Using the PKI host application with PKIApplet on the A40CR card
Posted: Fri Jan 29, 2016 2:50 am
This PKI host application only communicates on the contact interface of the A40CR card.
Preparation:
Using the A40CR card to create a PKI card
Load certificates from A40CR card
Preparation:
1. First, install JCIDE to configure Java Runtime Environment 1.8.
2. Use pyApdutool to download the PKIApplet into the A40CR card, then install and select the applet.
3. Go to the "lib" folder in your terminal/prompt window and enter "java -jar pkihost.jar" to start the PKI host application.
Using the A40CR card to create a PKI card
1. Remove and reinsert the A40CR card to reconnect. The PKI host will automatically connect to the A40CR card.
2. Fill in the data in the first tab (Private Init tab). You need to load the three private keys and the four certificates. You can use the key files provided in the ".\javacardsign\files" folder.
Note:
>> The PUC has to be 8 bytes long. The PUC code lets you unblock a forgotten PIN code.
>> Setting the historical bytes of the ATR is optional.
3. Use the "View" button to view the information of a certificate or private key.
4. Click "Initialize Applet", and all the required data will be written to the A40CR card (see figure 001).
5. Once the applet has been initialized successfully, the PKI card has been created and is ready to use.
Note: The PKI card stores three user certificates, one CA certificate that was used to sign the user certificates, and three corresponding user private keys, one each for authentication, signing, and decryption.
- In the 'User Administration' tab, you can set a PIN for this PKI applet. Once the PIN is set, you must enter it for verification before the decrypt and sign operations that follow.
Load certificates from A40CR card
- In the certificates tab you can load all the certificates from the card and view them. This is necessary for the operations performed later on, such as encryption, decryption, signature and authentication. The user certificates in our PKI applet are protected by a PIN, so you will be asked for it every time.
Note:
If you don't load these certificates, the following operations will report "No User Decipher Certificate loaded".
1. In the "Decrypt" tab you can encrypt and decrypt any data.
Click the "Encrypt Text..." or "Encrypt File..." button to have the PKI host encrypt the data. After the encryption succeeds, press the "Decrypt" button to decrypt the data, which will appear in the "Result" box. During this process you will be asked for a PIN (see figure 002).
Note: The text/file is encrypted to cipher text by the PKI host application, and the cipher text is decrypted to plain text by the A40CR card with the PKI applet.
2. The "Signature & Authentication" tab works in a similar way.
Select the signature/encryption algorithm with the radio buttons, and enter the data to be signed or encrypted in the "Data to be signed/encrypted" input box. Click the "Sign" button to sign/encrypt the data. The result will appear in the "Signature" box (see figure 003).
Here you can also verify the signature using the card's certificate.
3. The "Challenge" tab can be used to get a challenge of any length generated by the PKI card. This challenge can be used as the data to be signed in the signature tab.
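
The split of work described above (the host uses only public keys, while the card keeps the private keys and checks the PIN before using them) is sketched below as an added example; it is not code from pkihost.jar or the PKIApplet. `SoftCard` is a hypothetical software stand-in for the card, no APDUs are exchanged, and the PIN, sample text and the algorithms (SHA256withRSA, RSA with PKCS#1 v1.5 padding) are assumptions, since the post does not name the ones offered by the radio buttons.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.Cipher;
public class PkiFlowDemo {
    static class SoftCard { // hypothetical stand-in: private keys never leave this class
        private final KeyPair signKey, decKey;
        private final byte[] pin;
        SoftCard(byte[] pin) throws GeneralSecurityException {
            KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
            g.initialize(2048);
            signKey = g.generateKeyPair();   // signing key pair
            decKey = g.generateKeyPair();    // separate decryption key pair
            this.pin = pin.clone();
        }
        PublicKey signPub() { return signKey.getPublic(); } // what a certificate would carry
        PublicKey decPub() { return decKey.getPublic(); }
        byte[] challenge(int n) { byte[] c = new byte[n]; new SecureRandom().nextBytes(c); return c; }
        byte[] sign(byte[] pin, byte[] data) throws GeneralSecurityException {
            if (!MessageDigest.isEqual(this.pin, pin)) throw new SecurityException("wrong PIN");
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initSign(signKey.getPrivate());
            s.update(data);
            return s.sign();
        }
        byte[] decrypt(byte[] pin, byte[] ct) throws GeneralSecurityException {
            if (!MessageDigest.isEqual(this.pin, pin)) throw new SecurityException("wrong PIN");
            Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
            c.init(Cipher.DECRYPT_MODE, decKey.getPrivate());
            return c.doFinal(ct);
        }
    }
    static boolean verify(PublicKey k, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(k);
        v.update(data);
        return v.verify(sig);
    }
    public static void main(String[] args) throws Exception {
        byte[] pin = "1234".getBytes(StandardCharsets.US_ASCII);   // constructed PIN
        SoftCard card = new SoftCard(pin);
        Cipher enc = Cipher.getInstance("RSA/ECB/PKCS1Padding");   // host side: public key only
        enc.init(Cipher.ENCRYPT_MODE, card.decPub());
        byte[] ct = enc.doFinal("constructed sample text".getBytes(StandardCharsets.UTF_8));
        System.out.println("decrypted: " + new String(card.decrypt(pin, ct), StandardCharsets.UTF_8));
        byte[] ch = card.challenge(16), sig = card.sign(pin, ch);  // card signs its own challenge
        System.out.println("signature valid: " + verify(card.signPub(), ch, sig));
        ch[0] ^= 1;                                                // altered data must not verify
        System.out.println("altered data valid: " + verify(card.signPub(), ch, sig));
    }
}
```

With a real card the host would take the public keys from the certificates loaded in the certificates tab instead of from the stand-in object.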