Commit 8906f0a4 authored by Josh Ji's avatar Josh Ji

testSharedPIN() method, pushTempBuffer() method, passport.jar, passport.exp

parent 3007aeb3
......@@ -7,4 +7,7 @@
<component name="ProjectRootManager" version="2" languageLevel="JDK_11" default="true" project-jdk-name="11" project-jdk-type="JavaSDK">
<output url="file://$PROJECT_DIR$/out" />
</component>
<component name="ProjectType">
<option name="id" value="jpab" />
</component>
</project>
\ No newline at end of file
......@@ -37,6 +37,12 @@ javacard{
className 'com.josh.vku2f.CTAP2'
aid 'A0000006472F0001'
}
dependencies{
local {// 這邊的路徑建議用絕對路徑
exps 'C:\\Users\\josh2\\Documents\\GitLab\\EID\\Fido2Applet\\lib\\javacard\\applet.exp'
jar 'C:\\Users\\josh2\\Documents\\GitLab\\EID\\Fido2Applet\\lib\\javacard\\applet.exp\\passport.jar'
}
}
}
}
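Review bot: The new `local { exps ... jar ... }` block in the `@@ -37,6 +37,12 @@` hunk hard-codes a user-specific absolute path (`C:\\Users\\josh2\\Documents\\GitLab\\EID\\Fido2Applet\\lib\\javacard\\...`), so the build resolves only on that one machine even though the comment on the `local` line recommends absolute paths. A project-relative form such as `exps "$projectDir/lib/javacard/applet.exp"` keeps the intent while leaving the checkout buildable elsewhere. The `jar` entry is also rooted beneath the same `applet.exp` path given to `exps`, which reads as a directory here; confirm both entries point where the JavaCard plugin expects.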
......@@ -75,7 +75,7 @@ public class AuthenticatorGetAssertion {
// Read the map. It has 2 things in it.
vars[3] = decoder.readMajorType(CBORBase.TYPE_MAP);
if(vars[3] != 2) {
UserException.throwIt(CTAP2_ERR_INVALID_CBOR);
UserException.throwIt(CTAP2ErrorCode.CTAP2_ERR_INVALID_CBOR);
break;
}
for(vars[5] = 0; vars[5] < (short) 2; vars[5]++) {
......@@ -90,7 +90,7 @@ public class AuthenticatorGetAssertion {
// It doesn't matter what it is, just check it's string and exists.
} else {
// If it's not these two, throw an error
UserException.throwIt(CTAP2_ERR_INVALID_CBOR);
UserException.throwIt(CTAP2ErrorCode.CTAP2_ERR_INVALID_CBOR);
break;
}
}
......@@ -121,7 +121,7 @@ public class AuthenticatorGetAssertion {
// Pin UV Auth Param // 0x06
pinUvAuthParam = new byte[16];
if(decoder.readByteString(pinUvAuthParam, (short)0 ) < (short)16)
UserException.throwIt(CTAP2_ERR_PIN_INVALID);
UserException.throwIt(CTAP2ErrorCode.CTAP2_ERR_PIN_INVALID);
break;
case 0x07:
// Pin protocol
......@@ -135,7 +135,7 @@ public class AuthenticatorGetAssertion {
}
// We should check we have our "mandatory" options
if(rpId == null || clientDataHash == null) {
UserException.throwIt(CTAP2_ERR_MISSING_PARAMETER);
UserException.throwIt(CTAP2ErrorCode.CTAP2_ERR_MISSING_PARAMETER);
}
// Good to go I guess
......@@ -83,7 +83,7 @@ public class AuthenticatorMakeCredential {
len2 = decoder.readMajorType(CBORBase.TYPE_MAP);
// If less than 2, error
if (len2 < (short) 2) {
UserException.throwIt(CTAP2_ERR_INVALID_CBOR);
UserException.throwIt(CTAP2ErrorCode.CTAP2_ERR_INVALID_CBOR);
}
// Read the map iteratively
for (short j = 0; j < len2; j++) {
......@@ -165,7 +165,7 @@ public class AuthenticatorMakeCredential {
// Read the map length - should be 2
short len3 = decoder.readMajorType(CBORBase.TYPE_MAP);
if(len3 != 2) {
UserException.throwIt(CTAP2_ERR_INVALID_CBOR);
UserException.throwIt(CTAP2ErrorCode.CTAP2_ERR_INVALID_CBOR);
}
// Iterate over the map
for (short k = 0; k < (short) 2; k++) {
......@@ -199,10 +199,10 @@ public class AuthenticatorMakeCredential {
// Check it
decoder.readTextString(scratch1, (short) 0);
if(Util.arrayCompare(scratch1, (short) 0, Utf8Strings.UTF8_PUBLIC_KEY, (short) 0, (short) 10) != (byte) 0) {
UserException.throwIt(CTAP2_ERR_UNSUPPORTED_ALGORITHM);
UserException.throwIt(CTAP2ErrorCode.CTAP2_ERR_UNSUPPORTED_ALGORITHM);
}
} else {
UserException.throwIt(CTAP2_ERR_INVALID_CBOR);
UserException.throwIt(CTAP2ErrorCode.CTAP2_ERR_INVALID_CBOR);
}
}
// Done
......@@ -218,7 +218,7 @@ public class AuthenticatorMakeCredential {
// Read the map. It has 2 things in it.
short len3 = decoder.readMajorType(CBORBase.TYPE_MAP);
if (len3 != 2) {
UserException.throwIt(CTAP2_ERR_INVALID_CBOR);
UserException.throwIt(CTAP2ErrorCode.CTAP2_ERR_INVALID_CBOR);
}
// Parse it, properly
for(short k = 0; k < (short) 2; k++) {
......@@ -233,7 +233,7 @@ public class AuthenticatorMakeCredential {
// It doesn't matter what it is, just check it's string and exists.
} else {
// If it's not these two, throw an error
UserException.throwIt(CTAP2_ERR_CBOR_UNEXPECTED_TYPE);
UserException.throwIt(CTAP2ErrorCode.CTAP2_ERR_CBOR_UNEXPECTED_TYPE);
break;
}
}
......@@ -245,7 +245,7 @@ public class AuthenticatorMakeCredential {
// Parse the two rk and uv objects
// Read the map
if(decoder.getMajorType() != CBORBase.TYPE_MAP) {
UserException.throwIt(CTAP2_ERR_CBOR_UNEXPECTED_TYPE);
UserException.throwIt(CTAP2ErrorCode.CTAP2_ERR_CBOR_UNEXPECTED_TYPE);
break;
}
len2 = decoder.readMajorType(CBORBase.TYPE_MAP);
......@@ -263,7 +263,7 @@ public class AuthenticatorMakeCredential {
decoder.readBoolean();
} else if (Util.arrayCompare(scratch1, (short) 0, Utf8Strings.UTF8_UP, (short) 0, (short) 2) == (short) 0) {
// Error out
UserException.throwIt(CTAP2_ERR_INVALID_OPTION);
UserException.throwIt(CTAP2ErrorCode.CTAP2_ERR_INVALID_OPTION);
break;
} else {
// Skip it
......@@ -278,7 +278,7 @@ public class AuthenticatorMakeCredential {
// So check it's a map and skip
// TODO implement prlab extensions
if(decoder.getMajorType() != CBORBase.TYPE_MAP) {
UserException.throwIt(CTAP2_ERR_CBOR_UNEXPECTED_TYPE);
UserException.throwIt(CTAP2ErrorCode.CTAP2_ERR_CBOR_UNEXPECTED_TYPE);
break;
}
decoder.skipEntry();
......@@ -286,7 +286,7 @@ public class AuthenticatorMakeCredential {
case (short)8: // pinUvAuthToken
pinUvAuthParam = new byte[16];
if(decoder.readByteString(pinUvAuthParam, (short)0 ) < (short)16)
UserException.throwIt(CTAP2_ERR_PIN_INVALID);
UserException.throwIt(CTAP2ErrorCode.CTAP2_ERR_PIN_INVALID);
break;
case (short)9: // pinProtocol
short pinProtocol = decoder.readInt8();
......@@ -301,11 +301,11 @@ public class AuthenticatorMakeCredential {
}
if(pinUvAuthParam == null){
UserException.throwIt(CTAP2_ERR_PIN_INVALID);
UserException.throwIt(CTAP2ErrorCode.CTAP2_ERR_PIN_INVALID);
}
// Check we've got stuff like the clientDataHash
if(dataHash == null || rp == null || user == null || params == null) {
UserException.throwIt(CTAP2_ERR_MISSING_PARAMETER);
UserException.throwIt(CTAP2ErrorCode.CTAP2_ERR_MISSING_PARAMETER);
}
......@@ -27,7 +27,6 @@ import javacard.framework.Util;
import javacard.security.*;
import javacardx.apdu.ExtendedLength;
import static com.josh.vku2f.CTAP2ErrorCode.*;
import static com.josh.vku2f.ClientPINSubCommand.*;
public class CTAP2 extends Applet implements ExtendedLength {
......@@ -176,7 +175,7 @@ public class CTAP2 extends Applet implements ExtendedLength {
// Check CLA
if (!apdu.isCommandChainingCLA() && apdu.isISOInterindustryCLA()) {
ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
// ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
}
JCSystem.requestObjectDeletion();
switch (buffer[ISO7816.OFFSET_INS]) {
......@@ -220,7 +219,7 @@ public class CTAP2 extends Applet implements ExtendedLength {
tempVars[3] = apdu.getIncomingLength();
// Check if the APDU is too big, we only handle 1200 byte
if (tempVars[3] > 1200) {
returnError(apdu, CTAP2_ERR_REQUEST_TOO_LARGE);
returnError(apdu, CTAP2ErrorCode.CTAP2_ERR_REQUEST_TOO_LARGE);
return 0;
}
// Check what we need to do re APDU buffer, is it full (special case for 1 len)
......@@ -340,7 +339,7 @@ public class CTAP2 extends Applet implements ExtendedLength {
getCert(apdu);
break;
default:
returnError(apdu, CTAP1_ERR_INVALID_COMMAND);
returnError(apdu, CTAP2ErrorCode.CTAP1_ERR_INVALID_COMMAND);
}
}
......@@ -348,9 +347,9 @@ public class CTAP2 extends Applet implements ExtendedLength {
private void personalizationComplete(APDU apdu) {
if (attestationKeyPair.isCertSet() && !personalizeComplete) {
personalizeComplete = true;
returnError(apdu, CTAP1_ERR_SUCCESS);
returnError(apdu, CTAP2ErrorCode.CTAP1_ERR_SUCCESS);
} else {
returnError(apdu, CTAP1_ERR_INVALID_COMMAND);
returnError(apdu, CTAP2ErrorCode.CTAP1_ERR_INVALID_COMMAND);
}
}
......@@ -361,7 +360,7 @@ public class CTAP2 extends Applet implements ExtendedLength {
*/
private void getAttestPublic(APDU apdu) {
if (personalizeComplete) {
returnError(apdu, CTAP1_ERR_INVALID_COMMAND);
returnError(apdu, CTAP2ErrorCode.CTAP1_ERR_INVALID_COMMAND);
return;
}
dataBuffer[0] = 0x00;
......@@ -448,7 +447,7 @@ public class CTAP2 extends Applet implements ExtendedLength {
* dump secrets
*/
private void dumpIDSecret(APDU apdu) {
tempVars[0] = idSecret.dump(dataBuffer, cborEncoder);
tempVars[0] = idSecret.dump(apdu.getBuffer(), dataBuffer, cborEncoder);
// apdu.setOutgoing();
// apdu.setOutgoingLength(tempVars[0]);
// apdu.sendBytesLong(dataBuffer, (short)0, tempVars[0]);
......@@ -463,7 +462,7 @@ public class CTAP2 extends Applet implements ExtendedLength {
*/
public void attestSignRaw(APDU apdu, short bufLen) {
if (personalizeComplete) {
returnError(apdu, CTAP1_ERR_INVALID_COMMAND);
returnError(apdu, CTAP2ErrorCode.CTAP1_ERR_INVALID_COMMAND);
return;
}
Util.arrayCopy(dataBuffer, (short) 1, scratch, (short) 0, (short) (bufLen - 1));
......@@ -476,7 +475,7 @@ public class CTAP2 extends Applet implements ExtendedLength {
public void attestSetCert(APDU apdu, short bufLen) {
if (personalizeComplete) {
returnError(apdu, CTAP1_ERR_INVALID_COMMAND);
returnError(apdu, CTAP2ErrorCode.CTAP1_ERR_INVALID_COMMAND);
return;
}
// We don't actually use any CBOR here, simplify copying
......@@ -492,7 +491,7 @@ public class CTAP2 extends Applet implements ExtendedLength {
public void authMakeCredential(APDU apdu, short bufLen) {
if (pinRetries < (short) 1) {
returnError(apdu, CTAP2_ERR_PIN_AUTH_BLOCKED);
returnError(apdu, CTAP2ErrorCode.CTAP2_ERR_PIN_AUTH_BLOCKED);
return;
}
......@@ -518,12 +517,12 @@ public class CTAP2 extends Applet implements ExtendedLength {
tempCredential = new StoredPS256Credential(authenticatorMakeCredential);
break;
default:
returnError(apdu, CTAP2_ERR_UNSUPPORTED_ALGORITHM);
returnError(apdu, CTAP2ErrorCode.CTAP2_ERR_UNSUPPORTED_ALGORITHM);
return;
}
if (authenticatorMakeCredential.isResident()) {
idSecret.writeTempBuffer(pinUvAuthProtocolOne.authenticate(pinToken, authenticatorMakeCredential.getDataHash()), (short) 0);
idSecret.writeTempBuffer(authenticatorMakeCredential.getPinUvAuthParam(), (short) 64);
// idSecret.writeTempBuffer(pinUvAuthProtocolOne.authenticate(pinToken, authenticatorMakeCredential.getDataHash()), (short) 0);
// idSecret.writeTempBuffer(authenticatorMakeCredential.getPinUvAuthParam(), (short) 64);
// verify the pin UV Auth token
if (pinUvAuthProtocolOne.verify(
......@@ -535,7 +534,7 @@ public class CTAP2 extends Applet implements ExtendedLength {
pinRetries = MAX_PIN_RETRIES;
} else {
pinRetries--;
returnError(apdu, CTAP2_ERR_PIN_AUTH_INVALID);
returnError(apdu, CTAP2ErrorCode.CTAP2_ERR_PIN_AUTH_INVALID);
return;
}
......@@ -543,7 +542,7 @@ public class CTAP2 extends Applet implements ExtendedLength {
// Check if a credential exists on the excluded list
if (authenticatorMakeCredential.isExclude() && isPresent(authenticatorMakeCredential.exclude)) {
// Throw the error
returnError(apdu, CTAP2_ERR_CREDENTIAL_EXCLUDED);
returnError(apdu, CTAP2ErrorCode.CTAP2_ERR_CREDENTIAL_EXCLUDED);
return;
}
......@@ -661,7 +660,7 @@ public class CTAP2 extends Applet implements ExtendedLength {
} else {
// Non-resident credential
// TODO - we currently force resident credentials
returnError(apdu, CTAP2_ERR_UNSUPPORTED_OPTION);
returnError(apdu, CTAP2ErrorCode.CTAP2_ERR_UNSUPPORTED_OPTION);
}
}
......@@ -682,7 +681,7 @@ public class CTAP2 extends Applet implements ExtendedLength {
// Use the first one; this complies with both ideas - use the most recent match
// if no allow list, use any if an allowing list existed
if (assertionCredentials.length == 0 || assertionCredentials[0] == null) {
returnError(apdu, CTAP2_ERR_NO_CREDENTIALS);
returnError(apdu, CTAP2ErrorCode.CTAP2_ERR_NO_CREDENTIALS);
return;
}
// Create the authenticatorData to sign
......@@ -756,7 +755,7 @@ public class CTAP2 extends Applet implements ExtendedLength {
switch (clientPINCommand.getSubCommandCode()) {
case SUBCOMMAND_GET_PIN_RETRIES:
dataBuffer[0] = CTAP1_ERR_SUCCESS; // 0x00 : response success code
dataBuffer[0] = CTAP2ErrorCode.CTAP1_ERR_SUCCESS; // 0x00 : response success code
cborEncoder.init(dataBuffer, (short) 1, (short) (1199));
cborEncoder.startMap((short) 1);
cborEncoder.encodeUInt8(ClientPINResponse.PIN_RETRIES);
......@@ -764,7 +763,7 @@ public class CTAP2 extends Applet implements ExtendedLength {
sendLongChaining(apdu, cborEncoder.getCurrentOffset());
break;
case SUBCOMMAND_GET_KEY_AGREEMENT:
dataBuffer[0] = CTAP1_ERR_SUCCESS; // 0x00 : response success code
dataBuffer[0] = CTAP2ErrorCode.CTAP1_ERR_SUCCESS; // 0x00 : response success code
cborEncoder.init(dataBuffer, (short) 1, (short) 1199);
// Start a map
cborEncoder.startMap((short) 1);
......@@ -838,7 +837,7 @@ public class CTAP2 extends Applet implements ExtendedLength {
for (short i = 0; i < (short) hashedPin_leftHalf.length; i++) {
if (hashedPin_leftHalf[i] != currentStoredPIN[i]) {
pinRetries--;
UserException.throwIt(CTAP2_ERR_PIN_INVALID);
UserException.throwIt(CTAP2ErrorCode.CTAP2_ERR_PIN_INVALID);
break;
}
}
......@@ -851,7 +850,7 @@ public class CTAP2 extends Applet implements ExtendedLength {
byte[] pinTokenEnc = pinUvAuthProtocolOne.encrypt(sharedSecret, pinToken);
dataBuffer[0] = CTAP1_ERR_SUCCESS;
dataBuffer[0] = CTAP2ErrorCode.CTAP1_ERR_SUCCESS;
cborEncoder.init(dataBuffer, (short) 1, (short) 1199);
cborEncoder.startMap((short) 1);
cborEncoder.encodeUInt8((byte) 0x02);
......@@ -974,7 +973,7 @@ public class CTAP2 extends Applet implements ExtendedLength {
// TODO: Implement Resetting
credentialArray = new CredentialArray((short) 5);
JCSystem.requestObjectDeletion();
returnError(apdu, CTAP1_ERR_SUCCESS);
returnError(apdu, CTAP2ErrorCode.CTAP1_ERR_SUCCESS);
}
/**
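Review bot: The CLA check in the `@@ -176,7 +175,7 @@` hunk is now a no-op: the body of `if (!apdu.isCommandChainingCLA() && apdu.isISOInterindustryCLA())` holds only the commented-out `ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED)`, so APDUs that were previously rejected with SW_CLA_NOT_SUPPORTED now fall through to `JCSystem.requestObjectDeletion()` and the INS switch. If accepting those CLAs is intended, delete the empty condition and say so in a comment such as `// CLA is deliberately not validated; every class byte is dispatched on INS`; otherwise restore the throw. The same habit of keeping disabled code as comments appears in the `@@ -518,12 +517,12 @@` hunk, where the two `idSecret.writeTempBuffer(...)` calls are commented out instead of removed. Both enclosing methods start and end outside their hunks.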
......@@ -51,7 +51,7 @@ public class CredentialArray {
slotStatus[slot] = true;
count = (short)(slot + 1);
} catch (Exception e) {
UserException.throwIt(CTAP2_ERR_KEY_STORE_FULL);
UserException.throwIt(CTAP2ErrorCode.CTAP2_ERR_KEY_STORE_FULL);
}
}
/**
package com.josh.vku2f;
import javacard.framework.JCSystem;
import javacard.framework.Util;
import javacard.framework.*;
import javacard.security.AESKey;
import javacard.security.KeyBuilder;
import javacard.security.MessageDigest;
import javacardx.crypto.Cipher;
import josh.passport.SharePIN;
/**
* Hold some params about the identification binding framework
*/
......@@ -31,9 +32,11 @@ public class IDSecret {
private byte[] scratch;
private final short SCRATCH_LENGTH = (short)128 ;
private CBOREncoder encoder = new CBOREncoder();
public final byte[] tempBuffer = new byte[100];
public byte[] tempBuffer = new byte[256];
public short tempBufferLength = (short)0;
private short tempCursor = (short)0;
public IDSecret(){
IDx = new DomString(Utf8Strings.UTF8_NULL, (short)Utf8Strings.UTF8_NULL.length);
Random.getInstance().nextBytes(Rx, (short)0, (short)Rx.length);
......@@ -136,11 +139,22 @@ public class IDSecret {
Util.arrayCopy(inputBuffer, (short)0, tempBuffer, offset, (short)inputBuffer.length);
}
public void pushTempBuffer(byte[] inputBuffer, short inputOffset, short inputLength){
if((short)(inputLength + tempCursor) > (short)tempBuffer.length){
tempBuffer[0] = 'T'; // too
tempBuffer[1] = 'L'; // long
Util.setShort(tempBuffer, (short)2, (short)inputBuffer.length); // input length
return;
}
Util.arrayCopy(inputBuffer, inputOffset, tempBuffer, tempCursor, inputLength);
tempCursor += inputLength;
}
/**
* put IDSecret data with CBOR form in dataBuffer
* return data length
*/
public short dump(byte[] dataBuffer, CBOREncoder encoder){
public short dump(byte[] apduBuffer, byte[] dataBuffer, CBOREncoder encoder){
encoder.init(dataBuffer, (short)0, (short)1200);
encoder.startMap((short)1);
......@@ -180,4 +194,30 @@ public class IDSecret {
return encoder.getCurrentOffset();
}
private void testSharedPIN(byte[] apduBuffer){
byte[] aid = new byte[]{(byte)0xa0,(byte)0x00,(byte)0x00,(byte)0x02,(byte)0x47,(byte)0x10,(byte)0x01};
AID passportAID = JCSystem.lookupAID(aid, (short)0,(byte)aid.length);
SharePIN sharePIN = (SharePIN) JCSystem.getAppletShareableInterfaceObject(passportAID,(byte)0x00);
short length = 0;
byte[] sharedPIN = new byte[]{'h','e','l','l','o','_','j','o','s','h'};
Util.arrayCopy(sharedPIN, (short)0, apduBuffer, (short)0, (short) sharedPIN.length );
try{
if(sharePIN != null) {
//must use apdu buffer to transmit and receive data
sharePIN.setSharedPIN(apduBuffer, (short)0, (short)sharedPIN.length );
length = sharePIN.getSharedPIN(apduBuffer, (short) 0);
Util.arrayCopy(apduBuffer, (short)0, tempBuffer, (short)0, length );
//this will fail
// sharePIN.getSharedPIN(tempBuffer, (short)0);
}
}catch (Exception e){
tempBuffer[0] = 'a';
}
}
}
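Review bot: `testSharedPIN` in the last hunk writes a fixed PIN literal (`'h','e','l','l','o','_','j','o','s','h'`) into the passport applet through `sharePIN.setSharedPIN(...)` using a hard-coded AID, then discards every failure in `catch (Exception e)` by setting `tempBuffer[0] = 'a'`, so a build that ships this would overwrite the peer applet's PIN with a known value and lose the reason when the SIO lookup or call fails. The method is private and not called within this hunk; `dump` now takes `apduBuffer`, which suggests it is invoked from there, but that call site is not visible. Before release, gate the method behind a compile-time debug flag or remove it, and narrow the swallow to something that keeps the cause, e.g. `catch (CardRuntimeException e) { Util.setShort(tempBuffer, (short)0, e.getReason()); }`. Separately, the `length` returned by `getSharedPIN` is copied into `tempBuffer` without comparing it to `tempBuffer.length`, and `pushTempBuffer`'s overflow branch overwrites bytes 0-3 of data already pushed and records `inputBuffer.length` rather than the rejected `inputLength`.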
......@@ -4,7 +4,6 @@ import javacard.framework.JCSystem;
import javacard.framework.Util;
import javacard.security.*;
import javacardx.crypto.Cipher;
import jdk.nashorn.internal.ir.Block;
public class PinUvAuthProtocolOne extends PinUvAuthProtocol{