  1. #1
    Registered User
    Join Date
    Jan 2007
    Posts
    6

    Application access set to not allowed testing APDUMIDlet

    Hi, I am new to developing for Nokia mobile phones, however I've had expertise working with smart cards before.

    I downloaded and installed the Series 40 SDK 3rd Edition Feature Pack 2. After some issues with my installed ant version, I managed to make the helloworldplus midlet compile and work. As I am most interested in SATSA JSR 177 APIs I'm trying also to make the APDUMIDlet work. It compiles and loads into the simulator nicely. However when trying to run it I get a message telling "Application access set to not allowed" followed by a security exception.

    Looking at the source code I find out the exception is launched while running:

    cardConnection0 = (APDUConnection)Connector.open(CardSlot0);

    CardSlot0 is defined as this:

    private final String CardSlot0 = "apdu:0;target=a0.00.00.00.62.03.01.0c.02.01";

    I am trying with a GSM card which doesn't have any application with that AID instantiated inside. I assumed that in this case any APDU would simply return status words meaning error. Could it be the case that the security exception is being launched because of the wrong AID?

    If so, which is the AID to be used to "talk" with the default GSM/UMTS application? (In a GSM card the application is usually selected by default, any "default" CardSlot0 can be used in this case?)

    Any ideas very welcome.

  2. #2
    Registered User
    Join Date
    Jan 2007
    Posts
    6

    Re: Application access set to not allowed testing APDUMIDlet

    Further info: The same problem if I try selecting explicitly the GSM applet:

    private final String CardSlot0 = "apdu:0;target=A0.00.00.00.03.00.00";

  3. #3
    Super Contributor
    Join Date
    Apr 2003
    Location
    USA, CA
    Posts
    7,191

    Re: Application access set to not allowed testing APDUMIDlet

    Have you checked the emulator preferences? In preferences on the MIDP sheet you should set the Security Domain to maximum.

    Note: On real devices smart card access is not available for unsigned MIDlets or MIDlets signed to trusted 3rd party domain.

    Hartti

  4. #4
    Registered User
    Join Date
    Jan 2007
    Posts
    6

    Re: Application access set to not allowed testing APDUMIDlet

    Thanks, that helped. I am new to J2ME so sorry in advance if I ask something obvious.

    What is the meaning of each one of the "Security Domain" options?

    How do I sign the midlet in order to use it with a real phone?

    Now, back to the midlet I am trying. If I try to select the GSM AID I get ConnectionNotFoundException:

    private final String CardSlot0 = "apdu:0;target=A0.00.00.00.03.00.00";

    Something that could be reasonable as this is a UMTS card. But if I try to select the UMTS AID I get SecurityException:

    private final String CardSlot0 = "apdu:0;target=A0.00.00.00.87.10.02.FF.34.FF.07.89.31.2E.30.FF";

    Docs say:

    "If the card application selection fails because the J2ME application is not allowed to access the application with the specified application identifier a SecurityException is thrown."

    Why could the J2ME midlet not be allowed? That AID is the one selected by default when card is powered on!

    Which leads me to the question, how can I build a CardSlot0 definition that simply opens a logical channel to the currently selected AID, something like target=default?

    Any ideas gloriously welcome so thanks in advance!

  5. #5
    Super Contributor
    Join Date
    Apr 2003
    Location
    USA, CA
    Posts
    7,191

    Re: Application access set to not allowed testing APDUMIDlet

    "How do I sign the midlet in order to use it with a real phone?"

    As this specific feature requires operator/manufacturer signing, it is very challenging. All operators and manufacturers have different requirements for signing an app with their certificate. Usually it requires close collaboration and partnership. There can be some other requirements like code review, branding, partnering agreement, following some guidelines etc.

    The JSR-177 spec lists in appendix A some additional requirements to get the APDU commands to work. Have you checked those?

    Hartti

  6. #6
    Registered User
    Join Date
    Jan 2007
    Posts
    6

    Re: Application access set to not allowed testing APDUMIDlet

    Thanks for the pointer. Indeed I was trying to do something which requires a lot more prerequisites than initially suspected.

    "The J2ME application is allowed to open a connection with an application in the SE if any one of the following conditions are satisfied:
    • The ACE principal identifies a domain category (CHOICE domain is used with the OID indicating ’operator’, ’manufacturer’, or ’trusted third party’) and the J2ME application belongs to the same domain category; or
    • The ACE principal identifies the domain root (CHOICE rootID is used) and the corresponding PrincipalID matches with the hash of the root certificate in the path used to sign the J2ME application; or
    • The ACE principal identifies an end-entity (CHOICE endEntityID is used) and the corresponding PrincipalID matches with the end-entity certificate used to sign the J2ME application.
    The J2ME application is allowed to send an APDU to an application in the SE if:
    • The APDU being sent by the J2ME application is specified by at least one of the ACE; and
    • The APDU being sent by the J2ME application is not one of those used for application selection and channel management."

    Time to do it hand in hand with our smartcard providers.
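
The access rules quoted in post #6, modelled as an added example (not part of the thread, and not Nokia's or the JSR 177 reference code). The SHA-1 PrincipalID, the header/mask form of an APDU permission, the requirement that the permitting ACE also names the MIDlet's principal, and all sample certificates and APDUs are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

INS_SELECT, INS_MANAGE_CHANNEL = 0xA4, 0x70  # ISO 7816-4 instruction bytes

@dataclass
class Midlet:
    domain: str             # 'operator', 'manufacturer' or 'trusted third party'
    root_cert: bytes        # root certificate of the signing chain
    end_entity_cert: bytes  # certificate that signed the JAR

@dataclass
class ACE:
    kind: str      # 'domain', 'rootID' or 'endEntityID'
    value: object  # domain name, or PrincipalID (assumed: SHA-1 of the certificate)
    apdus: list = field(default_factory=list)  # assumed form: (header, mask) pairs

def sha1(data):
    return hashlib.sha1(data).digest()

def principal_matches(ace, m):
    if ace.kind == "domain":
        return ace.value == m.domain
    if ace.kind == "rootID":
        return ace.value == sha1(m.root_cert)
    if ace.kind == "endEntityID":
        return ace.value == sha1(m.end_entity_cert)
    return False

def may_open(acl, m):
    """Connector.open() is allowed if any ACE principal matches the MIDlet."""
    return any(principal_matches(ace, m) for ace in acl)

def may_send(acl, m, apdu):
    """exchangeAPDU() is allowed only for APDUs an applicable ACE lists."""
    if len(apdu) < 4:
        return False
    ins, p1 = apdu[1], apdu[2]
    # Selection (SELECT by DF name) and channel management are never allowed.
    if ins == INS_MANAGE_CHANNEL or (ins == INS_SELECT and p1 == 0x04):
        return False
    return any(
        all((a & k) == (h & k) for a, h, k in zip(apdu[:4], header, mask))
        for ace in acl if principal_matches(ace, m)  # assumption: same principal
        for header, mask in ace.apdus)

# Constructed sample data, not taken from any real card or certificate.
ROOT, LEAF = b"constructed-root-cert", b"constructed-leaf-cert"
ACL = [ACE("rootID", sha1(ROOT), [(bytes.fromhex("80100000"), bytes.fromhex("FFFF0000"))])]
SIGNED = Midlet("trusted third party", ROOT, LEAF)
OTHER_ROOT = Midlet("trusted third party", b"constructed-other-root", LEAF)
```

Two MIDlets in the same trusted third party domain get different answers here because the card's ACE names one root certificate, which is why a valid signature alone does not guarantee access.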

  7. #7
    Registered User
    Join Date
    Aug 2007
    Posts
    4

    Re: Application access set to not allowed testing APDUMIDlet

    Hi,

    I'm trying to use the SATSA-APDU on the phone "Nokia 7390". The phone has the "Series 40" platform and should support the JSR 177 SATSA-APDU. It works perfectly to use the APDUs when running in the EclipseMe emulator. The SIM card is then inserted into an external cardreader.

    When trying to execute the program on the phone it fails. SecurityException is thrown when trying to open the connection (APDUConnection.open(url)).

    I've been reading "JSR 118" and "JSR 177 Appendix A" to get some understanding. The information is a bit hard to interpret, but as far as I can see, the jar-file must be signed.

    I've described my interpretation of the procedure below. I would appreciate if anyone could have a look and give me feedback or corrections.


    Suggested solution: Signing the jar with "Trusted third Domain".
    1. Create a CA and save the CA certificate on the USIM according to standard for saving root cert on (U)SIM
    2. Generate a key pair using the "keytool". The "keytool" is included in JDK 5.
    3. Generate a certificate request by the "keytool".
    4. Create a code signing certificate by the CA and the cert request.
    5. The code signing cert is imported to "keytool" and the jar is signed.

    WOULD THIS WORK?

    IS THERE ANY OTHER SOLUTION?



    lombard

  8. #8
    Super Contributor
    Join Date
    Apr 2003
    Location
    USA, CA
    Posts
    7,191

    Re: Application access set to not allowed testing APDUMIDlet

    Trusted 3rd party signing is enough if you are not using the SAT communication (in which case you need to sign your MIDlet to operator domain).
    Also the APDU commands you are sending to the SIM card need to be listed on the SIM card Access Control Entries for the specific application you are targeting.

    For signing instructions see this doc
    http://www.forum.nokia.com/info/sw.n..._0_en.pdf.html

    Hartti

  9. #9
    Registered User
    Join Date
    Aug 2007
    Posts
    4

    Re: Application access set to not allowed testing APDUMIDlet

    I've read the document, and tried the "trusted third party" model but I'm still getting "SecurityException" when invoking APDUConnection.open(<url>).

    This is what I've done:

    1. Using EclipseMe I build and sign the package: I've followed the instructions provided at http://eclipseme.org/docs/refSigning.html carefully. Our code signer is issued by the VeriSign intermediate CA. When configuring the signing properties (project property->J2ME->MidletSuite Signing) the "Verify Settings" function was verifying successfully. I created the package successfully.

    2. I followed the tip provided at: http://ignisvulpis.blogspot.com/2007...-verisign.html and updated the jad file:
       - The VeriSign intermediate CA certificate was included ("MIDLet-Certificate-1-2" attribute)
       - I added the "MIDLet-Permission-Opt: javax.microedition.apud.APDUConnection" to the jad

    3. The jar and jad file were installed successfully in the phone (Nokia 7390). An improvement since last attempt has happened regarding setting of the application options: Select the appl ->Option->Application access-> Data access->SmartCard: ALL ATTRIBUTES ARE UNGREYED NOW (which they were not before). I select "Always allowed".

    4. I was allowed to start the application, but I got the "SecurityException" when invoking APDUConnection.open(url)

    What could be wrong?
    I guess the phone says 'no' before any card access takes place...

    PS: Our signing certificate has expired in July. It was not possible to install the application the first attempt. After setting the phone time to May it installs. That proves that the certificate was verified... Could the expiration date be a problem despite that the phone was set to May?

  10. #10
    Super Contributor
    Join Date
    Apr 2003
    Location
    USA, CA
    Posts
    7,191

    Re: Application access set to not allowed testing APDUMIDlet

    What is the target in the URL in the APDUConnection.open()?
    An <AID> or SAT?

    Is there a corresponding application on the card? Note also that the spec states that
    "If the card application selection fails because the J2ME application is not allowed to access the application with the specified application identifier a SecurityException is thrown."

    Hartti

  11. #11
    Registered User
    Join Date
    Aug 2007
    Posts
    4

    Re: Application access set to not allowed testing APDUMIDlet

    Yes, there is a corresponding application on the card. The card application executes perfectly when running the MIDlet in the emulator and the card is inserted in a cardreader.

    Is there any known bug in Nokia 7390 that is related to the problem?

  12. #12
    Super Contributor
    Join Date
    Apr 2003
    Location
    USA, CA
    Posts
    7,191

    Re: Application access set to not allowed testing APDUMIDlet

    Not aware of any problems on 7390. However, I have not tested APDU on that specific device but on many other Series 40 3rd Ed FP2 phones with no problems (other than mistakes in the coding :-)

    Hartti

  13. #13
    Registered User
    Join Date
    Aug 2007
    Posts
    4

    Re: Application access set to not allowed testing APDUMIDlet

    Problem solved!

    I've read the article at http://developers.sun.com/mobility/a...ticles/satsa1/
    ..and found the following information:
    "
    :
    For SATSA communication, SATSA defines the following MIDP 2.0 permissions:

    - To open an APDU connection: javax.microedition.apdu.aid. This permission is only granted to applications in the operator, manufacturer, and third-party trusted domain.
    :
    "

    After that, I changed the jad-file:
    :
    MIDlet-Permission-Opt: javax.microedition.apdu.APDUConnection
    :
    to
    :
    MIDlet-Permission-Opt: javax.microedition.apdu.aid
    :

    That made it all work! APDUConnection.open() works successfully. Succeeding exchangeAPDU calls execute successfully.

    Lombard
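
A descriptor check for the failure resolved in post #13, as an added example that is not from the thread or from any Nokia tool: it verifies that the JAD requests the SATSA permission matching the `apdu:` URL and carries the MIDP 2.0 signing attributes. Attribute names follow MIDP 2.0 (`MIDlet-Permissions-Opt`, plural); the function names and sample descriptors are constructed for illustration.

```python
import re

APDU_PERMISSIONS = {"aid": "javax.microedition.apdu.aid",
                    "sat": "javax.microedition.apdu.sat"}
PERMISSION_ATTRS = ("MIDlet-Permissions", "MIDlet-Permissions-Opt")
SIGNING_ATTRS = ("MIDlet-Jar-RSA-SHA1", "MIDlet-Certificate-1-1")

def parse_jad(text):
    """Return {attribute: value} from the descriptor's 'Name: value' lines."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            attrs[name.strip()] = value.strip()
    return attrs

def lint_jad(text, connection_url):
    """Return findings for a MIDlet suite that opens connection_url."""
    attrs, findings = parse_jad(text), []
    target = connection_url.partition("target=")[2]
    needed = APDU_PERMISSIONS["sat" if target.upper() == "SAT" else "aid"]
    requested = set()
    for name in PERMISSION_ATTRS:
        requested.update(p.strip() for p in attrs.get(name, "").split(",") if p.strip())
    if needed not in requested:
        findings.append("missing permission " + needed)
    for perm in sorted(requested):
        # Class names such as ...apdu.APDUConnection are not permission names.
        if perm.startswith("javax.microedition.apdu.") and perm not in APDU_PERMISSIONS.values():
            findings.append("unknown apdu permission " + perm)
    for name in attrs:
        # The singular spelling is not the MIDP 2.0 attribute name.
        if re.fullmatch(r"midlet-permission(-opt)?", name, re.IGNORECASE):
            findings.append("misspelled attribute " + name)
    for name in SIGNING_ATTRS:
        if name not in attrs:
            findings.append("not signed: no " + name)
    return findings

# Constructed descriptors modelled on the change described in the thread.
BEFORE = """MIDlet-Name: APDUMIDlet
MIDlet-Jar-RSA-SHA1: <signature placeholder>
MIDlet-Certificate-1-1: <certificate placeholder>
MIDlet-Permissions-Opt: javax.microedition.apdu.APDUConnection
"""
AFTER = BEFORE.replace("apdu.APDUConnection", "apdu.aid")
URL = "apdu:0;target=a0.00.00.00.62.03.01.0c.02.01"
```

Running `lint_jad(BEFORE, URL)` reports both the missing `javax.microedition.apdu.aid` permission and the class name used in its place, while `lint_jad(AFTER, URL)` returns no findings.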

  14. #14
    Registered User
    Join Date
    Oct 2008
    Posts
    5

    Re: Application access set to not allowed testing APDUMIDlet

    So even if I was to buy a cert from Thawte, Verisign, etc... my midlet would still have no access even though these domains have been installed on my phone?

  15. #15
    Super Contributor
    Join Date
    Apr 2003
    Location
    USA, CA
    Posts
    7,191

    Re: Application access set to not allowed testing APDUMIDlet

    If I understood you correctly (I do not exactly understand what you mean by "even though these domain have been installed on my phone?") then correct.

    You need to sign the MIDlet to trusted 3rd party domain (or operator domain for SAT access) and there have to be corresponding entries in the Access Control List on the SIM card itself.

    Hartti
