Make the openpgp app suitable for the YubiKey NEO

add documentation for building it with eclipse-jcde make it compatible with jcop 2.4.2r1 add gpshell script for loading to card
Yubico · Dec 18, 2012 · 050d20b · 050d20b
1 parent 72f711a
commit 050d20b
Show file tree

Hide file tree

Showing 10 changed files with 185 additions and 12 deletions.
diff --git a/.classpath b/.classpath
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<classpath>
+	<classpathentry kind="src" path="src"/>
+	<classpathentry kind="con" path="JCDK2.2.2"/>
+	<classpathentry kind="output" path="bin"/>
+</classpath>
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+bin/
+src/openpgpcard/javacard/
diff --git a/.jcproject b/.jcproject
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
+<properties>
+<comment>Java Card project properties</comment>
+<entry key="openpgpcard">0xD2:0x76:0x00:0x01:0x24:0x01</entry>
+<entry key="openpgpcard.OpenPGPApplet">0xD2:0x76:0x00:0x01:0x24:0x01:0x02:0x00:0x00:0x00:0x00:0x00:0x00:0x01:0x00:0x00</entry>
+</properties>
diff --git a/.project b/.project
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+	<name>ykneo-openpgp</name>
+	<comment></comment>
+	<projects>
+	</projects>
+	<buildSpec>
+		<buildCommand>
+			<name>org.eclipse.jdt.core.javabuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+		<buildCommand>
+			<name>org.eclipsejcde.core.javacardBuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+	</buildSpec>
+	<natures>
+		<nature>org.eclipse.jdt.core.javanature</nature>
+		<nature>org.eclipsejcde.core.javacardNature</nature>
+	</natures>
+</projectDescription>
diff --git a/.settings/org.eclipse.jdt.core.prefs b/.settings/org.eclipse.jdt.core.prefs
@@ -0,0 +1,11 @@
+eclipse.preferences.version=1
+org.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled
+org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.5
+org.eclipse.jdt.core.compiler.codegen.unusedLocal=preserve
+org.eclipse.jdt.core.compiler.compliance=1.5
+org.eclipse.jdt.core.compiler.debug.lineNumber=generate
+org.eclipse.jdt.core.compiler.debug.localVariable=generate
+org.eclipse.jdt.core.compiler.debug.sourceFile=generate
+org.eclipse.jdt.core.compiler.problem.assertIdentifier=error
+org.eclipse.jdt.core.compiler.problem.enumIdentifier=error
+org.eclipse.jdt.core.compiler.source=1.5
diff --git a/README b/README
@@ -0,0 +1,112 @@
+YubiKey NEO App: OpenPGP
+========================
+
+This project implement the OpenPGP card functionality used on the
+YubiKey NEO device that is sold by Yubico.  This project is relatively
+unmodified from the upstream project on which this project is based:
+
+  http://sourceforge.net/p/javacardopenpgp/
+  Author: Joeri de Ruiter
+
+The initial modifications we have made compared to the upstream
+project are minor, but we reserve the right to make other
+changes/improvements that are specific to the YubiKey NEO hardware.
+
+License
+-------
+
+The upstream project was released under the GPLv2+ and our fork uses
+the same license.  All of our changes are released under the same
+license.  See the file LICENSE for more information.
+
+Building
+--------
+
+It is possible to build the project using proprietary NXP Java Card
+tools.
+
+Another way to build the project is with Eclipse and eclipse-jcde.
+
+First install Eclipse following instructions on:
+
+  http://www.eclipse.org/
+
+On Debian/Ubuntu systems Eclipse is packaged and can be installed from
+the command line:
+
+  apt-get install eclipse
+
+Start Eclipse once to make sure it creates a $HOME/.eclipse/
+directory.  Then quit Eclipse.
+
+Download the eclipse-jcde-0.2.zip file from
+
+  http://eclipse-jcde.sourceforge.net/
+
+and unpack it like this:
+
+  $ cd ~/.eclipse/*/
+  $ unzip /path/to/eclipse-jcde-0.2.zip
+
+The path to unpack the file into depends on your Eclipse installation,
+on my Debien Wheezy system the directory was called
+~/.eclipse/org.eclipse.platform_3.8_155965261/
+
+Start Eclipse again and confirm that you have a new top-level menu
+called "Java Card".
+
+You then need to install the Java Card Development Kit version 2.2.2,
+download it from:
+
+  http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-javame-419430.html#java_card_kit-2.2.2-oth-JPR
+
+Unpack it into a new directory called for example "jckit" like this:
+
+  $ mkdir jckit
+  $ cd jckit
+  $ unzip /path/to/java_card_kit-2_2_2-linux.zip
+  $ cd java_card_kit-2_2_2/
+  $ unzip java_card_kit-2_2_2-rr-bin-linux-do.zip
+
+Then in Eclipse select the "Preferences" menu under "Java Card" and
+point the "Java Card Home" directory to
+/path/to/jckit/java_card_kit-2_2_2 replacing /path/to as appropriate.
+
+After that the project can be imported into the workspace.
+Right-click in the "Project Explorer" window and select "Import".
+Under "General" select "Existing Projects into Workspace".  As the
+root directory point the directory holding this file.  You need to
+select "Copy projects into workspace".
+
+To build the .cap file, expand and right click on the "openpgpcard"
+sub-directory and select "Java Card Tools" and then "Convert".  The
+CAP file will be available in your Eclipse workspace as:
+
+  javacardopenpgp/bin/openpgpcard/javacard/openpgpcard.cap
+
+For loading the applet onto the card first make sure the YubiKey NEO
+is in the HID/CCID or CCID mode, using ykpers from the YubiKey
+Personalization tool:
+
+  http://code.google.com/p/yubikey-personalization/
+  https://github.com/Yubico/yubikey-personalization
+
+For example:
+
+  sudo ykpersonalize -m82
+
+Then install the gpshell tool from Global Platform:
+
+  http://sourceforge.net/projects/globalplatform/
+
+The projects that are needed is the GlobalPlatform Library 6.0.0,
+GPShell 1.4.4, and gppcscconnectionplugin which doesn't seem to be
+available in any released tarball so you have to get it from
+Subversion.
+
+You need to whitelist the device in /etc/libccid_Info.plist.
+
+When the CAP file has been built and is available in the path shown
+above, you may use the gpshell tool to load it:
+
+  $ gpshell gpinstall.txt
diff --git a/gpinstall.txt b/gpinstall.txt
@@ -0,0 +1,14 @@
+mode_211
+enable_trace
+
+establish_context
+card_connect
+select -AID a000000003000000
+open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f
+
+delete -AID D2760001240102000000000000010000
+delete -AID D27600012401
+
+install -file ./bin/openpgpcard/javacard/openpgpcard.cap -instParam 00 -priv 00
+card_disconnect
+release_context
diff --git a/src/openpgpcard/OpenPGPApplet.java b/src/openpgpcard/OpenPGPApplet.java
@@ -34,8 +34,8 @@
  * 0000 - RFU
  * 
  * @author Joeri de Ruiter (joeri@cs.ru.nl)
- * @version $Revision$ by $Author$
- *          $LastChangedDate$
+ * @version $Revision: 12 $ by $Author: joeridr $
+ *          $LastChangedDate: 2012-02-23 15:31:33 +0100 (tor, 23 feb 2012) $
  */
 public class OpenPGPApplet extends Applet implements ISO7816 {
 	private static final short _0 = 0;
@@ -47,8 +47,8 @@ public class OpenPGPApplet extends Applet implements ISO7816 {
 			0x00 };
 
