Package de.cardcontact.opencard.service.smartcardhsm

Class SmartCardHSMCardService

java.lang.Object

opencard.core.service.CardService

opencard.opt.applet.BasicAppletCardService

de.cardcontact.opencard.service.smartcardhsm.SmartCardHSMCardService

All Implemented Interfaces:

CHVCardServiceWithControl, CHVManagementCardService, FileSystemSendAPDU, RemoteUpdateService, DecipherCardService, KeyGenerationCardServiceWithSpec, FileAccessCardService, FileSystemCardService, CHVCardService, SecureService, CardServiceInterface, KeyGenerationCardService, SignatureCardService, APDUInterface

public class SmartCardHSMCardService
extends BasicAppletCardService
implements FileSystemCardService, CHVCardServiceWithControl, CHVManagementCardService, SecureService, KeyGenerationCardServiceWithSpec, DecipherCardService, FileSystemSendAPDU, RemoteUpdateService, APDUInterface

Class implementing a SmartCard HSM card service

Author:

lew

Nested Class Summary

Nested classes/interfaces inherited from interface de.cardcontact.opencard.service.isocard.CHVCardServiceWithControl

CHVCardServiceWithControl.PasswordStatus

Field Summary

Fields

Modifier and Type	Field	Description
static java.lang.String	ALGO_PADDING_PKCS1_PSS
static byte	CACERTIFICATEPREFIX	Prefix for CA certificates
static byte	CERTDESCRIPTIONPREFIX	Prefix for CA certificates description
static byte	EECERTIFICATEPREFIX	Prefix for EE certificates
static ObjectIdentifier	ID_KEY_DOMAIN_UID
static byte	KEYPREFIX	Prefix for private keys
static byte	PRKDPREFIX	Prefix for private key description

Fields inherited from interface de.cardcontact.opencard.service.smartcardhsm.DecipherCardService

RSA_DECRYPTION_OAEP, RSA_DECRYPTION_PLAIN, RSA_DECRYPTION_V15

Fields inherited from interface opencard.opt.iso.fs.FileAccessCardService

READ_SEVERAL

Constructor Summary

Constructors

Constructor	Description
SmartCardHSMCardService()

