docs/3-dev-setup.md: 2 additions & 2 deletions
@@ -1,6 +1,6 @@
1
1
# JavaCard Development Setup
2
2
3
-
If you want to compile applets from source, you need to install a few requirements. These instructions are for Linux, but it should work on Windows as well (using Docker, see below).
3
+
If you want to compile applets from source, you need to install a few requirements. These instructions are for Linux, but it should work on Windows as well (using Docker or maybe WSL, see below).
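Review bot: "or maybe WSL" reads as a guess rather than documentation; either state that the WSL route was tried (and how the card reader is reached from inside WSL) or leave it out and keep only the Docker route, which the "see below" already points to. Minor: "These instructions are for Linux, but it should work on Windows" would read better as "they should work on Windows".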
Replace `KK` with the amount of bytes after `KK`. Replace `PP` with the amount of `QQ` bytes. Replace `QQ QQ QQ ...` with the AID of the applet. If you want to pass initialization parameters, replace `RR` with the amount of `SS` bytes, and `SS SS SS ...` with the initialization data. Do not actually write the `[ ]` brackets, these just mean that the initialization section is optional. Example: `80 b8 00 00 0A 07 a0 00 00 05 27 20 01 00 FF`.
76
76
77
-
make sure the command was successful by watching for `Received (SW1=0x90, SW2=0x00)`.
77
+
Make sure the command was successful by watching for `Received (SW1=0x90, SW2=0x00)`.
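Review bot: Capitalisation fix is fine. The sentence only describes the success case; since readers are told to watch the log, it would help to add that any status word other than `Received (SW1=0x90, SW2=0x00)` means the card rejected the command and the install must not be assumed to have happened.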
docs/applets/1-pgp.md: 1 addition & 1 deletion
@@ -33,7 +33,7 @@ For more options, see the SmartPGP README file.
33
33
34
34
## Installing the Applet
35
35
36
-
To install the applet to your card, you have to first construct a valid AID (refer to section 4.2.1 of the OpenPGP card specification, linked below). Every AID starts with `D2 76 00 01 24 01`, which is the unique identifier of the FSFE joined with the application identifier `01`. Next comes the OpenPGP version, which is `03 04` (3.4) for this applet. The next two bytes are a manufacturer id, which should be registered with the FSF Europe e.V. , however you can just put whatever you like - I use `C0 FE`. The next four bytes specify the card serial number (e.g. `00 00 00 01`), and the last two bytes are reserved for future use and alway zero.
36
+
To install the applet to your card, you have to first construct a valid AID (refer to section 4.2.1 of the OpenPGP card specification, linked below). Every AID starts with `D2 76 00 01 24 01`, which is the unique identifier of the FSFE, joined with the application identifier `01`. Next comes the OpenPGP version, which is `03 04` (3.4) for this applet. The next two bytes are a manufacturer id, which should be registered with the FSF Europe e.V. , however you can just put whatever you like - I use `C0 FE`. The next four bytes specify the card serial number (e.g. `00 00 00 01`), and the last two bytes are reserved for future use and are always zero.
37
37
38
38
The complete AID should look like this: `D2 76 00 01 24 01 03 04 C0 FE 00 00 00 01 00 00`.
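Review bot: Two leftovers remain on the changed line: "FSF Europe e.V. , however you can" still has a space before the comma and is a comma splice; suggest "FSF Europe e.V.; however, you can just put whatever you like". Also "manufacturer id" should be "manufacturer ID" to match "AID" in the same sentence.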
docs/applets/3-hmac-sha1.md: 3 additions & 3 deletions
@@ -2,7 +2,7 @@
2
2
3
3
HMAC-SHA1 challenge-response provides a mechanism for two systems to ensure bilateral knowledge of a secret, without disclosing or transmitting the secret.
4
4
5
-
This applets is compatible to the Yubikey-style protocol, used in e.g. KeepassXC.
5
+
This applet is compatible to the Yubikey-style protocol, supported by e.g. KeePassXC.
6
6
7
7
## Applet Information
8
8
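Review bot: "compatible to" should be "compatible with". The same file spells the product "YubiKey" a few lines further down (line 44), so "Yubikey-style" should use the same spelling.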
@@ -42,7 +42,7 @@ PKG: A00000052720 (LOADED)
42
42
43
43
This applet behaves the same way as the challenge-response functionality on a Yubikey. However, it cannot be initialized using the Yubikey Personalization GUI tools, because these require a USB connection. Instead, various other tools can be used.
44
44
45
-
First of all, make sure no YubiKey is connected to your PC, or it might be overwritten if you are not careful.
45
+
First of all, make sure no YubiKeys are connected to your PC, or it might be overwritten if you are not careful.
46
46
47
47
Second, make sure to keep a backup of your secret key somewhere.
48
48
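Review bot: The pluralisation introduces a number mismatch: "make sure no YubiKeys are connected to your PC, or it might be overwritten". Either keep the singular ("no YubiKey is connected ... or it might be overwritten") or change the pronoun ("or one of them might be overwritten").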
@@ -80,7 +80,7 @@ If everything is encoded correctly, the commands should give the same response.
80
80
81
81
### Usage with KeePassXC
82
82
83
-
Thanks to a patch by me (https://github.com/keepassxreboot/keepassxc/pull/6895, https://github.com/keepassxreboot/keepassxc/pull/6766) KeePassXC is able to interface with this applet and Yubikeys via NFC using any compatible reader. This work on Windows, Linux and Mac.
83
+
Thanks to a PR by me (https://github.com/keepassxreboot/keepassxc/pull/6895, https://github.com/keepassxreboot/keepassxc/pull/6766) KeePassXC is able to interface with this applet and Yubikeys via NFC using any compatible reader. This work on Windows, Linux and Mac.
84
84
85
85
To add a Yubikey as protection to your Database, refer to the KeePassXC documentation (or just look at the UI).
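Review bot: "This work on Windows, Linux and Mac." is still ungrammatical after the patch/PR wording change; suggest "This works on Windows, Linux and macOS." Also "Yubikeys" on this line and "Yubikey" on the next should match the "YubiKey" spelling used earlier in the file.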
docs/applets/4-ndef.md: 1 addition & 2 deletions
@@ -17,7 +17,6 @@ Use git to clone the sources, and change into the directory. To compile, run `an
17
17
18
18
The build definition produces various versions of the applet, the most interesting ones are `full`, which is a read-write enabled version, and `tiny`, which is a read-only version with static data.
19
19
20
-
21
20
## Installing the Applet
22
21
23
22
To install the applet to your card, you have to pass along some configuration data.
@@ -30,7 +29,7 @@ To install the `full` variant with 2KB re-writeable storage:
30
29
gp -install openjavacard-ndef-full.cap -create D2760000850101 -params 8102000082020800
31
30
```
32
31
33
-
The TLV configuration format is not trivial, for the specification see the openjavacard-ndef documentation at https://github.com/OpenJavaCard/openjavacard-ndef/blob/master/doc/install.md .
32
+
The TLV configuration format has a few options, for the specification see the openjavacard-ndef documentation at https://github.com/OpenJavaCard/openjavacard-ndef/blob/master/doc/install.md .
34
33
35
34
To install the `tiny` variant with the static URL "https://chrz.de":
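Review bot: "has a few options" is vaguer than the previous "is not trivial" and adds no information. Since the command above already shows `-params 8102000082020800`, one sentence noting that the last TLV, `82 02 0800`, carries the container size (0x0800 = 2048 bytes, the 2KB mentioned in the heading sentence) would let readers adapt the size without opening the linked document. Also drop the stray space before the final period after the URL.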
FIDOU2F is a standard for two-factor authentication. It is extended and superseded by FIDO2, but still widely used.
3
+
**FIDO** (Fast IDentity Online) **U2F** (Universal 2nd Factor) is a standard for two-factor authentication. It is extended and superseded by FIDO2, but still widely used.
4
4
5
-
FIDO2 CTAP2 is an extension and improvement over FIDO U2F, and remains backwards-compatible to U2F.
5
+
The applet requires an attestation certificate. This certificate can be a default one, or generated by you, or an official one signed by a company like Vivokey or Yubico. You don't want to generate a unique certificate for each token, because that would make the tokens uniquely identifiable, leading to privacy concerns.
6
6
7
-
The FIDO2 applet is still in development, and not completely finished. You can test the beta code, but keep in mind that some features do not work yet, e.g. Windows Hello. In addition, only the FIDO U2F applet has been certified to be standards compliant as of now.
7
+
The attestation certificate is used to sign certificates for transport when you register with a service. The token manufacturer (e.g. Vivokey) can also use this certificate (which they sign using their certificate authority) to validate the authenticity and model of the token and applet.
8
+
9
+
**FIDO2 CTAP2** (Client to Authenticator Protocol) is an extension and improvement over FIDO U2F, and remains backwards-compatible to U2F.
10
+
11
+
The FIDO2 applet is still in development, and not completely finished. For example, Windows Hello is not supported yet. The attestation certificate loading procedure is not yet properly documented, and neither is the generation of such a certificate. Stay tuned.
- Repository: https://github.com/VivoKey/vk-u2f (forked from u2f-javacard)
21
25
- Binary name: `CTAP2.cap`
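Review bot: "The attestation certificate is used to sign certificates for transport when you register with a service" is imprecise: nothing is signed by the certificate and no certificates are produced at registration. It is the attestation private key that signs the registration response (the newly created public key and key handle), and the attestation certificate is sent along so the service can verify that signature and, via the issuing CA mentioned in the next sentence, the token model. Suggest rewording along those lines. Minor: "backwards-compatible to U2F" should be "backwards-compatible with U2F".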
@@ -32,15 +36,99 @@ Use git to clone the sources recursively, and change into the directory. To comp
32
36
33
37
You can not use the U2F applet at the same time as the FIDO2 one because they use the same AID.
34
38
35
-
Use GlobalPlatformPro (GPP) from https://github.com/martinpaljak/GlobalPlatformPro/releases to install the applet:
39
+
Loading the attestation certificate requires manual steps as of now, but Vivokey and I are planning to release tools for U2F and FIDO2 attestation certificate loading sometime in the future.
40
+
41
+
### Default Attestation Certificate
42
+
43
+
You can use the default example U2F attestation certificate, which I have extracted from https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-raw-message-formats-v1.2-ps-20170411.html#examples and converted to the OpenSSL x509 / ECC PEM format. Note that it is no longer valid according to its date, but it still works. Then again, it was never signed by any company, so it was never seen as valid in the first place.
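Review bot: The paragraph on the default certificate should state the consequence plainly: because this certificate and its private key are copied from the public specification examples, attestation made with it proves nothing about the token, and a service that checks attestation against a trusted CA will reject or ignore it. The current "it still works" / "never seen as valid" phrasing leaves readers guessing whether that matters for them. Minor: "You can not use" should be "You cannot use".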
Creating and signing using a proper certificate authority is out of scope for this document.
109
+
110
+
Next, extract the private key (32 bytes), look for `priv`:
111
+
112
+
```
113
+
openssl ec -in attestation_key.pem -text -noout
114
+
```
115
+
116
+
The bytes for the certificate are just the verbatim DER encoding:
117
+
118
+
```
119
+
openssl x509 -outform der -in attestation.pem -out attestation.der
120
+
121
+
xxd -c 128 -p attestation.der
122
+
wc -c < attestation.der
123
+
```
124
+
125
+
Use GlobalPlatformPro (GPP) from https://github.com/martinpaljak/GlobalPlatformPro/releases to install the applet:
38
126
39
127
```
40
128
gp -install U2FApplet.cap --create A0000006472F0001 --params 000140f3fccc0d00d8031954f90864d43c247f4bf5f0665c6b50cc17749a27d1cf7664
41
129
```
42
130
43
-
You have to pass a few parameters for the installer, e.g. the private key of the attestation certificate. See https://github.com/darconeous/u2f-javacard/blob/master/README.mdand for more details.
131
+
The parameter data is `00`, the length of the public attestation certificate (hex `0140`), and the private key (32 bytes). See https://github.com/darconeous/u2f-javacard/blob/master/README.md for more info.
44
132
45
133
Listing the applets using `gp --list` should print something like this:
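Review bot: The key extraction step needs two caveats that trip people up: `openssl ec -text -noout` prints the `priv:` value colon-separated and, when the top bit of the key is set, with a leading `00` byte, so the reader has to strip the colons and that leading byte to get exactly 32 bytes for the `--params` string. It should also say that the `0140` is the big-endian length from `wc -c < attestation.der` (0x0140 = 320 bytes) and that both it and the 32 bytes after it in the example belong to the default certificate, so both must be replaced when using your own; the corrected README link is good. Finally, since the private key is typed on the command line, a note that it lands in the shell history would be in keeping with the backup advice elsewhere in these docs.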
Next, you have to load the attestation certificate by sending a few APDUs:
146
+
Next, you have to load the public attestation certificate by sending a few chained APDUs. The DER encoded public certificate has to be chopped into `128` byte chunks, which are sent attached to a small header. The header is `80 01 HHLL KK`, with `HHLL` being a 16 bit integer offset of that chunk, and `KK` being the chunk length (hex `80`, usually smaller for the last chunk). Before sending the certificate, a small preamble command is required.
gp -d -v -a "00 A4 04 00 08 A0 00 00 06 47 2F 00 01" -a "80 01 0000 80 3082013c3081e4a003020102020a47901280001155957352300a06082a8648ce3d0403023017311530130603550403130c476e756262792050696c6f74301e170d3132303831343138323933325a170d3133303831343138323933325a3031312f302d0603550403132650696c6f74476e756262792d302e342e312d34373930" -a "80 01 0080 80 313238303030313135353935373335323059301306072a8648ce3d020106082a8648ce3d030107034200048d617e65c9508e64bcc5673ac82a6799da3c1446682c258c463fffdf58dfd2fa3e6c378b53d795c4a4dffb4199edd7862f23abaf0203b4b8911ba0569994e101300a06082a8648ce3d0403020347003044022060cd" -a "80 01 0100 40 b6061e9c22262d1aac1d96d8c70829b2366531dda268832cb836bcd30dfa0220631b1459f09e6330055722c8d89b7f48883b9089b88d60d1d9795902b30410df"
66
150
```
67
151
68
-
In the future, Vivokey or I will provide a nice tool to generate and load attestation certificates.
152
+
See also https://gist.github.com/darconeous/adb1b2c4b15d3d8fbc72a5097270cdaf for more info on these APDUs.
69
153
70
154
## Using the Applet
71
155
72
-
Using the applet requires a modern browser with support for FIDO. NFC tokens don't work on Linux (yet, see https://twitter.com/FIDOAlliance/status/1278331283874156544).
156
+
Using the applet in the web requires a modern browser with support for FIDO. NFC tokens don't work on Linux (yet, see https://twitter.com/FIDOAlliance/status/1278331283874156544).
73
157
74
158
You can use the *Yubikey WebAuthn test page* at https://demo.yubico.com/webauthn-technical/registration to test your token.
75
159
76
-
On Android, you can use the *FIDO / Webauthn Example* App at https://play.google.com/store/apps/details?id=de.cotech.hw.fido.example for testing.
160
+
On Android, you can use the *FIDO / Webauthn Example* App at https://play.google.com/store/apps/details?id=de.cotech.hw.fido.example for testing (Use the U2F tab).
77
161
78
162
## Sources and Further Reading
79
163
@@ -88,5 +172,8 @@ On Android, you can use the *FIDO / Webauthn Example* App at https://play.google