OpenCard Framework 1.2 Programmer's Guide - OpenSCDP
} catch OpenCard Exceptions {
    // handle exception
    ...
}
Instead of performing both of these operations (the hashing operation and the
public key algorithm) on the card, it is possible to perform the time-consuming
hashing of long messages outside the OpenCard Framework. To do this,
SignatureCardService offers two methods: signHash() and verifySignedHash().
Computing the hash value is then the responsibility of the application, and can
be performed using classes like Sun's MessageDigest in the java.security package
or subpackages. It may also make sense to perform signature verification (which
does not involve any private keys) off card using the java.security package.
Wherever the private key is needed (for example when performing signature
generation), a smart card offers tamper-proof storage to protect the private key.
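
The split described above, as an added example that is not part of the original guide or of OCF: the application hashes a long message with MessageDigest, only the hash is signed, and the signature is verified off card with java.security.Signature. A software RSA key stands in for the card's sign-hash operation, SHA-256 with PKCS#1 v1.5 padding is an assumption, and the class and method names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.security.*;
import java.util.Arrays;
import javax.crypto.Cipher;

public class OffCardHashDemo {
    // DER DigestInfo prefix for SHA-256 (PKCS#1 v1.5, RFC 8017 section 9.2)
    static final byte[] SHA256_PREFIX = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, (byte) 0x86,
        0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};

    // Host side: hash the long message in chunks, so only 32 bytes have to reach the card.
    static byte[] hashOffCard(InputStream in) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] buf = new byte[4096];
        for (int n; (n = in.read(buf)) != -1; ) md.update(buf, 0, n);
        return md.digest();
    }

    // Stand-in for the card (assumption): wrap the hash in DigestInfo and apply the
    // RSA private key operation with PKCS#1 v1.5 signature padding.
    static byte[] signHashStandIn(PrivateKey key, byte[] hash) throws Exception {
        byte[] digestInfo = Arrays.copyOf(SHA256_PREFIX, SHA256_PREFIX.length + hash.length);
        System.arraycopy(hash, 0, digestInfo, SHA256_PREFIX.length, hash.length);
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, key); // a private key selects signature-type padding
        return rsa.doFinal(digestInfo);
    }

    // Off-card verification: needs only the public key and the original message.
    static boolean verifyOffCard(PublicKey pub, byte[] message, byte[] sig) throws Exception {
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(pub);
        verifier.update(message);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] message = new byte[100_000]; // constructed sample "long message"
        new SecureRandom().nextBytes(message);
        byte[] sig = signHashStandIn(kp.getPrivate(), hashOffCard(new ByteArrayInputStream(message)));
        System.out.println("original message verifies: " + verifyOffCard(kp.getPublic(), message, sig));
        message[0] ^= 1; // flip one bit: the signature no longer matches the message
        System.out.println("modified message verifies: " + verifyOffCard(kp.getPublic(), message, sig));
    }
}
```

Because the signer only ever sees the hash, it signs whatever value the application hands it; the host code that computes the hash is part of what has to be trusted.
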
Importing keys
In addition to generating and verifying signatures, KeyImportCardService (which
extends the SignatureCardService interface) offers methods for importing keys
for asymmetric key algorithms and subsequently verifying them on the card. The
non-validating methods to import keys are importPrivateKey and importPublicKey.
In addition to the actual key data and key information, these methods take as
a parameter a key reference that identifies the storage location of the imported
key. For file-oriented cards, the key reference consists of a directory
CardFilePath object and an integer specifying the number of the key relative to
the directory. The corresponding validating methods are
importAndValidatePrivateKey and importAndValidatePublicKey. These methods make
the smart card check the integrity of the imported key by validating a signature
of the key, which is passed as an additional parameter, using another key,
indicated by the caller, for signature verification. The smart card accepts the
imported key only if this verification succeeds. The code to import and validate
a private key might look something like this:
RSACRTKey rsaPrivate = ...;
byte[] signature = ...;
byte[] keyInfo = ...;
// importAndValidatePrivateKey is declared by KeyImportCardService,
// so the reference must have that type
KeyImportCardService scs = null;
try {
    // wait for card and obtain the two card services
    // ...
    // create the private key reference for the key to be imported
    CardFilePath path1 = new CardFilePath(":3F00:C110");
    PrivateKeyFile targetKey = new PrivateKeyFile(path1, 0);
    // create the public key reference for the key to verify the signature
    CardFilePath path2 = new CardFilePath(":3F00:C200");
    PublicKeyFile valKey = new PublicKeyFile(path2, 1);
    // the card stores the key only if the signature verifies under valKey
    boolean result = scs.importAndValidatePrivateKey(targetKey,
        rsaPrivate, keyInfo, signature, valKey);
    // ...
} catch OpenCard Exceptions {
    // handle exception
    ...
}
Generating keys
In addition to working with signatures, KeyGenerationCardService (a further
extension of the SignatureCardService interface) also offers methods for
generating a key pair for a public key algorithm on the card and for reading the
public key part of the pair for use outside the card.
Chapter 4. Programming with OCF