U2FToken
A U2F token implementation based on JavaCard.

The U2F token at https://github.com/LedgerHQ/ledger-u2f-javacard cannot pass the NFC self-conformance test in the phase "U2F_REGISTER, Short APDU, Change BlockSize", as it does not handle the case where Le (BlockSize) is not 256 bytes. My implementation handles this case and passes the test.
Install (using JCOP Shell commands)
- Compile this applet and upload it to the JavaCard (>3.0)
- Set the attestation certificate (with an Extended APDU; CLA:F0, INS:01, P1,P2:00, Lc:000119):
/send 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
- Set the attestation private key (CLA:F0, INS:02, P1,P2:00):
/send f0020000#(4cc7cf68911896c8e2f9c8cc2f7f0aa21c6acbba381c109afe9118f6cad90f0b)
U2F Self-Conformance Test
- Please access the NFC self-conformance test tool here: https://github.com/google/u2f-ref-code/tree/master/u2f-tests/NFC
- Download the latest Google Authenticator for Android
- Open https://crxjs-dot-u2fdemo.appspot.com/ or https://demo.yubico.com/u2f with the latest Chrome for Android.
- Perform Register and Authenticate
Some Tips For Implementation
- The authentication private key is stored in the SE, as there is enough memory to hold thousands of keys.
- The key handle consists of the index of the authentication private key (first 2 bytes) and the SHA-256 of the appid (remaining 32 bytes)
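
One way a token could validate this 34-byte key handle during authentication, as an added example that is not code from this project. It assumes a big-endian index, assumes the token keeps the appid hash beside each stored key, and uses constructed appids.

```python
import hashlib
import hmac
import struct

KEY_HANDLE_LEN = 2 + 32   # key index (2 bytes) + SHA-256 of the appid (32 bytes)
SW_NO_ERROR = 0x9000
SW_WRONG_DATA = 0x6A80    # U2F status word for a key handle the token rejects


def application_parameter(app_id: str) -> bytes:
    """SHA-256 of the appid, the 32-byte value the client sends in each request."""
    return hashlib.sha256(app_id.encode("utf-8")).digest()


def make_key_handle(index: int, app_param: bytes) -> bytes:
    """Build the 34-byte handle; big-endian index is an assumption of this sketch."""
    if not 0 <= index <= 0xFFFF or len(app_param) != 32:
        raise ValueError("index must fit in 2 bytes and app_param must be 32 bytes")
    return struct.pack(">H", index) + app_param


def resolve_key_handle(handle: bytes, app_param: bytes, stored_params: list):
    """Return (status_word, index); index is None unless the handle is accepted.

    stored_params[i] is the appid hash kept beside private key i (assumed layout).
    """
    if len(handle) != KEY_HANDLE_LEN or len(app_param) != 32:
        return SW_WRONG_DATA, None
    (index,) = struct.unpack(">H", handle[:2])
    if index >= len(stored_params):
        return SW_WRONG_DATA, None
    # The handle carries no MAC, so its appid field alone proves nothing: also
    # compare the request against the hash stored with the key inside the token.
    in_handle = hmac.compare_digest(handle[2:], app_param)
    in_store = hmac.compare_digest(stored_params[index], app_param)
    if not (in_handle and in_store):
        return SW_WRONG_DATA, None
    return SW_NO_ERROR, index


if __name__ == "__main__":
    # Constructed sample data: two registrations on hypothetical relying parties.
    params = [application_parameter("https://a.example"),
              application_parameter("https://b.example")]
    handle = make_key_handle(1, params[1])
    print(hex(resolve_key_handle(handle, params[1], params)[0]))   # accepted
    print(hex(resolve_key_handle(handle, params[0], params)[0]))   # wrong relying party
```
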
//TODO
- The database which stores authentication private keys cannot grow dynamically yet.
- I also want to implement a "wrapped" key handle rather than storing the authenticate private key locally in SE.