The German BSI has released a new version 1.2 of TR-03105 Part 3.3 for eIDAS token. This test specification for chip assures conformity and interoperability of eIDAS token like eID cards or residence permits. TR-03105 Part 3.3 contains tests for protocols that are summarized under EACv2 and corresponding data groups.
In TR-03105 Part 3.3 Version 1.2 new test cases are added to verify and assure the correct handling of authorization extensions. Authorization extensions are specified in TR-03110 and they are a special type of certificate extensions. These extensions convey authorizations additional to those in the Certificate Holder Authorization Template (CHAT) contained in the certificate. Additionally, authorization extensions contain exactly one discretionary data object that encodes the relative authorization. The main changes of version 1.2 are:
- Test cases to verify correct handling of authorization extensions
- New certificates to perform test cases with authorization extensions
- The tests for command COMAPRE can now be performed in a more detailed way (see new table in ICS in annex A.1)
- A new test case to verify the TA migration according to the manufacturer’s implementation conformance statement where the AT trust point are replaced
- Some minor editorial changes and clarifications
Modified test cases in version 1.2
- EAC2_7816_L_36: Clarification in Purpose
- EAC2_7816_N_1: Clarification in purpose
- EAC2_7816_P_8: Added missing tag ‘7C’ in commands
- EAC2_ISO7816_P9: Removed tag ‘97’ that is not necessary in command RESET RETRY COUNTER (step 6)
- EAC2_7816_P_14: Added missing tag ‘7C’ in commands
- EAC2_7816_P_14: Added missing tag ‘7C’ in commands
- EAC2_7816_U_13: Expected results: Accept also a checking error in step 3 of preconditions
- EAC2_7816_U_14: Expected results: Accept also a checking error in step 3 of preconditions
- EAC2_DATA_B_11: Check a whitelist of SecurityInfos (PACEInfo, PACEDomainParameterInfo, PasswordInfo, ChipAuthenticationInfo, ChipAuthenticationDomainParameterInfo, PSAInfo, TerminalAuthenticationInfo, PSMInfo, CardInfo) and ignore PrivilegedTerminalInfos
- EAC2_DATA_C_12: Editorial correction in Test-ID
- EAC2_EIDDATA_B_6: Renamed data type ArtisticName by NomDePlume according to TR-03110
New test cases in version 1.2
- EAC2_7816_L_38: Positive test with a valid terminal authentication process. The DV certificate and the terminal certificate grant access to an eID access function that is reserved for future use (RFU).
- EAC2_7816_L_39: Positive test with a valid terminal authentication process. The DV certificate and the terminal certificate grant access to an eID special function that is reserved for future use (RFU).
- EAC2_7816_L_40: Positive test with a valid terminal authentication process. The DV certificate and the terminal certificate contain a certificate extension (authentication terminals) extended by two empty bytes. The authorization extension in both certificates are extended with leading ‘00 00’ (56 bit instead of 40 bit).
- EAC2_7816_L_41: Positive test with a valid terminal authentication process. The DV certificate and the terminal certificate contain a certificate extension (eID functions) extended by two empty bytes.
- EAC2_7816_L_42: Positive test with a valid terminal authentication process. The DV certificate and the terminal certificate contain a certificate extension (special functions) extended by two empty bytes.
- EAC2_7816_L_43: Positive test with a valid terminal authentication process. The DV certificate and the terminal certificate contain an unknown OID in CHA.
- EAC2_7816_L_44: Positive test with a valid terminal authentication process. The DV certificate and the terminal certificate contain an unknown authorization extension OID in for eID access.
- EAC2_7816_L_45: Positive test with a valid terminal authentication process. The DV certificate and the terminal certificate contain an unknown authorization extension OID in for special functions.
- EAC2_ISO7816_M_9: Positive test to verify that a link certificate can activate a feature of the eID card. In this test case the right to read DG1 is used to verify that the eID card supports activation of features by link certificates.
- EAC2_ISO7816_M_10: Positive test to verify that a link certificate can deactivate a feature of the eID card. In this test case the right to read DG1 is used to verify that the eID card supports deactivation of features by link certificates.
- EAC2_ISO7816_M_11: Positive test to verify that rights are granted by the last link certificate and not a combination of all rights in the whole certificate chain. In this test case the right to read DG1 is used.
- EAC2_ISO7816_M_12: Positive test to verify that a link certificate can activate a feature of the eID card. In this test case the right to compare DG8 is used to verify that the eID card supports activation of eID Access features by link certificates.
- EAC2_ISO7816_M_13: Positive test to verify that a link certificate can deactivate a feature of the eID card. In this test case the right to compare DG8 is used to verify that the eID card supports deactivation of eID Access features by link certificates.
- EAC2_ISO7816_M_14: Positive test to verify that eID Access rights are granted by the last link certificate and not a combination of all rights in the whole certificate chain. In this test case the right to compare DG8 is used.
- EAC2_7816_N_2: Positive test case to verify the TA mechanism migration according to the manufacturer’s implementation statement (replacement of the AT trust point)
As mentioned in my previous blog post describing latest version of TR-03105 Part 5.1, I’ve extended the focus of my blog from ePassports towards eID and eIDAS token. You can find a list of current test specifications here.