[go: up one dir, main page]

CN103455349B - Method and device for application program to access smart card - Google Patents

Method and device for application program to access smart card Download PDF

Info

Publication number
CN103455349B
CN103455349B CN201310379209.9A CN201310379209A CN103455349B CN 103455349 B CN103455349 B CN 103455349B CN 201310379209 A CN201310379209 A CN 201310379209A CN 103455349 B CN103455349 B CN 103455349B
Authority
CN
China
Prior art keywords
application program
smart card
information
agent
access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201310379209.9A
Other languages
Chinese (zh)
Other versions
CN103455349A (en
Inventor
刘诚明
严斌峰
张成岩
姜琳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd filed Critical China United Network Communications Group Co Ltd
Priority to CN201310379209.9A priority Critical patent/CN103455349B/en
Publication of CN103455349A publication Critical patent/CN103455349A/en
Application granted granted Critical
Publication of CN103455349B publication Critical patent/CN103455349B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Landscapes

  • Stored Programmes (AREA)

Abstract

The present invention provides the method and apparatus that a kind of application program accesses smart card, the method includes: Agent reception application program is by calling the operational order that opening API interface function sends, and described opening API interface function is formed by the standard APDU instruction encapsulation corresponding with described operational order;Operation information in described operational order is added in the standard APDU instruction corresponding with described opening API interface function by Agent, and the instruction of this standard APDU is sent to smart card, so that described smart card operates according to the instruction of described standard APDU.Its operational order is sent to Agent by the opening API interface function that application program only needs to call Agent and provides, it is automatically performed the application program access to smart card by Agent, greatly reduces the development difficulty of the Capability Requirement to developer and application program.

Description

应用程序访问智能卡的方法和装置Method and device for application program to access smart card

技术领域technical field

本发明属于通信技术领域,具体是涉及一种应用程序访问智能卡的方法和装置。The invention belongs to the technical field of communication, and in particular relates to a method and a device for an application program to access a smart card.

背景技术Background technique

随着智能卡处理能力的增强、存储空间的扩大以及移动增值业务的发展,智能卡不再仅作为移动通信网络的接入鉴权模块,而是可以为诸如移动支付、近距离通信等应用提供相关存储、鉴权等功能。With the enhancement of smart card processing capabilities, the expansion of storage space and the development of mobile value-added services, smart cards are no longer only used as access authentication modules for mobile communication networks, but can provide relevant storage for applications such as mobile payment and short-distance communication. , authentication and other functions.

目前,很多智能手机都采用Android系统平台,第三方Android应用程序开发者在开发新的增值业务应用或者对现有的增值业务进行升级改进时,都需要与智能卡进行交互,以调用智能卡中与该增值业务应用相关的应用程序块(Applet)完成相应的存储、更新等处理。为了使Android应用程序能够与智能卡中的相关Applet实现交互,SIM卡联盟提出了OpenMobile API标准,根据该标准定义的接口,Android应用程序可以通过该与智能卡交互的标准Android API函数来发送标准的应用协议数据单元(Application Protocol data unit,以下简称APDU)指令,调用相关的Applet,从而实现与智能卡的交互。At present, many smart phones use the Android system platform. When third-party Android application developers develop new value-added service applications or upgrade and improve existing value-added services, they need to interact with the smart card to call the smart card. The application block (applet) related to the value-added service application completes the corresponding storage, update and other processing. In order to enable Android applications to interact with related Applets in smart cards, the SIM Card Alliance has proposed the OpenMobile API standard. According to the interface defined by this standard, Android applications can send standard applications through the standard Android API functions that interact with smart cards. The protocol data unit (Application Protocol data unit, hereinafter referred to as APDU) command calls the relevant Applet to realize the interaction with the smart card.

但上述方案中,开发者要想实现其Android应用程序与智能卡的交互,需要知道与智能卡交互所涉及的标准APDU指令的交互流程与数据格式定义。另外,由于不同终端厂商对上述Open Mobile API标准的实现不同,开发者还需了解不同厂商的具体实现方式,以使其应用程序与终端设备相适应,这对开发者的能力提出了较高的要求,使应用程序的开发难度大大提高。However, in the above solution, if the developer wants to realize the interaction between his Android application program and the smart card, he needs to know the interaction process and data format definition of the standard APDU command involved in the interaction with the smart card. In addition, since different terminal manufacturers have different implementations of the above-mentioned Open Mobile API standards, developers need to understand the specific implementation methods of different manufacturers in order to adapt their applications to terminal devices. Requirements greatly increase the difficulty of application development.

发明内容Contents of the invention

针对现有技术中存在的问题,本发明提供一种应用程序访问智能卡的方法和装置,用以克服现有技术中通过标准Android API函数调用智能卡中与应用程序相关的Applet而导致的对开发者要求高、应用开发难度大的缺陷。Aiming at the problems existing in the prior art, the present invention provides a method and device for an application program to access a smart card, so as to overcome the inconvenience caused by calling the Applet related to the application program in the smart card through the standard Android API function in the prior art. Defects with high requirements and difficult application development.

本发明提供了一种应用程序访问智能卡的方法,包括:The invention provides a method for an application program to access a smart card, comprising:

代理程序接收应用程序通过调用开放API接口函数发送的操作指令,所述开放API接口函数由与所述操作指令相对应的标准APDU指令封装而成;The agent program receives the operation instruction sent by the application program by calling the open API interface function, and the open API interface function is encapsulated by a standard APDU instruction corresponding to the operation instruction;

代理程序将所述操作指令中的操作信息添加到与所述开放API接口函数对应的标准APDU指令中,并将该标准APDU指令发送给智能卡,以使所述智能卡根据所述标准APDU指令进行操作。The agent program adds the operation information in the operation instruction to the standard APDU instruction corresponding to the open API interface function, and sends the standard APDU instruction to the smart card, so that the smart card operates according to the standard APDU instruction .

