Java Card™ 3 Platform

Peter Allenbach, Sun Microsystems, Inc.

Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.

Agenda

• From plastic to Java Card 3.0
• Things to know about Java Card 3.0
• Introducing Java Card 3.0
• Java Card 3.0 vs. Java SE
• Java Card 3.0 vs. Java ME
• Java Card 3.0 vs. Java EE
• More About Web Applications
• Reference Implementation (RI)
• Say Hello using Java Card 3.0 RI
• Q & A


From Plastic to Java Card 3.0: The Beginning

Plastic cards
• Introduced in the 50's
• Cardholder identification and authentication
  • Signature, then magstripe and PIN codes

Smart cards
• Introduced in the 80's
• Local authentication server, stored value
  • On-card PIN verification
  • Storage of sensitive information
  • Later, cryptography

Original photo by Mitek: http://www.flickr.com/photos/mikek/40737702/


From Plastic to Java Card 3.0: The Smart in the Card

A single chip in every card

Very limited resources
• In particular, RAM


From Plastic to Java Card 3.0: Java Card 2

Introduces applications to smart cards
• Interoperability of platforms, portability of applications
• Multiple applications, with security guarantees
• Dynamic application management

Runs on low-end smart cards
• Less memory (4-8K of RAM and 32-64K of EEPROM)
• 8 Bit Processors (Slow)

Widely used technology for a decade
• It is the dominant smart card technology today

Very limited subset of Java
• Partial support of basic types (8/16-bit values, no float, no String)
• Very small subset of the APIs
• Specific and pre-processed binary file format (CAP file)
• Single threaded, no garbage collection


From Plastic to Java Card 3.0: Java Card 3.0

Major evolution of Java Card 2
• Same principles: interoperability, security, multiple applications
• Exploitation of new hardware features
  • More memory, more processing power, enhanced communication

New capabilities for new use cases
• A true personal Web server for enhanced user interaction
• Possibility to initiate an action for more flexibility
• Enhanced application model for more collaboration

Two editions
• Classic Edition
  • Supports only Classic Applets
  • Basically, Java Card 3.0 Classic is an evolution of Java Card 2
• Connected Edition
  • New and improved model, and the topic of this talk


Most Important Thing About Java Card

Security is Paramount

“Web Server in the Street”


Things to know about Java Card

• Java Card is a Server
• VM never exits
• Two heaps
• Persistent Objects
• Firewall between applications
• Inter Application Communication
• Atomicity and Transactions


Things to know about Java Card

Java Card is a server
• Process incoming requests, and send response back to client

Communication Protocols
• APDUs (serial) is the traditional card-specific protocol
• HTTP(S) for Java Card 3.0 Connected Edition using high speed interfaces like USB

Two major communication interfaces
• Contactless
  • Just put the card close to the reader
• Contacted
  • Inserted into card reader
  • USB


Things to know about Java Card: VM Never Exits

“Card Initialization” happens only once
• This is when the VM initialization happens
• All required static data structures are created at this time
• Card starts listening for incoming requests

“Card Reset” happens every time the card loses power
• If card is taken out (card tear) – everything stops
• When card is inserted again into card reader
  • RAM heap is lost
  • System ensures that data is consistent across tears
  • Card starts listening for incoming requests


Things to know about Java Card: Two Heaps

[Figure: Non-Volatile Heap (Persistent Objects) and Volatile Heap (Session Objects)]

Unlike standard Java, Java Card has two heaps
• All Session Objects created in Volatile Memory
• Objects that are reachable from root of persistence will be in Non-Volatile Memory


Things to know about Java Card: Persistent Objects

    import java.util.Vector;

    public class PersistenceExample {

        void aMethod() {
            // New objects start out in the volatile heap
            Vector<String> v = new Vector<String>();
            v.addElement(new String("1111")); // String s1
            v.addElement(new String("2222")); // String s2

            // someRootObject is assumed to be reachable from the root of persistence
            someRootObject.addObject(v); // v is promoted
        }
    }

[Figure, animated over five slides: Non-Volatile Heap and Volatile Heap. v, s1 and s2 appear in turn; in the last frame, after v is promoted, v, s1 and s2 are shown again and three objects are marked G (Garbage).]


Things to know about Java Card: Firewall between applications

All applications run in the same VM, and exist in the same heap
• Objects created by one application cannot be accessed by another application
• Every object access is checked by the firewall
• SecurityException is thrown if access is not permitted

[Figure: App1 Objects and App2 Objects, separated by a Firewall Check]


Things to know about Java Card: Inter Application Communication

Applications can communicate with each other using Shared Interface Objects (SIO)
• App1 defines and implements a Shareable Interface
• App1 allows App2 to access this SIO
• Firewall allows App2 to access the SIO object

[Figure: App1 Objects, including the SIO of App1, and App2 Objects, separated by a Firewall Check]
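The three SIO steps above, written against the Classic `javacard.framework` API as an added example (not code from the slides). Package names, class names, AID bytes and the points value are constructed; the three types belong in separate source files, as marked.

```java
// ---- File: com/example/loyalty/LoyaltyPoints.java (all names are constructed) ----
package com.example.loyalty;
import javacard.framework.Shareable;

/** Only methods of an interface that extends Shareable can be called across the firewall. */
public interface LoyaltyPoints extends Shareable {
    short getPoints();
}

// ---- File: com/example/loyalty/LoyaltyApplet.java (App1, owns the SIO) ----
package com.example.loyalty;
import javacard.framework.*;

public class LoyaltyApplet extends Applet implements LoyaltyPoints {
    // AID of the single client allowed to use the SIO (constructed value).
    private static final byte[] CLIENT_AID = { (byte) 0xF0, 0x00, 0x00, 0x00, 0x01, 0x02 };
    private short points = 120; // persistent field, owned by App1's context

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new LoyaltyApplet().register();
    }

    private static boolean isAllowed(AID aid) {
        return aid != null && aid.equals(CLIENT_AID, (short) 0, (byte) CLIENT_AID.length);
    }

    /** Called by the runtime when another applet requests this applet's SIO. */
    public Shareable getShareableInterfaceObject(AID clientAID, byte parameter) {
        return isAllowed(clientAID) ? this : null; // null means access is refused
    }

    public short getPoints() {
        // Re-check the caller on every call: a granted SIO reference could be passed on.
        if (!isAllowed(JCSystem.getPreviousContextAID())) {
            ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
        }
        return points;
    }

    public void process(APDU apdu) { /* no APDU commands in this example */
    }
}

// ---- File: com/example/client/ClientApplet.java (App2, a different context) ----
package com.example.client;
import com.example.loyalty.LoyaltyPoints;
import javacard.framework.*;

public class ClientApplet extends Applet {
    private static final byte[] SERVER_AID = { (byte) 0xF0, 0x00, 0x00, 0x00, 0x01, 0x01 };

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new ClientApplet().register();
    }

    public void process(APDU apdu) {
        if (selectingApplet()) return;
        AID server = JCSystem.lookupAID(SERVER_AID, (short) 0, (byte) SERVER_AID.length);
        Shareable sio = (server == null) ? null
                : JCSystem.getAppletShareableInterfaceObject(server, (byte) 0);
        if (sio == null) ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
        short points = ((LoyaltyPoints) sio).getPoints(); // executes in App1's context
        Util.setShort(apdu.getBuffer(), (short) 0, points);
        apdu.setOutgoingAndSend((short) 0, (short) 2);
    }
}
```

Any direct field or array access from `ClientApplet` to a `LoyaltyApplet` object would still be rejected by the firewall with a `SecurityException`; only the `LoyaltyPoints` methods are reachable.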


Things to know about Java Card: Atomicity and Transactions

Card Tear may happen at any time
• Card can be pulled out of the card reader at any time
• Java Card must guarantee the integrity of user data

Individual persistent writes are atomic
• Every write into Non-Volatile memory is atomic

Transaction Facility
• Transactions may be used to group persistent writes
• The application specifies the start and end of transactions
• Unfinished or aborted updates will be rolled back
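Grouping persistent writes so that a card tear cannot leave them half done, as an added example (not code from the slides). It uses the explicit `JCSystem` transaction calls of the Classic API; the applet name, instruction byte, starting balance and log layout are assumptions.

```java
import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.JCSystem;
import javacard.framework.Util;

/** Hypothetical purse applet; cardholder and terminal authentication are omitted. */
public class PurseApplet extends Applet {
    private static final byte INS_DEBIT = (byte) 0x30; // assumed instruction byte
    private static final short LOG_ENTRIES = 8;
    private static final short ENTRY_SIZE = 4;         // amount (2) + new balance (2)

    // Fields and arrays of the applet instance live in non-volatile memory.
    private short balance = 1000;                       // constructed starting value
    private final byte[] log = new byte[(short) (LOG_ENTRIES * ENTRY_SIZE)];
    private short logNext;

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new PurseApplet().register();
    }

    public void process(APDU apdu) {
        if (selectingApplet()) return;
        byte[] buf = apdu.getBuffer();
        if (buf[ISO7816.OFFSET_INS] != INS_DEBIT) {
            ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
        if (apdu.setIncomingAndReceive() != 2) {
            ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        }
        debit(Util.getShort(buf, ISO7816.OFFSET_CDATA));
    }

    private void debit(short amount) {
        // Validate and compute in locals first, so nothing can fail mid-transaction.
        if (amount <= 0 || amount > balance) {
            ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
        }
        short newBalance = (short) (balance - amount);
        short off = (short) (logNext * ENTRY_SIZE);

        // Each write below is atomic on its own, but a tear between two of them
        // would leave the balance and the log disagreeing. Inside a transaction
        // either all four writes survive the tear or none does.
        JCSystem.beginTransaction();
        balance = newBalance;
        Util.setShort(log, off, amount);
        Util.setShort(log, (short) (off + 2), newBalance);
        logNext = (short) ((logNext + 1) % LOG_ENTRIES);
        JCSystem.commitTransaction();
        // If power is lost before commitTransaction() returns, the runtime restores
        // balance, log and logNext to their previous values on the next reset.
    }
}
```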


Introducing Java Card 3.0: What's New

Runs on recent (high-end) smart cards
• More Memory (Approx 24K of Volatile and 128K of Non-Volatile)
• 32 bit Processor (Fast)

Full Java Language Support
• All data types except float and double
• Multiple Threads
• Extensive API support (java.lang, java.util, GCF, ...)
• Handles class files directly, with all loading and linking on card
• All new Java language syntax constructs, like enums, generics, enhanced for loops, auto boxing/unboxing, etc.
• Automatic Garbage Collection

The technology for the coming years


Introducing Java Card 3.0: Connectivity Layers and Protocol Stack

[Figure: connectivity layers and protocol stack; legend: New in Java Card 3.0 Connected Edition]


Introducing Java Card 3.0: High Level Architecture


Introducing Java Card 3.0: Application Models

Classic Applets
• Communication using APDU protocol
• For backward compatibility
• Java Card 2 limitations apply for these applications

Extended Applets
• Communication using APDU protocol
• Similar to Classic Applets, but can use all the new API, like Threads, Strings, GCF, etc.

Servlet Applications
• Based on Servlet 2.4 API
• Communication using standard HTTP/HTTPS protocol


Java Card 3.0 vs. Java SE

Application start is not the main() method
• Java Card applications do not have a main() method
• “life cycle” model
• Applet Container and Servlet Container
• Application components are either Java Card Applets or Servlets

Network programming using GCF API
• Connector.open("http://.....");
• Connector.open("socket://host:1234");

Not the entire API is supported


Java Card 3.0 vs. Java ME

Java Card 3.0 is very close to Connected Limited Device Configuration (CLDC)

Class files compiled with JDK 6
• Class file major version is 50

Class File Verification is the same as in CLDC
• But no preverifier, because JDK 6 generates StackMapTables
• JDK 6 Stackmaps are a little different from preverifier-generated Stackmaps, but the purpose is the same

Not MIDlets, but Java Card Applets and Servlets

JAD file of MIDlet suite can be compared to Java Card Runtime Descriptor


Java Card 3.0 vs. Java EE

Servlet Container with full Servlet lifecycle support

WAR file format is supported with Java Card 3.0 specific information, like Java Card Runtime Descriptor

No JSP support
• Just servlets (and static HTMLs) with listeners, filters

Transactions using Annotations
• @TransactionSupport(TransactionSuportType.REQUIRED)

Per Application SSL is new in Java Card 3.0


More about Web Applications: Format of the deployment unit

• Same as Standard Web Application format
• No lib folder
• Some additional Java Card Specific Information


More about Web Applications: Java Card 3.0 specific information

Java Card Runtime Descriptor

    Manifest-Version: 1.0
    Runtime-Descriptor-Version: 3.0
    Application-Type: web
    Web-Context-Path: /hello


More about Web Applications: Java Card 3.0 specific information

Java Card Application Descriptor

    <javacard-app version="3.0">
      <security-role>
        <role-name category="USER">
          remote
        </role-name>
      </security-role>
    </javacard-app>


Reference Implementation (RI)

2Q 09

Contents of RI
• Card Emulator
• Tools to build and deploy
  • Off-card installer
  • Packager
  • Converter
  • Normalizer
• Introductory How-To samples
• Documentation

NetBeans Plugin


Reference Implementation (RI)

[Figure: build and deploy flow. Labels: Source files; compile/build/IDE; Class files and other resources (or) WAR file; Packager; Ready to deploy Module; Off-Card Installer (Load, create, delete, unload); Card; Browser/Client]


Say Hello using Java Card 3.0 RI: HelloServlet.java

    import javax.servlet.*;
    import javax.servlet.http.*;
    import java.io.*;

    public class HelloServlet extends HttpServlet {
        public void doGet(HttpServletRequest request,
                          HttpServletResponse response) throws IOException {
            response.setContentType("text/html");
            // The writer is obtained from the response, not the request
            PrintWriter out = response.getWriter();
            out.println("<html><body>");
            out.println("<h1>Hello! JavaOne 2008</h1>");
            out.println("</body></html>");
        }
    }


Say Hello using Java Card 3.0 RI: web.xml

    <web-app version="2.4">
      <servlet>
        <servlet-name>helloservlet</servlet-name>
        <servlet-class>HelloServlet</servlet-class>
      </servlet>

      <servlet-mapping>
        <servlet-name>helloservlet</servlet-name>
        <url-pattern>/*</url-pattern>
      </servlet-mapping>
    </web-app>


Say Hello using Java Card 3.0 RI: MANIFEST.MF (Java Card Runtime Descriptor)

    Manifest-Version: 1.0
    Runtime-Descriptor-Version: 3.0
    Application-Type: web
    Web-Context-Path: /hello


Say Hello using Java Card 3.0 RI: Compiling Java Sources

Use the NetBeans Module; easy way to build everything

Use javac to compile the source code.
• Sources must be compiled using Java Card API
• Set bootclasspath to Java Card 3.0 API
  • javac -bootclasspath jcapi.jar *.java
• Use provided annotation processor to detect float and double usages.
  • javac -processorpath jcapt.jar -processor com.sun.javacard.apt.JCAnnotationProcessor -Amode=connected *.java
• Or
  • Simply use the java card compiler script
  • jcc_connected.bat *.java


Say Hello using Java Card 3.0 RI: Building Web Application Module

Compiled class files and other resources need to be bundled together into WAR file format

Using NetBeans makes it a click away

Packager tool
• can be used to create the final module file from raw WAR file or folder
• can be used to validate pre-shipped application modules/WAR files


Say Hello using Java Card 3.0 RI: Load & Create the Application Module

Deployment is a 2 step process
• Load – loads the module onto the card
• Create – creates a persistent instance of loaded module

Use off-card installer to load the Application Module

Use off-card installer to create the instance

Browse to the page
• Ex: http://localhost:8019/hello/


Say Hello using Java Card 3.0 RI: Delete & Unload the Application Module

If the application is no longer needed on the card, it can be removed completely

2 step process
• Delete – deletes given persistent instance of the application
• Unload – completely removes all class files and related resource files from the card

Use off-card installer to delete the application instance

Use off-card installer to unload the application


Peter Allenbach Sun Microsystems

Q & A