 	private static final byte[] EXTENDED_CAP = { 
-			(byte) 0xF0, // Support for GET CHALLENGE
-						 // Support for Key Import
+			(byte) 0xD0, // Support for GET CHALLENGE
+						 // No support for Key Import
 						 // PW1 Status byte changeable
 			0x00, // Secure messaging using 3DES
 			0x00, (byte) 0xFF, // Maximum length of challenges
@@ -61,7 +61,7 @@ public class OpenPGPApplet extends Applet implements ISO7816 {
 	private static short RESPONSE_SM_MAX_LENGTH = 231;
 	private static short CHALLENGES_MAX_LENGTH = 255;
 
-	private static short BUFFER_MAX_LENGTH = 510;
+	private static short BUFFER_MAX_LENGTH = 1020;
 
 	private static short LOGINDATA_MAX_LENGTH = 254;
 	private static short URL_MAX_LENGTH = 254;
@@ -74,7 +74,7 @@ public class OpenPGPApplet extends Applet implements ISO7816 {
 	// Default PW1 '123456'
 	private static byte[] PW1_DEFAULT = { 0x31, 0x32, 0x33, 0x34, 0x35, 0x36 };
 	private static byte PW1_MODE_NO81 = 0;
-	private static byte PW1_MODE_NO82 = 0;
+	private static byte PW1_MODE_NO82 = 1;
 
 	private static final byte RC_MIN_LENGTH = 8;
 	private static final byte RC_MAX_LENGTH = 127;
@@ -631,13 +631,11 @@ private short genAsymKey(APDU apdu, byte mode) {
 			if (!pw3.isValidated())
 				ISOException.throwIt(SW_SECURITY_STATUS_NOT_SATISFIED);
 
-			JCSystem.beginTransaction();
 			key.genKeyPair();
 
 			if (buffer[0] == (byte) 0xB6) {
 				Util.arrayFillNonAtomic(ds_counter, _0, (short) 3, (byte) 0);
 			}
-			JCSystem.commitTransaction();
 		}
 
 		// Output requested key

diff --git a/src/openpgpcard/OpenPGPSecureMessaging.java b/src/openpgpcard/OpenPGPSecureMessaging.java
@@ -42,8 +42,8 @@
  * e-passport Java Card applet from the JMRTD project (http://jmrtd.org/).
  * 
  * @author Pim Vullers
- * @version $Revision$ by $Author$
- *          $LastChangedDate$
+ * @version $Revision: 12 $ by $Author: joeridr $
+ *          $LastChangedDate: 2012-02-23 15:31:33 +0100 (tor, 23 feb 2012) $
  */
 public class OpenPGPSecureMessaging {
     private static final short SW_INTERNAL_ERROR = (short) 0x6D66;

diff --git a/src/openpgpcard/PGPKey.java b/src/openpgpcard/PGPKey.java
@@ -23,8 +23,8 @@
 
 /**
  * @author Joeri de Ruiter (joeri@cs.ru.nl)
- * @version $Revision$ by $Author$
- *          $LastChangedDate$
+ * @version $Revision: 12 $ by $Author: joeridr $
+ *          $LastChangedDate: 2012-02-23 15:31:33 +0100 (tor, 23 feb 2012) $
  */
 public class PGPKey implements ISO7816 {
 	public static final short KEY_SIZE = 2048;// 2368;