3

The JCRE specification mentions that the currently selected applet's "deselect" method is called if there is a new selection APDU for another applet. What about selecting a file from the file system? Does selecting a file cause the deselect method of the currently selected applet to be called?

  • 1
    I'm a little bit puzzled: Java Cards typically have only applets to select, and if there are elementary files you typically have no Java Card. – guidot Oct 24 '18 at 20:05
  • There's no such restriction as such. I have seen a smart card containing both applets and a file system, e.g. eSIM, ePassport etc. – Ishwar Chandra Oct 30 '18 at 08:49

3 Answers

5

No, selecting a file does not deselect the applet if the file belongs to that applet. But if you select another applet, that means you deselect the current applet.

jiten
  • Suppose I select an applet A and then select a file x in it, and then send any command other than a SELECT APDU. Will this command still be processed by the same applet? – Ishwar Chandra Oct 23 '18 at 11:09
  • 6
    As far as I know, until you select another applet, all APDUs will be processed by the previously selected applet. – jiten Oct 23 '18 at 11:13
3

No, selection of a file does not deselect an applet. The currently active context remains active. The Java Card runtime of a system catches any SELECT by Name APDU and handles it. This means that only XX A4 04 YY APDUs followed by an AID are capable of applet selection and therefore deselection (I'm ignoring channels in this answer).

This has some - possibly unexpected - issues:

  • it is impossible to select files using an encrypted SELECT by Name APDU (no support for secure channels);
  • it is impossible to select an applet using SELECT by File ID or SELECT by Path;
  • it is impossible to select a default selected applet using SELECT MF or similar commands;
  • selection by name will deselect and then select (i.e. reselect) an applet even if it is already the current selected applet.

Although Java Card uses APDUs, it is rather different from file system cards. Initially Java Cards came with a file system API, making it easier to mimic a full ISO 7816-4 file system card. That's however long gone; basically Java Card now just uses SELECT by Name for applet selection.

If there are any other file system features on the card then they are either part of an extended runtime - there are file system card / Java Card hybrids out there - or the file system features are simply implemented within an applet. One applet can be installed as default selected applet that gets selected after power on or a card reset. This applet can also implement a file system, but it will still be deselected after the runtime handles a (successful) SELECT by Name command.

A relatively special applet in that sense is the Card Manager, which also implements a security domain. And that brings me to the final point to make: to understand how all this works it is probably best to read the right sections in the freely available GlobalPlatform card specification rather than just the Java Card specs. Note that GP only (used to?) define short length APDUs, which means that SELECT by Name APDUs that use extended length may well fail.

Note that SELECT by Name APDUs are always passed to the currently active applet (if any) after the runtime has handled them. This allows the applet to handle SELECT by Name for unregistered AIDs. It also allows the applet to return File Control Information in case P2 is not set to 0C (in which case the applet should not return any info).


Due to changes in my work environment I wasn't able to join the Global Platform group to make changes on how Java Card applet selection works. It is exceedingly difficult to implement protocols that rely on a file system that includes many files in the MF. Clearly a more focused approach is required that does allow more room for applet selection / deselection using different means such as SELECT by Path.

Unfortunately protocols such as ePassport do use some pretty nasty ISO 7816-4 specified features including extensive use of the MF. That is as much a mistake in the ePassport protocol as a Java Card issue though. The fact that ISO 7816-4 leaves a lot of details to the protocol / file system implementation doesn't help. It may just be the worst defined standard out there; its unclarity and ambiguousness is only matched by its popularity.

Maarten Bodewes
  • Thank you for the detailed answer, but what made you say "It is exceedingly difficult to implement protocols that rely on a file system that includes many files in the MF"? Is there any issue with the number of files under the MF and selection of the applet? – Ishwar Chandra Nov 07 '18 at 08:28
  • @IshwarChandra No, it has mainly to do with state. The problem is that your applet gets deselected if selection by name takes place. If secure messaging is implemented, then selection cannot take place because the default applet cannot select other applets. The state cannot be shared either. Selection of the MF from other applets is impossible, etc. ... – Maarten Bodewes Nov 07 '18 at 10:31
1

I will answer based on my experience and I'm open to discussion, as this is an issue I always find quite strange. The command for selecting an applet and a DF is very, very similar, although for the select DF you can implement whatever INS you like in your application ;)

00 A4 04 00 LC AID/DFID

Suppose you have two applications on the card:

  • AppA - AID 0102030405060A with DF ABABABABABAB
  • AppB - AID 0102030405060B with DF 0102030405060A

The APDU trace will be something like that:

> 00 A4 04 00 07 0102030405060A
< 90 00 --> AppA selected
> 00 A4 04 00 06 ABABABABABAB
< 90 00 --> DF within AppA selected
> 00 A4 04 00 07 0102030405060B
< 90 00 --> AppB selected
> 00 A4 04 00 07 0102030405060A
< 90 00 --> AppA selected

At least in some tests I did a while ago the behavior was like that. The SELECT command A4 is first handled by the Card Manager, and afterwards, if there is no application matching the ID, it is redirected to the currently selected application.

I will try to repeat those tests if I have some time available and let you know.

P.S.: I'm usually working with Optelio cards and I don't know if this behavior is card dependent.

jlanza
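As an added example, not code from any of the answers above and not from any real Java Card implementation: a small Python model of the SELECT dispatch rules described in Maarten Bodewes' answer (the runtime intercepts SELECT by Name for a registered AID, deselects the current applet and then selects the target, and every other SELECT is passed to the currently selected applet to interpret as a file selection), run over the APDU trace from jlanza's answer. The applet AIDs and DF identifiers are taken from that trace; the FCI layout, exact-AID matching, a single logical channel and "only SELECT is implemented" are simplifying assumptions of this model.

```python
# Added example: toy model of Java Card SELECT dispatch. Applet AIDs and
# DF identifiers are the made-up values from jlanza's trace; FCI layout,
# exact-AID matching and single-channel behaviour are assumptions.
from dataclasses import dataclass

SW_OK = bytes.fromhex("9000")
SW_FILE_NOT_FOUND = bytes.fromhex("6A82")
SW_INS_NOT_SUPPORTED = bytes.fromhex("6D00")
SW_APPLET_SELECT_FAILED = bytes.fromhex("6999")  # ISO7816.SW_APPLET_SELECT_FAILED


@dataclass
class Apdu:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes

    @classmethod
    def parse(cls, raw: bytes) -> "Apdu":
        """Parse a short-length command APDU (any trailing Le byte is ignored)."""
        if len(raw) < 4:
            raise ValueError("APDU shorter than the 4-byte header")
        cla, ins, p1, p2 = raw[:4]
        if len(raw) == 4:
            return cls(cla, ins, p1, p2, b"")
        lc = raw[4]
        data = raw[5:5 + lc]
        if len(data) != lc:
            raise ValueError("Lc does not match the command data length")
        return cls(cla, ins, p1, p2, data)

    def is_select_by_name(self) -> bool:
        return self.ins == 0xA4 and self.p1 == 0x04


def fci(name: bytes) -> bytes:
    """Minimal FCI template 6F L 84 L <name>; structure only (assumption)."""
    body = bytes([0x84, len(name)]) + name
    return bytes([0x6F, len(body)]) + body


class Applet:
    """Stand-in for javacard.framework.Applet: select/deselect/process."""

    def __init__(self, aid: bytes, files: dict):
        self.aid = aid
        self.files = files          # DF/file identifier -> FCI (made-up data)
        self.current_file = None    # applet-internal selection state
        self.log = []               # records the runtime's callbacks

    def select(self) -> bool:
        self.log.append("select")
        self.current_file = None    # (re)selection resets applet state
        return True

    def deselect(self) -> None:
        self.log.append("deselect")

    def process(self, apdu: Apdu, selecting: bool) -> bytes:
        if apdu.ins != 0xA4:
            return SW_INS_NOT_SUPPORTED          # only SELECT is modelled
        if selecting:
            # Runtime already switched to us; P2 = 0C means no FCI wanted.
            return SW_OK if apdu.p2 == 0x0C else fci(apdu.data) + SW_OK
        # Any other SELECT (by file ID/path, or by a name the runtime does
        # not know) reaches the current applet, which treats it as a file.
        if apdu.data not in self.files:
            return SW_FILE_NOT_FOUND
        self.current_file = apdu.data
        return SW_OK if apdu.p2 == 0x0C else self.files[apdu.data] + SW_OK


class Runtime:
    """JCRE side: catches SELECT by Name for registered AIDs (exact match)."""

    def __init__(self, applets, default_aid: bytes = None):
        self.registry = {a.aid: a for a in applets}
        self.current = self.registry.get(default_aid)

    def transmit(self, raw: bytes) -> bytes:
        apdu = Apdu.parse(raw)
        selecting = False
        target = self.registry.get(apdu.data) if apdu.is_select_by_name() else None
        if target is not None:
            if self.current is not None:
                self.current.deselect()          # even if target is current
            if not target.select():
                self.current = None
                return SW_APPLET_SELECT_FAILED
            self.current = target
            selecting = True
        if self.current is None:
            return SW_FILE_NOT_FOUND             # no applet to forward to
        return self.current.process(apdu, selecting)


def run_trace(runtime: Runtime, commands) -> list:
    """Return (command hex, response hex, current AID hex) per command."""
    out = []
    for cmd in commands:
        resp = runtime.transmit(bytes.fromhex(cmd))
        cur = runtime.current.aid.hex().upper() if runtime.current else None
        out.append((cmd.replace(" ", "").upper(), resp.hex().upper(), cur))
    return out


# Constructed card: AIDs and DF identifiers from jlanza's trace.
TRACE = [
    "00 A4 04 00 07 0102030405060A",   # AppA selected by the runtime
    "00 A4 04 00 06 ABABABABABAB",     # unregistered name: passed to AppA
    "00 A4 04 00 07 0102030405060B",   # AppA deselected, AppB selected
    "00 A4 04 00 07 0102030405060A",   # AppB deselected, AppA reselected
]


def make_card():
    app_a = Applet(bytes.fromhex("0102030405060A"),
                   {bytes.fromhex("ABABABABABAB"): fci(bytes.fromhex("ABABABABABAB"))})
    app_b = Applet(bytes.fromhex("0102030405060B"),
                   {bytes.fromhex("0102030405060A"): fci(bytes.fromhex("0102030405060A"))})
    return Runtime([app_a, app_b]), app_a, app_b


if __name__ == "__main__":
    rt, a, b = make_card()
    for cmd, resp, cur in run_trace(rt, TRACE):
        print(f"> {cmd}\n< {resp}   (current applet: {cur})")
    print("AppA callbacks:", a.log)
    print("AppB callbacks:", b.log)
```

Running the trace shows the two points both answers make: AppB's DF with identifier 0102030405060A is never reached, because the runtime intercepts that value as AppA's AID first, and a SELECT by File ID carrying AppB's AID (P1 = 00) stays with the current applet and fails with 6A82 instead of switching applets.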