Java Card Technology Ch07: Applet Instructors: Fu-Chiung Cheng ( 鄭福炯 ) Associate Professor Computer Science & Engineering Computer Science & Engineering Tatung University
Applet Overview A java card applet is a smart card application written in the Java programming language and conforming to a set of conventions so that It can run within the JCRE. A java card applet is a smart card application written in the Java programming language and conforming to a set of conventions so that It can run within the JCRE. A running applet in JCRE is an instance of applet class that extends from javacard.framewrok.Applet. A running applet in JCRE is an instance of applet class that extends from javacard.framewrok.Applet. An applet is an persistent object and lives on through the entire lifetime of the card. An applet is an persistent object and lives on through the entire lifetime of the card. Each applet instance is uniquely identified by an AID (application identifier). Each applet instance is uniquely identified by an AID (application identifier).
Applet Installation Applet installation steps: Applet installation steps: Is loaded on Java smart card, Is linked with other packages Is created and registered with JCRE. JCRE is single thread environment. Only one applet is running at a time. JCRE is single thread environment. Only one applet is running at a time. When an applet is first installed, it is in an inactive. When an applet is first installed, it is in an inactive. The applet becomes active when it is explicitly selected by a host application The applet becomes active when it is explicitly selected by a host application
Applet Execution State inactive active create select deselect Process a command Applets are reactive applications Once selected, a typical applet waits for an application running on the host side to send a command The command-and-response dialogue continues until a new applet is selected or the card is removed from the CAD
Applet Communication The communication between an applet and a host application is achieved through exchanging APDUs. The communication between an applet and a host application is achieved through exchanging APDUs. An APDU contains either command or a response message An APDU contains either command or a response message command command command command APDU APDU APDU APDU A host the an A host the an application JCRE applet application JCRE applet response response response response APDU APDU APDU APDU
Applet Communication A host application sends a command to an applet and the applet returns a response A host application sends a command to an applet and the applet returns a response When the host application wants to select an applet to run, it sends an APDU that specifies the SELECT command and the AID for the requested applet When the host application wants to select an applet to run, it sends an APDU that specifies the SELECT command and the AID for the requested applet The JCRE searches its internal table for an applet whose AID matches the one specified in the command The JCRE searches its internal table for an applet whose AID matches the one specified in the command
Applet Communication If a match is found, the JCRE selects that applet to run. If a match is found, the JCRE selects that applet to run. All subsequent APDUs are forwarded to the current applet until a new applet is selected All subsequent APDUs are forwarded to the current applet until a new applet is selected
javacard.framewrok.Applet Every applet is implemented by creating a subclass of javacard.framework.Applet Every applet is implemented by creating a subclass of javacard.framework.Applet The JCRE invokes the methods install, select, process, or deselect which are defined in the Applet class when it wants to install, select or deselect the applet or to ask the applet to process an APDU command The JCRE invokes the methods install, select, process, or deselect which are defined in the Applet class when it wants to install, select or deselect the applet or to ask the applet to process an APDU command JCRE calls the install method to create an applet instance JCRE calls the install method to create an applet instance The Applet instance is registered with the JCRE with register method. The Applet instance is registered with the JCRE with register method.
