Type: New Feature
Affects Version/s: None
Fix Version/s: EJBCA 6.1.0
Currently the EAC 1.11 (Tech_docs/Standarder/Passport/EAC 1.11.pdf) specification, as implemented in cert-cvc.jar, protects DG3 and DG4 for extended access control.
The access is encoded in the certificate as an AuthorizationField that specifies Role and access rights.
In the current version of cert-cvc it is only possible to specify the enums DG3, DG4, or DG3 and DG4 (AccessRightEnum).
EAC 2.10 (Tech_docs/Standarder/Passport/TR-03110_v2.1*.pdf) specifies additional DGs that can "optionally" be protected. There is some sort of byte field determining the access control bits.
- Extend cert-cvc to be able to encode access control bits for the extra DGs.
- Extend the EJBCA Certificate Profiles in Admin GUI to handle extra DGs.
Hopefully this field is compatible between EAC 1.11 and 2.10, since we still need to create 1.11 CVC certificates for EAC ePassports.
There are some sample EAC 2.10 certificates available in Tech_docs/Standarder/Passport/BSI_EAC-2.1-Worked-Example.zip.
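
The one-byte authorization field described above for EAC 1.11, built and parsed as a TLV template. This is an added example, not cert-cvc code. It assumes the inspection-system layout (role in bits 7-6, DG4 in bit 1, DG3 in bit 0, template tag 7F4C, OID 0.4.0.127.0.7.3.1.2.1). The class, method and constant names are hypothetical.

```java
import java.util.Arrays;

public class ChatExample {
    // Role occupies the two most significant bits of the authorization byte (assumed layout).
    static final int ROLE_CVCA = 0xC0, ROLE_DV_DOMESTIC = 0x80, ROLE_DV_FOREIGN = 0x40, ROLE_IS = 0x00;
    // Access rights occupy the two least significant bits; bits 5..2 are treated as reserved.
    static final int READ_DG3 = 0x01, READ_DG4 = 0x02;
    // DER content octets of OID 0.4.0.127.0.7.3.1.2.1.
    static final byte[] OID_IS = {0x04, 0x00, 0x7F, 0x00, 0x07, 0x03, 0x01, 0x02, 0x01};

    /** Builds the template: 7F4C { 06 <oid>, 53 01 <role | rights> }. */
    static byte[] encode(int role, int rights) {
        if ((role & ~0xC0) != 0 || (rights & ~0x03) != 0) {
            throw new IllegalArgumentException("role or rights outside defined bits");
        }
        byte[] out = new byte[3 + 2 + OID_IS.length + 3];
        out[0] = 0x7F; out[1] = 0x4C; out[2] = (byte) (out.length - 3);
        out[3] = 0x06; out[4] = (byte) OID_IS.length;
        System.arraycopy(OID_IS, 0, out, 5, OID_IS.length);
        int p = 5 + OID_IS.length;
        out[p] = 0x53; out[p + 1] = 0x01; out[p + 2] = (byte) (role | rights);
        return out;
    }

    /** Parses the template; accepts only a one-byte authorization value. */
    static String decode(byte[] in) {
        int p = 5 + OID_IS.length;
        if (in.length != p + 3 || in[0] != 0x7F || in[1] != 0x4C || in[2] != in.length - 3
                || in[3] != 0x06 || in[4] != OID_IS.length
                || !Arrays.equals(Arrays.copyOfRange(in, 5, p), OID_IS)
                || in[p] != 0x53 || in[p + 1] != 0x01) {
            throw new IllegalArgumentException("not a one-byte inspection-system template");
        }
        int b = in[p + 2] & 0xFF;
        // Strictness is this example's choice: unknown bits are refused, not ignored.
        if ((b & 0x3C) != 0) {
            throw new IllegalArgumentException("reserved bits set");
        }
        String[] roles = {"IS", "DV-foreign", "DV-domestic", "CVCA"};
        return roles[b >> 6] + " DG3=" + ((b & READ_DG3) != 0) + " DG4=" + ((b & READ_DG4) != 0);
    }

    public static void main(String[] args) {
        byte[] chat = encode(ROLE_DV_DOMESTIC, READ_DG3 | READ_DG4);
        StringBuilder hex = new StringBuilder();
        for (byte x : chat) hex.append(String.format("%02X", x));
        System.out.println(hex + " -> " + decode(chat));
    }
}
```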