
How do you access a keypair on a smart card?
Rogan Dawes

2004-09-03, 3:57 am

Hi folks,

I am trying to write an application that can use a keypair on a
smartcard for SSL client authentication.

I already have the program working for a certificate in a PKCS#12 file,
but am now looking for help on how to access the cards.

I have found opencard (www.opencard.org), but it does not seem to have
much information on how to do this. Have I perhaps just been too
superficial, or is this the right way to go?

Alternatively, if anyone can provide me with some sample code, it would
be much appreciated!

Ideally, I am looking for a cross-platform solution, but Windows only
solutions will also work.

Many thanks.

Rogan
--
Rogan Dawes

*ALL* messages to discard@dawes.za.net will be dropped, and added
to my blacklist. Please respond to "nntp AT dawes DOT za DOT net"
Michael Amling

2004-09-03, 4:04 pm

Rogan Dawes wrote:
> Hi folks,
>
> I am trying to write an application that can use a keypair on a
> smartcard for SSL client authentication.
>
> I already have the program working for a certificate in a PKCS#12 file,
> but am now looking for help on how to access the cards.
>
> I have found opencard (www.opencard.org), but it does not seem to have
> much information on how to do this. Have I perhaps just been too
> superficial, or is this the right way to go?
>
> Alternatively, if anyone can provide me with some sample code, it would
> be much appreciated!
>
> Ideally, I am looking for a cross-platform solution, but Windows only
> solutions will also work.


I think you need something from the vendor of the smartcard. A while
back I did some work with two keypair-on-a-smartcard vendors. They both
supplied software that used the interface described in RSA Labs' PKCS
#11 Cryptographic Token Interface, currently available at
http://www.rsasecurity.com/rsalabs/node.asp?id=2133.

--Mike Amling
Karl Scheibelhofer

2004-09-06, 8:58 am

pkcs#11 is surely preferable over opencard, because it provides a
higher-level API which hides internals of smart cards. based on pkcs#11, one
can write applications which work with almost any signature card. with
opencard, this is problematic or impossible. moreover, nearly every card
manufacturer provides pkcs#11 software for the cards, but you will hardly
find anyone supporting opencard.

you can have a look at our pkcs#11 wrapper. there is a product description
on http://jce.iaik.tugraz.at/products/...pper/index.php. you can
download it with full source (apache style license) from
http://jce.iaik.tugraz.at/download/evaluation/index.php after a free
registration. documentation and demo code is included. with this library,
you can access any smart card, HSM, crypto token, ....

if you want a more convenient way to access smart cards and HSMs, you may
have a look at our pkcs#11 provider
(http://jce.iaik.tugraz.at/products/...vider/index.php). it
provides access to smart cards and HSM through the standard JCA/JCE
framework of Java. this makes it simple to extend existing pure software
implementations with smart card support. the pkcs#11 provider is free for
non-commercial use. for commercial use, one needs to buy a license. a free
evaluation version can be downloaded from
http://jce.iaik.tugraz.at/download/...tion/index.php. it contains
documentation and sample code (e.g. for SSL client authentication).

regards

Karl

--

Karl Scheibelhofer, IAIK - Graz University of Technology
Inffeldgasse 16a, 8010 Graz, Austria
Fax: +43 316 873 5520
http://jce.iaik.tugraz.at/


"Rogan Dawes" <discard@dawes.za.net> wrote in message
news:ch96dc$p7b$1@server4.gts.cz...
> Hi folks,
>
> I am trying to write an application that can use a keypair on a
> smartcard for SSL client authentication.
>
> I already have the program working for a certificate in a PKCS#12 file,
> but am now looking for help on how to access the cards.
>
> I have found opencard (www.opencard.org), but it does not seem to have
> much information on how to do this. Have I perhaps just been too
> superficial, or is this the right way to go?
>
> Alternatively, if anyone can provide me with some sample code, it would
> be much appreciated!
>
> Ideally, I am looking for a cross-platform solution, but Windows only
> solutions will also work.
>
> Many thanks.
>
> Rogan
> --
> Rogan Dawes
>
> *ALL* messages to discard@dawes.za.net will be dropped, and added
> to my blacklist. Please respond to "nntp AT dawes DOT za DOT net"
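
An added example, not part of any post in this thread and not IAIK's code: the PKCS#11-through-JCA approach described above, swapping the PKCS#12 keystore for a token-backed one. It uses the JDK's built-in SunPKCS11 provider instead of the IAIK provider, and assumes Java 11 or later and a vendor PKCS#11 module whose path is passed on the command line; the class name and the `Card` label are made up for the illustration.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public class SmartCardClientAuth {

    /** Builds an SSLContext whose client key lives on the PKCS#11 token. */
    static SSLContext contextFor(Path pkcs11Module, char[] pin) throws Exception {
        // SunPKCS11 configuration: a label plus the vendor's PKCS#11 module.
        Path cfg = Files.createTempFile("pkcs11", ".cfg");
        Files.writeString(cfg, "name = Card\nlibrary = " + pkcs11Module + "\n");

        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) throw new IllegalStateException("SunPKCS11 not available in this JRE");
        Provider p11 = base.configure(cfg.toString());
        Security.addProvider(p11); // JSSE must find the token's signature implementation

        // Replaces KeyStore.getInstance("PKCS12") + load(stream, password):
        // there is no file to read, the PIN logs in to the token.
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, pin);

        // Private keys stay on the card; the key manager holds only handles,
        // and the handshake signature is computed by the token itself.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pin);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // default trust store and RNG
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1 || System.console() == null) {
            System.err.println("usage: SmartCardClientAuth <pkcs11-module> (run from a terminal)");
            return;
        }
        char[] pin = System.console().readPassword("Token PIN: ");
        try {
            SSLContext ctx = contextFor(Path.of(args[0]), pin);
            System.out.println("Client-auth context ready: " + ctx.getProtocol());
        } finally {
            Arrays.fill(pin, '\0'); // do not leave the PIN in memory longer than needed
        }
    }
}
```

The returned context's `getSocketFactory()` can be used wherever the PKCS#12-based socket factory was used before.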



Jyrki Nivala

2004-09-15, 4:01 pm


"Rogan Dawes" <discard@dawes.za.net> wrote in message
news:ch96dc$p7b$1@server4.gts.cz...
> Hi folks,
>
> I am trying to write an application that can use a keypair on a smartcard
> for SSL client authentication.
>
> I already have the program working for a certificate in a PKCS#12 file,
> but am now looking for help on how to access the cards.


That should then be enough already.

Ask your smart card vendor what CSP software they recommend.
CSP stands for cryptographic service provider. It usually provides the MS
CAPI interface (IE uses this) and the PKCS#11 API (used by Mozilla, e.g.). Once a
proper CSP is installed on a client, certificates stored on a smartcard are
shown in the browser the same way as PKCS#12 files.

One example of CSP is SmartTrust Personal:
http://www.nexus-secured.com/main/i...&advert=sakrade

Regards,
Jyrki Nivala
>
> I have found opencard (www.opencard.org), but it does not seem to have
> much information on how to do this. Have I perhaps just been too
> superficial, or is this the right way to go?
>
> Alternatively, if anyone can provide me with some sample code, it would be
> much appreciated!
>
> Ideally, I am looking for a cross-platform solution, but Windows only
> solutions will also work.
>
> Many thanks.
>
> Rogan
> --
> Rogan Dawes
>
> *ALL* messages to discard@dawes.za.net will be dropped, and added
> to my blacklist. Please respond to "nntp AT dawes DOT za DOT net"




Joseph Daniel Zukiger

2004-10-08, 3:57 am

"Jyrki Nivala" <jyrki.nivala@invalid.invalid> wrote in message news:<TrZ1d.218$AA4.169@read3.inet.fi>...
> "Rogan Dawes" <discard@dawes.za.net> wrote in message
> news:ch96dc$p7b$1@server4.gts.cz...
>
> That should then be enough already.
>
> Ask your smart card vendor what CSP software they recommend.
> CSP stands for cryptographic service provider. It usually provides the MS
> CAPI interface (IE uses this) and the PKCS#11 API (used by Mozilla, e.g.).


What does one do when one wants to hook the card terminal up to a non-MSWxxx box?

Or is there something I'm missing here?
> Once a
> proper CSP is installed on a client, certificates stored on a smartcard are
> shown in the browser the same way as PKCS#12 files.
>
> One example of CSP is SmartTrust Personal:
> http://www.nexus-secured.com/main/i...&advert=sakrade
>
> Regards,
> Jyrki Nivala
Sebastian Hentschel

2004-12-15, 4:00 pm

With OpenCard Framework you are on the right way.
But it is really hard to program with it.
For our CardTerminals and Signaturecards
we use SecSigner from http://www.seccommerce.com/

It works, but it does not have a really nice UI.

Hope it helps
Sebastian

Rogan Dawes wrote:
> Hi folks,
>
> I am trying to write an application that can use a keypair on a
> smartcard for SSL client authentication.
>
> I already have the program working for a certificate in a PKCS#12 file,
> but am now looking for help on how to access the cards.
>
> I have found opencard (www.opencard.org), but it does not seem to have
> much information on how to do this. Have I perhaps just been too
> superficial, or is this the right way to go?
>
> Alternatively, if anyone can provide me with some sample code, it would
> be much appreciated!
>
> Ideally, I am looking for a cross-platform solution, but Windows only
> solutions will also work.
>
> Many thanks.
>
> Rogan

Sebastian Hentschel

2004-12-15, 4:00 pm

Ah, I forgot an important piece of information:
for OpenCard Framework you need a provider (they
call it a service) from the card terminal manufacturer
and from the signature card manufacturer.

Sebastian

Sebastian Hentschel wrote:
> With OpenCard Framework you are on the right way.
> But it is really hard to program with it.
> For our CardTerminals and Signaturecards
> we use SecSigner from http://www.seccommerce.com/
>
> It works, but it does not have a really nice UI.
>
> Hope it helps
> Sebastian
>
> Rogan Dawes wrote:
>