-
Type:
Bug
-
Resolution: Duplicate
-
Priority:
P2
-
None
-
Affects Version/s: 6
-
Component/s: security-libs
-
None
-
generic
-
generic
Problem description:
====================
specification for
javax.smartcardio (package summary)
javax.smartcardio.CommandAPDU
javax.smartcardio.ResponseAPDU
javax.smartcardio.ATR
mentions that listed classes conforms to ISO/IEC 7816-4 standard.
But actually they conforms only partially. They conforms from data structures point of view but they allow to put invalid (according to ISO/IEC 7816-4 standard) data to such structures.
Example:
Ctors of javax.smartcardio.CommandAPDU class takes any value of instruction byte without any rescrictions but ISO/IEC 7816-4 (clause 5.4.2, table 10) says clear that for example all odd values are invalid.
The same situation in other classes - they check only format of incoming data, but do't check is the content of that data valid according to ISO/IEC 7816.
So, specification for listed above classes should clarify that it conforms to ISO/IEC 7816-4 only partially (from data structures point of view).
====================
specification for
javax.smartcardio (package summary)
javax.smartcardio.CommandAPDU
javax.smartcardio.ResponseAPDU
javax.smartcardio.ATR
mentions that listed classes conforms to ISO/IEC 7816-4 standard.
But actually they conforms only partially. They conforms from data structures point of view but they allow to put invalid (according to ISO/IEC 7816-4 standard) data to such structures.
Example:
Ctors of javax.smartcardio.CommandAPDU class takes any value of instruction byte without any rescrictions but ISO/IEC 7816-4 (clause 5.4.2, table 10) says clear that for example all odd values are invalid.
The same situation in other classes - they check only format of incoming data, but do't check is the content of that data valid according to ISO/IEC 7816.
So, specification for listed above classes should clarify that it conforms to ISO/IEC 7816-4 only partially (from data structures point of view).
- duplicates
-
-
- Resolved
-