What does HackerNews think of GlobalPlatformPro?

🌐 🔐 Manage applets and keys on JavaCard-s like a pro (via command line or from your Java project)

Language: Java

#33 in Java
JavaCard is the answer for smartcards. You can find example card software all over GitHub, and you're looking for the JavaCard SDK from Oracle and GlobalPlatformPro to program them: https://github.com/martinpaljak/GlobalPlatformPro. There's even an ant task around somewhere that allows you to use ant tooling. Blank cards with "developer"/default keys can be picked up pretty much anywhere.

Buy blank cards, write your applet, test in an emulator if you want, push to card, test for real with your software that talks to the card, profit. Be aware that if your goal is to write custom cryptography implementations in Java on the JavaCard, these will be prohibitively slow. No need to take my word for it, Niels Duif did exactly this: https://research.tue.nl/en/studentTheses/smart-card-implemen...

> Java Card proves to be a worthless platform for high-speed cryptography. Despite the speedups, generating a signature takes more than 28 minutes for a private key of 254 bits.

How is crypto done then? JavaCard provides APIs that do it, but these call implementations that either use coprocessors, or contain optimised implementations in the mask ROM. You can't program a mask ROM without doing a production run of smartcards in the hundreds of thousands. Small scale, this isn't possible.

HSM vendors will often sell SDKs for custom code, which you can add to certain models. The barrier to entry simply being that you need to buy an HSM, which isn't cheap. It can be done, however, and on the plus side in my experience of Thales HSMs this means actual C code, meaning performant implementation is possible.

To read a bit of info about your credit card you can use this https://github.com/martinpaljak/GlobalPlatformPro, it will output something like

    Card CPLC:
    ICFabricator: 4790
    ICType: 5049
    OperatingSystemID: 8241
    OperatingSystemReleaseDate: 2218
    OperatingSystemReleaseLevel: 1520
    ICFabricationDate: 3086
    ICSerialNumber: 06575696
    ICBatchIdentifier: 6664
    ICModuleFabricator: 4810
    ICModulePackagingDate: 3086
    ICCManufacturer: 1180
    ICEmbeddingDate: 3086

etc

I guess it's enough information to concoct some kind of 2-factor auth, but what is stopping you from promoting your real smart card into "always-with-me"? Or one of smartcards, since you can have many.

NFC-capable phones can act as a card reader for contactless smartcards AFAIK, so that's something you can look into also.
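
The CPLC dump quoted above is a fixed 42-byte structure, and its date fields are BCD "YDDD" values (last digit of the year plus day of year). As an added example (not GlobalPlatformPro's code and not part of any comment on this page), this Python code splits such a blob into the same named fields and decodes the dates; the fields after the twelve shown on the page follow the standard CPLC layout, and `parse_cplc`, `cplc_date` and `SAMPLE_HEX` are names chosen here.

```python
from datetime import date, timedelta

# (field name, length in bytes) in on-card order; field names as gp prints them.
CPLC_FIELDS = [
    ("ICFabricator", 2), ("ICType", 2), ("OperatingSystemID", 2),
    ("OperatingSystemReleaseDate", 2), ("OperatingSystemReleaseLevel", 2),
    ("ICFabricationDate", 2), ("ICSerialNumber", 4), ("ICBatchIdentifier", 2),
    ("ICModuleFabricator", 2), ("ICModulePackagingDate", 2),
    ("ICCManufacturer", 2), ("ICEmbeddingDate", 2), ("ICPrePersonalizer", 2),
    ("ICPrePersonalizationEquipmentDate", 2),
    ("ICPrePersonalizationEquipmentID", 4), ("ICPersonalizer", 2),
    ("ICPersonalizationDate", 2), ("ICPersonalizationEquipmentID", 4),
]
CPLC_LEN = sum(n for _, n in CPLC_FIELDS)  # 42 bytes
# Constructed sample: the twelve values quoted above; the fields the comment
# elides with "etc" are zero-filled placeholders, not real card data.
SAMPLE_HEX = ("47905049824122181520308606575696"
              "66644810308611803086" + "00" * 16)

def parse_cplc(data: bytes) -> dict:
    """Split a CPLC blob (bare, or wrapped as 9F7F <len>) into hex fields."""
    if data[:2] == b"\x9f\x7f":
        if len(data) < 3 or data[2] != len(data) - 3:
            raise ValueError("9F7F length byte does not match payload")
        data = data[3:]
    if len(data) != CPLC_LEN:
        raise ValueError(f"CPLC must be {CPLC_LEN} bytes, got {len(data)}")
    out, off = {}, 0
    for name, n in CPLC_FIELDS:
        out[name] = data[off:off + n].hex().upper()
        off += n
    return out

def cplc_date(field: str, today: date):
    """Decode a BCD 'YDDD' date (last digit of year + day of year).
    The decade is not stored, so return the latest match not after `today`;
    None for unset (0000), non-BCD or out-of-range values."""
    if len(field) != 4 or not field.isdigit() or field == "0000":
        return None
    doy = int(field[1:])
    year = today.year - ((today.year - int(field[0])) % 10)
    for _ in range(2):  # fall back one decade if the date is in the future
        d = date(year, 1, 1) + timedelta(days=doy - 1)
        if 1 <= doy <= 366 and d.year == year and d <= today:
            return d
        year -= 10
    return None
```

Because the decade is not encoded, a decoded date is only as good as the reference date passed in; the serial and batch fields are static and readable without authentication on cards that expose CPLC, which is what makes them usable as an identifier.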

So it turns out the story is less grim: you can buy a blank JavaCard [0] and use GlobalPlatformPro [1] to load arbitrary applets. You can load gpgapplet, isoApplet, MuscleApplet, or any other JavaCard crypto software you like. This will then be compatible with client-side software like OpenSC [2], at which point you get generic PKCS#11 or GPG functionality from it.

You can get FIPS 140-2 Level 3 cards for, like, $11.

Apparently there is some difficulty in correctly unlocking the card for applet loading,

[0] https://github.com/martinpaljak/GlobalPlatformPro/tree/maste...

[1] https://github.com/martinpaljak/GlobalPlatformPro

I'll let you know how it goes :).