Skip to content

Latest commit

 

History

History
77 lines (52 loc) · 4.7 KB

JavaCards.md

File metadata and controls

77 lines (52 loc) · 4.7 KB

Java Cards

OpenSC (including initialization) works with JavaCards if you have a supported applet on the card.

JavaCards can come in different flavors:

  • Empty (preferred)
  • Pre-loaded with an applet in EEPROM
  • With an applet in ROM
  • With a pre-loaded applet in a finalized state (applets can't be deleted or added).

Some cards, for example older IBM JCOP or older Cyberflex, come pre-loaded with a filesystem (PKCS#15) applet, which are of no interest in the broader context of JavaCards.

The core of OpenSC is a bunch of card drivers, both read-only drivers as well as PKCS#15 initialization drivers. It is important to realize, that all of the initialization drivers target a single card (usually proprietary) which is closely tied to the card vendor. Open source is all about providing options and being tied to a card vendor (even if the card comes with good documentation) has the same advantages and disadvantages as some popular binary-only display drivers provided by the vendor: it is not possible to change the way the card behaves. Therefore it is desirable to have open source code both inside the card and on the host computer and use JavaCards.

The main difference between "native" cards and JavaCards is the requirement to install the proper application to the card before continuing with OpenSC, which has historically been a somewhat complicated procedure and what this page tried to demystify.

List of applets OpenSC supports (can be read-only and locked cards):

  • IsoApplet
    • General PKCS#15 filesystem and PKI operations.
    • Requires Java Card 3.0.4 or newer for v1, Java Card 2.2.1 or newer for legacy branch, forks with 2.2.1 support exist.
    • pkcs15-init -E to erase then pkcs15-init -C to create a filesystem, PIN, and PUK. Then pkcs15-tool for any further operations.
  • GidsApplet
    • Also compatible with Windows built-in drivers, for most features.
    • Requires Java Card 2.2.1 or newer.
    • gids-tool --initialize to initialize, set 48-char hex string as admin key, and set a user pin. Then gids-tool, pkcs15-init, and pkcs15-tool for any further operations.
  • SmartPGP
    • OpenPGP card 3.4 implementation. Java Card 3.0.4 or newer.
    • Serial number is embedded in the applet ID: see how to set the serial number at install time using gp.
    • Use CLI tool in its source repo to set key size, then openpgp-tool or gpg --card-edit to set up.
  • PivApplet
    • PIV (NIST SP 800-73-4) compatible JavaCard applet.
    • JavaCard 2.2.2 or newer.
  • MuscleApplet (deprecated)

Supported cards

Things to consider when buying JavaCards, please have a look at JavaCard Buyer's Guide

Loading the applet

After you have fetched a suitable applet for your card (pay attention to JavaCard version and card peculiarities like Cyberflex cards), you'll need to load the software to the card. Here's how to do it.

Required software

A GlobalPlatform compliant software is needed for loading the applet to the card. Card vendors also provide tools for loading applets but also open source alternatives exist.

Interesting JavaCard applets

The following Open Source applets are fully supported for use and initialization with OpenSC:

Open source applets possibly usable (with some work) with OpenSC:

Other interesting applets:

List of Java Card open source applets can be found at https://github.com/crocs-muni/javacard-curated-list.

Resources