Method Summary

Modifier and Type	Method	Description
void	addCertToMap(java.security.cert.Certificate cert, boolean isEECertificate, byte id, java.lang.String label)	Add a certificate to the map
void	addDeviceCertificateToAliases(boolean addDeviceCertificateToAliases)	Enable or disable adding the Device Authentication Certificates to the aliases
SmartCardHSMKey	addKey(byte kid)	Add a key from device including a certificate
void	addKeyToMap(SmartCardHSMKey key)	Add a new key to the map of keys
void	appendRecord(CardFilePath file, byte[] data)	Deprecated.
void	cancel()	Cancel pending request
boolean	changeReferenceData()	Get both passwords, the current password and the new one from a callback mechanism and send it to the card.
boolean	changeReferenceData(SecurityDomain domain, int number, CHVControl cc, byte[] currentPassword, byte[] newPassword)	Change the User PIN or SO PIN.
protected void	checkSelectResponse(AppletInfo info)	Process response to applet selection and extract version number
void	closeApplication(SecurityDomain domain)	Reselect applet, thus removing any authentication state and secure channel
boolean	containsLabel(java.lang.String label)	Check if the label exists.
void	create(CardFilePath parent, byte[] data)	Create a new file.
void	deactivateSecureMessaging()	Deactivate the use of secure messaging.
byte[]	decipher(SmartCardHSMKey privateKey, byte[] cryptogram)	The device decrypts using the private key a cryptogram enciphered with the public key and returns the plain value.
byte[]	decipher(SmartCardHSMKey privateKey, byte[] cryptogram, byte algorithmID)	The device decrypts using the private key a cryptogram enciphered with the public key and returns the plain value.
void	delete(CardFilePath file)	Delete elementary files or key objects
boolean	deleteKeyDomain(KeyDomain kd)
byte[]	deriveSymmetricKey(byte keyId, byte algo, byte[] data)	Use the secret key referenced in keyId to derive a secret using the algorithm selected in algo and the derivation parameter in data
void	deriveXKEK(byte keyId, CardVerifiableCertificate puk)	Derive XKEK usingt the exchange key referenced by keyId and the peer public key The device certificate for validating the public key must have been selected with verifyCertificateChain() before.
byte	determineFreeCAId()	Determine an unused CA identifier
byte	determineFreeKeyId()	Determine an unused key identifier
byte[]	enumerateObjects()	Enumerate all currently used file and key identifier.
boolean	exists(CardFilePath file)	Determine if file exists.
boolean	externalAuthenticate(byte[] signature)	Public Key Authentication is the mechanism by which an external entity can use its private key to authenticate.
byte[]	generalAuthenticate(byte[] data)	The GENERAL AUTHENTICATE command allows the terminal to perform an explicit authentication of the device and agree secret session keys KS_ENC and KS_MAC for secure messaging.
byte[]	generateKey(byte newKeyId, SmartCardHSMSecretKeySpec spec)	Generate a new symmetric key
byte[]	generateKeyPair(byte keyId, byte signingId, SmartCardHSMPrivateKeySpec spec)	Deprecated. Signing with key other than PrK.DevAur dropped in firmware 3.0
byte[]	generateKeyPair(byte keyId, SmartCardHSMPrivateKeySpec spec)	Initiate the generation of a fresh key pair for the selected key object.
void	generateKeyPair(PrivateKeyRef privateDest, PublicKeyRef publicDest, int strength, java.lang.String keyAlgorithm)	Deprecated.
byte[]	generateRandom(int length)	Request random byte values generated by the build in random number generator.
java.util.Vector<java.lang.String>	getAliases()	Return a Vector containing all aliases that are used on the SmartCardHSM.
ChangeReferenceDataDialog	getChangeReferenceDataDialog()
java.security.interfaces.ECPublicKey	getDevAutPK()
CardFileInfo	getFileInfo(CardFilePath file)	Queries information about a file.
java.lang.String	getId()	Return the unique id for the SmartCard-HSM The ID is only available after the secure channel has been established
java.util.List<KeyDomain>	getKeyDomains()
protected static int	getLengthFieldSizeHelper(int length)	Helper function for getSize() and getLengthFieldSize()
int	getPasswordLength(SecurityDomain domain, int number)	Not implemented
CHVCardServiceWithControl.PasswordStatus	getPasswordStatus(SecurityDomain domain, int number)	Get the smartcard's password status.
java.lang.String	getProvisioningURL()
CardFilePath	getRoot()	Return the application path.
boolean	getSecurityStatus()	Get the card's security status
SmartCardHSMEntry	getSmartCardHSMEntry(java.lang.String label)	Get a Entry object
TrustStore	getTrustStore()
int	getVersion()
byte[]	importDKEKShare(byte[] keyShare)	Import a single key share of the Device Encryption Key.
byte[]	importPublicKey(CardVerifiableCertificate cert)	Import public keys for authentication.
void	initialize(byte[] config, byte[] initPin, byte[] initCode, byte retryCounter)	Initialize the SmartCard-HSM.
void	initialize(byte[] config, byte[] initPin, byte[] initCode, byte retryCounter, byte noOfShares)	Initialize the SmartCard-HSM.
void	initialize(InitializeConfiguration config)	Initialize the SmartCard-HSM.
protected void	initialize(CardServiceScheduler scheduler, SmartCard card, boolean blocking)	Instantiates a BasicAppletCardService and tie it both to its CardServiceScheduler and its using SmartCard object.
void	initSecureMessaging()	Calculate credential and set the flag for secure messaging
void	invalidate(CardFilePath file)	Deprecated.
protected boolean	isSelected(CardChannel channel)	Allow derived class to veto select if applet is already selected, e.g.
protected static void	lengthToByteArrayOutputStream(int length, java.io.ByteArrayOutputStream bos)	Encode length field in byte array
void	manageSE(byte[] data)	Select algorithms and keys for security operations.
boolean	manageSE(byte p1, byte p2, byte[] cdata)	Select algorithms and keys for security operations.
byte[]	performECCDH(SmartCardHSMKey privateKey, byte[] pkComponents)	The device calculates a shared secret point using an EC Diffie-Hellman operation.
void	provideCredentials(SecurityDomain domain, CredentialBag creds)	Deprecated.
byte[]	read(CardFilePath file, int offset, int length)	READ BINARY
java.security.PublicKey	readPublicKey(PublicKeyRef pulicKey, java.lang.String keyAlgorithm)	Deprecated.
byte[]	readRecord(CardFilePath file, int recordNumber)	Deprecated.
byte[][]	readRecords(CardFilePath file, int number)	Deprecated.
void	rehabilitate(CardFilePath file)	Deprecated.
void	removeEntry(java.lang.String label)	Remove an entry both from map and card.
void	renameEntry(java.lang.String oldlabel, java.lang.String newlabel)
boolean	resetRetryCounter(SecurityDomain domain, int number, CHVControl cc, byte[] unblockingCode, byte[] newPassword)	The device is initialized with a User PIN during device initialization.
boolean	selectPubKeyForAuthentication(byte[] chr)	Manage Security Environment APDU for External Authenticate
boolean	selectPubKeyForSignature(PublicKeyReference chr)	Manage Security Environment APDU for Certificate and Public Key Verification
ResponseAPDU	sendCommandAPDU(CommandAPDU com)	Send a command to the card, potentially using secure messaging
ResponseAPDU	sendCommandAPDU(CardFilePath path, CommandAPDU com, int usageQualifier)	Send APDU making sure that the object referenced by path is selected
void	setChangeReferenceDataDialog(ChangeReferenceDataDialog dialog)
void	setFastDeleteThreshold(int threshold)	Enable fast delete operation without garbage collecting freed memory.
void	setHttpURLConnectionFactory(HttpURLConnectionFactory factory)	Set an HttpURLConnectionFactory which creates preconfigured HttpURLConnections
byte[]	signData(PrivateKeyRef privateKey, java.lang.String signAlgorithm, byte[] data)	Generate a digital Signature.
byte[]	signData(PrivateKeyRef privateKey, java.lang.String signAlgorithm, java.lang.String padAlgorithm, byte[] data)	Create a signature.
byte[]	signHash(PrivateKeyRef privateKey, java.lang.String signAlgorithm, byte[] hash)	Create a signature.
byte[]	signHash(PrivateKeyRef privateKey, java.lang.String signAlgorithm, java.lang.String padAlgorithm, byte[] hash)	Create a signature.
void	storePRKD(byte kid, KeyDescription prkd)	Store the private key description on the card
boolean	unwrapKey(byte kid, byte[] key)	The Unwrap command allows the terminal to import a private or secret key value and meta data encrypted under the Device Key Encryption Key.
void	update(java.lang.String url, java.lang.String sessionId, RemoteNotificationListener notificationListener)	Update the card by obtaining command APDUs from a remote administration server.
void	useClassThreePinPad(boolean usePinPad)	Enable or disable the pin pad
boolean	verifyBio(byte id, byte[] template)	Verify biometric template
void	verifyCertificate(CardVerifiableCertificate cvc)	Present a card verifiable certificate in order to establish a trusted public key in the device.
void	verifyCertificateChain(CardVerifiableCertificate[] chain)	Ensure that the issuer of the certificate or request in chain[0] is validated.
boolean	verifyPassword()	Get password from a callback mechanism or from a terminal pin pad and send it to the card.
boolean	verifyPassword(SecurityDomain domain, int number, byte[] password)	Checks a password for card holder verification.
boolean	verifyPassword(SecurityDomain domain, int number, CHVControl cc, byte[] password)	If there is a class 3 card terminal the pin will be entered on the terminal's pin pad.
boolean	verifySignedData(PublicKeyRef publicKey, java.lang.String signAlgorithm, byte[] data, byte[] signature)	Deprecated.
boolean	verifySignedData(PublicKeyRef publicKey, java.lang.String signAlgorithm, java.lang.String padAlgorithm, byte[] data, byte[] signature)	Deprecated.
boolean	verifySignedHash(PublicKeyRef publicKey, java.lang.String signAlgorithm, byte[] hash, byte[] signature)	Deprecated.
boolean	verifySignedHash(PublicKeyRef publicKey, java.lang.String signAlgorithm, java.lang.String padAlgorithm, byte[] hash, byte[] signature)	Deprecated.
byte[]	wrapKey(byte kid)	The Wrap command allows the terminal to extract a private or secret key value encrypted under the Device Key Encryption Key.
void	write(CardFilePath file, int offset, byte[] data)	Writes data to a transparent file, using a complete array.
void	write(CardFilePath file, int foffset, byte[] source, int soffset, int length)	Deprecated.
void	writeRecord(CardFilePath file, int recordNumber, byte[] data)	Deprecated.

Methods inherited from class opencard.opt.applet.BasicAppletCardService

getAppletSelector, getCardState, sendCommandAPDU, sendCommandAPDU, sendVerifiedAPDU, setAppletSelector

Methods inherited from class opencard.core.service.CardService

allocateCardChannel, getCard, getCardChannel, getCHVDialog, releaseCardChannel, setCardChannel, setCHVDialog

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface opencard.opt.service.CardServiceInterface

getCard, setCHVDialog

Field Detail

ALGO_PADDING_PKCS1_PSS

public static final java.lang.String ALGO_PADDING_PKCS1_PSS

See Also:

Constant Field Values

KEYPREFIX

public static final byte KEYPREFIX

Prefix for private keys

See Also:

Constant Field Values

PRKDPREFIX

public static final byte PRKDPREFIX

Prefix for private key description

See Also:

Constant Field Values

EECERTIFICATEPREFIX

public static final byte EECERTIFICATEPREFIX

Prefix for EE certificates

See Also:

Constant Field Values

CACERTIFICATEPREFIX

public static final byte CACERTIFICATEPREFIX

Prefix for CA certificates

See Also:

Constant Field Values

CERTDESCRIPTIONPREFIX

public static final byte CERTDESCRIPTIONPREFIX

Prefix for CA certificates description

See Also:

Constant Field Values

ID_KEY_DOMAIN_UID

public static final ObjectIdentifier ID_KEY_DOMAIN_UID

Constructor Detail

SmartCardHSMCardService

public SmartCardHSMCardService()

Method Detail

initialize

protected void initialize(CardServiceScheduler scheduler,
                          SmartCard card,
                          boolean blocking)
                   throws CardServiceException

Description copied from class: BasicAppletCardService

Instantiates a BasicAppletCardService and tie it both to its CardServiceScheduler and its using SmartCard object.

