Hi folks,
I am trying to write an application that can use a keypair on a
smartcard for SSL client authentication.
I already have the program working for a certificate in a PKCS#12 file,
but am now looking for help on how to access the cards.
I have found opencard (www.opencard.org), but it does not seem to have
much information on how to do this. Have I perhaps just been too
superficial, or is this the right way to go?
Alternatively, if anyone can provide me with some sample code, it would
be much appreciated!
Ideally, I am looking for a cross-platform solution, but Windows only
solutions will also work.
Many thanks.
Rogan

Rogan Dawes
*ALL* messages to discard@dawes.za.net will be dropped, and added
to my blacklist. Please respond to "nntp AT dawes DOT za DOT net"
Michael Amling - 03 Sep 2004 16:07 GMT
> Hi folks,
>
[quoted text clipped - 13 lines]
> Ideally, I am looking for a cross-platform solution, but Windows only
> solutions will also work.
I think you need something from the vendor of the smartcard. A while
back I did some work with two keypair-on-a-smartcard vendors. They both
supplied software that used the interface described in RSA Labs' PKCS
#11 Cryptographic Token Interface, currently available at
http://www.rsasecurity.com/rsalabs/node.asp?id=2133.
--Mike Amling
Karl Scheibelhofer - 06 Sep 2004 11:48 GMT
pkcs#11 is surely preferable over opencard, because it provides a
higher-level API which hides internals of smart cards. based on pkcs#11, one
can write applications which work with almost any signature card. with
opencard, this is problematic or impossible. moreover, nearly every card
manufacturer provides pkcs#11 software for the cards, but you will hardly
find anyone supporting opencard.
you can have a look at our pkcs#11 wrapper. there is a product description
on http://jce.iaik.tugraz.at/products/14_PKCS11_Wrapper/index.php. you can
download it with full source (apache style license) from
http://jce.iaik.tugraz.at/download/evaluation/index.php after a free
registration. documentation and demo code is included. with this library,
you can access any smart card, HSM, crypto token, ....
if you want a more convenient way to access smart cards and HSMs, you may
have a look at our pkcs#11 provider
(http://jce.iaik.tugraz.at/products/15_PKCS11_Provider/index.php). it
provides access to smart cards and HSM through the standard JCA/JCE
framework of Java. this makes it simple to extend existing pure software
implementations with smart card support. the pkcs#11 provider is free for
non-commercial use. for commercial use, one needs to buy a license. a free
evaluation version can be downloaded from
http://jce.iaik.tugraz.at/download/evaluation/index.php. it contains
documentation and sample code (e.g. for SSL client authentication).
regards
Karl
--
Karl Scheibelhofer, IAIK - Graz University of Technology
Inffeldgasse 16a, 8010 Graz, Austria
Fax: +43 316 873 5520
http://jce.iaik.tugraz.at/
> Hi folks,
>
[quoted text clipped - 17 lines]
>
> Rogan
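An added example, not part of the thread and not IAIK's code: the PKCS#11 route described above, using the SunPKCS11 provider bundled with the JDK (Java 11 or later) instead of the IAIK provider. The library path is a placeholder for the card vendor's PKCS#11 module, and the class name and command-line arguments are assumptions made for illustration.

```java
import java.io.Console;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

public class SmartcardTlsClient {
    // pkcs11Library: path to the vendor's PKCS#11 module (placeholder, vendor-specific).
    static SSLContext contextFor(String pkcs11Library, char[] pin) throws Exception {
        Path cfg = Files.createTempFile("pkcs11", ".cfg");
        try {
            // Minimal SunPKCS11 configuration: a provider name suffix and the module to load.
            Files.writeString(cfg, "name = Card\nlibrary = " + pkcs11Library + "\n");
            Provider base = Security.getProvider("SunPKCS11");
            if (base == null) throw new IllegalStateException("SunPKCS11 not available in this JDK");
            Provider card = base.configure(cfg.toString());
            Security.addProvider(card); // needed so TLS signing is routed to the token
            // The "file" is the card itself: load(null, pin) logs in to the token.
            KeyStore ks = KeyStore.getInstance("PKCS11", card);
            ks.load(null, pin);
            // Same wiring as with a PKCS#12 keystore; the private key never leaves the card.
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, null); // per-key password is not used for token keys
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(kmf.getKeyManagers(), null, null); // default trust store for the server side
            return ctx;
        } finally {
            Files.deleteIfExists(cfg);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) throw new IllegalArgumentException("usage: <pkcs11-library> <host> <port>");
        Console console = System.console();
        if (console == null) throw new IllegalStateException("no console to read the PIN from");
        char[] pin = console.readPassword("Card PIN: ");
        try (SSLSocket s = (SSLSocket) contextFor(args[0], pin).getSocketFactory()
                .createSocket(args[1], Integer.parseInt(args[2]))) {
            s.startHandshake(); // client certificate is sent if the server requests one
            System.out.println("Negotiated " + s.getSession().getProtocol());
        } finally {
            Arrays.fill(pin, '\0'); // do not keep the PIN in memory longer than needed
        }
    }
}
```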
Jyrki Nivala - 15 Sep 2004 16:44 GMT
> Hi folks,
>
[quoted text clipped - 3 lines]
> I already have the program working for a certificate in a PKCS#12 file,
> but am now looking for help on how to access the cards.
That should then be enough already.
Ask your smart card vendor what CSP software they recommend.
CSP stands for cryptographic service provider. It usually provides the MS
CAPI interface (IE uses this) and the PKCS#11 API (used by Mozilla, e.g.). Once a
proper CSP is installed on a client, certificates stored on a smartcard are
shown in the browser the same way as PKCS#12 files.
One example of CSP is SmartTrust Personal:
http://www.nexus-secured.com/main/info/?main=v_stpersonal&nav=verksamhet&sub=sakrade&sub2=digital&advert=sakrade
Regards,
Jyrki Nivala
> I have found opencard (www.opencard.org), but it does not seem to have
> much information on how to do this. Have I perhaps just been too
[quoted text clipped - 9 lines]
>
> Rogan
Joseph Daniel Zukiger - 08 Oct 2004 03:48 GMT
> > Hi folks,
> >
[quoted text clipped - 9 lines]
> CSP stands for the cryptographic service provider. It usually provides MS
> CAPI interface (IE uses this) and PKCS#11 API (used by Mozilla, e.g).
What does one do when one wants to hook the card terminal up to a non-MSWxxx box?
Or is there something I'm missing here?
> Once a
> proper CSP is installed on a client, certificates stored on a smartcard are
[quoted text clipped - 19 lines]
> >
> > Rogan
Sebastian Hentschel - 15 Dec 2004 15:25 GMT
With OpenCardFrame you are on the right track.
But it is really hard to program with it.
For our CardTerminals and Signaturecards
we use SecSigner from http://www.seccommerce.com/
It works, but it does not have a really nice UI.
Hope it helps
Sebastian
> Hi folks,
>
[quoted text clipped - 17 lines]
>
> Rogan
Sebastian Hentschel - 15 Dec 2004 15:28 GMT
Ah, I forgot an important piece of information:
for OpenCardFramework you need a provider (they
call it a service) from the card terminal manufacturer
and from the signature card manufacturer.
Sebastian
> With OpenCardFrame you are on the right way.
> But it is realy hard to programm with it.
[quoted text clipped - 27 lines]
>>
>> Rogan