Initialization
Before the applet can be used, it must be initialized. OpenSC in the latest version must be installed to complete this procedure.
This step cannot be skipped. Use
pkcs15-init --create-pkcs15
to create the PKCS#15 file structure in the applet's filesystem. If you plan on
using the IsoApplet in Windows using the OpenSC Minidriver, it is highly
recommended to set a serial number with the --serial parameter. Choose
a hexadecimal number (i.e. consisting of 0-9 and A-F characters) that is long
enough (16 bytes, i.e. 32 characters is recommended) and unique
among the smartcards that are to be used on
your system or in your environment.
It will ask for a PIN and a PUK. If the PUK must be set (see Configuration, you can not skip by pressing enter.
At the moment, 2048 Bit RSA keys and different ECC curves are supported. Note however that ECC currently does not support decryption or key derivation (e.g. ECDH), only signing. Only very recent versions of the Java Card API allow to sign pre-calculated hashes (3.0.4 - as far as I can tell there are no smartcards available that support this yet). If you use ECDSA, all the data to be signed will be sent to the card. For that reason, I would currently recommend to use RSA keys. However, the implementation provides a nice indication to what will be possible in the future! If you want to create an EC key, you should first find out which field lengths are supported by your smartcard. The JavaCard support test project project might be a good starting point. You can also have a look at the specification of your card or just try generating EC keys with the IsoApplet. The IsoApplet supports FP curves up to 521 bit, but I do not have a smartcard that I can use to test 384 bit curves or higher. If you know where one can obtain unlocked cards, please contact me (wendlandphilip@gmail.com).
If you did chose which key type to use, please do some tests before deploying anything. If you run into problems, you can contact me (wendlandphilip@gmail.com).
pkcs15-init --generate-key "rsa/2048" --auth-id "FF" --label "myKey" --id "1"
will generate a key with the label "myKey" and the ID 1. Use the additional
parameter -u decrypt if you want to use the key for decryption. The
generation may take some time. Also, the time may vary from key to key. Tests
have shown results up to 2.5 minutes.
Other ECC key options are:
- ec/brainpoolP192r1
- ec/brainpoolP224r1
- ec/brainpoolP256r1
- ec/brainpoolP320r1
- ec/secp192r1, nistp192, prime192v1, ansiX9p192r1
- ec/secp224r1, nistp224
- ec/secp256r1, nistp256, prime256v1, ansiX9p256r1
- ec/secp384r1, nistp384, prime384v1, ansiX9p384r1
- secp192k1 and secp256k1 as of IsoApplet 00.06.
Check the existence of the key after the generation had been completed with
pkcs15-tool --dump
Finally, you may want to read the corresponding public key from the filesystem with
pkcs15-tool --read-public-key "01" --output "publicKey.pem"
You can, of course, also generate more than one key pair!
You may upload uninterpreted files, e.g. configuration files. If the data should be protected by the user PIN, use
pkcs15-init --store-data "file.txt" --auth-id "FF" --label "myFile"
If not, omit the --auth-id "FF" part. You can download the file again by
invoking
pkcs15-tool --read-data-object "myFile" --output "welcomeBack.txt"
Delete the file with
pkcs15-init --delete-objects data --application-id "A000000063504B43532D3135" --label "myFile"
There are two different options to change the PIN:
- Change it using the old PIN:
pkcs15-tool --change-pin - Change or unblock it using the PUK:
pkcs15-tool --unblock-pin
There is no option to completely reset the applet to the pre-initialization state. You can easily reinstall the applet to accomplish this.