Commit fc841aa

Add Android compatibility to FIDO2
1 parent aceb0f0 commit fc841aa

8 files changed

+51
-16
lines changed


applets/vk-u2f

docs/3-dev-setup.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -108,7 +108,7 @@ For Fidesmo-deployed cards, use the `fdsm` tool from https://github.com/fidesmo/
108108

109109
Do not remove the management applet package (`A0000001515350`), or security controller (`A000000151000000`). They are part of the operating system.
110110

111-
## Sources and Further Readingfdsm
111+
## Sources and Further Reading
112112

113113
- https://www.docker.com/
114114
- https://github.com/DangerousThings/smartcard-ci/blob/master/Dockerfile

docs/4-android.md

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,31 @@
1+
# Android Problems and Solutions
2+
3+
Android has some particularities concerning NFC.
4+
5+
## FIDO requires Security Manager
6+
7+
FIDO keys are handled by a Google Services component, which is absent on FOSS (e.g. Lineage) Android builds. Use MicroG instead, which implements a security manager and FIDO adapter since version `v0.2.25.223616` . Make sure to also apply my two patches (https://github.com/microg/GmsCore/pulls/StarGate01) for smooth operation. These patches will be eventually released in a new version of MicroG.
8+
9+
## Maximum NFC Transceive Length
10+
11+
On some Android ROMS, the NFC driver is configured improperly, which limits the size of data packets that can be exchanged. FIDO2 requires very large packets (~1KB).
12+
13+
To change the configuration, add the line
14+
15+
```
16+
ISO_DEP_MAX_TRANSCEIVE=0xFEFF
17+
```
18+
19+
to each of the files `/vendor/etc/libnfc-nci.conf` and `/vendor/etc/libnfc-brcm.conf` .
20+
21+
This requires root access.
22+
23+
## Sources and Further Reading
24+
25+
- https://github.com/microg/GmsCore
26+
- https://microg.org/
27+
- https://android.stackexchange.com/questions/110927/how-to-mount-system-rewritable-or-read-only-rw-ro
28+
- https://github.com/microg/GmsCore/pulls/StarGate01
29+
- https://github.com/NXPNFCLinux/linux_libnfc-nci/issues/116
30+
31+
Improve this document: https://github.com/DangerousThings/flexsecure-applets/tree/master/docs

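Review bot: "add the line" under Maximum NFC Transceive Length should tell the reader to replace an existing `ISO_DEP_MAX_TRANSCEIVE` entry if the conf already contains one, because appending a second copy of the key gives no guarantee which value the NFC stack honours; checking both files for the key before editing them covers that. Two smaller points: the MicroG paragraph links an author-filtered pull request list (https://github.com/microg/GmsCore/pulls/StarGate01), which stops showing the two patches once they merge, so cite the PR numbers directly; and "This requires root access" could say that `/vendor` has to be remounted read-write, which is what the android.stackexchange link in the sources list is there for.
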
docs/applets/5-fido.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ The applet requires an attestation certificate. This certificate can be a defaul
66

77
The attestation certificate is used to sign certificates for transport when you register with a service. The token manufacturer (e.g. Vivokey) can also use this certificate (which they sign using their certificate authority) to validate the authenticity and model of the token and applet.
88

9-
**FIDO2 CTAP2** (Client to Authenticator Protocol) is an extension and improvement over FIDO U2F, and remains backwards-compatible to U2F.
9+
**FIDO2 CTAP2** (Client to Authenticator Protocol) is an extension and improvement over FIDO U2F.
1010

1111
The FIDO2 applet is still in development, and not completely finished. For example, Windows Hello is not supported yet. Stay tuned. It is also not officially certified.
1212

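Review bot: dropping "and remains backwards-compatible to U2F" from the CTAP2 sentence removes a claim without replacing it, so the reader can no longer tell whether the applet in FIDO2 mode still answers U2F (CTAP1) requests; the Android test instructions later in this same file still say "Use the U2F tab". State explicitly what the applet supports, for example "The FIDO2 applet speaks CTAP2 only; use the U2F applet for CTAP1 clients", if that is the case.
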
@@ -135,7 +135,7 @@ Using the applet in the web requires a modern browser with support for FIDO. NFC
135135

136136
You can use the *Yubikey WebAuthn test page* at https://demo.yubico.com/webauthn-technical/registration to test your token.
137137

138-
On Android, you can use the *FIDO / Webauthn Example* App at https://play.google.com/store/apps/details?id=de.cotech.hw.fido.example for testing (Use the U2F tab).
138+
On Android, you can use the *FIDO / Webauthn Example* App at https://play.google.com/store/apps/details?id=de.cotech.hw.fido.example for testing (Use the U2F tab), or use any Browser which supports the Security Manager (for details, see *Android Problems and Solutions*) and use the Yubico page.
139139

140140
## Sources and Further Reading
141141

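Review bot: the new sentence in this hunk is a run-on that joins two alternatives and spells "Browser" with a capital while the rest of the file uses "browser"; split it, e.g. "On Android, either use the *FIDO / Webauthn Example* app at https://play.google.com/store/apps/details?id=de.cotech.hw.fido.example (use the U2F tab), or open the Yubico test page in a browser that supports the Security Manager (see *Android Problems and Solutions*)." It should also say whether the U2F tab exercises the FIDO2 applet at all, since the commit is about FIDO2 on Android.
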
scripts/compile/vk-u2f.sh

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,5 +2,5 @@
22

33
mkdir -p /app/src/bin /app/src/applets/vk-u2f/target
44
cd /app/src/applets/vk-u2f
5-
JC_HOME=/app/sdks/jc304_kit ant
5+
JC_HOME=/app/sdks/jc305u3_kit ant
66
cp /app/src/applets/vk-u2f/target/*.cap /app/src/bin/

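Review bot: switching `JC_HOME` from `jc304_kit` to `jc305u3_kit` changes the target JavaCard version of the produced CAP file, which the commit message ("Add Android compatibility to FIDO2") does not mention and no doc in this commit reflects; a CAP built against the 3.0.5 export files will not load on cards that only implement 3.0.4, so note the new minimum card version in the applet docs and confirm the build image actually ships `/app/sdks/jc305u3_kit`.
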
scripts/test/u2f-javacard.bats

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,12 +18,14 @@ setup() {
1818
cd /app/tools/fido-attestation-loader
1919
./attestation.py ca create -cap 123456
2020
./attestation.py cert create -p 1234 -cap 123456
21-
PARAM=`./attestation.py cert show -p 1234 -f parameter -m u2fci`
21+
PARAM=`./attestation.py cert show -p 1234 -f parameter -m u2fci -cap 123456`
2222
opensc-tool -r 'Virtual PCD 00 00' -s "80 b8 00 00 2F 08 A0 00 00 06 47 2F 00 01 00 23 $PARAM FF"
2323
./attestation.py cert upload -m u2fci
2424
}
2525

2626
teardown() {
27+
cd /app/tools/fido-attestation-loader
28+
rm -f *.der *.p8
2729
_teardown
2830
}
2931

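Review bot: in the new teardown(), `cd /app/tools/fido-attestation-loader` followed by `rm -f *.der *.p8` runs the rm in whatever the current directory happens to be if the cd fails; chain them (`cd /app/tools/fido-attestation-loader && rm -f *.der *.p8`) or use absolute paths. Cleaning up the `.p8` files is the right call, since they hold the private keys of the throw-away attestation CA. The added `-cap 123456` on `cert show` also means the CA password now appears three times in setup(); a single `CAP=123456` variable would keep them in sync.
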
scripts/test/vk-u2f.bats

Lines changed: 11 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -12,24 +12,26 @@ teardown_file() {
1212

1313
setup() {
1414
cd /app/src/applets/vk-u2f
15-
java -cp /app/src/jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar:./target com.licel.jcardsim.remote.VSmartCard /app/src/scripts/test/res/vk-u2f.jcardsim.cfg 1>&3 2>&3 & # > /dev/null &
15+
java -cp /app/tools/jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar:./target com.licel.jcardsim.remote.VSmartCard /app/src/scripts/test/res/vk-u2f.jcardsim.cfg > /dev/null &
1616
JCSIM_PID="$!"
1717
sleep 2
1818
cd /app/tools/fido-attestation-loader
1919
./attestation.py ca create -cap 123456
2020
./attestation.py cert create -p 1234 -cap 123456
21-
PARAM=`./attestation.py cert show -p 1234 -f parameter -m fido2`
22-
# opensc-tool -r 'Virtual PCD 00 00' -s "80 b8 00 00 3F 08 A0 00 00 06 47 2F 00 01 00 33 $PARAM FF" 1>&3 2>&3
23-
# ./attestation.py cert upload -m fido2
21+
PARAM=`./attestation.py cert show -p 1234 -f parameter -m fido2 -cap 123456`
22+
opensc-tool -r 'Virtual PCD 00 00' -s "80 b8 00 00 3F 08 A0 00 00 06 47 2F 00 01 00 33 $PARAM FF"
23+
./attestation.py cert upload -m fido2
2424
}
2525

2626
teardown() {
27+
cd /app/tools/fido-attestation-loader
28+
rm -f *.der *.p8
2729
_teardown
2830
}
2931

3032

31-
#@test "U2F Register and Authenticate https://demo.yubico.com/" {
32-
# RES=`fido2-webauthn-client "pcsc://slot0" 2>&1 | sed -n -e '/http_response_json: https:\/\/demo\.yubico\.com\/api\/v1\/simple\/webauthn\/authenticate-finish/,$p' | sed 1d`
33-
# STATUS=`echo $RES | jq -r '.status'`
34-
# [ "$STATUS" == "success" ]
35-
#}
33+
@test "FIDO2 Register and Authenticate https://demo.yubico.com/" {
34+
RES=`fido2-webauthn-client "pcsc://slot0" 2>&1 | sed -n -e '/http_response_json: https:\/\/demo\.yubico\.com\/api\/v1\/simple\/webauthn\/authenticate-finish/,$p' | sed 1d`
35+
STATUS=`echo $RES | jq -r '.status'`
36+
[ "$STATUS" == "success" ]
37+
}

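Review bot: changing the jcardsim launch from `1>&3 2>&3` to `> /dev/null` leaves the simulator's stderr unredirected and file descriptor 3 inherited by the background process; bats waits for fd 3 to close, so a simulator that fails to start can hang the whole run instead of failing the test. Keep stderr visible and close fd 3 explicitly, e.g. `... > /dev/null 2>&3 3>&- &`. The same cd-then-rm ordering issue as in u2f-javacard.bats applies to the new teardown() here, and `echo $RES` should be quoted (`echo "$RES"`) so the JSON reaches jq unchanged.
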
smartcard-ci
