From 050d20bfdf019614e8905516722ae6dd48874638 Mon Sep 17 00:00:00 2001 From: Klas Lindfors Date: Thu, 13 Dec 2012 12:21:18 +0100 Subject: [PATCH] Make the openpgp app suitable for the YubiKey NEO add documentation for building it with eclipse-jcde make it compatible with jcop 2.4.2r1 add gpshell script for loading to card --- .classpath | 6 ++ .gitignore | 2 + .jcproject | 7 ++ .project | 23 ++++ .settings/org.eclipse.jdt.core.prefs | 11 ++ README | 112 ++++++++++++++++++++ gpinstall.txt | 14 +++ src/openpgpcard/OpenPGPApplet.java | 14 ++- src/openpgpcard/OpenPGPSecureMessaging.java | 4 +- src/openpgpcard/PGPKey.java | 4 +- 10 files changed, 185 insertions(+), 12 deletions(-) create mode 100644 .classpath create mode 100644 .gitignore create mode 100644 .jcproject create mode 100644 .project create mode 100644 .settings/org.eclipse.jdt.core.prefs create mode 100644 gpinstall.txt diff --git a/.classpath b/.classpath new file mode 100644 index 0000000..dd30865 --- /dev/null +++ b/.classpath @@ -0,0 +1,6 @@ + + + + + + diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..9fe01eb --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +bin/ +src/openpgpcard/javacard/ diff --git a/.jcproject b/.jcproject new file mode 100644 index 0000000..780bdf4 --- /dev/null +++ b/.jcproject @@ -0,0 +1,7 @@ + + + +Java Card project properties +0xD2:0x76:0x00:0x01:0x24:0x01 +0xD2:0x76:0x00:0x01:0x24:0x01:0x02:0x00:0x00:0x00:0x00:0x00:0x00:0x01:0x00:0x00 + diff --git a/.project b/.project new file mode 100644 index 0000000..7a9166e --- /dev/null +++ b/.project @@ -0,0 +1,23 @@ + + + ykneo-openpgp + + + + + + org.eclipse.jdt.core.javabuilder + + + + + org.eclipsejcde.core.javacardBuilder + + + + + + org.eclipse.jdt.core.javanature + org.eclipsejcde.core.javacardNature + + diff --git a/.settings/org.eclipse.jdt.core.prefs b/.settings/org.eclipse.jdt.core.prefs new file mode 100644 index 0000000..416f4fb --- /dev/null +++ b/.settings/org.eclipse.jdt.core.prefs 
@@ -0,0 +1,11 @@
+eclipse.preferences.version=1
+org.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled
+org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.5
+org.eclipse.jdt.core.compiler.codegen.unusedLocal=preserve
+org.eclipse.jdt.core.compiler.compliance=1.5
+org.eclipse.jdt.core.compiler.debug.lineNumber=generate
+org.eclipse.jdt.core.compiler.debug.localVariable=generate
+org.eclipse.jdt.core.compiler.debug.sourceFile=generate
+org.eclipse.jdt.core.compiler.problem.assertIdentifier=error
+org.eclipse.jdt.core.compiler.problem.enumIdentifier=error
+org.eclipse.jdt.core.compiler.source=1.5
diff --git a/README b/README
index e69de29..1b11e5c 100644
--- a/README
+++ b/README
@@ -0,0 +1,112 @@
+YubiKey NEO App: OpenPGP
+========================
+
+This project implement the OpenPGP card functionality used on the
+YubiKey NEO device that is sold by Yubico. This project is relatively
+unmodified from the upstream project on which this project is based:
+
+ http://sourceforge.net/p/javacardopenpgp/
+ Author: Joeri de Ruiter
+
+The initial modifications we have made compared to the upstream
+project are minor, but we reserve the right to make other
+changes/improvements that are specific to the YubiKey NEO hardware.
+
+License
+-------
+
+The upstream project was released under the GPLv2+ and our fork uses
+the same license. All of our changes are released under the same
+license. See the file LICENSE for more information.
+
+Building
+--------
+
+It is possible to build the project using proprietary NXP Java Card
+tools.
+
+Another way to build the project is with Eclipse and eclipse-jcde.
+
+First install Eclipse following instructions on:
+
+ http://www.eclipse.org/
+
+On Debian/Ubuntu systems Eclipse is packaged and can be installed from
+the command line:
+
+ apt-get install eclipse
+
+Start Eclipse once to make sure it creates a $HOME/.eclipse/
+directory. Then quit Eclipse.
+
+Download the eclipse-jcde-0.2.zip file from
+
+ http://eclipse-jcde.sourceforge.net/
+
+and unpack it like this:
+
+ $ cd ~/.eclipse/*/
+ $ unzip /path/to/eclipse-jcde-0.2.zip
+
+The path to unpack the file into depends on your Eclipse installation,
+on my Debien Wheezy system the directory was called
+~/.eclipse/org.eclipse.platform_3.8_155965261/
+
+Start Eclipse again and confirm that you have a new top-level menu
+called "Java Card".
+
+You then need to install the Java Card Development Kit version 2.2.2,
+download it from:
+
+ http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-javame-419430.html#java_card_kit-2.2.2-oth-JPR
+
+Unpack it into a new directory called for example "jckit" like this:
+
+ $ mkdir jckit
+ $ cd jckit
+ $ unzip /path/to/java_card_kit-2_2_2-linux.zip
+ $ cd java_card_kit-2_2_2/
+ $ unzip java_card_kit-2_2_2-rr-bin-linux-do.zip
+
+Then in Eclipse select the "Preferences" menu under "Java Card" and
+point the "Java Card Home" directory to
+/path/to/jckit/java_card_kit-2_2_2 replacing /path/to as appropriate.
+
+After that the project can be imported into the workspace.
+Right-click in the "Project Explorer" window and select "Import".
+Under "General" select "Existing Projects into Workspace". As the
+root directory point the directory holding this file. You need to
+select "Copy projects into workspace".
+
+To build the .cap file, expand and right click on the "openpgpcard"
+sub-directory and select "Java Card Tools" and then "Convert". The
+CAP file will be available in your Eclipse workspace as:
+
+ javacardopenpgp/bin/openpgpcard/javacard/openpgpcard.cap
+
+For loading the applet onto the card first make sure the YubiKey NEO
+is in the HID/CCID or CCID mode, using ykpers from the YubiKey
+Personalization tool:
+
+ http://code.google.com/p/yubikey-personalization/
+ https://github.com/Yubico/yubikey-personalization
+
+For example:
+
+ sudo ykpersonalize -m82
+
+Then install the gpshell tool from Global Platform:
+
+ http://sourceforge.net/projects/globalplatform/
+
+The projects that are needed is the GlobalPlatform Library 6.0.0,
+GPShell 1.4.4, and gppcscconnectionplugin which doesn't seem to be
+available in any released tarball so you have to get it from
+Subversion.
+
+You need to whitelist the device in /etc/libccid_Info.plist.
+
+When the CAP file has been built and is available in the path shown
+above, you may use the gpshell tool to load it:
+
+ $ gpshell gpinstall.txt
diff --git a/gpinstall.txt b/gpinstall.txt
new file mode 100644
index 0000000..f7a7891
--- /dev/null
+++ b/gpinstall.txt
@@ -0,0 +1,14 @@
+mode_211
+enable_trace
+
+establish_context
+card_connect
+select -AID a000000003000000
+open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f
+
+delete -AID D2760001240102000000000000010000
+delete -AID D27600012401
+
+install -file ./bin/openpgpcard/javacard/openpgpcard.cap -instParam 00 -priv 00
+card_disconnect
+release_context
diff --git a/src/openpgpcard/OpenPGPApplet.java b/src/openpgpcard/OpenPGPApplet.java
index f584e5d..ed14c2f 100644
--- a/src/openpgpcard/OpenPGPApplet.java
+++ b/src/openpgpcard/OpenPGPApplet.java
@@ -34,8 +34,8 @@
  * 0000 - RFU
  *
  * @author Joeri de Ruiter (joeri@cs.ru.nl)
- * @version $Revision$ by $Author$
- * $LastChangedDate$
+ * @version $Revision: 12 $ by $Author: joeridr $
+ * $LastChangedDate: 2012-02-23 15:31:33 +0100 (tor, 23 feb 2012) $
  */
 public class OpenPGPApplet extends Applet implements ISO7816 {
 private static final short _0 = 0;
@@ -47,8 +47,8 @@ public class OpenPGPApplet extends Applet implements ISO7816 {
 0x00 };
 private static final byte[] EXTENDED_CAP = {
- (byte) 0xF0, // Support for GET CHALLENGE // Support for Key Import
+ (byte) 0xD0, // Support for GET CHALLENGE // No support for Key Import
 // PW1 Status byte changeable
 0x00, // Secure messaging using 3DES
 0x00, (byte) 0xFF, // Maximum length of challenges
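Review bot: gpinstall.txt opens the secure channel with the well-known default GlobalPlatform test key (`-mac_key 404142434445464748494a4b4c4d4e4f`, `-keyver 0`) and `-security 1`, which as far as I read the gpshell option selects C-MAC without command encryption, yet neither the script nor the README step that runs `gpshell gpinstall.txt` says this only works on a card still carrying its default card-manager keys. The two `delete -AID` lines also remove the existing OpenPGP instance and package, and with them whatever keys and PINs that instance holds, before the new CAP is installed. I would add one sentence to the README beside the gpshell step: `gpinstall.txt assumes the card still has the default GlobalPlatform keys and deletes any existing OpenPGP instance (including its stored keys) before installing; replace the -mac_key/-enc_key values on a card with custom keys.` `enable_trace` additionally echoes every APDU to the terminal, which is fine for development but worth naming in the same sentence.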
@@ -61,7 +61,7 @@ public class OpenPGPApplet extends Applet implements ISO7816 {
 private static short RESPONSE_SM_MAX_LENGTH = 231;
 private static short CHALLENGES_MAX_LENGTH = 255;
-private static short BUFFER_MAX_LENGTH = 510;
+private static short BUFFER_MAX_LENGTH = 1020;
 private static short LOGINDATA_MAX_LENGTH = 254;
 private static short URL_MAX_LENGTH = 254;
@@ -74,7 +74,7 @@ public class OpenPGPApplet extends Applet implements ISO7816 {
 // Default PW1 '123456'
 private static byte[] PW1_DEFAULT = { 0x31, 0x32, 0x33, 0x34, 0x35, 0x36 };
 private static byte PW1_MODE_NO81 = 0;
-private static byte PW1_MODE_NO82 = 0;
+private static byte PW1_MODE_NO82 = 1;
 private static final byte RC_MIN_LENGTH = 8;
 private static final byte RC_MAX_LENGTH = 127;
@@ -631,13 +631,11 @@ private short genAsymKey(APDU apdu, byte mode) {
 if (!pw3.isValidated())
 ISOException.throwIt(SW_SECURITY_STATUS_NOT_SATISFIED);
-JCSystem.beginTransaction();
 key.genKeyPair();
 if (buffer[0] == (byte) 0xB6) {
 Util.arrayFillNonAtomic(ds_counter, _0, (short) 3, (byte) 0);
 }
-JCSystem.commitTransaction();
 }
 // Output requested key
diff --git a/src/openpgpcard/OpenPGPSecureMessaging.java b/src/openpgpcard/OpenPGPSecureMessaging.java
index 6bb7550..c30dafa 100644
--- a/src/openpgpcard/OpenPGPSecureMessaging.java
+++ b/src/openpgpcard/OpenPGPSecureMessaging.java
@@ -42,8 +42,8 @@
  * e-passport Java Card applet from the JMRTD project (http://jmrtd.org/).
  *
  * @author Pim Vullers
- * @version $Revision$ by $Author$
- * $LastChangedDate$
+ * @version $Revision: 12 $ by $Author: joeridr $
+ * $LastChangedDate: 2012-02-23 15:31:33 +0100 (tor, 23 feb 2012) $
  */
 public class OpenPGPSecureMessaging {
 private static final short SW_INTERNAL_ERROR = (short) 0x6D66;
diff --git a/src/openpgpcard/PGPKey.java b/src/openpgpcard/PGPKey.java
index c36822e..ba146d6 100644
--- a/src/openpgpcard/PGPKey.java
+++ b/src/openpgpcard/PGPKey.java
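Review bot: `BUFFER_MAX_LENGTH` is still a non-final `static short`, so after this change it remains a writable persistent field rather than a compile-time constant folded into the CAP; `private static final short BUFFER_MAX_LENGTH = 1020;` matches `RC_MIN_LENGTH`/`RC_MAX_LENGTH` in the next hunk and costs nothing. The same applies to `PW1_MODE_NO81`/`PW1_MODE_NO82` in the -74 hunk, which judging by the names and the 0/1 values are presumably slot indices into a per-mode PW1 verification state; if so, the old `0`/`0` pair aliased the two modes into one slot, and beyond fixing the value I would pin the invariant with `private static final byte PW1_MODE_NO82 = 1; // must differ from PW1_MODE_NO81` so it cannot silently regress. The enclosing class body begins and ends outside both hunks.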
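Review bot: Dropping the `JCSystem.beginTransaction()`/`commitTransaction()` pair in the -631 hunk leaves the `ds_counter` reset that follows `key.genKeyPair()` with no tear protection at all: a power loss between the two statements pairs the new signature key with the old counter, and `Util.arrayFillNonAtomic` never participated in the transaction anyway, so even the three-byte write can be left half done. The commit subject attributes the removal to jcop 2.4.2r1 compatibility, but nothing in the code says so, so at minimum `key.genKeyPair()` should carry a comment to stop the next reader from putting the transaction back. Assuming `ds_counter` is a persistent array (it is declared outside this hunk), I would keep the generation untransacted and wrap only the counter reset, written as element stores, which do honour a transaction. genAsymKey begins and ends outside the hunk.
```java
			key.genKeyPair(); // deliberately outside any transaction: jcop 2.4.2r1 compatibility (see commit message)

			if (buffer[0] == (byte) 0xB6) {
				// arrayFillNonAtomic ignores an open transaction; element stores
				// do not, so the counter reset is atomic with respect to a card tear.
				JCSystem.beginTransaction();
				ds_counter[0] = 0;
				ds_counter[1] = 0;
				ds_counter[2] = 0;
				JCSystem.commitTransaction();
			}
			// … unchanged: end of the generate branch and key output …
```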
@@ -23,8 +23,8 @@
 /**
  * @author Joeri de Ruiter (joeri@cs.ru.nl)
- * @version $Revision$ by $Author$
- * $LastChangedDate$
+ * @version $Revision: 12 $ by $Author: joeridr $
+ * $LastChangedDate: 2012-02-23 15:31:33 +0100 (tor, 23 feb 2012) $
  */
 public class PGPKey implements ISO7816 {
 public static final short KEY_SIZE = 2048;// 2368;