Class SmartCardHSMCardService
- java.lang.Object
-
- opencard.core.service.CardService
-
- opencard.opt.applet.BasicAppletCardService
-
- de.cardcontact.opencard.service.smartcardhsm.SmartCardHSMCardService
-
- All Implemented Interfaces:
CHVCardServiceWithControl
,CHVManagementCardService
,FileSystemSendAPDU
,RemoteUpdateService
,DecipherCardService
,KeyGenerationCardServiceWithSpec
,FileAccessCardService
,FileSystemCardService
,CHVCardService
,SecureService
,CardServiceInterface
,KeyGenerationCardService
,SignatureCardService
,APDUInterface
public class SmartCardHSMCardService extends BasicAppletCardService implements FileSystemCardService, CHVCardServiceWithControl, CHVManagementCardService, SecureService, KeyGenerationCardServiceWithSpec, DecipherCardService, FileSystemSendAPDU, RemoteUpdateService, APDUInterface
Class implementing a SmartCard HSM card service- Author:
- lew
-
-
Nested Class Summary
-
Nested classes/interfaces inherited from interface de.cardcontact.opencard.service.isocard.CHVCardServiceWithControl
CHVCardServiceWithControl.PasswordStatus
-
-
Field Summary
Fields Modifier and Type Field Description static java.lang.String
ALGO_PADDING_PKCS1_PSS
static byte
CACERTIFICATEPREFIX
Prefix for CA certificatesstatic byte
CERTDESCRIPTIONPREFIX
Prefix for CA certificates descriptionstatic byte
EECERTIFICATEPREFIX
Prefix for EE certificatesstatic ObjectIdentifier
ID_KEY_DOMAIN_UID
static byte
KEYPREFIX
Prefix for private keysstatic byte
PRKDPREFIX
Prefix for private key description-
Fields inherited from interface de.cardcontact.opencard.service.smartcardhsm.DecipherCardService
RSA_DECRYPTION_OAEP, RSA_DECRYPTION_PLAIN, RSA_DECRYPTION_V15
-
Fields inherited from interface opencard.opt.iso.fs.FileAccessCardService
READ_SEVERAL
-
-
Constructor Summary
Constructors Constructor Description SmartCardHSMCardService()
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Deprecated Methods Modifier and Type Method Description void
addCertToMap(java.security.cert.Certificate cert, boolean isEECertificate, byte id, java.lang.String label)
Add a certificate to the mapvoid
addDeviceCertificateToAliases(boolean addDeviceCertificateToAliases)
Enable or disable adding the Device Authentication Certificates to the aliasesSmartCardHSMKey
addKey(byte kid)
Add a key from device including a certificatevoid
addKeyToMap(SmartCardHSMKey key)
Add a new key to the map of keysvoid
appendRecord(CardFilePath file, byte[] data)
Deprecated.void
cancel()
Cancel pending requestboolean
changeReferenceData()
Get both passwords, the current password and the new one from a callback mechanism and send it to the card.boolean
changeReferenceData(SecurityDomain domain, int number, CHVControl cc, byte[] currentPassword, byte[] newPassword)
Change the User PIN or SO PIN.protected void
checkSelectResponse(AppletInfo info)
Process response to applet selection and extract version numbervoid
closeApplication(SecurityDomain domain)
Reselect applet, thus removing any authentication state and secure channelboolean
containsLabel(java.lang.String label)
Check if the label exists.void
create(CardFilePath parent, byte[] data)
Create a new file.void
deactivateSecureMessaging()
Deactivate the use of secure messaging.byte[]
decipher(SmartCardHSMKey privateKey, byte[] cryptogram)
The device decrypts using the private key a cryptogram enciphered with the public key and returns the plain value.byte[]
decipher(SmartCardHSMKey privateKey, byte[] cryptogram, byte algorithmID)
The device decrypts using the private key a cryptogram enciphered with the public key and returns the plain value.void
delete(CardFilePath file)
Delete elementary files or key objectsboolean
deleteKeyDomain(KeyDomain kd)
byte[]
deriveSymmetricKey(byte keyId, byte algo, byte[] data)
Use the secret key referenced in keyId to derive a secret using the algorithm selected in algo and the derivation parameter in datavoid
deriveXKEK(byte keyId, CardVerifiableCertificate puk)
Derive XKEK usingt the exchange key referenced by keyId and the peer public key The device certificate for validating the public key must have been selected with verifyCertificateChain() before.byte
determineFreeCAId()
Determine an unused CA identifierbyte
determineFreeKeyId()
Determine an unused key identifierbyte[]
enumerateObjects()
Enumerate all currently used file and key identifier.boolean
exists(CardFilePath file)
Determine if file exists.boolean
externalAuthenticate(byte[] signature)
Public Key Authentication is the mechanism by which an external entity can use its private key to authenticate.byte[]
generalAuthenticate(byte[] data)
The GENERAL AUTHENTICATE command allows the terminal to perform an explicit authentication of the device and agree secret session keys KS_ENC and KS_MAC for secure messaging.byte[]
generateKey(byte newKeyId, SmartCardHSMSecretKeySpec spec)
Generate a new symmetric keybyte[]
generateKeyPair(byte keyId, byte signingId, SmartCardHSMPrivateKeySpec spec)
Deprecated.Signing with key other than PrK.DevAur dropped in firmware 3.0byte[]
generateKeyPair(byte keyId, SmartCardHSMPrivateKeySpec spec)
Initiate the generation of a fresh key pair for the selected key object.void
generateKeyPair(PrivateKeyRef privateDest, PublicKeyRef publicDest, int strength, java.lang.String keyAlgorithm)
Deprecated.byte[]
generateRandom(int length)
Request random byte values generated by the build in random number generator.java.util.Vector<java.lang.String>
getAliases()
Return a Vector containing all aliases that are used on the SmartCardHSM.ChangeReferenceDataDialog
getChangeReferenceDataDialog()
java.security.interfaces.ECPublicKey
getDevAutPK()
CardFileInfo
getFileInfo(CardFilePath file)
Queries information about a file.java.lang.String
getId()
Return the unique id for the SmartCard-HSM The ID is only available after the secure channel has been establishedjava.util.List<KeyDomain>
getKeyDomains()
protected static int
getLengthFieldSizeHelper(int length)
Helper function for getSize() and getLengthFieldSize()int
getPasswordLength(SecurityDomain domain, int number)
Not implementedCHVCardServiceWithControl.PasswordStatus
getPasswordStatus(SecurityDomain domain, int number)
Get the smartcard's password status.java.lang.String
getProvisioningURL()
CardFilePath
getRoot()
Return the application path.boolean
getSecurityStatus()
Get the card's security statusSmartCardHSMEntry
getSmartCardHSMEntry(java.lang.String label)
Get a Entry objectTrustStore
getTrustStore()
int
getVersion()
byte[]
importDKEKShare(byte[] keyShare)
Import a single key share of the Device Encryption Key.byte[]
importPublicKey(CardVerifiableCertificate cert)
Import public keys for authentication.void
initialize(byte[] config, byte[] initPin, byte[] initCode, byte retryCounter)
Initialize the SmartCard-HSM.void
initialize(byte[] config, byte[] initPin, byte[] initCode, byte retryCounter, byte noOfShares)
Initialize the SmartCard-HSM.void
initialize(InitializeConfiguration config)
Initialize the SmartCard-HSM.protected void
initialize(CardServiceScheduler scheduler, SmartCard card, boolean blocking)
Instantiates a BasicAppletCardService and tie it both to its CardServiceScheduler and its using SmartCard object.void
initSecureMessaging()
Calculate credential and set the flag for secure messagingvoid
invalidate(CardFilePath file)
Deprecated.protected boolean
isSelected(CardChannel channel)
Allow derived class to veto select if applet is already selected, e.g.protected static void
lengthToByteArrayOutputStream(int length, java.io.ByteArrayOutputStream bos)
Encode length field in byte arrayvoid
manageSE(byte[] data)
Select algorithms and keys for security operations.boolean
manageSE(byte p1, byte p2, byte[] cdata)
