📄 jcrespec06firewall.html

📁 Java Card development kit specification, version 2.2.2
</P><P CLASS="Paragraph"><A NAME="pgfId-415116"></A>Objects referenced in static fields are just regular objects. They are owned by whoever created them and standard firewall access rules apply. If it is necessary to share them across multiple contexts, these objects need to be <A NAME="marker-416924"></A>Shareable Interface Objects (SIOs), see <A HREF="JCRESpec06firewall.html#54737" CLASS="XRef">Section 6.2.4, Shareable Interfaces</A>.</P><P CLASS="Paragraph"><A NAME="pgfId-415120"></A>Of course, the conventional Java technology protections are still enforced for static fields and methods. In addition, when applets are installed, the Installer verifies that each attempt to link to an external static field or method is permitted. Installation and specifics about linkage are beyond the scope of this specification.</P><H4 CLASS="Head3"><A NAME="pgfId-415121"></A>6.1.6.1	Optional Static Access Checks</H4><P CLASS="Paragraph"><A NAME="pgfId-415096"></A>The Java Card RE may perform optional runtime checks that are redundant with the constraints enforced by a verifier. A Java Card VM may detect when code violates fundamental language restrictions, such as invoking a private method in another class, and report or otherwise address the violation.</P><H2 CLASS="Head1"><A NAME="pgfId-406603"></A><DIV><HR ALIGN=left SIZE=6 WIDTH=15% noshade></DIV>6.2	Object <A NAME="marker-416925"></A>Access Across Contexts</H2><P CLASS="Paragraph"><A NAME="pgfId-406605"></A>The applet firewall confines an applet's actions to its designated context. To enable applets to interact with each other and with the Java Card RE, some well-defined yet secure mechanisms are provided so one context can access an object belonging to another context. 
</P><P CLASS="Paragraph"><A NAME="pgfId-406607"></A>These mechanisms are provided in the Java Card API and are discussed in the following sections:</P><UL><LI CLASS="Bullet1"><A NAME="pgfId-406609"></A><A HREF="JCRESpec06firewall.html#45517" CLASS="XRef">Section 6.2.1, Java Card RE Entry Point Objects</A></LI><P CLASS="Linebreak"></P><LI CLASS="Bullet1-"><A NAME="pgfId-406611"></A><A HREF="JCRESpec06firewall.html#53873" CLASS="XRef">Section 6.2.2, Global Arrays</A></LI><P CLASS="Linebreak"></P><LI CLASS="Bullet1-"><A NAME="pgfId-406613"></A><A HREF="JCRESpec06firewall.html#76678" CLASS="XRef">Section 6.2.3, Java Card RE Privileges</A></LI><P CLASS="Linebreak"></P><LI CLASS="Bullet1-"><A NAME="pgfId-406615"></A><A HREF="JCRESpec06firewall.html#54737" CLASS="XRef">Section 6.2.4, Shareable Interfaces</A></LI><P CLASS="Linebreak"></P></UL><H3 CLASS="Head2"><A NAME="pgfId-406625"></A>6.2.1	<A NAME="45517"></A>Java Card RE Entry Point <A NAME="marker-416926"></A>Objects</H3><P CLASS="Paragraph"><A NAME="pgfId-406627"></A>Secure computer systems must have a way for non-privileged user processes (that are restricted to a subset of resources) to request system services performed by privileged &quot;system&quot; routines.</P><P CLASS="Paragraph"><A NAME="pgfId-406629"></A>In the Java Card API, this is accomplished using Java Card RE Entry Point Objects. These are objects owned by the Java Card RE context, but they are flagged as containing entry point methods. </P><P CLASS="Paragraph"><A NAME="pgfId-406631"></A>The firewall protects these objects from access by applets. The entry point designation allows the methods of these objects to be invoked from any context. When that occurs, a context switch to the Java Card RE context is performed. These methods are the gateways through which applets request privileged Java Card RE system services. 
The requested service is performed by the entry point method after verifying that the method parameters are within bounds and all objects passed in as parameters are accessible from the caller's context.</P><P CLASS="Paragraph"><A NAME="pgfId-406633"></A>Following are the two categories of Java Card RE Entry Point Objects: </P><UL><LI CLASS="Bullet1"><A NAME="pgfId-406635"></A>Temporary Java Card RE Entry Point Objects </LI><P CLASS="Linebreak"></P></UL><P CLASS="ParaIndent1"><A NAME="pgfId-406637"></A>Like all Java Card RE Entry Point Objects, methods of temporary Java Card RE Entry Point Objects can be invoked from any context. However, references to these objects cannot be stored in class variables, instance variables or array components. The Java Card RE detects and restricts attempts to store references to these objects as part of the firewall functionality to prevent unauthorized reuse. </P><P CLASS="ParaIndent1"><A NAME="pgfId-406639"></A>The APDU object and all Java Card RE owned exception objects are examples of temporary Java Card RE Entry Point Objects.</P><UL><LI CLASS="Bullet1-"><A NAME="pgfId-406641"></A>Permanent Java Card RE Entry Point Objects</LI><P CLASS="Linebreak"></P></UL><P CLASS="ParaIndent1"><A NAME="pgfId-406643"></A>Like all Java Card RE Entry Point Objects, methods of permanent Java Card RE Entry Point Objects can be invoked from any context. 
Additionally, references to these objects can be stored and freely re-used.</P><P CLASS="ParaIndent1"><A NAME="pgfId-406645"></A>Java Card RE owned AID instances are examples of permanent Java Card RE Entry Point Objects.</P><P CLASS="Paragraph"><A NAME="pgfId-422781"></A>The Java Card RE is responsible for the following tasks:</P><UL><LI CLASS="Bullet1"><A NAME="pgfId-406649"></A>Determining what privileged services are provided to applets</LI><P CLASS="Linebreak"></P><LI CLASS="Bullet1-"><A NAME="pgfId-406651"></A>Defining classes containing the entry point methods for those services</LI><P CLASS="Linebreak"></P><LI CLASS="Bullet1-"><A NAME="pgfId-406653"></A>Creating one or more object instances of those classes</LI><P CLASS="Linebreak"></P><LI CLASS="Bullet1-"><A NAME="pgfId-406655"></A>Designating those instances as Java Card RE Entry Point Objects</LI><P CLASS="Linebreak"></P><LI CLASS="Bullet1-"><A NAME="pgfId-406657"></A>Designating Java Card RE Entry Point Objects as temporary or permanent</LI><P CLASS="Linebreak"></P><LI CLASS="Bullet1-"><A NAME="pgfId-406659"></A>Making references to those objects available to applets as needed</LI><P CLASS="Linebreak"></P></UL><BR><HR NOSHADE SIZE=1><TABLE CLASS="TipNote" DIR="LTR" WIDTH="100%" SUMMARY="TipNote"><COLGROUP SPAN="1" WIDTH="100%"><TR ALIGN="left" VALIGN="top"><TD ROWSPAN="1" COLSPAN="1" ABBR="TipNoteText"><P CLASS="TipNote"><B CLASS="TipNote">Note - </B><A NAME="pgfId-406661"></A>Only the methods of these objects are accessible through the firewall. The fields of these objects are still protected by the firewall and can only be accessed by the Java Card RE context.</P></TD></TR></TABLE><HR NOSHADE SIZE=1><BR><P CLASS="Paragraph"><A NAME="pgfId-406663"></A>Only the Java Card RE itself can designate Entry Point Objects and whether they are temporary or permanent. 
Java Card RE implementers are responsible for implementing the mechanism by which Java Card RE Entry Point Objects are designated and how they become temporary or permanent.</P><H3 CLASS="Head2"><A NAME="pgfId-406673"></A>6.2.2	<A NAME="53873"></A>Global <A NAME="marker-416927"></A>Arrays</H3><P CLASS="Paragraph"><A NAME="pgfId-406675"></A>The global nature of some objects requires that they be accessible from any context. The firewall would ordinarily prevent these objects from being used in a flexible manner. The Java Card VM allows an object to be designated as global.</P><P CLASS="Paragraph"><A NAME="pgfId-406677"></A>All global arrays are temporary global array objects. These objects are owned by the Java Card RE context, but can be accessed from any context. However, references to these objects cannot be stored in class variables, instance variables or array components. The Java Card RE detects and restricts attempts to store references to these objects as part of the firewall functionality to prevent unauthorized reuse.</P><P CLASS="Paragraph"><A NAME="pgfId-406679"></A>For added security, only arrays can be designated as global and only the Java Card RE itself can designate global arrays. Because applets cannot create them, no API methods are defined. Java Card RE implementers are responsible for implementing the mechanism by which global arrays are designated.</P><P CLASS="Paragraph"><A NAME="pgfId-406681"></A>At the time of publication of this specification, the only global arrays required in the Java Card API are the APDU buffer and the byte array input parameter (<KBD CLASS="Filename-Command">bArray</KBD>) to the applet's <KBD CLASS="Filename-Command">install</KBD> method. 
</P><BR><HR NOSHADE SIZE=1><TABLE CLASS="TipNote" DIR="LTR" WIDTH="100%" SUMMARY="TipNote"><COLGROUP SPAN="1" WIDTH="100%"><TR ALIGN="left" VALIGN="top"><TD ROWSPAN="1" COLSPAN="1" ABBR="TipNoteText"><P CLASS="TipNote"><B CLASS="TipNote">Note - </B><A NAME="pgfId-406683"></A>Because of the global status of the APDU buffer, the <EM CLASS="Emphasis">Application Programming Interface, Java Card Platform, Version 2.2.2</EM> specifies that this buffer is cleared to zeroes whenever an applet is selected, before the Java Card RE accepts a new APDU command. This is to prevent an applet's potentially sensitive data from being &quot;leaked&quot; to another applet via the global APDU buffer. The APDU buffer can be accessed from a shared interface object context and is suitable for passing data across different contexts. The applet is responsible for protecting secret data that may be accessed from the APDU buffer. </P></TD></TR></TABLE><HR NOSHADE SIZE=1><BR><H3 CLASS="Head2"><A NAME="pgfId-406693"></A>6.2.3	<A NAME="76678"></A>Java Card RE <A NAME="marker-416928"></A>Privileges</H3><P CLASS="Paragraph"><A NAME="pgfId-406695"></A>Because it is the &quot;system&quot; <A NAME="marker-416929"></A>context, the Java Card RE context has a special privilege. It can invoke a method of any object on the card. For example, assume that object X is owned by applet A. Normally, only the context of A can access the fields and methods of X. But the Java Card RE context is allowed to invoke any of the methods of X. 
During such an invocation, a context switch occurs from the Java Card RE context to the context of the applet that owns X.</P><P CLASS="Paragraph"><A NAME="pgfId-409837"></A>Again, because it is the &quot;system&quot; context, the Java Card RE context can access fields and components of any object on the card including <KBD CLASS="Filename-Command">CLEAR_ON_DESELECT</KBD> transient objects owned by the currently selected applet.</P><BR><HR NOSHADE SIZE=1><TABLE CLASS="TipNote" DIR="LTR" WIDTH="100%" SUMMARY="TipNote"><COLGROUP SPAN="1" WIDTH="100%"><TR ALIGN="left" VALIGN="top"><TD ROWSPAN="1" COLSPAN="1" ABBR="TipNoteText"><P CLASS="TipNote"><B CLASS="TipNote">Note - </B><A NAME="pgfId-406697"></A>The Java Card RE can access both methods and fields of X. Method access is the mechanism by which the Java Card RE enters the context of an applet. Although the Java Card RE could invoke any method through the firewall, it shall only invoke the <KBD CLASS="Filename-Command">select</KBD>, <KBD CLASS="Filename-Command">process</KBD>, <KBD CLASS="Filename-Command">deselect</KBD>, and <KBD CLASS="Filename-Command">getShareableInterfaceObject</KBD> (see <A HREF="JCRESpec06firewall.html#48770" CLASS="XRef">Section 6.2.7.1, Applet.getShareableInterfaceObject(AID, byte) Method</A>) methods defined in the Applet class, and methods on the objects passed to the API as parameters.</P></TD></TR></TABLE><HR NOSHADE SIZE=1><BR><P CLASS="Paragraph"><A NAME="pgfId-406699"></A>The Java Card RE context is the currently active context when the VM begins running after a card reset. The Java Card RE context is the &quot;root&quot; context and is always either the currently active context or the bottom context saved on the stack.
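<P CLASS="Paragraph">An added example, not part of the specification or of any Java Card RE implementation: a minimal applet that follows the rules of Sections 6.2.1 and 6.2.2 by holding the APDU object and global array references only in local variables, copying the install parameters into an applet-owned array, and wiping a secret from the APDU buffer once it sits in applet-owned memory. The package, class name, instruction byte and length limit are assumptions made for the example.</P>

```java
package example.firewall; // hypothetical package name

import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.JCSystem;
import javacard.framework.Util;

public class GlobalArrayDemo extends Applet {
    private static final byte INS_LOAD_SECRET = (byte) 0x20; // assumed instruction byte
    private static final short MAX_SECRET = 16;              // assumed maximum length

    private final byte[] installData; // applet-owned copy of the install parameters
    private final byte[] secret;      // applet-owned transient working copy

    private GlobalArrayDemo(byte[] bArray, short bOffset, short len) {
        // bArray is a global array: copy its contents, never keep the reference.
        installData = new byte[len];
        Util.arrayCopy(bArray, bOffset, installData, (short) 0, len);
        secret = JCSystem.makeTransientByteArray(MAX_SECRET, JCSystem.CLEAR_ON_DESELECT);
    }

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new GlobalArrayDemo(bArray, bOffset, (short) (bLength & 0xFF)).register();
    }

    public void process(APDU apdu) {
        if (selectingApplet()) {
            return;
        }
        // The APDU object is a temporary Entry Point Object and its buffer is a
        // global array. Assigning either reference to a field or an array
        // component is restricted by the Java Card RE, so both stay in locals.
        byte[] buf = apdu.getBuffer();
        if (buf[ISO7816.OFFSET_INS] != INS_LOAD_SECRET) {
            ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
        short len = apdu.setIncomingAndReceive();
        if (len <= 0 || len > MAX_SECRET) {
            ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        }
        // Move the secret into applet-owned memory, then wipe it from the
        // buffer, which code running in other contexts is able to read.
        Util.arrayCopyNonAtomic(buf, ISO7816.OFFSET_CDATA, secret, (short) 0, len);
        Util.arrayFillNonAtomic(buf, ISO7816.OFFSET_CDATA, len, (byte) 0);
    }
}
```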
