@trustchex/react-native-sdk 1.409.0 → 1.464.0

package/lib/module/Shared/EIDReader/aesSecureMessagingWrapper.js

@@ -0,0 +1,51 @@
+"use strict";
+
+import { SecureMessagingWrapper } from "./secureMessagingWrapper.js";
+import { Buffer } from 'buffer';
+import { aesEncryptCBC, aesDecryptCBC, aesEncryptECB, aesCMAC } from "./utils/aesCrypto.utils.js";
+
+/**
+ * AES-based secure messaging wrapper for PACE.
+ *
+ * Uses AES-CBC for encryption and AES-CMAC for MAC computation,
+ * as specified in ICAO Doc 9303 Part 11.
+ */
+export class AESSecureMessagingWrapper extends SecureMessagingWrapper {
+  constructor(ksEnc, ksMac, maxTransceiveLength, shouldCheckMAC, ssc) {
+    super(ksEnc, ksMac, maxTransceiveLength, shouldCheckMAC, ssc);
+  }
+  getType() {
+    return 'AES';
+  }
+  getPadLength() {
+    return 16;
+  }
+  getIV() {
+    // AES IV is E(ksEnc, SSC)
+    const sscHex = Buffer.from(this.getEncodedSendSequenceCounter()).toString('hex');
+    const ivHex = aesEncryptECB(sscHex, this.getEncryptionKey());
+    return Array.from(Buffer.from(ivHex, 'hex'));
+  }
+  encrypt(dataHex, keyHex) {
+    const ivHex = Buffer.from(this.getIV()).toString('hex');
+    return aesEncryptCBC(dataHex, keyHex, ivHex);
+  }
+  decrypt(dataHex, keyHex) {
+    const ivHex = Buffer.from(this.getIV()).toString('hex');
+    return aesDecryptCBC(dataHex, keyHex, ivHex);
+  }
+  computeMAC(dataHex, keyHex) {
+    return aesCMAC(dataHex, keyHex);
+  }
+  getEncodedSendSequenceCounter() {
+    // AES uses 16-byte SSC (128-bit counter)
+    const ssc = this.getSendSequenceCounter();
+    const bytes = new Uint8Array(16);
+    let remaining = ssc;
+    for (let i = 15; i >= 0; i--) {
+      bytes[i] = Number(remaining & 0xffn);
+      remaining >>= 8n;
+    }
+    return bytes;
+  }
+}

package/lib/module/Shared/EIDReader/apduLevelPACECapable.js

@@ -0,0 +1,3 @@
+"use strict";
+
+export {};

package/lib/module/Shared/EIDReader/bacKey.js

@@ -69,13 +69,27 @@ export class BACKey {
    */
   getKey() {
     try {
-      const mrz = this.documentNumber + MRZInfo.checkDigit(this.documentNumber, false) + this.dateOfBirth + MRZInfo.checkDigit(this.dateOfBirth, false) + this.dateOfExpiry + MRZInfo.checkDigit(this.dateOfExpiry, false);
-      return cryptoUtils.computeKeySeed(mrz, 'SHA-1', true);
+      return cryptoUtils.computeKeySeed(this.getMRZString(), 'SHA-1', true);
     } catch (gse) {
       throw new Error('Unexpected exception');
     }
   }
 
+  /**
+   * Returns the key seed for PACE, which is the full (non-truncated) SHA-1 hash
+   * of the MRZ info. PACE uses the full 20-byte hash unlike BAC which truncates to 16.
+   */
+  getKeySeedForPACE() {
+    try {
+      return cryptoUtils.computeKeySeed(this.getMRZString(), 'SHA-1', false);
+    } catch (gse) {
+      throw new Error('Unexpected exception');
+    }
+  }
+  getMRZString() {
+    return this.documentNumber + MRZInfo.checkDigit(this.documentNumber, false) + this.dateOfBirth + MRZInfo.checkDigit(this.dateOfBirth, false) + this.dateOfExpiry + MRZInfo.checkDigit(this.dateOfExpiry, false);
+  }
+
   /**
    * Sets the document number.
    *

package/lib/module/Shared/EIDReader/eidReader.js

@@ -1,35 +1,374 @@
 "use strict";
 
