Summary of the invention
In view of this, the invention provides a kind of multi-application smart card, can control application program and dynamic-configuration application program operation authority in the multi-application smart card.
The present invention also provides a kind of smart card methods of using that realize more, can control application program and dynamic-configuration application program operation authority in the multi-application smart card.
For achieving the above object, the technical scheme of the embodiment of the invention specifically is achieved in that
A kind of multi-application smart card, this multi-application smart card comprises: application manager and Authorization Manager, wherein,
Described application manager is used for sending application program mandate analysis request to described Authorization Manager; Whether decision allows this application program operation according to the application program mandate analysis result that returns, and the application builds runtime environment for being allowed to move, and loads and starts this application program;
Described Authorization Manager is used for resolving the authorization message of this application program, and returning application program mandate analysis result according to the described application program mandate analysis request that receives.
Preferably, described Authorization Manager comprises authorizes resolution unit and authorizes storage unit, wherein,
Described mandate resolution unit is used for according to the mandate analysis request that receives, and inquires about and obtain the authorization message of corresponding application program from described mandate storage unit, resolves the authorization message and the return authorization information analysis result that are obtained;
Described mandate storage unit is used to preserve the authorization message of application program.
Preferably, the authorization message of described application program comprises the application license grant clause, or, use license grant clause and module license grant clause.
Preferably, described mandate resolution unit receives the application mandate analysis request from application manager, inquiry and obtain the corresponding license grant clause of using from described mandate storage unit is resolved the license grant clause that obtained and to the analysis result of application manager return authorization clause;
Preserve the application license grant clause of this application program in the described mandate storage unit.
Preferably, when described mandate resolution unit does not inquire the application license grant clause of corresponding application program in described mandate storage unit, further return the undelegated sign of this application program of expression to application manager;
Described application manager is forbidden the operation of corresponding application program according to described sign.
Preferably, described mandate resolution unit further receives the module mandate analysis request of the designated module that described application program sends by application runtime, from described mandate storage unit query and obtain the module license grant clause of the correspondence of this application program, resolve this module license grant clause and return module license grant clause analysis result to corresponding application program;
Described mandate storage unit is preserved the module license grant clause of this application program designated module.
Preferably, when described mandate resolution unit fails to inquire the module license grant clause of respective modules in described mandate storage unit, further return the sign that does not find the module license grant clause to using journey.
Preferably, described Authorization Manager further comprises: authorize load units, be used for verifying from the authorization message installation kit of outside to receiving, if the verification passes, from the authorization message installation kit, obtain authorization message, and the authorization message after will verifying is sent to described mandate cell stores.
Preferably, described authorization message installation kit comprises: authorization message, card image and authorization information.
Preferably, described mandate load units further receives the authorization message unload request from the outside, inquires the authorization message and the deletion of corresponding application program from authorize storer;
Further preserve the summary of the authorization message of being deleted in the described mandate storage unit.
Preferably, described Authorization Manager further comprises the authorization query unit, is used to receive the authorization query request from the outside, and the authorization message of described authorization query request corresponding application program is obtained in inquiry, and the authorization message of described application program is exported.
Preferably, described application license grant clause/module license grant clause comprises the combination in any of access times, service time and system resource access authority of access times, service time or system resource access authority or this application program of the designated module of this application program/this application program.
A kind of smart card methods of using that realize more, this method comprises:
Application manager sends application program mandate analysis request to Authorization Manager, and Authorization Manager is resolved the authorization message of this application program and returned application program mandate analysis result to application manager;
Application manager determines whether to allow the operation of this application program according to application program mandate analysis result, and the application builds runtime environment for being allowed to move, and loads and starts this application program.
Preferably, the authorization message of described this application program of parsing comprises:
According to the application program mandate analysis request that receives, the application license grant clause that is obtained is resolved in inquiry and obtain the application license grant clause of corresponding application program from the authorization message of each application program of preserving.
