This repository was archived by the owner on Nov 18, 2025. It is now read-only.

Other-Project/SI5-Security-for-IoT


IoT Smartcard Project

A secure smartcard system with a terminal interface and a verification server.

⚡ Requirements

  • Python 3.10+ 🐍
  • JavaCard-compatible smartcard 💳
  • pip for Python dependencies 📦

🚀 Getting Started

1️⃣ Run the Verification Server

The server verifies transactions from terminals.

    cd server
    pip install -r requirements.txt
    python verification_server.py

  • Runs on localhost:5000 🌐
  • Blocks the shell while listening for requests 🛑

2️⃣ Run a Terminal

The terminal interacts with the smartcard and server 💳➡️🖥️

    cd terminal
    pip install -r requirements.txt
    python terminal.py

  • Run multiple terminals in separate shells 🔄

3️⃣ Run Tests

Python unittest

    cd test
    pip install -r requirements.txt
    python main.py

Make sure the smartcard is plugged in 💳⚡

Or, using an emulated smartcard:

    ./gradlew clean test

✨ Features

  • 🔑 Smartcard Applet – Generates keys & handles transactions
  • 💳 Terminal Interface – Payment device simulator
  • 🖥️ Verification Server – Validates transaction requests
  • Testing Suite – Unit tests

🛠️ Scripts

  • build.sh – Build smartcard applet
  • upload.sh – Upload applets to smartcard
  • test-card.sh – Pytest-based card tests
  • list-applets.sh – List installed applets

⚠️ Notes

  • Smartcard must be connected for terminal & test usage 💳
  • Server must be running before terminal(s) 🚦
  • Tested with Python 3.10+, JavaCard 2.1.1 SDK ✅

Integration tests

Scenario A — Card registration

  1. Start the verification server

  2. With the physical smartcard inserted in the reader, run the terminal

  3. On startup the terminal performs "Updating public key" and calls /api/card/register automatically (the terminal uses INS_SEND_PUB_KEY).

  4. Verify registration on the server:

    • Check the key file: ls -l server/card_public_keys/

Scenario B — Payment test

  1. With the server running, run terminal.py and choose "Send Transaction".

    • Enter PIN when prompted (default in applet is 0000).
    • Select items to buy in the interactive prompt.
  2. Terminal flow (what happens):

    • Builds the transaction bytes from selected items.
    • Sends INS_RECEIVE_TRANSACTION to the real card.
    • Receives back transaction || signature.
    • POSTs JSON to /api/transaction.
  3. Expected server response in terminal:

    • "Transaction signed by card"
    • "Transaction verified and stored: tx_..." printed after verification success.
  4. Manual verification (server side):

    • List stored files: ls server/stored_transactions
    • Inspect a saved transaction: cat server/stored_transactions/tx_*.json | jq .

    Expected: JSON with transaction_id, card_id, items array and verified: true.

Scenario C — Listing requests

  1. Query the server endpoint to list stored transactions: curl -s http://localhost:5000/api/transactions | jq .

  2. Expected JSON shape:

    {
     "success": true,
     "transactions": [
       {
         "transaction_id": "tx_1617181920",
         "card_id": "card_001",
         "timestamp": "2025-01-01T12:00:00",
         "verified": true,
         "items": [["Coca-Cola",2],["Sandwich",5]]
       },
       ...
     ],
     "count": N
    }
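
The shape above can be checked mechanically instead of by eye. The following is an added example, not part of the project's code: `check_listing` and the sample payloads are constructed here, and it assumes that transaction IDs start with `tx_` and are unique, and that the second element of each item is a positive integer.

```python
from datetime import datetime

REQUIRED = ("transaction_id", "card_id", "timestamp", "verified", "items")

def check_listing(payload):
    """Return a list of problems found in a parsed /api/transactions response."""
    problems = []
    if payload.get("success") is not True:
        problems.append("success is not true")
    txs = payload.get("transactions")
    if not isinstance(txs, list):
        return problems + ["transactions is not a list"]
    if payload.get("count") != len(txs):
        problems.append("count does not match number of transactions")
    seen = set()
    for i, tx in enumerate(txs):
        if not isinstance(tx, dict) or any(k not in tx for k in REQUIRED):
            problems.append(f"tx[{i}]: missing required fields")
            continue
        tid = tx["transaction_id"]
        if not (isinstance(tid, str) and tid.startswith("tx_")):
            problems.append(f"tx[{i}]: bad transaction_id")
        elif tid in seen:
            problems.append(f"tx[{i}]: duplicate transaction_id {tid}")
        else:
            seen.add(tid)
        # Identity check: the string "true" or the number 1 must not pass as verified.
        if tx["verified"] is not True:
            problems.append(f"tx[{i}]: not verified")
        try:
            datetime.fromisoformat(tx["timestamp"])
        except (TypeError, ValueError):
            problems.append(f"tx[{i}]: bad timestamp")
        items = tx["items"] if isinstance(tx["items"], list) else [None]
        for item in items:
            ok = (isinstance(item, list) and len(item) == 2 and isinstance(item[0], str)
                  and type(item[1]) is int and item[1] > 0)
            if not ok:
                problems.append(f"tx[{i}]: bad item {item!r}")
    return problems

# Constructed sample data, modelled on the expected shape shown above.
TX = {"transaction_id": "tx_1617181920", "card_id": "card_001", "verified": True,
      "timestamp": "2025-01-01T12:00:00", "items": [["Coca-Cola", 2], ["Sandwich", 5]]}
SAMPLE_OK = {"success": True, "transactions": [TX], "count": 1}
SAMPLE_BAD = {"success": True, "count": 3, "transactions": [
    TX, {**TX, "verified": "true", "items": [["Sandwich", -1]]}]}

if __name__ == "__main__":
    print(check_listing(SAMPLE_BAD))
```

To use it against a running server, pass it the parsed JSON returned by the curl command in step 1.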

About

Java SmartCards
