This is an attempt at making a PIV (NIST SP 800-73-4) compatible JavaCard applet. Current target is JavaCard 2.2.2, with 2-3k of transient memory.

What works:

• OpenSC, MacOS (piv.tokend for login), Windows PIV

• RSA-1024 and -2048 key generation on card, signing

• EC P-256 key generation (but no ECDSA)

• EC Diffie-Hellman on P-256

• PINs and change of PIN, PUK reset

• Some YubiKeyPIV-compatible extensions are implemented and working:

  • PIN policy

  • Version indicator (we pretend to be a YK4)

  • Set management key

  • Import asymmetric key

What doesn’t work:

• ECDSA (probably not fixable without JavaCard 3.0.5 or proprietary APIs)

  • There is partial support for it in the code, but it will not work without a client that is specifically aware of the double-hashing issue.

• Yubikey extensions (TODO):

  • Reset after PUK blocked

The pre-built .cap files for each release can be found on the project release page.

You can use the Global Platform command-line tool (gp) to upload the applet to your JavaCard:

Now you have a PIV card ready to initialise. It’s easiest to do the initialisation with the yubico-piv-tool:

Now your PIV token is set up with a self-signed Card Authentication (9e) key. You can generate keys and certificates in the other slots in a similar fashion (remember that most other slots default to requiring a PIN entry, which you have to do with -a verify-pin -a selfsign-certificate …​ when using yubico-piv-tool).

Sample output of yubico-piv-tool -a status:

Default PIN

123456

Default PUK

12345678

Default card administration (9B) key

01 02 03 04 05 06 07 08 01 02 03 04 05 06 07 08 …​

(This is the default used by Yubikeys, so that the yubico-piv-tool will work with PivApplet.)

The applet supports an extension for doing ECDSA with hash-on-card, which client software will have to specifically add support for if it wants to use ECDSA signing with this applet.

Unfortunately, regular PIV ECDSA signing is not possible with the JavaCard standard crypto functions, which only support a single operation that combines hashing and signing. The current PIV standard demands that the data to be signed is hashed by the host, and then the hash is sent to the card.

In addition to the algorithm ID 0x11 for ECCP256, we introduce two new IDs, ECCP256-SHA1 (0xF0) and ECCP256-SHA256 (0xF1). For key generation the client should continue to use ECCP256 (as well as for ECDH), but for signing one of the two new algorithm IDs must be used (ECCP256 will be rejected).

These two new algorithms are "hash-on-card" algorithms, where the "challenge" tag sent by the host to the card should include the full data to be signed without any hashing applied. The card will hash the data and return the signature in the same was as a normal EC signature.

For example, to sign the payload "foo\n" with the Card Authentication (9e) key, with SHA-256, the host could send the following APDU:

This extension, naturally, will not work with existing PIV host software that is not aware of it. It is supported as a workaround for users who are ok with customising their host software who really want to use ECDSA.

Support for these new algorithms is advertised in the 0xAC (supported algorithms) tag in the response to INS_SELECT. Client software may detect it there to decide whether to attempt use hash-on-card or not.

We use ant-javacard for builds.

The capfile will be output in the ./bin directory, along with the .class files (which can be used with jCardSim).