OpenCard Framework 1.2 Programmer's Guide - OpenSCDP
OpenCard Framework 1.2 Programmer's Guide - OpenSCDP
OpenCard Framework 1.2 Programmer's Guide - OpenSCDP
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
work with smart card<br />
try {<br />
// wait for smart card<br />
SmartCard sc = SmartCard.waitForCard(<br />
new CardRequest(opencard.opt.iso.fs.FileAccessCardService.class));<br />
// get file system card service<br />
FileAccessCardService fscs =<br />
card.getCardService(opencard.opt.iso.fs.FileAccessCardService.class, false);<br />
// for file oriented card use a path as security domain<br />
CardFilePath domain = new CardFilePath(":3F00:C110");<br />
// add root key bag<br />
fscs.provideCredentials(domain, credBag);<br />
// keep going<br />
// ...<br />
} catch <strong>OpenCard</strong> Exceptions {<br />
// ...<br />
}<br />
Observe that the Key and KeyStore classes in the code sample are fictitious; look<br />
into the documentations provided by your card service provider to find out the<br />
proper classes to use with your card services.<br />
Performing cardholder verification<br />
The card-resident component of a smart card application typically resides within a<br />
directory (DF) of the smart card file system. Access to this application directory is<br />
usually granted only if the cardholder’s identity can be successfully verified. This<br />
verification process is called cardholder verification (CHV) and is commonly based<br />
on a secret shared between the card-resident application and the cardholder. The<br />
secret is called CHV data and can be a PIN code or password that the cardholder<br />
must provide after being prompted for input.<br />
The prompting of the cardholder and the acquisition of the CHV data can be<br />
performed in one of two ways:<br />
GUI-based<br />
The cardholder is presented with a GUI that prompts for input of the CHV<br />
data. The assumption here is that the application is running in a general<br />
purpose computing device with display and keyboard or pen input and a<br />
smart card reader attached to it.<br />
Terminal-based<br />
The cardholder is prompted for input by the card terminal. The<br />
assumption here is that the card terminal has a built-in (simple) display<br />
and keyboard or PIN pad.<br />
Both approaches have their pluses and minuses. The GUI-based CHV acquisition<br />
gives the application programmer complete freedom in forming the visual<br />
appearance of the dialog with the user; this may be desirable if company branding<br />
is important for all interactions with a cardholder. The disadvantage is that the<br />
sensitive CHV data is entered via a normal keyboard and is maintained in the<br />
computer’s memory and, therefore, is subject to eavesdropping attacks. In contrast,<br />
the terminal-based approach keeps the sensitive data within the security perimeter<br />
of card terminal devices, which are often designed and manufactured to meet<br />
certain security criteria. The drawback of these devices is that they typically offer<br />
only simple text-based dialog capability.<br />
Chapter 5. Advanced programming with OCF 39