Apex Flex - Couple of questions

I am planning on getting my Apex installed in a few weeks and am diving back into the JavaCard/smartcard/Fidesmo world and had a few questions. I was part of the VivoKey Flex beta group and did a bit of applet development, but it was several years ago and I’ve forgotten most of it.

  • The Apex uses the P71 SmartMX3 chip. It looks like that runs JavaCard 3.0.5. Whereas the original VK Flex used a P60 chip running JavaCard 3.0.4. The JC update looks to have some nice new features, but since it is a patch bump, I’m assuming that it should be mostly backwards compatible. Anyone know if any of the Fidesmo applets for Apex are using any of the new 3.0.5 features?

  • Assuming the answer to the question above is no, then is there any reason why I can’t continue to use my P60 VK to test with? I actually have a few naked VKs (no coating, so can’t be installed). I know they have issues with getting bricked, but I’d still like to test on them instead of my Apex. If I’m able to get an applet running on the P60, and assuming it doesn’t use any of the new P71/3.0.5 encryption libraries, then my assumption is that it should work identically on the P71. Is that a fair assumption?

  • For official applets, it looks like the Fidesmo app on my phone is showing the same applets available for original VivoKeys as for the Apex. My plan is to get the official applets I want installed and tested on an original VK, repeat the installs on the Apex, then get the Apex implanted. Does this make sense?

  • I know Fidesmo shut down their developer portal about a year ago, but I can’t find any information on the new portal, and a lot of the documentation references have broken links to the old one. Can I deploy applets to the Apex without a developer key using the FDSM utility? I’m guessing that I would need to contact Fidesmo if I ever wanted to deploy an app on their platform, unless there’s something I’m missing.

(1)

I’m assuming that it should be mostly backwards compatible.

The P71 explicitly supports both 3.0.4 and 3.0.5.

Anyone know if any of the Fidesmo applets for Apex are using any of the new 3.0.5 features?

Fidesmo does not yet support 3.0.5 in their applet delivery platform, so VivoKey compiles for 3.0.4, which is enough for all the applets. SmartPGP for example requires >= 3.0.4 for e.g. proper elliptic curve support.

(2)

Assuming the answer to the question above is no, then is there any reason why I can’t continue to use my P60 VK to test with?

Sure, should be no problem. I use one of the older Fidesmo card 2.0 for testing occasionally, which is a P60 as well. However, these chips might be rather limited in terms of memory.

If I’m able to get an applet running on the P60, and assuming it doesn’t use any of the new P71/3.0.5 encryption libraries, then my assumption is that it should work identically on the P71. Is that a fair assumption?

Yes. The standard part of JC is chip agnostic. Currently no VivoKey applets use proprietary libraries.

(3)

repeat the installs on the Apex, then get the Apex implanted. Does this make sense?

Sure, why not. Make sure to load the same keys if you want the chips to generate the same responses (e.g. for HMAC-SHA1 or PGP). You might have a hard time connecting to the Apex through its sterile packaging, depending on thickness. It worked for me but I did a lot of reconfiguration once I had it in my arm as well.

(4)

I can’t find any information on the new portal

The interactive Fidesmo API, which also serves as documentation, is located at Fidesmo - Self service portal; this needs a developer login for some endpoints. More information can be found at Technology - Fidesmo.

Can I deploy applets to the Apex without a developer key using the FDSM utility?

No, each applet needs to be signed in order to be loaded onto a Fidesmo-secured token, which requires their signing servers and developer credentials.

I’m guessing that I would need to contact Fidesmo if I ever wanted to deploy an app on their platform, unless there’s something I’m missing.

You need to email them at support@fidesmo.com and ask nicely as well as explain your reason.

Another alternative would be to work with us… we can clone OSS repos, compile, and deploy?

2 Likes

Thanks for the detailed response StarGate!

I had my own partially functioning applet on a VK original for generating some custom encryption keys for an archival app I was working on. Still had a ways to go but I’d like to revive it at some point. Once it’s ready for testing, I’m hoping I can deploy it to a non-provisioned P71. In the meantime, I’ll contact Fidesmo about a dev account. I kind of wish they had a self-signing option for local development/testing (I must have been misremembering that being available on the VK Flex).

@amal if it ever gets to the point where I’d feel comfortable releasing it, then definitely.

1 Like