Cannot Generate Key inside Javacard #37
Hi, AFAIR you can set the log level with "OPENSC_DEBUG=9 pkcs15-init" (or multiple uses of verbose). Can you please post a log? It might contain sensitive data, your PIN, PUK, etc, so use dummy values.
Hi Philip, thanks for a prompt response. I am attaching the log files from when I try to initialize and when I try to create a key with debug level 9. (There is no confidentiality issue as I am trying to learn the use of smart cards in cryptography on a test setup.) Looking forward to your inputs.
Hi Philip, I have done some more research. It seems the particular variant of NXP chip used in my card (J3R200) does not seem to have on-card RSA key generation capability; I validated it by running a test with JCAlgTest. https://www.fi.muni.cz/~xsvenda/jcalgtest/table.html It seems from the table in the above link that J3R180 does seem to have key generation capability, while, looking at the AlgTest report I generated using the JCAlgTest applet, J3R200 doesn't have this capability. I am attaching the report here as well in case someone else faces a similar issue (I have also sent it to JCAlgTest so they can update their table with this card). NXP_JCOP_J3R200_ALGSUPPORT__3b_e0_00_00_81_31_fe_45_eb.csv So from the look of it, it seems I will have to buy a new card and continue my trials. In parallel, I would really appreciate it if you could guide me about whether what I am trying to achieve with IsoApplet/OpenSC is even possible (assuming no card-specific restriction). I wanted to achieve the following:
Are the above 5 steps likely to be achievable?
It seems really weird that the card does not support on-card generation, but your CSV certainly indicates that. As for 4., the private and public key are available in the smart card even without importing the certificate again. pkcs11-tool has an option "-w, --write-object Write an object (key, cert, data) to the card"; maybe this can be used to store the certificate on the card also. But this is something that we need to verify. As for 5., I am not sure about whether this works in Windows or .NET at all, to be honest. But maybe it will, through a PKCS#11/OpenSC interface.
Dear Philip, IsoApplet Team,
First of all, thank you for this excellent piece of work; it seems people will continue to benefit from this applet for a while.
I have a J3R200 Javacard which I understand is a Javacard 3.0.5. I have a contact reader, and OpenSC and GlobalPlatformPro set up on my computer to interact with the card. (J3R200 specs are defined here: https://www.mwcardtech.com/product/J3R200_J3R180_JCOP4_P71_Java_Card.html ). I have been coding for a while but I am relatively quite new to the world of smartcards and seem to have hit a roadblock when it comes to generating a private key.
My end objective is to be able to create a private key on the card, create a CSR, sign the CSR externally using OpenSSL to generate the X.509 certificate, and then import it back into the card. Later I would use the card to sign/decrypt data.
I followed all the steps in your Wiki (many thanks for the well-written documentation).
I installed the isoApplet.cap file 0.6.1 and also initialized the PKCS15 structure. After this, when I try to create a key, I hit a roadblock and cannot seem to create a key.
When I run List algorithms, here is what I get:
Here is when I run a dump:
Here is the error I get whenever I try to generate a key inside the card:
Another attempt:
When I list the mechanisms supported by my card, here is the list:
Here are things I have tried (and that didn't work):
My question is: what is causing the pkcs15init key generation to fail? Is there anything you would recommend to sort this?
Regards,
Nouman