Overrides:

initialize in class BasicAppletCardService

Parameters:

scheduler - The scheduler of this CardExecutiveCardService.

card - The controlling SmartCard object.

blocking - Specify the wait behavior for obtaining a CardChannel from the CardServiceScheduler.

Throws:

CardServiceException - if the service could not be initialized. The object created via the default constructor may not be used if this happens.

See Also:

CardServiceFactory

checkSelectResponse

protected void checkSelectResponse(AppletInfo info)

Process response to applet selection and extract version number

Overrides:

checkSelectResponse in class BasicAppletCardService

Parameters:

info - The application info returned from the AppletSelector

useClassThreePinPad

public void useClassThreePinPad(boolean usePinPad)

Enable or disable the pin pad

Parameters:

usePinPad -

addDeviceCertificateToAliases

public void addDeviceCertificateToAliases(boolean addDeviceCertificateToAliases)

Enable or disable adding the Device Authentication Certificates to the aliases

Parameters:

usePinPad -

isSelected

protected boolean isSelected(CardChannel channel)
                      throws CardTerminalException

Description copied from class: BasicAppletCardService

Allow derived class to veto select if applet is already selected, e.g. because the applet is already active and a re-select would clear the security status

Overrides:

isSelected in class BasicAppletCardService

Parameters:

channel - The CardChannel to be used for sending the select command to the card.

Returns:

true is applet is already selected and select should be skipped

Throws:

CardTerminalException

initSecureMessaging

public void initSecureMessaging()
                         throws CardServiceException,
                                CardTerminalException,
                                java.security.cert.CertPathBuilderException

Calculate credential and set the flag for secure messaging

Throws:

CardServiceException

CardTerminalException

java.security.cert.CertPathBuilderException

getId

public java.lang.String getId()
                       throws OpenCardException,
                              java.security.cert.CertPathBuilderException

Return the unique id for the SmartCard-HSM The ID is only available after the secure channel has been established

Returns:

the id or null if secure messaging has not been started yet

Throws:

java.security.cert.CertPathBuilderException

OpenCardException

getProvisioningURL

public java.lang.String getProvisioningURL()

getVersion

public int getVersion()
               throws CardTerminalException,
                      CardServiceException

Throws:

CardTerminalException

CardServiceException

deactivateSecureMessaging

public void deactivateSecureMessaging()

Deactivate the use of secure messaging. All further APDUs will be send in plain until invocation of initSecureMessaging()

sendCommandAPDU

public ResponseAPDU sendCommandAPDU(CommandAPDU com)
                             throws CardTerminalException,
                                    CardServiceException

Send a command to the card, potentially using secure messaging

Specified by:

sendCommandAPDU in interface APDUInterface

Parameters:

com - the command

Returns:

the response

Throws:

CardTerminalException

CardServiceException

closeApplication

public void closeApplication(SecurityDomain domain)
                      throws CardServiceException,
                             CardTerminalException

Reselect applet, thus removing any authentication state and secure channel

Specified by:

closeApplication in interface CHVCardService

Parameters:

domain - the security domain for which to reset card holder verifications

Throws:

CardServiceException - if this service, or the underlying implementation, encountered an error

CardTerminalException - if the underlying terminal encountered an error while communicating with the smartcard

getPasswordLength

public int getPasswordLength(SecurityDomain domain,
                             int number)
                      throws CardServiceException,
                             CardTerminalException

Not implemented

Specified by:

getPasswordLength in interface CHVCardService

Parameters:

domain - The security domain in which the password resides. null can be passed to refer to the root domain on the smartcard.
For file system based smartcards, the security domain is specified as a CardFilePath. The root domain then corresponds to the master file.

number - The number of the password. This parameter is used to distinguish between different passwords in the same security domain.

Returns:

the number of data bytes for the specified password

Throws:

CardServiceException - if this service encountered an error. This may occur if the service needs to contact the smartcard in order to determine the password length. An exception may also be thrown if the service is unable to locate the security domain.

CardTerminalException - if the underlying card terminal encountered an error when communicating with the smartcard

verifyBio

public boolean verifyBio(byte id,
                         byte[] template)
                  throws CardTerminalException,
                         CardServiceException

Verify biometric template

Parameters:

id - the template id (0x85 or 0x86)

template - the biometric template

Returns:

true if authentication was successful

Throws:

CardTerminalException

CardServiceException

verifyPassword

public boolean verifyPassword()
                       throws CardServiceException,
                              CardTerminalException

Get password from a callback mechanism or from a terminal pin pad and send it to the card. This method uses default CHVControl settings.

Returns:

true if verification was successful

Throws:

CardServiceException

CardTerminalException

CardServiceOperationFailedException - is operation is cancelled by user or change PIN failed

getSecurityStatus

public boolean getSecurityStatus()
                          throws CardServiceException,
                                 CardTerminalException

Get the card's security status

Returns:

true if the card is in a verified state, false otherwise

Throws:

CardServiceException

CardTerminalException

verifyPassword

public boolean verifyPassword(SecurityDomain domain,
                              int number,
                              byte[] password)
                       throws CardServiceException,
                              CardTerminalException

Description copied from interface: CHVCardService

Checks a password for card holder verification. Note that repeated verification of a wrong password will typically block that password on the smartcard.

Specified by:

verifyPassword in interface CHVCardService

Parameters:

domain - not in use, set to null

number - not in use, set to 0

password - The password data that has to be verified or null

Throws:

CardServiceException - if this service encountered an error. In this context, it is not considered an error if the password to be verified is wrong. However, if the password is blocked on the smartcard, an exception will be thrown.

CardTerminalException - if the underlying card terminal encountered an error when communicating with the smartcard

verifyPassword

public boolean verifyPassword(SecurityDomain domain,
                              int number,
                              CHVControl cc,
                              byte[] password)
                       throws CardServiceException,
                              CardTerminalException

If there is a class 3 card terminal the pin will be entered on the terminal's pin pad. Otherwise a callback mechanism will be used. To guarantee the functionality of the class 3 terminal the command apdu will never send with secure messaging.

Specified by:

verifyPassword in interface CHVCardServiceWithControl

Parameters:

domain - not in use, set to null

number - not in use, set to 0

password - not in use, set to null

cc - Control parameter defined by the application

Throws:

CardServiceException - if this service encountered an error. In this context, it is not considered an error if the password to be verified is wrong. However, if the password is blocked on the smartcard, an exception will be thrown.

CardTerminalException - if the underlying card terminal encountered an error when communicating with the smartcard

getPasswordStatus

public CHVCardServiceWithControl.PasswordStatus getPasswordStatus(SecurityDomain domain,
                                                                  int number)
                                                           throws CardServiceException,
                                                                  CardTerminalException

Description copied from interface: CHVCardServiceWithControl

Get the smartcard's password status.

Specified by:

getPasswordStatus in interface CHVCardServiceWithControl

Parameters:

domain - not in use, set to null

number - not in use, set to 0

Returns:

The password status

Throws:

CardServiceException - if this service encountered an error.

CardTerminalException - if the underlying card terminal encountered an error when communicating with the smartcard

appendRecord

@Deprecated
public void appendRecord(CardFilePath file,
                         byte[] data)
                  throws CardServiceException,
                         CardTerminalException

Deprecated.

