</P><H3 CLASS="Head2"><A NAME="pgfId-406711"></A>6.2.4 <A NAME="54737"></A>Shareable <A NAME="marker-416930"></A>Interfaces</H3><P CLASS="Paragraph"><A NAME="pgfId-406713"></A>Shareable interfaces are a feature in the Java Card API to enable applet interaction. A shareable interface defines a set of shared interface methods. These interface methods can be invoked from one context even if the object implementing them is owned by an applet in another context. </P><P CLASS="Paragraph"><A NAME="pgfId-406715"></A>In this specification, an object instance of a class implementing a shareable interface is called a <A NAME="marker-416932"></A>Shareable Interface Object (SIO).</P><P CLASS="Paragraph"><A NAME="pgfId-406717"></A>To the owning context, the SIO is a normal object whose fields and methods can be accessed. To any other context, the SIO is an instance of the shareable interface, and only the methods defined in the shareable interface are accessible. All other fields and methods of the SIO are protected by the firewall.</P><P CLASS="Paragraph"><A NAME="pgfId-409628"></A>Shareable interfaces provide a secure mechanism for inter-applet communication, as described in the following sections.</P><H4 CLASS="Head3"><A NAME="pgfId-409629"></A>6.2.4.1 Server Applet A Builds a Shareable Interface Object</H4><P CLASS="List1"><A NAME="pgfId-409630"></A>1. To make an object available for sharing with another applet in a different context, applet A first defines a shareable interface, SI. A shareable interface extends the interface <KBD CLASS="Filename-Command">javacard.framework.Shareable</KBD>. The methods defined in the shareable interface, SI, represent the services that applet A makes accessible to other applets.</P><P CLASS="List1-"><A NAME="pgfId-406725"></A>2. Applet A then defines a class C that implements the shareable interface SI. C implements the methods defined in SI. C may also define other methods and fields, but these are protected by the applet firewall. 
Only the methods defined in SI are accessible to other applets.</P><P CLASS="List1-"><A NAME="pgfId-406727"></A>3. Applet A creates an object instance O of class C. O belongs to applet A, and the firewall allows A to access any of the fields and methods of O.</P><H4 CLASS="Head3"><A NAME="pgfId-409635"></A>6.2.4.2 Client Applet B Obtains the Shareable Interface Object</H4><P CLASS="List1"><A NAME="pgfId-409636"></A>1. To access applet A's object O, applet B creates an object reference SIO of type SI.</P><P CLASS="List1-"><A NAME="pgfId-409637"></A>2. Applet B invokes a special method (<KBD CLASS="Filename-Command">JCSystem.getAppletShareableInterfaceObject</KBD>, described in <A HREF="JCRESpec06firewall.html#13023" CLASS="XRef">Section 6.2.7.2, JCSystem.getAppletShareableInterfaceObject Method</A>) to request a shared interface object reference from applet A.</P><P CLASS="List1-"><A NAME="pgfId-406735"></A>3. Applet A receives the request and the AID of the requester (B) via <KBD CLASS="Filename-Command">Applet.getShareableInterfaceObject</KBD>, and determines whether it will share object O with applet B. A's implementation of the <KBD CLASS="Filename-Command">getShareableInterfaceObject</KBD> method executes in A's context.</P><P CLASS="List1-"><A NAME="pgfId-406737"></A>4. If applet A agrees to share with applet B, A responds to the request with a reference to O. As this reference is returned as type <KBD CLASS="Filename-Command">Shareable</KBD>, none of the fields or methods of O are visible.</P><P CLASS="List1-"><A NAME="pgfId-406739"></A>5. Applet B receives the object reference from applet A, casts it to the interface type SI, and stores it in object reference variable SIO. Even though SIO actually refers to A's object O, SIO is an interface of type SI. Only the shareable interface methods defined in SI are visible to B. 
The firewall prevents the other fields and methods of O from being accessed by B.</P><P CLASS="Paragraph"><A NAME="pgfId-406741"></A>In this sequence, applet B initiates communication with applet A using the special system method in the <KBD CLASS="Filename-Command">JCSystem</KBD> class to request a Shareable Interface Object from applet A. Once this communication is established, applet B can obtain other Shareable Interface Objects from applet A using normal parameter passing and return mechanisms. It can also continue to use the special <KBD CLASS="Filename-Command">JCSystem</KBD> method described above to obtain other Shareable Interface Objects.</P><H4 CLASS="Head3"><A NAME="pgfId-406743"></A>6.2.4.3 Client Applet B Requests Services from Applet A</H4><P CLASS="List1"><A NAME="pgfId-406745"></A>1. Applet B can request service from applet A by invoking one of the shareable interface methods of SIO. During the invocation the Java Card VM performs a context switch. The original currently active context (B) is saved on a stack and the context of the owner (A) of the actual object (O) becomes the new currently active context. A's implementation of the shareable interface method (SI method) executes in A's context.</P><P CLASS="List1-"><A NAME="pgfId-406747"></A>2. The SI method can determine the AID of its client (B) via the <KBD CLASS="Filename-Command">JCSystem.getPreviousContextAID</KBD> method. This is described in <A HREF="JCRESpec06firewall.html#90229" CLASS="XRef">Section 6.2.5, Determining the Previous Context</A>. The method determines whether or not it will perform the service for applet B.</P><P CLASS="List1-"><A NAME="pgfId-406749"></A>3. Because of the context switch, the firewall allows the SI method to access all the fields and methods of object O and any other object in the context of A. At the same time, the firewall prevents the method from accessing non-shared objects in the context of B.</P><P CLASS="List1-"><A NAME="pgfId-412978"></A>4. 
The SI method can access the parameters passed by B and can provide a return value to B.</P><P CLASS="List1-"><A NAME="pgfId-412979"></A>5. During the return, the Java Card VM performs a restoring context switch. The original currently active context (B) is popped from the stack, and again becomes the currently active context.</P><P CLASS="List1-"><A NAME="pgfId-406755"></A>6. Because of the context switch, the firewall again allows B to access any of its objects and prevents B from accessing non-shared objects in the context of A.</P><H3 CLASS="Head2"><A NAME="pgfId-406767"></A>6.2.5 <A NAME="90229"></A>Determining the Previous <A NAME="marker-416933"></A>Context</H3><P CLASS="Paragraph"><A NAME="pgfId-406769"></A>When an applet calls <KBD CLASS="Filename-Command">JCSystem.getPreviousContextAID</KBD>, the Java Card RE shall return the instance AID of the applet instance active at the time of the last context switch.</P><H4 CLASS="Head3"><A NAME="pgfId-406773"></A>6.2.5.1 Java Card RE Context</H4><P CLASS="Paragraph"><A NAME="pgfId-406775"></A>The Java Card RE context does not have an AID. 
If an applet calls the <KBD CLASS="Filename-Command">getPreviousContextAID</KBD> method when the context of the applet was entered directly from the Java Card RE context, this method returns null.</P><P CLASS="Paragraph"><A NAME="pgfId-406777"></A>If the applet calls <KBD CLASS="Filename-Command">getPreviousContextAID</KBD> from a method that may be accessed either from within the applet itself or when accessed via a shareable interface from an external applet, it shall check for <KBD CLASS="Filename-Command">null</KBD> return before performing caller AID authentication.</P><H3 CLASS="Head2"><A NAME="pgfId-406787"></A>6.2.6 Shareable <A NAME="marker-416934"></A>Interface Details</H3><P CLASS="Paragraph"><A NAME="pgfId-409649"></A>A shareable interface is simply one that extends (either directly or indirectly) the tagging interface <KBD CLASS="Filename-Command">javacard.framework.Shareable</KBD>. This <KBD CLASS="Filename-Command">Shareable</KBD> interface is similar in concept to the <KBD CLASS="Filename-Command">Remote</KBD> interface used by the RMI facility, in which calls to the interface methods take place across a local/remote boundary.</P><H4 CLASS="Head3"><A NAME="pgfId-409650"></A>6.2.6.1 Java Card API Shareable Interface</H4><P CLASS="Paragraph"><A NAME="pgfId-409651"></A>Interfaces extending the <KBD CLASS="Filename-Command">Shareable</KBD> tagging interface have this special property: Calls to the interface methods take place across Java Card platform's applet firewall boundary by means of a context switch.</P><P CLASS="Paragraph"><A NAME="pgfId-406795"></A>The <KBD CLASS="Filename-Command">Shareable</KBD> interface serves to identify all shared objects. Any object that needs to be shared through the applet firewall shall directly or indirectly implement this interface. 
Only those methods specified in a shareable interface are available through the firewall.</P><P CLASS="Paragraph"><A NAME="pgfId-406797"></A>Implementation classes can implement any number of shareable interfaces and can extend other shareable implementation classes.</P><P CLASS="Paragraph"><A NAME="pgfId-406799"></A>Like any Java platform interface, a shareable interface simply defines a set of service methods. A service provider class declares that it "implements" the shareable interface and provides implementations for each of the service methods of the interface. A service client class accesses the services by obtaining an object reference, casting it to the shareable interface type, and invoking the service methods of the interface.</P><P CLASS="Paragraph"><A NAME="pgfId-406801"></A>The shareable interfaces within the Java Card technology shall have the following properties:</P><UL><LI CLASS="Bullet1"><A NAME="pgfId-406803"></A>When a method in a shareable interface is invoked, a context switch occurs to the context of the object's owner.</LI><P CLASS="Linebreak"></P><LI CLASS="Bullet1"><A NAME="pgfId-409232"></A>When the method exits, the context of the caller is restored.</LI><P CLASS="Linebreak"></P><LI CLASS="Bullet1"><A NAME="pgfId-409233"></A>Exception handling is enhanced so that the currently active context is correctly restored during the stack frame unwinding that occurs as an exception is thrown.</LI><P CLASS="Linebreak"></P></UL><H3 CLASS="Head2"><A NAME="pgfId-406817"></A>6.2.7 Obtaining <A NAME="marker-416936"></A>Shareable Interface Objects</H3><P CLASS="Paragraph"><A NAME="pgfId-406819"></A>Inter-applet communication is accomplished when a client applet invokes a shareable interface method of a SIO belonging to a server applet. For this to work, there must be a way for the client applet to obtain the SIO from the server applet in the first place. The Java Card RE provides a mechanism to make this possible. 
The <KBD CLASS="Filename-Command">Applet</KBD> class and the <KBD CLASS="Filename-Command">JCSystem</KBD> class provide methods to enable a client to request services from the server.</P><H4 CLASS="Head3"><A NAME="pgfId-406821"></A>6.2.7.1 <A NAME="48770"></A><KBD CLASS="Filename-Command">Applet.getShareableInterfaceObject(AID, byte)</KBD> Method</H4><P CLASS="Paragraph"><A NAME="pgfId-406823"></A>This method is implemented by the server applet instance. It shall be called by the Java Card RE to mediate between a client applet that requests to use an object belonging to another applet, and the server applet that makes its objects available for sharing.</P><P CLASS="Paragraph"><A NAME="pgfId-406825"></A>The default behavior shall return <KBD CLASS="Filename-Command">null</KBD>, which indicates that an applet does not participate in inter-applet communication.</P><P CLASS="Paragraph"><A NAME="pgfId-406827"></A>A server applet that is intended to be invoked from another applet needs to override this method. This method should examine the <KBD CLASS="Filename-Command">clientAID</KBD> and the parameter. If the <KBD CLASS="Filename-Command">clientAID</KBD> is not one of the expected AIDs, the method should return <KBD CLASS="Filename-Command">null</KBD>. Similarly, if the parameter is not recognized or if it is not allowed for the <KBD CLASS="Filename-Command">clientAID</KBD>, the method also should return <KBD CLASS="Filename-Command">null</KBD>. Otherwise, the applet should return an SIO of the shareable interface type that the client has requested.</P><P CLASS="Paragraph"><A NAME="pgfId-406829"></A>The server applet need not respond with the same SIO to all clients. 
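</P><P CLASS="Paragraph">Added example, not part of the specification: a server applet that applies the checks described above, returning null for an unexpected clientAID or parameter and checking the caller again inside the SI method with JCSystem.getPreviousContextAID (Section 6.2.5). The package name, the LoyaltyPoints interface, the AID bytes and PARAM_BALANCE are assumptions made for the illustration.</P>

```java
// --- File LoyaltyPoints.java (hypothetical) ---
// SI: the only methods that other contexts can invoke on the SIO.
package com.example.loyalty;

import javacard.framework.Shareable;

public interface LoyaltyPoints extends Shareable {
    short getBalance();
}

// --- File LoyaltyApplet.java (hypothetical) ---
package com.example.loyalty;

import javacard.framework.*;

// Server applet A. For brevity the applet instance is itself the SIO
// (class C and object O in the text).
public class LoyaltyApplet extends Applet implements LoyaltyPoints {
    // Constructed sample AID of the single client allowed to use the service.
    private static final byte[] CLIENT_AID =
        { (byte) 0xA0, 0x00, 0x00, 0x00, 0x62, 0x03, 0x01, 0x0C, 0x02 };
    private static final byte PARAM_BALANCE = (byte) 0x01; // assumed selector value

    private short balance; // not declared in LoyaltyPoints: firewall-protected

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new LoyaltyApplet().register();
    }

    private static boolean isExpectedClient(AID aid) {
        // A null AID never matches, so the null case is rejected as well.
        return aid != null
            && aid.equals(CLIENT_AID, (short) 0, (byte) CLIENT_AID.length);
    }

    // Invoked by the Java Card RE in A's context (6.2.7.1). Every refusal
    // returns null, so the client cannot tell the reasons apart.
    public Shareable getShareableInterfaceObject(AID clientAID, byte parameter) {
        if (!isExpectedClient(clientAID) || parameter != PARAM_BALANCE) {
            return null;
        }
        return this;
    }

    // SI method: runs in A's context after the context switch (6.2.4.3).
    public short getBalance() {
        // null means the context was entered directly from the Java Card RE,
        // not through a shareable call; this example refuses that case too.
        if (!isExpectedClient(JCSystem.getPreviousContextAID())) {
            ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
        }
        return balance;
    }

    public void process(APDU apdu) {
        if (!selectingApplet()) ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
    }
}
```

<P CLASS="Paragraph">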
The server can support multiple types of shared interfaces for different purposes and use <KBD CLASS="Filename-Command">clientAID</KBD> and <KBD CLASS="Filename-Command">parameter</KBD> to determine which kind of SIO to return to the client.</P><H4 CLASS="Head3"><A NAME="pgfId-406831"></A>6.2.7.2 <A NAME="13023"></A><KBD CLASS="Filename-Command">JCSystem.getAppletShareableInterfaceObject</KBD> Method</H4><P CLASS="Paragraph"><A NAME="pgfId-406833"></A>The <KBD CLASS="Filename-Command">JCSystem</KBD> class contains the method <KBD CLASS="Filename-Command">getAppletShareableInterfaceObject</KBD>, which is invoked by a client applet to communicate with a server applet.</P><P CLASS="Paragraph"><A NAME="pgfId-406835"></A>The Java Card RE shall implement this method to behave as follows:</P><P CLASS="List1"><A NAME="pgfId-424624"></A>1. The Java Card RE searches its internal applet table which lists all successfully installed applets on the card for one with <KBD CLASS="Filename-Command">serverAID</KBD>. If not found, <KBD CLASS="Filename-Command">null</KBD> is returned.</P><P CLASS="List1-"><A NAME="pgfId-424625"></A>2. If the server applet instance is not a multiselectable applet instance and is currently active on another logical channel, a <KBD CLASS="Filename-Command">SecurityException</KBD> is thrown. See <A HREF="JCRESpec04selection.html#32535" CLASS="XRef">Section 4.2, Multiselectable Applets</A>.</P><P CLASS="List1-"><A NAME="pgfId-424603"></A>3. The Java Card RE invokes this applet's <KBD CLASS="Filename-Command">getShareableInterfaceObject</KBD> method, passing the <KBD CLASS="Filename-Command">clientAID</KBD> of the caller and the parameter. </P><P CLASS="List1-"><A NAME="pgfId-406841"></A>4. A context switch occurs to the server applet, and its implementation of <KBD CLASS="Filename-Command">getShareableInterfaceObject</KBD> proceeds as described in the previous section. 
The server applet returns a SIO (or <KBD CLASS="Filename-Command">null</KBD>).</P><P CLASS="List1-"><A NAME="pgfId-406843"></A>5. <KBD CLASS="Filename-Command">getAppletShareableInterfaceObject</KBD> returns the same SIO (or <KBD CLASS="Filename-Command">null</KBD>) to its caller.</P><P CLASS="Paragraph"><A NAME="pgfId-406845"></A>For enhanced security, the implementation shall make it impossible for the client to tell which of the following conditions caused a <KBD CLASS="Filename-Command">null</KBD> value to be returned:</P><UL><LI CLASS="Bullet1"><A NAME="pgfId-406847"></A>The <KBD CLASS="Filename-Command">serverAID</KBD> was not found.</LI><P CLASS="Linebreak"></P><LI CLASS="Bullet1"><A NAME="pgfId-406849"></A>The server applet does not participate in inter-applet communication.</LI><P CLASS="Linebreak"></P><LI CLASS="Bullet1"><A NAME="pgfId-406851"></A>The server applet does not recognize the <KBD CLASS="Filename-Command">clientAID</KBD> or the <KBD CLASS="Filename-Command">parameter</KBD>.</LI><P CLASS="Linebreak"></P><LI CLASS="Bullet1"><A NAME="pgfId-406853"></A>The server applet does not communicate with this client.</LI><P CLASS="Linebreak"></P><LI CLASS="Bullet1"><A NAME="pgfId-406855"></A>The server applet does not communicate with this client as specified by the <KBD CLASS="Filename-Command">parameter</KBD>.</LI><P CLASS="Linebreak"></P><LI CLASS="Bullet1"><A NAME="pgfId-424598"></A>The applet's <KBD CLASS="Filename-Command">getShareableInterfaceObject</KBD> method throws an uncaught exception.</LI><P CLASS="Linebreak"></P></UL><H3 CLASS="Head2"><A NAME="pgfId-406865"></A>6.2.8 <A NAME="75443"></A>Class and <A NAME="marker-416937"></A>Object Access Behavior</H3><P CLASS="Paragraph"><A NAME="pgfId-406867"></A>A static class field is accessed when one of the following Java programming language bytecodes is executed:</P><PRE CLASS="Codeline"><A NAME="pgfId-406869"></A>getstatic, putstatic</PRE><P CLASS="Paragraph"><A NAME="pgfId-412900"></A>An object is 
accessed when one of the following Java programming language bytecodes is executed using the object's reference:</P><PRE CLASS="Codeline"><A NAME="pgfId-425609"></A>getfield, putfield, invokevirtual, invokeinterface, athrow, </PRE><PRE CLASS="Codeline"><A NAME="pgfId-415135"></A>&lt;T&gt;aload, &lt;T&gt;astore, arraylength, checkcast, instanceof</PRE><P CLASS="Paragraph"><A NAME="pgfId-406881"></A>&lt;T&gt; refers to the various types of array bytecodes, such as <KBD CLASS="Filename-Command">baload</KBD>, <KBD CLASS="Filename-Command">sastore</KBD>, etc.</P><P CLASS="Paragraph"><A NAME="pgfId-406883"></A>This list also includes any special or optimized forms of these bytecodes that can be implemented in the Java Card VM, such as <KBD CLASS="Filename-Command">getfield_b</KBD> and <KBD CLASS="Filename-Command">getfield_s_this</KBD>. </P><P CLASS="Paragraph"><A NAME="pgfId-406885"></A>Prior to performing the work of the bytecode as specified by the Java VM, the Java Card VM will perform an access check on the referenced object. If access is denied, a <KBD CLASS="Filename-Command">java.lang.SecurityException</KBD> is thrown. </P><P CLASS="Paragraph"><A NAME="pgfId-406887"></A>The access checks performed by the Java Card VM depend on the type and owner of the referenced object, the bytecode, and the currently active context. They are described in the following sections.</P><H4 CLASS="Head3"><A NAME="pgfId-423172"></A>6.2.8.1 Accessing<A NAME="marker-423171"></A> Static Class Fields</H4><P CLASS="Paragraph"><A NAME="pgfId-423176"></A>Bytecodes: