Simulate and test Open Source Java Card Applets #1568
Compiles jCardSim, IsoApplet, GidsApplet, ykneo-openpgp, PivApplet as described [here](https://github.com/OpenSC/OpenSC/wiki/Smart-Card-Simulation). Thanks to https://github.com/arekinath/jcardsim/ this is now also possible on Linux in combination with https://github.com/frankmorgner/vsmartcard. Travis-CI now also runs some basic personalization and PKCS#11 tests. This commit also adds caching of apt, brew and maven packages as well as the OpenSSL/OpenPACE build on macOS.
Good job! I certainly plan to have a look into this to continue the work with either the coolkey applet (should be easy to adapt, but I will need to figure out the initialization) and/or libcacard (that is not actually the Java applet, but a C emulation). For this PR, I have only a few comments/proposals:
Would it make sense to modify the applet build to give it some different serial number so it does not complain here?
Excellent idea!
I hoped that the GIDS applet would be that potent. The only problem is that I don't know the exact scriptable commands to do all this.
In regards to: "Doug wasn't interested in maintaining vendor specific personalization." That is true. There is no standard PIV applet. Each card vendor writes their own applet. NIST will test and approve cards that pass the NIST accreditation process. NIST left it up to each vendor how to do the installation and personalization, to give them a competitive edge in the market. The NIST-approved vendors do not publish their source code. They sell their cards with their PIV applet already installed. They provide information on how to personalize them, but this is via NDAs. Thus trying to "maintain vendor specific personalization" would in most cases violate nondisclosure agreements. Many of the non-approved PIV applets were written so they could use the built-in Windows PIV driver without any other middleware. Vendors such as Yubico, PIVCard and MyEID provide their own tools to do personalization, and some of them only run on Windows. The piv-tool can do some personalization using the '9B' admin key with PUT DATA and GENERATE KEY PAIR. This key is optional in the NIST standards but was just enough for testing cards. There are many objects on a PIV card that are not normally needed. The CHUID is needed because the Windows built-in driver expects it. (The OpenSC driver will use it if present to generate a serial number.) As far as I can tell, all the open source PIV applets have not been tested or approved by NIST and have missing or buggy implementations, especially in the handling of SELECT AID and the VERIFY Lc=0 cases. As a side note: the piv-tool, when reading or writing objects, considers the "53" BER-TLV to be part of the object (i.e. the object is what is read or written by the GET DATA "CB" or PUT DATA "DB" APDUs). The yubico-tool adds or removes the outer "53" BER-TLV. The piv-tool can write certificates. It puts them into a certificate object and, if requested, gzips them.
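The "53" wrapping difference between piv-tool and yubico-piv-tool described in the comment above, as an added Python example. This is not OpenSC, piv-tool or yubico-piv-tool code; the CertInfo gzip flag value (0x01, per NIST SP 800-73) and the sample certificate bytes are assumptions made for the example.

```python
# Constructed example, not code from OpenSC, piv-tool or yubico-piv-tool.
# Shows the outer '53' BER-TLV that PIV data objects carry in GET DATA /
# PUT DATA, and the two tool conventions described above: treating the
# '53' TLV as part of the object (piv-tool) versus adding or removing it
# around the inner object (yubico-piv-tool).
import gzip


def ber_len_encode(n: int) -> bytes:
    """Encode a length in BER definite form (short form below 128, else 0x8N + N bytes)."""
    if n < 0:
        raise ValueError("negative length")
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_len_decode(buf: bytes, pos: int) -> tuple:
    """Return (length, position after the length field); rejects indefinite and over-long forms."""
    if pos >= len(buf):
        raise ValueError("truncated length field")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:
        raise ValueError("unsupported BER length form")
    if pos + nbytes > len(buf):
        raise ValueError("truncated length field")
    return int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes


def tlv(tag: int, value: bytes) -> bytes:
    """Build a single-byte-tag BER-TLV (every PIV object tag used here fits in one byte)."""
    return bytes([tag]) + ber_len_encode(len(value)) + value


def parse_tlvs(buf: bytes) -> list:
    """Split a buffer into (tag, value) pairs, refusing truncated values or stray trailing bytes."""
    out, pos = [], 0
    while pos < len(buf):
        tag = buf[pos]
        length, pos = ber_len_decode(buf, pos + 1)
        if pos + length > len(buf):
            raise ValueError("TLV value runs past end of buffer")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out


def wrap_53(inner: bytes) -> bytes:
    """yubico-piv-tool style: add the outer '53' TLV around the inner object."""
    return tlv(0x53, inner)


def unwrap_53(data: bytes) -> bytes:
    """Strip the outer '53' TLV, insisting on exactly one object and no trailing bytes."""
    items = parse_tlvs(data)
    if len(items) != 1 or items[0][0] != 0x53:
        raise ValueError("expected exactly one outer '53' TLV")
    return items[0][1]


def build_cert_object(cert_der: bytes, compress: bool = False) -> bytes:
    """Build the inner PIV certificate object: '70' certificate, '71' CertInfo, 'FE' LRC.

    CertInfo 0x01 marks a gzip-compressed certificate (value per NIST SP 800-73,
    assumed here rather than taken from the thread above).
    """
    body = gzip.compress(cert_der) if compress else cert_der
    certinfo = b"\x01" if compress else b"\x00"
    return tlv(0x70, body) + tlv(0x71, certinfo) + tlv(0xFE, b"")


def extract_cert(inner: bytes) -> bytes:
    """Recover the DER certificate from an inner object, decompressing when CertInfo says gzip."""
    fields = dict(parse_tlvs(inner))
    if 0x70 not in fields:
        raise ValueError("no '70' certificate field")
    compressed = fields.get(0x71, b"\x00")[:1] == b"\x01"
    return gzip.decompress(fields[0x70]) if compressed else fields[0x70]


# Constructed stand-in for a DER certificate (not a real certificate).
SAMPLE_CERT_DER = b"\x30\x03\x02\x01\x01"

if __name__ == "__main__":
    inner = build_cert_object(SAMPLE_CERT_DER)
    stored = wrap_53(inner)            # what piv-tool reads/writes as "the object"
    print(stored.hex())
    print(unwrap_53(stored) == inner)  # what yubico-piv-tool hands back after stripping '53'
```

When comparing what the two tools show for the same card, unwrap the piv-tool output once with `unwrap_53` before diffing; the strict parser also rejects a '53' length that disagrees with the bytes actually returned, which is the usual symptom of an applet mis-encoding the outer TLV.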
A single build of clang and gcc each is enough.
Yes, it would. Currently PivApplet implements the proprietary YubicoPIV command to get the applet version number, and returns 4.0.0 always. It seems like at https://github.com/Yubico/yubico-piv-tool/blob/master/lib/util.c#L736 they look for <4.3.5 in that field to print that message, so stopping that output should be an easy fix. I've filed this as arekinath/PivApplet#14 and also another issue for the 0 serial number as arekinath/PivApplet#15. Regarding personalization, as well as the
Feel free to extend the script file (
Compiles jCardSim, IsoApplet, GidsApplet, ykneo-openpgp, PivApplet as described here. Thanks to https://github.com/arekinath/jcardsim/ this is now also possible on Linux in combination with https://github.com/frankmorgner/vsmartcard. @OpenSC/maintainers
Unfortunately, I'm not very fluent in personalizing most of the Java Card Applets, so I'm hoping that @vletoux, @arekinath, @philipWendland could maybe add some more details and corner cases that should be added for the applets. Testing PIV's special cases should also be interesting for @mouse07410 and @dengert. I think @Jakuje also has a link to some CAC applet code that could be integrated.
Finally, Travis-CI now also runs some basic PKCS#11 tests, but adding p11tests to the automation would be better. If we extend this testing, I hope we can achieve shorter release cycles...
This commit also adds caching of apt, brew and maven packages as well as the OpenSSL/OpenPACE build on macOS.