javacard.framewrok.Applet When receiving a SELECT APDU, the JCRE first checks whether an applet is already selected. If so the JCRE deselects the current applet by invoking the deselect method. When receiving a SELECT APDU, the JCRE first checks whether an applet is already selected. If so the JCRE deselects the current applet by invoking the deselect method. In the deselect method, the applet performs any cleanup or bookkeeping work before it becomes inactive In the deselect method, the applet performs any cleanup or bookkeeping work before it becomes inactive The JCRE select the new applet by invoking the select method The JCRE select the new applet by invoking the select method The applet performs any initialization in the select method The applet performs any initialization in the select method
javacard.framewrok.Applet After successful selection, each APDU is delivered to the active applet via a call to its process method After successful selection, each APDU is delivered to the active applet via a call to its process method The process method is an essential method in applet class that processes APDU commands and thus provides an applet’s functions The process method is an essential method in applet class that processes APDU commands and thus provides an applet’s functions The methods install, select, deselect and process are applet entry point methods The methods install, select, deselect and process are applet entry point methods They are invoked by the JCRE at the appropriate state of applet creation and execution They are invoked by the JCRE at the appropriate state of applet creation and execution
javacard.framewrok.Applet See Table 7.1 on page 73 See Table 7.1 on page 73 public static void install (byte[] bArray, short bOffset, byte bLength) protected final void register ( ) protected final void register (byte[] bArray, short bOffset, byte bLength) public boolean select ( ) public abstract void process (APDU apdu) public void deselect ( )
Install method The install method is typically called by the JCRE as the last step during applet installation to create an applet instance The install method is typically called by the JCRE as the last step during applet installation to create an applet instance The arguments to install method carry the applet installation parameters (command-line arguments) The arguments to install method carry the applet installation parameters (command-line arguments)
Install method The install method creates an applet instance by using new operator and the constructor typically performs the following tasks: The install method creates an applet instance by using new operator and the constructor typically performs the following tasks: Creates objects that the applet needs during its lifetime. Initializes objects and the applet’s internal variable. Registers the applet instance with the JCRE by calling one of the two register methods defined in the base Applets class.
public class WalletApp extends Applet { private log transaction_log; private log transaction_log; private byte[] wallet_id; private byte[] wallet_id; private byte wallet_balance; private byte wallet_balance; public static void install (byte[] bArray, short bOffset, byte bLength) { public static void install (byte[] bArray, short bOffset, byte bLength) { new walletApp(); new walletApp(); } private WalletApp() { private WalletApp() { //create a transaction log with specified number //create a transaction log with specified number //of transaction records //of transaction records transaction_log = new log(TRAN_RECORD_NUM); transaction_log = new log(TRAN_RECORD_NUM); //create a byte array to store the wallet ID //create a byte array to store the wallet ID wallet_id = new byte[ID_LENGTH]; wallet_id = new byte[ID_LENGTH]; //initialize the wallet balance //initialize the wallet balance wallet_balance = INITIAL_BALANCE; wallet_balance = INITIAL_BALANCE; //register the applet instance with the JCRE //register the applet instance with the JCRE register(); register(); }}
Creating Objects in the Applet’s Constructor Although objects and arrays can be created at any point in the execution of an applet, it is recommended that, when possible, such allocation occur only during the initialization of the applet Although objects and arrays can be created at any point in the execution of an applet, it is recommended that, when possible, such allocation occur only during the initialization of the applet Any objects that might be required during execution of an applet should be preallocated in the constructor, to ensure that the applet will never fail due to lack of memory. Any objects that might be required during execution of an applet should be preallocated in the constructor, to ensure that the applet will never fail due to lack of memory. If the JCRE detects there’s no enough space for an applet creating objects, it will delete the applet. If the JCRE detects there’s no enough space for an applet creating objects, it will delete the applet.
Registering the Applet Instance with the JCRE To register an applet with the JCRE To register an applet with the JCRE protected final void register ( ),and protected final void register (byte[] bArray, short bOffset, byte bLength) The first register method registers the applet with the JCRE using the default AID from the CAP file. The first register method registers the applet with the JCRE using the default AID from the CAP file. The second register method registers the applet instance with the JCRE using the AID specified in the argument bArray. The second register method registers the applet instance with the JCRE using the AID specified in the argument bArray.
Processing the Installation Parameters The installation parameters are sent to the card along with the CAP files that define an applet. The installation parameters are sent to the card along with the CAP files that define an applet. The JCRE then provides the installation parameters to the applet via the install method. The JCRE then provides the installation parameters to the applet via the install method. The install method accepts three arguments: The install method accepts three arguments: byte[] bArray--Array containing installation parameters. Short bOffset—Starting offset in bArray. Byte bLenght—Length in bytes of the parameter data in bArray.