Not implemented

Specified by:

appendRecord in interface FileAccessCardService

Parameters:

file - the path to the file to append to

data - the data to write to the new record

Throws:

CardServiceException - if the service encountered an error

CardTerminalException - if the terminal encountered an error

See Also:

FileAccessCardService.readRecord(opencard.opt.iso.fs.CardFilePath, int), FileAccessCardService.writeRecord(opencard.opt.iso.fs.CardFilePath, int, byte[])

exists

public boolean exists(CardFilePath file)
               throws CardServiceException,
                      CardTerminalException

Determine if file exists.

Specified by:

exists in interface FileAccessCardService

Parameters:

file - the path to the file

Returns:

true or false if file doesn't exist

Throws:

CardServiceException - if the service encountered an error

CardTerminalException - if the terminal encountered an error

See Also:

FileAccessCardService.exists(CardFilePath)

getFileInfo

public CardFileInfo getFileInfo(CardFilePath file)
                         throws CardServiceException,
                                CardTerminalException

Queries information about a file. If the file doesn't exists throws a CardServiceObjectNotAvailableException If the file is an AID, this operation will reset the card's security state.

Specified by:

getFileInfo in interface FileAccessCardService

Parameters:

file - the path to the file to query

Returns:

information about the file

Throws:

CardServiceObjectNotAvailableException - if the file doesn't exists

CardServiceException - if the service encountered an error

CardTerminalException - if the terminal encountered an error

See Also:

FileAccessCardService.getFileInfo(opencard.opt.iso.fs.CardFilePath)

getRoot

public CardFilePath getRoot()

Return the application path.

Specified by:

getRoot in interface FileAccessCardService

Returns:

the path to the master file

See Also:

FileAccessCardService.getRoot()

read

public byte[] read(CardFilePath file,
                   int offset,
                   int length)
            throws CardServiceException,
                   CardTerminalException

READ BINARY

Specified by:

read in interface FileAccessCardService

Parameters:

file - the path to the file

offset -

length -

Returns:

an array holding the data read from the file, or null if a read with length READ_SEVERAL has been performed at the end of the file

Throws:

CardServiceException - if the service encountered an error

CardTerminalException - if the terminal encountered an error

See Also:

FileAccessCardService.READ_SEVERAL

readRecord

@Deprecated
public byte[] readRecord(CardFilePath file,
                         int recordNumber)
                  throws CardServiceException,
                         CardTerminalException

Deprecated.

Not implemented

Specified by:

readRecord in interface FileAccessCardService

Parameters:

file - the path to the file to read from

recordNumber - the index of the record to read (0 for first)

Returns:

an array holding the record read. If the record has length 0, which may happen with linear variable files, an array of length 0 is returned.

Throws:

CardServiceException - if the service encountered an error

CardTerminalException - if the terminal encountered an error

See Also:

FileAccessCardService.readRecords(opencard.opt.iso.fs.CardFilePath, int)

readRecords

@Deprecated
public byte[][] readRecords(CardFilePath file,
                            int number)
                     throws CardServiceException,
                            CardTerminalException

Deprecated.

Not implemented

Specified by:

readRecords in interface FileAccessCardService

Parameters:

file - the path to the file to read from

number - the number of records to read, or READ_SEVERAL. If 0 is passed, the behavior is implementation dependent.

Returns:

an array holding the records read, where the records are arrays themselves

Throws:

CardServiceException - if the service encountered an error

CardTerminalException - if the terminal encountered an error

See Also:

FileAccessCardService.readRecord(opencard.opt.iso.fs.CardFilePath, int), FileAccessCardService.READ_SEVERAL

write

@Deprecated
public void write(CardFilePath file,
                  int foffset,
                  byte[] source,
                  int soffset,
                  int length)
           throws CardServiceException,
                  CardTerminalException

Deprecated.

Not implemented, use write(CardFilePath file, int offset, byte[] data)

Specified by:

write in interface FileAccessCardService

Parameters:

file - the path to the file to write to

foffset - the file index of the first byte to overwrite (0 for first byte in file)

source - an array holding the data to write

soffset - the array index of the first byte to write

length - the number of bytes to write

Throws:

CardServiceException - if the service encountered an error

CardTerminalException - if the terminal encountered an error

See Also:

FileAccessCardService.read(opencard.opt.iso.fs.CardFilePath, int, int), FileAccessCardService.write(opencard.opt.iso.fs.CardFilePath, int, byte[])

write

public void write(CardFilePath file,
                  int offset,
                  byte[] data)
           throws CardServiceException,
                  CardTerminalException

Description copied from interface: FileAccessCardService

Writes data to a transparent file, using a complete array. This is a convenience method for write with five arguments. It does not allow to specify an array index and the number of bytes to write. Instead, it always writes the complete array passed. Typically, this method will be implemented as follows:

 

 final public void write(CardFilePath file, int offset, byte[] data)
  {
    write(file, offset, data, 0, data.length);
  }
 
 

Specified by:

write in interface FileAccessCardService

Parameters:

file - the path to the file

offset -

data -

Throws:

CardServiceException - if the service encountered an error

CardTerminalException - if the terminal encountered an error

See Also:

FileAccessCardService.write(opencard.opt.iso.fs.CardFilePath, int, byte[], int, int)

writeRecord

@Deprecated
public void writeRecord(CardFilePath file,
                        int recordNumber,
                        byte[] data)
                 throws CardServiceException,
                        CardTerminalException

Deprecated.

Not implemented

Specified by:

writeRecord in interface FileAccessCardService

Parameters:

file - the path to the file to write to

recordNumber - the index of the record to overwrite (0 for first)

data - the data to write to the file

Throws:

CardServiceException - if the service encountered an error

CardTerminalException - if the terminal encountered an error

See Also:

FileAccessCardService.readRecord(opencard.opt.iso.fs.CardFilePath, int), FileAccessCardService.appendRecord(opencard.opt.iso.fs.CardFilePath, byte[])

provideCredentials

@Deprecated
public void provideCredentials(SecurityDomain domain,
                               CredentialBag creds)
                        throws CardServiceException

Deprecated.

Not implemented

Specified by:

provideCredentials in interface SecureService

Parameters:

domain - the security domain for which to provide credentials

creds - the credentials for that domain

Throws:

CardServiceException - If the card service could not process the credentials, if the SecurityDomain is invalid.

See Also:

CardService

getLengthFieldSizeHelper

protected static int getLengthFieldSizeHelper(int length)

Helper function for getSize() and getLengthFieldSize()

Parameters:

length -

Returns:

the size of the length field

lengthToByteArrayOutputStream

protected static void lengthToByteArrayOutputStream(int length,
                                                    java.io.ByteArrayOutputStream bos)

Encode length field in byte array

Parameters:

length - Length to be encoded

bos - ByteArrayOutputStream to copy length into

create

public void create(CardFilePath parent,
                   byte[] data)
            throws CardServiceException,
                   CardTerminalException

Create a new file. Internal use of write(CardFilePath path, int offset, byte[] data)

Specified by:

create in interface FileSystemCardService

Parameters:

parent - The parent CardFilePath

data - File identifier encoded as FCP data object

Throws:

CardServiceException - if the service encountered an error

CardTerminalException - if the terminal encountered an error

See Also:

FileAccessCardService.getFileInfo(opencard.opt.iso.fs.CardFilePath), CardFileInfo.getHeader(), CardID, SmartCard.getCardID()

setFastDeleteThreshold

public void setFastDeleteThreshold(int threshold)

Enable fast delete operation without garbage collecting freed memory. The garbage collector in the JCVM is triggered if memory is running low or if an out of memory condition occurs. However, garbage collection only occurs before executing the next command, so the OOM error is always reported to the application and must be handled accordingly. As a default setting, the DELETE command will trigger garbage collection on every invocation. By setting a threshold, the specified number of delete operations will be performed without garbage collection.

