keysupport-java-api


Java API for reading, and potentially managing, smart cards with applets that conform to NIST SP 800-73 (all versions)

Overview

This code is a work-in-progress that requires additional re-structuring and direction.

The intent is to provide an API that is lightweight in order to operate on a PC/terminal as well as mobile devices with no external dependencies.

Interfacing with cards on a PC/terminal makes use of javax.smartcardio; interfacing with cards from a mobile device (Android) can occur through NFC or a Java-based USB CCID driver.

The long-term desire is to abstract the javax.smartcardio and Android NFC & USB CCID through some form of a "provider" mechanism for cross-platform use.

At this time, the code to interface via Android NFC & USB CCID is not being shared as open source.

Download & Examples

Please feel free to browse the source at:

https://code.google.com/p/keysupport-java-api/source/browse/#svn%2Ftrunk%2Fsrc%2Forg%2Fkeysupport

At this time, the code is being distributed as source only, through the Google Code hosted SVN repository. You can check out a read-only copy of the code via SVN:

svn checkout http://keysupport-java-api.googlecode.com/svn/trunk/ keysupport-java-api-read-only

The code in the following directory of the source provides some general usage examples:

~/src/org/keysupport/tests

  • CAKTest.java - Provides an example of authentication to a terminal using the Card Authentication Key.
  • CertDownload.java - Retrieves all 4 certificates from the card and pretty prints them to the console.
  • CHUIDTest.java - Retrieves the CHUID and validates the digital signature.
  • FASCNTest.java - Encodes a zero filled FASC-N and outputs in Hex to the console.
  • GetCHUIDTimed.java - Similar to CHUIDTest, only timestamps are added, and PDVAL based certificate validation to the Federal Common Policy Root CA occurs.
  • PIVReadTest.java - Example of end user authentication to the card in order to obtain PIN REQUIRED objects from the PIV Application on the card.
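
As an added illustration of the encoding that FASCNTest.java is described as performing (this is example code written for this page, not code from keysupport-java-api), the following encodes a zero-filled FASC-N and then checks its symbol parity and LRC. The class name is hypothetical, and the field widths and 5-bit symbol layout (4 data bits LSB first plus an odd-parity bit, LRC as the XOR of the preceding symbols) are assumptions taken from the published FASC-N format rather than from this API.

```java
// Added example (hypothetical class, not part of keysupport-java-api). Requires Java 11+.
public class FascnExample {
    static final int SS = 0xB, FS = 0xD, ES = 0xF; // control symbols, 4-bit values (assumed)
    // Digits per field: agency, system, credential, CS, ICI, then PI+OC+OI+POA unseparated.
    static final int[] WIDTHS = {4, 4, 6, 1, 1, 16};
    /** Encodes 32 decimal digits, given in field order, into the 25-byte FASC-N. */
    static byte[] encode(String digits) {
        if (!digits.matches("[0-9]{32}")) throw new IllegalArgumentException("need 32 digits");
        int[] sym = new int[40];
        int n = 0, pos = 0, lrc = 0;
        sym[n++] = SS;
        for (int f = 0; f < WIDTHS.length; f++) {
            for (int i = 0; i < WIDTHS[f]; i++) sym[n++] = digits.charAt(pos++) - '0';
            sym[n++] = (f < WIDTHS.length - 1) ? FS : ES;
        }
        for (int i = 0; i < n; i++) lrc ^= sym[i]; // LRC: XOR of the 39 preceding symbols
        sym[n] = lrc;
        byte[] out = new byte[25];
        int bit = 0;
        for (int s : sym) {
            int parity = 1 ^ (Integer.bitCount(s) & 1); // makes each 5-bit symbol odd
            for (int b = 0; b < 5; b++, bit++) {
                int v = (b < 4) ? (s >> b) & 1 : parity; // data bits go out LSB first
                if (v == 1) out[bit / 8] |= (byte) (0x80 >> (bit % 8));
            }
        }
        return out;
    }

    /** Returns true if every 5-bit symbol has odd parity and the LRC matches. */
    static boolean verify(byte[] fascn) {
        if (fascn == null || fascn.length != 25) return false;
        int lrc = 0;
        for (int s = 0; s < 40; s++) {
            int ones = 0, val = 0;
            for (int b = 0; b < 5; b++) {
                int v = (fascn[(s * 5 + b) / 8] >> (7 - (s * 5 + b) % 8)) & 1;
                ones += v;
                if (b < 4) val |= v << b;
            }
            if ((ones & 1) == 0) return false; // parity error in symbol s
            lrc ^= val;
        }
        return lrc == 0; // XOR over all 40 symbols, LRC included, must cancel out
    }
    public static void main(String[] args) {
        byte[] zero = encode("0".repeat(32)); // constructed sample: zero-filled FASC-N
        System.out.println(String.format("%050X", new java.math.BigInteger(1, zero)) + " valid=" + verify(zero));
    }
}
```

The verify method checks parity and LRC only; it does not confirm that the sentinels and field separators sit at their expected positions.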

All API JavaDoc can be viewed via:

~/doc/index.html

Some Important Notes

  1. The ASN.1 types, encoding, and decoding do not currently strictly adhere to rules defined in their respective RFCs. If this is desired, then external libraries can be used to suit your needs.
  2. The cryptography performed by this API (i.e., GENERAL/EXTERNAL AUTHENTICATE, signature & key generation, as well as validation) relies mostly on the underlying JCE provider and is NOT FIPS-140 validated.
  3. This API is NOT on any "approved product list", such as the GSA APL. Since it is a free open source implementation, the intent is not for it to be a product, but an educational API. Putting this API through such validation testing would potentially yield substantial costs, for which it has no revenue backing.

Contributing

At the moment there is no formal method of coordination and code maintenance. I am open to ideas!

Would you like to help? Please reach out to me! I would also like to hear from you if this is of any benefit to you, as well as desired features!

Additional API Information

Updated 07/23/2013

Internal API Dependencies:

https://lh5.googleusercontent.com/-bb4SqTYNYNU/Ue758sXheeI/AAAAAAAAMNg/UpjpPXJB9JE/w1145-h533-no/ksjava_deps.png

General Code Metrics:

https://lh3.googleusercontent.com/-jXXCJtmL6GE/Ue75_HXInMI/AAAAAAAAMNo/oQlVavs-5uc/w1147-h583-no/ksjava_metrics.png

Project Information

The project was created on Jul 23, 2013.

Labels:
Academic Java SmartCard HSPD-12 SP800-73 CAC PIV-I CIV TWIC GlobalPlatform FIPS-201 Open Source PIV API