How can I extract an X509 certificate from a smart card using Java?

Question

I use the OmniKey 3121 reader and can use the javax.smartcardio API to send APDU commands to the card reader. I'm not sure if there is a standard way to access the certificate stored on the card. Pointers to example code to read the certificate data would greatly help.

Also, can the SUN PKCS#11 library help in extracting the certificate from the smart card? It seems that this library can help with parsing the certificate and extracting field values, but can it also extract/export the certificate itself from the smart card?

Answer 1

I could extract the certificate using the SUN PKCS#11 provider library. Details provided in the following article helped: http://www.developer.com/java/other/article.php/10936_3587361_8/Java-Applet-for-Signing-with-a-Smart-Card.htm

Answer 2

A X.509 certificate is just passive data for the card. It is never evaluated by the card, but just send outside upon request. So the method for accessing a certificate is determined by the outside world, most likely according to PKCS 15 or ISO 7816-15 respectively. As already pointed out, additional documentation is at least useful or even necessary (if 7816-15 does not help).

Answer 3

[As far as I know] It highly depends on the applet implementation on the card and also the card implementation itself. I mean, the card-applet programmer specify the commands that you must send to work with his/her applet and the form of their response also. So without the documentation of the applet that generate/verify your X509 certificate, you can't write the client-side application.