Select algorithms and keys for security operations.byte[]
performECCDH(SmartCardHSMKey privateKey, byte[] pkComponents)
The device calculates a shared secret point using an EC Diffie-Hellman operation.void
provideCredentials(SecurityDomain domain, CredentialBag creds)
Deprecated.byte[]
read(CardFilePath file, int offset, int length)
READ BINARYjava.security.PublicKey
readPublicKey(PublicKeyRef pulicKey, java.lang.String keyAlgorithm)
Deprecated.byte[]
readRecord(CardFilePath file, int recordNumber)
Deprecated.byte[][]
readRecords(CardFilePath file, int number)
Deprecated.void
rehabilitate(CardFilePath file)
Deprecated.void
removeEntry(java.lang.String label)
Remove an entry both from map and card.void
renameEntry(java.lang.String oldlabel, java.lang.String newlabel)
boolean
resetRetryCounter(SecurityDomain domain, int number, CHVControl cc, byte[] unblockingCode, byte[] newPassword)
The device is initialized with a User PIN during device initialization.boolean
selectPubKeyForAuthentication(byte[] chr)
Manage Security Environment APDU for External Authenticateboolean
selectPubKeyForSignature(PublicKeyReference chr)
Manage Security Environment APDU for Certificate and Public Key VerificationResponseAPDU
sendCommandAPDU(CommandAPDU com)
Send a command to the card, potentially using secure messagingResponseAPDU
sendCommandAPDU(CardFilePath path, CommandAPDU com, int usageQualifier)
Send APDU making sure that the object referenced by path is selectedvoid
setChangeReferenceDataDialog(ChangeReferenceDataDialog dialog)
void
setFastDeleteThreshold(int threshold)
Enable fast delete operation without garbage collecting freed memory.void
setHttpURLConnectionFactory(HttpURLConnectionFactory factory)
Set an HttpURLConnectionFactory which creates preconfigured HttpURLConnectionsbyte[]
signData(PrivateKeyRef privateKey, java.lang.String signAlgorithm, byte[] data)
Generate a digital Signature.byte[]
signData(PrivateKeyRef privateKey, java.lang.String signAlgorithm, java.lang.String padAlgorithm, byte[] data)
Create a signature.byte[]
signHash(PrivateKeyRef privateKey, java.lang.String signAlgorithm, byte[] hash)
Create a signature.byte[]
signHash(PrivateKeyRef privateKey, java.lang.String signAlgorithm, java.lang.String padAlgorithm, byte[] hash)
Create a signature.void
storePRKD(byte kid, KeyDescription prkd)
Store the private key description on the cardboolean
unwrapKey(byte kid, byte[] key)
The Unwrap command allows the terminal to import a private or secret key value and meta data encrypted under the Device Key Encryption Key.void
update(java.lang.String url, java.lang.String sessionId, RemoteNotificationListener notificationListener)
Update the card by obtaining command APDUs from a remote administration server.void
useClassThreePinPad(boolean usePinPad)
Enable or disable the pin padboolean
verifyBio(byte id, byte[] template)
Verify biometric templatevoid
verifyCertificate(CardVerifiableCertificate cvc)
Present a card verifiable certificate in order to establish a trusted public key in the device.void
verifyCertificateChain(CardVerifiableCertificate[] chain)
Ensure that the issuer of the certificate or request in chain[0] is validated.boolean
verifyPassword()
Get password from a callback mechanism or from a terminal pin pad and send it to the card.boolean
verifyPassword(SecurityDomain domain, int number, byte[] password)
Checks a password for card holder verification.boolean
verifyPassword(SecurityDomain domain, int number, CHVControl cc, byte[] password)
If there is a class 3 card terminal the pin will be entered on the terminal's pin pad.boolean
verifySignedData(PublicKeyRef publicKey, java.lang.String signAlgorithm, byte[] data, byte[] signature)
Deprecated.boolean
verifySignedData(PublicKeyRef publicKey, java.lang.String signAlgorithm, java.lang.String padAlgorithm, byte[] data, byte[] signature)
Deprecated.boolean
verifySignedHash(PublicKeyRef publicKey, java.lang.String signAlgorithm, byte[] hash, byte[] signature)
Deprecated.boolean
verifySignedHash(PublicKeyRef publicKey, java.lang.String signAlgorithm, java.lang.String padAlgorithm, byte[] hash, byte[] signature)
Deprecated.byte[]
wrapKey(byte kid)
The Wrap command allows the terminal to extract a private or secret key value encrypted under the Device Key Encryption Key.void
write(CardFilePath file, int offset, byte[] data)
Writes data to a transparent file, using a complete array.void
write(CardFilePath file, int foffset, byte[] source, int soffset, int length)
Deprecated.void
writeRecord(CardFilePath file, int recordNumber, byte[] data)
Deprecated.-
Methods inherited from class opencard.opt.applet.BasicAppletCardService
getAppletSelector, getCardState, sendCommandAPDU, sendCommandAPDU, sendVerifiedAPDU, setAppletSelector
-
Methods inherited from class opencard.core.service.CardService
allocateCardChannel, getCard, getCardChannel, getCHVDialog, releaseCardChannel, setCardChannel, setCHVDialog
-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface opencard.opt.service.CardServiceInterface
getCard, setCHVDialog
-
-
-
-
Field Detail
-
ALGO_PADDING_PKCS1_PSS
public static final java.lang.String ALGO_PADDING_PKCS1_PSS
- See Also:
- Constant Field Values
-
KEYPREFIX
public static final byte KEYPREFIX
Prefix for private keys- See Also:
- Constant Field Values
-
PRKDPREFIX
public static final byte PRKDPREFIX
Prefix for private key description- See Also:
- Constant Field Values
-
EECERTIFICATEPREFIX
public static final byte EECERTIFICATEPREFIX
Prefix for EE certificates- See Also:
- Constant Field Values
-
CACERTIFICATEPREFIX
public static final byte CACERTIFICATEPREFIX
Prefix for CA certificates- See Also:
- Constant Field Values
-
CERTDESCRIPTIONPREFIX
public static final byte CERTDESCRIPTIONPREFIX
Prefix for CA certificates description- See Also:
- Constant Field Values
-
ID_KEY_DOMAIN_UID
public static final ObjectIdentifier ID_KEY_DOMAIN_UID
-
-
Method Detail
-
initialize
protected void initialize(CardServiceScheduler scheduler, SmartCard card, boolean blocking) throws CardServiceException
Description copied from class:BasicAppletCardService
Instantiates a BasicAppletCardService and tie it both to its CardServiceScheduler and its using SmartCard object.- Overrides:
initialize
in classBasicAppletCardService
- Parameters:
scheduler
- The scheduler of this CardExecutiveCardService.card
- The controlling SmartCard object.blocking
- Specify the wait behavior for obtaining a CardChannel from the CardServiceScheduler.- Throws:
CardServiceException
- if the service could not be initialized. The object created via the default constructor may not be used if this happens.- See Also:
CardServiceFactory
-
checkSelectResponse
protected void checkSelectResponse(AppletInfo info)
Process response to applet selection and extract version number- Overrides:
checkSelectResponse
in classBasicAppletCardService
- Parameters:
info
- The application info returned from the AppletSelector
-
useClassThreePinPad
public void useClassThreePinPad(boolean usePinPad)
Enable or disable the pin pad- Parameters:
usePinPad
-
-
addDeviceCertificateToAliases
public void addDeviceCertificateToAliases(boolean addDeviceCertificateToAliases)
Enable or disable adding the Device Authentication Certificates to the aliases- Parameters:
usePinPad
-
-
isSelected
protected boolean isSelected(CardChannel channel) throws CardTerminalException
Description copied from class:BasicAppletCardService
Allow derived class to veto select if applet is already selected, e.g. because the applet is already active and a re-select would clear the security status- Overrides:
isSelected
in classBasicAppletCardService
- Parameters:
channel