本发明提供了一种应用程序访问智能卡的装置,包括:The invention provides a device for an application program to access a smart card, comprising:

接收模块,用于接收应用程序通过调用代理程序提供的开放API接口函数发送的操作指令,所述开放API接口函数由与所述操作指令相对应的标准APDU指令封装而成;The receiving module is used to receive the operation instruction sent by the application program by calling the open API interface function provided by the agent program, and the open API interface function is encapsulated by the standard APDU instruction corresponding to the operation instruction;

发送模块,用于将所述操作指令中的操作信息添加到与所述开放API接口函数对应的标准APDU指令中,并将该标准APDU指令发送给智能卡,以使所述智能卡根据所述标准APDU指令进行操作。A sending module, configured to add the operation information in the operation instruction to the standard APDU instruction corresponding to the open API interface function, and send the standard APDU instruction to the smart card, so that the smart card can transmit the information according to the standard APDU command to operate.

本发明提供的应用程序访问智能卡的方法和装置,通过在Android终端中置入代理程序,由该代理程序将与应用程序的操作指令对应标准APDU指令进行封装,封装成供应用程序调用的开放API接口函数,使得应用程序在需要访问智能卡时,仅需从代理程序提供的开放API接口函数中调用其需要的API接口函数来将其操作指令发送给代理程序,而由代理程序将从操作指令中获取的操作信息添加到与该API接口函数对应的标准APDU指令中,并将该标准APDU指令发送给智能卡,从而使得应用程序无需知道访问智能卡所需的标准APDU指令以及该标准APDU指令的格式定义,由代理程序自动完成应用程序对智能卡的访问,大大降低了对开发者的能力要求以及应用程序的开发难度。In the method and device for accessing smart cards by application programs provided by the present invention, an agent program is embedded in an Android terminal, and the agent program encapsulates the standard APDU instructions corresponding to the operation instructions of the application program into an open API called by the application program. Interface function, so that when the application program needs to access the smart card, it only needs to call the API interface function it needs from the open API interface function provided by the agent program to send its operation instructions to the agent program, and the agent program will read the information from the operation instructions The obtained operation information is added to the standard APDU command corresponding to the API interface function, and the standard APDU command is sent to the smart card, so that the application program does not need to know the standard APDU command required to access the smart card and the format definition of the standard APDU command , the agent program automatically completes the access of the application program to the smart card, which greatly reduces the ability requirements of the developer and the difficulty of developing the application program.

附图说明Description of drawings

图1为本发明应用程序访问智能卡的方法实施例一的流程图;Fig. 1 is the flow chart of Embodiment 1 of the method for accessing the smart card by the application program of the present invention;

图2为本发明应用程序访问智能卡的方法实施例二的流程图;Fig. 2 is the flowchart of Embodiment 2 of the method for accessing the smart card by the application program of the present invention;

图3为本发明应用程序访问智能卡的装置实施例一的示意图;FIG. 3 is a schematic diagram of Embodiment 1 of a device for accessing a smart card by an application program of the present invention;

图4为本发明应用程序访问智能卡的装置实施例二的示意图。FIG. 4 is a schematic diagram of Embodiment 2 of the device for accessing a smart card by an application program in the present invention.

具体实施方式detailed description

图1为本发明应用程序访问智能卡的方法实施例一的流程图,如图1所示,本实施例提供的应用程序访问智能卡的方法尤其适用于第三方Android应用程序需要访问智能卡的场景。所述智能卡具体承载于诸如智能手机、掌上电脑、平板电脑等具有Android系统的终端设备中,智能卡中包括有运营商置入的多种应用程序块(Applet),如存储、运算等,Android应用程序的开发过程中,需要访问智能卡中的这些Applet来完成相应的操作。而要想实现对智能卡中Applet的访问,需要使用与智能卡相适应的标准APDU指令完成与智能卡的交互。现有技术中,Android应用程序开发者需要掌握为了完成其操作,需要使用哪些标准APDU指令以及各标准APDU指令的格式定义,才能将其操作信息构造成标准APDU指令,进而发送给智能卡,而本实施例提供的方案,则是通过在终端设备中引入代理程序,由代理程序将要完成应用程序的操作所需的标准APDU指令封装为一开放API接口函数,供应用程序调用,由于该开放API接口函数的通用性,方便应用程序开发者的开发工作,并由该代理程序代为完成与智能卡的标准APDU指令交互。Fig. 1 is a flow chart of Embodiment 1 of the method for accessing a smart card by an application program of the present invention. As shown in Fig. 1 , the method for accessing a smart card by an application program provided in this embodiment is especially suitable for a scenario where a third-party Android application program needs to access a smart card. The smart card is specifically carried in terminal devices with an Android system such as smart phones, palmtop computers, and tablet computers. The smart card includes various application program blocks (applets) placed by operators, such as storage, computing, etc., and Android applications During the development of the program, it is necessary to access these Applets in the smart card to complete corresponding operations. In order to realize the access to the Applet in the smart card, it is necessary to use the standard APDU command compatible with the smart card to complete the interaction with the smart card. In the prior art, the Android application developer needs to know which standard APDU instructions and the format definition of each standard APDU instruction to use in order to complete its operation, so as to construct its operation information into a standard APDU instruction, and then send it to the smart card. The solution provided by the embodiment is to introduce an agent program in the terminal device, and the agent program will encapsulate the standard APDU instructions required to complete the operation of the application program into an open API interface function for the application program to call, because the open API interface The versatility of the function facilitates the development work of the application program developer, and the agent program completes the interaction with the standard APDU command of the smart card on its behalf.

