{"id":37175897,"url":"https://github.com/makinako/openfips201","last_synced_at":"2026-01-14T20:31:53.276Z","repository":{"id":28635854,"uuid":"104690225","full_name":"makinako/OpenFIPS201","owner":"makinako","description":"An open source reference card application for NIST FIPS 201-2 / NIST SP800-73-4, targeting Javacard 3.0.4+","archived":false,"fork":false,"pushed_at":"2025-08-01T03:59:43.000Z","size":35418,"stargazers_count":77,"open_issues_count":19,"forks_count":37,"subscribers_count":11,"default_branch":"master","last_synced_at":"2025-08-01T05:37:00.509Z","etag":null,"topics":["aes","authentication","card-application","des","ecc","elliptic","fips201-2","javacard","nist","nist800-73","piv","rsa","smartcard","tripledes"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/makinako.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY_NOTES.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2017-09-25T01:34:44.000Z","updated_at":"2025-05-06T08:00:54.000Z","dependencies_parsed_at":"2025-07-16T05:57:38.889Z","dependency_job_id":"c57e5e69-46df-4f6e-937d-e54486fbc5cd","html_url":"https://github.com/makinako/OpenFIPS201","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/makinako/OpenFIPS201","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/makinako%2FOpenFIPS201","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/makinako%2FOpenFIPS201/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/makinako%2FOpenFIPS201/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/makinako%2FOpenFIPS201/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/makinako","download_url":"https://codeload.github.com/makinako/OpenFIPS201/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/makinako%2FOpenFIPS201/sbom","scorecard":{"id":613658,"data":{"date":"2025-08-11","repo":{"name":"github.com/makinako/OpenFIPS201","commit":"bd19f243b845aee174a8c19c14718f70b02b4d0d"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.9,"checks":[{"name":"Code-Review","score":1,"reason":"Found 4/23 approved changesets -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":1,"reason":"0 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":0,"reason":"binaries present in source code","details":["Warn: binary detected: tools/ant-javacard.jar:1","Warn: binary detected: tools/ant/etc/ant-bootstrap.jar:1","Warn: binary detected: tools/ant/lib/ant-antlr.jar:1","Warn: binary detected: tools/ant/lib/ant-apache-bcel.jar:1","Warn: binary detected: tools/ant/lib/ant-apache-bsf.jar:1","Warn: binary detected: tools/ant/lib/ant-apache-log4j.jar:1","Warn: binary detected: tools/ant/lib/ant-apache-oro.jar:1","Warn: binary detected: tools/ant/lib/ant-apache-regexp.jar:1","Warn: binary detected: tools/ant/lib/ant-apache-resolver.jar:1","Warn: binary detected: tools/ant/lib/ant-apache-xalan2.jar:1","Warn: binary detected: tools/ant/lib/ant-commons-logging.jar:1","Warn: binary detected: tools/ant/lib/ant-commons-net.jar:1","Warn: binary detected: tools/ant/lib/ant-imageio.jar:1","Warn: binary detected: tools/ant/lib/ant-jai.jar:1","Warn: binary detected: tools/ant/lib/ant-javamail.jar:1","Warn: binary detected: tools/ant/lib/ant-jdepend.jar:1","Warn: binary detected: tools/ant/lib/ant-jmf.jar:1","Warn: binary detected: tools/ant/lib/ant-jsch.jar:1","Warn: binary detected: tools/ant/lib/ant-junit.jar:1","Warn: binary detected: tools/ant/lib/ant-junit4.jar:1","Warn: binary detected: tools/ant/lib/ant-junitlauncher.jar:1","Warn: binary detected: tools/ant/lib/ant-launcher.jar:1","Warn: binary detected: tools/ant/lib/ant-netrexx.jar:1","Warn: binary detected: tools/ant/lib/ant-swing.jar:1","Warn: binary detected: tools/ant/lib/ant-testutil.jar:1","Warn: binary detected: tools/ant/lib/ant-xz.jar:1","Warn: binary detected: tools/ant/lib/ant.jar:1","Warn: binary detected: tools/google-java-format-1.15.0-all-deps.jar:1","Warn: binary detected: tools/sdk/gp211/gp211.jar:1","Warn: binary detected: tools/sdk/gp221/gp221.jar:1","Warn: binary detected: tools/sdk/jc304/bin/cref_t0.exe:1","Warn: binary detected: tools/sdk/jc304/bin/cref_t1.exe:1","Warn: binary detected: tools/sdk/jc304/bin/cref_tdual.exe:1","Warn: binary detected: tools/sdk/jc304/lib/JCBytecodeProfiler.jar:1","Warn: binary detected: tools/sdk/jc304/lib/ant-contrib-1.0b3.jar:1","Warn: binary detected: tools/sdk/jc304/lib/api_classic.jar:1","Warn: binary detected: tools/sdk/jc304/lib/api_classic_annotations.jar:1","Warn: binary detected: tools/sdk/jc304/lib/api_connected.jar:1","Warn: binary detected: tools/sdk/jc304/lib/asm-all-3.1.jar:1","Warn: binary detected: tools/sdk/jc304/lib/bcel-5.2.jar:1","Warn: binary detected: tools/sdk/jc304/lib/commons-cli-1.0.jar:1","Warn: binary detected: tools/sdk/jc304/lib/commons-codec-1.3.jar:1","Warn: binary detected: tools/sdk/jc304/lib/commons-httpclient-3.0.jar:1","Warn: binary detected: tools/sdk/jc304/lib/commons-logging-1.1.jar:1","Warn: binary detected: tools/sdk/jc304/lib/jctasks.jar:1","Warn: binary detected: tools/sdk/jc304/lib/tools.jar:1","Warn: binary detected: tools/sdk/jc310/lib/api_classic-3.0.4.jar:1","Warn: binary detected: tools/sdk/jc310/lib/api_classic-3.0.5.jar:1","Warn: binary detected: tools/sdk/jc310/lib/api_classic-3.1.0.jar:1","Warn: binary detected: tools/sdk/jc310/lib/api_classic_annotations-3.0.4.jar:1","Warn: binary detected: tools/sdk/jc310/lib/api_classic_annotations-3.0.5.jar:1","Warn: binary detected: tools/sdk/jc310/lib/api_classic_annotations-3.1.0.jar:1","Warn: binary detected: tools/sdk/jc310/lib/asm-8.0.1.jar:1","Warn: binary detected: tools/sdk/jc310/lib/commons-cli-1.4.jar:1","Warn: binary detected: tools/sdk/jc310/lib/commons-logging-1.2-9f99a00.jar:1","Warn: binary detected: tools/sdk/jc310/lib/jctasks_tools.jar:1","Warn: binary detected: tools/sdk/jc310/lib/json.jar:1","Warn: binary detected: tools/sdk/jc310/lib/tools.jar:1"],"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: project has a license file: LICENSE.md:0","Warn: project license file does not contain an FSF or OSI license."],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":4,"reason":"3 out of the last 5 releases have a total of 3 signed artifacts.","details":["Info: signed release artifact: OpenFIPS201_v1_10_2.zip.sig: https://github.com/makinako/OpenFIPS201/releases/tag/v1.10.2","Info: signed release artifact: OpenFIPS201_v1_10_1.zip.sig: https://github.com/makinako/OpenFIPS201/releases/tag/v1.10.1","Info: signed release artifact: OpenFIPS201_v1_10_0.zip.sig: https://github.com/makinako/OpenFIPS201/releases/tag/v1.10.0","Warn: release artifact v1.0.0-beta6 not signed: https://api.github.com/repos/makinako/OpenFIPS201/releases/9379084","Warn: release artifact v1.0.0-beta5 not signed: https://api.github.com/repos/makinako/OpenFIPS201/releases/8641413","Warn: release artifact v1.10.2 does not have provenance: https://api.github.com/repos/makinako/OpenFIPS201/releases/75894681","Warn: release artifact v1.10.1 does not have provenance: https://api.github.com/repos/makinako/OpenFIPS201/releases/69807886","Warn: release artifact v1.10.0 does not have provenance: https://api.github.com/repos/makinako/OpenFIPS201/releases/63521577","Warn: release artifact v1.0.0-beta6 does not have provenance: https://api.github.com/repos/makinako/OpenFIPS201/releases/9379084","Warn: release artifact v1.0.0-beta5 does not have provenance: https://api.github.com/repos/makinako/OpenFIPS201/releases/8641413"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":6,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'master'","Info: 'force pushes' disabled on branch 'master'","Info: 'branch protection settings apply to administrators' is required to merge on branch 'master'","Warn: required approving review count is 1 on branch 'master'","Warn: codeowners review is required - but no codeowners file found in repo","Warn: no status checks found to merge onto branch 'master'","Info: PRs are required in order to make changes on branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 11 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-21T03:17:46.576Z","repository_id":28635854,"created_at":"2025-08-21T03:17:46.576Z","updated_at":"2025-08-21T03:17:46.576Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28434466,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T18:57:19.464Z","status":"ssl_error","status_checked_at":"2026-01-14T18:52:48.501Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aes","authentication","card-application","des","ecc","elliptic","fips201-2","javacard","nist","nist800-73","piv","rsa","smartcard","tripledes"],"created_at":"2026-01-14T20:31:52.684Z","updated_at":"2026-01-14T20:31:53.265Z","avatar_url":"https://github.com/makinako.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OpenFIPS201 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)\n\nThis project has been commissioned and funded by the Australian Department of Defence, to provide an open source implementation of the card application for the NIST Personal Identity Verification (PIV) standard as specified by [NIST FIPS PUB 201-2](https://en.wikipedia.org/wiki/FIPS_201) and [NIST SP 800-73-4](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf). \n\n**OpenFIPS201 implements the following functionality:**\n\n* A flexible filesystem that can be defined easily without recompilation\n* A flexible key store that defines key roles instead of hard-coding which key is used for what function\n* It compiles to Javacard 3.0.4 as a minimum\n* Secure personalisation over SCP w/CENC+CMAC using the CHANGE REFERENCE DATA and PUT DATA commands\n* The following is out-of-scope at this time:\n  * Virtual Contact Interface\n  * Secure Messaging (Opacity)\n  * Biometric On-Card Comparison (OCC)\n\nTo get started, please head on over to the [OpenFIPS201 Wiki](https://openfips201.atlassian.net/wiki/spaces/OD/overview)\nThe latest binary release is: [OpenFIPS201 v1.10.0](#ref)\n\n**Want to get in touch?