[Original] PKCS#15 - Overview

Published: 2011-12-12 18:05
Category: PKI


PKCS15 Objects Hierarchy

[Figure: PKCS #15 object hierarchy]

Card file structure

[Figure: Typical PKCS15 card layout]

[Figure: Contents of DF(PKCS15) (example)]

EF(DIR) under the MF

If an EF(DIR) is present, it holds one or more application templates, each of which contains at least two items:

1. Application Identifier (tag '4F'H)

2. Path (tag '51'H)


DIRRecord ::= [APPLICATION 1] SEQUENCE {
    aid   [APPLICATION 15] OCTET STRING,
    label [APPLICATION 16] UTF8String OPTIONAL,
    path  [APPLICATION 17] OCTET STRING,
    ddo   [APPLICATION 19] DDO OPTIONAL
}

Why use this EF at all?

1. The card may hold several DFs; EF(DIR) acts as an index to them.

2. This provides a way for issuers to use non-standard file identifiers for these files without sacrificing interoperability. It also provides card issuers with the opportunity to share TokenInfo files between PKCS #15 applications, when several PKCS #15 applications reside on one card.
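To make the EF(DIR) record concrete, here is an added example (not code from the original post or from the PKCS #15 specification) that decodes one BER-TLV application template into the DIRRecord fields above and checks whether its AID names the PKCS #15 application. The sample record, the label "Example" and the path 3F00/5015 are constructed for illustration; the RID and the AID rule RID || "PKCS-15" are the ones quoted on this page.

```python
# BER tags derived from the DIRRecord ASN.1 above (APPLICATION class = 0x40, constructed = 0x20):
# [APPLICATION 1] -> 0x61, 15 -> 0x4F, 16 -> 0x50, 17 -> 0x51, 19 (DDO, constructed) -> 0x73.
TAG_TEMPLATE, TAG_AID, TAG_LABEL, TAG_PATH, TAG_DDO = 0x61, 0x4F, 0x50, 0x51, 0x73
PKCS15_RID = bytes.fromhex("A000000063")   # RID quoted in the text
PKCS15_AID = PKCS15_RID + b"PKCS-15"       # AID = RID || "PKCS-15"

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for one single-byte-tag BER TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 1..2 length bytes follow
        n = length & 0x7F
        if n == 0 or n > 2 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):                      # never trust the card's length field
        raise ValueError("TLV value exceeds buffer")
    return tag, buf[pos:end], end

def parse_dir_record(data: bytes) -> dict:
    """Decode one application template into {'aid', 'label', 'path', 'ddo'}."""
    tag, body, _ = read_tlv(data, 0)
    if tag != TAG_TEMPLATE:
        raise ValueError(f"expected application template tag 61, got {tag:02X}")
    fields, pos = {}, 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        if t in fields:
            raise ValueError(f"duplicate tag {t:02X} in template")
        fields[t] = v
    if TAG_AID not in fields or TAG_PATH not in fields:
        raise ValueError("aid (4F) and path (51) are mandatory")
    label = fields.get(TAG_LABEL)
    return {"aid": fields[TAG_AID], "path": fields[TAG_PATH],
            "label": label.decode("utf-8") if label is not None else None,
            "ddo": fields.get(TAG_DDO)}

def is_pkcs15_application(rec: dict) -> bool:
    """True when the template's AID names the PKCS #15 application (RID || "PKCS-15")."""
    return rec["aid"].startswith(PKCS15_AID)

# Constructed sample record (not from a real card): AID = RID || "PKCS-15", label "Example",
# path 3F00/5015 (3F00 is the MF; 5015 is a hypothetical identifier for DF(PKCS15)).
SAMPLE = bytes.fromhex("611D 4F0C A000000063 504B43532D3135 5007 4578616D706C65 5104 3F005015")
```

Calling parse_dir_record(SAMPLE) yields the AID, the label "Example" and the path bytes 3F00 5015; a record whose length field overruns the data is rejected instead of being read past its end.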


Now let's look at what is inside DF(PKCS15):

EF(ODF)

It is effectively the top-level directory: it points to the remaining EFs (PrKDFs, PuKDFs, SKDFs, CDFs, DODFs and AODFs). The files it points to are themselves directories (a second level of directories).

Private Key Directory Files (PrKDFs)

There can be several of these directory files, and there must be at least one (normally there is exactly one). They contain general key attributes such as labels, intended usage, identifiers, etc. When applicable, they also contain cross-reference pointers to authentication objects used to protect access to the keys. Furthermore, they contain pointers to the keys themselves.

Public Key Directory Files (PuKDFs)

These are similar to PrKDFs. One point to note: a public key and its private key must share the same identifier; in the EF(ODF) figure this is the dashed line between PrKDFs and PuKDFs. Likewise, if the public key has a corresponding certificate, that certificate must share the same id, which is also drawn as a dashed line in the figure. They contain general key attributes such as labels, intended usage, identifiers, etc. Furthermore, they contain pointers to the keys themselves.

Secret Key Directory Files (SKDFs)

There can be several of these directory files, and there must be at least one (normally there is exactly one). They contain general key attributes such as labels, intended usage, identifiers, etc. When applicable, they also contain cross-reference pointers to authentication objects used to protect access to the keys. Furthermore, they contain pointers to the keys themselves.

Certificate Directory Files (CDFs)

There can be several of these directory files, and there must be at least one (normally one or two). In the specification's own words: They contain general certificate attributes such as labels, identifiers, etc. When a certificate contains a public key whose private key also resides on the card, the certificate and the private key must share the same identifier. Furthermore, certificate directory files contain pointers to the certificates themselves. There can be any number of CDFs in a PKCS #15 DF, but it is anticipated that in the normal case there will only be one or two (one for trusted certificates and one which the cardholder may update).

Data Object Directory Files (DODFs)

There can be several of these directory files, and there must be at least one (normally there is exactly one). They contain general data object attributes such as identifiers of the application to which the data object belongs, whether it is a private or public object, etc. Furthermore, they contain pointers to the data objects themselves.

Authentication Object Directory Files (AODFs)

There can be any number of AODFs in a PKCS #15 DF, but it is anticipated that in most cases there will only be one or two. They contain generic authentication object attributes such as (in the case of PINs) allowed characters, PIN length, PIN padding character, etc. Furthermore, they contain pointers to the authentication objects themselves (e.g. in the case of PINs, pointers to the DF in which the PIN file resides).

EF(TokenInfo)

The mandatory TokenInfo elementary file with transparent structure shall contain generic information about the card as such and its capabilities, as seen by the PKCS15 application. This information includes the card serial number, supported file types, algorithms implemented on the card, etc.

EF(UnusedSpace)

The optional UnusedSpace elementary file with transparent structure is used to keep track of unused space in already created elementary files. When present, it must initially contain at least one record pointing to an empty space in a file that is possible to update by the cardholder.


Other elementary files in the PKCS #15 directory

These (optional) files will contain the actual values of objects (such as private keys, public keys, secret keys, certificates and application specific data) referenced from within PrKDFs, SKDFs, PuKDFs, CDFs or DODFs.


File identifiers

The following file identifiers are defined for the PKCS15 files. Note that the RID (see ISO/IEC 7816-5) is A0 00 00 00 63.

File           DF   File Identifier (relative to nearest DF)
MF             X    '3F00'H (ISO/IEC 7816-4)
DIR                 '2F00'H (ISO/IEC 7816-4)
PKCS15         X    Decided by application issuer (AID is RID || "PKCS-15")
ODF                 '5031'H by default (but see also Section 6.4.1)
TokenInfo           '5032'H by default (but see also Section 6.4.1)
UnusedSpace         '5033'H by default (but see also Section 6.4.1)
AODFs               Decided by application issuer
PrKDFs              Decided by application issuer
PuKDFs              Decided by application issuer
SKDFs               Decided by application issuer
CDFs                Decided by application issuer
DODFs               Decided by application issuer
Other EFs           Decided by application issuer
- (Reserved)        '5034'H - '5100'H (Reserved for future use)