diff options
| author | android-build-team Robot <android-build-team-robot@google.com> | 2020-04-28 20:27:14 +0000 |
|---|---|---|
| committer | android-build-team Robot <android-build-team-robot@google.com> | 2020-04-28 20:27:14 +0000 |
| commit | 46b7896b5622bcc11143500058fe68f93746177d (patch) | |
| tree | b5f1104729419d0841e74f56c04f42cea8fd67b6 | |
| parent | 1b0cbfdc408d968028928c235cf506889eb33b5c (diff) | |
| parent | c3f935b630910cb90e96da1484f02ef49f9e1013 (diff) | |
| download | SecureElement-android10-mainline-tzdata-release.tar.gz | |
Snap for 6439596 from c3f935b630910cb90e96da1484f02ef49f9e1013 to qt-aml-tzdata-releaseq_tzdata_aml_297100400q_tzdata_aml_297100300q_tzdata_aml_297100000q_tzdata_aml_296200000q_tzdata_aml_295600118q_tzdata_aml_295600110q_tzdata_aml_295500002q_tzdata_aml_295500001q_tzdata_aml_294400310android-mainline-12.0.0_r54android-mainline-12.0.0_r111android-mainline-10.0.0_r13android-mainline-10.0.0_r12android-mainline-10.0.0_r11q_tzdata_aml_297100000android12-mainline-tzdata-releaseandroid10-mainline-tzdata-releaseandroid10-android13-mainline-tzdata-release
Change-Id: I4fb702cd0fa7f3f0d3a85c291d10804638f0cf21
| -rwxr-xr-x | AndroidManifest.xml | 5 | ||||
| -rw-r--r-- | res/values/config.xml | 6 | ||||
| -rw-r--r-- | src/com/android/se/Terminal.java | 32 | ||||
| -rw-r--r-- | src/com/android/se/security/AccessControlEnforcer.java | 13 | ||||
| -rw-r--r-- | src/com/android/se/security/AccessRuleCache.java | 114 | ||||
| -rw-r--r-- | src/com/android/se/security/ara/AraController.java | 51 | ||||
| -rwxr-xr-x | src/com/android/se/security/gpac/AR_DO.java | 44 | ||||
| -rw-r--r-- | src/com/android/se/security/gpac/PERM_AR_DO.java | 88 | ||||
| -rw-r--r-- | src/com/android/se/security/gpac/PKG_REF_DO.java | 143 | ||||
| -rw-r--r-- | src/com/android/se/security/gpac/REF_DO.java | 55 |
10 files changed, 99 insertions, 452 deletions
diff --git a/AndroidManifest.xml b/AndroidManifest.xml index f63a1aa..3412d66 100755 --- a/AndroidManifest.xml +++ b/AndroidManifest.xml @@ -4,11 +4,10 @@ android:sharedUserId="android.uid.se"> <application android:name=".SEApplication" android:label="SecureElementApplication" - android:persistent="true" - android:directBootAware="true"> + android:persistent="true"> <service android:name=".SecureElementService"> <intent-filter> - <action android:name="android.se.omapi.ISecureElementService"/> + <action android:name="android.omapi.ISecureElementService"/> </intent-filter> </service> </application> diff --git a/res/values/config.xml b/res/values/config.xml deleted file mode 100644 index cc310a0..0000000 --- a/res/values/config.xml +++ /dev/null @@ -1,6 +0,0 @@ -<?xml version="1.0" encoding="utf-8"?> -<resources> - <!-- The list of AIDs are the candidate of the ARA AID in ESE. - The first available AID will be taken as the ARA AID. --> - <string-array name="config_ara_aid_candidate_list_ese" translatable="false" /> -</resources> diff --git a/src/com/android/se/Terminal.java b/src/com/android/se/Terminal.java index 45b8bac..521d696 100644 --- a/src/com/android/se/Terminal.java +++ b/src/com/android/se/Terminal.java @@ -247,22 +247,22 @@ public class Terminal { if (channel == null) { return; } - if (mIsConnected) { - try { - byte status = mSEHal.closeChannel((byte) channel.getChannelNumber()); - /* For Basic Channels, errors are expected. - * Underlying implementations use this call as an indication when there - * aren't any users actively using the channel, and the chip can go - * into low power state. - */ - if (!channel.isBasicChannel() && status != SecureElementStatus.SUCCESS) { - Log.e(mTag, "Error closing channel " + channel.getChannelNumber()); + synchronized (mLock) { + if (mIsConnected) { + try { + byte status = mSEHal.closeChannel((byte) channel.getChannelNumber()); + /* For Basic Channels, errors are expected. + * Underlying implementations use this call as an indication when there + * aren't any users actively using the channel, and the chip can go + * into low power state. + */ + if (!channel.isBasicChannel() && status != SecureElementStatus.SUCCESS) { + Log.e(mTag, "Error closing channel " + channel.getChannelNumber()); + } + } catch (RemoteException e) { + Log.e(mTag, "Exception in closeChannel() " + e); } - } catch (RemoteException e) { - Log.e(mTag, "Exception in closeChannel() " + e); } - } - synchronized (mLock) { mChannels.remove(channel.getChannelNumber(), channel); if (mChannels.get(channel.getChannelNumber()) != null) { Log.e(mTag, "Removing channel failed"); @@ -713,10 +713,6 @@ public class Terminal { return mAccessControlEnforcer; } - public Context getContext() { - return mContext; - } - /** Dump data for debug purpose . */ public void dump(PrintWriter writer) { writer.println("SECURE ELEMENT SERVICE TERMINAL: " + mName); diff --git a/src/com/android/se/security/AccessControlEnforcer.java b/src/com/android/se/security/AccessControlEnforcer.java index a4ceb70..79252bd 100644 --- a/src/com/android/se/security/AccessControlEnforcer.java +++ b/src/com/android/se/security/AccessControlEnforcer.java @@ -84,10 +84,7 @@ public class AccessControlEnforcer { mAccessRuleCache = new AccessRuleCache(); } - public byte[] getDefaultAccessControlAid() { - if (mAraController != null) { - return mAraController.getAccessControlAid(); - } + public static byte[] getDefaultAccessControlAid() { return AraController.getAraMAid(); } @@ -457,14 +454,6 @@ public class AccessControlEnforcer { writer.println("mUseArf: " + mUseArf); writer.println("mUseAra: " + mUseAra); - if (mUseAra && mAraController != null) { - if (getDefaultAccessControlAid() == null) { - writer.println("AraInUse: default applet"); - } else { - writer.println("AraInUse: " + ByteArrayConverter.byteArrayToHexString( - getDefaultAccessControlAid())); - } - } writer.println("mInitialChannelAccess:"); writer.println(mInitialChannelAccess.toString()); writer.println(); diff --git a/src/com/android/se/security/AccessRuleCache.java b/src/com/android/se/security/AccessRuleCache.java index 6d854c0..2d3763b 100644 --- a/src/com/android/se/security/AccessRuleCache.java +++ b/src/com/android/se/security/AccessRuleCache.java @@ -78,17 +78,13 @@ public class AccessRuleCache { private static ChannelAccess mapArDo2ChannelAccess(AR_DO arDo) { ChannelAccess channelAccess = new ChannelAccess(); - // Missing access rule attribute shall be interpreted as ALWAYS or NEVER - // after the result of the rule conflict resolution and combination is processed. - // See Table G-1 in GP SEAC v1.1 Annex G. - // - // GP SEAC v1.0 also indicates the same rule in Annex D. - // Combined rule of APDU (ALWAYS) and NFC (ALWAYS) shall be APDU (ALWAYS) + NFC (ALWAYS). - // check apdu access allowance if (arDo.getApduArDo() != null) { + // first if there is a rule for access, reset the general deny flag. + channelAccess.setAccess(ChannelAccess.ACCESS.ALLOWED, ""); + channelAccess.setUseApduFilter(false); + if (arDo.getApduArDo().isApduAllowed()) { - channelAccess.setAccess(ChannelAccess.ACCESS.ALLOWED, ""); // check the apdu filter ArrayList<byte[]> apduHeaders = arDo.getApduArDo().getApduHeaderList(); ArrayList<byte[]> filterMasks = arDo.getApduArDo().getFilterMaskList(); @@ -107,12 +103,10 @@ public class AccessRuleCache { } } else { // apdu access is not allowed at all. - channelAccess.setAccess(ChannelAccess.ACCESS.DENIED, - "NEVER is explicitly specified as the APDU access rule policy"); channelAccess.setApduAccess(ChannelAccess.ACCESS.DENIED); } } else { - // It is too