 import { BACKey } from "./bacKey.js";
+import { PACEKeySpec } from "./paceKeySpec.js";
 import { NFCManagerCardService } from "./nfcManagerCardService.js";
 import { EIDService } from "./eidService.js";
 import { DG1File } from "./lds/icao/dg1File.js";
 import { DG2File } from "./lds/icao/dg2File.js";
 import { Buffer } from 'buffer';
 import { InputStream } from "./java/inputStream.js";
+
+// --- Minimal PNG encoder (pure JS, no native deps) ---
+// Uses deflate stored (uncompressed) blocks for O(n) encoding speed.
+// A naive DCT-based JPEG encoder would be O(n²) and freeze the JS thread
+// on real passport photos (400×500+ pixels).
+
+/** Standard CRC32 lookup table */
+const CRC_TABLE = new Uint32Array(256);
+for (let n = 0; n < 256; n++) {
+  let c = n;
+  for (let k = 0; k < 8; k++) {
+    c = c & 1 ? 0xedb88320 ^ c >>> 1 : c >>> 1;
+  }
+  CRC_TABLE[n] = c;
+}
+function crc32(data) {
+  let crc = 0xffffffff;
+  for (let i = 0; i < data.length; i++) {
+    crc = CRC_TABLE[(crc ^ data[i]) & 0xff] ^ crc >>> 8;
+  }
+  return (crc ^ 0xffffffff) >>> 0;
+}
+function adler32(data) {
+  let a = 1;
+  let b = 0;
+  for (let i = 0; i < data.length; i++) {
+    a = (a + data[i]) % 65521;
+    b = (b + a) % 65521;
+  }
+  return (b << 16 | a) >>> 0;
+}
+function writeU32BE(arr, offset, val) {
+  arr[offset] = val >>> 24 & 0xff;
+  arr[offset + 1] = val >>> 16 & 0xff;
+  arr[offset + 2] = val >>> 8 & 0xff;
+  arr[offset + 3] = val & 0xff;
+}
+
+/**
+ * Encode raw RGB/RGBA pixels as an uncompressed PNG.
+ * Uses deflate stored blocks (no compression) for maximum compatibility.
+ */
+function pixelsToPng(pixels, width, height, channels) {
+  // Build raw scanlines: filter byte (0) + RGB data per row
+  const rawRowLen = 1 + width * 3; // filter byte + RGB
+  const rawData = new Uint8Array(rawRowLen * height);
+  for (let y = 0; y < height; y++) {
+    const rowOff = y * rawRowLen;
+    rawData[rowOff] = 0; // filter: None
+    for (let x = 0; x < width; x++) {
+      const srcIdx = (y * width + x) * channels;
+      const dstIdx = rowOff + 1 + x * 3;
+      rawData[dstIdx] = pixels[srcIdx]; // R
+      rawData[dstIdx + 1] = pixels[srcIdx + 1]; // G
+      rawData[dstIdx + 2] = pixels[srcIdx + 2]; // B
+    }
+  }
+
+  // Wrap raw data in zlib stored (uncompressed) format
+  const MAX_BLOCK = 65535;
+  const numBlocks = Math.ceil(rawData.length / MAX_BLOCK) || 1;
+  const zlibSize = 2 + rawData.length + numBlocks * 5 + 4;
+  const zlib = new Uint8Array(zlibSize);
+  let zOff = 0;
+  // zlib header: CMF=0x78 (deflate, 32K window), FLG=0x01 (check bits, no dict, level 0)
+  zlib[zOff++] = 0x78;
+  zlib[zOff++] = 0x01;
+  let remaining = rawData.length;
+  let srcOff = 0;
+  while (remaining > 0) {
+    const blockLen = Math.min(remaining, MAX_BLOCK);
+    const isFinal = remaining <= MAX_BLOCK ? 1 : 0;
+    zlib[zOff++] = isFinal; // BFINAL + BTYPE=00 (stored)
+    zlib[zOff++] = blockLen & 0xff;
+    zlib[zOff++] = blockLen >>> 8 & 0xff;
+    zlib[zOff++] = ~blockLen & 0xff;
+    zlib[zOff++] = ~blockLen >>> 8 & 0xff;
+    zlib.set(rawData.subarray(srcOff, srcOff + blockLen), zOff);