Preferably, the authorization message of described application program comprises the application license grant clause, or, use license grant clause and module license grant clause.
Preferably, receive the application mandate analysis request from application manager, inquiry and obtain the corresponding license grant clause of using from authorize storage unit is resolved the license grant clause that obtained and to the analysis result of application manager return authorization clause.
Preferably, the described inquiry from the authorization message of each application program of preserving further comprises: if do not inquire the application license grant clause of corresponding application program, return to application manager and to represent the undelegated sign of this application program;
Described application manager is forbidden the operation of corresponding application program according to described sign.
Preferably, the authorization message of described this application program of parsing further comprises: receive the module mandate analysis request that sends from described application program, from the authorization message of each application program of preserving, search the module license grant clause of the designated module of this application program, obtain and resolve the module license grant clause that finds and return module license grant clause analysis result to corresponding application program.
Preferably, further comprise: when failing in the authorization message of each application program of described preservation, to find the module license grant clause of designated module of this application program, return the sign that does not find the module license grant clause to using journey.
Preferably, further comprise: Authorization Manager is verified from the authorization message installation kit of outside receiving, and if the verification passes, obtains authorization message from the authorization message installation kit, and preserves the authorization message after the checking.
Preferably, described authorization message installation kit comprises: authorization message, card image and authorization information.
Preferably, further comprise: Authorization Manager receives the authorization message unload request from the outside, inquires the authorization message of corresponding application program from the authorization message of preserving, and deletes this authorization message and preserves the summary of the authorization message of being deleted.
Preferably, further comprise: Authorization Manager receives the authorization query request from the outside, and the authorization message of described authorization query request corresponding application program is obtained in inquiry, and the authorization message of described application program is exported.
Preferably, described application license grant clause/module license grant clause comprises the combination in any of access times, service time and system resource access authority of access times, service time or system resource access authority or this application program of the designated module of this application program/this application program.
As seen from the above technical solution, in the embodiment of the invention, Authorization Manager (LM, LicenseManager) receive the application program mandate analysis request that application manager sends, according to storage in advance is the authorization message of each application maintenance in the multi-application smart card, resolve the authorization message of corresponding application program, and return application program mandate analysis result to application manager, application manager is the application initialization runtime environment according to application program mandate analysis result.Further, application program can also inquire about and obtain the module license grant clause of corresponding application program by LM when operation, resolve the module license grant clause obtained and return module license grant clause analysis result, be used for the operation authority that application program is provided with corresponding application module to corresponding application program.Because the runtime environment of the application program in the multi-application smart card has been implemented authorization control, thereby can control the operation of each application program, the application program that assurance only is authorized to can be moved in multi-application smart card, and guarantees that application program can only be in the resource of using multi-application smart card within the scope of authority of dynamic-configuration.
Embodiment
For making purpose of the present invention, technical scheme and advantage clearer, below with reference to the accompanying drawing embodiment that develops simultaneously, the present invention is further elaborated.
In the embodiment of the invention, LM receives the application program mandate analysis request that application manager sends, according to storage in advance is the authorization message of each application maintenance in the multi-application smart card, resolve the authorization message of corresponding application program, return application program mandate analysis result to application manager, application manager is the application initialization runtime environment according to application program mandate analysis result, authority when realizing the operation of controlling application program and dynamic-configuration application program.
Fig. 1 is multi-application smart card structural representation among the present invention.As shown in Figure 1, dotted line is represented control relation among the figure, and solid line is represented dependence, and this multi-application smart card comprises: application manager and LM, wherein,
Application manager is used to receive the startup application request that the user imports, and generates application program mandate analysis request, sends to LM; The application program mandate analysis result that returns according to LM is provided with the runtime environment of corresponding application program, loads also to start application program;
In the practical application, application manager can also be when creating runtime environment for application program, and the application mandate analysis result that returns according to LM is provided with the mapping that the system resource in the runtime environment is served.On this runtime environment, start application program then.Runtime environment by application programs applies authorization control, thus the operation of controlling application program.The runtime environment of application program is the mapping of application providing system resource service, make that its system resource service that provides was provided environment when application program can be by the runtime environment utilization and operation, application program can be called the interface that LM provides the application module mandate to resolve by runtime environment, wherein
System resource map of services module is used to shine upon system resource and service that application program and system resource service provide.
