This applet includes code to implement the FIDO2 CTAP standard.
Currently finished is basic registration, assertion, and information commands.
This is targeted at an implant form factor, for the VivoKey Apex but can be used elsewhere.
Please change the aaguid in CTAP2.java if you fork this applet, as this is specific per-manufacturer and per-model.
This is built with JC3.0.5u3, with ant-javacard. As such, it only targets the NXP P71 (for Fidesmo), and any equivalent.
Ensure you initialise the submodules, as this will pull the sdk libraries for javacard itself.
I use VS Code to edit this, and I've included JC3.0.4 and JC3.0.5 sources for attachment.
The CTAP2 implementation is completely separate from the U2F implementation - handoff is done in U2FApplet.java in process() when the correct tagging is detected.
Attestation is incomplete, but expects a certificate to be loaded for the CTAP2 attestation pair, which is generated on-card. Load commands are not (yet) implemented.
It is envisioned we use a Yubico-compatible certificate for this, but that is outside the scope of this applet and will be covered in a personalisation project.
Push requests are welcome.
User verification, by default, is flagged as complete. This is based on our implant form factor, as we consider the tap of an implant to fulfill this. As such, PIN support is not included, because it requires you to hold the implant to the reader as you type the PIN. Feel free to submit PIN support, but I will not be dedicating time to it at present.
This is a fork of the Ledger U2F Applet that is focused on privacy and compatability. It has several unique features:
- Still works with JC 3.0.1 cards. (Probably not anymore - Riley)
- Supports iOS via NFC, by working around a bug in Apple's FIDO2 implementation.
- Multiple counters (8), which are assigned to registrations in a round-robin fashion.
- EEPROM wear-leveling for counters
- Supports "dont-enforce-user-presence-and-sign".
This fork also fixes some problems with Extended APDUs that is present in the upstream version.
If you want to just get a CAP file and install it, you can find it in the releases section. Check the assets for the release, there should be a U2FApplet.cap and a U2FApplet.cap.gpg. The cap file is signed with my public gpg key.
Once you have a CAP file, you can use this script to install using GlobalPlatformPro.
What follows below is from the original project README, with a few edits for things that have clearly changed.
This applet is a Java Card implementation of the FIDO Alliance U2F standard
It uses no proprietary vendor API and is freely available on Ledger Unplugged and for a small fee on other Fidesmo devices through Fidesmo store
- Set the environment variable
JC_HOMEto the folder containg the Java Card Development Kit 3.0.2 - Run
gradlew convertJavacard
Either load the CAP file using your favorite third party software or refer to Fidesmo Gradle Plugin to use on the Fidesmo platform
The following install parameters are expected :
- 1 byte flag : provide 01 to pass the current Fido NFC interoperability tests, or 00 (You almost certainly want to pass in 00)
- 2 bytes length (big endian encoded) : length of the attestation certificate to load, supposed to be using a private key on the P-256 curve
- 32 bytes : private key of the attestation certificate
Before using the applet, the attestation certificate shall be loaded using a proprietary APDU
| CLA | INS | P1 | P2 | Data |
|---|---|---|---|---|
| 80 | 01 | offset (high) | offset (low) | Certificate data chunk |
- Download Google Authenticator
- Test on http://u2fdemo.appspot.com or https://demo.yubico.com/u2f from Chrome
- For additional API reference and implementations, check the reference code, the beta NFC API and Yubico guide
This implementation has been certified FIDO U2F compliant on December 17, 2015 (U2F100020151217001). See tag u2f-certif-171215
This application is licensed under Apache 2.0
Please contact hello@ledger.fr for any question