本实施例提供的应用程序访问智能卡的方法,具体包括:The method for an application program accessing a smart card provided in this embodiment specifically includes:

步骤101、代理程序接收应用程序通过调用开放API接口函数发送的操作指令,所述开放API接口函数由与所述操作指令相对应的标准APDU指令封装而成;Step 101, the agent program receives the operation instruction sent by the application program by calling the open API interface function, and the open API interface function is encapsulated by a standard APDU instruction corresponding to the operation instruction;

本实施例中,运营商可以在使用Android系统的终端设备中置入代理程序,该代理程序可以根据应用程序普遍进行的智能卡访问操作,如添加、读取、更新、删除等操作,预先定义多种可供第三方Android应用程序调用的开放API接口函数,比如添加函数、读取函数、更新函数、删除函数等,并将完成对智能卡访问所需的相应标准APDU指令封装在该开放API接口函数中,比如,若完成更新操作需要用到的标准APDU指令包括:通道建立指令、数据处理指令、通道关闭指令,那么代理程序提供的更新函数中即封装了这三种标准APDU指令。In this embodiment, the operator can insert an agent program in the terminal device using the Android system. The agent program can pre-define multiple card access operations according to the smart card access operations generally performed by the application program, such as adding, reading, updating, and deleting. An open API interface function that can be called by a third-party Android application program, such as add function, read function, update function, delete function, etc., and encapsulate the corresponding standard APDU instructions required to complete the access to the smart card in the open API interface function Among them, for example, if the standard APDU instructions needed to complete the update operation include: channel establishment instructions, data processing instructions, and channel closing instructions, then the update function provided by the agent program encapsulates these three standard APDU instructions.

具体地,当应用程序需要对智能卡进行访问时,该应用程序会通过调用相应的开放API接口函数将其操作指令发送给代理程序。具体来说,每个开放API接口函数可以以函数名作为标识,以使应用程序能够调用与其操作指令相适应的接口函数。Specifically, when the application program needs to access the smart card, the application program will send its operation instruction to the agent program by calling the corresponding open API interface function. Specifically, each open API interface function can be identified by a function name, so that the application program can call the interface function suitable for its operation instruction.

步骤102、代理程序将所述操作指令中的操作信息添加到与所述开放API接口函数对应的标准APDU指令中,并将该标准APDU指令发送给智能卡,以使所述智能卡根据所述标准APDU指令进行操作。Step 102, the agent program adds the operation information in the operation instruction to the standard APDU instruction corresponding to the open API interface function, and sends the standard APDU instruction to the smart card, so that the smart card can be processed according to the standard APDU command to operate.

具体地,代理程序在接收到应用程序通过调用开放API接口函数发送的操作指令后,会从该操作指令中提取获取该操作指令的操作信息,如操作类型、数据内容等,并将这些操作信息添加到与调用的开放API接口函数相对应的标准APDU指令中,相当于对该标准APDU指令写入其所需的参数信息,之后便将该添加入操作信息的标准APDU指令发送给智能卡,使得智能卡可以根据该标准APDU指令完成相应的操作。Specifically, after the agent program receives the operation instruction sent by the application program by calling the open API interface function, it will extract and obtain the operation information of the operation instruction from the operation instruction, such as operation type, data content, etc., and store the operation information Adding to the standard APDU instruction corresponding to the open API interface function called is equivalent to writing the required parameter information to the standard APDU instruction, and then sending the standard APDU instruction added into the operation information to the smart card, so that The smart card can complete corresponding operations according to the standard APDU command.

本实施例提供的应用程序访问智能卡的方法,通过在Android终端设备中引入代理程序,由该代理程序将与应用程序的操作指令对应标准APDU指令进行封装,封装成供应用程序调用的开放API接口函数,使得应用程序在需要访问智能卡时,仅需以调用开放API接口函数的方式将其操作指令发送给代理程序,而由代理程序通过与被调用的开放API接口函数对应的标准APDU指令来自动完成应用程序对智能卡的访问,使得应用程序无需知道访问智能卡所需的标准APDU指令以及该标准APDU指令的格式定义,大大降低了对开发者的能力要求以及应用程序的开发难度。The application program access smart card method provided in this embodiment, by introducing an agent program in the Android terminal device, the agent program encapsulates the standard APDU instruction corresponding to the operation instruction of the application program, and encapsulates it into an open API interface for the application program to call Function, so that when the application needs to access the smart card, it only needs to send its operation instructions to the agent program by calling the open API interface function, and the agent program automatically uses the standard APDU instruction corresponding to the called open API interface function. The access of the application program to the smart card is completed, so that the application program does not need to know the standard APDU instruction required to access the smart card and the format definition of the standard APDU instruction, which greatly reduces the ability requirements for developers and the development difficulty of application programs.

图2为本发明应用程序访问智能卡的方法实施例二的流程图,如图2所示,该方法包括:Fig. 2 is the flowchart of the second embodiment of the method for accessing the smart card by the application program of the present invention. As shown in Fig. 2, the method includes:

步骤201、终端访问控制程序根据智能卡中的访问控制文件对所述代理程序进行鉴权,以确定所述代理程序是否能够访问智能卡,所述访问控制文件为预置入所述智能卡中的包含所述代理程序身份信息的只读文件,若鉴权通过,则执行步骤202,否则,结束;Step 201, the terminal access control program authenticates the agent program according to the access control file in the smart card to determine whether the agent program can access the smart card. Describe the read-only file of the identity information of the agent program, if the authentication is passed, then execute step 202, otherwise, end;

本实施例中,代理程序作为一种终端设备中、智能卡外的特殊应用程序,为了保证智能卡访问的安全性,一般需要对代理程序进行鉴权,以确定该代理程序是否是运营商置入的合法代理程序。In this embodiment, the agent program is a special application program in the terminal device and outside the smart card. In order to ensure the security of the smart card access, it is generally necessary to authenticate the agent program to determine whether the agent program is placed by the operator. Legal agency.

对代理程序的鉴权,采用与现有技术中对第三方应用程序进行鉴权相类似的方案,现简要介绍如下:The authentication of the agent program adopts a scheme similar to that of the third-party application program in the prior art, which is briefly introduced as follows:

在运营商在终端设备中预置入代理程序时,便在智能卡中创建一个与该代理程序相对应的访问控制文件(Access Rule File,以下简称ARF),该访问控制文件为一个只读文件,其内部存储着运营商置入的合法代理程序的身份信息,该身份信息例如可以是代理程序的包名、数字摘要签名。When the operator presets the agent program in the terminal device, an access control file (Access Rule File, hereinafter referred to as ARF) corresponding to the agent program is created in the smart card. The access control file is a read-only file. It internally stores the identity information of the legitimate agent program placed by the operator, and the identity information may be, for example, the package name and digital digest signature of the agent program.