The system resource service is used to application program to provide operation required system resource and service, and uses these resources and service method and interface.
LM, be used to store, manage and resolve the authorization message of application program, receive the application program mandate analysis request that application manager sends, according to the authorization message that is used for maintenance applications that sets in advance, resolve the authorization message of corresponding application program, return application program mandate analysis result to application manager.
In the practical application, can upgrade the authorization message that is used for maintenance applications that sets in advance.
In the embodiment of the invention, application manager is meant that to the control relation of runtime environment application manager can create, and destroys runtime environment, and some parameters of runtime environment are set.
Application manager is meant that to the control of working procedure application manager can start, and stops application program.
Dependence is meant that the work of a module depends on the another one module and provides service to it, and for example: the operation of application program depends on runtime environment its environment that provides is provided.
Fig. 2 is LM structural representation among the present invention.As shown in Figure 2, this LM comprises the mandate resolution unit, authorizes load units, authorizes storage unit and authorization query unit, wherein,
Authorize resolution unit, be used to application manager to provide and authorize the parsing interface, resolve the application program mandate analysis request that interface receives the application manager transmission by authorizing, from authorize storage unit, inquire about and obtain the corresponding license grant clause of using, the license grant clause that parsing is obtained, and to the analysis result of application manager return authorization clause;
In the practical application, if authorize resolution unit from authorize storage unit, not inquire the application license grant clause that comprises in the authorization message of corresponding application program, judge that then this application program is not authorized to, return the undelegated sign of this application program of expression to application manager, application manager is forbidden the operation of corresponding application program according to the sign that receives.
The application license grant clause that comprises in the authorization message of application program is used to retrain the operation authority of the corresponding application program of this authorization message.
Use the combination in any that license grant clause can comprise access times, service time and the system resource access authority of information such as the access times of this application program or service time or system resource access authority or this application program.
Authorize resolution unit, also be used to application program to provide and authorize the interface of resolving, resolve the module license grant clause in the authorization message of application program: resolve the module mandate analysis request that interface receives the designated module that application program sends by application runtime by authorizing, from authorize storage unit, inquire about and obtain the authorization message of this application module corresponding application program, resolve the module license grant clause of this module that comprises in the authorization message of this application program, and return module license grant clause analysis result to corresponding application program, application program can be provided with the operation authority of corresponding application module according to the module license grant clause analysis result that returns, also can be according to actual needs or configuration in advance decide the operation authority or the disabled module operation of module.
In the practical application,, then return the sign that does not find the module mandate to application program if authorize resolution unit from authorize storage unit, not inquire the module license grant clause of respective modules in the authorization message of corresponding application program.Application program can be according to actual needs or configuration in advance decide the operation authority or the disabled module operation of module, correspondingly,
License grant clause in the authorization message of application program can also comprise the module license grant clause, is used to application program that the foundation of the operation authority of the corresponding module of this module license grant clause in the constraint applies program is provided.
In the practical application, application program also can be according to the actual needs or configuration in advance decide the operation authority of application module in its sole discretion, for example, application program can be provided with the operation authority of corresponding application module by application runtime to the module mandate analysis request of authorizing resolution unit transmission designated module according to the module license grant clause analysis result that returns; Also can directly determine the operation authority of application module, and not need to send the module mandate analysis request of designated module according to configuration in advance.Therefore, authorizing resolution unit in fact just for application program provides the approach that can conveniently manage application module operation authority, is not a necessary process.
In the practical application, application module is the part of application program, so the operation action of the module of application program also is subjected to the constraint of the application license grant clause in the authorization message.
Using license grant clause is the license grant clause that is used to control whole application behavior.
