How do you access a keypair on a smart card?

Hi folks,

I am trying to write an application that can use a keypair on a
smartcard for SSL client authentication.

I already have the program working for a certificate in a PKCS#12 file,
but am now looking for help on how to access the cards.

I have found opencard (www.opencard.org), but it does not seem to have
much information on how to do this. Have I perhaps just been too
superficial, or is this the right way to go?

Alternatively, if anyone can provide me with some sample code, it would
be much appreciated!

Ideally, I am looking for a cross-platform solution, but Windows only
solutions will also work.

Many thanks.

Rogan
--
Rogan Dawes

*ALL* messages to discard@dawes.za.net will be dropped, and added
to my blacklist. Please respond to "nntp AT dawes DOT za DOT net"

Rogan Dawes wrote:
> Hi folks,
>
> I am trying to write an application that can use a keypair on a
> smartcard for SSL client authentication.
>
> I already have the program working for a certificate in a PKCS#12 file,
> but am now looking for help on how to access the cards.
>
> I have found opencard (www.opencard.org), but it does not seem to have
> much information on how to do this. Have I perhaps just been too
> superficial, or is this the right way to go?
>
> Alternatively, if anyone can provide me with some sample code, it would
> be much appreciated!
>
> Ideally, I am looking for a cross-platform solution, but Windows only
> solutions will also work.

I think you need something from the vendor of the smartcard. A while
back I did some work with two keypair-on-a-smartcard vendors. They both
supplied software that used the interface described in RSA Labs' PKCS
#11 Cryptographic Token Interface, currently available at
http://www.rsasecurity.com/rsalabs/node.asp?id=2133.

--Mike Amling

pkcs#11 is surely preferrable over opencard, because it it provides a
higher-level API which hides internals of smart cards. based on pkcs#11, one
can write applications which work with almost any signature card. with
opencard, this is problematic or impossible. moreover, nearly every card
manufacturer provides pkcs#11 software for the cards, but you will hardly
find anyone supporting opencard.

you can have a look at our pkcs#11 wrapper. there is a product description
on http://jce.iaik.tugraz.at/products/...pper/index.php. you can
download it with full source (apache style license) from
http://jce.iaik.tugraz.at/download/evaluation/index.php after a free
registration. documentation and demo code is included. with this library,
you can access any smart card, HSM, crypto token, ....

if you want a more convenient way to access smart cards and HSMs, you may
have a look at our pkcs#11 provider
(http://jce.iaik.tugraz.at/products/...vider/index.php). it
provides access to smart cards and HSM through the standard JCA/JCE
framework of Java. this makes it simple to extend existing pure software
implementations with smart card support. the pkcs#11 provider is free for
non-commerical use. for commercial use, one needs to buy a license. a free
evaluation version can be downloaded from
http://jce.iaik.tugraz.at/download/...tion/index.php. it contains
documentation and sample code (e.g. for SSL client authentication).

regards

Karl

--

Karl Scheibelhofer, IAIK - Graz University of Technology
Inffeldgasse 16a, 8010 Graz, Austria
Fax: +43 316 873 5520
http://jce.iaik.tugraz.at/


"Rogan Dawes" <discard@dawes.za.net> wrote in message
news:ch96dc$p7b$1@server4.gts.cz...
> Hi folks,
>
> I am trying to write an application that can use a keypair on a
> smartcard for SSL client authentication.
>
> I already have the program working for a certificate in a PKCS#12 file,
> but am now looking for help on how to access the cards.
>
> I have found opencard (www.opencard.org), but it does not seem to have
> much information on how to do this. Have I perhaps just been too
> superficial, or is this the right way to go?
>
> Alternatively, if anyone can provide me with some sample code, it would
> be much appreciated!
>
> Ideally, I am looking for a cross-platform solution, but Windows only
> solutions will also work.
>
> Many thanks.
>
> Rogan
> --
> Rogan Dawes
>
> *ALL* messages to discard@dawes.za.net will be dropped, and added
> to my blacklist. Please respond to "nntp AT dawes DOT za DOT net"

"Rogan Dawes" <discard@dawes.za.net> wrote in message
news:ch96dc$p7b$1@server4.gts.cz...
> Hi folks,
>
> I am trying to write an application that can use a keypair on a smartcard
> for SSL client authentication.
>
> I already have the program working for a certificate in a PKCS#12 file,
> but am now looking for help on how to access the cards.

