All geek questions in one place

Java map: can applets be installed by other applets?

In a Java map, is it usually possible for new applications to be installed from the context of an existing application on the map, for example, by sending a new code via the messaging format defined in the application, and then creating a new application instance using the API for the card manager?

Or is it only possible externally using the appropriate APDUs?

If this does not apply to the Java map and / or the GlobalPlatform specification, can this be done using vendor-specific methods?

+5
source share
2 answers

No, It is Immpossible.

You cannot send APDUs from the applet to the Card Manager applet, which is what you need to install a new applet. The map manager also does not provide any Shareable interface for this task (usually).

The only way is to send the APDUs through the terminal, but that is not what you probably want. This method would be easy: your applet would need to save the full binary file of the newly installed applet and map manager keys.

But!

You can install the applet with another applet on the SIM card using the so-called proactive commands, see this SO answer . If the device allows this, you can send the PERFORM CARD APDU from the first SIM card slot to the second SIM card slot and install a new applet in this way. Then you can use this new applet on SIM2 to install another applet on SIM1.

In addition, you can send OTA commands using proactive commands and install a new instance of the applet remotely. I tried this a few years ago with a very simple pair of applets and a test SIM, and it worked.

It is theoretically possible to implement a Java Card applet that will be distributed over the mobile network if you have all the necessary keys. However, this is closely related to the quine Java map, which, to my knowledge, has not been resolved.

+5
source
Theoretically, this is possible for regular Java maps, given that:
  • You can install the applet with the security domain privilege (support for this is optional);
  • The security domain has the ability to execute INSTALL [for download] (support for this is optional);
  • the applet can receive and modify the APDU buffer before the Security Domain functionality is activated (using SecureChannel.processSecurity ) - since processSecurity itself must receive these commands in accordance with the specifications, this is hardly possible, you might think first; / li>
  • the applet was granted access to the keys for recounting the MAC (these keys are hidden from the applet itself), assuming that the card is in GP_SECURE mode.

In this case, you can convert your own APDU to a specific APDU that meets the GP specifications, and simply call SecureChannel.processSecurity to process them.

I practically donโ€™t think it will ever be, but you never know. You are clearly looking at the security protocols specific to the implementation of the card, so Iโ€™m sure that you will be asked very clear questions, someone is checking the solution.

Now, if you just want to install applets through your own security domain, this is clearly covered by the global platform. You just check the product manuals if the security domains and INSTALL [for download] are supported, and you are good to go.

As vojta already pointed out, there is no API for passing INSTALL [for Load] commands, so you are stuck programmatically.

An incredibly stupid way to do this is to program your own virtual machine and install it as an applet. This is probably not practical in 99.999% of cases. Of course, it will be available only as the virtual machine itself, it will not be provided with its own application identifier (AID).

+5
source

Source: https://habr.com/ru/post/1260307/

More articles:


All Articles