The module license grant clause is the license grant clause that is used for the module behavior of controlling application program.
Authorize load units, be used to application program to provide and authorize installation and unloading interface, by authorizing mounting interface to receive application program authorization message installation kit, legitimacy, integrality and the validity of checking authorization message installation kit, if the verification passes, from the authorization message installation kit, obtain authorization message, and the authorization message after will verifying is sent to and authorizes storage unit to store; By authorizing the unloading interface to receive application program authorization message unload request, from authorize storer, inquire the authorization message and the deletion of this application program correspondence;
Authorization message is corresponding with application program, each authorization message corresponding an application program, the i.e. authorization message of application program.
In the practical application, authorize load units can also authorize the binding of application program, and the Unloading Control strategy that when the unloading authorization message, can implement this authorization message, for example, in authorizing storage unit, keep or write down the summary of this authorization message, be used to prevent reusing of this authorization message.
Authorize storage unit, be used to preserve summary and other information of the authorization message of application program, deleted authorization message, the version relevant as authorization message;
In the practical application, can be as required the authorization message of the application program of preserving be upgraded.
The authorization query unit, be used to provide the authorization message query interface, receive the authorization query request by the authorization message query interface, the authorization message of this authorization query request corresponding application program is obtained in inquiry from authorize storage unit, and the authorization message of application program all or part of returned to the inquiry.
Fig. 3 is the structural representation of authorization message installation kit of the present invention.Referring to Fig. 3, this authorization message installation kit comprises: authorization message, card image and authorization information, wherein,
The authorization message form comprises the header of mandate and authorizes concrete clause.
The mandate sequence number that includes this authorization message corresponding application program information and this authorization message in the header of authorizing, wherein,
Application information is used to identify this authorization message corresponding application program;
The policy control of authorizing sequence number to be used to authorize for example, prevents the repeated use of authorization message, and authorizing sequence number can be the issuing time of authorization message; Also can be authorize the publisher and authorize that load units consults one group data clocklike.
In the practical application,, show that then this authorization message is effective if authorization message to be installed does not have the mandate sequence number of corresponding mounted application program.
Card image is used to identify corresponding one or more multi-application smart card of authorization message.
Below legitimacy, integrality and the validity of authorizing load units checking authorization message installation kit is described.
The legitimacy of authorization message installation kit and completeness check are meant by the authorization information in the cryptographic algorithm check authorization message installation kit, verify whether publisher's identity of authorization message installation kit is legal, and whether the authorization message installation kit are correct and complete.
Cryptographic algorithm can be Message Authentication Code (MAC, a Message Authentication Code) algorithm, also can be ashed information identifying code (HMAC, Keyed-Hash Message AuthenticationCode) algorithm, can also be asymmetric arithmetic.
If utilize MAC algorithm or hmac algorithm that the legitimacy and the integrality of authorization message installation kit are carried out verification, need in advance the publisher of authorization message installation kit and authorize and share a key K between the load units, key K can be obtained by existing method, does not repeat them here.The publisher of authorization message installation kit uses key K to calculate the card image in the authorization message installation kit and the MAC value or the HMAC value M of authorization message, as the authorization information of authorization message installation kit.Authorize load units to receive also to use behind the authorization message installation kit key K to calculate card image and authorization message in the authorization message installation kit, obtain MAC or HMAC value M ', and compare M and M '.If M is identical with M ', show that then the data that the publisher of authorization message installation kit has in legal identity and this authorization message installation kit are correct and complete.
If use the legitimacy and the integrality of asymmetric arithmetic verification authorization message installation kit, need in the publisher of authorization message installation kit, preserve a private key Ks, in authorizing load units, preserve corresponding PKI Kp.Similar ground, PKI Kp and private key Ks also can obtain by prior art.The publisher of authorization message installation kit uses private key Ks that the card image in the authorization message installation kit and authorization message are signed and obtains signature S, as the authorization information of authorization message installation kit.After authorizing load units to receive the authorization message installation kit, the Kp that uses public-key verifies signature S, if the verification passes, show that then the data that the publisher of authorization message installation kit has in legal identity and this authorization message installation kit are correct and complete.
