Home

Awesome

SmartPGP applet

SmartPGP is a free and open source implementation of the OpenPGP card 3.4 specification in JavaCard.

The main improvement introduced in OpenPGP card 3.x specification from previous version is the support of elliptic curve cryptography with several existing curves (NIST P-256, NIST P-384, NIST P-521, brainpool p256r1, brainpool p384r1 and brainpool p512r1).

Features

The following features are implemented at the applet level, but some of them depend on underlying hardware support and available (non-)volatile memory resources:

Default values

The SmartPGP applet is configured with the following default values:

These values can be changed by modifying default values in the code (see the Constants class).

When the applet is installed, one can use the smartpgp-cli utility given in the bin directory to change these values. Keep in mind that when you change the algorithm attributes of a PGP key or of the secure messaging key, the key and the corresponding certificate are erased. Also note that hard coded default values will be restored upon a factory reset.

Compliance with OpenPGP card 3.4 specification

The SmartPGP applet implements the complete OpenPGP card 3.4 specification, except the secure messaging related features:

Application support

Tokens following the OpenPGP card 3.4 specification are not yet fully supported by most PGP applications.

GnuPG

OpenPGP card 3.x is supported by GnuPG starting from version 2.1.16.

The specific secure messaging of the SmartPGP applet is not supported at is not part of the OpenPGP card specification.

OpenKeychain

OpenPGP card 3.x is supported by OpenKeychain starting from version 4.2.

The secure messaging of the SmartPGP applet is fully supported in OpenKeychain. See the section below for more information on the setup process.

Content of the repository

The repository contains several directories:

Build and installation instructions

Prerequisites

Importing RSA keys above 2048 bits (3072 or 4096 bits)

The size of the internal buffer is set by default to a value that permits to import RSA 2048 bits. If your card is able to deal with RSA keys of 3072 or 4096 bits and you want to be able to import such keys, then you need to adjust the size of this buffer:

Reducing flash and/or RAM consumption

The applet allocates all its data structures to their maximal size at installation to avoid as much as possible runtime errors caused by memory allocation failure. If your device does not have enough flash and/or RAM available, or if you plan not to use some features (e.g. stored certificates), you can adjust the applet to reduce its resource consumption by tweaking the following variables:

Building the CAP file

Installing the CAP file

The CAP file installation depends on your device, so you have to refer to the instructions given by your device manufacturer. Most open cards relying on Global Platform with default keys are supported by GlobalPlatformPro.

Be careful to use a valid AID according to the OpenPGP card specification (see section 4.2.1) for each card (-create <AID> with GlobalPlatformPro)

Setting up secure messaging with OpenKeychain

Secure messaging without token authentication

Without token authentication, you are not protected against man-in-the-middle attack as your device cannot ensure it is communicating directly with a trusted token. Nevertheless, the communications with the token are still protected in confidentiality against passive attacks (i.e. trafic capture).

If you want to test secure messaging without token authentication, you can use the following command to order the token to generate its secure messaging key on-board.

./smartpgp-cli -r X -I generate-sm-key -o pubkey.raw

In this case, you have to deactivate the certificate verification in OpenKeychain: go to "Parameters" > "Experimental features" and deactivate the option called "SmartPGP verify certificate".

Secure messaging with token authentication

The secure_messaging directory contains a subdirectory called pki which contains two sample scripts to generate a certificate authority and token certificates.

The sample scripts are given only for test purposes of the secure messaging feature with certificate verification. They require openssl to be installed on your system.

If you want to use your own PKI, you have to generate a specific intermediate certificate authority to sign the certificates of your token(s). Then, you have to provision the complete certificate chain from this new intermediate CA to your root CA in OpenKeychain because the certificate verification implemented in the given patch does not rely on the system keystore.

Generate a sample CA key and certificate

Change your current directory to the pki directory and execute the script ./generate_ca.sh. It will produce a sample CA key in PKI/private/ca.key.pem and the corresponding certificate in PKI/certs/ca.cert.pem.

Generate a sample token key and certificate

Change your current directory to the pki directory and execute the script

./generate_token.sh mycard1

where mycard1 is some unique identifier for the token. It will produce a sample token key in PKI/private/mycard1.key.pem and the corresponding certificate in PKI/certs/mycard1.cert.pem.

Provision the token with its sample key and certificate

Change your current directory to the bin directory and execute the following commands after replacing the reader number X by the number of the reader that contains your token, and the path to the pki directory used in previous sections.

The following command imports the token key in the token.

./smartpgp-cli -r X -I -i path_to_the_pki_dir/PKI/private/mycard1.key.der put-sm-key

The following command imports the token certificate in the token.

./smartpgp-cli -r X -I -i path_to_the_pki_dir/PKI/certs/mycard1.cert.der put-sm-certificate

These commands have to be executed in this order because the key import clears any previously stored certificate.

Once the token key is imported, you should remove the token private key from you system as there is no need to keep it outside of your token.

Install the CA in OpenKeychain