现有技术中,对应用程序的鉴权是通过终端设备中的终端访问控制程序来执行的,在应用程序初始化时,启动对应用程序的鉴权。本实施例中,对代理程序的鉴权亦通过终端访问控制程序来执行,该终端访问控制程序根据智能卡中的访问控制文件对所述代理程序进行鉴权,以确定所述代理程序是否能够访问智能卡。具体地,终端访问控制程序获取所述代理程序的标识信息;终端访问控制程序确定所述访问控制文件中的代理程序身份信息与所述标识信息是否一致,若一致,则所述代理程序能够访问智能卡。In the prior art, the authentication of the application program is performed through the terminal access control program in the terminal device, and the authentication of the application program is started when the application program is initialized. In this embodiment, the authentication of the agent program is also performed by the terminal access control program, which authenticates the agent program according to the access control file in the smart card to determine whether the agent program can access smart card. Specifically, the terminal access control program obtains the identification information of the agent program; the terminal access control program determines whether the agent program identity information in the access control file is consistent with the identification information, and if they are consistent, the agent program can access smart card.

由于现有技术中,每一个应用程序均在智能卡中存在着一个与之一一对应的ARF,由于ARF不能修改,每当有一个新的应用程序时,都需要在智能卡中加入该应用程序对应的ARF,操作不便,且占用过多智能卡资源。而本申请中,理想情况下,运营商仅需要为具有Android系统的终端设备设置一个代理程序,相应地,在智能卡中,仅需要创建一个ARF,来完成对代理程序的鉴权即可。Because in the prior art, each application program has an ARF corresponding to one of them in the smart card, since the ARF cannot be modified, whenever there is a new application program, it is necessary to add the corresponding ARF of the application program in the smart card. The ARF is inconvenient to operate and takes up too many smart card resources. In this application, ideally, the operator only needs to set up an agent program for the terminal device with the Android system. Correspondingly, in the smart card, only one ARF needs to be created to complete the authentication of the agent program.

步骤202、代理程序接收应用程序通过调用开放API接口函数发送的操作指令,所述开放API接口函数由与所述操作指令相对应的标准APDU指令封装而成;Step 202, the agent program receives the operation instruction sent by the application program by calling the open API interface function, and the open API interface function is encapsulated by a standard APDU instruction corresponding to the operation instruction;

步骤203、代理程序调用智能卡中的访问控制程序块对所述应用程序进行鉴权,所述访问控制程序块为预置入智能卡中的包含已授权应用程序权限信息的可读写应用程序块,若鉴权通过,则执行步骤204,否则,结束;Step 203, the agent program calls the access control program block in the smart card to authenticate the application program, and the access control program block is a readable and writable application program block pre-installed in the smart card that contains authorized application program permission information, If the authentication is passed, then execute step 204, otherwise, end;

本实施例中,对应用程序的鉴权是通过运营商预置入智能卡中的一访问控制程序块来进行的。该访问控制程序块中存储有运营商已经授权的所有应用程序的权限信息,另外,由于该访问控制程序块允许进行读写操作,从而使得当有新的应用程序被授权访问智能卡时,运营商仅需要在该程序块中加入新的应用程序的权限信息即可。In this embodiment, the authentication of the application program is performed through an access control program block preset in the smart card by the operator. The access control program block stores the permission information of all applications authorized by the operator. In addition, because the access control program block allows read and write operations, when a new application program is authorized to access the smart card, the operator It is only necessary to add permission information of the new application program in the program block.

具体地,所述已授权应用程序权限信息包括:Specifically, the authorized application permission information includes:

已授权应用程序的身份信息、与所述身份信息对应的智能卡应用程序块信息和与所述智能卡应用程序块信息对应的访问类型信息。The identity information of the authorized application, the smart card application block information corresponding to the identity information, and the access type information corresponding to the smart card application block information.

本实施例中,所述已授权应用程序的身份信息,例如可以是应用程序的包名、数字摘要签名。实际上,应用程序访问智能卡,即是访问智能卡应用程序块,该智能卡应用程序块存在于智能卡中,是完成应用程序所需操作的执行功能单元,该智能卡应用程序块例如可以是完成数据更新、删除等操作的程序块,所述智能卡应用程序块信息例如包括智能卡应用程序块标识符。所述访问类型信息例如可以是更新、删除等。In this embodiment, the identity information of the authorized application program may be, for example, a package name and a digital abstract signature of the application program. In fact, when the application program accesses the smart card, it means accessing the smart card application program block. The smart card application program block exists in the smart card and is an execution function unit that completes the operations required by the application program. The smart card application program block can, for example, complete data update, A program block for operations such as deletion, the smart card application block information includes, for example, a smart card application block identifier. The access type information may be update, delete, etc., for example.

具体地,所述代理程序调用智能卡中的访问控制程序块对所述应用程序进行鉴权,包括:Specifically, the agent program calls the access control program block in the smart card to authenticate the application program, including:

代理程序将从所述操作指令中获取的鉴权信息发送给所述访问控制程序块,所述鉴权信息包括所述应用程序的标识信息、操作类型和待访问的智能卡应用程序块标识符;The agent program sends the authentication information obtained from the operation instruction to the access control program block, and the authentication information includes the identification information of the application program, the operation type and the identifier of the smart card application program block to be accessed;

所述访问控制程序块确定所述已授权应用程序的身份信息中是否包含所述应用程序的标识信息,以确定所述应用程序的身份合法性;The access control program block determines whether the identity information of the authorized application program includes the identification information of the application program, so as to determine the legality of the identity of the application program;

若合法,则所述访问控制程序块确定与所述身份信息对应的智能卡应用程序块信息中是否包含所述待访问的智能卡应用程序块标识符,以确定所述应用程序的访问合法性;If legal, the access control program block determines whether the smart card application block information corresponding to the identity information contains the smart card application block identifier to be accessed, so as to determine the legitimacy of the application program access;

若合法,则所述访问控制程序块确定与所述智能卡应用程序块信息对应的访问类型信息中是否包含所述操作类型,以确定所述应用程序的操作合法性。If it is legal, the access control program block determines whether the access type information corresponding to the smart card application program block information contains the operation type, so as to determine the legality of the operation of the application program.

