Skip to content

Latest commit

 

History

History
123 lines (95 loc) · 4.54 KB

README.md

File metadata and controls

123 lines (95 loc) · 4.54 KB

NeoPGP - A robust Java Card OpenPGP applet

NeoPGP is a free and open souce Java card applet which implements the OpenPGP 3.4.1 specification. It aims to be robust, lightweight (in a sense of RAM consumption) and highly configurable. The applet supports ECC as well as RSA keys.

Prior Work

So, why yet another OpenPGP applet?

Only SmartPGP supports ECC keys, all the other applets only support RSA keys. SmartPGP on the other hand use dynamically allocated memory. On a Java Card, all objects are allocated in non-volatile memory, not in RAM. While the API offers a manual garbage colletion via JCSystem.requestObjectDeletion(), this is (a) optional and (b) apparently broken on some cards1. Thus it is not possible to return any allocations to the OS. If the applet will drop a reference to an object this memory is leaked forever. It is good practice to only allocate memory during the applet installation, that is preallocate any object which will ever be used by the applet. This is exactly what NeoPGP is doing. There are no uses of the new operator (or calls to factory functions) outside of an object constructor and all objects are created during the .install() hook.

Features

  • Pre-allocated resources
  • Resources consumption configurable during applet registration
  • Generate keys on card
  • Key algorithm changable
  • Key import
  • Support for RSA keys
  • Support for ECC keys
  • KDF support
  • Get Challenge command support
  • Private DOs
  • AES encryption/decryption
  • Per signature request PIN verification
  • Cardholder Certificates (DO 7F21)
  • SmartPGPs secure messaging

Build it yourself

You have to download a java card development kit, either from the offical source or by cloning the handy git repository. Set the environment variable JC_HOME to the SDK you want to use.

The latest SDK v3.1 will support newer java compiler and still can generate code for the 3.0.x java cards.

export JC_HOME=/path/to/jcsdk
ant

If everything is successful, there will be a NeoPGPApplet.cap.

Installation

You can use GlobalPlatformPro to install the NeoPGPApplet.cap onto your smart card. E.g.

java gp.jar -install NeoPGPApplet.cap

Configuration Parameters

NeoPGP is highly configurable. During applet installation you can choose the supported key and quirks that are needed for your card, can be enabled.

Parameter Bitmask Description
00010000 RSA-2048 support
00020000 RSA-3072 support
00040000 RSA-4096 support
00080000 NIST P-256 support
00100000 NIST P-384 support
00200000 NIST P-521 support
00400000 Brainpool P-256 support
00800000 Brainpool P-384 support
01000000 Brainpool P-512 support
02000000 secp256k1 support
00000001 Disable transaction during key generation
00000002 Turn on KDF by default
00000004 Disable tag and length field for GET DATA on the KDF DO

Working Cards

Java Card Parameters Notes
JCOP J3R180 (DI) 03f90000 [1]
JCOP J3R180 4K RSA (DI) 03ff0000 [1]
ACOSJ 40K (DI) 00d80001 [2], [3]
  • [1]: 3k/4k-RSA needs special pre-personalization and is not always available.
  • [2]: Only ECC, because no ExtendedLength support.
  • [3]: ECC up to 384bits.

License

The license is the GPLv3+, see COPYING.

Please note, that if you use this applet in commercial products, the GPLv3 demands that the user can modify the source code and replace the applet on the smart card. Therefore, you probably have to supply the user with the security key of the smart card.

Footnotes

  1. https://stackoverflow.com/questions/28147582/ implies that the garbage collention might brick the whole card and should only be used in secure environment, i.e. during card production.