+    zOff += blockLen;
+    srcOff += blockLen;
+    remaining -= blockLen;
+  }
+  // Adler32 of uncompressed data
+  const adl = adler32(rawData);
+  writeU32BE(zlib, zOff, adl);
+  zOff += 4;
+  const zlibData = zlib.subarray(0, zOff);
+
+  // Build PNG chunks
+  const PNG_SIG = new Uint8Array([137, 80, 78, 71, 13, 10, 26, 10]);
+  function makeChunk(type, data) {
+    const chunk = new Uint8Array(4 + 4 + data.length + 4);
+    writeU32BE(chunk, 0, data.length);
+    chunk[4] = type.charCodeAt(0);
+    chunk[5] = type.charCodeAt(1);
+    chunk[6] = type.charCodeAt(2);
+    chunk[7] = type.charCodeAt(3);
+    chunk.set(data, 8);
+    const crcInput = chunk.subarray(4, 8 + data.length);
+    writeU32BE(chunk, 8 + data.length, crc32(crcInput));
+    return chunk;
+  }
+
+  // IHDR: width, height, bit depth 8, color type 2 (RGB)
+  const ihdrData = new Uint8Array(13);
+  writeU32BE(ihdrData, 0, width);
+  writeU32BE(ihdrData, 4, height);
+  ihdrData[8] = 8; // bit depth
+  ihdrData[9] = 2; // color type: RGB
+  ihdrData[10] = 0; // compression
+  ihdrData[11] = 0; // filter
+  ihdrData[12] = 0; // interlace
+
+  const ihdrChunk = makeChunk('IHDR', ihdrData);
+  const idatChunk = makeChunk('IDAT', zlibData);
+  const iendChunk = makeChunk('IEND', new Uint8Array(0));
+  const png = new Uint8Array(PNG_SIG.length + ihdrChunk.length + idatChunk.length + iendChunk.length);
+  let off = 0;
+  png.set(PNG_SIG, off);
+  off += PNG_SIG.length;
+  png.set(ihdrChunk, off);
+  off += ihdrChunk.length;
+  png.set(idatChunk, off);
+  off += idatChunk.length;
+  png.set(iendChunk, off);
+  return png;
+}
+
+/**
+ * If the image is JPEG 2000, decode and convert to PNG so React Native can display it.
+ * Returns { base64, mimeType } with the converted image, or the original if not JP2.
+ */
+function convertJP2IfNeeded(imageBuffer, mimeType) {
+  if (mimeType !== 'image/jp2') {
+    return {
+      base64: imageBuffer.toString('base64'),
+      mimeType
+    };
+  }
+  console.debug('[EID] Face image is JP2, attempting conversion…');
+  try {
+    // Lazy-load jpeg2000 to avoid crashing if it fails to import
+    const {
+      JpxImage
+    } = require('jpeg2000');
+    const jpx = new JpxImage();
+    jpx.parse(imageBuffer);
+    const tile = jpx.tiles[0];
+    console.debug(`[EID] JP2 decoded: ${tile.width}x${tile.height}, ${jpx.componentsCount} channels, ${tile.items.length} bytes`);
+    const pngBytes = pixelsToPng(tile.items, tile.width, tile.height, jpx.componentsCount);
+    const pngBase64 = Buffer.from(pngBytes).toString('base64');
+    console.debug(`[EID] Converted JP2 → PNG (${pngBytes.length} bytes, ${pngBase64.length} base64 chars)`);
+    return {
+      base64: pngBase64,
+      mimeType: 'image/png'
+    };
+  } catch (err) {
+    console.debug('[EID] JP2 conversion failed:', err);
+    return {
+      base64: imageBuffer.toString('base64'),
+      mimeType
+    };
+  }
+}
+
+/**
+ * Try to parse PACE OID and parameter ID from EF.CardAccess data.
+ * Returns null if no PACE info is found.
+ */
+function parsePACEInfoFromCardAccess(data) {
+  try {
+    // EF.CardAccess is a SET of SecurityInfo sequences (ASN.1 DER)
