCAN, routes.DYNAMIC_ROUTES.IDENTITY_DOCUMENT_EID_SCAN, routes.DYNAMIC_ROUTES.LIVENESS_CHECK, routes.DYNAMIC_ROUTES.VIDEO_CALL, routes.DYNAMIC_ROUTES.VERBAL_CONSENT]);
   const goToNextRoute = useCallback(() => {
     const currentTime = Date.now();
     const minTimeBetweenNavigation = 1000;
-    if (isNavigating || currentTime - lastNavigationTime < minTimeBetweenNavigation) {
+    if (navigationLock.isNavigating || currentTime - navigationLock.lastNavigationTime < minTimeBetweenNavigation) {
       return;
     }
-    isNavigating = true;
-    lastNavigationTime = currentTime;
+    navigationLock.isNavigating = true;
+    navigationLock.lastNavigationTime = currentTime;
     try {
       const nextRoute = getNextRoute(appContext.workflowSteps, appContext.currentWorkflowStep);
       navigation.dispatch(CommonActions.navigate({
@@ -88,15 +100,15 @@ const NavigationManager = /*#__PURE__*/forwardRef(({
         }
       }));
     } catch (error) {
-      isNavigating = false;
+      navigationLock.isNavigating = false;
       throw error;
     }
     setTimeout(() => {
-      isNavigating = false;
+      navigationLock.isNavigating = false;
     }, 1000);
   }, [getNextRoute, appContext.workflowSteps, appContext.currentWorkflowStep, navigation]);
   const goToNextRouteWithAlert = useCallback(() => {
-    if (isNavigating) {
+    if (navigationLock.isNavigating) {
       return;
     }
     Alert.alert(t('general.warning'), t('navigationManager.skipStepWarning'), [{
@@ -108,10 +120,10 @@ const NavigationManager = /*#__PURE__*/forwardRef(({
     }]);
   }, [goToNextRoute, t]);
   const reset = useCallback(() => {
-    if (isNavigating) {
+    if (navigationLock.isNavigating) {
       return;
     }
-    isNavigating = true;
+    navigationLock.isNavigating = true;
     try {
       // Preserve demo session state when resetting
       const wasDemoSession = appContext.isDemoSession;
@@ -124,8 +136,15 @@ const NavigationManager = /*#__PURE__*/forwardRef(({
           contractIds: [],
           deviceInfo: ''
         },
-        locale: appContext.locale || i18n.language
+        locale: appContext.locale || i18n.language,
+        // Explicitly reset collected data fields
+        scannedDocument: undefined,
+        livenessDetection: undefined,
+        authToken: undefined,
+        videoSessionId: undefined
       };
+
+      // Reset branding to defaults while preserving any custom values
       appContext.branding = {
         logoUrl: appContext.branding?.logoUrl || '',
         primaryColor: appContext.branding?.primaryColor || '#000000',
@@ -138,6 +157,7 @@ const NavigationManager = /*#__PURE__*/forwardRef(({
         appContext.setIsDemoSession?.(false);
         analyticsService.setDemoSession(false);
       }
+      appContext.isTestVideoSession = false;
       navigation.dispatch(CommonActions.reset({
         index: 0,
         routes: [{
@@ -145,17 +165,17 @@ const NavigationManager = /*#__PURE__*/forwardRef(({
         }]
       }));
     } catch (error) {
-      isNavigating = false;
+      navigationLock.isNavigating = false;
       throw error;
     }
     setTimeout(() => {
-      isNavigating = false;
+      navigationLock.isNavigating = false;
     }, 1000);
   }, [appContext, navigation, routes.VERIFICATION_SESSION_CHECK]);
   usePreventRemove(true, ({
     data
   }) => {
-    if (data.action.type === 'RESET') {
+    if (data?.action?.type === 'RESET') {
       navigation.dispatch(data.action);
     }
   });

package/lib/module/Shared/Contexts/AppContext.js

@@ -23,6 +23,7 @@ export default /*#__PURE__*/createContext({
   workflowSteps: [],
   currentWorkflowStep: undefined,
   isDebugNavigated: false,
+  isTestVideoSession: false,
   onCompleted: undefined,
   onError: undefined,
   setSessionId: undefined,

