5

The Guide to Common Personalization describes the following process for personalization:

  • Reset
  • ATR
  • Select AID to personalize
  • Initiate Secure Channel
  • Multiple Store-data commands

The Secure Channel is established with the Security Domain and Store-data commands holding DGIs are forwarded to the Applet. The Applet has the Application and the Personalization interface from org.globalplatform package and inherits processData methods to make use of the Store-data commands.

The question now is if I have to implement the init-update and external-authenticate command in my applet myself as the Security Domain is not selected anymore and my applet does not know these INS? Does the JCRE automatically detect these GlobalPlatform APDUs and forward them to the SecurityDomain? If not why isn't this hidden/filtered by the JCRE?

Edit: I have found an old example on the Global Platform website from 2006 called CPSDemonstrator: http://www.globalplatform.org/specificationform.asp?fid=6596 Besides the deprecated API calls, is this still the standard way to do it?

Paul Bastian

1 Answer

4

No, you don't need to implement the secure channel functions yourself: you can use the Security Domain for that. It is often a business decision: do you control the keys to that Security Domain yourself, or a trusted partner?

Let's say that you do. Then, the Secure Channel can be established to the Security Domain (selecting the Secure Channel's AID), which already implements all the necessary functionality. Once established, you can send STORE DATA APDUs to your applet if you first send an INSTALL[for personalization] APDU to the Security Domain, indicating your applet's AID within the command parameters. Step-by-step:

  1. SELECT the Security Domain
  2. Establish Secure Channel to the SD: INITIALIZE_UPDATE, EXTERNAL_AUTHENTICATE
  3. INSTALL[for personalization]. In the command's data field, send your applet's AID
  4. STORE DATA - it will be forwarded to your applet

Internally, inside the card, the Security Domain will decrypt these STORE DATA APDUs and forward them to your applet, calling its processData method.

INSTALL[for personalization] is meant to be used if you want to personalize your application before it has been "made selectable". Once the applet is selectable, you can set up a secure channel towards the applet's AID. The applet just needs to implement the SecureChannel interface (http://www.win.tue.nl/pinpasjc/docs/apis/gp211/org/globalplatform/SecureChannel.html) to delegate authentication and encryption to its associated Security Domain.

To answer your question: you DO NOT need to implement the security commands in your applet.

mictter
  • Thanks mictter, apparently my JCOP documentation says: "The INSTALL [for personalization] command is not supported". Does it mean there is no Specification compliant way for GP personalization? – Paul Bastian Dec 16 '14 at 12:14
  • I just rechecked the spec: supporting INSTALL[for personalization] is not mandatory for GP 2.1.1 cards, so it may not support it while being compliant to the spec. – mictter Dec 17 '14 at 08:34
  • But then how does the Security Domain know to which applet it needs to forward the store-data command? Do I need to select my applet and implement extAuth using the org.globalplatform.SecureChannel object? – Paul Bastian Dec 17 '14 at 14:28
  • 1
    If your card does not implement INSTALL[for perso], the Security Domain will just not forward the STORE DATA to any applet. So the only way to send data to your applet will be to make it selectable and set up the secure channel to it - but you can still reuse the security domain's implementation. I have edited my answer to reflect this. – mictter Dec 17 '14 at 15:13
  • So it seems that it is impossible to get into the ProcessData() method and I am looking for Store-Data tag 'E2' in the normal process tree. Because the documentation for processData says: "This method processes application specific data received from another entity on the card. If this other entity is the Application's associated Security Domain, this data is the APDU buffer." As I cannot delegate APDUs directly from the SD to the Applet because [INSTALL for personalization] is revoked, I think it's either not possible or there must be a substitute for this. Can anybody confirm this? – Paul Bastian Dec 18 '14 at 14:34
  • I was looking through my profile and just found that the answer turned out to be true, so here is my late upvote. – Paul Bastian Sep 14 '15 at 15:27
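
The selectable-applet route described in the answer and comments above, as an added Java Card example (not code from the thread, the CPSDemonstrator or GlobalPlatform): the applet passes INITIALIZE UPDATE and EXTERNAL AUTHENTICATE to its associated Security Domain through `org.globalplatform.SecureChannel` and only accepts STORE DATA ('E2') once the session is authenticated. The class name `PersoApplet`, the DGI value `0101`, the `holderName` field and the one-DGI-per-command layout with a one-byte length are assumptions made for illustration.

```java
import javacard.framework.*;
import org.globalplatform.GPSystem;
import org.globalplatform.SecureChannel;

public class PersoApplet extends Applet { // hypothetical applet name
    private static final byte INS_INITIALIZE_UPDATE = (byte) 0x50;
    private static final byte INS_EXTERNAL_AUTHENTICATE = (byte) 0x82;
    private static final byte INS_STORE_DATA = (byte) 0xE2;
    private static final short DGI_HOLDER_NAME = (short) 0x0101; // constructed DGI
    private final byte[] holderName = new byte[32];              // constructed field

    public static void install(byte[] buf, short off, byte len) {
        new PersoApplet().register(buf, (short) (off + 1), buf[off]);
    }

    public void process(APDU apdu) {
        if (selectingApplet()) return;
        byte[] buf = apdu.getBuffer();
        // Handle to the secure channel service of the associated Security Domain.
        SecureChannel sc = GPSystem.getSecureChannel();
        switch (buf[ISO7816.OFFSET_INS]) {
        case INS_INITIALIZE_UPDATE:
        case INS_EXTERNAL_AUTHENTICATE:
            // Keys and cryptogram checks stay in the Security Domain; the applet
            // only returns the response that processSecurity() left at OFFSET_CDATA.
            apdu.setOutgoingAndSend(ISO7816.OFFSET_CDATA, sc.processSecurity(apdu));
            break;
        case INS_STORE_DATA:
            // Refuse personalization data outside an authenticated session.
            if ((sc.getSecurityLevel() & SecureChannel.AUTHENTICATED) == 0)
                ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
            short total = (short) (ISO7816.OFFSET_CDATA + apdu.setIncomingAndReceive());
            // unwrap() checks the C-MAC and decrypts as the session level requires;
            // it returns the length of the unwrapped command (header plus data).
            short end = sc.unwrap(buf, ISO7816.OFFSET_CLA, total);
            storeDgi(buf, ISO7816.OFFSET_CDATA, end);
            break;
        default:
            ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }

    // Assumed layout: one DGI per command, 2-byte DGI, 1-byte length, value.
    private void storeDgi(byte[] buf, short off, short end) {
        if ((short) (end - off) < 3) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        if (Util.getShort(buf, off) != DGI_HOLDER_NAME) ISOException.throwIt(ISO7816.SW_WRONG_DATA);
        short len = (short) (buf[(short) (off + 2)] & 0xFF);
        if (len > (short) holderName.length || (short) (off + 3 + len) > end)
            ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        Util.arrayCopy(buf, (short) (off + 3), holderName, (short) 0, len);
    }
}
```

Requiring `C_MAC` or `C_DECRYPTION` in addition to `AUTHENTICATED` in the security-level check is the natural tightening when the DGIs carry keys or PINs.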