+    // Each SecurityInfo: SEQUENCE { OID, INTEGER (version), optional INTEGER (parameterId) }
+    let offset = 0;
+    if (data[offset] === 0x31) {
+      // SET tag
+      offset++;
+      const setLen = readASN1Length(data, offset);
+      offset = setLen.nextOffset;
+    }
+    while (offset < data.length) {
+      if (data[offset] !== 0x30) break; // SEQUENCE tag
+      offset++;
+      const seqLen = readASN1Length(data, offset);
+      const seqEnd = seqLen.nextOffset + seqLen.length;
+      offset = seqLen.nextOffset;
+
+      // Read OID
+      if (data[offset] !== 0x06) {
+        offset = seqEnd;
+        continue;
+      }
+      offset++;
+      const oidLen = readASN1Length(data, offset);
+      offset = oidLen.nextOffset;
+      const oidBytes = data.subarray(offset, offset + oidLen.length);
+      const oid = decodeOID(oidBytes);
+      offset += oidLen.length;
+
+      // Check if this is a PACE OID
+      if (oid.startsWith('0.4.0.127.0.7.2.2.4.')) {
+        // Read version (INTEGER)
+        let parameterId = 13; // default brainpoolP256r1
+        if (offset < seqEnd && data[offset] === 0x02) {
+          offset++;
+          const intLen = readASN1Length(data, offset);
+          offset = intLen.nextOffset + intLen.length;
+        }
+        // Read optional parameterId (INTEGER)
+        if (offset < seqEnd && data[offset] === 0x02) {
+          offset++;
+          const intLen = readASN1Length(data, offset);
+          offset = intLen.nextOffset;
+          parameterId = 0;
+          for (let i = 0; i < intLen.length; i++) {
+            parameterId = parameterId << 8 | data[offset + i];
+          }
+        }
+        return {
+          oid,
+          parameterId
+        };
+      }
+      offset = seqEnd;
+    }
+  } catch {
+    // Failed to parse, PACE not available
+  }
+  return null;
+}
+function readASN1Length(data, offset) {
+  const firstByte = data[offset];
+  if ((firstByte & 0x80) === 0) {
+    return {
+      length: firstByte,
+      nextOffset: offset + 1
+    };
+  }
+  const numBytes = firstByte & 0x7f;
+  let length = 0;
+  for (let i = 0; i < numBytes; i++) {
+    length = length << 8 | data[offset + 1 + i];
+  }
+  return {
+    length,
+    nextOffset: offset + 1 + numBytes
+  };
+}
+function decodeOID(bytes) {
+  const components = [];
+  components.push(Math.floor(bytes[0] / 40));
+  components.push(bytes[0] % 40);
+  let value = 0;
+  for (let i = 1; i < bytes.length; i++) {
+    value = value << 7 | bytes[i] & 0x7f;
+    if ((bytes[i] & 0x80) === 0) {
+      components.push(value);
+      value = 0;
+    }
+  }
+  return components.join('.');
+}
 const eidReader = async (documentNumber, dateOfBirth, dateOfExpiry, progressCallback) => {
   let progress = 0;
   const nfcManagerCardService = new NFCManagerCardService();
   const passportService = new EIDService(nfcManagerCardService, EIDService.NORMAL_MAX_TRANSCEIVE_LENGTH, EIDService.DEFAULT_MAX_BLOCKSIZE, false, true);
   try {
     await passportService.open();
+    progress = 1;
+    if (progressCallback) {
+      progressCallback(progress);
+    }
 