Parameters:

threshold - the number of delete operations without garbage collection.

delete

public void delete(CardFilePath file)
            throws CardServiceException,
                   CardTerminalException

Delete elementary files or key objects

Specified by:

delete in interface FileSystemCardService

Parameters:

file - the path to the file to delete

Throws:

CardServiceException - if the service encountered an error

CardTerminalException - if the terminal encountered an error

invalidate

@Deprecated
public void invalidate(CardFilePath file)
                throws CardServiceInabilityException,
                       CardServiceException,
                       CardTerminalException

Deprecated.

Not implemented

Specified by:

invalidate in interface FileSystemCardService

Parameters:

file - the path to the file to invalidate

Throws:

CardServiceInabilityException - if the service does not support this operation

CardServiceException - if the service encountered an error

CardTerminalException - if the terminal encountered an error

rehabilitate

@Deprecated
public void rehabilitate(CardFilePath file)
                  throws CardServiceInabilityException,
                         CardServiceException,
                         CardTerminalException

Deprecated.

Not implemented

Specified by:

rehabilitate in interface FileSystemCardService

Parameters:

file - the path to the file to rehabilitate

Throws:

CardServiceInabilityException - if the service does not support this operation

CardServiceException - if the service encountered an error

CardTerminalException - if the terminal encountered an error

changeReferenceData

public boolean changeReferenceData()
                            throws CardServiceException,
                                   CardTerminalException

Get both passwords, the current password and the new one from a callback mechanism and send it to the card. This method uses default CHVControl settings.

Returns:

true if verification was successful

Throws:

CardServiceException

CardTerminalException

changeReferenceData

public boolean changeReferenceData(SecurityDomain domain,
                                   int number,
                                   CHVControl cc,
                                   byte[] currentPassword,
                                   byte[] newPassword)
                            throws CardTerminalException,
                                   CardServiceException

Change the User PIN or SO PIN.

Specified by:

changeReferenceData in interface CHVManagementCardService

Parameters:

domain - Not used

number - Must be one of 0x81 for User PIN or 0x88 for SO PIN

cc - Not used

currentPassword -

newPassword -

Throws:

CardServiceException

CardTerminalException

resetRetryCounter

public boolean resetRetryCounter(SecurityDomain domain,
                                 int number,
                                 CHVControl cc,
                                 byte[] unblockingCode,
                                 byte[] newPassword)
                          throws CardTerminalException,
                                 CardServiceException

The device is initialized with a User PIN during device initialization. If this User PIN is blocked it can be reset using the SO PIN (initialization code) of the device.

Specified by:

resetRetryCounter in interface CHVManagementCardService

Parameters:

domain - Not in use

number - Set to local PIN '81'

cc - Not in use

unblockingCode - The code to unblock the card

newPassword - The new password or null

Throws:

CardServiceException

CardTerminalException

initialize

public void initialize(byte[] config,
                       byte[] initPin,
                       byte[] initCode,
                       byte retryCounter)
                throws CardTerminalException,
                       CardServiceException,
                       TLVEncodingException

Initialize the SmartCard-HSM. This clears all cryptographic material and transparent files. It also sets the user PIN, generate a random Device Key Encryption Key and defines the basic configuration options.

Parameters:

config - The configuration options (default '0001')

initPin - Set the user pin

initCode - 8 byte code that protects unauthorized re-initialization

retryCounter - Initial value for the retry counter

Throws:

CardTerminalException

CardServiceException

TLVEncodingException

initialize

public void initialize(byte[] config,
                       byte[] initPin,
                       byte[] initCode,
                       byte retryCounter,
                       byte noOfShares)
                throws CardTerminalException,
                       CardServiceException,
                       TLVEncodingException

Initialize the SmartCard-HSM. This clears all cryptographic material and transparent files. It also sets the user PIN, defines the basic configuration options and the number of Device Key Encryption Key shares for key wrapping/unwrapping.

Parameters:

config - the configuration options (default '0001')

initPin - Set the user pin

initCode - 8 byte code that protects unauthorized re-initialization

retryCounter - Initial value for the retry counter

noOfShares - Number of Device Key Encryption Key shares

Throws:

CardTerminalException

CardServiceException

TLVEncodingException

initialize

public void initialize(InitializeConfiguration config)
                throws CardTerminalException,
                       CardServiceException,
                       TLVEncodingException

Initialize the SmartCard-HSM. This clears all cryptographic material and transparent files except for the Device Authentication key and its certificate. Device initialization allows resetting the User PIN to an initial value or switching between User PIN and public key authentication. The first device initialization also sets an Initialization Code to prevent unauthorized re-initialization. Device Initialization allows the user to define that a Device Key Encryption Key is used and how many key shares are used to split the secret between key custodians. Device Initialization allows to enable n-of-m authentication using a threshold scheme by defining the number (m) of key custodians and the required quota to authentication (n). User PIN and n-of-m authentication are mutually exclusive. A successful device authentication sets the security state to authenticated until the next applet select or card reset.

Parameters:

config - how the SmartCard-HSM shall be initialized

Throws:

CardTerminalException

CardServiceException

TLVEncodingException

generateKeyPair

@Deprecated
public byte[] generateKeyPair(byte keyId,
                              byte signingId,
                              SmartCardHSMPrivateKeySpec spec)
                       throws CardTerminalException,
                              CardServiceException,
                              TLVEncodingException

Deprecated.

Signing with key other than PrK.DevAur dropped in firmware 3.0

Initiate the generation of a fresh key pair for the selected key object. Generating a new key pair requires a successful verification of the User PIN.

Parameters:

keyId - the ID for the key to be generated

signingId - the ID for signing authenticated request

spec - the AlgorithmParameterSpec containing the domain parameter

Throws:

CardTerminalException

CardServiceException

TLVEncodingException

generateKeyPair

public byte[] generateKeyPair(byte keyId,
                              SmartCardHSMPrivateKeySpec spec)
                       throws OpenCardException

Initiate the generation of a fresh key pair for the selected key object. Generating a new key pair requires a successful verification of the User PIN.

Specified by:

generateKeyPair in interface KeyGenerationCardServiceWithSpec

Parameters:

keyId - the ID for the key to be generated

spec - the AlgorithmParameterSpec containing the domain parameter

Throws:

OpenCardException

generateKey

public byte[] generateKey(byte newKeyId,
                          SmartCardHSMSecretKeySpec spec)
                   throws OpenCardException

Generate a new symmetric key

Specified by:

generateKey in interface KeyGenerationCardServiceWithSpec

Parameters:

newKeyId - the id for the key to be generated

spec - the key specification

Returns:

Throws:

OpenCardException

importDKEKShare

public byte[] importDKEKShare(byte[] keyShare)
                       throws CardTerminalException,
                              CardServiceException

Import a single key share of the Device Encryption Key.