Further Applet Initialization More complex applets might need further personalization information before they are ready to execute normally. More complex applets might need further personalization information before they are ready to execute normally. Such as information might not all be available at applet creation time or might exceed the capacity of the installation parameters(32 bytes). Such as information might not all be available at applet creation time or might exceed the capacity of the installation parameters(32 bytes).
Select Method In select method, the applet can check whether its conditions for selection have been met, and if so, it can set internal variables and states necessary to handle subsequent APDUs. In select method, the applet can check whether its conditions for selection have been met, and if so, it can set internal variables and states necessary to handle subsequent APDUs. If selection fails, the JCRE returns the status word 0x6999 of respond APDU. If selection fails, the JCRE returns the status word 0x6999 of respond APDU. A successful selection involves A successful selection involves Deselecting the current applet Selecting the new applet Sending the SELECT APDU to the new applet’s process method
SELECT APDU format The SELECT APDU command is the only APDU command that is standardized on the Java card platform. The SELECT APDU command is the only APDU command that is standardized on the Java card platform. CLAINSP1P2Lc Data Field 0x00xA40x40x0 Length of AID AID bytes
APDU command processing See Fig 7.3 on page 81
Default Applet Some smart card systems require a default applet that is implicitly selected after every card reset. Some smart card systems require a default applet that is implicitly selected after every card reset. Because no SELECT APDU is required, the applet’s process method is not called. Because no SELECT APDU is required, the applet’s process method is not called. If the default applet’s select method throw an exception or returns false, no applet is selected until the next SELECT APDU is processed. If the default applet’s select method throw an exception or returns false, no applet is selected until the next SELECT APDU is processed.
Deselect Method The deselect method allows the applet to perform any cleanup operations to prepare itself to go inactive state. The deselect method allows the applet to perform any cleanup operations to prepare itself to go inactive state. Deselect method is empty method. Deselect method is empty method. Applet should should implementation it. Applet should should implementation it. For example, the wallet might need to reset the security condition or the transaction state, which is valid only during one selection period. For example, the wallet might need to reset the security condition or the transaction state, which is valid only during one selection period.
Deselect method The deselect method might fail. Even so, the current applet is deselected and a new applet is selected despite the result of executing the deselected method. The deselect method might fail. Even so, the current applet is deselected and a new applet is selected despite the result of executing the deselected method. The JCRE also ignores any exceptions thrown from the deselect method. The JCRE also ignores any exceptions thrown from the deselect method. Furthermore, on reset or power loss, the applet is automatically deselected the JCRE without its deselect method being called. Furthermore, on reset or power loss, the applet is automatically deselected the JCRE without its deselect method being called.
Process Method The process method in the base Applet class is an abstract method. The process method in the base Applet class is an abstract method. An applet must directly or indirectly override this method. An applet must directly or indirectly override this method. On receiving an APDU command, the method decodes the APDU header and calls a service method to execute. On receiving an APDU command, the method decodes the APDU header and calls a service method to execute.
Other Methods in the Class javacard.framework.Applet selectingApplet selectingApplet getShareableInterfaceObject getShareableInterfaceObject
selectingApplet Traditional smart card is file system oriented. Traditional smart card is file system oriented. The SELECT APDU is the ISO command select DF(dedicate file). The SELECT APDU is the ISO command select DF(dedicate file). The applet call the method to distinguish whether the SELECT APDU command is used to select this applet, or whether it is attempting to select a DF of this applet. The applet call the method to distinguish whether the SELECT APDU command is used to select this applet, or whether it is attempting to select a DF of this applet.
getShareableInterfaceObject The method is intended for object sharing among applets. The method is intended for object sharing among applets. It is invoked by the JCRE when another applet requests a shareable interface object form this applet. It is invoked by the JCRE when another applet requests a shareable interface object form this applet. This method if further described in chapter9. This method if further described in chapter9.