2 votes

I want to blacklist an applet from being selected through certain interfaces. I have blocked the use of the SELECT APDU, but I want to make sure that there are no other ways to select the applet. Are there any APDUs I can send that select an applet as a side effect?

Anything missing from either one of the answers, Ryan? - Maarten Bodewes

2 Answers

3 votes

If the applet is marked as the default selected applet, then the applet is automatically selected after an ATR/ATS. If you block the entire SELECT command on the reader side then your other applets might stop working because you cannot select them anymore either.

If you only block the SELECT command for this given applet by matching the APDU header and AID, then you should make sure that:

  • INS byte is A4
  • P1 is 04 (Select by DF-name)
  • The Lc byte and command data matches the AID
  • The Lc byte and command data matches any substring prefix of the AID

The last point is called SELECT by partial AID which selects the first applet that matches the substring of the AID (and the next one after that).


[Edit]: Rereading the question I'm not sure if you might mean blocking the selection from within the applet. My solution is meant to be used from a PCD point of view.

2 votes

Generally no. Unless the applet is default selected, selection of an applet is always performed using SELECT by Name (where the name is an Application Identifier or AID). This can be detected using Applet#selectingApplet(), which should work even if selection takes place through another APDU. After that you can use the static APDU.getProtocol() method to filter out the unwanted protocols.

However, the applet cannot stop being selected by the platform even when you return a bad status word from within the process method. So really the only meaningful answer to the selection is SW_NO_ERROR (that's SW 9000 of course). So the previous solution doesn't get you anywhere.


Before the SELECT APDU is handled by the process method, Java Card applets will also receive a call to Applet.select(). However, you cannot yet make a decision about the protocol / media within this call; the static methods in the APDU interface aren't yet available for use. If that were possible then it would be possible to block selection through a specific interface. So this won't get you anywhere either.


In the end it may be more practical to simply call APDU.getProtocol() for each and every APDU that you receive. Then throw an ISOException with SW_CONDITIONS_NOT_SATISFIED or any similar acceptable status word (ISO/IEC doesn't specify which status words to throw, unfortunately, only which ones exist).
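An added example of the per-APDU check described in this answer (not code from the answer's author): a minimal Java Card applet that calls APDU.getProtocol() inside process() and refuses every command, the SELECT included, that arrives over a contactless medium. The class, package and the single 0xCA command are placeholders chosen for the example.

```java
package example; // hypothetical package name for this example

import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;

// Platform-level selection still succeeds (as explained above); the applet only
// answers with an error status word instead of 9000 on the unwanted interface.
public class ContactOnlyApplet extends Applet {

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new ContactOnlyApplet().register(bArray, (short) (bOffset + 1), bArray[bOffset]);
    }

    // True when the current APDU arrived over a contactless (Type A or Type B) medium.
    // The media bits of getProtocol() are isolated with PROTOCOL_MEDIA_MASK.
    private static boolean isContactless() {
        byte media = (byte) (APDU.getProtocol() & APDU.PROTOCOL_MEDIA_MASK);
        return media == APDU.PROTOCOL_MEDIA_CONTACTLESS_TYPE_A
            || media == APDU.PROTOCOL_MEDIA_CONTACTLESS_TYPE_B;
    }

    public void process(APDU apdu) {
        // Unlike in select(), the static APDU methods are usable here, so the
        // interface check runs for every APDU, SELECT by AID included.
        if (isContactless()) {
            ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
        }
        if (selectingApplet()) {
            return; // SELECT over an allowed interface: respond with SW 9000
        }
        byte[] buf = apdu.getBuffer();
        switch (buf[ISO7816.OFFSET_INS]) {
            case (byte) 0xCA: // placeholder application command for this example
                // ... application logic goes here ...
                break;
            default:
                ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }
}
```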