Go library for reading Machine Readable Travel Documents (MRTDs) such as passports and identity cards, as specified by ICAO Doc 9303.

This library focuses on NFC protocol handling, access control, LDS parsing, and cryptographic security checks, including passive authentication and chip authentication where supported.

Higher-level concerns such as OCR and UI are intentionally left to the integrator.

gmrtd provides low-level building blocks for reading and authenticating eMRTDs:

• Access Control (BAC and PACE)
• Secure messaging and APDU handling
• LDS parsing (EF.COM, EF.SOD, Data Groups)
• Passive Authentication (SOD verification)
• Chip Authentication (where supported)
• Extended-length APDU support

The library is transport-agnostic and can be used with desktop, mobile, or embedded NFC stacks.

• Legacy access control mechanism
• MRZ-based key derivation only
• Used by older passports and some current documents
• Automatically selected when PACE is not available

• Supported as specified in ICAO Doc 9303
• Strong, modern access control mechanism
• Supported password types:
  • MRZ (Machine Readable Zone)
  • CAN (Card Access Number), commonly used by modern ID cards
• Supports multiple PACE variants:
  • ECDH (GM / CAM)
  • AES / 3DES
  • Brainpool and secp elliptic curves

The caller supplies either MRZ or CAN; gmrtd negotiates and executes the appropriate protocol automatically based on document capabilities.

• ✅ BAC (MRZ)
• ✅ PACE-GM/CAM (MRZ and CAN)
• ✅ Secure messaging
• ✅ LDS parsing (EF.COM, EF.SOD, DGs)
• ✅ Passive Authentication (SOD verification)
• ✅ Chip Authentication (document-dependent)
• ✅ Extended-length APDU support
• ✅ Transport-agnostic design

• ❌ Terminal Authentication (TA) not implemented
• ❌ PACE-IM not implemented
• ❌ No OCR or MRZ extraction
• ❌ Personal data handling and storage are the responsibility of the caller

A PC/SC demo reader is included in this repository as a Go command: cmd/gmrtd-reader.

It:

• Connects to the first available PC/SC reader
• Runs PACE by default (unless --skipPace is set)
• Reads and verifies the document (including passive authentication)
• Renders a HTML report (APDU logs + parsed LDS) and opens it in your browser

go run ./cmd/gmrtd-reader --help

go run ./cmd/gmrtd-reader --doc <DOCUMENT_NUMBER> --dob <YYMMDD> --exp <YYMMDD>

go run ./cmd/gmrtd-reader --can <CAN>

# enable debug logging
--debug

# set/cap maximum Le / read size (bytes)
--maxRead 4096

# skip PACE negotiation (forces BAC where possible; mostly for debugging)
--skipPace

Notes:

• --doc/--dob/--exp and --can are mutually exclusive.
• Requires a PC/SC-compatible NFC reader and a working PC/SC stack.

The following documents have been successfully read using gmrtd:

Notes:

• PACE entries may use MRZ or CAN depending on document type.
• Cloneable reflects the document’s chip feature set, not a gmrtd vulnerability.

Some MRTDs do not implement strong cryptographic anti-cloning mechanisms (notably Chip Authentication (CA) or Active Authentication (AA)). In these cases:

• Chip data is protected only by access control (BAC or PACE) and secure messaging
• If the access secret (MRZ/CAN) is obtained and the chip is read once, data can be copied and replayed
• This is a document issuer design choice, not a vulnerability in gmrtd

Cloneability does not imply that the physical document can be trivially forged.

For convenience and interoperability testing, gmrtd includes built-in CSCA trust anchors as standard for:

• Germany (DE)
• Netherlands (NL)
• Indonesia – 2010 CSCA series

These defaults can be replaced, extended, or disabled depending on your trust model.

• Go: 1.19+
• Transports: PC/SC, Core NFC, Android NFC, custom APDU transceivers
• Platforms: Desktop, mobile, embedded

• ICAO Doc 9303 — Machine Readable Travel Documents
• ISO/IEC 7816-4 — Smart card command interface

This library is intended for legitimate, consent-based MRTD reading.

Handle personal data in accordance with applicable laws and regulations.

Issues and pull requests are welcome.

When reporting document compatibility issues:

• Do not upload personal data
• Include document type/year, protocol used, and anonymised logs

Made with contrib.rocks.