
Aadhaar Paperless Offline e-kyc


Opens an encrypted .zip containing Aadhaar Paperless Offline e-KYC XML. Gets the XML and validates the digital signature. Then computes the hash for the mobile number and Email ID.


PowerShell
Add-Type -Path "C:\chilkat\ChilkatDotNet47-x64\ChilkatDotNet47.dll"

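$success = $false

# This example requires the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.

# Open the .zip containing the Aadhaar Paperless Offline e-KYC XML.
# The .zip is encrypted using the "Share Phrase".
$zip = New-Object Chilkat.Zip
$success = $zip.OpenZip("qa_data/xml_dsig/offline_paperless_kyc.zip")
if ($success -eq $false) {
    $($zip.LastErrorText)
    # Exit non-zero so a calling script or pipeline can tell the check did not complete.
    exit 1
}

# The .zip should contain 1 XML file.
$entry = New-Object Chilkat.ZipEntry
$success = $zip.EntryAt(0,$entry)
if ($success -eq $false) {
    $($zip.LastErrorText)
    exit 1
}

# To get the contents, we need to specify the Share Phrase.
# "Lock@487" is the sample value used throughout this example. In real use the
# share phrase is a secret chosen by the Aadhaar holder: obtain it at run time
# (for example with Read-Host -AsSecureString or from a secret store) instead of
# committing it to source control.
$sharePhrase = "Lock@487"
$zip.DecryptPassword = $sharePhrase

$bdXml = New-Object Chilkat.BinData
# The XML file will be unzipped into the bdXml object, so the decrypted e-KYC
# data is held in memory by this script rather than extracted to a file.
$success = $entry.UnzipToBd($bdXml)
if ($success -eq $false) {
    $($entry.LastErrorText)
    exit 1
}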

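# First verify the XML digital signature.
$dsig = New-Object Chilkat.XmlDSig
$success = $dsig.LoadSignatureBd($bdXml)
if ($success -eq $false) {
    $($dsig.LastErrorText)
    exit 1
}

# The XML in this example contains only 1 signature. Reject anything else:
# VerifySignature below checks a single signature (the one chosen by the
# Selector property, 0 by default), so an unexpected count would otherwise go unnoticed.
if ($dsig.NumSignatures -ne 1) {
    $("Expected exactly 1 XML signature, found " + $dsig.NumSignatures)
    exit 1
}

# The UIDAI XML signature does not contain the KeyInfo, so we must load the uidai certificate
# and indicate that its public key is to be used for verifying the signature.
#
# This file is the trust anchor for the whole check: a "valid" result only proves
# the XML was signed by the private key matching this certificate. Obtain the
# certificate from UIDAI directly and store it where the party supplying the .zip
# cannot replace it.
# NOTE(review): this example does not check the certificate's validity period
# or its issuer chain -- add that if your policy requires it.
$cert = New-Object Chilkat.Cert
$success = $cert.LoadFromFile("qa_data/xml_dsig/uidai_auth_sign_prod_2023.cer")
if ($success -eq $false) {
    $($cert.LastErrorText)
    exit 1
}

# Get the certificate's public key.
# The return values are captured and checked; left unassigned, PowerShell would
# also write them ("True"/"False") to the script's output.
$pubKey = New-Object Chilkat.PublicKey
$success = $cert.GetPublicKey($pubKey)
if ($success -eq $false) {
    $($cert.LastErrorText)
    exit 1
}

$success = $dsig.SetPublicKey($pubKey)
if ($success -eq $false) {
    $($dsig.LastErrorText)
    exit 1
}

# Passing $true also verifies the reference digests, i.e. that the signed content
# still matches the digests recorded in the signature.
# NOTE(review): confirm the signature's Reference covers the whole document, so that
# the fields read from the XML later are actually protected by this signature.
$bVerifyReferenceDigests = $true
$bVerified = $dsig.VerifySignature($bVerifyReferenceDigests)
if ($bVerified -eq $false) {
    $($dsig.LastErrorText)
    $("The signature was not valid.")
    # A failed verification must be distinguishable from success by the caller.
    exit 1
}

$("The XML digital signature is valid.")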

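# Let's compute the hash for the Mobile Number.

# 	Hashing logic for Mobile Number :
# 	SHA-256 is applied to (Mobile + SharePhrase) and then re-applied to the result.
# 	The total number of SHA-256 rounds equals the last digit of the Aadhaar number
# 	(the Ref ID field contains the last 4 digits).
#
# 	Example :
# 	Mobile: 1234567890
# 	Aadhaar Number: XXXX XXXX 3632
# 	Passcode : Lock@487
# 	Hash: Sha256(Sha256(1234567890Lock@487))   -- last digit is 2, so 2 rounds
# 	If the Aadhaar number ends with zero, the value is hashed one time.
#
# 	A mobile number has little entropy, so the secrecy of the share phrase is what
# 	keeps this hash from being reversed by guessing; treat the phrase as a secret.

$crypt = New-Object Chilkat.Crypt2
$crypt.HashAlgorithm = "sha256"
$crypt.EncodingMode = "hexlower"

# Build the input from the same $sharePhrase that decrypted the .zip, so the two
# cannot drift apart. "1234567890" is the sample mobile number.
$strToHash = "1234567890" + $sharePhrase
$bdHash = New-Object Chilkat.BinData
$success = $bdHash.AppendString($strToHash,"utf-8")
if ($success -eq $false) {
    $("Failed to load the mobile number string for hashing.")
    exit 1
}

# Hash a number of times equal to the last digit of your Aadhaar number.
# If the Aadhaar number ends with 0, then hash one time.
# For this example, we'll just set the last digit to "9".
$lastAadhaarDigit = 9
$numTimesToHash = $lastAadhaarDigit
if ($numTimesToHash -eq 0) {
    $numTimesToHash = 1
}

# Each round hashes the lowercase-hex text of the previous digest (not its raw bytes).
for ($i = 1; $i -le $numTimesToHash; $i++) {
    $tmpStr = $crypt.HashBdENC($bdHash)
    # Discard/capture the return values so they are not written to the script's output.
    [void]$bdHash.Clear()
    $success = $bdHash.AppendString($tmpStr,"utf-8")
}

$("Computed Mobile hash = " + $bdHash.GetString("utf-8"))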

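# Let's get the mobile hash stored in the XML and compare it with our computed hash.
# The XML is parsed from $bdXml, the same buffer whose signature was verified, so
# the stored value comes from the signed document and not from a second copy.
$xml = New-Object Chilkat.Xml
$success = $xml.LoadBd($bdXml,$true)
if ($success -eq $false) {
    $($xml.LastErrorText)
    exit 1
}
# "(m)" selects the "m" attribute of UidData/Poi.
$m_hash = $xml.ChilkatPath("UidData|Poi|(m)")

$("Stored Mobile hash   = " + $m_hash)

# Actually perform the comparison instead of leaving it to the reader's eye.
# At this point $bdHash still holds the computed mobile hash (lowercase hex).
$computedMobileHash = $bdHash.GetString("utf-8")
if ((-not [string]::IsNullOrEmpty($m_hash)) -and ($computedMobileHash -eq $m_hash)) {
    $("Mobile hash matches.")
}
else {
    $("Mobile hash does NOT match.")
}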

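# Now do the same thing for the email hash:
# the input is (Email + SharePhrase), hashed $numTimesToHash times.
# "abc@gm.com" is the sample email address; the share phrase is taken from
# $sharePhrase so it stays identical to the one used to decrypt the .zip.

$strToHash = "abc@gm.com" + $sharePhrase
[void]$bdHash.Clear()
$success = $bdHash.AppendString($strToHash,"utf-8")
if ($success -eq $false) {
    $("Failed to load the email string for hashing.")
    exit 1
}

# Each round hashes the lowercase-hex text of the previous digest.
for ($i = 1; $i -le $numTimesToHash; $i++) {
    $tmpStr = $crypt.HashBdENC($bdHash)
    # Discard/capture the return values so they are not written to the script's output.
    [void]$bdHash.Clear()
    $success = $bdHash.AppendString($tmpStr,"utf-8")
}

$computedEmailHash = $bdHash.GetString("utf-8")
$("Computed Email hash = " + $computedEmailHash)

# "(e)" selects the "e" attribute of UidData/Poi.
$e_hash = $xml.ChilkatPath("UidData|Poi|(e)")
$("Stored Email hash   = " + $e_hash)

# Compare the computed value with the one stored in the signed XML.
if ((-not [string]::IsNullOrEmpty($e_hash)) -and ($computedEmailHash -eq $e_hash)) {
    $("Email hash matches.")
}
else {
    $("Email hash does NOT match.")
}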