Returns:

The total number of shares, outstanding shares and the KCV

Throws:

CardServiceException

CardTerminalException

wrapKey

public byte[] wrapKey(byte kid)
               throws CardTerminalException,
                      CardServiceException

The Wrap command allows the terminal to extract a private or secret key value encrypted under the Device Key Encryption Key.

Parameters:

kid - The key identifier

Returns:

the wrapped key

Throws:

CardServiceException

CardTerminalException

unwrapKey

public boolean unwrapKey(byte kid,
                         byte[] key)
                  throws CardTerminalException,
                         CardServiceException

The Unwrap command allows the terminal to import a private or secret key value and meta data encrypted under the Device Key Encryption Key.

Parameters:

kid - The key identifier

Throws:

CardServiceException

CardTerminalException

generateKeyPair

@Deprecated
public void generateKeyPair(PrivateKeyRef privateDest,
                            PublicKeyRef publicDest,
                            int strength,
                            java.lang.String keyAlgorithm)
                     throws CardServiceException,
                            java.security.InvalidKeyException,
                            CardTerminalException

Deprecated.

Not implemented

Specified by:

generateKeyPair in interface KeyGenerationCardService

Parameters:

privateDest - Location on card where the private key should be stored.

publicDest - Location on card where the public key should be stored

strength - number of bits in the generated key

keyAlgorithm - Standard Algorithm names as defined in the Java Cryptography Architecture API Specification & Reference for example DSA: Digital Signature Algorithm, as defined in Digital Signature Standard, NIST FIPS 186. RSA: The Rivest, Shamir and Adleman AsymmetricCipher algorithm.

Throws:

CardServiceException - Thrown when the card does not support the requested strength or algorithm.

java.security.InvalidKeyException - Thrown when the key files do not match the requested strength or algorithm.

CardTerminalException - any subclass of CardTerminalException

readPublicKey

@Deprecated
public java.security.PublicKey readPublicKey(PublicKeyRef pulicKey,
                                             java.lang.String keyAlgorithm)
                                      throws CardServiceException,
                                             java.security.InvalidKeyException,
                                             CardTerminalException

Deprecated.

Not implemented

Specified by:

readPublicKey in interface KeyGenerationCardService

Parameters:

pulicKey - Reference to the key on card that should be read.

keyAlgorithm - Standard Algorithm names as defined in the Java Cryptography Architecture API Specification & Reference for example DSA: Digital Signature Algorithm, as defined in Digital Signature Standard, NIST FIPS 186. RSA: The Rivest, Shamir and Adleman AsymmetricCipher algorithm.

Returns:

key The public key

Throws:

CardServiceException - access conditions do not allow reading the key, key is not found

java.security.InvalidKeyException - Thrown when the key file does not match the requested algorithm.

CardTerminalException - any subclass of CardTerminalException

signData

public byte[] signData(PrivateKeyRef privateKey,
                       java.lang.String signAlgorithm,
                       byte[] data)
                throws CardServiceException,
                       CardTerminalException

Description copied from interface: SignatureCardService

Generate a digital Signature. First hash the data, then pad the hash and then apply the PKA algorithm to the padded hash.

The padding algorithm is chosen as defined in the Java Cryptography Architecture Specification.

The standard algorithm name must be specified as defined in the Java Cryptography Architecture API Specification & Reference, for example

MD5withRSA

The Signature algorithm obtained by combining the RSA AsymmetricCipher algorithm with the MD5 MessageDigest Algorithm.

MD2withRSA

The Signature algorithm obtained by combining the RSA AsymmetricCipher algorithm with the MD2 MessageDigest Algorithm.

SHA1withRSA

The Signature algorithm obtained by combining the RSA AsymmetricCipher algorithm with the SHA-1 MessageDigest Algorithm.

SHA1withDSA

Digital Signature Algorithm, as defined in Digital Signature Standard, NIST FIPS 186. This standard defines a digital signature algorithm that uses the RawDSA asymmetric transformation along with the SHA-1 message digest algorithm.

Specified by:

signData in interface SignatureCardService

Parameters:

privateKey - a reference to the private key on card to be used for signing

signAlgorithm - standard digital signature algorithm name

data - data to be signed

Returns:

signature

Throws:

CardServiceException - any subclass of CardServiceException

CardTerminalException - any subclass of CardTerminalException

See Also:

JCAStandardNames

signData

public byte[] signData(PrivateKeyRef privateKey,
                       java.lang.String signAlgorithm,
                       java.lang.String padAlgorithm,
                       byte[] data)
                throws CardServiceException,
                       CardTerminalException

Create a signature.

Specified by:

signData in interface SignatureCardService

Parameters:

privateKey - a reference to the private key on card to be used for signing

signAlgorithm - standard digital signature algorithm name

padAlgorithm - padding algorithm name, for example one of ISO9796, PKCS#1, ZEROPADDING

data - data to be signed

Returns:

signature

Throws:

CardServiceException - any subclass of CardServiceException

CardTerminalException - any subclass of CardTerminalException

See Also:

JCAStandardNames

signHash

public byte[] signHash(PrivateKeyRef privateKey,
                       java.lang.String signAlgorithm,
                       byte[] hash)
                throws CardServiceException,
                       java.security.InvalidKeyException,
                       CardTerminalException

Create a signature. If the referenced key type is RSA then the hash will be padded according to the EMSA-PKCS1-v1_5 encoding. The data will be send to the card which performs a Plain RSA signature operation. If the key is of type ECC then the hash will be send to the card which performs a Plain ECDSA operation.

Specified by:

signHash in interface SignatureCardService

Parameters:

privateKey - the SmartCardHSMKey

signAlgorithm - String containing the signing algorithm

hash -

Returns:

signature

Throws:

CardServiceException - any subclass of CardServiceException

java.security.InvalidKeyException - Thrown when the key is not valid or does not match the requested algorithm.

CardTerminalException - any subclass of CardTerminalException

See Also:

JCAStandardNames

signHash

public byte[] signHash(PrivateKeyRef privateKey,
                       java.lang.String signAlgorithm,
                       java.lang.String padAlgorithm,
                       byte[] hash)
                throws CardServiceException,
                       CardTerminalException

Create a signature. RSASSA-PSS: If using a SmartCard-HSM with version 2.00 or newer, PSS padding performed by the card is supported. The SmartCard-HSM supports padding according to PSS for the hash algorithm SHA1 and SHA256. SHA384 and SHA512 hashes will still be padded externally by this card service. If the key is of type ECC then the hash will be send to the card which performs a Plain ECDSA operation.

Specified by:

signHash in interface SignatureCardService

Parameters:

privateKey - the SmartCardHSMKey

signAlgorithm - String containing the signing algorithm

padAlgorithm - String containing the padding algorithm

hash -

Returns:

signature

Throws:

CardServiceException - any subclass of CardServiceException

CardTerminalException - any subclass of CardTerminalException

See Also:

JCAStandardNames

verifySignedData

@Deprecated
public boolean verifySignedData(PublicKeyRef publicKey,
                                java.lang.String signAlgorithm,
                                byte[] data,
                                byte[] signature)
                         throws CardServiceException,
                                java.security.InvalidKeyException,
                                CardTerminalException

Deprecated.

Not implemented

Specified by:

verifySignedData in interface SignatureCardService

Parameters:

publicKey - a reference to the public key on card to be used for signature validation

signAlgorithm - standard digital signature algorithm name

data - the data for which the signature should be verified

signature - signature to be verified

Returns:

True if signature valdidation was successfull

Throws:

CardServiceException - any subclass of CardServiceException

java.security.InvalidKeyException - Thrown when the key is not valid or does not match the requested algorithm.