-    // Select Applet for MRTD
-    await passportService.sendSelectApplet(false);
-    progress = 10;
+    // Try to read EF.CardAccess before selecting applet to check for PACE.
+    // Explicitly SELECT MF first so the SFI=0x1C context is correct,
+    // regardless of which application the chip activates on power-on.
+    let hasPACESucceeded = false;
+    try {
+      await passportService.sendSelectMF();
+      console.debug('[EID] SELECT MF OK');
+    } catch (mfErr) {
+      const mfMsg = mfErr instanceof Error ? mfErr.message : String(mfErr);
+      console.debug(`[EID] SELECT MF failed (${mfMsg}), continuing with SFI read anyway`);
+    }
+    progress = 2;
     if (progressCallback) {
       progressCallback(progress);
     }
 
-    // Check if EF_COM is available
+    // Read EF.CardAccess — kept in a separate try/catch so we can distinguish
+    // "file read failure" from "PACE protocol failure" in the logs.
+    let cardAccessBuf = null;
     try {
-      const efComStream = passportService.getInputStream(EIDService.EF_COM);
-      await efComStream.init();
-      await efComStream.read();
-    } catch (error) {
-      // EF_COM not available -> try to do BAC
-      const bacKey = new BACKey(documentNumber, dateOfBirth, dateOfExpiry);
-      await passportService.doBAC(bacKey);
+      const cardAccessStream = passportService.getInputStream(EIDService.EF_CARD_ACCESS);
+      await cardAccessStream.init();
+      const cardAccessLen = cardAccessStream.getLength();
+      const buf = Buffer.alloc(cardAccessLen);
+      for (let i = 0; i < cardAccessLen; i++) {
+        buf[i] = await cardAccessStream.read();
+      }
+      cardAccessBuf = buf;
+      console.debug(`[EID] EF.CardAccess read OK: ${cardAccessLen} bytes = ${cardAccessBuf.toString('hex')}`);
+    } catch (readErr) {
+      const readMsg = readErr instanceof Error ? readErr.message : String(readErr);
+      console.debug(`[EID] EF.CardAccess read FAILED: ${readMsg} — falling back to BAC`);
+    }
+    progress = 3;
+    if (progressCallback) {
+      progressCallback(progress);
+    }
+
+    // If EF.CardAccess was read successfully, attempt PACE.
+    if (cardAccessBuf !== null) {
+      try {
+        const paceInfo = parsePACEInfoFromCardAccess(cardAccessBuf);
+        if (paceInfo) {
+          console.debug(`[EID] PACE available: oid=${paceInfo.oid} parameterId=${paceInfo.parameterId}`);
+          // PACE is available - derive key from MRZ and perform PACE
+          const bacKey = new BACKey(documentNumber, dateOfBirth, dateOfExpiry);
+          const paceKey = PACEKeySpec.createMRZKey(bacKey.getKeySeedForPACE());
+          progress = 4;
+          if (progressCallback) {
+            progressCallback(progress);
+          }
+          await passportService.doPACE(paceKey, paceInfo.oid, paceInfo.parameterId, progressCallback);
+          hasPACESucceeded = true;
+          console.debug('[EID] PACE succeeded');
+        } else {
+          console.debug('[EID] EF.CardAccess read OK but no PACE SecurityInfo found — document does not support PACE, falling back to BAC');
+        }
+      } catch (paceError) {
+        // PACE protocol exchange failed — fall back to BAC
+        const msg = paceError instanceof Error ? paceError.message : String(paceError);
+        console.debug(`[EID] PACE protocol failed (${msg}), falling back to BAC`);
+        if (paceError instanceof Error && paceError.stack) {
+          console.debug('[EID] PACE error stack:', paceError.stack);
+        }
+      }
+    }
+    progress = 9;
+    if (progressCallback) {
+      progressCallback(progress);
+    }
+
+    // Select Applet for MRTD
+    await passportService.sendSelectApplet(hasPACESucceeded);
+    progress = 10;
+    if (progressCallback) {
+      progressCallback(progress);
+    }
+    if (!hasPACESucceeded) {
+      // Check if EF_COM is available
+      try {
+        const efComStream = passportService.getInputStream(EIDService.EF_COM);
+        await efComStream.init();
+        await efComStream.read();
+      } catch (error) {
+        // EF_COM not available -> try to do BAC
+        const bacKey = new BACKey(documentNumber, dateOfBirth, dateOfExpiry);
+        await passportService.doBAC(bacKey);
+      }
     }
     progress = 20;
     if (progressCallback) {
@@ -69,8 +408,10 @@ const eidReader = async (documentNumber, dateOfBirth, dateOfExpiry, progressCall
       const imageInputStream = await faceImageInfo.getImageInputStream();
       const buffer = Buffer.alloc(imageLength);
       await imageInputStream.readBytesWithOffset(buffer, 0, imageLength);
-      imageAsBase64 = buffer.toString('base64');
-      mimeType = faceImageInfo.getMimeType();
+      const rawMimeType = faceImageInfo.getMimeType();
+      const converted = convertJP2IfNeeded(buffer, rawMimeType);
+      imageAsBase64 = converted.base64;
+      mimeType = converted.mimeType;
     }
     progress = 100;
     if (progressCallback) {