In the practical application, key management for convenience, the infrastructure that can also use public-key (PKI, PublicKey Infrastructure) system is carried out the legitimacy and the completeness check of authorization message installation kit.In the PKI system, the authorization information of authorization message installation kit is partly formed by two, and a part is publisher's certificate of authorization message installation kit, and another part is the signature S of the publisher of authorization message installation kit to card image and authorization message.The legitimacy verification of authorization message installation kit is meant that the publisher's certificate that utilizes the authorization message installation kit that carries in the authorization message installation kit verifies whether publisher's identity of authorization message installation kit is legal; The completeness check of authorization message installation kit is to use publisher's certificate of authorization message installation kit to verify the signature S of the publisher of authorization message installation kit to card image and authorization message, guarantees the correct and complete of authorization message installation kit.
The validity check of authorization message installation kit is meant whether the checking authorization message can be applied on the multi-application smart card, for example, if this authorization message is subjected to the constraint of certain strategy, for instance, under the situation that does not allow authorization message to be repeated to use, and this authorization message was mounted, and then this authorization message is subjected to policy constraints, can not be applied on this multi-application smart card; Or verify whether this authorization message corresponding application program installs.
Specifically, authorize the load units can be according to the mandate sequence number of the mandate sequence number of mounted application program in the multi-application smart card and corresponding application program to be installed, whether the mandate sequence number of judging application program to be installed is effective: if the mandate sequence number of application program to be installed is after the mandate sequence number of mounted application program, the authorization message that shows application program to be installed is effectively, otherwise thinks that this authorization message is invalid.
Fig. 4 is kept at the structural representation of authorizing the authorization message form in the storage unit for the present invention.Referring to Fig. 4,, comprising with authorization message structure similar in Fig. 3 authorization message installation kit: the header of mandate, application license grant clause and module license grant clause, wherein,
The mandate sequence number and other information that comprise this authorization message corresponding application program information, this authorization message in the header of authorizing, wherein, application information and authorize among sequence number and Fig. 3 application information identical with mandate sequence number content does not repeat them here.
Use license grant clause, comprise the one or more license grant clauses of same application and the application license grant clause of different application.
The module license grant clause comprises the one or more license grant clauses of the module in the same application and the license grant clause of different application module.
In the practical application, can comprise one or more application modules in the application program, the license grant clause of application module is subjected to the constraint of its respective application license grant clause.
Fig. 5 is the structural representation of a preferred embodiment of multi-application smart card of the present invention.Referring to Fig. 5, this multi-application smart card comprises: external interface, application manager and LM, wherein,
External interface is used for carrying out alternately with the outside, for external call provides interface, receives the startup application request of user's input, sends to application manager; Receive authorization message installation kit or application program authorization message unload request, send to LM; Receive the application program operation result, send to the outside;
Application manager is used for receiving the startup application request, generates application program mandate analysis request, sends to LM; According to the application program mandate analysis result that receives, the runtime environment of application program is set, load and start this application program;
In the practical application, application manager can also be when creating runtime environment for application program, and the application mandate analysis result that returns according to LM is provided with the mapping that the system resource in the runtime environment is served.On this runtime environment, start application program then.Runtime environment by application programs applies authorization control, thus the operation of controlling application program.The runtime environment of application program is the mapping of application providing system resource service, make that its system resource service that provides was provided environment when application program can be by the runtime environment utilization and operation, and operation result is sent to external interface, application program can be called the interface that LM provides the application module mandate to resolve by runtime environment;
System service and resource are used to application program to provide operation required system resource and service, and use these resources and service method and interface.
