/YkOtpApplet

Javacard applet emulating the Yubikey challenge-response interface

Primary LanguageJava

YkOtpApplet

About

This is a JavaCard applet that emulates the HMAC challenge-response functionality of the Yubikey NEO/4. It presents the same interface that a real Yubikey presents over CCID (i.e. this applet does not have any HID features).

The goal is to be able to write applications that use the HMAC-SHA1 Challenge-Response mode of the Yubikey, and have a JavaCard with this applet be a drop-in replacement.

Current status

What works:

  • HMAC-SHA1 challenge response, in HMAC_LT64 mode

  • Setting configuration using CMD_SET_CONF_{1,2}

  • Using the protection access code to prevent accidental slot overwrite

Installing

The pre-built .cap files for each release can be found on the project release page.

You can use the Global Platform command-line tool (gp) to upload the applet to your JavaCard:

$ gp -install YkOtpApplet.cap
CAP loaded

The easiest way to program the applet with an HMAC secret is to use yktool:

$ yktool list
Yubikeys available:
  - Yubikey 4 #279305487 v4.0.0

$ echo 'b6e3f555562c894b7af13b1db37f28deff3ea89b' | yktool program hmac 1 -x -X
Programmed slot 1 ok

$ printf 'aaaa' | yktool hmac 1 -x
72:7E:C8:E8:15:EE:C5:32:8F:9D:9C:BE:5E:F2:4E:A8:36:D7:CE:56

Building the project

We use ant-javacard for builds.

$ git clone https://github.com/arekinath/YkOtpApplet
...

$ cd YkOtpApplet
$ git submodule init && git submodule update
...

$ export JC_HOME=/path/to/jckit-2.2.2
$ ant

The capfile will be output in the ./bin directory, along with the .class files (which can be used with jCardSim).