OpenFIPS201
An open source reference card application for NIST FIPS 201-2 / NIST SP800-73-4, targeting Javacard 3.0.4+
In PIVSecurityProvider.java, lines 307-314 of checkAccessModeAdmin():
```
//
// ACCESS CONDITION 3 - User Administration Privilege
//
if ((mode != PIVObject.ACCESS_MODE_ALWAYS)
    && ((mode & PIVObject.ACCESS_MODE_USER_ADMIN) == PIVObject.ACCESS_MODE_USER_ADMIN)
    && checkAccessModeObject(object)) {
...
```
I'm working on some unit testing for use with OpenFIPS201, and am using jCardSim. The open source version does not support Global Platform or Secure Channel. Looking through the code,...
The Access Mode Enumeration described [here](https://openfips201.atlassian.net/wiki/spaces/OD/pages/459060/Appendix+-+ASN.1+Schema#5.1-Schema) does not allow for a complete expression of all access modes described in 800-73-4. You define:
```
AccessMode ::= ENUMERATED { never (0), pin...
```
The [PUT_DATA_ADMIN schema](https://openfips201.atlassian.net/wiki/spaces/OD/pages/459060/Appendix+-+ASN.1+Schema#5.1-Schema) enumerates `pin (1)` and `pinAlways (2)`, which makes sense. For OCC you have only defined `occ (4)` and have omitted `occAlways`. If you look at the Security...
The [NIST compliant Profile for key objects](https://openfips201.atlassian.net/wiki/spaces/OD/pages/491612/Appendix+-+NIST+Compliant+Profile#6-Key-Object-Scripts) does not specify any OCC conditions. While I realize that OCC is not currently supported, it would be good to address them in...
When reading the CHUID, it's often not necessary to grab the entire data structure if pre-enrollment has occurred. SP 800-73-4 Appendix A states "For each container, compliant cards shall return...
I'm attempting to provision the GSA ICAM golden PIV card to OpenFIPS201. I can successfully enroll to the PIVClass Workstation software (which is generally fairly picky), but the PIVClass reader/PAM...
JC 3.0.5 introduced [`Cipher.OneShot`](https://docs.oracle.com/javacard/3.0.5/api/javacardx/crypto/Cipher.OneShot.html) operations. Our experience with `OneShot` signatures indicates a significant performance boost (40ms+ ???, I don't remember the exact number) when using ECDSA P-256 on one of...
`TLVWriter` doesn't offer _good_ support for multibyte tags. It should also have a `writeTag(byte[] tag)` method. I also noticed that `writeTag(short tag)` doesn't set a multibyte indicator byte nor does...
The TLV reader class seems to handle multibyte TLVs correctly when seeking the length field but not when getting a tag. `static short getLength(byte[] data, short offset)` handles multibyte tags...