early to interpret the missing APDU access rule attribute as NEVER. + channelAccess.setAccess(ChannelAccess.ACCESS.DENIED, "No APDU access rule available.!"); } // check for NFC Event allowance @@ -122,9 +116,9 @@ public class AccessRuleCache { ? ChannelAccess.ACCESS.ALLOWED : ChannelAccess.ACCESS.DENIED); } else { - // It is too early to interpret the missing NFC access rule attribute. Keep UNDEFINED. + // GP says that by default NFC should have the same right as for APDU access + channelAccess.setNFCEventAccess(channelAccess.getApduAccess()); } - return channelAccess; } @@ -159,47 +153,72 @@ public class AccessRuleCache { ChannelAccess ca = mRuleCache.get(refDo); // if new ac condition is more restrictive then use their settings - // DENIED > ALLOWED > UNDEFINED - if (ca.getAccess() != ChannelAccess.ACCESS.DENIED) { - if (channelAccess.getAccess() == ChannelAccess.ACCESS.DENIED) { - ca.setAccess(ChannelAccess.ACCESS.DENIED, channelAccess.getReason()); - } else if (channelAccess.getAccess() == ChannelAccess.ACCESS.ALLOWED) { - ca.setAccess(ChannelAccess.ACCESS.ALLOWED, ""); - } + if ((channelAccess.getAccess() == ChannelAccess.ACCESS.DENIED) + || (ca.getAccess() == ChannelAccess.ACCESS.DENIED)) { + ca.setAccess(ChannelAccess.ACCESS.DENIED, channelAccess.getReason()); + } else if ((channelAccess.getAccess() == ChannelAccess.ACCESS.UNDEFINED) + && (ca.getAccess() != ChannelAccess.ACCESS.UNDEFINED)) { + ca.setAccess(ca.getAccess(), ca.getReason()); + } else if ((channelAccess.getAccess() != ChannelAccess.ACCESS.UNDEFINED) + && (ca.getAccess() == ChannelAccess.ACCESS.UNDEFINED)) { + ca.setAccess(channelAccess.getAccess(), channelAccess.getReason()); + } else { + ca.setAccess(ChannelAccess.ACCESS.ALLOWED, ca.getReason()); } - // Only the rule with the highest priority shall be applied if the rules conflict. - // NFC (NEVER) > NFC (ALWAYS) > No NFC attribute - - if (ca.getNFCEventAccess() != ChannelAccess.ACCESS.DENIED) { - if (channelAccess.getNFCEventAccess() == ChannelAccess.ACCESS.DENIED) { - ca.setNFCEventAccess(ChannelAccess.ACCESS.DENIED); - } else if (channelAccess.getNFCEventAccess() == ChannelAccess.ACCESS.ALLOWED) { - ca.setNFCEventAccess(ChannelAccess.ACCESS.ALLOWED); - } + // if new rule says NFC is denied then use it + // if current rule as undefined NFC rule then use setting of new rule. + // current NFC new NFC resulting NFC + // UNDEFINED x x + // ALLOWED !DENIED ALLOWED + // ALLOWED DENIED DENIED + // DENIED !DENIED DENIED + // DENIED DENIED DENIED + + if ((channelAccess.getNFCEventAccess() == ChannelAccess.ACCESS.DENIED) + || (ca.getNFCEventAccess() == ChannelAccess.ACCESS.DENIED)) { + ca.setNFCEventAccess(ChannelAccess.ACCESS.DENIED); + } else if ((channelAccess.getNFCEventAccess() == ChannelAccess.ACCESS.UNDEFINED) + && (ca.getNFCEventAccess() != ChannelAccess.ACCESS.UNDEFINED)) { + ca.setNFCEventAccess(ca.getNFCEventAccess()); + } else if ((channelAccess.getNFCEventAccess() != ChannelAccess.ACCESS.UNDEFINED) + && (ca.getNFCEventAccess() == ChannelAccess.ACCESS.UNDEFINED)) { + ca.setNFCEventAccess(channelAccess.getNFCEventAccess()); + } else { + ca.setNFCEventAccess(ChannelAccess.ACCESS.ALLOWED); } - - // Only the rule with the highest priority shall be applied if the rules conflict. - // APDU (NEVER) > APDU (Filter) > APDU (ALWAYS) > No APDU attribute - - if (ca.getApduAccess() != ChannelAccess.ACCESS.DENIED) { - if (channelAccess.getApduAccess() == ChannelAccess.ACCESS.DENIED) { - ca.setApduAccess(ChannelAccess.ACCESS.DENIED); - } else if (ca.isUseApduFilter() || channelAccess.isUseApduFilter()) { - // In order to differentiate APDU (Filter) from APDU (ALWAYS) clearly, - // check if the combined rule will have APDU filter here - // and avoid changing APDU access