CardTerminalException - any subclass of CardTerminalException

See Also:

JCAStandardNames

verifySignedData

@Deprecated
public boolean verifySignedData(PublicKeyRef publicKey,
                                java.lang.String signAlgorithm,
                                java.lang.String padAlgorithm,
                                byte[] data,
                                byte[] signature)
                         throws CardServiceException,
                                java.security.InvalidKeyException,
                                CardTerminalException

Deprecated.

Not implemented

Specified by:

verifySignedData in interface SignatureCardService

Parameters:

publicKey - a reference to the public key on card to be used for signature validation

signAlgorithm - standard digital signature algorithm name

padAlgorithm - padding algorithm name, for example one of ISO9796, PKCS#1, ZEROPADDING

data - the data for which the signature should be verified

signature - signature to be verified

Returns:

True if signature valdidation was successfull

Throws:

CardServiceException - any subclass of CardServiceException

java.security.InvalidKeyException - Thrown when the key is not valid or does not match the requested algorithm.

CardTerminalException - any subclass of CardTerminalException

See Also:

JCAStandardNames

verifySignedHash

@Deprecated
public boolean verifySignedHash(PublicKeyRef publicKey,
                                java.lang.String signAlgorithm,
                                byte[] hash,
                                byte[] signature)
                         throws CardServiceException,
                                java.security.InvalidKeyException,
                                CardTerminalException

Deprecated.

Not implemented

Specified by:

verifySignedHash in interface SignatureCardService

Parameters:

publicKey - a reference to the public key on card to be used for signature validation

signAlgorithm - standard key algorithm name

hash - The hash for which the signature should be verified.

signature - signature to be verified

Returns:

True if signature valdidation was successfull

Throws:

CardServiceException - any subclass of CardServiceException

java.security.InvalidKeyException - Thrown when the key is not valid or does not match the requested algorithm.

CardTerminalException - any subclass of CardTerminalException

See Also:

JCAStandardNames

verifySignedHash

@Deprecated
public boolean verifySignedHash(PublicKeyRef publicKey,
                                java.lang.String signAlgorithm,
                                java.lang.String padAlgorithm,
                                byte[] hash,
                                byte[] signature)
                         throws CardServiceException,
                                java.security.InvalidKeyException,
                                CardTerminalException

Deprecated.

Not implemented

Specified by:

verifySignedHash in interface SignatureCardService

Parameters:

publicKey - a reference to the public key on card to be used for signature validation

signAlgorithm - standard key algorithm name

padAlgorithm - padding algorithm name, for example one of ISO9796, PKCS#1, ZEROPADDING

hash - The hash for which the signature should be verified.

signature - signature to be verified

Returns:

True if signature valdidation was successfull

Throws:

CardServiceException - any subclass of CardServiceException

java.security.InvalidKeyException - Thrown when the key is not valid or does not match the requested algorithm.

CardTerminalException - any subclass of CardTerminalException

See Also:

JCAStandardNames

enumerateObjects

public byte[] enumerateObjects()
                        throws CardTerminalException,
                               CardServiceException

Enumerate all currently used file and key identifier.

Returns:

Even number of bytes that compose a list of 16 bit file identifier

Throws:

CardTerminalException

CardServiceException

generateRandom

public byte[] generateRandom(int length)
                      throws CardTerminalException,
                             CardServiceException

Request random byte values generated by the build in random number generator.

Parameters:

length -

Returns:

Random bytes

Throws:

CardTerminalException

CardServiceException

decipher

public byte[] decipher(SmartCardHSMKey privateKey,
                       byte[] cryptogram,
                       byte algorithmID)
                throws CardTerminalException,
                       CardServiceException

The device decrypts using the private key a cryptogram enciphered with the public key and returns the plain value.

Specified by:

decipher in interface DecipherCardService

Parameters:

privateKey - the private SmartCardHSMKey

cryptogram -

algorithmID - one of RSA_DECRYPTION_Plain, RSA_DECRYPTION_V15 or RSA_DECRYPTION_OAEP

Returns:

the plain value

Throws:

CardTerminalException

CardServiceException

decipher

public byte[] decipher(SmartCardHSMKey privateKey,
                       byte[] cryptogram)
                throws CardTerminalException,
                       CardServiceException

The device decrypts using the private key a cryptogram enciphered with the public key and returns the plain value.

Specified by:

decipher in interface DecipherCardService

Parameters:

privateKey - the private SmartCardHSMKey

cryptogram -

Returns:

the plain value

Throws:

CardTerminalException

CardServiceException

performECCDH

public byte[] performECCDH(SmartCardHSMKey privateKey,
                           byte[] pkComponents)
                    throws CardServiceException,
                           CardTerminalException

The device calculates a shared secret point using an EC Diffie-Hellman operation. The public key of the sender must be provided as input to the command. The device returns the resulting point on the curve associated with the private key.

Specified by:

performECCDH in interface DecipherCardService

Parameters:

privateKey - Key identifier of the SmartCardHSM private key

pkComponents - Concatenation of '04' || x || y point coordinates of ECC public Key

Returns:

Concatenation of '04' || x || y point coordinates on EC curve

Throws:

CardServiceException

CardTerminalException

verifyCertificate

public void verifyCertificate(CardVerifiableCertificate cvc)
                       throws CardTerminalException,
                              CardServiceException

Present a card verifiable certificate in order to establish a trusted public key in the device.

Throws:

CardServiceException

CardTerminalException

selectPubKeyForSignature

public boolean selectPubKeyForSignature(PublicKeyReference chr)
                                 throws OpenCardException

Manage Security Environment APDU for Certificate and Public Key Verification

Parameters:

chr -

Throws:

OpenCardException

verifyCertificateChain

public void verifyCertificateChain(CardVerifiableCertificate[] chain)
                            throws OpenCardException

Ensure that the issuer of the certificate or request in chain[0] is validated. The issuer public key is selected as result of performing chain validation

Parameters:

chain - the list of authenticated public key (CSR), device certificate and device issuer CA certificate

Throws:

OpenCardException

selectPubKeyForAuthentication

public boolean selectPubKeyForAuthentication(byte[] chr)
                                      throws CardTerminalException,
                                             CardServiceException

Manage Security Environment APDU for External Authenticate

Parameters:

chr -

Throws:

TLVEncodingException

CardTerminalException

CardServiceException

manageSE

public boolean manageSE(byte p1,
                        byte p2,
                        byte[] cdata)
                 throws CardTerminalException,
                        CardServiceException

Select algorithms and keys for security operations.

Parameters:

data -

Throws:

InvalidCardChannelException

CardTerminalException

CardServiceException

manageSE

public void manageSE(byte[] data)
              throws CardTerminalException,
                     CardServiceException

Select algorithms and keys for security operations.

Parameters:

data -

Throws:

InvalidCardChannelException

CardTerminalException

CardServiceException

deriveXKEK

public void deriveXKEK(byte keyId,
                       CardVerifiableCertificate puk)
                throws OpenCardException

Derive XKEK usingt the exchange key referenced by keyId and the peer public key The device certificate for validating the public key must have been selected with verifyCertificateChain() before.