package/lib/module/Shared/EIDReader/eidService.js

@@ -6,6 +6,8 @@ import { DefaultFileSystem } from "./defaultFileSystem.js";
 import { BACAPDUSender } from "./protocol/bacAPDUSender.js";
 import { ReadBinaryAPDUSender } from "./protocol/readBinaryAPDUSender.js";
 import { BACProtocol } from "./protocol/bacProtocol.js";
+import { PACEAPDUSender } from "./protocol/paceAPDUSender.js";
+import { PACEProtocol } from "./protocol/paceProtocol.js";
 import { EID_CONSTANTS } from "./constants/eidConstants.js";
 export class EIDService extends AbstractMRTDCardService {
   /** Shared secret type for non-PACE key. */
@@ -175,7 +177,13 @@ export class EIDService extends AbstractMRTDCardService {
     this.shouldCheckMAC = shouldCheckMAC;
     this.isAppletSelected = false;
     this.isOpen = false;
-    this.rootFileSystem = new DefaultFileSystem(this.readBinarySender, false);
+    // EF.CardAccess and EF.CardSecurity live in the MF (Master File), outside
+    // the ICAO applet. They must be read via SFI-based READ BINARY (no SELECT
+    // needed). Without SFI, the implementation falls back to SELECT-by-FID
+    // which many passport chips reject at MF level before applet selection,
+    // causing PACE to be falsely reported as "not available".
+    const rootFidToSFI = new Map([[EID_CONSTANTS.EF_CARD_ACCESS, EID_CONSTANTS.SFI_CARD_ACCESS], [EID_CONSTANTS.EF_CARD_SECURITY, EID_CONSTANTS.SFI_CARD_SECURITY]]);
+    this.rootFileSystem = new DefaultFileSystem(this.readBinarySender, true, rootFidToSFI);
     this.appletFileSystem = new DefaultFileSystem(this.readBinarySender, isSFIEnabled);
   }
   async open() {
@@ -209,6 +217,22 @@ export class EIDService extends AbstractMRTDCardService {
     this.appletFileSystem.setWrapper(this.wrapper);
     return bacResult;
   }
+
+  /**
+   * Performs the PACE protocol.
+   *
+   * @param accessKey the access key (MRZ or CAN based)
+   * @param oid the PACE OID string from EF.CardAccess
+   * @param parameterId the standard domain parameter ID (e.g. 13 for brainpoolP256r1)
+   */
+  async doPACE(accessKey, oid, parameterId, progressCallback) {
+    const paceSender = new PACEAPDUSender(this.service);
+    const paceProtocol = new PACEProtocol(paceSender, this.wrapper, EIDService.NORMAL_MAX_TRANSCEIVE_LENGTH, this.maxTransceiveLengthForSecureMessaging, this.shouldCheckMAC);
+    const paceResult = await paceProtocol.doPACE(accessKey, oid, parameterId, progressCallback);
+    this.wrapper = paceResult.getWrapper();
+    this.appletFileSystem.setWrapper(this.wrapper);
+    return paceResult;
+  }
   async close() {
     try {
       await this.service.close();

package/lib/module/Shared/EIDReader/nfcManagerCardService.js

@@ -9,17 +9,16 @@ export class NFCManagerCardService extends CardService {
   async open() {
     await NFCManager.start();
     await NFCManager.requestTechnology([NfcTech.IsoDep, NfcTech.NfcA, NfcTech.NfcB]);
-    // await NFCManager.setTimeout(5000);
+    // Increase transceive timeout for slow curves (e.g. brainpoolP512r1 ECDH on passport chip)
+    if (Platform.OS === 'android') {
+      await NFCManager.setTimeout(10000);
+    }
     this.isOpened = true;
   }
   getIsOpen() {
     return this.isOpened;
   }
   async transmit(commandAPDU) {
-    // console.debug(
-    //   `T[${ISO7816_INS[commandAPDU.getINS()]}]:`,
-    //   Buffer.from(commandAPDU.getBytes()).toString('hex').toUpperCase(),
-    // );
     let response;
     if (Platform.OS === 'ios') {
       const iosResponse = await NFCManager.sendCommandAPDUIOS(Array.from(commandAPDU.getBytes()));
@@ -27,8 +26,6 @@ export class NFCManagerCardService extends CardService {
     } else {
       response = await NFCManager.transceive(Array.from(commandAPDU.getBytes()));
     }
-    // console.debug('R:', Buffer.from(response).toString('hex').toUpperCase());
-
     return new ResponseAPDU(response);
   }
   getATR() {