LM is used to install, unload, store, manage and resolve the authorization message of application program, receives the authorization message installation kit, set up applications, or receive application program authorization message unload request, the unloading application program; Receive the application program mandate analysis request that application manager sends,, resolve the authorization message of application program, return application program mandate analysis result to application manager according to the authorization message that is used for maintenance applications that sets in advance.Because application program moves in runtime environment, so the operation action that runtime environment can controlling application program.In addition, the analysis result of the runtime environment application license grant clause that to be application manager return according to LM is set up, so the operation action of application program also is controlled by the application license grant clause.
By as seen above-mentioned, the header that in LM, comprises mandate in advance for each application storage in the multi-application smart card, the authorization message of application program license grant clause and module license grant clause, when receiving the application program mandate analysis request of application manager transmission, according to storage is the authorization message inquiry of application maintenance and the authorization message of obtaining corresponding application program, resolve the application program license grant clause that comprises in the authorization message of this correspondence application program, return application program mandate analysis result to application manager, application manager is the application initialization runtime environment according to application program mandate analysis result, loads and the startup application program.Further, in service in application program, can also and call LM and authorize resolution unit by the service of runtime environment access system resources, authorize resolution unit to inquire about and obtain the authorization message of corresponding application program, resolve the module license grant clause that comprises in the authorization message of this correspondence application program, application program can be determined the operation authority of corresponding application module in the application program according to analysis result.Realized the application implementation authorization control in the multi-application smart card, thereby control each application program operation, and operation authority that can application programs and the operation authority of application module carry out dynamic-configuration, in the resource of using multi-application smart card within the scope of authority of dynamic-configuration.
Fig. 6 realizes the smart card method flow synoptic diagram of using for the present invention more.Referring to Fig. 6, this flow process comprises:
Step 601, application manager receives the user starts application request;
In this step, each uses corresponding application program, and application manager receives the user starts application request, inquires about this application corresponding application program, generates application program mandate analysis request.
Step 602, application manager sends the application program mandate analysis request that generates to LM;
Step 603, LM receives application program mandate analysis request, according to the authorization message that is used for maintenance applications that sets in advance, returns application program mandate analysis result to application manager;
In this step, the authorization message that is used for maintenance applications that sets in advance comprises the header and the application program license grant clause of mandate, and the application program license grant clause is used to retrain the operation action of the authorization message corresponding application program of this application program.
LM obtains and gets the authorization message of corresponding application program according to the authorization message inquiry that is used for maintenance applications that is provided with, resolve the application license grant clause that comprises in the authorization message of this correspondence application program, return application program license grant clause analysis result to application manager.
Step 604, the application program license grant clause analysis result that application manager returns according to LM determine whether to allow this application program operation, and the application initialization runtime environment for being allowed to move.
In this step, the initialization runtime environment comprises, application manager is provided with the runtime environment of application program according to the application program license grant clause analysis result that receives, and loads also to start application program.
Application manager is when creating runtime environment for application program, and the application mandate analysis result that returns according to LM is provided with the mapping that the system resource in the runtime environment is served.On this runtime environment, start application program then.Runtime environment by application programs applies authorization control, thus the operation of controlling application program.After starting application program, application program is obtained required system resource and service by the service of runtime environment access system resources, makes that its system resource service that provides was provided environment when application program can be by the runtime environment utilization and operation,
In the practical application, when application program is moved, can also call the interface that LM provides the application module mandate to resolve, execution in step 605 by runtime environment.
Step 605, application program sends application module mandate analysis request by runtime environment to LM, and can determine the operation authority of application module according to the module license grant clause analysis result that returns.
In this step, authorize resolution unit among system resource that application program provides by runtime environment and the service call LM, authorize resolution unit to receive application module mandate analysis request, the authorization message of corresponding application program is obtained in inquiry from authorize storage unit, resolve the module license grant clause that comprises in the authorization message of this correspondence application program, and return module license grant clause analysis result to application program.
If the module license grant clause that the authorization message of authorizing resolution unit not inquire corresponding application program from authorize storage unit comprises, be application program before receiving module license grant clause analysis result, application program can be decided the operation action of application module according to setting in advance in its sole discretion.
