Struggling with U2F load on FlexSecure: can't --create or select applet

Heyya @StarGate01 – wondered if I could bother you, please. I’m trying to install the U2F as described in the repo but am running into some issues. I’ve boiled down my problems into a Gist (using dummy/throwaway keys, so worry not for my security), but basically I’ve got both physical P71D321 chips as well as the FlexSecure and am seeing identical behavior with two readers and a physical card programmer.

Is there something obvious I’m missing, please? Here’s what I’m up to: P71D321/FlexSecure U2F Woes · GitHub

Basically, calling --create causes problems for some reason + the select command isn’t working. Please let me know if I can help at all with debug; I work in software but I’m just learning about the intricacies of the cards.

If relevant, I’m using an ACR1252 but have the same issue with an ACR122U and a generic cheapy USB contact writer.

Thank you so much!

Hey, thanks for the report.

First of all the applet binary appears to be loaded, and the instance is created as well according to the output of the second list command:

APP: A0000006472F000101 (SELECTABLE) (|....G/...|)
     Parent:  A000000151000000
     From:    A0000006472F0001

PKG: A0000006472F0001 (LOADED) (|....G/..|)
     Parent:  A000000151000000
     Version: 1.1

So that step appears to work.

Now, from the file paths I assume you are on Windows. Windows has a very annoying behaviour concerning FIDO cards - the OS blocks access to all applets matching the FIDO AID and expects all programs to use the Microsoft wrapper API. This means that you have to run the attestation loader as administrator, otherwise you are not allowed to interface with the FIDO applet on a low level. I’ll add that to the docs.

Second, I do not recommend using the --install and --create flags of GPP in one step. Behaviour appears to have changed sometime back in an update; I instead recommend splitting the command in two if you really have to perform an explicit instantiation (like you would do for e.g. the BIP32 applet), and first use a --load and then a --create command.

1 Like
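The diagnostic in the reply above (read the second `gp --list` dump, confirm the package is LOADED and the instance is SELECTABLE, and only then look for a host-side cause such as the Windows FIDO lockdown) can be scripted. The following Python is an added example, not code from the thread or from StarGate01's repository: it parses `gp --list` output into entries and reports whether a given applet instance is in a usable state. The APP and PKG entries in the constructed sample are the ones quoted above; the leading ISD line is an assumed shape of the card manager entry gp normally prints first, not taken from the page.

```python
"""Check a GlobalPlatformPro `gp --list` dump for a usable applet instance.

Added example: parses the listing format quoted in the thread and answers
"is the applet installed?" so that a selection failure can be attributed to
the card state or to host-side access restrictions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample. APP/PKG entries are quoted from the thread; the ISD
# line is an ASSUMED shape of the card manager entry gp prints first.
SAMPLE_LIST_OUTPUT = """\
ISD: A000000151000000 (OP_READY)
     Privs:   SecurityDomain, CardLock, CardTerminate, CardReset, CVMManagement

APP: A0000006472F000101 (SELECTABLE) (|....G/...|)
     Parent:  A000000151000000
     From:    A0000006472F0001

PKG: A0000006472F0001 (LOADED) (|....G/..|)
     Parent:  A000000151000000
     Version: 1.1
"""

# "KIND: <hex AID> (<STATE>) ..." opens an entry; indented "Key: value"
# lines carry its attributes.
ENTRY_RE = re.compile(r"^(ISD|APP|PKG|SSD|DOM):\s+([0-9A-Fa-f]+)\s+\(([A-Z_]+)\)")
ATTR_RE = re.compile(r"^\s+(\w+):\s+(.*)$")


@dataclass
class Entry:
    kind: str           # ISD, APP, PKG, ...
    aid: str            # upper-case hex AID
    state: str          # e.g. SELECTABLE, LOADED, OP_READY
    attrs: dict = field(default_factory=dict)


def parse_gp_list(text):
    """Turn a `gp --list` dump into a list of Entry objects, in order."""
    entries = []
    current = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = Entry(m.group(1), m.group(2).upper(), m.group(3))
            entries.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current.attrs[m.group(1)] = m.group(2).strip()
    return entries


def applet_status(entries, applet_aid):
    """Return (ok, reason).

    ok is True only when an APP entry with applet_aid is SELECTABLE and the
    package it was created from ("From:") is present and LOADED. The reason
    string says which step of load / create is missing otherwise.
    """
    applet_aid = applet_aid.upper()
    apps = [e for e in entries if e.kind == "APP" and e.aid == applet_aid]
    if not apps:
        return False, "no instance with AID %s; --create has not run" % applet_aid
    app = apps[0]
    if app.state != "SELECTABLE":
        return False, "instance exists but its state is %s" % app.state
    pkg_aid = (app.attrs.get("From") or "").upper()
    pkgs = [e for e in entries if e.kind == "PKG" and e.aid == pkg_aid]
    if not pkgs or pkgs[0].state != "LOADED":
        return False, "package %s missing or not LOADED" % pkg_aid
    return True, ("applet %s is installed on the card; if SELECT still fails, "
                  "look at host-side access (on Windows the FIDO AID is reserved "
                  "for the OS API and low-level access needs an elevated process)"
                  % applet_aid)


if __name__ == "__main__":
    ok, reason = applet_status(parse_gp_list(SAMPLE_LIST_OUTPUT), "A0000006472F000101")
    print("OK" if ok else "NOT OK", "-", reason)
```

Feed it the output of `gp --list` (for example via a pipe) and check the applet AID printed after `APP:`; a False result with "--create has not run" is the symptom of a package that loaded but never got its instance, which is where splitting `--load` and `--create` into two invocations, as recommended above, comes in.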

Well hey that indeed was the issue; thank you so much! Just had a successful write and login using webauthn with the reader and Chrome.

Have some grumpy feelings about Windows deciding what I can and can’t say to my own dang USB hardware, but I assume it’s for my own good to prevent malware from signing things on my behalf.

Thanks again!

2 Likes

And to celebrate – the working implant.

4 Likes

Just wanted to add – fantastic documentation, @StarGate01. It’s been a godsend as I begin to do applet dev to see your examples of dockerized build environments, and your overall documentation of loading/configuring applets and tech overviews on the secure element itself have been my main way points as I explore. Truly, a tremendously helpful resource. Thank you!!!

3 Likes

Thank you :slight_smile:

The Javacard ecosystem is notoriously closed and proprietary, but over time the open source options have been steadily improving and growing! I am always happy to bring new people into the ecosystem.

4 Likes