package/lib/module/Shared/EIDReader/aesSecureMessagingWrapper.js

@@ -0,0 +1,51 @@
+"use strict";
+
+import { SecureMessagingWrapper } from "./secureMessagingWrapper.js";
+import { Buffer } from 'buffer';
+import { aesEncryptCBC, aesDecryptCBC, aesEncryptECB, aesCMAC } from "./utils/aesCrypto.utils.js";
+
+/**
+ * AES-based secure messaging wrapper for PACE.
+ *
+ * Uses AES-CBC for encryption and AES-CMAC for MAC computation,
+ * as specified in ICAO Doc 9303 Part 11.
+ */
+export class AESSecureMessagingWrapper extends SecureMessagingWrapper {
+  constructor(ksEnc, ksMac, maxTransceiveLength, shouldCheckMAC, ssc) {
+    super(ksEnc, ksMac, maxTransceiveLength, shouldCheckMAC, ssc);
+  }
+  getType() {
+    return 'AES';
+  }
+  getPadLength() {
+    return 16;
+  }
+  getIV() {
+    // AES IV is E(ksEnc, SSC)
+    const sscHex = Buffer.from(this.getEncodedSendSequenceCounter()).toString('hex');
+    const ivHex = aesEncryptECB(sscHex, this.getEncryptionKey());
+    return Array.from(Buffer.from(ivHex, 'hex'));
+  }
+  encrypt(dataHex, keyHex) {
+    const ivHex = Buffer.from(this.getIV()).toString('hex');
+    return aesEncryptCBC(dataHex, keyHex, ivHex);
+  }
+  decrypt(dataHex, keyHex) {
+    const ivHex = Buffer.from(this.getIV()).toString('hex');
+    return aesDecryptCBC(dataHex, keyHex, ivHex);
+  }
+  computeMAC(dataHex, keyHex) {
+    return aesCMAC(dataHex, keyHex);
+  }
+  getEncodedSendSequenceCounter() {
+    // AES uses 16-byte SSC (128-bit counter)
+    const ssc = this.getSendSequenceCounter();
+    const bytes = new Uint8Array(16);
+    let remaining = ssc;
+    for (let i = 15; i >= 0; i--) {
+      bytes[i] = Number(remaining & 0xffn);
+      remaining >>= 8n;
+    }
+    return bytes;
+  }
+}

package/lib/module/Shared/EIDReader/apduLevelPACECapable.js

@@ -0,0 +1,3 @@
+"use strict";
+
+export {};

package/lib/module/Shared/EIDReader/bacKey.js

@@ -69,13 +69,27 @@ export class BACKey {
    */
   getKey() {
     try {
-      const mrz = this.documentNumber + MRZInfo.checkDigit(this.documentNumber, false) + this.dateOfBirth + MRZInfo.checkDigit(this.dateOfBirth, false) + this.dateOfExpiry + MRZInfo.checkDigit(this.dateOfExpiry, false);
-      return cryptoUtils.computeKeySeed(mrz, 'SHA-1', true);
+      return cryptoUtils.computeKeySeed(this.getMRZString(), 'SHA-1', true);
     } catch (gse) {
       throw new Error('Unexpected exception');
     }
   }
 
+  /**
+   * Returns the key seed for PACE, which is the full (non-truncated) SHA-1 hash
+   * of the MRZ info. PACE uses the full 20-byte hash unlike BAC which truncates to 16.
+   */
+  getKeySeedForPACE() {
+    try {
+      return cryptoUtils.computeKeySeed(this.getMRZString(), 'SHA-1', false);
+    } catch (gse) {
+      throw new Error('Unexpected exception');
+    }
+  }
+  getMRZString() {
+    return this.documentNumber + MRZInfo.checkDigit(this.documentNumber, false) + this.dateOfBirth + MRZInfo.checkDigit(this.dateOfBirth, false) + this.dateOfExpiry + MRZInfo.checkDigit(this.dateOfExpiry, false);
+  }
+
   /**
    * Sets the document number.
    *

