Writing and Reading certificates from smartcard

We want to build a module in our application which allows the user to sign PDF/Word documents by using a smartcard or USB token. Our application is written in Java, so a solution with Java would be nice, but if it is easier with another language I won't mind using it as long as it works on Windows.

Are there any libraries that allow me to read and write certificates from a smart card? I want to avoid going low level and sending all these bytestreams to the card. But if this is the only way of doing this, I would appreciate it if someone could give me a link to a good tutorial/example.

Also, I have seen in some tutorials that people are importing certificates from smartcards into their local keystore. Why are they doing that? Can't I use the certificate from the card directly?

Thanks in advance for your help.

Lars asked Nov 10 '22 02:11


1 Answer

Certificates on smartcards are usually accessed via the PKCS#11 API (the cross-platform way), and on Windows they can be accessed via the Windows Certificate Store. As mentioned in the comments, Java supports both ways natively, though there exist some restrictions/bugs in the Java providers.

Access to the certificates themselves, though, is not enough to sign PDF or Word documents -- both of these formats include signing as an integral part, and you need to either write code to sign documents in these formats or use existing libraries. For PDF it can be iText (watch the license!) or our SecureBlackbox. Both support PKCS#11. For Office documents I don't know of alternatives to SecureBlackbox. Our library supports both the Java-provided interfaces to PKCS#11 and the Windows CertStore and our own JNI modules for the same.

About "importing certificates to the key store" -- this is done to enumerate and search certificates. Those keystores are "virtual", as they map smartcard certificates. Also, when such mapping is done, the private key remains on the hardware device and is not copied (this is technically not possible in most cases). So cryptographic operations which require a private key are performed on the device anyway.

Eugene Mayevski 'Callback answered Nov 15 '22 13:11
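The two native Java routes the answer mentions, as an added example that is not part of the question, the answer, or any of the libraries named above. It opens the token either through the SunPKCS11 provider (cross-platform, via the vendor's PKCS#11 library) or through the SunMSCAPI "Windows-MY" store, enumerates the card's certificates through the resulting "virtual" keystore, signs a byte string with the key handle, and verifies the result with the certificate's public key in software. The token name, the middleware DLL path, the `--mscapi` flag, an RSA key with `SHA256withRSA`, and the sample input are all assumptions made for illustration; the code needs Java 9 or later for `Provider.configure` (on Java 8 the provider is constructed with `new sun.security.pkcs11.SunPKCS11(configPath)` instead).

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;

public class SmartcardSign {

    // Inline SunPKCS11 configuration (Java 9+: a leading "--" means the rest of
    // the string is the config text). The token name and library path are
    // assumptions; use the PKCS#11 DLL shipped with your card middleware.
    private static final String PKCS11_CONFIG =
            "--name=MyToken\nlibrary=C:\\Windows\\System32\\vendor_pkcs11.dll\n";

    // Option A: cross-platform access through the vendor's PKCS#11 module.
    static KeyStore openPkcs11(char[] pin) throws Exception {
        Provider p = Security.getProvider("SunPKCS11").configure(PKCS11_CONFIG);
        Security.addProvider(p);
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);   // logs in to the token; nothing is copied into Java
        return ks;
    }

    // Option B: Windows only, through the certificate store that the card's
    // minidriver/CSP populates. Windows itself prompts for the PIN when signing.
    static KeyStore openWindowsMy() throws Exception {
        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        ks.load(null, null);
        return ks;
    }

    // Enumerate the virtual keystore and pick the first entry that has both a
    // private key and an X.509 certificate (this is the "search" the answer describes).
    static String firstSigningAlias(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias) && ks.getCertificate(alias) instanceof X509Certificate) {
                return alias;
            }
        }
        throw new IllegalStateException("no private-key entry with a certificate on the token");
    }

    // Sign on the card. The PrivateKey object is only a handle to the on-card key.
    static byte[] sign(KeyStore ks, String alias, char[] pin, byte[] data) throws Exception {
        PrivateKey key = (PrivateKey) ks.getKey(alias, pin);
        // Non-extractable hardware keys report no encoding; a non-null value here
        // means the provider could read the key material, which a token should prevent.
        if (key.getEncoded() != null) {
            System.err.println("warning: private key material is extractable from this key store");
        }
        Signature sig = Signature.getInstance("SHA256withRSA", ks.getProvider());
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }

    // Verification needs only the certificate's public key, so any software provider will do.
    static boolean verify(X509Certificate cert, byte[] data, byte[] signature) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(cert.getPublicKey());
        sig.update(data);
        return sig.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        char[] pin = System.console() != null
                ? System.console().readPassword("Token PIN: ")
                : new char[0];
        boolean useWindowsStore = args.length > 0 && args[0].equals("--mscapi");
        KeyStore ks = useWindowsStore ? openWindowsMy() : openPkcs11(pin);

        String alias = firstSigningAlias(ks);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        System.out.println("Using " + alias + ": " + cert.getSubjectX500Principal());

        // Constructed sample input; in a real flow this is the document hash the
        // PDF/OOXML signing library hands you.
        byte[] data = "hash-of-the-document-to-be-signed".getBytes(StandardCharsets.UTF_8);
        byte[] signature = sign(ks, alias, pin, data);
        System.out.println("Signature: " + signature.length + " bytes, verifies: "
                + verify(cert, data, signature));

        // Wrapping 'signature' into CMS/PKCS#7 for a PDF /Sig dictionary or into an
        // XML-DSig part of an OOXML package is the document library's job, not the card's.
        Arrays.fill(pin, '\0');
    }
}
```

Two things worth checking when you run this against a real token: the alias list from `ks.aliases()` is exactly the "virtual keystore" enumeration the answer refers to, and `key.getEncoded()` coming back `null` is the visible sign that the private key never left the device. The raw signature this produces is only an intermediate value; the PDF or Office library has to compute the document hash it wants signed and embed the result in the format's own signature structure.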