4 Replies. Latest reply: Mar 7, 2012 9:25 AM by 801926

    CVM

    Bluefairy
      Hi,
      I want to write an applet which creates a Global PIN. Just to get a general view, what are the steps?
      And by the way, where will this Global PIN actually be stored? In my applet or in the ISD?

      -Thanks in advance
        • 1. Re: CVM
          safarmer
          Hi,

          The global PIN is the GP CVM (GPSystem.getCVM(GPSystem.CVM_GLOBAL_PIN)). This is a single PIN instance that is stored in the card manager (OPEN). Your applet needs Manage CVM privileges to be able to set the PIN etc. Your applet would be able to set the PIN and others would be able to verify the PIN and interrogate the verification state.

          Cheers,
          Shane
          • 2. Re: CVM
            Bluefairy
            Hi Shane,
            I'm happy you're back. As you can see, some questions stay unanswered when you're not here, and that's sad. I hope you never leave the Java Card world! :-)

            Back to our main discussion: if I buy a GP support card and then write, for example, a helloworld applet and just call the GPSystem.getCVM(GPSystem.CVM_GLOBAL_PIN) method in my applet, will this give me the handle to the CVM of the card manager? (Assuming that I have set the CVM support privilege when installing my applet onto the card.) I mean, the card manufacturer is the one that implements the CVM, and I as an app provider just call the method and use the Global PIN?

            I looked at the CVM in GP spec 2.2, but I didn't find a method or anything which says what the initial value of the GLOBAL_PIN is. Does the card manufacturer (who, in my assumption, is the one that creates the Global PIN and thus knows this initial value) have to tell this to its customers?

            -Thanks as always
            • 3. Re: CVM
              safarmer
              Hi,
              > I'm happy you're back. As you can see, some questions stay unanswered when you're not here, and that's sad. I hope you never leave the Java Card world! :-)

              Yes, my posts have not been as frequent lately, but that is due to doing more coding and learning, so hopefully my answers are going to be getting better.

              > Back to our main discussion: if I buy a GP support card and then write, for example, a helloworld applet and just call the GPSystem.getCVM(GPSystem.CVM_GLOBAL_PIN) method in my applet, will this give me the handle to the CVM of the card manager? (Assuming that I have set the CVM support privilege when installing my applet onto the card.) I mean, the card manufacturer is the one that implements the CVM, and I as an app provider just call the method and use the Global PIN?

              The CVM is implemented as a part of the GP API for the JCRE. The CVM is just a global object. You can think of it as a singleton PIN object accessible to all applets. You only need the CVM management privilege to update the PIN. You don't need this to verify a PIN or check the PIN verification state. As an applet developer you can simply call the methods provided. The card provider will implement the details of CVM for you.

              > I looked at the CVM in GP spec 2.2, but I didn't find a method or anything which says what the initial value of the GLOBAL_PIN is. Does the card manufacturer (who, in my assumption, is the one that creates the Global PIN and thus knows this initial value) have to tell this to its customers?

              There is no initial PIN set (as far as I know), but this could be implementation specific. You can check the state of the CVM, and if it is active you can assume there is a PIN.

              As an applet developer, if your applet has CVM management then you can update the PIN without knowledge of the current PIN. You may be able to enforce that a PIN can only be updated when the current PIN has been verified or if there is an active secure channel for security, but with management rights you can update the CVM at will.

              Cheers,
              Shane
              • 4. Re: CVM
                801926
                At least for JCOP there is a default CVM PIN set during production. Anyway, the one who knows the CM keys can install an applet with CVM privilege and override it without proof of knowledge of the previous CVM PIN.
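
The calls discussed in this thread, put together as an added example (not code from any of the posters): an applet that verifies the Global PIN without special privileges and only updates it when the current PIN has been verified or the secure channel is authenticated, the restriction suggested in reply 3. The package and class names, the INS values, the 8-byte length cap and the ASCII PIN format are assumptions of this sketch; the update succeeds only if the applet was installed with the CVM Management privilege.

```java
package example.cvmdemo; // hypothetical package name

import javacard.framework.*;
import org.globalplatform.CVM;
import org.globalplatform.GPSystem;
import org.globalplatform.SecureChannel;

public class GlobalPinDemo extends Applet {
    // Constructed instruction bytes and PIN length cap for this example.
    private static final byte INS_VERIFY = (byte) 0x20;
    private static final byte INS_CHANGE = (byte) 0x24;
    private static final short MAX_PIN_LEN = 8;

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new GlobalPinDemo().register();
    }

    public void process(APDU apdu) {
        if (selectingApplet()) return;
        byte[] buf = apdu.getBuffer();
        short lc = apdu.setIncomingAndReceive(); // command data = PIN bytes (assumed unwrapped)
        if (lc < 1 || lc > MAX_PIN_LEN) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);

        // Handle to the single Global PIN object held by the card manager (OPEN).
        CVM cvm = GPSystem.getCVM(GPSystem.CVM_GLOBAL_PIN);
        if (cvm == null) ISOException.throwIt(ISO7816.SW_FUNC_NOT_SUPPORTED);

        switch (buf[ISO7816.OFFSET_INS]) {
        case INS_VERIFY: // any applet may verify; no CVM Management privilege needed
            if (!cvm.isActive()) // not active: no PIN can be assumed to exist
                ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
            if (cvm.verify(buf, ISO7816.OFFSET_CDATA, (byte) lc, CVM.FORMAT_ASCII) != CVM.CVM_SUCCESS)
                ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
            break;
        case INS_CHANGE:
            // Applet-side policy: the platform does not ask for the old PIN,
            // so require a verified PIN or an authenticated secure channel here.
            SecureChannel sc = GPSystem.getSecureChannel();
            boolean authenticated = (sc.getSecurityLevel() & SecureChannel.AUTHENTICATED) != 0;
            if (!cvm.isVerified() && !authenticated)
                ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
            // update() returns false when the applet lacks the privilege or the data is rejected.
            if (!cvm.update(buf, ISO7816.OFFSET_CDATA, (byte) lc, CVM.FORMAT_ASCII))
                ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
            break;
        default:
            ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }
}
```

This policy binds only this applet: as replies 3 and 4 point out, any other applet installed with the CVM privilege can still replace the Global PIN, so applets relying on it inherit the trust placed in whoever holds the card manager keys.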