That should then be enough already.

Ask from your smart card vendor that what CSP software do they recommend.
CSP stands for the cryptographic service provider. It usually provides MS
CAPI interface (IE uses this) and PKCS#11 API (used by Mozilla, e.g). Once a
proper CSP is installed on a client, certificates stored on a smartcard are
shown in the browser same way as PKCS#12 files.

One example of CSP is SmartTrust Personal:
http://www.nexus-secured.com/main/i...&advert=sakrade

Regards,
Jyrki Nivala
>
> I have found opencard (www.opencard.org), but it does not seem to have
> much information on how to do this. Have I perhaps just been too
> superficial, or is this the right way to go?
>
> Alternatively, if anyone can provide me with some sample code, it would be
> much appreciated!
>
> Ideally, I am looking for a cross-platform solution, but Windows only
> solutions will also work.
>
> Many thanks.
>
> Rogan
> --
> Rogan Dawes
>
> *ALL* messages to discard@dawes.za.net will be dropped, and added
> to my blacklist. Please respond to "nntp AT dawes DOT za DOT net"

"Jyrki Nivala" <jyrki.nivala@invalid.invalid> wrote in message news:<TrZ1d.218$AA4.169@read
3.inet.fi>...
> "Rogan Dawes" <discard@dawes.za.net> wrote in message
> news:ch96dc$p7b$1@server4.gts.cz... 
>
> That should then be enough already.
>
> Ask from your smart card vendor that what CSP software do they recommend.
> CSP stands for the cryptographic service provider. It usually provides MS
> CAPI interface (IE uses this) and PKCS#11 API (used by Mozilla, e.g).

What does one do when one wants to hook the card terminal up to a non-MSWxxx
 box?

Or is there something I'm missing here?

> Once a
> proper CSP is installed on a client, certificates stored on a smartcard ar
e
> shown in the browser same way as PKCS#12 files.
>
> One example of CSP is SmartTrust Personal:
> http://www.nexus-secured.com/main/i...&advert=sakrade
>
> Regards,
> Jyrki Nivala 

With OpenCardFrame you are on the right way.
But it is realy hard to programm with it.
For our CardTerminals and Signaturecards
we use SecSigner from http://www.seccommerce.com/

It works, but its have a not realy nice UI.

Hope it helps
Sebastian

Rogan Dawes wrote:
> Hi folks,
>
> I am trying to write an application that can use a keypair on a
> smartcard for SSL client authentication.
>
> I already have the program working for a certificate in a PKCS#12 file,
> but am now looking for help on how to access the cards.
>
> I have found opencard (www.opencard.org), but it does not seem to have
> much information on how to do this. Have I perhaps just been too
> superficial, or is this the right way to go?
>
> Alternatively, if anyone can provide me with some sample code, it would
> be much appreciated!
>
> Ideally, I am looking for a cross-platform solution, but Windows only
> solutions will also work.
>
> Many thanks.
>
> Rogan

Ah forgotten a important information
for OpenCardFramework you need an provider(they
call it service) from the card terminal manufacturer
and from the signature card manufacturer.

Sebastian

Sebastian Hentschel wrote:
> With OpenCardFrame you are on the right way.
> But it is realy hard to programm with it.
> For our CardTerminals and Signaturecards
> we use SecSigner from http://www.seccommerce.com/
>
> It works, but its have a not realy nice UI.
>
> Hope it helps
> Sebastian
>
> Rogan Dawes wrote:
>