通过上述对应用程序的鉴权过程可知,本实施例中以一种层层递进的方式对应用程序进行鉴权。首先对应用程序的身份合法性进行鉴权,只有身份合法性通过鉴权后,才会触发对应用程序是否能够访问智能卡中的应用程序块进行鉴权,即确定访问控制程序块中与该应用程序身份信息对应的智能卡应用程序块信息中否是含有该应用程序操作指令中所携带的智能卡应用程序块标识符,若访问合法性通过,才进行操作合法性的鉴权。这种鉴权方式,当前一种鉴权不合法时,便无需进行后续鉴权,有利于提供鉴权处理效率。It can be known from the above authentication process for the application program that in this embodiment, the application program is authenticated in a layer-by-layer manner. Firstly, the identity legality of the application program is authenticated. Only after the identity legality passes the authentication, will it trigger the authentication of whether the application program can access the application program block in the smart card, that is, to determine whether the application program block in the access control program block is compatible with the application program Whether the smart card application block information corresponding to the program identity information contains the smart card application block identifier carried in the application operation command, and only if the access legitimacy is passed, the authentication of the operation legitimacy is performed. In this authentication method, when the previous authentication is invalid, subsequent authentication is not required, which is beneficial to improve authentication processing efficiency.

步骤204、代理程序根据所述开放API接口函数所描述的函数形式,从所述操作指令中获取所述操作信息,所述操作信息包括控制域信息和数据域信息,其中所述控制域信息中包含智能卡应用程序块标识符;Step 204, the agent program obtains the operation information from the operation instruction according to the function form described by the open API interface function, and the operation information includes control domain information and data domain information, wherein the control domain information includes Contains the smart card application block identifier;

步骤205、代理程序将所述控制域信息和数据域信息添加到所述开放API接口函数对应的标准APDU指令中,并将该标准APDU指令发送给与所述智能卡应用程序块标识符对应的智能卡应用程序块,以使所述智能卡应用程序块根据所述标准APDU指令进行操作。Step 205, the agent program adds the control domain information and data domain information to the standard APDU instruction corresponding to the open API interface function, and sends the standard APDU instruction to the smart card corresponding to the smart card application block identifier an application program block, so that the smart card application program block operates according to the standard APDU instruction.

本实施例中,当应用程序鉴权通过后,代理程序便会执行应用程序对智能卡访问的处理过程。具体地,代理程序根据应用程序所调用的开放API接口函数所描述的函数形式,从接收到的操作指令中获取操作信息,该操作信息包括控制域信息和数据域信息,其中所述控制域信息中包含智能卡应用程序块标识符。之后,代理程序将所述控制域信息和数据域信息添加到所述开放API接口函数对应的标准APDU指令中,并将该添入操作信息的标准APDU指令发送给与所述智能卡应用程序块标识符对应的智能卡应用程序块,以使所述智能卡应用程序块根据所述标准APDU指令进行操作。In this embodiment, after the application program is authenticated, the agent program will execute the process of the application program accessing the smart card. Specifically, the agent program obtains the operation information from the received operation instruction according to the function form described by the open API interface function called by the application program, and the operation information includes control domain information and data domain information, wherein the control domain information Contains the smart card application block identifier. Afterwards, the agent program adds the control field information and the data field information to the standard APDU instruction corresponding to the open API interface function, and sends the standard APDU instruction adding operation information to the smart card application block identifier The smart card application program block corresponding to the symbol, so that the smart card application program block operates according to the standard APDU instruction.

本实施例提供的应用程序访问智能卡的方法,应用程序仅需代理程序提供的调用开放API接口函数将其操作指令发送给代理程序,由代理程序完成该应用程序对智能卡应用程序块的访问,大大降低了对开发者的能力要求以及应用程序的开发难度;在智能卡中仅需创建与代理程序对应的访问控制文件,大大节省了访问控制文件对智能卡存储空间等资源的占用;通过智能卡中可读写的访问控制程序块来完成对应用程序的鉴权,既克服了访问控制文件的形式所导致的智能卡资源占用问题,又大大提高了应用程序鉴权的处理效率。The application program that present embodiment provides accesses the method for smart card, and application program only needs to call the open API interface function provided by agent program to send its operation instruction to agent program, and complete this application program to the access of smart card application block by agent program, greatly It reduces the ability requirements for developers and the difficulty of application development; only the access control file corresponding to the agent program needs to be created in the smart card, which greatly saves the occupation of resources such as the storage space of the smart card by the access control file; it can be read through the smart card The written access control program block is used to complete the authentication of the application program, which not only overcomes the resource occupation problem of the smart card caused by the form of the access control file, but also greatly improves the processing efficiency of the application program authentication.

图3为本发明应用程序访问智能卡的装置实施例一的示意图,如图3所示,该装置包括:Fig. 3 is a schematic diagram of Embodiment 1 of a device for accessing a smart card by an application program of the present invention. As shown in Fig. 3, the device includes:

接收模块11,用于接收应用程序通过调用代理程序提供的开放API接口函数发送的操作指令,所述开放API接口函数由与所述操作指令相对应的标准APDU指令封装而成;The receiving module 11 is used to receive the operation instruction sent by the application program by calling the open API interface function provided by the agent program, and the open API interface function is encapsulated by the standard APDU instruction corresponding to the operation instruction;

发送模块12,用于将所述操作指令中的操作信息添加到与所述开放API接口函数对应的标准APDU指令中,并将该标准APDU指令发送给智能卡,以使所述智能卡根据所述标准APDU指令进行操作。The sending module 12 is used to add the operation information in the operation instruction to the standard APDU instruction corresponding to the open API interface function, and send the standard APDU instruction to the smart card, so that the smart card according to the standard APDU command to operate.

本实施例的装置可以用于执行图1所示方法实施例的技术方案,其实现原理和技术效果类似,此处不再赘述。The device of this embodiment can be used to execute the technical solution of the method embodiment shown in FIG. 1 , and its implementation principle and technical effect are similar, and details are not repeated here.

