4.4.4 Contents of files at the MexE level

31.1023GPPCharacteristics of the Universal Subscriber Identity Module (USIM) applicationRelease 17TS

This clause specifies the Efs in the dedicated file DF_MexE. It only applies if the USIM supports MexE (see TS 23.057 [30]).

The presence of this DF is indicated in the ‘USIM Service Table’ as service no. ’41’ being available.

The Efs in the Dedicated File DF_MexE contain execution environment related information.

4.4.4.1 EF_MexE-ST (MexE Service table)

If service n°41 is "available", this file shall be present.

This EF indicates which MexE services are available. If a service is not indicated as available in the USIM, the ME shall not select this service.

Identifier: ‘4F40’		Structure: transparent			Optional
File size: X bytes, X 1			Update activity: low
Access Conditions: READ PIN UPDATE ADM DEACTIVATE ADM ACTIVATE ADM
Bytes	Description			M/O		Length
1	Services n1 to n8			M		1 byte
2	Services n9 to n16			O		1 byte
etc.
X	Services (8X‑7) to (8X)			O		1 byte

‑Services
Contents:	Service n°1:	Operator Root Public Key
	Service n°2:	Administrator Root Public Key
	Service n°3:	Third Party Root Public Key
	Service n°4:	RFU

Coding:

the coding rules of the USIM Service Table apply to this table.

4.4.4.2 EF_ORPK (Operator Root Public Key)

If service n°41 is "available", this file shall be present.

This EF contains the descriptor(s) of certificates containing the Operator Root Public Key. This EF shall only be allocated if the operator wishes to verify applications and certificates in the MexE operator domain using a root public key held in the USIM. Each record of this EF contains one certificate descriptor.

For example, an operator may provide a second key for recover disaster procedure in order to limit OTA data to load.

Identifier: ‘4F41’		Structure: linear fixed			Optional
Record length: X + 10 bytes			Update activity: low
Access Conditions: READ PIN UPDATE ADM DEACTIVATE ADM ACTIVATE ADM
Bytes	Description			M/O	Length
1	Parameters indicator			M	1 byte
2	Flags			M	1 byte
3	Type of certificate			M	1 byte
4 to 5	Key/certificate file identifier			M	2 bytes
6 to 7	Offset into key/certificate file			M	2 bytes
8 to 9	Length of key/certificate data			M	2 bytes
10	Key identifier length (X)			M	1 byte
11 to 10+X	Key identifier			M	X bytes

‑ Parameter indicator

Contents:
The parameter indicator indicates if record is full and which optional parameters are present

Coding: bit string

b8

b7

b6

b5

b4

b3

b2

b1

Certificate descriptor is valid (bit1=0 key descriptor is valid)

Reserved bit set to 1 (bitx=0 optional parameter present)

‑ Flags

Contents:
The authority flag indicates whether the certificate identify an authority (i.e. CA or AA) or not.

Coding: bit string

b8

b7

b6

b5

b4

b3

b2

b1

Authority certificate (bit=1 certificate of an authority)

RFU

RFU

‑ Type of certificate

Contents:
This field indicates the type of certificate containing the key.

Coding: binary:
0 : WTLS
1 : X509
2 : X9.68
Other values are reserved for further use

– Key/certificate File Identifier

Contents:

these bytes identify an EF which is the key/certificate data file (see clause 4.4.4.5), holding the actual key/certificate data for this record.

Coding:

byte 4: high byte of Key/certificate File Identifier;

byte 5: low byte of Key/certificate File Identifier.

– Offset into Key/certificate File

Contents:

these bytes specify an offset into the transparent key/certificate data File identified in bytes 4 and 5.

Coding:

byte 6: high byte of offset into Key/certificate Data File;

byte 7: low byte of offset into Key/certificate Data File

– Length of Key/certificate Data

Contents:

these bytes yield the length of the key/certificate data, starting at the offset identified in "Offset into Key/certificate File" field.

Coding:

byte 8: high byte of Key/certificate Data length;

byte 9: low byte of Key/certificate Data length.

