We covered the fundamentals of JavaCard in the last two articles and completely set up a decentralized cryptography system (OpenPGP). In this one we are going to build our own PKI (CA) so that we can issue certificates such as TLS and PIV for keys held on our JavaCard.
The security and reliability of asymmetric cryptography depend crucially on the confidentiality of the private key. While the public key can be sent to anyone, it is essential that the private key is never compromised. Smartcards have their own processor, RAM and even operating system, and they are hermetically sealed from the rest of the system (i.e. the host computer, which might be compromised). The developers and manufacturers of smartcards also go to great lengths to ensure that no confidential data can be extracted from the card other than as intended, even with costly and time-consuming invasive methods such as electron microscopy.
IsoApplet and OpenSSL
The IsoApplet is one of the few PKCS#15 applets supported by OpenSC, which gives us a standard PKCS#11 interface for performing cryptographic operations with keys that are generated on the card and cannot be extracted from it.
What is PKCS#x?
PKCS#11 defines an application programming interface (API) for single-user devices that hold cryptographic information (such as keys and certificates) and perform cryptographic functions. Smart cards are typical devices that implement PKCS#11. Note that PKCS#11 defines the interface to the cryptographic functions but does not specify how the device implements them.
PKCS#15 addresses the interoperability of cryptographic tokens by defining a common format for the cryptographic objects stored on the token. Data stored on a PKCS#15 device looks the same to every application using that device, even though the card's actual internal layout may differ. The PKCS#15 implementation acts as a translator between the card's internal format and the data formats the application understands.
In short, PKCS#11 defines the API that software uses, while PKCS#15 defines how the objects are laid out on the card, which is what the host-side driver needs in order to talk to it. The PKCS#11 module is usually provided by the vendor; in our case it is OpenSC (opensc-pkcs11). OpenSSL additionally needs an engine to reach a PKCS#11 module; in our case that is the pkcs11 engine from libp11.
So first we have to install the applet:

```sh
gp --install IsoApplet.cap --key emv:<KEY>
```

Then initialize the PKCS#15 file system on the card:

```sh
pkcs15-init --create-pkcs15
```
We also have to modify the OpenSSL configuration file so that it loads the pkcs11 engine:
Note: libp11 is not shipped with the OpenSC installation; you have to download and install it separately.

```ini
[openssl_init]
```
As a quick confirmation, openssl engine -t should list the pkcs11 engine as available:

```text
(rdrand) Intel RDRAND engine
```
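A complete engine configuration of the kind the [openssl_init] fragment above belongs to, given here as an added example rather than the post's own file. The dynamic_path and MODULE_PATH locations are assumptions for a Debian/Ubuntu x86_64 install of libp11 and OpenSC with OpenSSL 3 and must be adjusted to the local paths:

```ini
# Added example: openssl.cnf glue that loads the libp11 pkcs11 engine and
# points it at OpenSC's PKCS#11 module. Both .so paths are assumptions;
# locate the real ones with: find / -name pkcs11.so -o -name opensc-pkcs11.so
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
MODULE_PATH = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
init = 0
```

On OpenSSL 3 the stock openssl.cnf already contains openssl_conf = openssl_init and an [openssl_init] section (for providers), so only the engines = engine_section line and the two sections below it need to be added. Do not put the card PIN in this file; openssl will prompt for it, or it can be passed per invocation with -passin when scripting.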
Create our PKI
First, generate the root key and certificate. The root private key should remain offline and only be used to issue intermediate CAs or to update the CRL.

```sh
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:4096 -out </path/to/key> -aes256
```
Then store the root certificate on the card (optional), generate the key of the TLS intermediate CA on the card, and produce the CSR of the intermediate CA from that on-card key. Finally, issue the intermediate certificate with the root key and store it on the card as well.

```sh
# pkcs15-init --store-certificate </path/to/root-cert> --label "Alan Trust Root CA"
```
The intermediate certificate is constrained by our intermediate-ca.cnf file: a basicConstraints path length of zero ensures that the intermediate cannot issue further CAs, and the file also specifies the URI of the Certificate Revocation List (CRL) and the AuthorityInfoAccess URI (the URL of the root certificate).

```ini
[ ca ]
```
Therefore, we can now issue end-entity TLS certificates, with the CA key addressed through the pkcs11 engine by its PKCS#11 URI:

```sh
# write the issued certificate to its own file; -out must not reuse the CA certificate's file name
openssl x509 -req -engine pkcs11 -CAkeyform ENGINE -in cert.csr -CA tls-ca-rsa-2026.crt \
  -CAkey "pkcs11:object=Alan Trust TLS CA RSA 2026;type=private" -CAcreateserial \
  -out cert.crt -extfile tls-cert.cnf -extensions tls_cert -days 365
```
The leaf certificate gets the following extension profile:

```ini
[ tls_cert ]
```
After installing the entire certificate chain into the certificate store, we have a fully functional PKI chain:

```cmd
C:\Program Files>certutil -verify C:\Users\AlanC\Downloads\test.crt D:\15_CFPages\pki.alancui.cc\tls-ca-rsa-2026.crt
```
Here are some useful extended key usage (EKU) OIDs:
- 1.3.6.1.5.5.7.3.1 = Server authentication
- 1.3.6.1.5.5.7.3.2 = Client authentication
- 1.3.6.1.5.5.7.3.3 = Code Signing
- 1.3.6.1.5.5.7.3.4 = Email Protection
- 1.3.6.1.5.5.7.3.5 = IPSec End System
- 1.3.6.1.5.5.7.3.6 = IPSec Tunnel
- 1.3.6.1.5.5.7.3.7 = IPSec User
- 1.3.6.1.5.5.7.3.8 = Timestamping
- 1.3.6.1.4.1.311.20.2.2 = Windows Smartcard Logon
- 1.3.6.1.4.1.311.80.1 = Microsoft Document Encryption
- 1.3.6.1.4.1.311.10.3.12 = Microsoft Document Signing
- 1.3.6.1.4.1.311.67.1.1 = Windows BitLocker Encryption
- 1.3.6.1.4.1.311.67.1.2 = Windows BitLocker Recovery
- 1.3.6.1.4.1.44986.2.1.1 = PIV Authentication
- 1.3.6.1.4.1.44986.2.1.0 = PIV Signature
- 1.3.6.1.4.1.44986.2.1.2 = PIV Key Management
- 1.3.6.1.4.1.44986.2.5.0 = PIV Card Authentication
For example, an S/MIME email certificate should carry the following extensions:

```ini
[ tls_cert ]
```
and a BitLocker + Windows logon certificate:

```ini
[ tls_cert ]
```
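The intermediate constraint from intermediate-ca.cnf and the three end-entity profiles (TLS, S/MIME, BitLocker + smart card logon) exercised end to end, as an added example that is not the post's own configuration or script. It builds the chain with software keys instead of the on-card intermediate key, uses placeholder names, file names and pki.example.test URLs, and then shows that a leaf issued under a CA that the pathlen:0 intermediate signed is rejected by openssl verify. Only the OpenSSL CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the original post: rebuild the three-tier chain
# with software keys so the extension profiles and the pathlen:0 constraint can
# be exercised offline. Names, file names and URLs are placeholders. In the real
# setup the intermediate key lives on the card and is addressed via the pkcs11
# engine ("pkcs11:object=...;type=private") instead of intermediate.key.
set -eu
WORK=${WORK:-$(mktemp -d)}
cd "$WORK"

# [req] keeps 'openssl req' happy without a system openssl.cnf; the remaining
# sections are the extension profiles used when signing.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ root_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ intermediate_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
crlDistributionPoints = URI:http://pki.example.test/root.crl
authorityInfoAccess = caIssuers;URI:http://pki.example.test/root.crt

[ tls_cert ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:www.example.test
authorityKeyIdentifier = keyid:always

[ smime_cert ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:user@example.test

[ logon_cert ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
# Smart Card Logon and BitLocker Drive Encryption, from the OID list above
extendedKeyUsage = clientAuth, 1.3.6.1.4.1.311.20.2.2, 1.3.6.1.4.1.311.67.1.1
# Windows maps a logon certificate to an account through the UPN otherName
subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:user@example.test
EOF

gen_key() { openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# csr NAME SUBJECT: key pair plus CSR (on the card this is pkcs15-init --generate-key)
csr() { gen_key "$1.key"; openssl req -new -key "$1.key" -subj "$2" -config ext.cnf -out "$1.csr" 2>/dev/null; }

# sign NAME ISSUER SECTION DAYS: same 'openssl x509 -req' form the post uses with the engine
sign() {
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -extfile ext.cnf -extensions "$3" -days "$4" -out "$1.crt" 2>/dev/null
}

build_chain() {
  gen_key root.key
  openssl req -new -x509 -key root.key -subj "/O=Alan Trust/CN=Alan Trust Root CA" \
    -days 3650 -config ext.cnf -extensions root_ca -out root.crt 2>/dev/null
  csr intermediate "/O=Alan Trust/CN=Alan Trust TLS CA RSA 2026"
  sign intermediate root intermediate_ca 1825
  csr tls   "/O=Alan Trust/CN=www.example.test";  sign tls   intermediate tls_cert   365
  csr smime "/O=Alan Trust/CN=user@example.test"; sign smime intermediate smime_cert 365
  csr logon "/O=Alan Trust/CN=user";              sign logon intermediate logon_cert 365
  # A CA signed by the intermediate, and a leaf under it: pathlen:0 must reject that leaf.
  csr rogue "/O=Alan Trust/CN=Rogue Sub CA";      sign rogue intermediate intermediate_ca 365
  csr under-rogue "/CN=leaf.example.test";        sign under-rogue rogue tls_cert 365
}

# verify LEAF [EXTRA_UNTRUSTED_CA]: exit 0 only if LEAF chains to root.crt
verify() {
  extra=""; [ $# -gt 1 ] && extra="-untrusted $2"
  openssl verify -CAfile root.crt -untrusted intermediate.crt $extra "$1" >/dev/null 2>&1
}

# eku CERT TEXT: exit 0 if TEXT appears in the certificate's EKU extension
eku() { openssl x509 -in "$1" -noout -ext extendedKeyUsage | grep -q "$2"; }

build_chain
verify tls.crt && verify smime.crt && verify logon.crt && echo "leaf certificates verify"
verify under-rogue.crt rogue.crt || echo "rejected: intermediate cannot delegate (pathlen:0)"
```

The rejection of under-rogue.crt is the property the intermediate-ca.cnf constraint is there to give you: even if the on-card intermediate key were misused to sign another CA certificate, relying parties that honour basicConstraints will not accept anything issued below it. Inspect any of the produced certificates with openssl x509 -in NAME.crt -noout -text to compare the extensions against the profiles above.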
The Alan Trust PKI architecture is shown in the diagram below. You can also obtain it from pki.alancui.cc. Please note that this TLS CA issues certificates for *.alancui.local or *.alancui.internal without any further domain ownership verification.

```text
O=Alan Trust
```