Add Android compatibility to FIDO2

Author: StarGate01

applets/vk-u2f

@@ -108,7 +108,7 @@ For Fidesmo-deployed cards, use the `fdsm` tool from https://github.com/fidesmo/
 
 Do not remove the management applet package (`A0000001515350`), or security controller (`A000000151000000`). They are part of the operating system.
 
-## Sources and Further Readingfdsm
+## Sources and Further Reading
 
 - https://www.docker.com/
 - https://github.com/DangerousThings/smartcard-ci/blob/master/Dockerfile

docs/3-dev-setup.md

@@ -0,0 +1,31 @@
+# Android Problems and Solutions
+
+Android has some particularities concerning NFC.
+
+## FIDO requires Security Manager
+
+FIDO keys are handled by a Google Services component, which is absent on FOSS (e.g. Lineage) Android builds. Use MicroG instead, which implements a security manager and FIDO adapter since version `v0.2.25.223616` . Make sure to also apply my two patches (https://github.com/microg/GmsCore/pulls/StarGate01) for smooth operation. These patches will be eventually released in a new version of MicroG.
+
+## Maximum NFC Transceive Length
+
+On some Android ROMS, the NFC driver is configured improperly, which limits the size of data packets that can be exchanged. FIDO2 requires very large packets (~1KB).
+
+To change the configuration, add the line
+
+```
+ISO_DEP_MAX_TRANSCEIVE=0xFEFF 	 	
+```
+
+to each of the files `/vendor/etc/libnfc-nci.conf` and `/vendor/etc/libnfc-brcm.conf` .
+
+This requires root access.
+
+## Sources and Further Reading
+
+- https://github.com/microg/GmsCore
+- https://microg.org/
+- https://android.stackexchange.com/questions/110927/how-to-mount-system-rewritable-or-read-only-rw-ro
+- https://github.com/microg/GmsCore/pulls/StarGate01
+- https://github.com/NXPNFCLinux/linux_libnfc-nci/issues/116
+
+Improve this document: https://github.com/DangerousThings/flexsecure-applets/tree/master/docs

docs/4-android.md

@@ -6,7 +6,7 @@ The applet requires an attestation certificate. This certificate can be a defaul
 
 The attestation certificate is used to sign certificates for transport when you register with a service. The token manufacturer (e.g. Vivokey) can also use this certificate (which they sign using their certificate authority) to validate the authenticity and model of the token and applet.
 
-**FIDO2 CTAP2** (Client to Authenticator Protocol) is an extension and improvement over FIDO U2F, and remains backwards-compatible to U2F.
+**FIDO2 CTAP2** (Client to Authenticator Protocol) is an extension and improvement over FIDO U2F.
 
 The FIDO2 applet is still in development, and not completely finished. For example, Windows Hello is not supported yet. Stay tuned. It is also not officially certified.
 
@@ -135,7 +135,7 @@ Using the applet in the web requires a modern browser with support for FIDO. NFC
 
 You can use the *Yubikey WebAuthn test page* at https://demo.yubico.com/webauthn-technical/registration to test your token.
 
-On Android, you can use the *FIDO / Webauthn Example* App at https://play.google.com/store/apps/details?id=de.cotech.hw.fido.example for testing (Use the U2F tab).
+On Android, you can use the *FIDO / Webauthn Example* App at https://play.google.com/store/apps/details?id=de.cotech.hw.fido.example for testing (Use the U2F tab), or use any Browser which supports the Security Manager (for details, see *Android Problems and Solutions*) and use the Yubico page.
 
 ## Sources and Further Reading
 

docs/applets/5-fido.md

@@ -2,5 +2,5 @@
 
 mkdir -p /app/src/bin /app/src/applets/vk-u2f/target
 cd /app/src/applets/vk-u2f
-JC_HOME=/app/sdks/jc304_kit ant
+JC_HOME=/app/sdks/jc305u3_kit ant
 cp /app/src/applets/vk-u2f/target/*.cap /app/src/bin/

scripts/compile/vk-u2f.sh

@@ -18,12 +18,14 @@ setup() {
     cd /app/tools/fido-attestation-loader
     ./attestation.py ca create -cap 123456
     ./attestation.py cert create -p 1234 -cap 123456
-    PARAM=`./attestation.py cert show -p 1234 -f parameter -m u2fci`
+    PARAM=`./attestation.py cert show -p 1234 -f parameter -m u2fci -cap 123456`
     opensc-tool -r 'Virtual PCD 00 00' -s "80 b8 00 00 2F  08  A0 00 00 06 47 2F 00 01  00  23 $PARAM FF"
     ./attestation.py cert upload -m u2fci
 }
 
 teardown() {
+    cd /app/tools/fido-attestation-loader
+    rm -f *.der *.p8 
     _teardown
 }
 

scripts/test/u2f-javacard.bats

@@ -12,24 +12,26 @@ teardown_file() {
 
 setup() {
     cd /app/src/applets/vk-u2f
-    java -cp /app/src/jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar:./target com.licel.jcardsim.remote.VSmartCard /app/src/scripts/test/res/vk-u2f.jcardsim.cfg 1>&3 2>&3  & # > /dev/null &
+    java -cp /app/tools/jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar:./target com.licel.jcardsim.remote.VSmartCard /app/src/scripts/test/res/vk-u2f.jcardsim.cfg > /dev/null &
     JCSIM_PID="$!"
     sleep 2
     cd /app/tools/fido-attestation-loader
     ./attestation.py ca create -cap 123456
     ./attestation.py cert create -p 1234 -cap 123456
-    PARAM=`./attestation.py cert show -p 1234 -f parameter -m fido2`
-    # opensc-tool -r 'Virtual PCD 00 00' -s "80 b8 00 00 3F  08  A0 00 00 06 47 2F 00 01  00  33 $PARAM FF" 1>&3 2>&3
-    # ./attestation.py cert upload -m fido2
+    PARAM=`./attestation.py cert show -p 1234 -f parameter -m fido2 -cap 123456`
+    opensc-tool -r 'Virtual PCD 00 00' -s "80 b8 00 00 3F  08  A0 00 00 06 47 2F 00 01  00  33 $PARAM FF"
+    ./attestation.py cert upload -m fido2
 }
 
 teardown() {
+    cd /app/tools/fido-attestation-loader
+    rm -f *.der *.p8 
     _teardown
 }
 
 
-#@test "U2F Register and Authenticate https://demo.yubico.com/" {
-#    RES=`fido2-webauthn-client "pcsc://slot0" 2>&1 | sed -n -e '/http_response_json: https:\/\/demo\.yubico\.com\/api\/v1\/simple\/webauthn\/authenticate-finish/,$p' | sed 1d`
-#    STATUS=`echo $RES | jq -r '.status'`
-#    [ "$STATUS" == "success" ]
-#}
+@test "FIDO2 Register and Authenticate https://demo.yubico.com/" {
+    RES=`fido2-webauthn-client "pcsc://slot0" 2>&1 | sed -n -e '/http_response_json: https:\/\/demo\.yubico\.com\/api\/v1\/simple\/webauthn\/authenticate-finish/,$p' | sed 1d`
+    STATUS=`echo $RES | jq -r '.status'`
+    [ "$STATUS" == "success" ]
+}