Hi,
It’s been a while since I’ve been on the forum, but I wanted to post the project I’ve been working on, on and off, for a bit now.
I always disliked the idea of needing to use a static URI when passing VCFs over FlexSecure, because I wasn’t able to figure out the best way to keep the link secure.
So, I put together an applet that:
- Accepts a custom domain
- Accepts a secure key
- Has a counter for taps
- Generates a CMAC from count + key
- Generates a URL-safe base64
- Appends the base64 to the URL
On the server, I check for the parameter and do the reverse:
- Decode the URL
- Validate the CMAC via key and counter
If it’s valid, I provide a popup to download a VCF.
I’ve created a release, along with the source code, instructions, etc., that’s available via GitHub: FTRST/ndef-cmac-share (a privacy-preserving, stateful NFC applet for implantable Java Card devices that generates dynamic, cryptographically-signed URLs on tap).
Additionally, there is an included Next.js project that gives an example of how to process the information server-side, as well as an included shell script to generate the params for installing.
Lastly, I have an example of including additional data, such as a unique card ID, if you plan on changing that and tracking replays, or want to include and parse additional information.
Cheers!
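
The generate-and-verify flow described in the post, as an added Node.js example that is not taken from the ndef-cmac-share repository. It assumes AES-128 CMAC (RFC 4493), a token of base64url(4-byte big-endian counter || 16-byte tag), and a server that stores the last accepted counter to reject replays; the function names are hypothetical.

```javascript
// Added example; the token layout and names are assumptions, not the project's format.
const nodeCrypto = require('crypto');

// Double a 128-bit block in GF(2^128) (RFC 4493 subkey derivation).
function dbl(block) {
  const out = Buffer.alloc(16);
  let carry = 0;
  for (let i = 15; i >= 0; i--) {
    out[i] = ((block[i] << 1) | carry) & 0xff;
    carry = block[i] >> 7;
  }
  if (carry) out[15] ^= 0x87;
  return out;
}

// AES-128-CMAC per RFC 4493, built on Node's AES-ECB and AES-CBC primitives.
function aesCmac(key, msg) {
  const enc = (alg, iv, data) => {
    const c = nodeCrypto.createCipheriv(alg, key, iv).setAutoPadding(false);
    return Buffer.concat([c.update(data), c.final()]);
  };
  const k1 = dbl(enc('aes-128-ecb', null, Buffer.alloc(16)));
  const complete = msg.length > 0 && msg.length % 16 === 0;
  const headLen = complete ? msg.length - 16 : msg.length - (msg.length % 16);
  const last = Buffer.alloc(16);
  msg.copy(last, 0, headLen);
  if (!complete) last[msg.length - headLen] = 0x80; // 10* padding
  const sub = complete ? k1 : dbl(k1);              // K1 for full block, K2 if padded
  for (let i = 0; i < 16; i++) last[i] ^= sub[i];
  const out = enc('aes-128-cbc', Buffer.alloc(16), Buffer.concat([msg.subarray(0, headLen), last]));
  return out.subarray(out.length - 16);
}

// Applet side (assumed layout): base64url(counter || CMAC(key, counter)).
function makeToken(key, counter) {
  const ctr = Buffer.alloc(4);
  ctr.writeUInt32BE(counter);
  return Buffer.concat([ctr, aesCmac(key, ctr)]).toString('base64url');
}

// Server side: returns the counter to persist, or null on a bad tag or a replay.
function verifyToken(key, token, lastSeen) {
  if (typeof token !== 'string' || !/^[A-Za-z0-9_-]+$/.test(token)) return null;
  const raw = Buffer.from(token, 'base64url');
  if (raw.length !== 20) return null;
  const ctr = raw.subarray(0, 4);
  const ok = nodeCrypto.timingSafeEqual(raw.subarray(4), aesCmac(key, ctr));
  return ok && ctr.readUInt32BE(0) > lastSeen ? ctr.readUInt32BE(0) : null;
}
```

The caller must store the returned counter as the new `lastSeen` before serving the VCF, otherwise the same URL stays valid.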