package/lib/module/Shared/EIDReader/eidReader.js

@@ -1,35 +1,374 @@
 "use strict";
 
 import { BACKey } from "./bacKey.js";
+import { PACEKeySpec } from "./paceKeySpec.js";
 import { NFCManagerCardService } from "./nfcManagerCardService.js";
 import { EIDService } from "./eidService.js";
 import { DG1File } from "./lds/icao/dg1File.js";
 import { DG2File } from "./lds/icao/dg2File.js";
 import { Buffer } from 'buffer';
 import { InputStream } from "./java/inputStream.js";
+
+// --- Minimal PNG encoder (pure JS, no native deps) ---
+// Uses deflate stored (uncompressed) blocks for O(n) encoding speed.
+// A naive DCT-based JPEG encoder would be O(n²) and freeze the JS thread
+// on real passport photos (400×500+ pixels).
+
+/** Standard CRC32 lookup table */
+const CRC_TABLE = new Uint32Array(256);
+for (let n = 0; n < 256; n++) {
+  let c = n;
+  for (let k = 0; k < 8; k++) {
+    c = c & 1 ? 0xedb88320 ^ c >>> 1 : c >>> 1;
+  }
+  CRC_TABLE[n] = c;
+}
+function crc32(data) {
+  let crc = 0xffffffff;
+  for (let i = 0; i < data.length; i++) {
+    crc = CRC_TABLE[(crc ^ data[i]) & 0xff] ^ crc >>> 8;
+  }
+  return (crc ^ 0xffffffff) >>> 0;
+}
+function adler32(data) {
+  let a = 1;
+  let b = 0;
+  for (let i = 0; i < data.length; i++) {
+    a = (a + data[i]) % 65521;
+    b = (b + a) % 65521;
+  }
+  return (b << 16 | a) >>> 0;
+}
+function writeU32BE(arr, offset, val) {
+  arr[offset] = val >>> 24 & 0xff;
+  arr[offset + 1] = val >>> 16 & 0xff;
+  arr[offset + 2] = val >>> 8 & 0xff;
+  arr[offset + 3] = val & 0xff;
+}
+
+/**
+ * Encode raw RGB/RGBA pixels as an uncompressed PNG.
+ * Uses deflate stored blocks (no compression) for maximum compatibility.
+ */
+function pixelsToPng(pixels, width, height, channels) {
+  // Build raw scanlines: filter byte (0) + RGB data per row
+  const rawRowLen = 1 + width * 3; // filter byte + RGB
+  const rawData = new Uint8Array(rawRowLen * height);
+  for (let y = 0; y < height; y++) {
+    const rowOff = y * rawRowLen;
+    rawData[rowOff] = 0; // filter: None
+    for (let x = 0; x < width; x++) {
+      const srcIdx = (y * width + x) * channels;
+      const dstIdx = rowOff + 1 + x * 3;
+      rawData[dstIdx] = pixels[srcIdx]; // R
+      rawData[dstIdx + 1] = pixels[srcIdx + 1]; // G
+      rawData[dstIdx + 2] = pixels[srcIdx + 2]; // B
+    }
+  }
+
+  // Wrap raw data in zlib stored (uncompressed) format
+  const MAX_BLOCK = 65535;
+  const numBlocks = Math.ceil(rawData.length / MAX_BLOCK) || 1;
+  const zlibSize = 2 + rawData.length + numBlocks * 5 + 4;
+  const zlib = new Uint8Array(zlibSize);
+  let zOff = 0;
+  // zlib header: CMF=0x78 (deflate, 32K window), FLG=0x01 (check bits, no dict, level 0)
+  zlib[zOff++] = 0x78;
+  zlib[zOff++] = 0x01;
+  let remaining = rawData.length;
+  let srcOff = 0;
+  while (remaining > 0) {
+    const blockLen = Math.min(remaining, MAX_BLOCK);
+    const isFinal = remaining <= MAX_BLOCK ? 1 : 0;
+    zlib[zOff++] = isFinal; // BFINAL + BTYPE=00 (stored)
+    zlib[zOff++] = blockLen & 0xff;
+    zlib[zOff++] = blockLen >>> 8 & 0xff;
+    zlib[zOff++] = ~blockLen & 0xff;
+    zlib[zOff++] = ~blockLen >>> 8 & 0xff;