‑ Key identifier length

Contents:
This field gives length of key identifier

Coding:
binary

‑ Key identifier

Contents:
This field provides a means of identifying certificates that contain a particular public key (chain building) and linking the public key to its corresponding private key. For more information about value and using see TS 23.057 [30].

Coding:
octet string

NOTE: transparent key/certificate data longer than 256 bytes may be read using successive READ BINARY commands.

4.4.4.3 EF_ARPK (Administrator Root Public Key)

If service n°41 is "available", this file shall be present.

This EF contains the descriptor(s) of certificates containing the Administrator Root Public Key. This EF shall only be allocated if the SIM issuer wishes to control the Third Party certificates on the terminal using an Administrator root public key held in the USIM. Each record of this EF contents one certificate descriptor.

This file shall contain only one record.

Identifier: ‘4F42’		Structure: linear fixed			Optional
Record length: X + 10 bytes			Update activity: low
Access Conditions: READ PIN UPDATE ADM DEACTIVATE ADM ACTIVATE ADM
Bytes	Description			M/O	Length
1	Parameters indicator			M	1 byte
2	Flags			M	1 byte
3	Type of certificate			M	1 byte
4 to 5	Key/certificate file identifier			M	2 bytes
6 to 7	Offset into key/certificate file			M	2 bytes
8 to 9	Length of key/certificate data			M	2 bytes
10	Key identifier length (X)			M	1 byte
11 to 10+X	Key identifier			M	X bytes

For contents and coding of all data items see the respective data items of the EF_ORPK (clause 4.4.4.2).

4.4.4.4 EF_TPRPK (Third Party Root Public Key)

If service n°41 is "available", this file shall be present.

This EF contains descriptor(s) of certificates containing the Third Party root public key (s). This EF shall only be allocated if the USIM issuer wishes to verify applications and certificates in the MexE Third Party domain using root public key(s) held in the USIM. This EF can contain one or more root public keys. Each record of this EF contains one certificate descriptor.

For example, an operator may provide several Third Party Root Public Keys.

Identifier:’4F43′		Structure: linear fixed			Optional
Record length: X + Y + 11 bytes			Update activity: low
Access Conditions: READ PIN UPDATE ADM DEACTIVATE ADM ACTIVATE ADM
Bytes	Description			M/O	Length
1	Parameters indicator			M	1 byte
2	Flags			M	1 byte
3	Type of certificate			M	1 byte
4 to 5	Key/certificate file identifier			M	2 bytes
6 to 7	Offset into key/certificate file			M	2 bytes
8 to 9	Length of key/certificate data			M	2 bytes
10	Key identifier length (X)			M	1 byte
11 to 10+X	Key identifier			M	X bytes
11+X	Certificate identifier length (Y)			M	1 byte
12+X to 11+X+Y	Certificate identifier			M	Y bytes

‑ Certificate identifier length

Contents:
This field gives the length of the certificate identifier

Coding:
binary

‑ Certificate identifier

Contents:
This field identifies the issuer and provides an easy way to find a certificate. For more information about the value and usage see TS 23.057 [30].

Coding:
Octet string

For contents and coding of all other data items see the respective data items of the EF_ORPK (clause 4.4.4.2).

4.4.4.5 EF_TKCDF (Trusted Key/Certificates Data Files)

Residing under DF_MexE, there may be several key/certificates data files. These Efs containing key/certificates data shall have the following attributes:

Identifier: ‘4FXX’		Structure: transparent			Optional
File size: Y bytes			Update activity: low
Access Conditions: READ PIN UPDATE ADM DEACTIVATE ADM ACTIVATE ADM
Bytes	Description			M/O		Length
1 to Y	Key/Certificate Data			M		Y bytes

Contents and coding:

Key/certificate data are accessed using the key/certificates descriptors provided by EF_TPRPK (see clause 4.4.4.4).

The identifier ‘4FXX’ shall be different from one key/certificate data file to another. For the range of ‘XX’, see TS 31.101 [11]. The length Y may be different from one key/certificate data file to another.