Verifying CAP Files

The verifycap tool verifies a CAP file within the context of the package's export file (if any) and the export files of imported packages. This verification confirms that a CAP file is internally consistent, as defined in the Virtual Machine Specification, Java Card Platform, Version 3.0.5, Classic Edition, and consistent with a context in which it can reside in a Java Card technology-enabled device.

To ensure the integrity of the CAP file to be downloaded on a card, the verifier computes and outputs hash values for each of the required CAP file components. To write the hash values to a text file, specify the command line parameter -outfile hash-file-path. If the -outfile parameter is not specified, the verifier writes the hash values to the console. A CAP file loader should compute the hash values for each of the required CAP components and verify them against the hash values produced by the verifier to assert the integrity of the CAP file being loaded on the card. The scriptgen tool in the Java Card Development Kit performs the hash computation and comparison before generating the download script for a CAP file. For more information about the scriptgen tool, see Running scriptgen.
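The loader-side comparison described above, as an added example that is not part of the original guide or of the Java Card Development Kit. It assumes a hash file with one Component=hexdigest pair per line and that each hash covers the full bytes of the component's .cap entry in the CAP archive (the verifier's actual output layout is not given here); the sample CAP contents are constructed.

```python
import hashlib
import io
import zipfile

def component_hashes(cap_bytes, algorithm="sha256"):
    """Digest each *.cap component stored in a CAP (JAR/ZIP) archive."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(cap_bytes)) as jar:
        for info in jar.infolist():
            if not info.filename.endswith(".cap"):
                continue
            name = info.filename.rsplit("/", 1)[-1][:-4]
            if name in digests:  # a second entry could shadow the hashed one
                raise ValueError(f"duplicate component entry: {name}")
            digests[name] = hashlib.new(algorithm, jar.read(info)).hexdigest()
    return digests

def parse_hash_file(text):
    """Assumed layout (not from the guide): 'Component=hexdigest' per line."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip().lower() for k, v in pairs}

def check_cap(cap_bytes, reference, algorithm="sha256"):
    """Return a list of problems; an empty list means every hash matched."""
    actual = component_hashes(cap_bytes, algorithm)
    problems = []
    for name, expected in reference.items():
        if name not in actual:
            problems.append(f"{name}: listed in hash file, missing from CAP")
        elif actual[name] != expected:
            problems.append(f"{name}: hash mismatch")
    problems += [f"{n}: in CAP, no reference hash" for n in actual if n not in reference]
    return problems

def build_cap(components):
    """Constructed sample: a ZIP with components under <package>/javacard/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in components.items():
            jar.writestr(f"com/example/javacard/{name}.cap", data)
    return buf.getvalue()

if __name__ == "__main__":
    good = {"Header": b"\x01\x00\x02", "Method": b"\x07\x00\x03"}  # constructed bytes
    cap = build_cap(good)
    ref = parse_hash_file("\n".join(f"{k}={v}" for k, v in component_hashes(cap).items()))
    print(check_cap(cap, ref))  # unmodified CAP
    print(check_cap(build_cap({**good, "Method": b"\x07\x00\x04"}), ref))  # one byte changed
```

A component that is present in the CAP but has no reference hash is reported as well, so content the verifier never hashed cannot be loaded unnoticed.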

Each individual export file is verified as a single unit. The scenario is shown in Figure 13-1. In the figure, the package p2 CAP file is being verified. Package p2 has a dependency on package p1, so the export file from package p1 is also input. The p2.exp file is only required if p2.cap exports any of its elements.

Figure 13-1 Verifying a CAP file


Running verifycap

verifycap is invoked through a batch file (verifycap.bat), which you must run from the JC_CLASSIC_HOME\bin working directory for it to execute properly.

To run verifycap:

  1. Enter the following command (Table 13-1 describes the available options):

    verifycap.bat [options] export-files CAP-file

Table 13-1 verifycap Command Line Arguments

Argument
    Description

export-files
    A list of export files of the packages that this CAP file uses.

CAP-file
    Name of the CAP file to be verified.

-digest digest-algorithm-name
    Specifies the digest algorithm to use for computing hash values for required CAP components. If this option is not specified or an invalid algorithm name is specified, the verifier uses SHA-256 as the default algorithm.

-outfile hash-output-file-path
    Specifies the path to the text file that the verifier uses to output the computed hash values for the required CAP components. If this option is not specified, hash values are output to the system console.

Command Line Options for Off-Card Verifier Tools describes additional verifycap options.