图4为本发明应用程序访问智能卡的装置实施例二的示意图,如图4所示,该装置在图3所示实施例的基础上,所述发送模块12包括:Fig. 4 is a schematic diagram of the second embodiment of the device for accessing the smart card by the application program of the present invention. As shown in Fig. 4, the device is based on the embodiment shown in Fig. 3, and the sending module 12 includes:

获取单元121,用于根据所述开放API接口函数所描述的函数形式,从所述操作指令中获取所述操作信息,所述操作信息包括控制域信息和数据域信息,其中所述控制域信息中包含智能卡应用程序块标识符;The obtaining unit 121 is configured to obtain the operation information from the operation instruction according to the function form described by the open API interface function, the operation information includes control field information and data field information, wherein the control field information contains the smart card application block identifier;

添加单元122,用于将所述控制域信息和数据域信息添加到所述开放API接口函数对应的标准APDU指令中,并将该标准APDU指令发送给与所述智能卡应用程序块标识符对应的智能卡应用程序块,以使所述智能卡应用程序块根据所述标准APDU指令进行操作。The adding unit 122 is used to add the control field information and data field information to the standard APDU instruction corresponding to the open API interface function, and send the standard APDU instruction to the smart card application block identifier corresponding to the A smart card application program block, so that the smart card application program block operates according to the standard APDU instruction.

进一步地,所述装置还包括:Further, the device also includes:

第一鉴权模块21,用于根据智能卡中的访问控制文件对所述代理程序进行鉴权,以确定所述代理程序是否能够访问智能卡,所述访问控制文件为预置入所述智能卡中的包含所述代理程序身份信息的只读文件;The first authentication module 21 is configured to authenticate the agent program according to the access control file in the smart card, to determine whether the agent program can access the smart card, and the access control file is pre-installed in the smart card A read-only file containing the identity information of the agent in question;

所述第一鉴权模块21根据智能卡中的访问控制文件对所述代理程序进行鉴权,以确定所述代理程序是否能够访问智能卡,包括:The first authentication module 21 authenticates the agent program according to the access control file in the smart card to determine whether the agent program can access the smart card, including:

第一鉴权模块21获取所述代理程序的标识信息;The first authentication module 21 obtains the identification information of the agent program;

第一鉴权模块21确定所述访问控制文件中的代理程序身份信息与所述标识信息是否一致,若一致,则所述代理程序能够访问智能卡。The first authentication module 21 determines whether the identity information of the agent program in the access control file is consistent with the identification information, and if they are consistent, the agent program can access the smart card.

进一步地,所述装置还包括:Further, the device also includes:

第二鉴权模块22,用于调用智能卡中的访问控制程序块对所述应用程序进行鉴权,所述访问控制程序块为预置入智能卡中的包含已授权应用程序权限信息的可读写应用程序块;The second authentication module 22 is used to call the access control program block in the smart card to authenticate the application program. application block;

其中,所述已授权应用程序权限信息包括:Wherein, the authorized application permission information includes:

已授权应用程序的身份信息、与所述身份信息对应的智能卡应用程序块信息和与所述智能卡应用程序块信息对应的访问类型信息;Identity information of an authorized application, smart card application block information corresponding to the identity information, and access type information corresponding to the smart card application block information;

所述第二鉴权模块22调用智能卡中的访问控制程序块对所述应用程序进行鉴权,包括:The second authentication module 22 calls the access control program block in the smart card to authenticate the application program, including:

第二鉴权模块22将从所述操作指令中获取的鉴权信息发送给所述访问控制程序块,所述鉴权信息包括所述应用程序的标识信息、操作类型和待访问的智能卡应用程序块标识符;The second authentication module 22 sends the authentication information obtained from the operation instruction to the access control program block, and the authentication information includes the identification information of the application program, the operation type and the smart card application program to be accessed block identifier;

所述访问控制程序块确定所述已授权应用程序的身份信息中是否包含所述应用程序的标识信息,以确定所述应用程序的身份合法性;The access control program block determines whether the identity information of the authorized application program includes the identification information of the application program, so as to determine the legality of the identity of the application program;

若合法,则所述访问控制程序确定与所述身份信息对应的智能卡应用程序块信息中是否包含所述待访问的智能卡应用程序块标识符,以确定所述应用程序的访问合法性;If it is legal, the access control program determines whether the smart card application block information corresponding to the identity information contains the smart card application block identifier to be accessed, so as to determine the legitimacy of the application;

若合法,则所述访问控制程序确定与所述智能卡应用程序块对应的访问类型信息中是否包含所述操作类型,以确定所述应用程序的操作合法性。If it is legal, the access control program determines whether the access type information corresponding to the smart card application program block contains the operation type, so as to determine the operation validity of the application program.

本实施例的装置可以用于执行图2所示方法实施例的技术方案,其实现原理和技术效果类似,此处不再赘述。The device in this embodiment can be used to implement the technical solution of the method embodiment shown in FIG. 2 , and its implementation principle and technical effect are similar, and details are not repeated here.

本领域普通技术人员可以理解:实现上述方法实施例的全部或部分步骤可以通过程序指令相关的硬件来完成,前述的程序可以存储于一计算机可读取存储介质中,该程序在执行时,执行包括上述方法实施例的步骤;而前述的存储介质包括:ROM、RAM、磁碟或者光盘等各种可以存储程序代码的介质。Those of ordinary skill in the art can understand that all or part of the steps for realizing the above-mentioned method embodiments can be completed by hardware related to program instructions, and the aforementioned program can be stored in a computer-readable storage medium. When the program is executed, the It includes the steps of the above method embodiments; and the aforementioned storage medium includes: ROM, RAM, magnetic disk or optical disk and other various media that can store program codes.