package/lib/module/Shared/EIDReader/paceInfo.js

@@ -0,0 +1,85 @@
+"use strict";
+
+/**
+ * PACE (Password Authenticated Connection Establishment) protocol info.
+ * Parses PACE OIDs to extract mapping type, cipher, digest, key agreement algorithm, and key length.
+ *
+ * Based on ICAO Doc 9303 Part 11 and BSI TR-03110.
+ */
+
+export let MappingType = /*#__PURE__*/function (MappingType) {
+  MappingType["GM"] = "GM";
+  MappingType["IM"] = "IM";
+  MappingType["CAM"] = "CAM";
+  return MappingType;
+}({});
+
+// PACE OID constants (BSI TR-03110 / ICAO 9303)
+export const ID_PACE = '0.4.0.127.0.7.2.2.4';
+export const ID_PACE_DH_GM = '0.4.0.127.0.7.2.2.4.1';
+export const ID_PACE_DH_GM_3DES_CBC_CBC = '0.4.0.127.0.7.2.2.4.1.1';
+export const ID_PACE_DH_GM_AES_CBC_CMAC_128 = '0.4.0.127.0.7.2.2.4.1.2';
+export const ID_PACE_DH_GM_AES_CBC_CMAC_192 = '0.4.0.127.0.7.2.2.4.1.3';
+export const ID_PACE_DH_GM_AES_CBC_CMAC_256 = '0.4.0.127.0.7.2.2.4.1.4';
+export const ID_PACE_ECDH_GM = '0.4.0.127.0.7.2.2.4.2';
+export const ID_PACE_ECDH_GM_3DES_CBC_CBC = '0.4.0.127.0.7.2.2.4.2.1';
+export const ID_PACE_ECDH_GM_AES_CBC_CMAC_128 = '0.4.0.127.0.7.2.2.4.2.2';
+export const ID_PACE_ECDH_GM_AES_CBC_CMAC_192 = '0.4.0.127.0.7.2.2.4.2.3';
+export const ID_PACE_ECDH_GM_AES_CBC_CMAC_256 = '0.4.0.127.0.7.2.2.4.2.4';
+export const ID_PACE_DH_IM = '0.4.0.127.0.7.2.2.4.3';
+export const ID_PACE_DH_IM_3DES_CBC_CBC = '0.4.0.127.0.7.2.2.4.3.1';
+export const ID_PACE_DH_IM_AES_CBC_CMAC_128 = '0.4.0.127.0.7.2.2.4.3.2';
+export const ID_PACE_DH_IM_AES_CBC_CMAC_192 = '0.4.0.127.0.7.2.2.4.3.3';
+export const ID_PACE_DH_IM_AES_CBC_CMAC_256 = '0.4.0.127.0.7.2.2.4.3.4';
+export const ID_PACE_ECDH_IM = '0.4.0.127.0.7.2.2.4.4';
+export const ID_PACE_ECDH_IM_3DES_CBC_CBC = '0.4.0.127.0.7.2.2.4.4.1';
+export const ID_PACE_ECDH_IM_AES_CBC_CMAC_128 = '0.4.0.127.0.7.2.2.4.4.2';
+export const ID_PACE_ECDH_IM_AES_CBC_CMAC_192 = '0.4.0.127.0.7.2.2.4.4.3';
+export const ID_PACE_ECDH_IM_AES_CBC_CMAC_256 = '0.4.0.127.0.7.2.2.4.4.4';
+export const ID_PACE_ECDH_CAM = '0.4.0.127.0.7.2.2.4.6';
+export const ID_PACE_ECDH_CAM_AES_CBC_CMAC_128 = '0.4.0.127.0.7.2.2.4.6.2';
+export const ID_PACE_ECDH_CAM_AES_CBC_CMAC_192 = '0.4.0.127.0.7.2.2.4.6.3';
+export const ID_PACE_ECDH_CAM_AES_CBC_CMAC_256 = '0.4.0.127.0.7.2.2.4.6.4';
+
+// Standard domain parameter identifiers
+export const PARAM_ID_ECP_NIST_P256_R1 = 12;
+export const PARAM_ID_ECP_BRAINPOOL_P256_R1 = 13;
+export const PARAM_ID_ECP_BRAINPOOL_P384_R1 = 16;
+export const PARAM_ID_ECP_BRAINPOOL_P512_R1 = 17;
+export const PARAM_ID_ECP_NIST_P384_R1 = 15;
+export const PARAM_ID_ECP_NIST_P521_R1 = 18;
