 

How to verify a certificate validity on a Java Card?

I know how to verify certificates with Java, but I am unaware of how to do it on a Java Card due to the restrictions of the Java Card APIs (no java.io or other classes; only javacard APIs + Object + Throwable allowed).

I didn't find any Java Card-compatible library for certificates. Did I miss anything?

I need to verify that the certificate is signed by the CA, and I also need to verify the certificate's validity.

Kevin Van Ryckegem asked Mar 09 '23 02:03


1 Answer

Generally, verifying a certificate is hard work for a smart card. These certificates are often larger than 2 KiB in size. Although that is peanuts for a general-purpose PC, it's not for a smart card, in which high-end cards often only pack 8 KiB of RAM. And that's shared between the OS, the crypto coprocessors, the APDU buffer and - of course - your applet.

There is another issue: generally a smart card doesn't contain a clock. This makes validating that the cert is within the validity period a tricky thing to do; basically you need some trusted way of keeping time.

Then there is the fact that certificate validation often uses CRLs or OCSP to check the status of the certificate. As you may understand, performing an OCSP lookup or even just parsing a CRL is not easy for such a limited platform.

Verifying the signature of the CA over the certificate is certainly possible if you program it smartly. But in general Card Verifiable Certificates (CVCs or CV-certificates) are used. These are "flattened" certificates with fewer bells and whistles, that are easier to parse within a smart card.

By using the start date of newer, verified certificates you can use some kind of date ratchet where the clock is updated using the date in the certificates themselves. But note that you would still not be able to detect out-of-date certificates if new certificates haven't been validated for a while. CV certificates generally don't use a CRL, so you will either have to trust each certificate or you may need to blacklist some certs if and when they are compromised.

Although there is likely a bit more support in Java Card Connected edition, I don't think this will help you at all, as the connected edition is rarely spotted in the wild.


The original specs for CVCs can be found in the ISO/IEC 7816-8 standard: Identification cards — Integrated circuit cards — Part 8: Commands and mechanisms for security operations, Annex A & B. Note that this standard is payware.

The ICAO eMRTD and BSI TR 03110 documents also define these kinds of certificates, so you'd be better off basing any certificate specs on that if you like freeware better.

Maarten Bodewes answered Mar 21 '23 01:03
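
The CA signature check and the date ratchet described in the answer above, as an added Java Card sketch that is not part of the original answer. The class name `CvcChecker`, the RSA/SHA-256 algorithm choice, the caller-supplied offsets (from a TLV parser that is not shown) and the 6-byte YYMMDD date encoding with one digit per byte are all assumptions.

```java
package example.cvc; // hypothetical package name

import javacard.framework.Util;
import javacard.security.PublicKey;
import javacard.security.Signature;

/** Added sketch: CA signature check plus date ratchet for a CV certificate. */
public class CvcChecker {
    private static final short DATE_LEN = 6; // assumed YYMMDD, one digit (0..9) per byte
    // Lives in persistent memory: the card's approximate "current date".
    private final byte[] currentDate = new byte[DATE_LEN];
    private final Signature verifier;

    public CvcChecker() {
        // Algorithm is an assumption; use whatever the CA really signs with.
        verifier = Signature.getInstance(Signature.ALG_RSA_SHA_256_PKCS1, false);
    }

    /** Offsets come from the applet's own TLV parser (not shown). */
    public boolean verify(PublicKey caKey, byte[] buf, short bodyOff, short bodyLen,
                          short sigOff, short sigLen, short effOff, short expOff) {
        // Both dates must lie inside the signed body, or they are unauthenticated.
        if (!inBody(effOff, bodyOff, bodyLen) || !inBody(expOff, bodyOff, bodyLen)) return false;
        verifier.init(caKey, Signature.MODE_VERIFY);
        if (!verifier.verify(buf, bodyOff, bodyLen, buf, sigOff, sigLen)) return false;
        if (!isDate(buf, effOff) || !isDate(buf, expOff)) return false;
        // Reject a validity period that ends before it starts.
        if (Util.arrayCompare(buf, expOff, buf, effOff, DATE_LEN) < 0) return false;
        // Expired relative to the newest date the card has seen so far.
        if (Util.arrayCompare(buf, expOff, currentDate, (short) 0, DATE_LEN) < 0) return false;
        // Ratchet: a verified certificate with a newer start date advances the clock.
        if (Util.arrayCompare(buf, effOff, currentDate, (short) 0, DATE_LEN) > 0) {
            Util.arrayCopy(buf, effOff, currentDate, (short) 0, DATE_LEN); // atomic update
        }
        return true;
    }

    private static boolean inBody(short off, short bodyOff, short bodyLen) {
        return off >= bodyOff && (short) (off + DATE_LEN) <= (short) (bodyOff + bodyLen);
    }

    private static boolean isDate(byte[] buf, short off) {
        for (short i = 0; i < DATE_LEN; i++) {
            byte d = buf[(short) (off + i)];
            if (d < 0 || d > 9) return false;
        }
        return true;
    }
}
```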