Open Source Smart Card Operating Systems for Smartcards

Java Card™

Sun is in the smart-card business by virtue of its Java programming language, which can be overlaid on any computer operating system. Java became the language of choice when the U.S. Government Services Authority (GSA) specified in its smart-card contract that an open architecture be used. This was so the government could choose several vendors while ensuring the products could operate together.

Java Card™ technology permits the development of smart card applications in the well-known Java™ programming language. This combines the merits of Java™ technology such as platform independence, easy code maintenance, productivity and tool availability with the outstanding benefits of smart cards, e.g. security, portability and one-to-one personalisation.

Sun Microsystems JavaCard website

Open source smart card developer resources links from Gemplus.

PC/SC (personal computer/smart card)

For Microsoft platforms, the preferred interface is PC/SC (personal computer/smart card). Generic PC/SC support is built in all recent Microsoft Windows versions.

The Interoperability Specification for ICCs and Personal Computer Systems (PC/SC) has been developed to ease the introduction of smart cards into the world of PCs. The main advantage of PC/SC is that applications do not have to be aware of the details regarding the smart card reader in order to communicate with the smart card. Moreover, the application can function with any reader complying with the PC/SC standard.

Gemplus PC/SC info

OpenCard Framework

OCF, the OpenCard Framework is a standard Java framework for working with Smart Cards.

OpenCard Framework is Java in the computer or terminal talking to the smartcard, JavaCard is a special, stripped-down version of Java that runs on the smartcard itself. Java applications running on the PC can use OpenCard to access JavaCard smartcards and standard smartcards. If you want to write Java applets (also known as cardlets) to run on the smartcard itself, you have to use a smartcard which is compliant with the JavaCard standard. One exception to this is MULTOS. MULTOS now offers the ability to write your applications in Java and then cross compile them into MEL prior to loading onto the MULTOS smart card. In this case you are not using a true Java Card according to the Java Card Specifications.

The general view on the relationship between the OCF and PC/SC standardization efforts is such that these efforts are considered complementary rather than competing - complementary with respect to the scope of their objectives as well as to the environments in which they will be deployed. In view of the fact that, in a broad sense, they both address the communication of computing devices and smartcards, some overlapping between them seems only natural.

Besides PCs, many systems ( (e.g. a POS terminal, set-top box, or a smart phone) that use smartcards today do not currently run Windows NT/95 and will, for various reasons (e.g. resource requirements) probably not do so in the future. Smartcard solutions developed for those systems currently only have two choices, they can either be tailored in an inflexible way to a given reader and card or they can be based on the Java platform and make use of OCF.

OpenCard Framework Website

OpenCard FAQ

Sourceforge OpenCard Project Forum

Gemplus OpenCard Information page.

OpenCard Smart Card Java Developers Manual

Visa Open Platform Terminal API

To hasten worldwide smartcard acceptance, Visa is currently working on an Open Platform Terminal API. This API enhances software development for smartcard acceptance. This API is not in competition but complementary to similar industry initiatives such as PC/SC and OpenCard Framework. Either one of these initiatives- PC/SC and OpenCard- are focusing on specific target platforms. The Visa Open Platform Terminal API is being developed having a wide range of devices in mind such as PC's, NC's, and EFT/POS, etc. The API and services offered by PC/SC and OpenCard can be utilized by Visa Open Platform Terminal API if available in the environment.

MUSCLE - Movement for the Use of Smart Cards in a Linux Environment

MUSCLE is a project to coordinate the development of smart cards and applications under Linux. The purpose is to develop a set of compliant drivers, API's, and a resource manager for various smart cards and readers for the GNU environment. Source code is now available which supports the Schlumbeger Reflex 60 line of reader and all ISO-7816-4 compliant smart cards.

Their goal is to promote smart card and cryptographic support for Unix based operating systems. Drivers for PCSC-lite for Linux, Solaris, MAC OS X and others. With the MuscleCard Applet or Cryptoflex you can begin using smartcards on over 7 platforms.

Their downloadable framework gives you everything you need to use smartcards across multiple platforms. In the package you will find management utilities, PKCS#11 support for SMIME, SSL authentication.

One software package includes everything you need to start using smartcards on a variety of platforms, including PKCS#11 support, smartcard authentication with PAM, and card administration. Start signing, encrypting, and authenticating with your smartcard with this easy to use package.

Another program with a complete installer comes with everything you need to get working with MuscleCard on Windows based platforms. Comes with a CSP for doing Windows Login, email signing/decryption, and web authentication. Applet loading and management for several Java Cards and PKCS#11 support too.

MuscleCard is a part of the MUSCLE project (Movement For The Use Of Smart Cards In A Linux Environment). MuscleCard defines an API for accessing smart card services through MuscleCard Plug-Ins, which implement the actual functionality for a set of cards. With MuscleCard you get a powerful key and object storage solution on smart cards with cryptographic functionality which can be used for a wide range of applications like logon purposes or document signatures.

MuscleCard Article

MuscleCard Files

OpenPGP Card - The OpenPGP Card from G10code in Germany is a specification of an ISO 7816-4,-8 compatible smartcard and also an actually available implementation of this specification as a standard sized card.

Features of this card are:

* 3 independent 1024 bit RSA keys (signing, encryption, authentication).
* Key generation on card or import of existing keys.
* Signature counter.
* Data object to store an URL to access the full OpenPGP public key.
* Data objects for card holder name etc.
* Data object for login specific data.
* Length of PIN between 6 and 254 characters; not restricted to numbers.
* T=1 protocol; compatible with most readers.
* 40mm * 10mm sized writable field on the front matter.
* Specification freely available and usable without any constraints.
* Reasonably priced.

GNU Privacy Guard - GnuPG is a complete and free replacement for PGP. Because it does not use the patented IDEA algorithm, it can be used without any restrictions. GnuPG is a RFC2440 (OpenPGP) compliant application.

Functional Specification of the OpenPGP Application on ISO Smart Card Operating Systems - PDF

This functional specification describes the OpenPGP application based on the functionality of ISO smart card operating systems. In principle it defines the interface of the application between card and terminal, in this context the OpenPGP software with a standard card reader on PC/SC basis.

The solution takes care of

· use of international standards,
· avoiding of patents,
· free usage under GNU General Public License,
· independence from specific smart card operating systems (second source),
· easy enhancement for future functionality,
· international use.

Consequently this specification does not deal with the description of the global commands and data fields of the card, the security functions generally provided by the card, any features that apply to more than one application, such as transmission protocols, nor with the description of the general mechanical and electrical characteristics of the card.

In particular, the specification provides a detailed description of the data objects directly related to the applications and their respective content formats. Contents of the application data are only prescribed if they represent a constant factor of the application.

The encoding values mentioned in the specification are stated in hexadecimal form, unless otherwise indicated.

The OpenPGP application is designed to run under several ISO compatible card operating systems. So the application can be developed on several chips and from different manufacturers.

How To OpenPGP Card - screenshots of experimental use.

opensc-project.org Home of open source smart card solutions

OpenSC
With OpenSC you can use many smart cards on Linux, Mac OS X and Windows. OpenSC supports many national signature cards as well as blank smart cards. With an PKCS#11 interface many applications can use opensc right out of the box.

OpenSC provides a set of libraries and utilities to access smart cards. Its main focus is on cards that support cryptographic operations, and facilitate their use in security applications such as mail encryption, authentication, and digital signature. OpenSC implements the PKCS#11 API so applications supporting this API such as Mozilla Firefox and Thunderbird can use it. OpenSC implements the PKCS#15 standard and aims to be compatible with every software that does so, too.