+    zlib.set(rawData.subarray(srcOff, srcOff + blockLen), zOff);
+    zOff += blockLen;
+    srcOff += blockLen;
+    remaining -= blockLen;
+  }
+  // Adler32 of uncompressed data
+  const adl = adler32(rawData);
+  writeU32BE(zlib, zOff, adl);
+  zOff += 4;
+  const zlibData = zlib.subarray(0, zOff);
+
+  // Build PNG chunks
+  const PNG_SIG = new Uint8Array([137, 80, 78, 71, 13, 10, 26, 10]);
+  function makeChunk(type, data) {
+    const chunk = new Uint8Array(4 + 4 + data.length + 4);
+    writeU32BE(chunk, 0, data.length);
+    chunk[4] = type.charCodeAt(0);
+    chunk[5] = type.charCodeAt(1);
+    chunk[6] = type.charCodeAt(2);
+    chunk[7] = type.charCodeAt(3);
+    chunk.set(data, 8);
+    const crcInput = chunk.subarray(4, 8 + data.length);
+    writeU32BE(chunk, 8 + data.length, crc32(crcInput));
+    return chunk;
+  }
+
+  // IHDR: width, height, bit depth 8, color type 2 (RGB)
+  const ihdrData = new Uint8Array(13);
+  writeU32BE(ihdrData, 0, width);
+  writeU32BE(ihdrData, 4, height);
+  ihdrData[8] = 8; // bit depth
+  ihdrData[9] = 2; // color type: RGB
+  ihdrData[10] = 0; // compression
+  ihdrData[11] = 0; // filter
+  ihdrData[12] = 0; // interlace
+
+  const ihdrChunk = makeChunk('IHDR', ihdrData);
+  const idatChunk = makeChunk('IDAT', zlibData);
+  const iendChunk = makeChunk('IEND', new Uint8Array(0));
+  const png = new Uint8Array(PNG_SIG.length + ihdrChunk.length + idatChunk.length + iendChunk.length);
+  let off = 0;
+  png.set(PNG_SIG, off);
+  off += PNG_SIG.length;
+  png.set(ihdrChunk, off);
+  off += ihdrChunk.length;
+  png.set(idatChunk, off);
+  off += idatChunk.length;
+  png.set(iendChunk, off);
+  return png;
+}
+
+/**
+ * If the image is JPEG 2000, decode and convert to PNG so React Native can display it.
+ * Returns { base64, mimeType } with the converted image, or the original if not JP2.
+ */
+function convertJP2IfNeeded(imageBuffer, mimeType) {
+  if (mimeType !== 'image/jp2') {
+    return {
+      base64: imageBuffer.toString('base64'),
+      mimeType
+    };
+  }
+  console.debug('[EID] Face image is JP2, attempting conversion…');
+  try {
+    // Lazy-load jpeg2000 to avoid crashing if it fails to import
+    const {
+      JpxImage
+    } = require('jpeg2000');
+    const jpx = new JpxImage();
+    jpx.parse(imageBuffer);
+    const tile = jpx.tiles[0];
+    console.debug(`[EID] JP2 decoded: ${tile.width}x${tile.height}, ${jpx.componentsCount} channels, ${tile.items.length} bytes`);
+    const pngBytes = pixelsToPng(tile.items, tile.width, tile.height, jpx.componentsCount);
+    const pngBase64 = Buffer.from(pngBytes).toString('base64');
+    console.debug(`[EID] Converted JP2 → PNG (${pngBytes.length} bytes, ${pngBase64.length} base64 chars)`);
+    return {
+      base64: pngBase64,
+      mimeType: 'image/png'
+    };
+  } catch (err) {
+    console.debug('[EID] JP2 conversion failed:', err);
+    return {
+      base64: imageBuffer.toString('base64'),
+      mimeType
+    };
+  }
+}
+
+/**
+ * Try to parse PACE OID and parameter ID from EF.CardAccess data.
+ * Returns null if no PACE info is found.
+ */
+function parsePACEInfoFromCardAccess(data) {
+  try {