- The CardChannel to be used for sending the select command to the card.- Returns:
- true is applet is already selected and select should be skipped
- Throws:
CardTerminalException
-
initSecureMessaging
public void initSecureMessaging() throws CardServiceException, CardTerminalException, java.security.cert.CertPathBuilderException
Calculate credential and set the flag for secure messaging- Throws:
CardServiceException
CardTerminalException
java.security.cert.CertPathBuilderException
-
getId
public java.lang.String getId() throws OpenCardException, java.security.cert.CertPathBuilderException
Return the unique id for the SmartCard-HSM The ID is only available after the secure channel has been established- Returns:
- the id or null if secure messaging has not been started yet
- Throws:
java.security.cert.CertPathBuilderException
OpenCardException
-
getProvisioningURL
public java.lang.String getProvisioningURL()
-
getVersion
public int getVersion() throws CardTerminalException, CardServiceException
-
deactivateSecureMessaging
public void deactivateSecureMessaging()
Deactivate the use of secure messaging. All further APDUs will be send in plain until invocation of initSecureMessaging()
-
sendCommandAPDU
public ResponseAPDU sendCommandAPDU(CommandAPDU com) throws CardTerminalException, CardServiceException
Send a command to the card, potentially using secure messaging- Specified by:
sendCommandAPDU
in interfaceAPDUInterface
- Parameters:
com
- the command- Returns:
- the response
- Throws:
CardTerminalException
CardServiceException
-
closeApplication
public void closeApplication(SecurityDomain domain) throws CardServiceException, CardTerminalException
Reselect applet, thus removing any authentication state and secure channel- Specified by:
closeApplication
in interfaceCHVCardService
- Parameters:
domain
- the security domain for which to reset card holder verifications- Throws:
CardServiceException
- if this service, or the underlying implementation, encountered an errorCardTerminalException
- if the underlying terminal encountered an error while communicating with the smartcard
-
getPasswordLength
public int getPasswordLength(SecurityDomain domain, int number) throws CardServiceException, CardTerminalException
Not implemented- Specified by:
getPasswordLength
in interfaceCHVCardService
- Parameters:
domain
- The security domain in which the password resides. null can be passed to refer to the root domain on the smartcard.
For file system based smartcards, the security domain is specified as a CardFilePath. The root domain then corresponds to the master file.number
- The number of the password. This parameter is used to distinguish between different passwords in the same security domain.- Returns:
- the number of data bytes for the specified password
- Throws:
CardServiceException
- if this service encountered an error. This may occur if the service needs to contact the smartcard in order to determine the password length. An exception may also be thrown if the service is unable to locate the security domain.CardTerminalException
- if the underlying card terminal encountered an error when communicating with the smartcard
-
verifyBio
public boolean verifyBio(byte id, byte[] template) throws CardTerminalException, CardServiceException
Verify biometric template- Parameters:
id
- the template id (0x85 or 0x86)template
- the biometric template- Returns:
- true if authentication was successful
- Throws:
CardTerminalException
CardServiceException
-
verifyPassword
public boolean verifyPassword() throws CardServiceException, CardTerminalException
Get password from a callback mechanism or from a terminal pin pad and send it to the card. This method uses default CHVControl settings.- Returns:
- true if verification was successful
- Throws:
CardServiceException
CardTerminalException
CardServiceOperationFailedException
- is operation is cancelled by user or change PIN failed
-
getSecurityStatus
public boolean getSecurityStatus() throws CardServiceException, CardTerminalException
Get the card's security status- Returns:
- true if the card is in a verified state, false otherwise
- Throws:
CardServiceException
CardTerminalException
-
verifyPassword
public boolean verifyPassword(SecurityDomain domain, int number, byte[] password) throws CardServiceException, CardTerminalException
Description copied from interface:CHVCardService
Checks a password for card holder verification. Note that repeated verification of a wrong password will typically block that password on the smartcard.- Specified by:
verifyPassword
in interfaceCHVCardService
- Parameters:
domain
- not in use, set to nullnumber
- not in use, set to 0password
- The password data that has to be verified or null- Throws:
CardServiceException
- if this service encountered an error. In this context, it is not considered an error if the password to be verified is wrong. However, if the password is blocked on the smartcard, an exception will be thrown.CardTerminalException
- if the underlying card terminal encountered an error when communicating with the smartcard
-
verifyPassword
public boolean verifyPassword(SecurityDomain domain, int number, CHVControl cc, byte[] password) throws CardServiceException, CardTerminalException
If there is a class 3 card terminal the pin will be entered on the terminal's pin pad. Otherwise a callback mechanism will be used. To guarantee the functionality of the class 3 terminal the command apdu will never send with secure messaging.- Specified by:
verifyPassword
in interfaceCHVCardServiceWithControl
- Parameters:
domain
- not in use, set to nullnumber
- not in use, set to 0password
- not in use, set to nullcc
- Control parameter defined by the application- Throws:
CardServiceException
- if this service encountered an error. In this context, it is not considered an error if the password to be verified is wrong. However, if the password is blocked on the smartcard, an exception will be thrown.CardTerminalException
- if the underlying card terminal encountered an error when communicating with the smartcard
-
getPasswordStatus
public CHVCardServiceWithControl.PasswordStatus getPasswordStatus(SecurityDomain domain, int number) throws CardServiceException, CardTerminalException
Description copied from interface:CHVCardServiceWithControl
Get the smartcard's password status.- Specified by:
getPasswordStatus
in interfaceCHVCardServiceWithControl
- Parameters:
domain
- not in use, set to nullnumber
- not in use, set to 0- Returns:
- The password status
- Throws:
CardServiceException
- if this service encountered an error.CardTerminalException
- if the underlying card terminal encountered an error when communicating with the smartcard
-
appendRecord
@Deprecated public void appendRecord(CardFilePath file, byte[] data) throws CardServiceException, CardTerminalException
Deprecated.Not implemented- Specified by:
appendRecord
in interfaceFileAccessCardService
- Parameters:
file
- the path to the file to append todata
- the data to write to the new record- Throws:
CardServiceException
- if the service encountered an errorCardTerminalException
- if the terminal encountered an error- See Also:
FileAccessCardService.readRecord(opencard.opt.iso.fs.CardFilePath, int)
,FileAccessCardService.writeRecord(opencard.opt.iso.fs.CardFilePath, int, byte[])
-
exists
public boolean exists(CardFilePath file) throws CardServiceException, CardTerminalException
Determine if file exists.- Specified by:
exists
in interfaceFileAccessCardService
- Parameters:
file
- the path to the file- Returns:
- true or false if file doesn't exist
- Throws:
CardServiceException
- if the service encountered an errorCardTerminalException
- if the terminal encountered an error- See Also:
FileAccessCardService.exists(CardFilePath)
-
getFileInfo
public CardFileInfo getFileInfo(CardFilePath file) throws CardServiceException, CardTerminalException
Queries information about a file. If the file doesn't exists throws a CardServiceObjectNotAvailableException If the file is an AID, this operation will reset the card's security state.- Specified by:
getFileInfo
in interfaceFileAccessCardService
- Parameters:
file
- the path to the file to query- Returns:
- information about the file
- Throws:
CardServiceObjectNotAvailableException
- if the file doesn't existsCardServiceException
- if the service encountered an errorCardTerminalException
- if the terminal encountered an error- See Also:
FileAccessCardService.getFileInfo(opencard.opt.iso.fs.CardFilePath)
-
getRoot
public CardFilePath getRoot()
Return the application path.- Specified by:
getRoot
in interfaceFileAccessCardService
- Returns:
- the path to the master file
- See Also:
FileAccessCardService.getRoot()
-
read
public byte[] read(CardFilePath file, int offset, int length) throws CardServiceException, CardTerminalException
READ BINARY- Specified by:
read
in interfaceFileAccessCardService
- Parameters:
file
- the path to the fileoffset
-length
-- Returns:
- an array holding the data read from the file, or null if a read with length READ_SEVERAL has been performed at the end of the file
- Throws:
CardServiceException
- if the service encountered an errorCardTerminalException
- if the terminal encountered an error- See Also:
FileAccessCardService.READ_SEVERAL
-
readRecord
@Deprecated public byte[] readRecord(CardFilePath file, int recordNumber) throws CardServiceException, CardTerminalException
Deprecated.Not implemented- Specified by:
readRecord
in interfaceFileAccessCardService
- Parameters:
file
- the path to the file to read fromrecordNumber
- the index of the record to read (0 for first)- Returns:
- an array holding the record read. If the record has length 0, which may happen with linear variable files, an array of length 0 is returned.
- Throws:
CardServiceException
- if the service encountered an errorCardTerminalException
- if the terminal encountered an error- See Also:
FileAccessCardService.readRecords(opencard.opt.iso.fs.CardFilePath, int)
-
readRecords
@Deprecated public byte[][] readRecords(CardFilePath file, int number) throws CardServiceException, CardTerminalException
Deprecated.Not implemented- Specified by:
readRecords
in interfaceFileAccessCardService
- Parameters:
file
- the path to the file to read fromnumber
- the number of records to read, or READ_SEVERAL. If 0 is passed, the behavior is implementation dependent.- Returns:
- an array holding the records read, where the records are arrays themselves
- Throws:
CardServiceException
- if the service encountered an errorCardTerminalException
- if the terminal encountered an error- See Also:
FileAccessCardService.readRecord(opencard.opt.iso.fs.CardFilePath, int)
,FileAccessCardService.READ_SEVERAL
-
write
@Deprecated public void write(CardFilePath file, int foffset, byte[] source, int soffset, int length) throws CardServiceException, CardTerminalException
Deprecated.Not implemented, use write(CardFilePath file, int offset, byte[] data)- Specified by:
write
in interfaceFileAccessCardService
- Parameters:
file
- the path to the file to write tofoffset
- the file index of the first byte to overwrite (0 for first byte in file)source
- an array holding the data to writesoffset
- the array index of the first byte to writelength
- the number of bytes to write- Throws:
CardServiceException
- if the service encountered an errorCardTerminalException
- if the terminal encountered an error- See Also:
FileAccessCardService.read(opencard.opt.iso.fs.CardFilePath, int, int)
,FileAccessCardService.write(opencard.opt.iso.fs.CardFilePath, int, byte[])
-
write
public void write(CardFilePath file, int offset, byte[] data) throws CardServiceException, CardTerminalException
Description copied from interface:FileAccessCardService
Writes data to a transparent file, using a complete array. This is a convenience method for write with five arguments. It does not allow to specify an array index and the number of bytes to write. Instead, it always writes the complete array passed. Typically, this method will be implemented as follows:final public void write(CardFilePath file, int offset, byte[] data) { write(file, offset, data, 0, data.length); }
- Specified by:
write
in interfaceFileAccessCardService
- Parameters:
file
- the path to the fileoffset
-data
-- Throws:
CardServiceException
- if the service encountered an errorCardTerminalException
- if the terminal encountered an error- See Also:
FileAccessCardService.write(opencard.opt.iso.fs.CardFilePath, int, byte[], int, int)
-
writeRecord
@Deprecated public void writeRecord(CardFilePath file, int recordNumber, byte[] data) throws CardServiceException, CardTerminalException
Deprecated.Not implemented- Specified by:
writeRecord
in interfaceFileAccessCardService
- Parameters:
file
- the path to the file to write torecordNumber
- the index of the record to overwrite (0 for first)data
- the data to write to the file- Throws:
CardServiceException
- if the service encountered an errorCardTerminalException
- if the terminal encountered an error- See Also:
FileAccessCardService.readRecord(opencard.opt.iso.fs.CardFilePath, int)
,FileAccessCardService.appendRecord(opencard.opt.iso.fs.CardFilePath, byte[])
-
provideCredentials
@Deprecated public void provideCredentials(SecurityDomain domain, CredentialBag creds) throws CardServiceException
Deprecated.Not implemented- Specified by:
provideCredentials
in interfaceSecureService
- Parameters:
domain
- the security domain for which to provide credentialscreds
- the credentials for that domain- Throws:
CardServiceException
- If the card service could not process the credentials, if the SecurityDomain is invalid.- See Also:
CardService
-
getLengthFieldSizeHelper
protected static int getLengthFieldSizeHelper(int length)
Helper function for getSize() and getLengthFieldSize()- Parameters:
length
-- Returns:
- the size of the length field
-
lengthToByteArrayOutputStream
protected static void lengthToByteArrayOutputStream(int length, java.io.ByteArrayOutputStream bos)
Encode length field in byte array- Parameters:
length
- Length to be encodedbos
- ByteArrayOutputStream to copy length into
-
create
public void create(CardFilePath parent, byte[] data) throws CardServiceException, CardTerminalException
Create a new file. Internal use of write(CardFilePath path, int offset, byte[] data)- Specified by:
create
in interfaceFileSystemCardService
- Parameters:
parent
- The parent CardFilePathdata
- File identifier encoded as FCP data object- Throws:
CardServiceException
- if the service encountered an errorCardTerminalException
- if the terminal encountered an error- See Also:
FileAccessCardService.getFileInfo(opencard.opt.iso.fs.CardFilePath)
,CardFileInfo.getHeader()
,CardID
,SmartCard.getCardID()
-
setFastDeleteThreshold
public void setFastDeleteThreshold(int threshold)
Enable fast delete operation without garbage collecting freed memory. The garbage collector in the JCVM is triggered if memory is running low or if an out of memory condition occurs. However, garbage collection only occurs before executing the next command, so the OOM error is always reported to the application and must be handled accordingly. As a default setting, the DELETE command will trigger garbage collection on every invocation. By setting a threshold, the specified number of delete operations will be performed without garbage collection.- Parameters:
threshold
- the number of delete operations without garbage collection.
-
delete
public void delete(CardFilePath file) throws CardServiceException, CardTerminalException
Delete elementary files or key objects- Specified by:
delete
in interfaceFileSystemCardService
- Parameters:
file
- the path to the file to delete- Throws:
CardServiceException
- if the service encountered an errorCardTerminalException
- if the terminal encountered an error
-
invalidate
@Deprecated public void invalidate(CardFilePath file) throws CardServiceInabilityException, CardServiceException, CardTerminalException
Deprecated.Not implemented- Specified by:
invalidate
in interfaceFileSystemCardService
- Parameters:
file
- the path to the file to invalidate- Throws:
CardServiceInabilityException
- if the service does not support this operationCardServiceException
- if the service encountered an errorCardTerminalException
- if the terminal encountered an error
-
rehabilitate
@Deprecated public void rehabilitate(CardFilePath file) throws CardServiceInabilityException, CardServiceException, CardTerminalException
Deprecated.Not implemented- Specified by:
rehabilitate
in interfaceFileSystemCardService
- Parameters:
file
- the path to the file to rehabilitate- Throws:
CardServiceInabilityException
- if the service does not support this operationCardServiceException
- if the service encountered an errorCardTerminalException
- if the terminal encountered an error
-
changeReferenceData
public boolean changeReferenceData() throws CardServiceException, CardTerminalException
Get both passwords, the current password and the new one from a callback mechanism and send it to the card. This method uses default CHVControl settings.- Returns:
- true if verification was successful
- Throws:
CardServiceException
CardTerminalException
-
changeReferenceData
public boolean changeReferenceData(SecurityDomain domain, int number, CHVControl cc, byte[] currentPassword, byte[] newPassword) throws CardTerminalException, CardServiceException
Change the User PIN or SO PIN.- Specified by:
changeReferenceData
in interfaceCHVManagementCardService
- Parameters:
domain
- Not usednumber
- Must be one of 0x81 for User PIN or 0x88 for SO PINcc
- Not usedcurrentPassword
-newPassword
-- Throws:
CardServiceException
CardTerminalException
-
resetRetryCounter
public boolean resetRetryCounter(SecurityDomain domain, int number, CHVControl cc, byte[] unblockingCode, byte[] newPassword) throws CardTerminalException, CardServiceException
The device is initialized with a User PIN during device initialization. If this User PIN is blocked it can be reset using the SO PIN (initialization code) of the device.- Specified by:
resetRetryCounter
in interfaceCHVManagementCardService
- Parameters:
domain
- Not in usenumber
- Set to local PIN '81'cc
- Not in useunblockingCode
- The code to unblock the cardnewPassword
- The new password or null- Throws:
CardServiceException
CardTerminalException
-
initialize
public void initialize(byte[] config, byte[] initPin, byte[] initCode, byte retryCounter) throws CardTerminalException, CardServiceException, TLVEncodingException
Initialize the SmartCard-HSM. This clears all cryptographic material and transparent files. It also sets the user PIN, generate a random Device Key Encryption Key and defines the basic configuration options.- Parameters:
config
- The configuration options (default '0001')initPin
- Set the user pininitCode
- 8 byte code that protects unauthorized re-initializationretryCounter
- Initial value for the retry counter- Throws:
CardTerminalException
CardServiceException
TLVEncodingException
-
initialize
public void initialize(byte[] config, byte[] initPin, byte[] initCode, byte retryCounter, byte noOfShares) throws CardTerminalException, CardServiceException, TLVEncodingException
Initialize the SmartCard-HSM. This clears all cryptographic material and transparent files. It also sets the user PIN, defines the basic configuration options and the number of Device Key Encryption Key shares for key wrapping/unwrapping.- Parameters:
config
- the configuration options (default '0001')initPin
- Set the user pininitCode
- 8 byte code that protects unauthorized re-initializationretryCounter
- Initial value for the retry counternoOfShares
- Number of Device Key Encryption Key shares- Throws:
CardTerminalException
CardServiceException
TLVEncodingException
-
initialize
public void initialize(InitializeConfiguration config) throws CardTerminalException, CardServiceException, TLVEncodingException
Initialize the SmartCard-HSM. This clears all cryptographic material and transparent files except for the Device Authentication key and its certificate. Device initialization allows resetting the User PIN to an initial value or switching between User PIN and public key authentication. The first device initialization also sets an Initialization Code to prevent unauthorized re-initialization. Device Initialization allows the user to define that a Device Key Encryption Key is used and how many key shares are used to split the secret between key custodians. Device Initialization allows to enable n-of-m authentication using a threshold scheme by defining the number (m) of key custodians and the required quota to authentication (n). User PIN and n-of-m authentication are mutually exclusive. A successful device authentication sets the security state to authenticated until the next applet select or card reset.- Parameters:
config
- how the SmartCard-HSM shall be initialized- Throws:
CardTerminalException
CardServiceException
TLVEncodingException
-
generateKeyPair
@Deprecated public byte[] generateKeyPair(byte keyId, byte signingId, SmartCardHSMPrivateKeySpec spec) throws CardTerminalException, CardServiceException, TLVEncodingException
Deprecated.Signing with key other than PrK.DevAur dropped in firmware 3.0Initiate the generation of a fresh key pair for the selected key object. Generating a new key pair requires a successful verification of the User PIN.- Parameters:
keyId
- the ID for the key to be generatedsigningId
- the ID for signing authenticated requestspec
- the AlgorithmParameterSpec containing the domain parameter- Throws:
CardTerminalException
CardServiceException
TLVEncodingException
-
generateKeyPair
public byte[] generateKeyPair(byte keyId, SmartCardHSMPrivateKeySpec spec) throws OpenCardException
Initiate the generation of a fresh key pair for the selected key object. Generating a new key pair requires a successful verification of the User PIN.- Specified by:
generateKeyPair
in interfaceKeyGenerationCardServiceWithSpec
- Parameters:
keyId
- the ID for the key to be generatedspec
- the AlgorithmParameterSpec containing the domain parameter- Throws:
OpenCardException
-
generateKey
public byte[] generateKey(byte newKeyId, SmartCardHSMSecretKeySpec spec) throws OpenCardException
Generate a new symmetric key- Specified by:
generateKey
in interfaceKeyGenerationCardServiceWithSpec
- Parameters:
newKeyId
- the id for the key to be generatedspec
- the key specification- Returns:
- Throws:
OpenCardException
-
importDKEKShare
public byte[] importDKEKShare(byte[] keyShare) throws CardTerminalException, CardServiceException
Import a single key share of the Device Encryption Key.- Returns:
- The total number of shares, outstanding shares and the KCV
- Throws:
CardServiceException
CardTerminalException
-
wrapKey
public byte[] wrapKey(byte kid) throws CardTerminalException, CardServiceException
The Wrap command allows the terminal to extract a private or secret key value encrypted under the Device Key Encryption Key.- Parameters:
kid
- The key identifier- Returns:
- the wrapped key
- Throws:
CardServiceException
CardTerminalException
-
unwrapKey
public boolean unwrapKey(byte kid, byte[] key) throws CardTerminalException, CardServiceException
The Unwrap command allows the terminal to import a private or secret key value and meta data encrypted under the Device Key Encryption Key.- Parameters:
kid
- The key identifier- Throws:
CardServiceException
CardTerminalException
-
generateKeyPair
@Deprecated public void generateKeyPair(PrivateKeyRef privateDest, PublicKeyRef publicDest, int strength, java.lang.String keyAlgorithm) throws CardServiceException, java.security.InvalidKeyException, CardTerminalException
Deprecated.Not implemented- Specified by:
generateKeyPair
in interfaceKeyGenerationCardService
- Parameters:
privateDest
- Location on card where the private key should be stored.publicDest
- Location on card where the public key should be storedstrength
- number of bits in the generated keykeyAlgorithm
- Standard Algorithm names as defined in the Java Cryptography Architecture API Specification & Reference for example DSA: Digital Signature Algorithm, as defined in Digital Signature Standard, NIST FIPS 186. RSA: The Rivest, Shamir and Adleman AsymmetricCipher algorithm.- Throws:
CardServiceException
- Thrown when the card does not support the requested strength or algorithm.java.security.InvalidKeyException
- Thrown when the key files do not match the requested strength or algorithm.CardTerminalException
- any subclass of CardTerminalException
-
readPublicKey
@Deprecated public java.security.PublicKey readPublicKey(PublicKeyRef pulicKey, java.lang.String keyAlgorithm) throws CardServiceException, java.security.InvalidKeyException, CardTerminalException
Deprecated.Not implemented- Specified by:
readPublicKey
in interfaceKeyGenerationCardService
- Parameters:
pulicKey
- Reference to the key on card that should be read.keyAlgorithm
- Standard Algorithm names as defined in the Java Cryptography Architecture API Specification & Reference for example DSA: Digital Signature Algorithm, as defined in Digital Signature Standard, NIST FIPS 186. RSA: The Rivest, Shamir and Adleman AsymmetricCipher algorithm.- Returns:
- key The public key
- Throws:
CardServiceException
- access conditions do not allow reading the key, key is not foundjava.security.InvalidKeyException
- Thrown when the key file does not match the requested algorithm.CardTerminalException
- any subclass of CardTerminalException
-
signData
public byte[] signData(PrivateKeyRef privateKey, java.lang.String signAlgorithm, byte[] data) throws CardServiceException, CardTerminalException
Description copied from interface:SignatureCardService
Generate a digital Signature. First hash the data, then pad the hash and then apply the PKA algorithm to the padded hash.The padding algorithm is chosen as defined in the Java Cryptography Architecture Specification.
The standard algorithm name must be specified as defined in the Java Cryptography Architecture API Specification & Reference, for example
- MD5withRSA
- The Signature algorithm obtained by combining the RSA AsymmetricCipher algorithm with the MD5 MessageDigest Algorithm.
- MD2withRSA
- The Signature algorithm obtained by combining the RSA AsymmetricCipher algorithm with the MD2 MessageDigest Algorithm.
- SHA1withRSA
- The Signature algorithm obtained by combining the RSA AsymmetricCipher algorithm with the SHA-1 MessageDigest Algorithm.
- SHA1withDSA
- Digital Signature Algorithm, as defined in Digital Signature Standard, NIST FIPS 186. This standard defines a digital signature algorithm that uses the RawDSA asymmetric transformation along with the SHA-1 message digest algorithm.
- Specified by:
signData
in interfaceSignatureCardService
- Parameters:
privateKey
- a reference to the private key on card to be used for signingsignAlgorithm
- standard digital signature algorithm namedata
- data to be signed- Returns:
- signature
- Throws:
CardServiceException
- any subclass of CardServiceExceptionCardTerminalException
- any subclass of CardTerminalException- See Also:
JCAStandardNames
-
signData
public byte[] signData(PrivateKeyRef privateKey, java.lang.String signAlgorithm, java.lang.String padAlgorithm, byte[] data) throws CardServiceException, CardTerminalException
Create a signature.- Specified by:
signData
in interfaceSignatureCardService
- Parameters:
privateKey
- a reference to the private key on card to be used for signingsignAlgorithm
- standard digital signature algorithm namepadAlgorithm
- padding algorithm name, for example one of ISO9796, PKCS#1, ZEROPADDINGdata
- data to be signed- Returns:
- signature
- Throws:
CardServiceException
- any subclass of CardServiceExceptionCardTerminalException
- any subclass of CardTerminalException- See Also:
JCAStandardNames
-
signHash
public byte[] signHash(PrivateKeyRef privateKey, java.lang.String signAlgorithm, byte[] hash) throws CardServiceException, java.security.InvalidKeyException, CardTerminalException
Create a signature. If the referenced key type is RSA then the hash will be padded according to the EMSA-PKCS1-v1_5 encoding. The data will be send to the card which performs a Plain RSA signature operation. If the key is of type ECC then the hash will be send to the card which performs a Plain ECDSA operation.- Specified by:
signHash
in interfaceSignatureCardService
- Parameters:
privateKey
- the SmartCardHSMKeysignAlgorithm
- String containing the signing algorithmhash
-- Returns:
- signature
- Throws:
CardServiceException
- any subclass of CardServiceExceptionjava.security.InvalidKeyException
- Thrown when the key is not valid or does not match the requested algorithm.CardTerminalException
- any subclass of CardTerminalException- See Also:
JCAStandardNames
-
signHash
public byte[] signHash(PrivateKeyRef privateKey, java.lang.String signAlgorithm, java.lang.String padAlgorithm, byte[] hash) throws CardServiceException, CardTerminalException
Create a signature. RSASSA-PSS: If using a SmartCard-HSM with version 2.00 or newer, PSS padding performed by the card is supported. The SmartCard-HSM supports padding according to PSS for the hash algorithm SHA1 and SHA256. SHA384 and SHA512 hashes will still be padded externally by this card service. If the key is of type ECC then the hash will be send to the card which performs a Plain ECDSA operation.- Specified by:
signHash
in interfaceSignatureCardService
- Parameters:
privateKey
- the SmartCardHSMKeysignAlgorithm
- String containing the signing algorithmpadAlgorithm
- String containing the padding algorithmhash
-- Returns:
- signature
- Throws:
CardServiceException
- any subclass of CardServiceExceptionCardTerminalException
- any subclass of CardTerminalException- See Also:
JCAStandardNames
-
verifySignedData
@Deprecated public boolean verifySignedData(PublicKeyRef publicKey, java.lang.String signAlgorithm, byte[] data, byte[] signature) throws CardServiceException, java.security.InvalidKeyException, CardTerminalException
Deprecated.Not implemented- Specified by:
verifySignedData
in interfaceSignatureCardService
- Parameters:
publicKey
- a reference to the public key on card to be used for signature validationsignAlgorithm
- standard digital signature algorithm namedata
- the data for which the signature should be verifiedsignature
- signature to be verified- Returns:
- True if signature valdidation was successfull
- Throws:
CardServiceException
- any subclass of CardServiceExceptionjava.security.InvalidKeyException
- Thrown when the key is not valid or does not match the requested algorithm.CardTerminalException
- any subclass of CardTerminalException- See Also:
JCAStandardNames
-
verifySignedData
@Deprecated public boolean verifySignedData(PublicKeyRef publicKey, java.lang.String signAlgorithm, java.lang.String padAlgorithm, byte[] data, byte[] signature) throws CardServiceException, java.security.InvalidKeyException, CardTerminalException
Deprecated.Not implemented- Specified by:
verifySignedData
in interfaceSignatureCardService
- Parameters:
publicKey
- a reference to the public key on card to be used for signature validationsignAlgorithm
- standard digital signature algorithm namepadAlgorithm
- padding algorithm name, for example one of ISO9796, PKCS#1, ZEROPADDINGdata
- the data for which the signature should be verifiedsignature
- signature to be verified- Returns:
- True if signature valdidation was successfull
- Throws:
CardServiceException
- any subclass of CardServiceExceptionjava.security.InvalidKeyException
- Thrown when the key is not valid or does not match the requested algorithm.CardTerminalException
- any subclass of CardTerminalException- See Also:
JCAStandardNames
-
verifySignedHash
@Deprecated public boolean verifySignedHash(PublicKeyRef publicKey, java.lang.String signAlgorithm, byte[] hash, byte[] signature) throws CardServiceException, java.security.InvalidKeyException, CardTerminalException
Deprecated.Not implemented- Specified by:
verifySignedHash
in interfaceSignatureCardService
- Parameters:
publicKey
- a reference to the public key on card to be used for signature validationsignAlgorithm
- standard key algorithm namehash
- The hash for which the signature should be verified.signature
- signature to be verified- Returns:
- True if signature valdidation was successfull
- Throws:
CardServiceException
- any subclass of CardServiceExceptionjava.security.InvalidKeyException
- Thrown when the key is not valid or does not match the requested algorithm.CardTerminalException
- any subclass of CardTerminalException- See Also:
JCAStandardNames
-
verifySignedHash
@Deprecated public boolean verifySignedHash(PublicKeyRef publicKey, java.lang.String signAlgorithm, java.lang.String padAlgorithm, byte[] hash, byte[] signature) throws CardServiceException, java.security.InvalidKeyException, CardTerminalException
Deprecated.Not implemented- Specified by:
verifySignedHash
in interfaceSignatureCardService
- Parameters:
publicKey
- a reference to the public key on card to be used for signature validationsignAlgorithm
- standard key algorithm namepadAlgorithm
- padding algorithm name, for example one of ISO9796, PKCS#1, ZEROPADDINGhash
- The hash for which the signature should be verified.signature
- signature to be verified- Returns:
- True if signature valdidation was successfull
- Throws:
CardServiceException
- any subclass of CardServiceExceptionjava.security.InvalidKeyException
- Thrown when the key is not valid or does not match the requested algorithm.CardTerminalException
- any subclass of CardTerminalException- See Also:
JCAStandardNames
-
enumerateObjects
public byte[] enumerateObjects() throws CardTerminalException, CardServiceException
Enumerate all currently used file and key identifier.- Returns:
- Even number of bytes that compose a list of 16 bit file identifier
- Throws:
CardTerminalException
CardServiceException
-
generateRandom
public byte[] generateRandom(int length) throws CardTerminalException, CardServiceException
Request random byte values generated by the build in random number generator.- Parameters:
length
-- Returns:
- Random bytes
- Throws:
CardTerminalException
CardServiceException
-
decipher
public byte[] decipher(SmartCardHSMKey privateKey, byte[] cryptogram, byte algorithmID) throws CardTerminalException, CardServiceException
The device decrypts using the private key a cryptogram enciphered with the public key and returns the plain value.- Specified by:
decipher
in interfaceDecipherCardService
- Parameters:
privateKey
- the private SmartCardHSMKeycryptogram
-algorithmID
- one of RSA_DECRYPTION_Plain, RSA_DECRYPTION_V15 or RSA_DECRYPTION_OAEP- Returns:
- the plain value
- Throws:
CardTerminalException
CardServiceException
-
decipher
public byte[] decipher(SmartCardHSMKey privateKey, byte[] cryptogram) throws CardTerminalException, CardServiceException
The device decrypts using the private key a cryptogram enciphered with the public key and returns the plain value.- Specified by:
decipher
in interfaceDecipherCardService
- Parameters:
privateKey
- the private SmartCardHSMKeycryptogram
-- Returns:
- the plain value
- Throws:
CardTerminalException
CardServiceException
-
performECCDH
public byte[] performECCDH(SmartCardHSMKey privateKey, byte[] pkComponents) throws CardServiceException, CardTerminalException
The device calculates a shared secret point using an EC Diffie-Hellman operation. The public key of the sender must be provided as input to the command. The device returns the resulting point on the curve associated with the private key.- Specified by:
performECCDH
in interfaceDecipherCardService
- Parameters:
privateKey
- Key identifier of the SmartCardHSM private keypkComponents
- Concatenation of '04' || x || y point coordinates of ECC public Key- Returns:
- Concatenation of '04' || x || y point coordinates on EC curve
- Throws:
CardServiceException
CardTerminalException
-
verifyCertificate
public void verifyCertificate(CardVerifiableCertificate cvc) throws CardTerminalException, CardServiceException
Present a card verifiable certificate in order to establish a trusted public key in the device.
-
selectPubKeyForSignature
public boolean selectPubKeyForSignature(PublicKeyReference chr) throws OpenCardException
Manage Security Environment APDU for Certificate and Public Key Verification- Parameters:
chr
-- Throws:
OpenCardException
-
verifyCertificateChain
public void verifyCertificateChain(CardVerifiableCertificate[] chain) throws OpenCardException
Ensure that the issuer of the certificate or request in chain[0] is validated. The issuer public key is selected as result of performing chain validation- Parameters:
chain
- the list of authenticated public key (CSR), device certificate and device issuer CA certificate- Throws:
OpenCardException
-
selectPubKeyForAuthentication
public boolean selectPubKeyForAuthentication(byte[] chr) throws CardTerminalException, CardServiceException
Manage Security Environment APDU for External Authenticate- Parameters:
chr
-- Throws:
TLVEncodingException
CardTerminalException
CardServiceException
-
manageSE
public boolean manageSE(byte p1, byte p2, byte[] cdata) throws CardTerminalException, CardServiceException
Select algorithms and keys for security operations.- Parameters:
data
-- Throws:
InvalidCardChannelException
CardTerminalException
CardServiceException
-
manageSE
public void manageSE(byte[] data) throws CardTerminalException, CardServiceException
Select algorithms and keys for security operations.- Parameters:
data
-- Throws:
InvalidCardChannelException
CardTerminalException
CardServiceException
-
deriveXKEK
public void deriveXKEK(byte keyId, CardVerifiableCertificate puk) throws OpenCardException
Derive XKEK usingt the exchange key referenced by keyId and the peer public key The device certificate for validating the public key must have been selected with verifyCertificateChain() before.- Parameters:
keyId
- the key id of the EC exchange private keypuk
- the public key of the peer- Throws:
OpenCardException
-
importPublicKey
public byte[] importPublicKey(CardVerifiableCertificate cert) throws CardTerminalException, CardServiceException
Import public keys for authentication. Public keys can only be imported after initialization of the device. Once the number of different public keys defined in the INITIALIZE DEVICE command are imported, then further imports are impossible. Until all public keys are imported, public key authentication is disabled. Only ECC keys can be imported as public keys for authentication. Before importing the key, the public key used to verify the signature applied to the public key must be selected using the selectPubKeyForSignature method.- Parameters:
cert
- an Authenticated Certificate Signing Request- Returns:
- the import status as returned by the card
- Throws:
CardTerminalException
CardServiceException
-
externalAuthenticate
public boolean externalAuthenticate(byte[] signature) throws CardTerminalException, CardServiceException
Public Key Authentication is the mechanism by which an external entity can use its private key to authenticate. Public key authentication is an alternative to user authentication using the PIN. Public key authentication is the basis for n-of-m authentication, which requires that n of the previously register m public keys have performed the authentication procedure within the current session. The external entity needs to obtain an 8 byte challenge, and sign the concatenation of device id and the challenge. The device id must be extracted from the CHR field of the device certificate.- Parameters:
signature
- over the concatenation of the device id and an 8 byte challenge- Returns:
- true is authentication successful
- Throws:
CardTerminalException
CardServiceException
-
generalAuthenticate
public byte[] generalAuthenticate(byte[] data) throws CardTerminalException, CardServiceException
The GENERAL AUTHENTICATE command allows the terminal to perform an explicit authentication of the device and agree secret session keys KS_ENC and KS_MAC for secure messaging.- Parameters:
data
- the dynamic authentication data template- Returns:
- Dynamic Authentication Template
- Throws:
CardTerminalException
CardServiceException
-
deriveSymmetricKey
public byte[] deriveSymmetricKey(byte keyId, byte algo, byte[] data) throws CardTerminalException, CardServiceException
Use the secret key referenced in keyId to derive a secret using the algorithm selected in algo and the derivation parameter in data- Parameters:
keyId
- the secret key idalgo
- the derivation algorithmdata
- the derivation data- Returns:
- Throws:
CardTerminalException
CardServiceException
-
getAliases
public java.util.Vector<java.lang.String> getAliases() throws OpenCardException, java.security.cert.CertificateException, TLVEncodingException
Return a Vector containing all aliases that are used on the SmartCardHSM.- Returns:
- Vector of aliases
- Throws:
TLVEncodingException
java.security.cert.CertificateException
OpenCardException
-
addKeyToMap
public void addKeyToMap(SmartCardHSMKey key)
Add a new key to the map of keys- Parameters:
key
- the SmartCardHSMKey
-
addCertToMap
public void addCertToMap(java.security.cert.Certificate cert, boolean isEECertificate, byte id, java.lang.String label)
Add a certificate to the map- Parameters:
cert
- the certificateisEECertificate
- true for EE certificates, false for CA certificatesid
-label
-
-
removeEntry
public void removeEntry(java.lang.String label) throws CardServiceException, CardTerminalException, CardIOException
Remove an entry both from map and card.- Parameters:
label
-- Throws:
CardServiceException
CardTerminalException
CardIOException
-
renameEntry
public void renameEntry(java.lang.String oldlabel, java.lang.String newlabel) throws CardServiceResourceNotFoundException
-
containsLabel
public boolean containsLabel(java.lang.String label) throws OpenCardException
Check if the label exists.- Parameters:
label
- the key label- Returns:
- true if label is available
- Throws:
OpenCardException
-
getSmartCardHSMEntry
public SmartCardHSMEntry getSmartCardHSMEntry(java.lang.String label)
Get a Entry object- Parameters:
label
-- Returns:
- SmartCardHSMEntry
-
addKey
public SmartCardHSMKey addKey(byte kid) throws OpenCardException
Add a key from device including a certificate- Parameters:
kid
- the key id- Throws:
OpenCardException
-
determineFreeCAId
public byte determineFreeCAId() throws OpenCardException
Determine an unused CA identifier- Returns:
- a free CA identifier or -1 if all identifier in use
- Throws:
TLVEncodingException
java.security.cert.CertificateException
OpenCardException
-
determineFreeKeyId
public byte determineFreeKeyId() throws OpenCardException
Determine an unused key identifier- Returns:
- a free key identifier or -1 if all key identifier in use
- Throws:
OpenCardException
-
storePRKD
public void storePRKD(byte kid, KeyDescription prkd) throws CardServiceException, CardTerminalException, CardIOException
Store the private key description on the card
-
getKeyDomains
public java.util.List<KeyDomain> getKeyDomains() throws OpenCardException
- Throws:
OpenCardException
-
deleteKeyDomain
public boolean deleteKeyDomain(KeyDomain kd) throws OpenCardException
- Throws:
OpenCardException
-
sendCommandAPDU
public ResponseAPDU sendCommandAPDU(CardFilePath path, CommandAPDU com, int usageQualifier) throws CardServiceException, CardTerminalException
Description copied from interface:FileSystemSendAPDU
Send APDU making sure that the object referenced by path is selected- Specified by:
sendCommandAPDU
in interfaceFileSystemSendAPDU
- Parameters:
path
- the DF which should be the active DF for this APDUcom
- the command APDUusageQualifier
- a combination of SecureChannel.CPRO / CENC / RPRO / RENC to control the transformation of the APDU for secure messaging. Use 0 for plain transmission.- Returns:
- Response APDU the response from the card
- Throws:
CardServiceException
CardTerminalException
-
getTrustStore
public TrustStore getTrustStore()
-
getDevAutPK
public java.security.interfaces.ECPublicKey getDevAutPK() throws CardServiceException, CardTerminalException, java.security.cert.CertPathBuilderException
- Throws:
CardServiceException
CardTerminalException
java.security.cert.CertPathBuilderException
-
getChangeReferenceDataDialog
public ChangeReferenceDataDialog getChangeReferenceDataDialog()
-
setChangeReferenceDataDialog
public void setChangeReferenceDataDialog(ChangeReferenceDataDialog dialog)
-
update
public void update(java.lang.String url, java.lang.String sessionId, RemoteNotificationListener notificationListener) throws CardServiceException
Description copied from interface:RemoteUpdateService
Update the card by obtaining command APDUs from a remote administration server.- Specified by:
update
in interfaceRemoteUpdateService
- Parameters:
url
- the url of the remote administration serversessionId
- the session Id to be included as JSESSION cookie or nullnotificationListener
- the listener receiving notifications from the server or null- Throws:
CardServiceException
-
cancel
public void cancel()
Description copied from interface:RemoteUpdateService
Cancel pending request- Specified by:
cancel
in interfaceRemoteUpdateService
-
setHttpURLConnectionFactory
public void setHttpURLConnectionFactory(HttpURLConnectionFactory factory)
Description copied from interface:RemoteUpdateService
Set an HttpURLConnectionFactory which creates preconfigured HttpURLConnections- Specified by:
setHttpURLConnectionFactory
in interfaceRemoteUpdateService
-
-