**\n\nContact us at piv@makina.com.au if you want to talk about the project, or just to even say how you're using it!\n\nTo contact the author directly, email kim@makina.com.au\n\n**This project makes use of the following Open Source tools:**\n\n* [Apache Ant](https://ant.apache.org/) by the [Apache Foundation](https://www.apache.org/)\n* [Ant-JavaCard](https://github.com/martinpaljak/ant-javacard) by [Martin Paljak](https://github.com/martinpaljak)\n* [Google Java Format](https://github.com/google/google-java-format) by [Google](https://github.com/google)\n\n----\n\n\n\n### UPDATE 4th April 2022 - OpenFIPS201 v1.10.0 Release\n\nThe latest revision of OpenFIPS201 is ready! Here are a few features and enhancements that have been added:\n\n#### Documentation\n\n* Documentation relating to OpenFIPS201 has now been moved [here](https://openfips201.atlassian.net/wiki/spaces/OD/overview) to a public Confluence instance, as the docs were outgrowing the GitHub wiki. \n* [Discussions](https://github.com/makinako/OpenFIPS201/discussions) has now been enabled, we welcome any feedback you have or let us know how you're using OpenFIPS201!\n\n#### Dynamic Configuration\n\nAll `FEATURE` compilation constants are now gone and been replaced with a more extensive set of configuration registers for controlling aspects of applet behaviour. This means there is no longer a need to modify or build from source code in order to configure it.\n\nAll configuration elements can be updated either individually, or batched into a single command (using OPTIONAL ASN.1 elements). If you choose not to update the configuration, you can just use the default values that have all been defined to adhere to PIV, or if PIV doesn't specify something then sensible default values have been used.\n\n#### Pre-Personalisation Interface\n\nThe PUT DATA ADMIN command has changed a bit due to dynamic configuration. The following BER-TLV structures are defined:\n\n* Create Data Object\n* Delete Data Object (Defined but not implemented)\n* Create Key Command\n* Delete Key (Defined but not implemented)\n* Update Configuration\n* Legacy Operation\n\nYour current pre-perso will still work via the `Legacy Operation`, but you will not be able to take advantage of some of the extended features, notably dynamic configuration. We encourage you to migrate over to the new commands, which have been kept as similar as possible to ease the transition.\n\n#### Bulk Pre-Personalisation\n\nYou can combine any number of the above pre-perso commands into the same APDU to reduce the command overheads of sending so many of them!\n\nThe command is identical to the normal `PUT DATA ADMIN` format, with the exception that you have an outer BER-TLV tag that contains a SEQUENCE OF individual commands.\n\nYou can also mix and match different kinds of updates in one (i.e. Keys, Data Objects and Config).\n\n#### PIN Enhancements\n\nThe applet supports a number of additional useful enhancements to PIN functionality:\n\n* PIN Extended Length - You can define PIN lengths up to 16 digits in dynamic configuration\n* PIN Character Set - You can define PIN format requirements as either `numeric`, `alpha numeric`, `alpha numeric (case insensitive)` or `raw` (any byte value)\n* PIN History - You can configure the applet to remember up to the last 12 PIN values that were changed and prevent the user from re-using them.\n* PIN Complexity Rules - Two basic 'weak PIN' prevention rules have been added as optional parameters:\n  * Sequence Rule - Allows you to prevent more than `[n]` consecutive digits from being used (for example, 123456).\n  * Distinct Rule - Allows you to prevent more than [n] instances of the same character being used (for example, 111111).\n* PUK Retry Limits - PUK retries can now be defined in the same way PIN retries are (including separate counters for the Contact and Contactless interface). If the PUK is locked, it can only be unlocked by an administrative role over SCP03.\n\n\u003cu\u003ePIV Impacts:\u003c/u\u003e\n\n- Setting the PIN Extended Length feature above 8 or below 6 will cause the padding/length to no longer comply with SP 800-73.\n- Setting the PIN Character Set to anything other than `numeric` will not work with any middleware that enforces numeric-only digits. \n- PIN History and Complexity Rules should be transparent and simply result in an error condition that should be handled by PIV middleware / clients.\n\n#### Dynamic Admin Keys\n\nFor each data object and asymmetric key, you can now optionally define which symmetric key is responsible for managing it. This gives you the capacity to give write / key generation access to targeted objects. This feature is optional and if you do not specify an admin key, objects will default to the`9B` key.\n\n\u003cu\u003ePIV Impact\u003c/u\u003e: PIV defaults to the `9B` key as the administrative key, so to maintain compatibility, simply define this key or don't specify the key.\n\n#### User Manageable Data Objects\n\nFor asymmetric keys and data objects, it is possible to now add the `User Admin` access mode privilege. If this is set, the data object can be written to, or the key generated as long as the access conditions for that card have been met. This can be separated for contact / contactless and the special 'always' access mode may not be paired with this.\n\nThis has been included to permit the possibility of lower security applications whereby it is useful for regularly-changing operational data to be managed on the card without the requirement for administrative keys. Of course if the thought of this horrifies you, do nothing to your pre-perso scripts and the functionality will stay disabled.\n\n#### Optional Cryptographic Mechanisms\n\nThe applet now attempts to instantiate all the required cryptographic mechanisms, but if there are any that it can't this now only results in those corresponding mechanisms being disabled, not prevention of the entire applet install.\n\n\u003cu\u003ePIV Impact:\u003c/u\u003e None, provided the card is able to support at least one of the asymmetric key pair types.\n\n\n#### Other\n\n* The GlobalPlatform library now targets GP 2.2.1 instead of GP 2.1.1. This should not pose a problem for JC 3.0.4+ cards.\n* The `Admin` key attribute has now been deprecated as it replaced by the `adminKey` option\n* A `Permit Mutual` key attribute has been added for symmetric keys so it needs to be explicitly enabled. For legacy operations this attribute is automatically applied to maintain compatibility.\n* The discovery object is generated at run-time instead of applet compilation now, so you can change configuration parameters and it will reflect correctly.\n* `FEATURE_STRICT_APDU_CHAINING` has been removed as ISO7816 is pretty clear that you should be able to interrupt chained commands without an error. \n* `FEATURE_DISCOVERY_OBJECT_DEFAULT` has been removed now that the discovery object generates every call.\n* `FEATURE_PIV_TEST_VECTORS` has been removed as it's usefulness reduced with ECC support and FIPS 140 doesn't like test values.\n* The `Options.restrictContactlessGlobal`configuration parameter has been added, which will make the applet non-selectable over the contactless interface.\n* The `Options.restrictContactlessAdmin` configuration parameter has been added, which prevents SCP03 administration over contactless.\n* The `Options.restrictSingleKey` configuration parameter has been added, which will prevent the applet from allowing the same key to be defined with multiple mechanisms.\n* `GET STATUS` and `GET VERSION` are improved (more additions and improvements will follow in the coming months, but compatibility with the current response bytes will be maintained so don't hard-code length requirements into your code!).\n* Lots of other background changes, code review changes, etc.\n\n\n\n----\n\n\n\n### UPDATE - 25th July 2021\n\nThe applet has been updated (and will continue to be) over the next few months for accreditation.\nBelow is a summary of changes, with wiki updates to follow shortly:\n\n- General review for FIPS 140-3 + Static analysis + all General Authenticate cases\n- Splitting of General Authenticate, which was getting too complex.\n- Changes to Key Roles and addition of Key Attributes (compatibility break for pre-perso!)\n- Beginning of support for multi-byte data object id's (pre-perso only, not breaking compatibility yet)\n- Addition of GET VERSION command to get major/minor/revision/debug status\n- Addition of GET STATUS command (more to be added to this)\n- Removal of FEATURE_PIV_TEST_VECTORS and all test data (FIPS 140-3 doesn't permit it)\n- SSP Deletion - Key and data objects can now be properly zeroised/cleared\n- Numerous minor fixes and changes (none breaking the PIV interoperability)\n- Namespace change to all-lowercase\n\nNote that because of [issue #29](https://github.com/makinako/OpenFIPS201/issues/29) there is a minor breaking change to the pre-personalisation interface. Details are in the comments and will be updated in the documentation. Feedback is still sought on whether this can be improved as things are flexible up until validation starts.\n\n----\n\n\n\n### **\u003cu\u003eUPDATE - 23th April 2021\u003c/u\u003e**\n\nThings have been a bit quiet here, but behind the scenes we are in the process of preparing OpenFIPS201 for CMVP / FIPS 140-3 accreditation! \n\nThis is a very steep learning curve, but out of the process is coming a number of changes that will need to be made to the applet in order to comply with direct requirements or smooth the way through the process. In the next few weeks, I'll be adding these to the issues register to open up the changes to discussion, as some of the changes will impact pre-personalisation and configuration (whilst of course maintaining compatibility with the actual PIV spec).\n\nThe (somewhat simplified) phases of accreditation are:\n\n- **Feature Completion** - We are now implementing Secure Messaging, Pairing Code and VCI functionality. This will nearly complete all optional features of the PIV specification, with the notable exception of Biometric On-Card Comparison (OCC). The aim is to have as much as we can in, to avoid the need for re-validation.\n- **CMVP Research** - In parallel, we are in the process of understanding the CMVP/FIPS requirements, contacting labs and producing an internally generated gap analysis. \n- **Design, Documentation and Testing** - There are specific documentary requirements for FIPS 140-3, some of which we won't know until we engage the lab.\n- **Pre-Validation** - This a workshop, undertaken with our chosen lab to gain an external view of \n- **Validation** - This is the main process where the lab performs the assessment, code review, etc and together with us produces the Security Policy document, which will ultimately be published on the NIST CMVP web site.\n- **Submission** - Once everything is in place and the lab has produced all the required documentary evidence, their report is formally submitted to NIST and we join the queue to become a validated product.\n- **Approval** - We are assigned a certificate from NIST and we pop the champagne.\n\nOne additional aspect, because this is a PIV implementation is that we will also need to undergo NPIVP accreditation. This is effectively an interoperability and functional compliance test rather than security and as I understand it is largely about passing the PIV Test Runner test suite.\n\nIf you have any specific questions or issues, please raise them on the issues list or contact us at piv@makina.com.au.\n\n----\n\n\n\n### **\u003cu\u003eUPDATE - 27th August 2020\u003c/u\u003e**\n\nThanks largely to the efforts of [@dmercer-google](https://github.com/dmercer-google) we now have support for Elliptic Curve! You can now generate key objects with ECC256 (#11) and ECC384 (#14) mechanisms and make use of them in General Authenticate for authentication, signing and key establishment. VCI / SM is not yet included in this, but watch this space. Thanks Dave!\n\n----\n\n\n\n\n### **\u003cu\u003eUPDATE - 22nd July 2020\u003c/u\u003e**\n\nOpenFIPS201 has attempted to maintain compatibility with Javacard 2.2.x, however it is clear that there are a number of very good reasons to move away from it in the context of the PIV standard:\n\n* There are a number of cryptographic primitives that are not supported by JC22, especially in the Elliptic Curve domain. This makes it impossible to fully implement SP800-73-4. \n* The PIV requirement to format signature input blocks off-card, which is not supported by JC22 resulted in the need to implement a hack to encrypt using the private key. Moving to JC30 will allow the use of Signature with 'signPreComputedHash()' and 'setInitialDigest', which are both specifically intended for off-card signature block formatting.\n* JC22 does not support the 'Applet.reselectingApplet()' feature, which again is a breaking point for PIV. NIST have indicated they will permit certification exceptions to support JC22 cards, however this hasn't been tested to our knowledge.\n\nGoing forward, OpenFIPS201 will target Javacard SDK 3.0.4 as a minimum. To continue to support Javacard 2.2.x we have added a new repository [OpenFIPS201-jc22](https://github.com/makinako/OpenFIPS201-jc22), which will serve as the compatibility release going forward.\n\n----\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmakinako%2Fopenfips201","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmakinako%2Fopenfips201","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmakinako%2Fopenfips201/lists"}