+    // EF.CardAccess is a SET of SecurityInfo sequences (ASN.1 DER)
+    // Each SecurityInfo: SEQUENCE { OID, INTEGER (version), optional INTEGER (parameterId) }
+    let offset = 0;
+    if (data[offset] === 0x31) {
+      // SET tag
+      offset++;
+      const setLen = readASN1Length(data, offset);
+      offset = setLen.nextOffset;
+    }
+    while (offset < data.length) {
+      if (data[offset] !== 0x30) break; // SEQUENCE tag
+      offset++;
+      const seqLen = readASN1Length(data, offset);
+      const seqEnd = seqLen.nextOffset + seqLen.length;
+      offset = seqLen.nextOffset;
+
+      // Read OID
+      if (data[offset] !== 0x06) {
+        offset = seqEnd;
+        continue;
+      }
+      offset++;
+      const oidLen = readASN1Length(data, offset);
+      offset = oidLen.nextOffset;
+      const oidBytes = data.subarray(offset, offset + oidLen.length);
+      const oid = decodeOID(oidBytes);
+      offset += oidLen.length;
+
+      // Check if this is a PACE OID
+      if (oid.startsWith('0.4.0.127.0.7.2.2.4.')) {
+        // Read version (INTEGER)
+        let parameterId = 13; // default brainpoolP256r1
+        if (offset < seqEnd && data[offset] === 0x02) {
+          offset++;
+          const intLen = readASN1Length(data, offset);
+          offset = intLen.nextOffset + intLen.length;
+        }
+        // Read optional parameterId (INTEGER)
+        if (offset < seqEnd && data[offset] === 0x02) {
+          offset++;
+          const intLen = readASN1Length(data, offset);
+          offset = intLen.nextOffset;
+          parameterId = 0;
+          for (let i = 0; i < intLen.length; i++) {
+            parameterId = parameterId << 8 | data[offset + i];
+          }
+        }
+        return {
+          oid,
+          parameterId
+        };
+      }
+      offset = seqEnd;
+    }
+  } catch {
+    // Failed to parse, PACE not available
+  }
+  return null;
+}
+function readASN1Length(data, offset) {
+  const firstByte = data[offset];
+  if ((firstByte & 0x80) === 0) {
+    return {
+      length: firstByte,
+      nextOffset: offset + 1
+    };
+  }
+  const numBytes = firstByte & 0x7f;
+  let length = 0;
+  for (let i = 0; i < numBytes; i++) {
+    length = length << 8 | data[offset + 1 + i];
+  }
+  return {
+    length,
+    nextOffset: offset + 1 + numBytes
+  };
+}
+function decodeOID(bytes) {
+  const components = [];
+  components.push(Math.floor(bytes[0] / 40));
+  components.push(bytes[0] % 40);
+  let value = 0;
+  for (let i = 1; i < bytes.length; i++) {
+    value = value << 7 | bytes[i] & 0x7f;
+    if ((bytes[i] & 0x80) === 0) {
+      components.push(value);
+      value = 0;
+    }
+  }
+  return components.join('.');
+}
 const eidReader = async (documentNumber, dateOfBirth, dateOfExpiry, progressCallback) => {
   let progress = 0;
   const nfcManagerCardService = new NFCManagerCardService();
   const passportService = new EIDService(nfcManagerCardService, EIDService.NORMAL_MAX_TRANSCEIVE_LENGTH, EIDService.DEFAULT_MAX_BLOCKSIZE, false, true);
   try {
     await passportService.open();
+    progress = 1;
+    if (progressCallback) {
+      progressCallback(progress);
+    }
 
