Add CI build for javacard applets (#2)
[enhancement] add CI javacard applets build
Showing 2 changed files with 98 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,62 @@ | ||
language: java | ||
os: linux | ||
dist: | ||
- xenial | ||
|
||
|
||
addons: | ||
apt: | ||
update: true | ||
packages: | ||
- repo | ||
- git | ||
- make | ||
- gcc-arm-none-eabi | ||
- binutils-arm-none-eabi | ||
- python-pip | ||
- python3-pip | ||
- python-pyscard | ||
- python-crypto | ||
- openjdk-8-jdk | ||
- maven | ||
- ant | ||
- curl | ||
- zip | ||
- unzip | ||
- bash | ||
|
||
# installing dependencies | ||
before_install: | ||
- pip install --user intelhex | ||
- sudo pip3 install kconfiglib | ||
- curl -s "https://get.sdkman.io" -o /tmp/sdk | ||
- chmod +x /tmp/sdk | ||
- /tmp/sdk | ||
- sudo bash -c ". $HOME/.sdkman/bin/sdkman-init.sh && sdk install maven 3.6.1" | ||
- git clone https://github.com/martinpaljak/oracle_javacard_sdks.git /tmp/oracle_sdks | ||
|
||
# let's sync and build for disco407, wookey, and build doc | ||
jobs: | ||
include: | ||
- stage: javacard_build | ||
script: | ||
- mkdir build && cd build | ||
- export PATH=/usr/local/bin:$PATH | ||
- git config --global color.ui true | ||
- repo init -u https://github.com/wookey-project/manifest.git -m soft/wookey_nightly.xml && repo sync | ||
- echo 'export CROSS_COMPILE=arm-none-eabi-' > setenv.local.sh | ||
- echo 'export JAVA_SC_SDK=/tmp/oracle_sdks/jc303_kit' >> setenv.local.sh | ||
- if [ "$TRAVIS_EVENT_TYPE" = "pull_request" ]; then cd javacard/applet && git fetch github refs/pull/${TRAVIS_PULL_REQUEST}/head && git checkout FETCH_HEAD; cd ../..; fi | ||
- source setenv.sh | ||
- make boards/wookey/configs/wookey2_graphic_ada_hs_defconfig | ||
- make prepare | ||
- make externals | ||
- make javacard_compile | ||
|
||
notifications: | ||
email: | ||
recipients: | ||
- wookey@ssi.gouv.fr | ||
on_success: never | ||
on_failure: always | ||
on_pull_requests: always |
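Review bot: In before_install, the SDKMAN installer is fetched with `curl -s "https://get.sdkman.io" -o /tmp/sdk` and executed with no integrity check, and the Oracle SDKs are cloned from the default branch of martinpaljak/oracle_javacard_sdks with no commit pinned, so the code this build runs and compiles against can change without any change to this repository. Pin the clone to a known commit, verify a checksum of the installer before running it (or drop it, since maven is already listed under addons.apt packages), and pin versions for the intelhex and kconfiglib pip installs. Two smaller points: the comment above `jobs:` says "sync and build for disco407, wookey, and build doc" but the only stage is javacard_build, and the pull-request step fetches from a remote named `github` that this file never defines, so a comment saying where that remote comes from would help.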
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
# Wookey Javacard applets | ||
|
||
[![Release](https://img.shields.io/github/release/wookey-project/javacard-applet.svg)](https://github.com/wookey-project/javacard-applet/releases/latest) | ||
[![Travis CI Build Status](https://api.travis-ci.com/wookey-project/javacard-applet.svg?branch=master)](https://travis-ci.com/wookey-project/javacard-applet) | ||
|
||
## About Wookey applets | ||
|
||
The WooKey project authentication, DFU and signature tokens are implemented using JavaCard (https://docs.oracle.com/en/java/javacard/). | ||
|
||
JavaCard is a public ecosystem for developing and distributing code on secure elements. Actually, this is one of the only frameworks allowing to access secure elements without signing NDAs: this makes it a perfect match for open source projects since the source code can be distributed. | ||
|
||
JavaCard systems (composed of a secure IC and a JavaCard framework) are usually certified using the EAL Common Criteria scheme: this ensures that security and penetration tests as well as code review have been performed by entitled ITSEF (Information Technology Security Evaluation Facility) using a formal and approved process. | ||
|
||
This makes certified JavaCards an interesting choice for hardened components when designing security solutions: they are robust against a wide variety of advanced attack scenarios. | ||
|
||
For the WooKey project, we have validated our JavaCard applets on an EAL 4+ NXP JCOP J3D081 (https://www.fi.muni.cz/~xsvenda/jcalgtest/run_time/NXPJCOPJ3D081.html). This JavaCard is dual interface (contact and contacless), is JavaCard 3.0.1 and GlobalPlatform 2.2 compliant, and is EAL 4+ certified. The public certification report can be found here: | ||
|
||
https://www.commoncriteriaportal.org/files/epfiles/0860b_pdf.pdf | ||
|
||
The JCOP J3D081 have been chosen for price and availability reasons. Please note that the WooKey project applets should be compatible with any JavaCard 3.0.1 and above compatible card! | ||
|
||
|
||
## About compilation step | ||
|
||
|
||
The JavaCard and GlobalPlatform ecosystems require tools for compiling as well as pushing the compiled applets (CAP files) to the target. Fortunately, open source components are available for all these steps. | ||
|
||
Compiling can be performed using the ant-javacard project, with Oracle SDKs: | ||
|
||
https://github.com/martinpaljak/ant-javacard | ||
|
||
https://github.com/martinpaljak/oracle_javacard_sdks | ||
|
||
Pushing the compiled applets can be done through the GlobalPlatformPro tool: | ||
|
||
https://github.com/martinpaljak/GlobalPlatformPro |
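Review bot: The "About compilation step" section names ant-javacard, the Oracle SDKs and GlobalPlatformPro but gives no command a reader can run. The CI file added in this same commit builds with `make javacard_compile` after setting `JAVA_SC_SDK` to the jc303_kit directory of the SDK checkout; documenting that here, along with which SDK kit is expected, would make the README match what CI does. Wording fixes in the card paragraph: "contacless" should be "contactless", and "The JCOP J3D081 have been chosen" should be "has been chosen".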