Parameters:

keyId - the key id of the EC exchange private key

puk - the public key of the peer

Throws:

OpenCardException

importPublicKey

public byte[] importPublicKey(CardVerifiableCertificate cert)
                       throws CardTerminalException,
                              CardServiceException

Import public keys for authentication. Public keys can only be imported after initialization of the device. Once the number of different public keys defined in the INITIALIZE DEVICE command are imported, then further imports are impossible. Until all public keys are imported, public key authentication is disabled. Only ECC keys can be imported as public keys for authentication. Before importing the key, the public key used to verify the signature applied to the public key must be selected using the selectPubKeyForSignature method.

Parameters:

cert - an Authenticated Certificate Signing Request

Returns:

the import status as returned by the card

Throws:

CardTerminalException

CardServiceException

externalAuthenticate

public boolean externalAuthenticate(byte[] signature)
                             throws CardTerminalException,
                                    CardServiceException

Public Key Authentication is the mechanism by which an external entity can use its private key to authenticate. Public key authentication is an alternative to user authentication using the PIN. Public key authentication is the basis for n-of-m authentication, which requires that n of the previously register m public keys have performed the authentication procedure within the current session. The external entity needs to obtain an 8 byte challenge, and sign the concatenation of device id and the challenge. The device id must be extracted from the CHR field of the device certificate.

Parameters:

signature - over the concatenation of the device id and an 8 byte challenge

Returns:

true is authentication successful

Throws:

CardTerminalException

CardServiceException

generalAuthenticate

public byte[] generalAuthenticate(byte[] data)
                           throws CardTerminalException,
                                  CardServiceException

The GENERAL AUTHENTICATE command allows the terminal to perform an explicit authentication of the device and agree secret session keys KS_ENC and KS_MAC for secure messaging.

Parameters:

data - the dynamic authentication data template

Returns:

Dynamic Authentication Template

Throws:

CardTerminalException

CardServiceException

deriveSymmetricKey

public byte[] deriveSymmetricKey(byte keyId,
                                 byte algo,
                                 byte[] data)
                          throws CardTerminalException,
                                 CardServiceException

Use the secret key referenced in keyId to derive a secret using the algorithm selected in algo and the derivation parameter in data

Parameters:

keyId - the secret key id

algo - the derivation algorithm

data - the derivation data

Returns:

Throws:

CardTerminalException

CardServiceException

getAliases

public java.util.Vector<java.lang.String> getAliases()
                                              throws OpenCardException,
                                                     java.security.cert.CertificateException,
                                                     TLVEncodingException

Return a Vector containing all aliases that are used on the SmartCardHSM.

Returns:

Vector of aliases

Throws:

TLVEncodingException

java.security.cert.CertificateException

OpenCardException

addKeyToMap

public void addKeyToMap(SmartCardHSMKey key)

Add a new key to the map of keys

Parameters:

key - the SmartCardHSMKey

addCertToMap

public void addCertToMap(java.security.cert.Certificate cert,
                         boolean isEECertificate,
                         byte id,
                         java.lang.String label)

Add a certificate to the map

Parameters:

cert - the certificate

isEECertificate - true for EE certificates, false for CA certificates

id -

label -

removeEntry

public void removeEntry(java.lang.String label)
                 throws CardServiceException,
                        CardTerminalException,
                        CardIOException

Remove an entry both from map and card.

Parameters:

label -

Throws:

CardServiceException

CardTerminalException

CardIOException

renameEntry

public void renameEntry(java.lang.String oldlabel,
                        java.lang.String newlabel)
                 throws CardServiceResourceNotFoundException

Throws:

CardServiceResourceNotFoundException

containsLabel

public boolean containsLabel(java.lang.String label)
                      throws OpenCardException

Check if the label exists.

Parameters:

label - the key label

Returns:

true if label is available

Throws:

OpenCardException

getSmartCardHSMEntry

public SmartCardHSMEntry getSmartCardHSMEntry(java.lang.String label)

Get a Entry object

Parameters:

label -

Returns:

SmartCardHSMEntry

addKey

public SmartCardHSMKey addKey(byte kid)
                       throws OpenCardException

Add a key from device including a certificate

Parameters:

kid - the key id

Throws:

OpenCardException

determineFreeCAId

public byte determineFreeCAId()
                       throws OpenCardException

Determine an unused CA identifier

Returns:

a free CA identifier or -1 if all identifier in use

Throws:

TLVEncodingException

java.security.cert.CertificateException

OpenCardException

determineFreeKeyId

public byte determineFreeKeyId()
                        throws OpenCardException

Determine an unused key identifier

Returns:

a free key identifier or -1 if all key identifier in use

Throws:

OpenCardException

storePRKD

public void storePRKD(byte kid,
                      KeyDescription prkd)
               throws CardServiceException,
                      CardTerminalException,
                      CardIOException

Store the private key description on the card

Throws:

CardIOException

CardTerminalException

CardServiceException

getKeyDomains

public java.util.List<KeyDomain> getKeyDomains()
                                        throws OpenCardException

Throws:

OpenCardException

deleteKeyDomain

public boolean deleteKeyDomain(KeyDomain kd)
                        throws OpenCardException

Throws:

OpenCardException

sendCommandAPDU

public ResponseAPDU sendCommandAPDU(CardFilePath path,
                                    CommandAPDU com,
                                    int usageQualifier)
                             throws CardServiceException,
                                    CardTerminalException

Description copied from interface: FileSystemSendAPDU

Send APDU making sure that the object referenced by path is selected

Specified by:

sendCommandAPDU in interface FileSystemSendAPDU

Parameters:

path - the DF which should be the active DF for this APDU

com - the command APDU

usageQualifier - a combination of SecureChannel.CPRO / CENC / RPRO / RENC to control the transformation of the APDU for secure messaging. Use 0 for plain transmission.

Returns:

Response APDU the response from the card

Throws:

CardServiceException

CardTerminalException

getTrustStore

public TrustStore getTrustStore()

getDevAutPK

public java.security.interfaces.ECPublicKey getDevAutPK()
                                                 throws CardServiceException,
                                                        CardTerminalException,
                                                        java.security.cert.CertPathBuilderException

Throws:

CardServiceException

CardTerminalException

java.security.cert.CertPathBuilderException

getChangeReferenceDataDialog

public ChangeReferenceDataDialog getChangeReferenceDataDialog()

setChangeReferenceDataDialog

public void setChangeReferenceDataDialog(ChangeReferenceDataDialog dialog)

update

public void update(java.lang.String url,
                   java.lang.String sessionId,
                   RemoteNotificationListener notificationListener)
            throws CardServiceException

Description copied from interface: RemoteUpdateService

Update the card by obtaining command APDUs from a remote administration server.

Specified by:

update in interface RemoteUpdateService

Parameters:

url - the url of the remote administration server

sessionId - the session Id to be included as JSESSION cookie or null

notificationListener - the listener receiving notifications from the server or null

Throws:

CardServiceException

cancel

public void cancel()

Description copied from interface: RemoteUpdateService

Cancel pending request

Specified by:

cancel in interface RemoteUpdateService

setHttpURLConnectionFactory

public void setHttpURLConnectionFactory(HttpURLConnectionFactory factory)

Description copied from interface: RemoteUpdateService

Set an HttpURLConnectionFactory which creates preconfigured HttpURLConnections

Specified by:

setHttpURLConnectionFactory in interface RemoteUpdateService