Caution
This project does not currently provide built-in credential issuance/provisioning for user devices. Users are fully responsible for procuring valid Aliro credentials and reader configuration material.
This project provides a Python-based implementation of the NFC part of the Aliro protocol, including the following commands:
- AUTH0;
- AUTH1;
- EXCHANGE;
- ENVELOPE.
- A way to procure valid credentials/reader configuration material externally (not provided by this project at this moment);
- Linux or macOS;
- Python 3.10+;
- PN532 connected over UART or USB (recommended/tested path).

For PC usage with PN532 via UART, connect as follows:
| Step | uv (recommended) | pip |
|---|---|---|
| 1. Install dependencies | `uv sync` | `python3 -m pip install --upgrade pip`<br>`python3 -m pip install -e .` |
| 2. Configure | `nano configuration.json` | `nano configuration.json` |
| 3. Run | `uv run python main.py` | `python3 main.py` |
Configuration lives in configuration.json.
- `level`: Python logging level integer (for example `20` for INFO).
- `path`: NFC frontend path string.

Examples:
- PN532 serial: `tty:usbserial-0001:pn532`
- ACR122U USB: `usb:072f:2200`

If you need to discover serial ports:

```bash
# Linux
ls /dev/*
# macOS
ls /dev/tty.*
```

- `persist`: path to JSON state file used by repository storage;
- `flow`: preferred minimum authentication flow. Supported values:
  - `expedited` / `fast` -> `FAST`,
  - `standard` -> `STANDARD`,
  - `attestation` / `step_up` / `stepup` -> `STEP_UP`;
- `authentication_policy`: user authentication policy string, defaults to `user`. Supported values:
  - `user_device_setting` / `user` / `original` / `express` -> `USER_DEVICE_SETTING` (`0x01`),
  - `secure` -> `USER_DEVICE_SETTING_SECURE_ACTION` (`0x02`),
  - `force` -> `FORCE_USER_AUTHENTICATION` (`0x03`);
- `reader_certificate`: optional `LOAD CERT` source used before `AUTH1` when transaction goes through Standard/Step-up path:
  - `false` / omitted: do not send `LOAD CERT`;
  - `true`: generate a profile `0000` certificate once at startup from `reader_private_key` using a generated intermediate subject key; active `reader_private_key` is then replaced with that intermediate private key for authentication;
  - `string`: profile `0000` certificate bytes encoded as hex or base64; configured certificates are validated locally for profile format, and subject key is checked against `reader_private_key`;
- `reader_private_key`: reader private key as hex;
- `reader_group_identifier`: group identifier as hex;
- `reader_group_sub_identifier`: reader group sub-identifier as hex.
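
A pre-flight check for the options listed above, as an added example that is not part of this project's code. It takes a flat dict keyed by the documented option names (how they are nested in `configuration.json` is not shown here, so that layout is an assumption); the function names, `SAMPLE` and the `"generate"` marker are hypothetical. Unknown `flow` or `authentication_policy` values are rejected instead of falling back to a default.

```python
import base64

# Alias tables transcribed from the option descriptions above.
FLOWS = {"expedited": "FAST", "fast": "FAST", "standard": "STANDARD",
         "attestation": "STEP_UP", "step_up": "STEP_UP", "stepup": "STEP_UP"}
POLICIES = {"secure": ("USER_DEVICE_SETTING_SECURE_ACTION", 0x02),
            "force": ("FORCE_USER_AUTHENTICATION", 0x03)}
for _alias in ("user_device_setting", "user", "original", "express"):
    POLICIES[_alias] = ("USER_DEVICE_SETTING", 0x01)
# Constructed sample values, not real key material; sizes are arbitrary.
SAMPLE = {"flow": "stepup", "authentication_policy": "force",
          "reader_private_key": "11" * 32, "reader_group_identifier": "22" * 16,
          "reader_group_sub_identifier": "33" * 16, "reader_certificate": False}

def decode_hex(name, text):
    """Decode a non-empty hex string; the error names the option, not its value."""
    if not isinstance(text, str) or not text.strip():
        raise ValueError(f"{name}: expected a non-empty hex string")
    return bytes.fromhex(text)  # raises ValueError on non-hex input

def decode_certificate(value):
    """Map reader_certificate to None (no LOAD CERT), 'generate', or bytes."""
    if value is None or value is False:
        return None
    if value is True:
        return "generate"
    if not isinstance(value, str) or not value.strip():
        raise ValueError("reader_certificate: expected true, false or a string")
    try:
        return bytes.fromhex(value)  # hex first: hex text may also parse as base64
    except ValueError:
        pass
    try:
        return base64.b64decode(value, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("reader_certificate: neither hex nor base64") from exc

def normalize(options):
    """Validate a flat dict of the documented options; raise on bad values."""
    flow = str(options.get("flow", "")).strip().lower()  # no documented default
    policy = str(options.get("authentication_policy", "user")).strip().lower()
    if flow not in FLOWS or policy not in POLICIES:
        # Fail closed: a typo must not silently select a different policy.
        raise ValueError(f"unsupported flow/authentication_policy: {flow!r}/{policy!r}")
    out = {name: decode_hex(name, options.get(name)) for name in (
        "reader_private_key", "reader_group_identifier", "reader_group_sub_identifier")}
    out.update(flow=FLOWS[flow], authentication_policy=POLICIES[policy],
               reader_certificate=decode_certificate(options.get("reader_certificate")))
    return out
```
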
- `main.py`: runtime entrypoint, configuration loading, NFC loop, signal handling;
- `aliro/`: core Aliro protocol/authentication logic module;
- `repository.py`: state persistence for reader metadata/endpoints;
- `entity.py`: protocol and endpoint entities;
- `util/afclf.py`: modified contactless frontend transport helpers;
- `util/`: cryptography, ISO7816, TLV, ECP helpers.
By default, the following state file is used:
- `persist.json`: stored endpoint data and reader identifiers.
- The project currently does not offer built-in Aliro credential provisioning or generation;
- Because of this, credential issuer validation is also currently omitted;
- Implementation predates the published Aliro specification and is only partially aligned, although sufficient for Fast and Standard flow.
If you've encountered an issue or would like to help improve this project, feel free to open an issue or submit a pull request.
Use of AI-assisted tools for contributions is welcome. However, as AI is a powerful tool that is subject to abuse, any wide-reaching or architectural changes made with AI assistance should be discussed with the maintainers beforehand.
- This code is provided as-is. Considering the sensitive nature of authentication and security, the maintainers assume no responsibility for any issues that may arise while using this project;
- Logs and state files can contain sensitive data (keys, identifiers, endpoint metadata);
- Do not publish raw logs or state files from real environments.
- Specifications - Connectivity Standards Alliance - official Aliro specification;
- Aliro - kormax - aliro protocol info based on wallet app research;
- Apple Home Key Reader - kormax - original Apple Home Key implementation used as the base for this project;
- Enhanced Contactless Polling - Polling Loop Annotations, ECP.

