Hi NXP,
I'm writing this to ask what the NXP policy of sharing code that is written in the JCShell language, or Java Card with references to NXP proprietary libraries that are only released under NDA.
Specifically, we have developed a sizeable number of JCShell scripts for testing our open source applet, OpenFIPS201. Most of these are the individual scripts for each test, and then there are some common libraries to provide script re-use.
In addition, our applet code base is almost all based on generic JC304/JC305 library calls, however for our FIPS 140 build we necessarily make a few calls to P71 libraries.
In the spirit of our MIT license, we would like to publish our testing scripts and our entire code base to GitHub as we always have. To not do so would be asking our users to 'just trust us' on critical code sections, which is something we are directly trying to avoid.
For clarity, what we intend to include is:
- The JCShell scripts used for tests and common functions for the tests
- Our own code, with a few calls to the P60 and P71 libraries supplied with JCOP tools
We would of course not include:
- The JCOP tools themselves, or JCShell
- Any documentation under NDA for JCOP Tools, JCShell or the P60/P71 products
- Any libraries supplied by NXP for the P60/P71/etc.
An example of a code call to a P71 library is:
short outLength =
OpacitySmKeyEstablishment.generateSecret(
inBuffer, inOffset, inLength, outBuffer, outOffset, privateKey);
Does NXP have a generic position on this? One of the observations I've made in working with these products is that community support for NXP tools and languages for smart cards is extremely limited. A clear definition of what is/isn't permitted to publish would go a long way to helping build a community of users that feel able to share knowledge and code snippets / libraries which would then have a general benefit to NXP's product offering. I haven't been able to find this in the NDA or the software license files.