最后应说明的是:以上各实施例仅用以说明本发明的技术方案,而非对其限制;尽管参照前述各实施例对本发明进行了详细的说明,本领域的普通技术人员应当理解:其依然可以对前述各实施例所记载的技术方案进行修改,或者对其中部分或者全部技术特征进行等同替换;而这些修改或者替换,并不使相应技术方案的本质脱离本发明各实施例技术方案的范围。Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of the present invention, rather than limiting them; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that: It is still possible to modify the technical solutions described in the foregoing embodiments, or perform equivalent replacements for some or all of the technical features; and these modifications or replacements do not make the essence of the corresponding technical solutions deviate from the technical solutions of the various embodiments of the present invention. scope.

Claims (8)

1. the method that an application program accesses smart card, it is characterised in that including:
Agent receives application program by calling the operational order that opening API interface function sends, institute State opening API interface function to be formed by the standard APDU instruction encapsulation corresponding with described operational order;
Operation information in described operational order is added to and described opening API interface function by Agent In corresponding standard APDU instruction, and the instruction of this standard APDU is sent to smart card, so that described Smart card operates according to the instruction of described standard APDU;
Operation information in described operational order is added to and described opening API interface by described Agent In the standard APDU instruction that function is corresponding, and the instruction of this standard APDU is sent to smart card, so that Described smart card operates according to the instruction of described standard APDU, including:
Agent, according to the functional form described by described opening API interface function, refers to from described operation Obtaining described operation information in order, described operation information includes controlling domain information and data domain information, wherein Described control domain information comprises application program of intelligent card block identifier;
Agent adds described control domain information and data domain information to described opening API interface function In corresponding standard APDU instruction, and the instruction of this standard APDU is sent to and described application of IC cards The application program of intelligent card block that brick identifier is corresponding, so that described application program of intelligent card tuber is according to institute State the instruction of standard APDU to operate.
Method the most according to claim 1, it is characterised in that described Agent receives application journey Before sequence is by calling the operational order that opening API interface function sends, also include:
Terminal access controls program and reflects described Agent according to the access control file in smart card Power, to determine whether described Agent is able to access that smart card, described access controls file for insert in advance The read-only file comprising described Agent identity information in described smart card.
Method the most according to claim 2, it is characterised in that described terminal access controls program root Control file according to the access in smart card described Agent to be authenticated, to determine described Agent Whether it is able to access that smart card, including:
Terminal access controls program and obtains the identification information of described Agent;
Terminal access controls program and determines that the described Agent identity information controlled in file that accesses is with described Identification information is the most consistent, if unanimously, the most described Agent is able to access that smart card.
Method the most according to claim 1, it is characterised in that described Agent is by described operation Operation information in instruction adds the standard APDU instruction corresponding with described opening API interface function to In, and the instruction of this standard APDU is sent to smart card, so that described smart card is according to described standard Before APDU instruction operates, also include:
Described application program is authenticated by the access control program block that Agent calls in smart card, institute State access control program block be pre-insert in smart card comprise the readable of authorized applications authority information Write application blocks.
Method the most according to claim 4, it is characterised in that the described authority of authorized applications Information includes:
The application program of intelligent card block that the identity information of authorized applications is corresponding with described identity information Information and the access type information corresponding with described application program of intelligent card block message;
Described application program is reflected by the access control program block that described Agent calls in smart card Power, including:
The authentication information obtained from described operational order is sent to described access control program by Agent Block, described authentication information includes the identification information of described application program, action type and intelligence to be visited Card application block identifier;
Described access control program block determine described in authorized applications identity information in whether comprise institute State the identification information of application program, to determine the identity legitimacy of described application program;
If legal, the most described access control program block determines the application of IC cards corresponding with described identity information Whether brick information comprises described application program of intelligent card block identifier to be visited, described to determine The access legitimacy of application program;
If legal, the most described access control program block determines corresponding with described application program of intelligent card block message Access type information in whether comprise described action type, legal to determine the operation of described application program Property.
6. the device of an application program access smart card, it is characterised in that including: receiver module, use Refer in the operation receiving the opening API interface function transmission that application program provides by calling Agent Order, described opening API interface function is by the standard APDU instruction encapsulation corresponding with described operational order Form;
Sending module, connects with described opening API for the operation information in described operational order being added to In the standard APDU instruction that mouth function is corresponding, and the instruction of this standard APDU is sent to smart card, with Described smart card is made to operate according to the instruction of described standard APDU;
Described sending module includes:
Acquiring unit, for according to the functional form described by described opening API interface function, from described Obtaining described operation information in operational order, described operation information includes controlling domain information and data domain information, Wherein said control domain information comprises application program of intelligent card block identifier;
Adding device, connects for adding described control domain information and data domain information to described opening API In the standard APDU instruction that mouth function is corresponding, and the instruction of this standard APDU is sent to and described intelligence The application program of intelligent card block that card application block identifier is corresponding, so that described application program of intelligent card block Operate according to the instruction of described standard APDU.
Device the most according to claim 6, it is characterised in that also include:
First authentication module, is carried out described Agent for controlling file according to the access in smart card Authentication, to determine whether described Agent is able to access that smart card, it is preset that described access controls file Enter the read-only file comprising described Agent identity information in described smart card;
Described first authentication module controls file according to the access in smart card and reflects described Agent Power, to determine whether described Agent is able to access that smart card, including:
First authentication module obtains the identification information of described Agent;
First authentication module determines the described Agent identity information and described mark accessing and controlling in file Information is the most consistent, if unanimously, the most described Agent is able to access that smart card.
Device the most according to claim 6, it is characterised in that also include:
Second authentication module, enters described application program for the access control program block called in smart card Row authentication, described access control program block be pre-insert in smart card comprise authorized applications authority The read-write application blocks of information;
Wherein, the described authority information of authorized applications includes:
The application program of intelligent card block that the identity information of authorized applications is corresponding with described identity information Information and the access type information corresponding with described application program of intelligent card block message;
Described application program is carried out by the access control program block that described second authentication module is called in smart card Authentication, including:
The authentication information obtained from described operational order is sent to described access and controls by the second authentication module Brick, described authentication information includes the identification information of described application program, action type and to be visited Application program of intelligent card block identifier;
Described access control program block determine described in authorized applications identity information in whether comprise institute State the identification information of application program, to determine the identity legitimacy of described application program;
If legal, the most described access control program determines the application of IC cards journey corresponding with described identity information Whether sequence block message comprises described application program of intelligent card block identifier to be visited, to determine described answering By the access legitimacy of program;
If legal, the most described access control program determines the access corresponding with described application program of intelligent card block Whether type information comprises described action type, to determine the operation validity of described application program.
CN201310379209.9A 2013-08-27 2013-08-27 Method and device for application program to access smart card Active CN103455349B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310379209.9A CN103455349B (en) 2013-08-27 2013-08-27 Method and device for application program to access smart card

