OpenSC (including initialization) works with JavaCards if you have a supported applet on the card.
JavaCards can come in different flavors:
- Empty (preferred)
- Pre-loaded with an applet in EEPROM
- With an applet in ROM
- With a pre-loaded applet in a finalized state (applets can't be deleted or added).
Some cards, for example older IBM JCOP or older Cyberflex, come pre-loaded with a filesystem (PKCS#15) applet, which are of no interest in the broader context of JavaCards.
The core of OpenSC is a bunch of card drivers, both read-only drivers as well as PKCS#15 initialization drivers. It is important to realize, that all of the initialization drivers target a single card (usually proprietary) which is closely tied to the card vendor. Open source is all about providing options and being tied to a card vendor (even if the card comes with good documentation) has the same advantages and disadvantages as some popular binary-only display drivers provided by the vendor: it is not possible to change the way the card behaves. Therefore it is desirable to have open source code both inside the card and on the host computer and use JavaCards.
The main difference between "native" cards and JavaCards is the requirement to install the proper application to the card before continuing with OpenSC, which has historically been a somewhat complicated procedure and what this page tried to demystify.
List of applets OpenSC supports (can be read-only and locked cards):
- IsoApplet
- General PKCS#15 filesystem and PKI operations.
- Requires Java Card 3.0.4 or newer for v1, Java Card 2.2.1 or newer for legacy branch, forks with 2.2.1 support exist.
pkcs15-init -E
to erase thenpkcs15-init -C
to create a filesystem, PIN, and PUK. Thenpkcs15-tool
for any further operations.
- GidsApplet
- Also compatible with Windows built-in drivers, for most features.
- Requires Java Card 2.2.1 or newer.
gids-tool --initialize
to initialize, set 48-char hex string as admin key, and set a user pin. Thengids-tool
,pkcs15-init
, andpkcs15-tool
for any further operations.
- SmartPGP
- OpenPGP card 3.4 implementation. Java Card 3.0.4 or newer.
- Serial number is embedded in the applet ID: see how to set the serial number at install time using
gp
. - Use CLI tool in its source repo to set key size, then
openpgp-tool
orgpg --card-edit
to set up.
- PivApplet
- PIV (NIST SP 800-73-4) compatible JavaCard applet.
- JavaCard 2.2.2 or newer.
- MuscleApplet (deprecated)
Things to consider when buying JavaCards, please have a look at JavaCard Buyer's Guide
After you have fetched a suitable applet for your card (pay attention to JavaCard version and card peculiarities like Cyberflex cards), you'll need to load the software to the card. Here's how to do it.
A GlobalPlatform compliant software is needed for loading the applet to the card. Card vendors also provide tools for loading applets but also open source alternatives exist.
- GlobalPlatformPro - https://github.com/martinpaljak/GlobalPlatformPro - requires Java 1.8+
The following Open Source applets are fully supported for use and initialization with OpenSC:
- https://github.com/vletoux/GidsApplet
- https://github.com/philipWendland/IsoApplet
- https://github.com/Yubico/ykneo-openpgp
- https://github.com/arekinath/PivApplet
Open source applets possibly usable (with some work) with OpenSC:
- CoolKey Applet (MuscleApplet fork)
- JavaCardSign PKCS#15 applet
- OpenPGP applet:, related wiki page and a somewhat matching
javax.smartcardio
GUI
Other interesting applets:
- MRTD (biometric passport) applet, from JMRTD
- ISO18013 driving license applet
- Web server in Java Card
List of Java Card open source applets can be found at https://github.com/crocs-muni/javacard-curated-list.