-    // Select Applet for MRTD
-    await passportService.sendSelectApplet(false);
-    progress = 10;
+    // Try to read EF.CardAccess before selecting applet to check for PACE.
+    // Explicitly SELECT MF first so the SFI=0x1C context is correct,
+    // regardless of which application the chip activates on power-on.
+    let hasPACESucceeded = false;
+    try {
+      await passportService.sendSelectMF();
+      console.debug('[EID] SELECT MF OK');
+    } catch (mfErr) {
+      const mfMsg = mfErr instanceof Error ? mfErr.message : String(mfErr);
+      console.debug(`[EID] SELECT MF failed (${mfMsg}), continuing with SFI read anyway`);
+    }
+    progress = 2;
     if (progressCallback) {
       progressCallback(progress);
     }
 
-    // Check if EF_COM is available
+    // Read EF.CardAccess — kept in a separate try/catch so we can distinguish
+    // "file read failure" from "PACE protocol failure" in the logs.
+    let cardAccessBuf = null;
     try {
-      const efComStream = passportService.getInputStream(EIDService.EF_COM);
-      await efComStream.init();
-      await efComStream.read();
-    } catch (error) {
-      // EF_COM not available -> try to do BAC
-      const bacKey = new BACKey(documentNumber, dateOfBirth, dateOfExpiry);
-      await passportService.doBAC(bacKey);
+      const cardAccessStream = passportService.getInputStream(EIDService.EF_CARD_ACCESS);
+      await cardAccessStream.init();
+      const cardAccessLen = cardAccessStream.getLength();
+      const buf = Buffer.alloc(cardAccessLen);
+      for (let i = 0; i < cardAccessLen; i++) {
+        buf[i] = await cardAccessStream.read();
+      }
+      cardAccessBuf = buf;
+      console.debug(`[EID] EF.CardAccess read OK: ${cardAccessLen} bytes = ${cardAccessBuf.toString('hex')}`);
+    } catch (readErr) {
+      const readMsg = readErr instanceof Error ? readErr.message : String(readErr);
+      console.debug(`[EID] EF.CardAccess read FAILED: ${readMsg} — falling back to BAC`);
+    }
+    progress = 3;
+    if (progressCallback) {
+      progressCallback(progress);
+    }
+
+    // If EF.CardAccess was read successfully, attempt PACE.
+    if (cardAccessBuf !== null) {
+      try {
+        const paceInfo = parsePACEInfoFromCardAccess(cardAccessBuf);
+        if (paceInfo) {
+          console.debug(`[EID] PACE available: oid=${paceInfo.oid} parameterId=${paceInfo.parameterId}`);
+          // PACE is available - derive key from MRZ and perform PACE
+          const bacKey = new BACKey(documentNumber, dateOfBirth, dateOfExpiry);
+          const paceKey = PACEKeySpec.createMRZKey(bacKey.getKeySeedForPACE());
+          progress = 4;
+          if (progressCallback) {
+            progressCallback(progress);
+          }
+          await passportService.doPACE(paceKey, paceInfo.oid, paceInfo.parameterId, progressCallback);
+          hasPACESucceeded = true;
+          console.debug('[EID] PACE succeeded');
+        } else {
+          console.debug('[EID] EF.CardAccess read OK but no PACE SecurityInfo found — document does not support PACE, falling back to BAC');
+        }
+      } catch (paceError) {
+        // PACE protocol exchange failed — fall back to BAC
+        const msg = paceError instanceof Error ? paceError.message : String(paceError);
+        console.debug(`[EID] PACE protocol failed (${msg}), falling back to BAC`);
+        if (paceError instanceof Error && paceError.stack) {
+          console.debug('[EID] PACE error stack:', paceError.stack);
+        }
+      }
+    }
+    progress = 9;
+    if (progressCallback) {
+      progressCallback(progress);
+    }
+
+    // Select Applet for MRTD
+    await passportService.sendSelectApplet(hasPACESucceeded);
+    progress = 10;
+    if (progressCallback) {
+      progressCallback(progress);
+    }
+    if (!hasPACESucceeded) {
+      // Check if EF_COM is available
+      try {
+        const efComStream = passportService.getInputStream(EIDService.EF_COM);
+        await efComStream.init();
+        await efComStream.read();
+      } catch (error) {
+        // EF_COM not available -> try to do BAC
+        const bacKey = new BACKey(documentNumber, dateOfBirth, dateOfExpiry);
+        await passportService.doBAC(bacKey);
+      }
     }
     progress = 20;
     if (progressCallback) {
@@ -69,8 +408,10 @@ const eidReader = async (documentNumber, dateOfBirth, dateOfExpiry, progressCall
       const imageInputStream = await faceImageInfo.getImageInputStream();
       const buffer = Buffer.alloc(imageLength);
       await imageInputStream.readBytesWithOffset(buffer, 0, imageLength);
-      imageAsBase64 = buffer.toString('base64');
-      mimeType = faceImageInfo.getMimeType();
+      const rawMimeType = faceImageInfo.getMimeType();
+      const converted = convertJP2IfNeeded(buffer, rawMimeType);
+      imageAsBase64 = converted.base64;
+      mimeType = converted.mimeType;
     }
     progress = 100;
     if (progressCallback) {