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310379209.9A CN103455349B (en) 2013-08-27 2013-08-27 Method and device for application program to access smart card

Publications (2)

Publication Number Publication Date
CN103455349A CN103455349A (en) 2013-12-18
CN103455349B true CN103455349B (en) 2016-08-10

Family

ID=49737756

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310379209.9A Active CN103455349B (en) 2013-08-27 2013-08-27 Method and device for application program to access smart card

Country Status (1)

Country Link
CN (1) CN103455349B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105472605B (en) * 2014-08-15 2019-01-22 中国电信股份有限公司 Method for authenticating, multifunctional universal smart card and mobile terminal are called in mobile phone application
CN105243407B (en) * 2015-10-09 2018-12-07 腾讯科技(深圳)有限公司 Read and write the method and device of smart card
CN105426239A (en) * 2015-11-03 2016-03-23 大唐微电子技术有限公司 Method and device for invoking local method in Java card
CN106201573B (en) * 2016-06-23 2019-07-30 青岛海信移动通信技术股份有限公司 A kind of method and terminal for realizing OMAPI function
CN106899959B (en) * 2017-01-16 2020-09-25 腾讯科技(深圳)有限公司 Method, device, terminal and system for obtaining SIM card information
CN108733487A (en) * 2018-04-19 2018-11-02 深圳市文鼎创数据科技有限公司 The more application management methods of Java card and Java card
CN111125687A (en) * 2018-11-01 2020-05-08 北京润信恒达科技有限公司 Method and system for developing application program in secure element
CN111045750B (en) * 2019-12-19 2023-07-07 飞天诚信科技股份有限公司 Method for automatically matching application programs on multi-application device and electronic device
CN111711724A (en) * 2020-06-10 2020-09-25 中国联合网络通信集团有限公司 Rights management method, system, computer equipment and storage medium
CN113536294B (en) * 2021-07-13 2023-03-24 星汉智能科技股份有限公司 Method, device and readable medium for tracking card end and terminal instruction interaction
CN117098134B (en) * 2023-10-17 2024-01-26 湖北星纪魅族集团有限公司 Security control method, terminal, and non-transitory computer-readable storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101557442A (en) * 2008-04-08 2009-10-14 华为技术有限公司 Method and system for merging call center and third-party industry application server
CN101895883A (en) * 2010-06-04 2010-11-24 中国联合网络通信集团有限公司 Smart card supporting authentication arithmetic update and method for updating authentication arithmetic
CN102547661A (en) * 2011-12-16 2012-07-04 北京握奇数据系统有限公司 Method and device for establishing communication between Android system and telecommunications smart card
CN102740272A (en) * 2011-04-14 2012-10-17 北京中电华大电子设计有限责任公司 Method for realizing interaction of mobile phone application with SIM card through custom interface
CN102880897A (en) * 2011-07-14 2013-01-16 中国移动通信集团公司 Application data sharing method of smart card and smart card

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101557442A (en) * 2008-04-08 2009-10-14 华为技术有限公司 Method and system for merging call center and third-party industry application server
CN101895883A (en) * 2010-06-04 2010-11-24 中国联合网络通信集团有限公司 Smart card supporting authentication arithmetic update and method for updating authentication arithmetic
CN102740272A (en) * 2011-04-14 2012-10-17 北京中电华大电子设计有限责任公司 Method for realizing interaction of mobile phone application with SIM card through custom interface
CN102880897A (en) * 2011-07-14 2013-01-16 中国移动通信集团公司 Application data sharing method of smart card and smart card
CN102547661A (en) * 2011-12-16 2012-07-04 北京握奇数据系统有限公司 Method and device for establishing communication between Android system and telecommunications smart card

Also Published As

Publication number Publication date
CN103455349A (en) 2013-12-18

Similar Documents

Publication Publication Date Title
CN103455349B (en) Method and device for application program to access smart card
EP2988470B1 (en) Automatic purposed-application creation
EP3337219B1 (en) Carrier configuration processing method, device and system, and computer storage medium
US9973583B2 (en) Method for accessing a service, corresponding device and system
US10833715B2 (en) Embedded subscriber identity module including communication profiles
CN109474650B (en) A configuration file download method and terminal
CN111479259B (en) SIM card configuration distribution method and system
KR20130012243A (en) Method for changing mno of embedded sim based on privilege, embedded sim and recording medium for the same
CN104967997A (en) A wireless network access method, Wi-Fi equipment, terminal equipment and system
WO2018108132A1 (en) Access control method and system, electronic device, and computer storage medium
CN102149083A (en) Personalized card writing method, system and device
US9390259B2 (en) Method for activating an operating system in a security module
WO2019041086A1 (en) Information verification method and related equipment
CN103442012B (en) Method and device that CAMEL-Subscription-Information migrates is realized between internet of things equipment
WO2022165771A1 (en) Virtual electronic card management method and system, security chip, terminal, and storage medium
JP2019153310A (en) Information processing apparatus, information processing method, and program
CN106576239B (en) Method and device for content management in a security unit
US10531296B2 (en) Method for loading a subscription into an embedded security element of a mobile terminal
CN103595573B (en) Method and device for issuing strategy rules
CN112514323A (en) Electronic device for processing digital key and operation method thereof
CN109699030B (en) UAV authentication method, apparatus, device and computer readable storage medium
CN113993124B (en) Number portability method, number portability device, communication terminal and storage medium
CN102547661B (en) Method and device for establishing communication between Android system and telecommunications smart card
CN112464222B (en) Security device, corresponding system, method and computer program product
CN110366161B (en) Card opening method and device, related equipment and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant