OpenSC (including initialization) works with JavaCards if you have a supported applet on the card. OpenSC 0.11.2 and later support the open source MuscleApplet which can be loaded to virtually any blank JavaCard.
!JavaCards can come in different flavors: empty (preferred), pre-loaded with an applet in EEPROM, with an applet in ROM, with a pre-loaded applet in a finalized state (applets can’t be deleted or added). Some cards, for example older IBM JCOP or older Cyberflex, come pre-loaded with a filesystem (PKCS#15) applet, which are of no interest in the broader context of JavaCards.
The core of OpenSC is a bunch of card drivers, both read-only drivers as well as PKCS#15 initialization drivers. It is important to realize, that all of the initialization drivers target a single card (usually proprietary) which is closely tied to the card vendor. Open source is all about providing options and being tied to a card vendor (even if the card comes with good documentation) has the same advantages and disadvantages as some popular binary-only display drivers provided by the vendor: it is not possible to change the way the card behaves. Therefore it is admirable to have open source code both inside the card and on the host computer and use JavaCards.
The main difference between “native” cards and JavaCards is the requirement to install the proper application to the card before continuing with OpenSC, which has historically been a somewhat complicated procedure and what this page tried to demystify.
List of applets OpenSC supports (can be read-only and locked cards):
- [[SmartCardHsm|SmartCardHSM]]
- [[MyEID|Aventra-MyEID-PKI-card]]
- [[Oberthur|Oberthur-AuthentIC-applet-v2.2]]
- [[MuscleApplet|Muscle-applet]]
Things to consider when buying JavaCards
- EEPROM size. 32K, 64K, 72K and 128K sizes are common. Bigger is better.
- JavaCard version: 2.1.1, 2.2.1, 2.2.2. Older API versions don’t support fancier features. Bigger is better.
- GlobalPlatform version: 2.0.1 and 2.1.1. GP deals with loading applets onto cards, choose 2.1.1 whenever possible.
| Card | JavaCard | !GlobalPlatform | Notes | Where to buy |
| OberthurCosmo v7 | 2.2.2 | 2.1.1 | FIPS doc | Smartcard Focus |
| Cyberflex Access 32k e-gate | 2.1.1 | 2.0.1 | Requires captransf.jar | ? |
| Cyberflex Access v2 64K | 2.2.1 | 2.0.1 | Requires captransf.jar | ? |
| RSA SID800 TOTP USB hw authenticator 64k | 2.1.1 | 2.0.1 | does not work; PKCS#11 and MSCAPI, ANSI X9.31 PRNG, DES/3DES and RSA 1024 bit, SHA-1 | ? |
For now, only MuscleApplet open source applet is supported with OpenSC
After you have fetched a suitable applet for your card (pay attention to JavaCard version and card peculiarities like Cyberflex cards), you need to load the software to the card. Here’s how to do it.
A GlobalPlatform compliant software is needed for loading the applet to the card. Card vendors also provide tools for loading applets but also open source alternatives exist, what is covered here.
- GPJ which is in Java (cross-platform) and easier to use than gpshell. A version of gpj.jar is also attached to this page. NB! You need Java 1.6+ to use this software!
- GlobalPlatform C library + GPShell is a library and shell written in C (requires compilation) and has a more powerful but also harder to use interface.
- http://code.google.com/p/gpcomm/ (maybe useful for developers)
If unsure, GPJ should work for most recent cards and is easier to use, thus the following examples use GPJ.
List the current contents of the smart card
$ java -jar gpj.jar -list
Found terminals: [PC/SC terminal OmniKey CardMan 3821 00 00]
Found card in terminal: OmniKey CardMan 3821 00 00
ATR: 3B DB 18 00 80 B1 FE 45 1F 83 00 31 C0 64 C7 FC 10 00 01 90 00 FA
AID: A0 00 00 01 51 00 00 |....Q..| ISD LC: 1 PR: 0x9E
$ java -jar gpj.jar -list
Found terminals: [PC/SC terminal OmniKey CardMan 3821 00 00]
Found card in terminal: OmniKey CardMan 3821 00 00
ATR: 3B DB 18 00 80 B1 FE 45 1F 83 00 31 C0 64 C7 FC 10 00 01 90 00 FA
AID: A0 00 00 01 51 00 00 |....Q..| ISD LC: 1 PR: 0x9E
AID: A0 00 00 00 03 53 50 |…..SP| ExM LC: 1 PR: 0×00
A0 00 00 01 51 00 00 |….Q..|
A0 00 00 00 03 53 50 41 |…..SPA|
A0 00 00 00 03 00 00 |…….|
Load and install as the default applet MuscleApplet CAP file and list the contents of the card:
$ java -jar gpj.jar -load CardEdge.cap -install -priv 4 -list Found terminals: [PC/SC terminal OmniKey CardMan 3821 00 00] Found card in terminal: OmniKey CardMan 3821 00 00 ATR: 3B DB 18 00 80 B1 FE 45 1F 83 00 31 C0 64 C7 FC 10 00 01 90 00 FA AID: A0 00 00 01 51 00 00 |....Q..| ISD LC: 1 PR: 0x9AAID: A0 00 00 00 01 01 |……| App LC: 7 PR: 0×04
AID: A0 00 00 00 03 53 50 |…..SP| ExM LC: 1 PR: 0×00
A0 00 00 01 51 00 00 |….Q..|
A0 00 00 00 03 53 50 41 |…..SPA|
A0 00 00 00 03 00 00 |…….|
AID: A0 00 00 00 01 |…..| ExM LC: 1 PR: 0×00
A0 00 00 00 01 01 |……|
As you can see, a new AID is available on the card (A0 00 00 00 01 01) which is also the default selected applet.
Open source applets possibly usable (with some work) with OpenSC:
- CoolKey Applet (MuscleApplet fork): http://directory.fedoraproject.org/wiki/CoolKey#CoolKey_Java_Applet
- JavaCardSign PKCS#15 applet: http://sourceforge.net/projects/javacardsign/
- [[OpenPGP|OpenPGP-card]] applet: http://sourceforge.net/projects/jopenpgpcard/ (and a somewhat matching javax.smartcardio GUI http://sourceforge.net/projects/javaopenpgpcard/))
Other interesting applets: - MRTD (biometric passport) applet, from JMRTD: http://sourceforge.net/projects/jmrtd/
- Trusted Execution Module prototype (related paper)
- PLAID (explanation)
- ISO18013 driving license applet
- Wiki in JavaCard
- .be eID emulation
- Web server in Java Card