from UNDEFINED in APDU (Filter) case. - // APDU filters combination itself will be done in the next process below. - } else if (channelAccess.getApduAccess() == ChannelAccess.ACCESS.ALLOWED) { - ca.setApduAccess(ChannelAccess.ACCESS.ALLOWED); - } + // if new rule says APUD is denied then use it + // if current rule as undefined APDU rule then use setting of new rule. + // current APDU new APDU resulting APDU + // UNDEFINED x x + // ALLOWED !DENIED ALLOWED + // ALLOWED DENIED DENIED + // DENIED !DENIED DENIED + // DENEID DENIED DENIED + + if ((channelAccess.getApduAccess() == ChannelAccess.ACCESS.DENIED) + || (ca.getApduAccess() == ChannelAccess.ACCESS.DENIED)) { + ca.setApduAccess(ChannelAccess.ACCESS.DENIED); + } else if ((channelAccess.getApduAccess() == ChannelAccess.ACCESS.UNDEFINED) + && (ca.getApduAccess() != ChannelAccess.ACCESS.UNDEFINED)) { + ca.setApduAccess(ca.getApduAccess()); + } else if ((channelAccess.getApduAccess() == ChannelAccess.ACCESS.UNDEFINED) + && (ca.getApduAccess() == ChannelAccess.ACCESS.UNDEFINED) + && !channelAccess.isUseApduFilter()) { + ca.setApduAccess(ChannelAccess.ACCESS.DENIED); + } else if ((channelAccess.getApduAccess() != ChannelAccess.ACCESS.UNDEFINED) + && (ca.getApduAccess() == ChannelAccess.ACCESS.UNDEFINED)) { + ca.setApduAccess(channelAccess.getApduAccess()); + } else { + ca.setApduAccess(ChannelAccess.ACCESS.ALLOWED); } - // put APDU filter together if resulting APDU access is not denied. - if (ca.getApduAccess() != ChannelAccess.ACCESS.DENIED) { + // put APDU filter together if resulting APDU access is allowed. + if ((ca.getApduAccess() == ChannelAccess.ACCESS.ALLOWED) + || (ca.getApduAccess() == ChannelAccess.ACCESS.UNDEFINED)) { + Log.i(mTag, "Merged Access Rule: APDU filter together"); if (channelAccess.isUseApduFilter()) { - Log.i(mTag, "Merged Access Rule: APDU filter together"); ca.setUseApduFilter(true); ApduFilter[] filter = ca.getApduFilter(); ApduFilter[] filter2 = channelAccess.getApduFilter(); @@ -245,7 +264,6 @@ public class AccessRuleCache { // All the APDU access requests shall never be allowed in this case. // This missing rule resolution is valid for both ARA and ARF // if the supported GP SEAC version is v1.1 or later. - ca.setAccess(ChannelAccess.ACCESS.DENIED, "No APDU access rule is available"); ca.setApduAccess(ChannelAccess.ACCESS.DENIED); } if (ca.getNFCEventAccess() == ChannelAccess.ACCESS.UNDEFINED) { diff --git a/src/com/android/se/security/ara/AraController.java b/src/com/android/se/security/ara/AraController.java index 52223b6..bc4ea19 100644 --- a/src/com/android/se/security/ara/AraController.java +++ b/src/com/android/se/security/ara/AraController.java @@ -35,15 +35,10 @@ package com.android.se.security.ara; -import android.content.Context; -import android.text.TextUtils; import android.util.Log; import com.android.se.Channel; -import com.android.se.R; -import com.android.se.SecureElementService; import com.android.se.Terminal; -import com.android.se.internal.ByteArrayConverter; import com.android.se.security.AccessRuleCache; import com.android.se.security.ChannelAccess; import com.android.se.security.gpac.BerTlv; @@ -78,65 +73,27 @@ public class AraController { private AccessRuleCache mAccessRuleCache = null; private Terminal mTerminal = null; private AccessRuleApplet mApplet = null; - private Context mContext = null; - private String[] mAids = new String[0]; - private byte[] mAccessControlAid = ARA_M_AID; public AraController(AccessRuleCache cache, Terminal terminal) { mAccessRuleCache = cache; mTerminal = terminal; - mContext = mTerminal.getContext(); - if (mTerminal.getName().startsWith(SecureElementService.ESE_TERMINAL)) { - mAids = mContext.getResources().getStringArray( - R.array.config_ara_aid_candidate_list_ese); - } } public