|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
This interface may be used by an applet wishing to delegate the handling of entity
authentication and APDU security to its associated Security Domain.
This interface is designed to offer interoperability to the applet in that it requires no
knowledge of the mechanisms used to perform the authentication or of the scheme used for
APDU security and shall allow an applet to interface correctly with a Security Domain
immaterial of the mechanisms or schemes used. Prior to using this interface, an Application
is required to obtain a handle to its associated Security Domain by invoking the
GPSystem.getSecureChannel()
method. The Secure Channel Interface shall only be
exposed through the GPSystem.getSecureChannel
method
The byte value returned by the getSecurityLevel()
method is a bit map indicating
whether Entity Authentication has occurred and what level of security will be applied when
invoking the wrap
and unwrap
methods. This byte value is coded according
to table A-1. Note that more than one security level may be set.
Field Summary | |
static byte |
ANY_AUTHENTICATED
Entity Any Authentication has occurred (0x40). |
static byte |
AUTHENTICATED
Entity Authentication has occurred as Application Provider (0x80). |
static byte |
C_DECRYPTION
The unwrap method will decrypt incoming command data (0x02).
|
static byte |
C_MAC
The unwrap method will verify the MAC on an incoming command (0x01).
|
static byte |
NO_SECURITY_LEVEL
Entity Authentication has not occurred (0x00). |
static byte |
R_ENCRYPTION
The wrap method will encrypt the outgoing response data (0x20).
|
static byte |
R_MAC
The wrap method will generate a MAC for the outgoing response data (0x10).
|
Method Summary | |
short |
decryptData(byte[] baBuffer,
short sOffset,
short sLength)
This method is used to decrypt data located in the input buffer. |
short |
encryptData(byte[] baBuffer,
short sOffset,
short sLength)
This method is used to encrypt data located in the input buffer. |
byte |
getSecurityLevel()
This method is used to determine whether the Security Domain has performed authentication and to determine what level of security will be applied by the wrap and unwrap
methods.
|
short |
processSecurity(APDU apdu)
Processes security related APDU commands. |
void |
resetSecurity()
This method is used to reset information relating to the current Secure Channel. |
short |
unwrap(byte[] baBuffer,
short sOffset,
short sLength)
This method is used to process and verify the secure messaging of an incoming command according to the security level. |
short |
wrap(byte[] baBuffer,
short sOffset,
short sLength)
This method is used to apply additional security processing to outgoing response data and Status Words according to the security level. |
Field Detail |
public static final byte AUTHENTICATED
Note:
wrap
and unwrap
methods are not necessarily related. A Security Domain, by default, could
verify the MAC on any command passed as a parameter in the unwrap
method without
entity authentication previously having occurred.
public static final byte C_DECRYPTION
unwrap
method will decrypt incoming command data (0x02).
Note:
public static final byte C_MAC
unwrap
method will verify the MAC on an incoming command (0x01).
Note:
unwrap
method will decrypt the command data of incoming commands
and verify the MAC on incoming commands.
public static final byte R_ENCRYPTION
wrap
method will encrypt the outgoing response data (0x20).
Note:
public static final byte R_MAC
wrap
method will generate a MAC for the outgoing response data (0x10).
Note:
unwrap
method will verify the MAC on incoming commands and that the
wrap
method will generate a MAC on outgoing response data.
public static final byte NO_SECURITY_LEVEL
Note:
wrap
and unwrap
methods are not necessarily related. A
Security Domain, by default, could verify the MAC on any command passed as a parameter in
the unwrap
method without entity authentication previously having occurred.
wrap
and unwrap
methods will not apply any cryptographic
processing to command or response data.
public static final byte ANY_AUTHENTICATED
Note:
wrap
and unwrap
methods are not necessarily related. A Security Domain, by default, could
verify the MAC on any command passed as a parameter in the unwrap
method without
entity authentication previously having occurred.
Method Detail |
public short processSecurity(APDU apdu) throws ISOException
This method is used by an applet to process APDU commands that possibly relate to the security mechanism used by the Security Domain. As the intention is to allow an applet to be associated with a Security Domain without having any knowledge of the security mechanisms used by the Security Domain, the applet assumes that APDU commands that it does not recognize are part of the security mechanism and will be recognized by the Security Domain. The applet can either invoke this method prior to determining if it recognizes the instruction or only invoke this method for instructions it does not recognize.
Notes:
APDU
buffer at
offset ISO7816.OFFSET_CDATA
. The return value indicates the length and the applet is
responsible for outputting this data if necessary.
ISOException
- with the following reason codes (other security mechanism
related status words may be returned):ISO7816.SW_CLA_NOT_SUPPORTED
class byte is not recognized by the method.ISO7816.SW_INS_NOT_SUPPORTED
instruction byte is not recognized by the method.public short wrap(byte[] baBuffer, short sOffset, short sLength) throws java.lang.ArrayIndexOutOfBoundsException, ISOException
Notes:
R_MAC, R_ENCRYPTION
)
will be applied by invoking the getSecurityLevel()
method.
getSecurityLevel()
method invocation may also indicate that entity authentication
(AUTHENTICATED
) or (ANY_AUTHENTICATED
) has previously occurred.
NO_SECURITY_LEVEL
is indicated, this method will do no processing.
ISOException
- security mechanism related status words might be returned.
java.lang.ArrayIndexOutOfBoundsException
- if wrapping produces data outside array bounds.public short unwrap(byte[] baBuffer, short sOffset, short sLength) throws ISOException
Notes:
C_MAC, C_DECRYPTION
)
to be present by the Security Domain by invoking the getSecurityLevel()
method.
getSecurityLevel()
method invocation may also indicate that entity authentication
(AUTHENTICATED
) or (ANY_AUTHENTICATED
) has previously occurred.
NO_SECURITY_LEVEL
is indicated, this method will do no processing.
unwrap
method will result in the incoming command being reformatted
within the incoming APDU
object with all data relating to the Secure Messaging removed.
unwrap
method will result in the information relating to the current
Secure Channel being reset.
ISOException
- with the following reason code (other security mechanism related
status words may be returned):ISO7816.SW_CLA_NOT_SUPPORTED
class byte is not recognized by the method.public short decryptData(byte[] baBuffer, short sOffset, short sLength) throws ISOException
Notes:
ISOException
- if the length of data to be decrypted is not valid.public short encryptData(byte[] baBuffer, short sOffset, short sLength) throws java.lang.ArrayIndexOutOfBoundsException
Notes:
java.lang.ArrayIndexOutOfBoundsException
- if enciphering produces data outside array bounds.public void resetSecurity()
Notes:
Applet.deselect()
method.
public byte getSecurityLevel()
wrap
and unwrap
methods.
Notes:
wrap
and unwrap
methods will not apply any cryptographic
processing to command or response data, or a bitmap of the security level as follows:unwrap
method will verify the MAC on the incoming command.
wrap
method will generate a MAC for the outgoing response data.
unwrap
method will decrypt the incoming command data.
wrap
method will encrypt the outgoing response data.
|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |