Skip to content

Releases: makinako/OpenFIPS201

OpenFIPS201 v1_10_2

31 Aug 13:55
e8dfba3
Compare
Choose a tag to compare

Release Package: OpenFIPS201_v1_10_2.zip
Release Version: v1.10.2
Release Date: 31st August 2022
Release Hash: 1132316d5627370f9bddabe81a68c381d057a57b6999ba8f23efee4d1254b8a0 (SHA256)
Release Commit: e8dfba3

Release Signed By:

Bugs

  • OF-132 Applet doesn't install on JCardSim
  • OF-130 Applet does not uninstall unless the package is also deleted
  • OF-127 retriesContact and retriesContactless for PIN/PUK should be limited to 15
  • OF-122 Applet does not permit contact and contactless retries to be the same value
  • OF-119 RESET RETRY COUNTER not checking intermediate PUK value
  • OF-118 Contactless intermediate retries incorrectly evaluated

Notes

  • Access to the OpenFIPS201 JIRA is currently restricted, if you wish to have access please contact kim@openfips201.org.
  • Documentation relating to OpenFIPS201 can be found here.
  • Discussions have been enabled, we welcome any feedback you have or let us know how you're using OpenFIPS201!

OpenFIPS201 v1_10_1

20 Jun 02:25
5783b21
Compare
Choose a tag to compare

Release Package: OpenFIPS201_v1_10_1.zip
Release Version: v1.10.1
Release Date: 20th June 2022
Release Hash: 0dd84ed5aee89a61767fa162be845eb3ef9bb1ce8270f70655a8afca6a58cde9 (SHA256)
Release Commit: 5783b21

Release Signed By:

Release notes - OpenFIPS201 Development - Version OpenFIPS201 v1.10.1

Bugs

  • OF-117 PinPolicy.RuleDistinct not enforced for CHANGE REFERENCE and RESET RETRY COUNTER
  • OF-46 GET STATUS prefixes tags with FF
  • OF-45 GET VERSION command prefixes tags with FF

Enhancements

  • OF-47 Move 'fips' indicator from GET VERSION to GET STATUS

Notes

  • Access to the OpenFIPS201 JIRA is currently restricted, if you wish to have access please contact kim@openfips201.org.
  • Documentation relating to OpenFIPS201 can be found here.
  • Discussions have been enabled, we welcome any feedback you have or let us know how you're using OpenFIPS201!

OpenFIPS201 v1_10_0

04 Apr 13:40
25cb2e6
Compare
Choose a tag to compare

Release Package: OpenFIPS201_v1_10_0.zip
Release Version: v1.10.0
Release Date: 4th Apr 2022
Release Hash: c5a58c8742e68d65cf21e9617d74643ca6b4d78771034e54ae5acb7648e81cfa (SHA256)

Release Signed By:

The latest revision of OpenFIPS201 is ready! Here are a few features and enhancements that have been added:

Documentation

  • Documentation relating to OpenFIPS201 has now been moved here to a public Confluence instance, as the docs were outgrowing the GitHub wiki.
  • Discussions has now been enabled, we welcome any feedback you have or let us know how you're using OpenFIPS201!

Dynamic Configuration

All FEATURE compilation constants are now gone and been replaced with a more extensive set of configuration registers for controlling aspects of applet behaviour. This means there is no longer a need to modify or build from source code in order to configure it.

All configuration elements can be updated either individually, or batched into a single command (using OPTIONAL ASN.1 elements). If you choose not to update the configuration, you can just use the default values that have all been defined to adhere to PIV, or if PIV doesn't specify something then sensible default values have been used.

Pre-Personalisation Interface

The PUT DATA ADMIN command has changed a bit due to dynamic configuration. The following BER-TLV structures are defined:

  • Create Data Object
  • Delete Data Object (Defined but not implemented)
  • Create Key Command
  • Delete Key (Defined but not implemented)
  • Update Configuration
  • Legacy Operation

Your current pre-perso will still work via the Legacy Operation, but you will not be able to take advantage of some of the extended features, notably dynamic configuration. We encourage you to migrate over to the new commands, which have been kept as similar as possible to ease the transition.

Bulk Pre-Personalisation

You can combine any number of the above pre-perso commands into the same APDU to reduce the command overheads of sending so many of them!

The command is identical to the normal PUT DATA ADMIN format, with the exception that you have an outer BER-TLV tag that contains a SEQUENCE OF individual commands.

You can also mix and match different kinds of updates in one (i.e. Keys, Data Objects and Config).

PIN Enhancements

The applet supports a number of additional useful enhancements to PIN functionality:

  • PIN Extended Length - You can define PIN lengths up to 16 digits in dynamic configuration
  • PIN Character Set - You can define PIN format requirements as either numeric, alpha numeric, alpha numeric (case insensitive) or raw (any byte value)
  • PIN History - You can configure the applet to remember up to the last 12 PIN values that were changed and prevent the user from re-using them.
  • PIN Complexity Rules - Two basic 'weak PIN' prevention rules have been added as optional parameters:
    • Sequence Rule - Allows you to prevent more than [n] consecutive digits from being used (for example, 123456).
    • Distinct Rule - Allows you to prevent more than [n] instances of the same character being used (for example, 111111).
  • PUK Retry Limits - PUK retries can now be defined in the same way PIN retries are (including separate counters for the Contact and Contactless interface). If the PUK is locked, it can only be unlocked by an administrative role over SCP03.