	OpenCT While OpenSC for cards is, OpenCT is for card readers. OpenCT implements drivers for many card terminals, smart card readers, and usb crypto tokens. OpenCT can be used as CT-API or PC/SC Ifdhandler driver, but also directly.
Windows Installer SCB Smart Card Bundle - SCB is our binary installer package for Windows. It contains OpenSC, OpenSSL, Putty, Engine_pkcs11, and additional components needed to use smart cards under windows.	Pam PKCS#11 Pam PKCS#11 is a fully featured pam authentication module allowing login with smart cards and full verification of the card data - using certificate chains, certificate revocation lists, LDAP, Active Directory, Kerberos.
Apple Mac OS X Installer SCA Smart Card software for Apple Mac OS X - SCA is our binary installer package for Mac OS X. It contains OpenSC and an Token Daemon for use with native Mac OS X applications. It also comes with a version of OpenSSH with smart card support.	Pam P11 Pam P11 is a very simple pam authentication module for use with smart cards. However it only knows about plain simple files with keys or certificates. Perfect for the small and simple setup.
OpenSSL PKCS#11 Engine With this "engine" plugged into OpenSSL applications can make use of smart cards with no changes or only little changes needed.	Libp11 A small library for using PKCS#11 modules in an easy way.
GTK Card A simple GUI application for using smart cards.	OpenSC-Java Integration of smart cards into Java-1.5 or later

PKCS #11 PAM Login Module

This Linux-PAM login module allows a X.509 certificate based user login. The certificate and its dedicated private key are accessed by means of an appropriate PKCS #11 module. For the verification of the users' certificates, locally stored CA certificates as well as either online or locally accessible CRLs are used.

Detailed information about the Linux-PAM system along with the specification of the Cryptographic Token Interface Standard (PKCS #11) is available.

The PKCS #11 modules must full-fit the requirements given by the RSA Asymmetric Client Signing Profile, which has been specified in the PKCS #11 Conformance Profile Specification by RSA Laboratories.

PAM-PKCS#11 is a PAM ( Pluggable Authentication Module ) (updated version) plug-in which allows someone to login into a UNIX/Linux System that supports PAM by means of a Digital Certificates stored in a SmartCard.

To do this, a pkcs11 library is needed to access the Cards. Details on how certificates are stored/retrieved, etc are hidden to pam-pkcs11 and handled by the pkcs11 library. This allows independence of the module on an specific card PKCS #11 Module.

User matching approves the ownership of a certificate is to allow the owner of a certificate to login as a particular user.

OpenSC-Ceres pkcs11 Library - a derived work from OpenSC for Spanish CA Ceres Smart Cards

OpenSC API Reference Guide - Open Smart Card project coverage of Initialization, File Operations, ASN.1 Functions, Data Types.

OpenSC Project Supported cards

* Finnish FINEID (SetCOS)
* Swedish Posten eID (SetCOS)
* Cryptoflex 16k and 8k
* GPK 4K, 8K, 16K
* USB tokens based on CardOS/M4, such as Aladdin eToken PRO, etc.
* MioCOS 1.1
* TCOS 2.0
* Starcos SPK 2.3 (e.g. Rainbow iKey 3000)
* Micardo 2.1
* Oberthur AuthentIC
* OpenPGP 1.0
* JCOP 31bio
* Estonian ID card, EstEID (Micardo 2.1)

Builtin PKCS#15 initialization is supported for the following cards

* CryptoFlex 8K, 16K
* GPK 4K, 8K, 16K
* CardOS M4.00, M4.01a
* Starcos SPK 2.3
* JCOP 31bio
* MioCOS 1.1

Cryptoflex e-gate also work just fine, and the regular Cryptoflex 32K will probably work equally well.

Axalto sells the cards in packs of five for about $100, at www.scmegastore.com

Builtin PKCS#15 emulation is supported for the following non-PKCS#15 cards

* OpenPGP 1.0
* EstEID
* StarCert V2.2
* Italian Infocamere card (type 1202 and 1203)
* TeleSec NetKey
* Italian Postecert card

Note: the current PKCS#15 emulation support offers only a read-only access the card.

Open Signature

OpenSignature is an open source project for the digital signature of documents. It works with all cards supported by OpenSC and focuses on adding support for cards from accredited Italian CAs. The goal of the project is to provide a first single product capable of supporting cards from multiple vendors/countries. This contrasts the approach taken by card vendors/providers whose software follows an exclusive single-vendor approach. OpenSignature thus attempts to make a major contribution to interoperability in the digital signature domain and aims to greatly facilitate the setup of public access points that are currently the objective of several projects in Italy. Moreover, we hope that the peer-review of the open source approach will allow us to at least match the security level of competing single-card software.

OpenCT: 0.6.10 - From the Open Smart Card Project.