+const GM_OIDS = new Set([ID_PACE_DH_GM_3DES_CBC_CBC, ID_PACE_DH_GM_AES_CBC_CMAC_128, ID_PACE_DH_GM_AES_CBC_CMAC_192, ID_PACE_DH_GM_AES_CBC_CMAC_256, ID_PACE_ECDH_GM_3DES_CBC_CBC, ID_PACE_ECDH_GM_AES_CBC_CMAC_128, ID_PACE_ECDH_GM_AES_CBC_CMAC_192, ID_PACE_ECDH_GM_AES_CBC_CMAC_256]);
+const IM_OIDS = new Set([ID_PACE_DH_IM_3DES_CBC_CBC, ID_PACE_DH_IM_AES_CBC_CMAC_128, ID_PACE_DH_IM_AES_CBC_CMAC_192, ID_PACE_DH_IM_AES_CBC_CMAC_256, ID_PACE_ECDH_IM_3DES_CBC_CBC, ID_PACE_ECDH_IM_AES_CBC_CMAC_128, ID_PACE_ECDH_IM_AES_CBC_CMAC_192, ID_PACE_ECDH_IM_AES_CBC_CMAC_256]);
+const CAM_OIDS = new Set([ID_PACE_ECDH_CAM_AES_CBC_CMAC_128, ID_PACE_ECDH_CAM_AES_CBC_CMAC_192, ID_PACE_ECDH_CAM_AES_CBC_CMAC_256]);
+const DH_OIDS = new Set([ID_PACE_DH_GM_3DES_CBC_CBC, ID_PACE_DH_GM_AES_CBC_CMAC_128, ID_PACE_DH_GM_AES_CBC_CMAC_192, ID_PACE_DH_GM_AES_CBC_CMAC_256, ID_PACE_DH_IM_3DES_CBC_CBC, ID_PACE_DH_IM_AES_CBC_CMAC_128, ID_PACE_DH_IM_AES_CBC_CMAC_192, ID_PACE_DH_IM_AES_CBC_CMAC_256]);
+const DES_OIDS = new Set([ID_PACE_DH_GM_3DES_CBC_CBC, ID_PACE_DH_IM_3DES_CBC_CBC, ID_PACE_ECDH_GM_3DES_CBC_CBC, ID_PACE_ECDH_IM_3DES_CBC_CBC]);
+const KEY_128_OIDS = new Set([ID_PACE_DH_GM_3DES_CBC_CBC, ID_PACE_DH_IM_3DES_CBC_CBC, ID_PACE_ECDH_GM_3DES_CBC_CBC, ID_PACE_ECDH_IM_3DES_CBC_CBC, ID_PACE_DH_GM_AES_CBC_CMAC_128, ID_PACE_DH_IM_AES_CBC_CMAC_128, ID_PACE_ECDH_GM_AES_CBC_CMAC_128, ID_PACE_ECDH_IM_AES_CBC_CMAC_128, ID_PACE_ECDH_CAM_AES_CBC_CMAC_128]);
+const KEY_192_OIDS = new Set([ID_PACE_DH_GM_AES_CBC_CMAC_192, ID_PACE_DH_IM_AES_CBC_CMAC_192, ID_PACE_ECDH_GM_AES_CBC_CMAC_192, ID_PACE_ECDH_IM_AES_CBC_CMAC_192, ID_PACE_ECDH_CAM_AES_CBC_CMAC_192]);
+const KEY_256_OIDS = new Set([ID_PACE_DH_GM_AES_CBC_CMAC_256, ID_PACE_DH_IM_AES_CBC_CMAC_256, ID_PACE_ECDH_GM_AES_CBC_CMAC_256, ID_PACE_ECDH_IM_AES_CBC_CMAC_256, ID_PACE_ECDH_CAM_AES_CBC_CMAC_256]);
+const SHA256_OIDS = new Set([...KEY_192_OIDS, ...KEY_256_OIDS]);
+export class PACEInfo {
+  static toMappingType(oid) {
+    if (GM_OIDS.has(oid)) return MappingType.GM;
+    if (IM_OIDS.has(oid)) return MappingType.IM;
+    if (CAM_OIDS.has(oid)) return MappingType.CAM;
+    throw new Error(`Unknown PACE OID: ${oid}`);
+  }
+  static toKeyAgreementAlgorithm(oid) {
+    if (DH_OIDS.has(oid)) return 'DH';
+    return 'ECDH';
+  }
+  static toCipherAlgorithm(oid) {
+    if (DES_OIDS.has(oid)) return 'DESede';
+    return 'AES';
+  }
+  static toDigestAlgorithm(oid) {
+    if (SHA256_OIDS.has(oid)) return 'SHA-256';
+    return 'SHA-1';
+  }
+  static toKeyLength(oid) {
+    if (KEY_128_OIDS.has(oid)) return 128;
+    if (KEY_192_OIDS.has(oid)) return 192;
+    if (KEY_256_OIDS.has(oid)) return 256;
+    throw new Error(`Unknown PACE OID: ${oid}`);
+  }
+}