X.509 Certificates on Java Card

Hi,
I'm a newbie on this and am looking for any help I can get.
I am wanting to store or generate an X.509 certificate securely on a Java Card for an application which either requests the certificate or gets details from the certificate to the application.
I am currently using keytool to generate certs to get an idea of things. I have no hardware (card/reader) and am currently reliant on SUN's jcwde.
I have looked for proprietary Java Card APIs on X.509 and found nothing on this. So I guess I will have to write my own code to do the job using the standards involved.
What I guess I'm looking for is anyone out there to tell me whether it is feasible to do what I wish and any pointers on how to go about it.
Thanks in advance ...

You can't generate a cert on the card because of the technology of certs. Of course, you can store them on the card. It's up to your design how to store it. For example, you might want to store it in PKCS#15 format, or just raw data format, or actually importing the private key using the JC API. Keep in mind you can generate keys on card using the JC API.
What you are describing is very common with PKI solutions that need a secure token. The smart card is that token.

Similar Messages

  • Java Card & X 509 certificates

    Hi,
    i have a question about using Java Card with X.509 Certificates (including Attribute Certificates RFC 3281).
    I already have some experience with JC 2.1.1. I have implemented applets for storing files and retrieving them (deployed on card using GemXplore Developer Kit)
    and then managed the communication between off card application using the OCF 1.2.
    But that was back in 2004. From what i see now OCF has been abandoned.
    What i want to implement now is to load Certificates on Java Card (and store files as well).
    I read that in order to manage Certificates, I have to use a PKCS 11 API (like Bouncy Castle or IAIK). Does this substitute OCF? I remember OCF was complementary to PKCS 11.
    And if it does, can I use such an API to read and write other files except from Certificates? Finally, does it treat Attribute Certificates (AC) the same as PKI Certs?
    In case you need clarifications, I'll be happy to provide them. Thank you in advance
    John

    I think you can store keys and data to sign in the same applet. data is just data, it won't auto interfere.
    About javacard 3, I think this is a very polemic subject. To feed the troll, I'll say that I'm working in a smart card company that has done cards for many years. Since the beginning, I can say. All my colleagues and I think that javacard 3 is an evil. APDUs ARE card-ish and a good thing for such small CPUs. Javacard 3 has been made by Sun under pressure of telcos that don't want complicated things, and are big specification fans, that never wrote a line of code. Javacard 3 will put a big overhead on card response time: as of now, there are many abstraction levels to cross to execute bytecode, and servlets and (don't know what will replace APDUs) will increase transaction times.
    Cards are cards, not web servers. For us, public transportation sector guys, javacard 3 is a frankenstein. We want speed and low level access. We don't care about J2EE.
    Just don't tell me about the increased mem and power of new cards. How much will they cost? A javacard is already expensive, they will not get cheaper, and this will not help spreading javacards.
    People working in the J2EE world will code for javacard 3 like they do for mainframes. They will require more powerful cards just because they're too lazy to code correct embedded software. Can you imagine that? Maybe javacard 4 will require a heatsink on cards.
    this is a very personal opinion of course ;)

  • APDU for X.509 Certificate

    Would like to understand APDU commands necessary to read X.509 Certificate from CAC card. Have ActivCard document describing "PKI Applet Specification", and believe I must first perform "Install" (CLA:84, INS:E6) then "PIN Verify" (CLA:80, INS:20) then presumably can read EF 02FE, which is the certificate.
    My implementation of "Install", only using "make selectable", returns 6985, "conditions of use not satisfied".
    And my implementation of "PIN Verify" returns 6D00, "unknown instruction given in the command".
    Any sample APDU code for getting the X.509? Thanks.

    I have the ActivCard SDK, and I have run their acbsi_sample.exe program, which reasonably interacts with a Navy issued CAC card, for which I know the PIN.
    Even with the SDK, which implements BSI, I remain ignorant of how to verify PIN and then read the X.509 Certificate. The demo program has no option to do either.
    I am quite aware of the GSCISV2-0.pdf document. It identifies the CAC RID as A000000079 and the "PKI Certificate Container" as FID 02FE.
    Using the ActivCard BSI demo program, I can interrogate that AID but cannot access any tag, all attempts to "read data value" returning "data value length: 0". Furthermore, as stated above, I see no way to verify PIN, and the GSCISV2-0.pdf clearly states that access to the "PKI Certificate Container" is "PIN always".
    Would be most grateful for any assistance you can provide.

  • Plz Help! How to Store digital certificate on to java card?

    We are working on java cards.......
    But i don't know how to store digital certificate on to java card?
    Any "step-by-step procedure" to follow after getting the certificate will be appreciated.....
    Plz any relative information if u have do reply...............
    Its urgent..............
    Thanks in advance..........

    I'm not understanding the confusion. Instead of storing a picture you are storing a certificate. Treat it as a blob of data. You will send data, approx 250 bytes in length, then send the next blob beginning from previous offset, etc. On the card, you store data into a large byte array beginning at the offsets. Read the picture sample again.
    You would generate the key pair using the KeyPair class. Send that public key to the CA and store the cert returned from the CA.
    If you are attempting PKCS#15, I wouldn't go that route until you understand Java Cards and the PKCS specification.
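
    The chunked write described in the reply above, sketched as a Java Card applet (an added example, not code from the thread or from any SDK sample). The class name, package, INS values and the 2048-byte limit are assumptions; P1|P2 carries the offset, each chunk is assumed to fit in the APDU buffer, and no PIN or secure-channel check is shown because loading is assumed to happen during personalization in a trusted environment.

    ```java
    package certstore; // hypothetical package name

    import javacard.framework.APDU;
    import javacard.framework.Applet;
    import javacard.framework.ISO7816;
    import javacard.framework.ISOException;
    import javacard.framework.Util;

    public class CertStoreApplet extends Applet {
        // Assumed values, not taken from any specification.
        private static final byte INS_WRITE_CERT = (byte) 0x10;
        private static final byte INS_READ_CERT = (byte) 0x12;
        private static final short MAX_CERT = (short) 2048;

        private final byte[] cert = new byte[MAX_CERT]; // persistent array
        private short certLen;                          // bytes stored so far

        private CertStoreApplet() {
            register();
        }

        public static void install(byte[] bArray, short bOffset, byte bLength) {
            new CertStoreApplet();
        }

        public void process(APDU apdu) {
            if (selectingApplet()) {
                return;
            }
            byte[] buf = apdu.getBuffer();
            byte ins = buf[ISO7816.OFFSET_INS];
            short offset = Util.getShort(buf, ISO7816.OFFSET_P1); // P1|P2 = offset
            if (ins == INS_WRITE_CERT) {
                writeChunk(apdu, buf, offset);
            } else if (ins == INS_READ_CERT) {
                readChunk(apdu, offset);
            } else {
                ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
            }
        }

        private void writeChunk(APDU apdu, byte[] buf, short offset) {
            short len = apdu.setIncomingAndReceive(); // whole chunk assumed received
            // Accept only a restart (0) or the next sequential offset, in bounds.
            if (offset < 0 || (offset != 0 && offset != certLen)
                    || len > (short) (MAX_CERT - offset)) {
                ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
            }
            // certLen changes only after the copy, so a tear keeps the old length.
            Util.arrayCopyNonAtomic(buf, ISO7816.OFFSET_CDATA, cert, offset, len);
            certLen = (short) (offset + len);
        }

        private void readChunk(APDU apdu, short offset) {
            if (offset < 0 || offset > certLen) {
                ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
            }
            short le = apdu.setOutgoing();
            short remaining = (short) (certLen - offset);
            if (le > remaining) { le = remaining; }
            apdu.setOutgoingLength(le);
            apdu.sendBytesLong(cert, offset, le);
        }
    }
    ```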

  • Verify a X.509 Certificate with Bouncy Castle and Java ME

    Hi,
    Can anybody point me to an example of verifying a X.509 certificate with Bouncy Castle under Java ME?
    I can see how to easily do it in Java SE code with java.security.cert.Certificate.verify(), but I could not find an equivalent method in the lightweight API.
    Any help is much appreciated.
    Best regards,
    iobytrap

    That's a shame. I'm afraid I don't have any solutions, but I am interested if you find one. If you solve your problem, please post back here. In the meantime I'll keep looking around. Have you considered non-free software? IAIK has some fairly complete Java libraries for $$$, though I'm not sure what they have for JME.
    EDIT:
    Yes, they have a library for JME and it has an X509Certificate class. Here are the javadocs.
    Edited by: ghstark on Apr 17, 2010 2:14 PM

  • Java Card, Web Start and 2 certificates

    I have a WebStart application that is required to use client certificates. These certificates come from a user's Smart Card that gets put into Internet Explorer. WebStart will automatically grab the certificate and send it to the server.
    My problem comes when there are 2 certificates that fit the profile. In that case, a dialog pops up asking the user to pick 1. It comes up with just about every new connection made back to the server.
    The way I see it, my options are:
    1) Try to reuse connections, extend keep-alive so not too many connections are made.
    2) Try to get the certificates from Internet Explorer manually and pass one of them with the connection
    or
    3) Read the certificate directly from the Card and pass it along.
    I've been trying #1 for a while now, and it doesn't get too much better.
    Any ideas?

    I'll have to check. I'm not running the system, so I don't have any control over this.
    If it is, should I grab it out of there?
    I'm sorry, Java Card and certificate programming is new to me, so...
    The code required to grab the certificate out of the Microsoft Certificate Store would be OS-dependent? If I grab the certificate directly off the card, would that be OS-independent?
    Is this true?

  • Java card certificate

    How do I store a certificate on a Java Card 2.1.1 compatible card?
    I do not know how to do it without RMI, which is there in 2.2.2.
    Please advise

  • Java Crypto - X.509 Certificate - DER encoded to Base64

    How to convert DER encoded X.509 Certificate to Base64 encoded X.509 Certificate?

    One way is to use the keytool utility supplied with the jdk. My keystore is already set up so you may have some additional steps beyond what I show below.
    First import the DER encoded certificate:
    keytool -import -alias tempaliasname -file file.der (you will be prompted for the keystore password)
    Then export to Base64:
    keytool -export -alias tempaliasname -file file.cer -rfc (you will be prompted for the keystore password)
    That will give you the Base64 version of your certificate.
    You can use the keytool -delete command to delete the key from your keystore if you want.
    Bruce
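
    The same DER to Base64 conversion done directly in Java, without importing the certificate into a keystore as a trusted entry (an added example, not part of the original reply). The class name DerToPem and the two command-line arguments are assumptions; the input is parsed first so that a file that is not a valid X.509 certificate is rejected instead of being blindly re-encoded.

    ```java
    import java.io.ByteArrayInputStream;
    import java.nio.charset.StandardCharsets;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    import java.security.cert.CertificateException;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    import java.util.Base64;

    public class DerToPem {
        /** Returns the certificate in Base64 (PEM) form with 64-character lines. */
        static String toPem(byte[] der) throws CertificateException {
            // Parsing throws CertificateException if the bytes are not a certificate.
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate cert = (X509Certificate)
                    cf.generateCertificate(new ByteArrayInputStream(der));
            Base64.Encoder enc =
                    Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII));
            return "-----BEGIN CERTIFICATE-----\n"
                    + enc.encodeToString(cert.getEncoded())
                    + "\n-----END CERTIFICATE-----\n";
        }

        // Usage: java DerToPem file.der file.cer
        public static void main(String[] args) throws Exception {
            if (args.length != 2) {
                System.err.println("usage: java DerToPem <in.der> <out.cer>");
                System.exit(2);
            }
            byte[] der = Files.readAllBytes(Paths.get(args[0]));
            Files.write(Paths.get(args[1]),
                    toPem(der).getBytes(StandardCharsets.US_ASCII));
        }
    }
    ```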

  • PKI Certificates on smart cards.

    Hi techies,
    I am a Smart card operating system developer.
    I'm working on a PKI OS project,
    and I'm stuck while implementing the verify certificate command.
    Well, currently the issue I'm facing is how to store certificates on a smart card.
    I mean which file to use, which format to use (maybe X.509), and which document is relevant from an implementation point of view.
    Could anybody help me out?
    Regards,
    Rishabh Agarwal

    Hi Polat,
    Thanks for the reply, as I thought I wouldn't have any reply.
    Well, I am talking about a native card, not a Java Card, but I think it doesn't make any difference, as at application level both are the same (different at implementation level, not application level).
    So here I got some clue after searching material and brainstorming... we need to read the following documents:
    1) PKCS#1 v2.1
    2) PKCS#15
    3) PKCS#7 (maybe, as I haven't gone through it yet)
    I am almost ready with my OS for the native card and have tested some of its features except those related to certificates...
    Now I want to test it with some CSP application; I don't know how it will go... I'm trying to get some demo CSP code which I can change, and test my card by integrating it with some Windows applications.
    If you have any clue about the above-mentioned, then please let me know.
    and please ask if you need any help from my side
    Regards
    Rishabh Agarwal

  • Certificates and smart cards

    Is it possible to store a certificate on a smart card using Java Card technology? All I want to do is write the bytes to the card and read the bytes from it. I don't want anything per se to execute on the card. Is this possible?

    Yes, you can operate any Java Card like a normal smart card. That means you don't identify a Java Card from its aspect at all, because a Java Card transmits/accepts APDUs/responses the same as a non-Java Card.
    Don't hesitate to contact me if you have any questions: [email protected]
    Chen Song
    P.R.China

  • How to pass x.509 certificate in my request...

    Hi all,
    Can any one of you tell me how to create a x.509 certificate?? and how to pass it in my request???
    Thanks in advance
    Manoj Nair....

    Thanks a lot abhishek but I couldn't make out any thing.
    What I have seen in one of the ppts is that no coding is required for sending the certificate in the request.
    Can you help me with how I would go about it regarding the above??
    The thing is, I have created a Java keystore and it fetched me a self-signed certificate.
    The thing is, how would I send this certificate in my request... and you know that there is a policy step like "verify certificate" wherein it asks for the keystore.
    I have given my keystore location.
    When I tried to test the page, it showed an error like "verification of certificate failed"
    When I saw my gateway logs, it spoke something like;
    'certificate is not presented in the request'
    'no matching certificate is found in the keystore'
    'verification of certificate failed'
    It is evident from the first two statements of the gateway log that there is no certificate coming in the request. Had there been certificate, it would have tried to match the certificate with the certificate that is in the keystore and would have verified it. But here it is not the case... I am not able to send in the certificate in my request...
    Can you tell me out how to go about this...
    one more question.......
    is the self-signed certificate that is created by the keytool utility written in x.509 certificate standard or not?

  • Java Card headache

    Hi, I am doing my final year project on Java Card and I have the software installed (java_card_kit-2_2_1, OCF 1.2, j2sdk1.4.1). I'm using Schlumberger Cyberflex Access Toolkit 4.4 and I already have the e-gate USB token. The problem is that I'm not sure how I should start developing my application. I planned to do online cash withdrawal which can download cash from the bank account directly to the smart card. Can anybody help me with this? Where should I start from? I really need help, and please feel free to mail me. My email is [email protected] u very much.

    You are trying to run before you learn to walk. Learn the Java Card architecture. If you don't learn these things first, you'll be asking how to write the applet, how to generate key pairs, how to create memory in EEPROM, how to send commands to the applet to store large data sizes over 256, etc. Take one step at a time!
    To answer your question: Depends on your solution. If you are using certs for digital signing, you should generate the signing keys on the card and send a CSR with the public key. Store the signing cert on the card. PKCS#15 is the standard, but time consuming to implement on a Java Card, so I recommend just a buffer and handle it off card. For encryption certs, you can generate the key pair off card and store the certificates on the card.
    CA questions should be directed to the Security Forum.
    HTH !

  • Help about running Java Card developement Kit Demo

    I am following the Java Card development kit step by step. I have set all environments but I could not run the demo at all. D:\JAVACARD\SAMPLES\SRC\DEMO>
    If I type "jcwde jcwde.app" at the demo directory, it tells me that jcwde is not an internal or batch file command. When I copied the jcwde.bat from the bin directory to the demo directory, it ran but with a lot of errors.
    I will be glad if somebody can help me overcome this initial and very important step in my adventure into smart cards.
    Thanks

    Thanks everybody for their contributions and suggestions. I have been able to make the demo work apart from demo1, which still gives problems.
    If I type jcwde jcwde.app, it gives me the following errors.
    Java Card 2.2 Workstation Development Environment (version 0.18).
    Copyright 2002 Sun Microsystems, Inc. All rights reserved.
    jcwde is listening for T=0 Apdu's on TCP/IP port 9,025.
    Exception in thread "main" java.lang.IllegalAccessError: class javacard.framework.JCWDEDispatcher cannot access its superclass javacard.framework.Dispatcher
    at java.lang.ClassLoader.defineClass0(Native Method)
    at java.lang.ClassLoader.defineClass(ClassLoader.java:509)
    at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:123)
    at java.net.URLClassLoader.defineClass(URLClassLoader.java:246)
    at java.net.URLClassLoader.access$100(URLClassLoader.java:54)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:193)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:186)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:265)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:262)
    at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:322)
    at com.sun.javacard.jcwde.Main.run(Main.java:77)
    at com.sun.javacard.jcwde.Main.main(Main.java:141)

  • Does Java Card 2 API support all the smart card?

    Does the Java Card 2 API support all smart cards? I guess all Java Cards are smart cards, but not all smart cards are Java Cards. So the Java Card 2 API supports only Java Cards. It does not support all smart cards. Please somebody let me know whether I am correct or not, because I want to make an application which supports all smart cards. I am confused whether I have to use the JavaCard API or OCF or any other framework/API. Please help me. Thanks

    I am clear with Java Card.
    But I want to make an application which can verify the PIN inside the card and read the logon certificate, which is saved inside the card. Is there any framework which I can use to fulfill my simple requirement? I don't want to deal with any applet inside the card.

  • Load file to java card?

    Hi
    Is there any way to load a jks file to a Java Card?
    Please help me

    How to send a certificate file(.p12 file) into the java card?
    I am trying to send a p12 - certificate file to the smart card using javacard. Is it possible to send a file directly to java card or not? Thanks....