package/lib/module/Shared/EIDReader/eidService.js

@@ -6,6 +6,8 @@ import { DefaultFileSystem } from "./defaultFileSystem.js";
 import { BACAPDUSender } from "./protocol/bacAPDUSender.js";
 import { ReadBinaryAPDUSender } from "./protocol/readBinaryAPDUSender.js";
 import { BACProtocol } from "./protocol/bacProtocol.js";
+import { PACEAPDUSender } from "./protocol/paceAPDUSender.js";
+import { PACEProtocol } from "./protocol/paceProtocol.js";
 import { EID_CONSTANTS } from "./constants/eidConstants.js";
 export class EIDService extends AbstractMRTDCardService {
   /** Shared secret type for non-PACE key. */
@@ -175,7 +177,13 @@ export class EIDService extends AbstractMRTDCardService {
     this.shouldCheckMAC = shouldCheckMAC;
     this.isAppletSelected = false;
     this.isOpen = false;
-    this.rootFileSystem = new DefaultFileSystem(this.readBinarySender, false);
+    // EF.CardAccess and EF.CardSecurity live in the MF (Master File), outside
+    // the ICAO applet. They must be read via SFI-based READ BINARY (no SELECT
+    // needed). Without SFI, the implementation falls back to SELECT-by-FID
+    // which many passport chips reject at MF level before applet selection,
+    // causing PACE to be falsely reported as "not available".
+    const rootFidToSFI = new Map([[EID_CONSTANTS.EF_CARD_ACCESS, EID_CONSTANTS.SFI_CARD_ACCESS], [EID_CONSTANTS.EF_CARD_SECURITY, EID_CONSTANTS.SFI_CARD_SECURITY]]);
+    this.rootFileSystem = new DefaultFileSystem(this.readBinarySender, true, rootFidToSFI);
     this.appletFileSystem = new DefaultFileSystem(this.readBinarySender, isSFIEnabled);
   }
   async open() {
@@ -209,6 +217,22 @@ export class EIDService extends AbstractMRTDCardService {
     this.appletFileSystem.setWrapper(this.wrapper);
     return bacResult;
   }
+
+  /**
+   * Performs the PACE protocol.
+   *
+   * @param accessKey the access key (MRZ or CAN based)
+   * @param oid the PACE OID string from EF.CardAccess
+   * @param parameterId the standard domain parameter ID (e.g. 13 for brainpoolP256r1)
+   */
+  async doPACE(accessKey, oid, parameterId, progressCallback) {
+    const paceSender = new PACEAPDUSender(this.service);
+    const paceProtocol = new PACEProtocol(paceSender, this.wrapper, EIDService.NORMAL_MAX_TRANSCEIVE_LENGTH, this.maxTransceiveLengthForSecureMessaging, this.shouldCheckMAC);
+    const paceResult = await paceProtocol.doPACE(accessKey, oid, parameterId, progressCallback);
+    this.wrapper = paceResult.getWrapper();
+    this.appletFileSystem.setWrapper(this.wrapper);
+    return paceResult;
+  }
   async close() {
     try {
       await this.service.close();