
I'm actually working on a project that uses an SD card (a smart card using Java Card technology) to realize some functions, for example doing a mutual authentication with another card (client). So I wrote some Java Card applets, but now I have a problem:

From those references in the card spec or the GlobalPlatform spec, I didn't find a way to reuse the key ON CARD (NOT create a key repository on the off-card side). Firstly I tried to find some methods in the available API, but I haven't found them; then in fact I have to write the program in a Java Card applet, so how can I retrieve/access/use the existing keysets ON the card, in order to use them for crypto in authentication?

Can anyone help?

vivi
  • Two close votes already without any explanation to a new user, for a question that is acceptable (if badly written) for persons that know global platform. Please don't hit close without a comment. Welcome, liu. – Maarten Bodewes Jul 01 '12 at 23:38

2 Answers


Just save the key into a variable in your applet. By default all variables are persistent.

You can of course implement import/export functions that allow you to install an existing key pair into an applet after applet installation.

Update

Don't deal with the Security Domains - if you want to access a key from within your applet, store it inside.

For example, using an RSA key you can import it field by field (e.g. modulus and exponent for an RSA public key). For importing you have to transmit everything in byte[] form. Then the byte array can be transferred to the card using one or multiple APDUs. Multiple APDUs are necessary if the byte array is too long for the payload data of one APDU.

Once you have the data for the exponent or modulus transferred, you can create the public key instance and then set its components.

// KeyBuilder.buildKey(byte keyType, short keyLength, boolean keyEncryption) returns a Key;
// the public RSA key type is KeyBuilder.TYPE_RSA_PUBLIC, so cast the result.
RSAPublicKey pub = (RSAPublicKey) KeyBuilder.buildKey(KeyBuilder.TYPE_RSA_PUBLIC, KeyBuilder.LENGTH_RSA_1024, false);
pub.setExponent(...); // setExponent(byte[] buffer, short offset, short length)
pub.setModulus(...);  // setModulus(byte[] buffer, short offset, short length)

If you save the created RSAPublicKey instance in a field variable of your applet class, you can be sure that it is saved persistently.

The same way you can create private keys and keys for other crypto algorithms.

Robert
  • Thank you for the reply, but can you explain more clearly? "import/export"? Do we realize it in Java Card applet code? But by using which method in the Java Card API? Excuse me, but I am just a bit new to this domain (in fact now we have a tool/software where we can add a new key in the Security Domain on the SD card directly, so at present we want to use these keys directly, and not create them in our code by crypto methods). – vivi Jun 28 '12 at 15:16
  • Yes, I saw in the API too, there are lots of methods to deal with key operations; but does it mean that the key database that I create on the card in the software cannot be reused later in my code?? But what is the interest of that software then? Furthermore, for example, there are also Java/C++ applications of GlobalPlatform for this type of Java Card, with which we can execute PUT KEYS / STORE DATA / install applets etc. on the SD card. If what they put inside the card cannot be used later in a program, isn't it strange to make such an effort? – vivi Jun 28 '12 at 16:01
  • They *can* be reused, as I wrote in my answer, but not directly. They are normally only used for "personalization". The global platform keys are otherwise used to *manage* the applets on the card (e.g. the MAC key is normally required to upload the applet to the card). See the GlobalPlatform specifications for more information. – Maarten Bodewes Jun 30 '12 at 10:55
  • As far as I know, the only way to use the SD keys in the applet is to delegate secure messaging to the SD by using `org.globalplatform.SecureChannel` obtained by `org.globalplatform.GPSystem.getSecureChannel()`. – vlp Aug 18 '15 at 22:52
  • Nothing prevents you from using the same API (i.e. PUT KEY) for key management of your applet. But you have to implement it yourself. – vlp Aug 18 '15 at 22:55

There is no mechanism for a Java card applet to create a Java Key object from a key that was PUT to the associated Security Domain. The GP services available to the applet are from the org.globalplatform.GPSystem class, including access to a secure channel, cardholder verification, locking the card, and a few others. Java card applets on the device can also publish their own services.

An applet can be loaded via the Issuer Security Domain (ISD), whereupon it is associated with that security domain. It thereby gains access to a secure channel implementation, based on the ISD keys.

The org.globalplatform.Application.processData() method will handle STORE DATA APDUs before the applet is made selectable. See section 7.3.2 of the GP Card Specification v2.3.1. After the applet is made selectable, the applet can handle the secure channel APDUs and delegate the secure channel implementation to the ISD.

If the incoming data contains key material, the applet can transfer these key bytes to Java Key objects.

Steve Mitchell
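The applet below is an added example, not code from either answer and not a GlobalPlatform or Java Card reference implementation. It ties the two answers together: Robert's field-by-field import into an RSAPublicKey held in a persistent field, and Steve's route of receiving key bytes through STORE DATA (Application.processData) or, after selection, through APDUs whose secure messaging is delegated to the Security Domain via GPSystem.getSecureChannel(). KeyImportApplet, INS_IMPORT_KEY (0x10), importedKey() and the one-byte chunk tags (0x01 modulus, 0x02 exponent, 0x03 commit) are hypothetical names and a constructed wire layout, not the GP DGI format. It assumes a card exposing org.globalplatform.Application and SecureChannel (GP API 1.5 or later), a Java Card 2.2.2 or later runtime, chunks small enough for one setIncomingAndReceive() call, and that SecureChannel.unwrap() returns the clear command length including the 5-byte header.

```java
import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.JCSystem;
import javacard.framework.Util;
import javacard.security.KeyBuilder;
import javacard.security.RSAPublicKey;
import org.globalplatform.Application;
import org.globalplatform.GPSystem;
import org.globalplatform.SecureChannel;

// KeyImportApplet (hypothetical name): assembles an RSA-1024 public key from chunks that arrive
// either via STORE DATA during personalization (the SD unwraps and calls processData) or via a
// proprietary APDU after selection, verified through the SD's SecureChannel. The key is a field,
// so it persists across sessions.
public class KeyImportApplet extends Applet implements Application {
    private static final byte INS_IMPORT_KEY = (byte) 0x10; // constructed INS, not GP-defined
    // First data byte of each chunk: constructed layout, not the GP DGI/TLV format.
    private static final byte PART_MODULUS = (byte) 0x01;
    private static final byte PART_EXPONENT = (byte) 0x02;
    private static final byte PART_COMMIT = (byte) 0x03;
    private static final short MOD_LEN = (short) 128; // 1024-bit modulus
    private static final short EXP_MAX = (short) 3;   // enough for 65537

    // Persistent state: arrays allocated here and applet fields live in non-volatile memory.
    private final byte[] modulus = new byte[MOD_LEN];
    private final byte[] exponent = new byte[EXP_MAX];
    private short modulusFilled = 0;
    private short exponentFilled = 0;
    private boolean keyReady = false;
    private final RSAPublicKey pubKey = (RSAPublicKey) KeyBuilder.buildKey(
            KeyBuilder.TYPE_RSA_PUBLIC, KeyBuilder.LENGTH_RSA_1024, false);

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new KeyImportApplet().register(bArray, (short) (bOffset + 1), bArray[bOffset]);
    }

    // GP Application.processData: reached by STORE DATA routed through the associated SD.
    public void processData(byte[] baBuffer, short sOffset, short sLength) {
        absorbChunk(baBuffer, sOffset, sLength);
    }

    // The key other applet code (e.g. a mutual-authentication handler) uses; null until committed.
    public RSAPublicKey importedKey() {
        return keyReady ? pubKey : null;
    }

    public void process(APDU apdu) {
        if (selectingApplet()) {
            return;
        }
        byte[] buf = apdu.getBuffer();
        byte ins = buf[ISO7816.OFFSET_INS];
        SecureChannel sc = GPSystem.getSecureChannel();
        // INITIALIZE UPDATE (0x50) / EXTERNAL AUTHENTICATE (0x82): SCP runs on the SD's own keys.
        if (ins == (byte) 0x50 || ins == (byte) 0x82) {
            short respLen = sc.processSecurity(apdu); // response data is left at OFFSET_CDATA
            apdu.setOutgoingAndSend(ISO7816.OFFSET_CDATA, respLen);
            return;
        }
        if (ins != INS_IMPORT_KEY) ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        // Assumption: chunks are small, so one call receives the whole Lc.
        short lc = apdu.setIncomingAndReceive();
        // Import only on an authenticated channel; unwrap() then has the SD check the C-MAC.
        if ((byte) (sc.getSecurityLevel() & SecureChannel.AUTHENTICATED) == 0) {
            ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
        }
        // Assumption: unwrap() returns the clear command length including the 5-byte header.
        short clearLen = sc.unwrap(buf, (short) 0, (short) (ISO7816.OFFSET_CDATA + lc));
        absorbChunk(buf, ISO7816.OFFSET_CDATA, (short) (clearLen - ISO7816.OFFSET_CDATA));
    }

    // Copies n bytes into a persistent staging array, refusing anything past its end.
    private static short append(byte[] dst, short filled, byte[] src, short from, short n) {
        if ((short) (filled + n) > (short) dst.length) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        Util.arrayCopy(src, from, dst, filled, n); // arrayCopy is atomic on persistent arrays
        return (short) (filled + n);
    }

    // Appends one chunk to the staging buffers; COMMIT sets both key components in one transaction.
    private void absorbChunk(byte[] src, short off, short len) {
        if (len < 1) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        short payload = (short) (len - 1);
        short from = (short) (off + 1);
        switch (src[off]) {
        case PART_MODULUS:  modulusFilled = append(modulus, modulusFilled, src, from, payload); break;
        case PART_EXPONENT: exponentFilled = append(exponent, exponentFilled, src, from, payload); break;
        case PART_COMMIT:
            if (modulusFilled != MOD_LEN || exponentFilled == 0) ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
            JCSystem.beginTransaction(); // a power loss here leaves either the old key or the new one, never a half-set key
            pubKey.setModulus(modulus, (short) 0, MOD_LEN);
            pubKey.setExponent(exponent, (short) 0, exponentFilled);
            keyReady = true;
            modulusFilled = 0;
            exponentFilled = 0;
            JCSystem.commitTransaction();
            break;
        default: ISOException.throwIt(ISO7816.SW_WRONG_DATA);
        }
    }
}
```

The point of the two checks in process() is that the applet never sees the SD's keys and never re-implements SCP: it only asks the SD whether the current session is authenticated and lets unwrap() reject a command whose MAC does not verify. Authentication code elsewhere in the applet then calls importedKey() and treats null as "not personalised yet". If the same pattern is used for a private key, the staging array should be wiped with Util.arrayFillNonAtomic() right after commitTransaction() so the raw key bytes do not linger in non-volatile memory.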