2017-09-21 13:06:36 +00:00
# JavaCard Hardware Wallet
2017-09-27 17:04:26 +00:00
The status.im Hardware Wallet. At the moment Secure Channel and PIN management/verification are implemented.
2017-09-21 13:06:36 +00:00
2017-09-21 13:29:28 +00:00
The project is built using Gradle with the [Fidesmo Javacard Gradle plugin ](https://github.com/fidesmo/gradle-javacard ).
2017-09-25 11:36:28 +00:00
You can set the JavaCard HOME not only through the environment but also creating a gradle.properties file with the
property "com.fidesmo.gradle.javacard.home" set to the correct path.
2017-09-25 08:27:55 +00:00
2017-09-27 17:04:26 +00:00
Loading and installing the applet requires [gpshell ](https://sourceforge.net/p/globalplatform/wiki/GPShell/ ) to be
installed on the system. The gradle.properties file must contain the following properties
* im.status.gradle.gpshell = the path to the gpshell executable
* im.status.gradle.gpshell.isd = the AID of the issuer security domain
* im.status.gradle.gpshell.mac_key = the MAC key for the ISD
* im.status.gradle.gpshell.enc_key = the ENC key for the ISD
* im.status.gradle.gpshell.kek_key = the KEK key for the ISD
* im.status.gradle.gpshell.kvn = the Key Version Number for the ISD
2017-12-31 18:14:40 +00:00
* im.status.wallet.test.simulated = true if the test should run on the simulator, false (or anything else) otherwise
2017-09-27 17:04:26 +00:00
2017-10-06 09:58:10 +00:00
Testing is done with JUnit and performed either on a real card or on [jCardSim ](https://github.com/status-im/jcardsim ).
Although the tests are comprehensive, debugging on the real card is not easy because raw APDUs are not shown in the test
log and there is no way to set breakpoints in the applet.
2017-12-31 18:14:40 +00:00
In order to test with the simulator with an IDE, you need to pass these additional parameters to the JVM
2017-10-06 09:58:10 +00:00
```-noverify -Dim.status.wallet.test.simulated=true```
## Compilation
1. Download and install the JavaCard 3.0.4 SDK from [Oracle ](http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-javame-419430.html#java_card_kit-classic-3_0_4-rr-bin-do )
2. Clone the Github repo for our fork of [jCardSim ](https://github.com/status-im/jcardsim )
3. Create a gradle.properties (see below for an example)
2017-10-26 13:00:01 +00:00
4. Run `./gradlew convertJavacard`
## Installation
1. Follow all steps from the Compilation phase (except the last one)
2. Disconnect all card reader terminals from the system, except the one with the card where you want to install the applet
3. Run `./gradlew install`
## Testing
1. Follow all steps from the Installation phase (except the last one)
2017-12-31 17:29:15 +00:00
2. Make sure your JRE has the [JCE Unlimited Strength Jurisdiction Policy Files ](http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html )
installed. For more information check [here ](https://stackoverflow.com/questions/41580489/how-to-install-unlimited-strength-jurisdiction-policy-files ).
3. Run `./gradlew test`
2017-09-27 17:04:26 +00:00
## Example gradle.properties file
```
2017-10-06 09:58:10 +00:00
com.fidesmo.gradle.javacard.home=/home/username/javacard-3_0_4
2017-09-27 17:04:26 +00:00
im.status.gradle.gpshell=/usr/local/bin/gpshell
2017-10-25 11:29:13 +00:00
im.status.gradle.gpshell.isd=A000000151000000
2017-09-27 17:04:26 +00:00
im.status.gradle.gpshell.mac_key=404142434445464748494a4b4c4d4e4f
im.status.gradle.gpshell.enc_key=404142434445464748494a4b4c4d4e4f
im.status.gradle.gpshell.kek_key=404142434445464748494a4b4c4d4e4f
2017-10-25 11:29:13 +00:00
im.status.gradle.gpshell.kvn=0
2017-12-31 18:16:06 +00:00
im.status.wallet.test.simulated=false
2017-09-27 17:04:26 +00:00
```
2018-08-14 10:27:52 +00:00
## Alternative installation method
This method does not require the JavaCard SDK but requires an already compiled CAP file. The cards generated this way
have a random PUK and pairing code so they have better security. However applet installation/removal is not disabled,
because the script is still meant to be used during the development phase.
1. Install GPShell and Python 3
2. Put the wallet.cap file in the same directory as status_hw_perso.py
3. Disconnect all card reader terminals from the system, except the one with the card where you want to install the applet
4. Run the status_hw_perso.py script with no arguments.
5. Take note of the pairing code and PUK output by the script
2017-09-25 09:26:15 +00:00
## Implementation notes
2017-10-06 09:58:10 +00:00
* The applet requires JavaCard 3.0.4 or later.
2017-11-25 08:43:30 +00:00
* The class byte of the APDU is not checked since there are no conflicting INS code.
The algorithms the card must support are at least:
* Cipher.ALG_AES_BLOCK_128_CBC_NOPAD
* Cipher.ALG_AES_CBC_ISO9797_M2
* KeyAgreement.ALG_EC_SVDP_DH_PLAIN
* KeyPair.ALG_EC_FP (generation of 256-bit keys)
* MessageDigest.ALG_SHA_256
* MessageDigest.ALG_SHA_512
* RandomData.ALG_SECURE_RANDOM
* Signature.ALG_ECDSA_SHA_256
Best performance is achieved if the card supports:
* KeyAgreement.ALG_EC_SVDP_DH_PLAIN_XY
* Signature.ALG_AES_MAC_128_NOPAD (if this is supported, then Cipher.ALG_AES_BLOCK_128_CBC_NOPAD is not required)
* Signature.ALG_HMAC_SHA_512