Access control method and access control device

Document No.: 105095    Publication date: 2021-10-15    Language: Chinese

Reading note: This technique, Access control method and access control device (访问控制方法及访问控制装置), was created by 刘煜 and 翟京卿 on 2021-06-22. Abstract: The invention discloses an access control method and an access control device. The method comprises: in response to receiving a UICC access request sent by a first application, reading an access control condition file and an access control extension file in the Universal Integrated Circuit Card (UICC), wherein the access control extension file is at least used to indicate whether an application authorized to access the UICC is allowed to provide access control conditions; determining a first access control condition according to the access control condition file and the access control extension file; and processing the UICC access request of the first application according to the first access control condition. This realizes not only UICC-based access control but also access control based on applications authorized to access the UICC, providing a more efficient and flexible access control mechanism.

1. An access control method, characterized in that the method comprises:

reading an access control condition file and an access control extension file in a Universal Integrated Circuit Card (UICC) in response to receiving a UICC access request sent by a first application; wherein the access control extension file is at least used to indicate whether an application authorized to access the UICC is allowed to provide access control conditions;

determining a first access control condition according to the access control condition file and the access control extension file;

and processing the UICC access request of the first application according to the first access control condition.

2. The method of claim 1, wherein the access control extension file is further used to indicate whether a second access control condition provided by the UICC is used exclusively.

3. The method according to claim 2, wherein the access control extension file comprises an access control body extension indication and an access control body priority indication, wherein the access control body extension indication comprises at least a first preset field for indicating whether an application authorized to access the UICC is allowed to provide access control conditions, and wherein the access control body priority indication comprises at least a second preset field for indicating whether a second access control condition provided by the UICC is used exclusively.

4. The method of claim 2, wherein determining the first access control condition based on the access control condition file and the access control extension file comprises:

in the case where the access control condition file comprises a second access control condition and the access control extension file indicates that the second access control condition provided by the UICC is not used exclusively, determining the first access control condition according to the second access control condition and a locally stored third access control condition.

5. The method of claim 4, wherein determining the first access control condition based on the second access control condition and a locally stored third access control condition comprises:

merging the second access control condition and the third access control condition, and determining the merged access control condition as the first access control condition.

6. The method of claim 2, wherein determining the first access control condition based on the access control condition file and the access control extension file comprises:

in the case where the access control condition file comprises the second access control condition and the access control extension file indicates that the second access control condition provided by the UICC is used exclusively, determining the second access control condition to be the first access control condition.

7. The method of claim 1, wherein determining the first access control condition based on the access control condition file and the access control extension file comprises:

in the case where the access control condition file does not comprise the second access control condition and the access control extension file indicates that an application authorized to access the UICC is allowed to provide access control conditions, determining the locally stored third access control condition to be the first access control condition.

8. An access control method, characterized in that the method comprises:

in response to receiving a read instruction sent by an access control device for reading an access control condition file and an access control extension file, returning the access control condition file and the access control extension file in the local UICC to the access control device, wherein the access control extension file is at least used to indicate whether an application authorized to access the local UICC is allowed to provide access control conditions.

9. An access control device, characterized in that the access control device comprises:

a receiving module, configured to receive a UICC access request sent by a first application;

a reading module, configured to read the access control condition file and the access control extension file in the UICC in response to the UICC access request received by the receiving module; wherein the access control extension file is at least used to indicate whether an application authorized to access the UICC is allowed to provide access control conditions;

a first processing module, configured to determine a first access control condition according to the access control condition file and the access control extension file;

and the second processing module is used for processing the UICC access request of the first application according to the first access control condition.

10. A UICC, wherein the UICC comprises:

a receiving module, configured to receive a read instruction sent by the access control device for reading the access control condition file and the access control extension file;

and a sending module, configured to return the access control condition file and the access control extension file in the UICC to the access control apparatus in response to a reading instruction sent by the access control apparatus and used for reading the access control condition file and the access control extension file, where the access control extension file is at least used to indicate whether to allow an application authorized to access the UICC to provide access control conditions.

Technical Field

The present invention relates to the field of communications technologies, and in particular, to an access control method and an access control apparatus.

Background

The UICC (Universal Integrated Circuit Card) is a universal smart card platform on which a USIM (Universal Subscriber Identity Module), a bank card application, a ticketing application and various other applications may reside. The UICC is installed in the terminal device, and the terminal device manages the applications residing on the UICC through terminal applications. Because the UICC is a security device, a terminal application's access to it should be protected by a security mechanism; the most basic such mechanism is to verify that the terminal application is provided by a legitimate developer and is authorized to access the UICC, usually by verifying the certificate digest of the terminal application.

The certificate digest of a terminal application requesting access to the UICC can be verified in two access control ways. The first is access control based on a terminal application that is already authorized to access the UICC: that authorized terminal application on the terminal device compares the certificate digest of the requesting terminal application with a reference digest it has obtained (preset or downloaded) and checks whether the two are consistent, thereby verifying whether the requesting terminal application is a trusted application; if the verification passes, the requesting terminal application accesses the UICC through the authorized terminal application. The second is UICC-based access control: the UICC itself provides the reference digest (stored in an access rule file, ARF, or an access rule application master, ARA-M), the terminal device obtains the reference digest from the UICC, compares it with the certificate digest of the requesting terminal application and checks whether the two are consistent, thereby verifying whether the requesting terminal application is a trusted application; if the verification passes, the terminal device allows the requesting terminal application to access the UICC.

In real-world business, the policy required for a terminal application to access the UICC tends to be relatively complex. For example, UICC-based access control is the more standard solution but is not universally supported by terminal devices, whereas access control based on a terminal application already authorized to access the UICC is more widely supported by terminal devices but is less standard. Currently, a terminal device usually adopts only one of the two access control modes.

Therefore, there is a need for a more efficient and flexible access control mechanism to enable simultaneous UICC-based access control and access control based on applications authorized to access the UICC.

Disclosure of Invention

Therefore, the present invention provides an access control method and an access control device to address the above shortcomings.

In order to achieve the above object, a first aspect of the present invention provides an access control method, including:

reading an access control condition file and an access control extension file in the UICC in response to receiving an UICC access request sent by a first application; wherein the access control extension file is at least used to indicate whether an application authorized to access the UICC is allowed to provide access control conditions;

determining a first access control condition according to the access control condition file and the access control extension file;

and processing the UICC access request of the first application according to the first access control condition.

In some embodiments, the access control extension file is further used to indicate whether a second access control condition provided by the UICC is used exclusively.

In some embodiments, the access control extension file comprises an access control body extension indication and an access control body priority indication, the access control body extension indication comprising at least a first preset field for indicating whether an application authorized to access the UICC is allowed to provide access control conditions, the access control body priority indication comprising at least a second preset field for indicating whether a second access control condition provided by the UICC is used exclusively.

In some embodiments, the determining a first access control condition from the access control condition file and the access control extension file comprises:

in the case where the access control condition file comprises a second access control condition and the access control extension file indicates that the second access control condition provided by the UICC is not used exclusively, determining the first access control condition according to the second access control condition and a locally stored third access control condition.

In some embodiments, said determining a first access control condition based on said second access control condition and a locally stored third access control condition comprises:

merging the second access control condition and the third access control condition, and determining the merged access control condition as the first access control condition.

In some embodiments, the determining a first access control condition from the access control condition file and the access control extension file comprises:

in the case where the access control condition file comprises the second access control condition and the access control extension file indicates that the second access control condition provided by the UICC is used exclusively, determining the second access control condition to be the first access control condition.

In some embodiments, the determining a first access control condition from the access control condition file and the access control extension file comprises:

in the case where the access control condition file does not comprise the second access control condition and the access control extension file indicates that an application authorized to access the UICC is allowed to provide access control conditions, determining the locally stored third access control condition to be the first access control condition.

In order to achieve the above object, a second aspect of the present invention provides an access control method, including:

in response to receiving a read instruction sent by an access control device for reading an access control condition file and an access control extension file, returning the access control condition file and the access control extension file in the local UICC to the access control device, wherein the access control extension file is at least used to indicate whether an application authorized to access the local UICC is allowed to provide access control conditions.

In order to achieve the above object, a third aspect of the present invention provides an access control device comprising:

a receiving module, configured to receive a UICC access request sent by a first application;

a reading module, configured to read the access control condition file and the access control extension file in the UICC in response to the UICC access request received by the receiving module; wherein the access control extension file is at least used to indicate whether an application authorized to access the UICC is allowed to provide access control conditions;

a first processing module, configured to determine a first access control condition according to the access control condition file and the access control extension file;

and the second processing module is used for processing the UICC access request of the first application according to the first access control condition.

In some embodiments, the access control extension file is further used to indicate whether a second access control condition provided by the UICC is used exclusively.

In some embodiments, the first processing module is configured to:

in the case where the access control condition file comprises a second access control condition and the access control extension file indicates that the second access control condition provided by the UICC is not used exclusively, determining the first access control condition according to the second access control condition and a locally stored third access control condition.

In some embodiments, the first processing module is configured to:

merging the second access control condition and the third access control condition, and determining the merged access control condition as the first access control condition.

In order to achieve the above object, a fourth aspect of the present invention provides a UICC comprising:

a receiving module, configured to receive a read instruction sent by the access control device for reading the access control condition file and the access control extension file;

and a sending module, configured to return the access control condition file and the access control extension file in the UICC to the access control apparatus in response to a reading instruction sent by the access control apparatus and used for reading the access control condition file and the access control extension file, where the access control extension file is at least used to indicate whether to allow an application authorized to access the UICC to provide access control conditions.

The invention has the following advantages:

In the access control method provided by the embodiment of the invention, when the first application needs to access the UICC, it initiates a UICC access request to the access control device. In response to receiving that request, the access control device reads the access control condition file and the access control extension file in the access control dedicated file of the UICC. Because the access control condition file stores the second access control condition provided by the UICC, and the access control extension file at least indicates whether applications authorized to access the UICC (including the access control device) are allowed to provide access control conditions, the access control device can determine the first access control condition from the two files. This realizes not only UICC-based access control but also access control based on applications authorized to access the UICC, and provides a more efficient and flexible access control mechanism.

Drawings

The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention.

Fig. 1 is a schematic flowchart of an access control method at the access control device side according to an embodiment of the present invention;

Fig. 2 is a schematic structural diagram of an access control extension file according to an embodiment of the present invention;

Fig. 3 is a schematic encoding diagram of an access control body extension indication according to an embodiment of the present invention;

Fig. 4 is a schematic encoding diagram of an access control body priority indication according to an embodiment of the present invention;

Fig. 5 is a flowchart of an access control method at the UICC side according to an embodiment of the present invention;

Fig. 6 is a schematic flowchart of an access control method according to an embodiment of the present invention;

Fig. 7 is a block diagram of an access control device according to an embodiment of the present invention;

Fig. 8 is a module diagram of a UICC according to an embodiment of the present invention.

Detailed Description

In order to make the technical solutions of the present invention better understood, the present invention will be described in further detail with reference to the accompanying drawings and specific embodiments.

It is to be understood that the specific embodiments and figures described herein are merely illustrative of the invention and are not limiting of the invention.

It is to be understood that the embodiments and features of the embodiments can be combined with each other without conflict.

It is to be understood that, for the convenience of description, only parts related to the present invention are shown in the drawings of the present invention, and parts not related to the present invention are not shown in the drawings.

It should be understood that each unit and module related in the embodiments of the present invention may correspond to only one physical structure, may also be composed of multiple physical structures, or multiple units and modules may also be integrated into one physical structure.

It will be understood that, without conflict, the functions, steps, etc. noted in the flowchart and block diagrams of the present invention may occur in an order different from that noted in the figures.

It is to be understood that the flowchart and block diagrams of the present invention illustrate the architecture, functionality, and operation of possible implementations of systems, apparatus, devices and methods according to various embodiments of the present invention. Each block in the flowchart or block diagrams may represent a unit, module, segment, or portion of code, which comprises executable instructions for implementing the specified function(s). Furthermore, each block or combination of blocks in the block diagrams and flowchart illustrations can be implemented by a hardware-based system that performs the specified functions or by a combination of hardware and computer instructions.

It is to be understood that the units and modules involved in the embodiments of the present invention may be implemented by software, and may also be implemented by hardware, for example, the units and modules may be located in a processor.

The access control method provided by the embodiment of the invention can be used for an access control device, and the access control device can be a computer program product, such as a terminal application.

As shown in fig. 1, an embodiment of the present invention provides an access control method, which may include the following steps:

S11: in response to receiving the UICC access request sent by the first application, reading the access control condition file and the access control extension file in the UICC.

Wherein the access control extension file is at least for indicating whether an application authorized to access the UICC is allowed to provide the access control condition.

The "first application" is a terminal application that is not authorized to access the UICC; the access control device may be one of the terminal applications that are authorized to access the UICC; and the first application, the access control device and the UICC all belong to the same terminal device.

In the embodiment of the present invention, the access control dedicated file of the UICC may include, in addition to the existing access control main file, access control rule file and access control condition file (which contains the reference digest), an access control extension file.

In the embodiment of the present invention, when the first application needs to access the UICC, it may initiate a UICC access request to the access control device. In response to receiving that request, the access control device reads the access control condition file and the access control extension file in the access control dedicated file of the UICC, and the UICC returns the contents of the two files in response to the read command of the access control device.

S12: determining the first access control condition according to the access control condition file and the access control extension file.

Because the access control condition file in the UICC stores the second access control condition provided by the UICC, and the access control extension file in the UICC at least indicates whether applications authorized to access the UICC (including the access control device) are allowed to provide access control conditions, the access control device can determine the first access control condition from the access control condition file and the access control extension file.

S13: processing the UICC access request of the first application according to the first access control condition.

After determining the first access control condition, the access control device processes the UICC access request of the first application according to it.

As can be seen from steps S11 to S13, in the access control method provided by this embodiment, when the first application needs to access the UICC, it initiates a UICC access request to the access control device. In response to receiving that request, the access control device reads the access control condition file and the access control extension file in the access control dedicated file of the UICC. Because the access control condition file stores the second access control condition provided by the UICC, and the access control extension file at least indicates whether applications authorized to access the UICC (including the access control device) are allowed to provide access control conditions, the access control device determines the first access control condition from the two files. This realizes not only UICC-based access control but also access control based on applications authorized to access the UICC, and provides a more efficient and flexible access control mechanism.

In some embodiments, the access control extension file is further used to indicate whether the second access control condition provided by the UICC is used exclusively.

In some embodiments, the access control extension file comprises an access control body extension indication and an access control body priority indication, the access control body extension indication comprising at least a first preset field for indicating whether an application authorized to access the UICC is allowed to provide access control conditions, the access control body priority indication comprising at least a second preset field for indicating whether a second access control condition provided by the UICC is used exclusively.

The access control extension file may include an access control body extension indication and may further include an access control body priority indication. The access control body extension indication indicates whether applications authorized to access the UICC are allowed to provide access control conditions, i.e., whether they are extended to act as an access control body alongside the UICC. Only when the extension indication allows this does the access control body priority indication apply: it indicates whether the second access control condition provided by the UICC is used exclusively, and if not, the second access control condition provided by the UICC and the access control condition provided by the application authorized to access the UICC are used together.

For example, a specific field (the first preset field) in the access control body extension indication may be encoded as 1 to indicate that an application authorized to access the UICC is allowed to provide an access control condition, i.e., such an application is extended to act as an access control body; the same field encoded as 0 indicates that an application authorized to access the UICC is not allowed to provide an access control condition, i.e., such an application is not extended to act as an access control body. A specific field (the second preset field) in the access control body priority indication may be encoded as 1 to indicate that the second access control condition provided by the UICC is not used exclusively, i.e., the second access control condition provided by the UICC and the access control condition provided by the application authorized to access the UICC are used together (collocated); the same field encoded as 0 indicates that the second access control condition provided by the UICC is used exclusively, i.e., the two are not collocated. Note that when the access control body extension indication says that an application authorized to access the UICC is not allowed to provide an access control condition, the second preset field in the access control body priority indication may be encoded as null or as any value other than 0 and 1, and it is then not used to indicate whether the second access control condition provided by the UICC is used exclusively.

In some embodiments, the determining the first access control condition according to the access control condition file and the access control extension file (i.e., S12) may include the steps of: and under the condition that the second access control condition is included in the access control condition file and the access control extension file indicates that the second access control condition provided by the UICC is not exclusively used, determining the first access control condition according to the second access control condition and a third access control condition stored locally.

When the access control extension file indicates that the second access control condition provided by the UICC is not used exclusively, it necessarily also indicates that applications authorized to access the UICC are allowed to provide access control conditions, since the priority indication applies only in that case.

When the access control condition file read by the access control device includes the second access control condition, and the access control extension file indicates both that applications authorized to access the UICC are allowed to provide access control conditions and that the second access control condition provided by the UICC is not used exclusively, the access control device must perform access control using both the second access control condition provided by the UICC and the access control condition provided by the application authorized to access the UICC. It therefore determines the first access control condition from the second access control condition (the one provided by the UICC) and the locally stored third access control condition (the one provided by the application authorized to access the UICC, which includes a certificate digest, etc.).

In some embodiments, the determining the first access control condition according to the second access control condition and a locally stored third access control condition may include: and merging the second access control condition and the third access control condition, and determining the merged access control condition as the first access control condition.

Specifically, the access control device may merge the second access control condition and the third access control condition; the merged access control condition is the determined first access control condition.

In some embodiments, the determining the first access control condition according to the access control condition file and the access control extension file (i.e., S12) may include the steps of: in a case where the second access control condition is included in the access control condition file and the access control extension file indicates that the second access control condition provided by the UICC is used exclusively, determining that the second access control condition is the first access control condition.

In the case where the second access control condition is included in the access control condition file and the access control extension file indicates that the second access control condition provided by the UICC is used exclusively, then even though the access control extension file indicates that the application authorized to access the UICC is allowed to provide the access control condition, the access control apparatus may only use the second access control condition provided by the UICC for access control, because the UICC already provides the second access control condition and the extension file indicates that it is used exclusively. In this case, the second access control condition (i.e., the second access control condition provided by the UICC) may be directly determined as the first access control condition.

In some embodiments, the determining the first access control condition according to the access control condition file and the access control extension file (i.e., S12) may include the steps of: in the case where the second access control condition is not included in the access control condition file and the access control extension file indicates that an application authorized to access the UICC is allowed to provide the access control condition, determining the locally stored third access control condition to be the first access control condition.

When the access control condition file read by the access control device does not include the second access control condition, since the access control extension file indicates that the application authorized to access the UICC is allowed to provide the access control condition, the access control device may directly use the access control condition provided by the application authorized to access the UICC for access control, that is, may directly determine the locally stored third access control condition as the first access control condition.

In some embodiments, the determining the first access control condition according to the access control condition file and the access control extension file (i.e., S12) may include the steps of: in the case where the access control extension file indicates that an application authorized to access the UICC is not allowed to provide access control conditions, determining that the second access control condition in the access control condition file is the first access control condition.

When the access control extension file indicates that the application authorized to access the UICC is not allowed to provide the access control condition, the access control condition file of the UICC necessarily includes the second access control condition, otherwise, the access control apparatus cannot perform access control, and at this time, the access control apparatus may directly determine the second access control condition as the first access control condition.

As shown in fig. 2, in the embodiment of the present invention, the access control extension file may adopt the structure shown in fig. 2, which may include an access control subject extension indication with a length of 1 byte, and may further include an access control subject priority indication with a length of 1 byte. As mentioned above, the access control subject extension indication may indicate whether the application authorized to access the UICC is allowed to provide the access control condition, that is, whether the application authorized to access the UICC is extended to be an access control subject. The access control subject extension indication may be encoded as shown in fig. 3: when the first preset field b1 is 0, the application authorized to access the UICC is not allowed to provide the access control condition, that is, it is not extended to be an access control subject; when the first preset field b1 is 1, the application authorized to access the UICC is allowed to provide the access control condition, that is, it is extended to be an access control subject. In addition, b2 to b8 are reserved fields.

The access control subject priority indication may indicate whether the second access control condition provided by the UICC is used exclusively, that is, whether the access control of the terminal application (authorized to access the UICC) may be used together with the UICC access control. The access control subject priority indication may be encoded as shown in fig. 4: when the second preset field b1 is 0, the second access control condition provided by the UICC is used exclusively, that is, the terminal application access control is not used together with it; when the second preset field b1 is 1, the second access control condition provided by the UICC is not used exclusively, that is, the terminal application access control is used together with it. In addition, b2 to b8 are reserved fields.

As shown in fig. 5, an embodiment of the present invention further provides an access control method, which may be applied to a UICC, where the method may include the following steps:

S21, in response to receiving the read instruction sent by the access control apparatus for reading the access control condition file and the access control extension file, returning the access control condition file and the access control extension file in the UICC to the access control apparatus.

Wherein the access control extension file is at least used to indicate whether an application authorized to access the local UICC is allowed to provide access control conditions.

In the embodiment of the present invention, the access control dedicated file may further include an access control extension file in addition to an existing access control master file, an access control rule file, and an access control condition file (including a reference digest). When the first application has a requirement for accessing the UICC, an access UICC request may be initiated to the access control apparatus, and in response to receiving the access UICC request sent by the first application, the access control apparatus sends, to the local UICC, a read instruction for reading an access control condition file and an access control extension file in the local UICC access control dedicated file, and the local UICC provides file content in response to receiving the read instruction.

As shown in fig. 6, the access control method provided by the present invention is described in detail below with reference to a specific embodiment.

S21, the terminal application A generates a request for accessing the UICC according to its application function, and sends the request for accessing the UICC to another terminal application B that is authorized to access the UICC.

Here the terminal application A is the first application, and the terminal application B acts as the access control apparatus.

S22, the terminal application B reads the access control condition file and the access control extension file in the UICC in response to receiving the UICC access request sent by the terminal application A.

Wherein the access control extension file is used to indicate whether an application authorized to access the UICC is allowed to provide access control conditions and to indicate whether a second access control condition provided by the UICC is used exclusively.

S23, the terminal application B determines whether the application authorized to access the UICC is extended to be the access control subject; if so, S24 is executed, otherwise S27 is executed.

Specifically, if the access control extension file indicates that the application authorized to access the UICC is allowed to provide the access control condition, i.e., the application authorized to access the UICC is extended to the access control subject, S24 is performed, otherwise S27 is performed.

S24, the terminal application B determines whether the access control condition file includes the second access control condition (i.e., whether the UICC provides an access control condition); if so, S25 is executed, otherwise S26 is executed.

S25, the terminal application B determines whether the second access control condition provided by the UICC and the access control condition provided by the application authorized to access the UICC may be used together; if so, S28 is executed, otherwise S27 is executed.

If the access control extension file indicates that the second access control condition provided by the UICC is not used exclusively, this indicates that the second access control condition provided by the UICC and the access control condition provided by the application authorized to access the UICC may be used together, and S28 is executed; otherwise, S27 is executed.

S26, the third access control condition stored locally is determined as the first access control condition. S29 is executed.

S27, the second access control condition in the access control condition file is determined as the first access control condition. S29 is executed.

S28, the second access control condition and the locally stored third access control condition are merged, and the merged access control condition is determined to be the first access control condition. S29 is executed.

S29, the terminal application B processes the UICC access request of the terminal application A according to the determined first access control condition.
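To make the encoding of figs. 2 to 4 and the decision flow of steps S23 to S29 concrete, the following Python code is an added example written for this page; it is not code from the patent or from any UICC implementation. It assumes that b1 of each indication byte is the least significant bit, that an access control condition is a set of allowed certificate digests, that the digest is SHA-1 over the certificate bytes, and that "merging" in S28 means taking the union of the two sets; the certificate byte strings and function names are constructed for the example.

```python
import hashlib
from typing import FrozenSet, Optional, Tuple

# Constructed sample data (not from the patent): byte strings standing in for
# the certificate of terminal application A and of some other application.
CERT_APP_A = b"constructed-certificate-of-terminal-application-A"
CERT_OTHER = b"constructed-certificate-of-some-other-application"


def certificate_digest(cert: bytes) -> str:
    """Digest used to match a certificate against an access control condition.
    SHA-1 over the certificate bytes is an assumption made for this example."""
    return hashlib.sha1(cert).hexdigest()


def parse_extension_file(data: bytes) -> Tuple[bool, bool]:
    """Parse the 2-byte access control extension file of fig. 2.

    Byte 0: access control subject extension indication (fig. 3).
        b1 = 1 -> an application authorized to access the UICC may provide
                  access control conditions; b1 = 0 -> it may not.
    Byte 1: access control subject priority indication (fig. 4).
        b1 = 0 -> the UICC's second access control condition is used
                  exclusively; b1 = 1 -> it may be used together with the
                  condition provided by the authorized application.
    b1 is taken to be the least significant bit (assumption); the reserved
    fields b2..b8 are ignored. Returns (extension_allowed, uicc_exclusive).
    """
    if len(data) < 2:
        raise ValueError("access control extension file must be at least 2 bytes")
    extension_allowed = bool(data[0] & 0x01)
    uicc_exclusive = not (data[1] & 0x01)
    return extension_allowed, uicc_exclusive


def determine_first_condition(
    uicc_condition: Optional[FrozenSet[str]],
    local_condition: FrozenSet[str],
    extension_allowed: bool,
    uicc_exclusive: bool,
) -> FrozenSet[str]:
    """Steps S23 to S28 of fig. 6.

    uicc_condition  : the second access control condition read from the UICC's
                      access control condition file, or None if that file
                      carries no condition.
    local_condition : the third access control condition stored locally by the
                      authorized application (terminal application B).
    """
    if not extension_allowed:                       # S23: extension not allowed
        if uicc_condition is None:
            # Without the extension the UICC must supply the condition,
            # otherwise no access control is possible at all.
            raise ValueError("UICC provides no condition and extension is not allowed")
        return uicc_condition                       # S27
    if uicc_condition is None:                      # S24: UICC gives no condition
        return local_condition                      # S26
    if uicc_exclusive:                              # S25: may both be used together?
        return uicc_condition                       # S27
    return uicc_condition | local_condition         # S28: merge (union, assumption)


def process_access_request(cert: bytes, first_condition: FrozenSet[str]) -> bool:
    """S29: grant the UICC access request only if the requesting
    application's certificate digest satisfies the first condition."""
    return certificate_digest(cert) in first_condition


def run_demo() -> dict:
    """Walk application A's request through the four cases of the description."""
    uicc_cond = frozenset({certificate_digest(CERT_OTHER)})   # UICC allows 'other' only
    local_cond = frozenset({certificate_digest(CERT_APP_A)})  # B's local list allows app A
    results = {}
    for name, ext_file, uicc in (
        ("merged", bytes([0x01, 0x01]), uicc_cond),          # extension on, not exclusive
        ("uicc_exclusive", bytes([0x01, 0x00]), uicc_cond),  # extension on, exclusive
        ("local_only", bytes([0x01, 0x00]), None),           # extension on, UICC has no condition
        ("no_extension", bytes([0x00, 0x00]), uicc_cond),    # extension off
    ):
        allowed, exclusive = parse_extension_file(ext_file)
        first = determine_first_condition(uicc, local_cond, allowed, exclusive)
        results[name] = process_access_request(CERT_APP_A, first)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Running the demo shows the effect of each indication: application A is granted access only when its digest reaches the first condition, i.e. in the merged case and in the case where the UICC carries no condition of its own; when the UICC's condition is used exclusively, or the extension is switched off, the locally stored third condition is never consulted. Note that the order of the checks matters: in the `local_only` case the priority byte still says "exclusive", but S24 branches to S26 before S25 is ever reached.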

As shown in fig. 7, based on the same technical concept, an embodiment of the present invention further provides an access control apparatus for executing the above access control method, where the access control apparatus includes:

a receiving module 101, configured to receive a UICC access request sent by a first application.

A reading module 102, configured to read an access control condition file and an access control extension file in the UICC in response to the receiving module receiving an access UICC request sent by the first application; wherein the access control extension file is at least for indicating whether an application authorized to access the UICC is allowed to provide access control conditions.

The first processing module 103 is configured to determine a first access control condition according to the access control condition file and the access control extension file.

A second processing module 104, configured to process a UICC access request of the first application according to the first access control condition.

In some embodiments, the access control extension file is further used to indicate whether the second access control condition provided by the UICC is used exclusively.

In some embodiments, the access control extension file comprises an access control subject extension indication and an access control subject priority indication, the access control subject extension indication comprising at least a first preset field for indicating whether an application authorized to access the UICC is allowed to provide access control conditions, and the access control subject priority indication comprising at least a second preset field for indicating whether the second access control condition provided by the UICC is used exclusively.

In some embodiments, the first processing module 103 is configured to:

under the condition that the access control condition file comprises a second access control condition and the access control extension file indicates that the second access control condition provided by the UICC is not used exclusively, determine a first access control condition according to the second access control condition and a locally stored third access control condition.

In some embodiments, the first processing module 103 is configured to:

merge the second access control condition and the third access control condition, and determine the merged access control condition as the first access control condition.

In some embodiments, the first processing module 103 is configured to:

determine that the second access control condition is the first access control condition under the condition that the second access control condition is included in the access control condition file and the access control extension file indicates that the second access control condition provided by the UICC is used exclusively.

In some embodiments, the first processing module 103 is configured to:

determine that the locally stored third access control condition is the first access control condition when the second access control condition is not included in the access control condition file and the access control extension file indicates that an application authorized to access the UICC is allowed to provide the access control condition.

As shown in fig. 8, based on the same technical concept, an embodiment of the present invention further provides a UICC, configured to execute the access control method, where the UICC includes:

a receiving module 201, configured to receive a reading instruction sent by the access control apparatus for reading the access control condition file and the access control extension file.

A sending module 202, configured to return the access control condition file and the access control extension file in the local UICC to the access control apparatus in response to the receiving module receiving the read instruction; wherein the access control extension file is at least used to indicate whether an application authorized to access the local UICC is allowed to provide access control conditions.

It will be understood that the above embodiments are merely exemplary embodiments taken to illustrate the principles of the present invention, which is not limited thereto. It will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the spirit and substance of the invention, and these modifications and improvements are also considered to be within the scope of the invention.
