4
votes

I'd like to provision a JavaCard so that it only allows the installation of applets that are signed by a certain key. I am not sure whether this signature is part of the cap file format. I can already install a cap file from an Android device via code taken from GlobalPlatformPro. The GlobalPlatformPro README (https://github.com/martinpaljak/GlobalPlatformPro/blob/master/README.md) mentions application signing. But I am not sure this is the way to accomplish what I need to do. I am not even sure this is possible at all.

  1. How do I need to prepare a card to only allow installation of signed cap files?
  2. How do I create such a cap file?

I can already lock a card with a certain key, and then this key is needed to install any cap file. But this would mean that I need to distribute the key with the cap files, so it can be installed. That is not an option as it would compromise the key.

1
If you downvote, please add a comment explaining why and how I can or should improve this question. - Dirk Jäckel
The question is not really a programming question, so it doesn't exactly fit SO; nonetheless I wrote a little answer. This topic might be tough if you haven't done anything with JavaCard, as it is kind of a niche topic to my knowledge. - Paul Bastian
Which Stackexchange would be more appropriate for this question? - Dirk Jäckel
Probably none ;) - Paul Bastian
@vojta & PaulBastian I guess we are grown up enough in our little niche to make our own rules to a certain degree. It's not like this has an impact on the overall quality of the site, or has a major impact on the DB or something. And moderation is kind of absent anyway; hardly any security topic will be closed, even if off topic, due to lack of traffic. - Maarten Bodewes

1 Answer

5
votes

You should read the Global Platform Specification; all information is given there. Points to look out for that should match your requirements:

  • Mandated DAP Verification
  • Delegated Management Tokens

You will still probably need to check that your Java Card supports the given feature (at least Tokens are optional for card manufacturers), and you will need terminal software that supports this feature (which might be difficult, as it is not very commonly used).