PIV Impacts:

  • Setting the PIN Extended Length feature above 8 or below 6 will cause the padding/length to no longer comply with SP 800-73.
  • Setting the PIN Character Set to anything other than numeric will not work with any middleware that enforces numeric-only digits.
  • PIN History and Complexity Rules should be transparent and simply result in an error condition that should be handled by PIV middleware / clients.

Dynamic Admin Keys

For each data object and asymmetric key, you can now optionally define which symmetric key is responsible for managing it. This gives you the capacity to give write / key generation access to targeted objects. This feature is optional and if you do not specify an admin key, objects will default to the9B key.

PIV Impact: PIV defaults to the 9B key as the administrative key, so to maintain compatibility, simply define this key or don't specify the key.

User Manageable Data Objects

For asymmetric keys and data objects, it is possible to now add the User Admin access mode privilege. If this is set, the data object can be written to, or the key generated as long as the access conditions for that card have been met. This can be separated for contact / contactless and the special 'always' access mode may not be paired with this.

This has been included to permit the possibility of lower security applications whereby it is useful for regularly-changing operational data to be managed on the card without the requirement for administrative keys. Of course if the thought of this horrifies you, do nothing to your pre-perso scripts and the functionality will stay disabled.

Optional Cryptographic Mechanisms

The applet now attempts to instantiate all the required cryptographic mechanisms, but if there are any that it can't this now only results in those corresponding mechanisms being disabled, not prevention of the entire applet install.

PIV Impact: None, provided the card is able to support at least one of the asymmetric key pair types.

Other

  • The GlobalPlatform library now targets GP 2.2.1 instead of GP 2.1.1. This should not pose a problem for JC 3.0.4+ cards.
  • The Admin key attribute has now been deprecated as it replaced by the adminKey option
  • A Permit Mutual key attribute has been added for symmetric keys so it needs to be explicitly enabled. For legacy operations this attribute is automatically applied to maintain compatibility.
  • The discovery object is generated at run-time instead of applet compilation now, so you can change configuration parameters and it will reflect correctly.
  • FEATURE_STRICT_APDU_CHAINING has been removed as ISO7816 is pretty clear that you should be able to interrupt chained commands without an error.
  • FEATURE_DISCOVERY_OBJECT_DEFAULT has been removed now that the discovery object generates every call.
  • FEATURE_PIV_TEST_VECTORS has been removed as it's usefulness reduced with ECC support and FIPS 140 doesn't like test values.
  • The Options.restrictContactlessGlobalconfiguration parameter has been added, which will make the applet non-selectable over the contactless interface.
  • The Options.restrictContactlessAdmin configuration parameter has been added, which prevents SCP03 administration over contactless.
  • The Options.restrictSingleKey configuration parameter has been added, which will prevent the applet from allowing the same key to be defined with multiple mechanisms.
  • GET STATUS and GET VERSION are improved (more additions and improvements will follow in the coming months, but compatibility with the current response bytes will be maintained so don't hard-code length requirements into your code!).
  • Lots of other background changes, code review changes, etc.

OpenFIPS201 v1.0.0-beta6 - Patch release

25 Jan 04:42
Compare
Choose a tag to compare

This is a public release of OpenFIPS201. Although tested, it is currently still marked as 'beta' and will remain so until it passes NIST PIV accreditation, after which it will be released as 'v1.0.0-final'. This is to give an opportunity to correct any issues that may come out of the accreditation process.

The attached file OpenFIPS201_V1_0_0_Beta_6.zip contains the following contents:

  • bin - The generated CAP files for this revision (one production, one with FEATURE_PIV_TEST_VECTORS set to true which must NOT be used in production!)
  • javadoc - The generated documentation including embedded source
  • scripts - Default pre-personalisation and test personalisation scripts
  • test - The output from PIV Test Runner
  • wiki - The contents of the wiki repository

CHANGES:

  1. Patches issue #2 (GeneralAuthenticate - RSA signature clobbering)

OpenFIPS201 v1.0.0-beta5 - Initial release

24 Nov 02:31
Compare
Choose a tag to compare

This is the first public release of OpenFIPS201. Although tested, it is currently still marked as 'beta' and will remain so until it passes NIST PIV accreditation, after which it will be released as 'v1.0.0-final'. This is to give an opportunity to correct any issues that may come out of the accreditation process.

The attached file OpenFIPS201_V1_0_0_Beta_5.zip contains the following contents:

  • bin - The generated CAP files for this revision (one regular, one with FEATURE_PIV_TEST_VECTORS set to true)
  • javadoc - The generated documentation including embedded source
  • scripts - Default pre-personalisation and test personalisation scripts
  • test - The output from PIV Test Runner
  • wiki - The contents of the wiki repository