Fig. 7 the present invention is based on Fig. 6 to realize the smart card method idiographic flow synoptic diagram of using more.There are two kinds of relations in flow process among the figure, and a kind of is dependence between the flow process, and another kind is the data stream relation between the flow process, and referring to Fig. 7, this flow process comprises:
Step 701, application manager receives the user starts application request;
Step 702, application manager generate application program mandate analysis request according to the user starts application request that receives, to authorizing resolution unit to send;
Step 703 authorizes resolution unit to receive application program mandate analysis request, and the authorization message of corresponding application program is obtained in inquiry from authorize storage unit;
Step 704 is resolved the application license grant clause that comprises in the authorization message of this correspondence application program of obtaining;
Step 705 generates application program license grant clause analysis result;
Step 706, application manager receive application program license grant clause analysis result;
Step 707, application manager are judged application program license grant clause analysis result, if application program license grant clause analysis result is correct, and execution in step 708; Otherwise, do not allow this application program operation;
Environment when step 708, application manager are the application program generating run that can move according to application program license grant clause analysis result;
Step 709 loads in runtime environment and the startup application program;
Step 710, the application program operation is to authorizing resolution unit to send application module mandate analysis request;
In this step, application program operates in the runtime environment of setting, and the service of runtime environment access system resources is also obtained system resource and service.
Step 711 authorizes resolution unit to receive application module mandate analysis request, and the authorization message of corresponding application program is obtained in inquiry from authorize storage unit;
Step 712 is resolved the module license grant clause that comprises in the authorization message of this correspondence application program of obtaining;
Step 713, generation module license grant clause analysis result;
Step 714, application program are determined the operation action of application module according to the module license grant clause analysis result that returns.
Step 710 is optional to step 714, if application program need use LM to assist it that operation action of the module of application program is set, then these steps need, if application program is determined the operation action of the module of application program according to actual conditions or configuration in advance, then these steps can be omitted.
Fig. 8 resolves the schematic flow sheet of authorization message for mandate resolution unit of the present invention.Referring to Fig. 8, this flow process comprises:
Step 801 receives to use and authorizes analysis request;
In this step, use and authorize analysis request to comprise application program mandate analysis request and application module mandate analysis request.
Step 802, corresponding authorization message is used in inquiry, if inquire, execution in step 803, otherwise, return corresponding error information;
Step 803, definite authorization message type of resolving is if be application program, execution in step 804; If be application module, execution in step 814;
Step 804 judges whether to exist and uses license grant clause, if there is execution in step 805; If there is no, then return corresponding error information;
Step 805 is resolved and is used license grant clause;
Step 806 is returned application program license grant clause analysis result to application manager;
Step 814 judges whether to exist the module license grant clause of this module, if there is execution in step 815; If there is no, then return corresponding error information;
Step 815, the parsing module license grant clause;
Step 816 is returned module license grant clause analysis result to application program.
Fig. 9 is an authorization message installation kit installation procedure synoptic diagram of the present invention.Referring to Fig. 9, this flow process comprises:
Step 901 authorizes load units to receive the authorization message installation kit;
Step 902, the legitimacy of checking authorization message installation kit, if the verification passes, execution in step 903, otherwise, do not preserve authorization message, and return corresponding error information;
Step 903, the integrality of checking authorization message installation kit, if the verification passes, execution in step 904, otherwise, do not preserve authorization message, and return corresponding error information;
Step 904, the validity of checking authorization message installation kit, if the verification passes, execution in step 905, otherwise, do not preserve authorization message, and return corresponding error information;
Step 905 stores authorization message into the mandate storage unit, and returns successful installation information;
The above is preferred embodiment of the present invention only, is not to be used to limit protection scope of the present invention.Within the spirit and principles in the present invention all, any modification of being done, be equal to and replace and improvement etc., all should be included within protection scope of the present invention.