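My question is whether it is possible to lock an applet from the code of the applet itself, as a countermeasure to manipulations detected from within the code.
The obvious choice is to use `GPSystem.lockCard();`
It works, however I wonder whether it is possible to lock only the applet. I can also lock the applet itself from an authenticated session of the associated security domain. But is it possible from the applet code itself? It seems so, given the method `GPSystem.setCardContentState();` used with `GPSystem.APPLICATION_LOCKED`, so I also tested that, but it does not work.
Re-reading the description in the GP Card Specification 2.2 PDF: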
The OPEN shall reject any transition request from the Life Cycle State LOCKED;
The OPEN shall reject any transition request to the Life Cycle State LOCKED
Best answer
It's interesting to see how this mechanism evolved from GlobalPlatform Card specification 2.1.1 to 2.2.1 (still the same in 2.3):
The Card Issuer has a mechanism to disable the continued execution status of an on-card Application. This mechanism may be invoked from within the OPEN based on exceptions handled by the OPEN or from the use of externally invoked commands. The Card Issuer is the only entity that may initiate the locking of an Application.
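`GPSystem.setCardContentState()` is clearly defined to only allow changes to application-specific life cycle states (values between `0x07` and `0x7F` with the lowest 3 bits set). Since the constant for `APPLICATION_LOCKED` in later specifications is `0x80`, setting this state is not allowed. This is also made clear in the notes to this method: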
- The OPEN shall reject any transition request to the Life Cycle States INSTALLED or LOCKED.
The card has a mechanism to disable and subsequently re-enable the continued execution status of an on-card Application. This mechanism may be invoked from within the OPEN based on exceptions handled by the OPEN or from the use of externally invoked commands. An Application with Global Lock privilege, the Application itself or a directly or indirectly associated Security Domain are the only entities that may initiate the locking of an Application.
`GPSystem.setCardContentState()` is still not very clear. First, the description of the method still states that only values between `0x07` and `0x7F` with the lowest 3 bits set must be allowed:
This method sets the Application specific Life Cycle State of the current applet context. Application specific Life Cycle States range from 0x07 to 0x7F as long as the 3 low order bits are set.
- The OPEN shall reject any transition request to the Life Cycle State INSTALLED;
- The OPEN shall reject any transition request from the Life Cycle State LOCKED;
`APPLICATION_LOCKED`. `GPRegistryEntry.setState()`. The documentation of this method states:
- A transition request to Life Cycle state other than APPLICATION_LOCKED and APPLICATION_UNLOCKED shall be accepted only if the invoking Application corresponds to this GPRegistryEntry;
- An Application shall be able to lock and shall not be able to unlock itself;
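It would be interesting to see whether this works on the same card where `setCardContentState()` failed:

```java
GPSystem.getRegistryEntry(null).setState(GPSystem.APPLICATION_LOCKED);
```

It does not seem to make a difference whether `null` or `JCSystem.getAID()` is used as the parameter for `getRegistryEntry()`. `APPLICATION_LOCKED` successfully sets the state to locked (0x80). The state is then set to `previous_state | 0x80`. Trying to set other state values that have the upper bit set (e.g. 0x8F) does not work (as I expected).
`GPSystem.setCardContentState()` was changed (again). The change notes clearly indicate that the method was updated and now allows an application to lock itself (export file version 1.5, mapped to GP 2.2.1):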
- export file version 1.5: this method now allows the application associated with the current applet context to lock itself.
This method allows the application associated with the current applet context to change its state to an application specific life cycle state or to lock itself. An application cannot unlock itself using this method.
`APPLICATION_LOCKED`:
bState - an application specific life cycle state (0x07 to 0x7F with 3 low order bits set), or APPLICATION_LOCKED (0x80).
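`GPSystem.setCardContentState()` to change their own life cycle state to locked. `APPLICATION_LOCKED` successfully sets the state to locked (0x80). The state is then set to `previous_state | 0x80`. Trying to set other state values that have the upper bit set (e.g. 0x8F) does not work (as I expected).
In the case of `APPLICATION_LOCKED`, what you can do to overcome your problem is to use application-specific life cycle states: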
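```java
import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import org.globalplatform.GPSystem;

public class LockableApplet extends Applet {
    // [... applet installation / instantiation code ...]

    // Application-specific life cycle states (0x07 to 0x7F, 3 low-order bits set)
    private static final byte APPLICATION_STATE_UNLOCKED = (byte)0x07;
    private static final byte APPLICATION_STATE_LOCKED = (byte)0x7F;

    public boolean select() {
        // Refuse selection once the applet has put itself into the locked state
        if (GPSystem.getCardContentState() == APPLICATION_STATE_LOCKED) {
            return false;
        }
        return true;
    }

    public void process(APDU apdu) {
        if (selectingApplet()) {
            return;
        }

        // Reject every command while the applet is in the locked state
        if (GPSystem.getCardContentState() == APPLICATION_STATE_LOCKED) {
            ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
        }

        // [... applet logic code ...]
    }
}
```

```java
GPSystem.setCardContentState(APPLICATION_STATE_LOCKED);
```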
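The three mechanisms discussed in the answer, combined into one tamper-response routine, as an added example that is not part of the original answer: it tries `GPSystem.setCardContentState(GPSystem.APPLICATION_LOCKED)`, then the applet's own registry entry, and finally falls back to an application-specific state. The class name, `STATE_SOFT_LOCKED`, the `guard` integrity check and the handling of thrown exceptions are assumptions made for illustration.

```java
import javacard.framework.*;
import org.globalplatform.GPRegistryEntry;
import org.globalplatform.GPSystem;

// Added example: class name, state constant and the integrity check are hypothetical.
public class SelfLockingApplet extends Applet {
    // Application-specific states must lie in 0x07..0x7F with the 3 low-order bits set.
    private static final byte STATE_SOFT_LOCKED = (byte) 0x7F;

    // Constructed stand-in for "detected manipulation": a value stored with its complement.
    private short guard = (short) 0x5A5A;
    private short guardInv = (short) ~0x5A5A;

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new SelfLockingApplet().register();
    }

    // Try each self-lock mechanism from the answer, GlobalPlatform lock first.
    private static void lockSelf() {
        try {
            // GP 2.2.1 API (export file version 1.5): direct self-lock.
            if (GPSystem.setCardContentState(GPSystem.APPLICATION_LOCKED)) return;
            // GP 2.2 API: lock through the applet's own registry entry.
            GPRegistryEntry self = GPSystem.getRegistryEntry(null);
            if (self != null && self.setState(GPSystem.APPLICATION_LOCKED)) return;
        } catch (Exception e) {
            // Assumption: a card may throw instead of returning false; fall through.
        }
        // GP 2.1.1 behaviour: only an application-specific state is accepted.
        GPSystem.setCardContentState(STATE_SOFT_LOCKED);
    }

    private static boolean isLocked() {
        byte state = GPSystem.getCardContentState();
        // A GlobalPlatform lock reads back as previous_state | 0x80, so test the high bit too.
        return state == STATE_SOFT_LOCKED || (state & 0x80) != 0;
    }

    public boolean select() {
        return !isLocked();
    }

    public void process(APDU apdu) {
        if (selectingApplet()) return;
        if (guard != (short) ~guardInv) lockSelf();  // manipulation detected
        if (isLocked()) ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
    }
}
```

The fallback state is enforced only by the applet's own checks in `select()` and `process()`, whereas a successful `APPLICATION_LOCKED` transition is recorded in the card's registry and cannot be undone by the applet itself.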
Regarding security - how to self-lock a Javacard applet, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/37143978/