Thanks for your answer, Mohammed. I am doing my tests with GPK 4000 and GPK
8000 cards. GPK 4000 has 6 manuals full of instructions, but this looks
much like assembly programming. Do I have to assemble APDUs to send to the
card myself or are there any ready calls in OCF that I can use to generate
keys, get public key out of the card, store certificates inside the card
and sign data? Also, I am a little confused by the file naming scheme. Are
there any well-known file names under which I should store my certificate
or is it just a matter of conventioning some file for my application? I
have read the manuals for GPK and they talk about master file, dedicated
files and elementary files, and these can be of various types.
Could you clarify this some more to me?
Regards,
Douglas
[EMAIL PROTECTED]
06/10/2000 04:01
To: Douglas Atique/BR/ABNAMRO/NL@ABNAMRO
cc: [EMAIL PROTECTED]
Subject: RE: [OCF] Certificate requests
Please see my reply below. All the card related explanations are for GPK...
Warm Regards
----------
Trust, but verify.
- Anonymous
>-----Original Message-----
>
>Hi, folks.
>I am new to OCF and smart cards, but I already have a big assignment on them. I
>am trying to devise a process in which a client receives an empty smart card and
>"initializes" his/her card through the Internet on a server. The idea is that a
>web page downloads an applet on the client and the applet generates (or asks the
>card to generate) a key pair (if the card generates it, better)
Possible. You can use OCF and GPK card to achieve this. The card has the capability to
generate keys 'onboard'.
>and the applet generates a PKCS#10 CSR (certificate signing request) and
>sends it to the server to sign. Then the server signs it and returns a complete
>certificate that the applet asks the card to store.
>The problem is, the Java 1.2.2 APIs don't seem to have anything similar to a CSR
>class or generator. I think I saw something about a sun.security package that
>would have it. Also keytool can do it on a command line, but I would rather do
>it inside the applet. I am coming to the conclusion that I will have to create a
>CSR "by hand", i.e. following the PKCS#10 recipe, and ASN.1 DER seems so complicated!
Yeah! You have to weave it (the CSR) by hand. There are a few ASN.1 libraries available
using which you can do it but yeah! it is tedious, I have tried
it. I succeeded in sending a request and obtaining a certificate, but I got stranded
in signing some data ;-).
If you are looking for libraries, you can try the one which I used, and which can be
obtained from
http://www.forge.com.au/products/crypto/forge-1_32.zip. I will leave the license
aspects to yourselves.
If you are looking for info on ASN.1 DER codings, a nice way to start is to read the
docs
(1) A Layman's Guide to a Subset of ASN.1, BER, and DER
(2) Some Examples of the PKCS Standards
from RSA which are very helpful.
>Any help appreciated. Also please point out any security flaws anyone sees in the
>process.
>Regards,
>Douglas
>
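Added example, not part of the original thread: a sketch of what building the PKCS#10 request "by hand" involves at the DER level, written in Python for brevity (the byte layout is the same whatever language the applet uses). The function names, the constructed modulus, the placeholder signature and the default signature algorithm OID are assumptions made for illustration; in the process discussed above, the bytes returned by `csr_info` are what the card would be asked to sign.

```python
# Added example: DER encoding of a PKCS#10 request by hand (not code from the thread).
def tlv(tag, content):
    """Tag-length-value with DER's definite, minimal length octets."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def integer(v):
    """Non-negative INTEGER; a leading 0x00 appears when the top bit is set."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]              # last base-128 digit, high bit clear
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += bytes(chunk)
    return tlv(0x06, body)

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def bit_string(data):
    return tlv(0x03, b"\x00" + data)      # 0x00 = no unused bits

NULL = b"\x05\x00"

def csr_info(common_name, modulus, exponent):
    """CertificationRequestInfo: exactly the bytes the card's key must sign."""
    rdn = tlv(0x31, seq(oid("2.5.4.3"), tlv(0x0C, common_name.encode("utf-8"))))
    spki = seq(seq(oid("1.2.840.113549.1.1.1"), NULL),   # rsaEncryption
               bit_string(seq(integer(modulus), integer(exponent))))
    return seq(integer(0), seq(rdn), spki, tlv(0xA0, b""))  # [0] empty attributes

def csr(info, signature, sig_alg="1.2.840.113549.1.1.11"):  # sha256WithRSAEncryption
    """CertificationRequest; sig_alg must name what the card really used."""
    return seq(info, seq(oid(sig_alg), NULL), bit_string(signature))

if __name__ == "__main__":
    n = (1 << 1023) | 1                   # constructed stand-in for a card modulus
    info = csr_info("Test Holder", n, 65537)
    print(csr(info, b"\x00" * 128).hex())  # placeholder signature, not a real one
```

The server should verify the request's signature against the embedded public key before issuing, since that check is the only proof that the requester holds the private key on the card.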
---
> Visit the OpenCard web site at http://www.opencard.org/ for more
> information on OpenCard---binaries, source code, documents.
> This list is being archived at http://www.opencard.org/archive/opencard/