OwnerPIN problem !
Hi
I use an OnwerPIN object to prevent RFID reader device from executing particular instruction of the applet.
It is created in the applet constructor.
it is initiated in the intall() method with a defaut PIN code.
a verifyPIN() instruction is used for the user to validate the PIN object.
the OwnerPIN.reset() is called once a sequence a instruction has been correctly completed (thus enabling the user not to re enter the PIN code if the sequence has to be replayed due to an interruption).
So theorically, one can enter the pin code, thus activating it, go out of field, then come back back and play the sequence of instruction. But it doesn't work. The pin code seems reseted, I have to re enter it, in order to correctly play this sequence. It works fine if within the same session. (I'm using JCOP).
My goal is to write a midlet that allow the service to be activated by a PIN code. I correctly activate the PIN code (return apdu indicates me that), but can't play the sequence of instruction afterwards...
Could it come from the implementation of the PIN interface? I'll try to write my own, but in the same time, i'll appreciate an answer to this question :) .
thanks!
[1242 byte] By [
jillemasha] at [2007-11-27 2:35:30]
# 2
ok, here's the source...
Declarations
private final static byte INS_VERIFY = (byte) 0x20;
private static byte MAX_TRIES = 0x03;
private static byte PIN_SIZE = 0x04;
private static OwnerPIN pin;
private static byte[] defaultPIN = { 0x30, 0x30, 0x30, 0x30 };
/** status echec pr閟entation PIN */
private final static short SW_VERIFICATION_FAILED = 0x6300;
/** status echec pr閟entation PIN */
private final static short SW_PIN_BLOCKED = 0x6302;
/** statut pr閟entation PIN n閏essaire */
private final static short SW_PIN_VERIFICATION_REQUIRED = 0x6301;
constructor :
pin = new OwnerPIN(MAX_TRIES, PIN_SIZE);
install()
pin.update(defaultPIN, (short) 0, PIN_SIZE);
process()
...
case INS_1:
if (!pin.isValidated()) {
ISOException.throwIt(SW_PIN_VERIFICATION_REQUIRED);
}
process1(apdu);
break;
case INS_2:
if (!pin.isValidated()) {
ISOException.throwIt(SW_PIN_VERIFICATION_REQUIRED);
}
process2(apdu);
break;
case INS_VERIFY:
processVerifyPIN(apdu);
break;
...
at the end of process2() :
pin.reset();
there...
by the way, I wrote my own PIN object, and now it works fine... so it was indeed due to OwnerPIN implementation...
# 3
This is how SUN implemented the PIN. Check Java Card API, javacard.famework.PIN or OwnerPIN.isValidated() :.. Returns true if a valid PIN has been presented since the last card reset or last call to reset().
So you see that there are two conditions when the PIN is reset. You cannot carry on after a hard reset. So, as you already did, you need your own implementation for the PIN. But beware, there are security risks regarding your implementation.
# 4
oops sorry,
I can't believe I didn't see that,...
i've read the javadoc while implementing my own class, though :P hehe ...
in order to stick to specifications...
Ok thanks!
I totally agree for the security matter, but I'm not the one who wrote the specs ;), so...
^_^
