How can I check the validity of a certificate on a Java card?
I know how to validate certificates using Java, but I don't know how to do it in a java map due to the limitations of the Java APIs (no java.io/ other classes, only javacard APIs + Object + Throwable are allowed).
I have not found a javacard compatible library for certificates. Did I miss something?
I need to check that the certificate is signed by the CA and also check the validity of the certificate.
source to share
Usually, certificate validation is a tough job for a smart card. These certificates are often larger than the 2KiB size. While these are peanuts for general-purpose PCs, they are not for smart cards, in which high-end cards often only include 8KB of RAM. And what's shared between the OS, the crypto APDU buffer coprocessors and of course your applet.
There is another problem: usually a smart card does not contain a watch. This makes it difficult to verify that the certificate is valid for the duration; basically you want a reliable way to save time.
Then there is the fact that certificate validation often uses CRL or OCSP to check the status of the certificate. As you can imagine, performing OCSP lookups or even just parsing CRLs is not easy on such a limited platform.
Verifying the CA signature over a certificate is certainly possible if you program it wisely. But in general, Verifiable Card Certificates (CVC or CV Certificates) . These are "flattened" certificates with fewer rings and whistles, and are easier to disassemble in a smart card.
Using the start date of new, verified certificates, you can use some sort of date ratchet where the watch is updated using the date in the certificates themselves. But keep in mind that you still won't be able to detect outdated certificates if the new certificates haven't been validated for a while. CV certificates do not usually use CRLs, so you will either have to trust each certificate or you may need to blacklist some certificates if and when they are compromised.
While there is a bit more support in the Java Card Connected version, I don't think it will help you at all, as the linked edition is rarely seen in the wild.
The original specifications for CVC can be found in ISO / IEC 7816-8: Identity Cards - Integrated Circuit Cards - Part 8: Commands and Mechanisms for Security Operation , Appendices A and B. Note that this standard is subject to a charge .
ICAO eMRTD and BSI TR 03110 also define these types of certificates, so you would be better off using any certificate specifications if you like free software.
source to share