static byte[] getAraMAid() { return ARA_M_AID; } - public byte[] getAccessControlAid() { - return mAccessControlAid; - } - /** * Initialize the AraController, reads the refresh tag. * and fetch the access rules */ public synchronized void initialize() throws IOException, NoSuchElementException { - Channel channel = null; - byte[] aid = null; - - // try to fetch access rules from ARA Aid list - for (String araAid : mAids) { - if (!TextUtils.isEmpty(araAid)) { - aid = ByteArrayConverter.hexStringToByteArray(araAid); - } else { - aid = null; - } - try { - channel = mTerminal.openLogicalChannelWithoutChannelAccess(aid); - if (channel == null) { - throw new MissingResourceException("could not open channel", "", ""); - } - mAccessControlAid = aid; - break; - } catch (NoSuchElementException e) { - Log.i(mTag, "applet:" + araAid + " is not accessible"); - continue; - } - } - - // try to fetch access rules from ARA-M if all ARA in Aid list is not accessible + Channel channel = mTerminal.openLogicalChannelWithoutChannelAccess(getAraMAid()); if (channel == null) { - channel = mTerminal.openLogicalChannelWithoutChannelAccess(getAraMAid()); - if (channel == null) { - throw new MissingResourceException("could not open channel", "", ""); - } + throw new MissingResourceException("could not open channel", "", ""); } - // set access conditions to access ARA. + // set access conditions to access ARA-M. ChannelAccess araChannelAccess = new ChannelAccess(); araChannelAccess.setAccess(ChannelAccess.ACCESS.ALLOWED, ""); araChannelAccess.setApduAccess(ChannelAccess.ACCESS.ALLOWED); @@ -147,7 +104,7 @@ public class AraController { mApplet = new AccessRuleApplet(channel); byte[] tag = mApplet.readRefreshTag(); // if refresh tag is equal to the previous one it is not - // necessary to read all rules again. + // neccessary to read all rules again. if (mAccessRuleCache.isRefreshTagEqual(tag)) { Log.i(mTag, "Refresh tag unchanged. Using access rules from cache."); return; diff --git a/src/com/android/se/security/gpac/AR_DO.java b/src/com/android/se/security/gpac/AR_DO.java index 491b099..ebb5a6e 100755 --- a/src/com/android/se/security/gpac/AR_DO.java +++ b/src/com/android/se/security/gpac/AR_DO.java @@ -49,31 +49,15 @@ public class AR_DO extends BerTlv { private APDU_AR_DO mApduAr = null; private NFC_AR_DO mNfcAr = null; - private PERM_AR_DO mPermAr = null; public AR_DO(byte[] rawData, int valueIndex, int valueLength) { super(rawData, TAG, valueIndex, valueLength); } - public AR_DO(APDU_AR_DO apduArDo, NFC_AR_DO nfcArDo, PERM_AR_DO permArDo) { - super(null, TAG, 0, 0); - mApduAr = apduArDo; - mNfcAr = nfcArDo; - mPermAr = permArDo; - } - public AR_DO(APDU_AR_DO apduArDo, NFC_AR_DO nfcArDo) { super(null, TAG, 0, 0); mApduAr = apduArDo; mNfcAr = nfcArDo; - mPermAr = null; - } - - public AR_DO(PERM_AR_DO permArDo) { - super(null, TAG, 0, 0); - mApduAr = null; - mNfcAr = null; - mPermAr = permArDo; } public APDU_AR_DO getApduArDo() { @@ -84,27 +68,19 @@ public class AR_DO extends BerTlv { return mNfcAr; } - public PERM_AR_DO getPermArDo() { - return mPermAr; - } - @Override /** * Interpret value. * * <p>Tag: E3 * - * <p>Value: - * 1. Value can contain APDU-AR-DO or NFC-AR-DO or APDU-AR-DO | NFC-AR-DO A - * concatenation of one or two AR-DO(s). If two AR-DO(s) are present these must have - * different types. - * 2. PERM-AR-DO + * <p>Value: Value can contain APDU-AR-DO or NFC-AR-DO or APDU-AR-DO | NFC-AR-DO A concatenation + * of one or two AR-DO(s). If two AR-DO(s) are present these must have different types. */ public void interpret() throws ParserException { this.mApduAr = null; this.mNfcAr = null; - this.mPermAr = null; byte[] data = getRawData(); int index = getValueIndex(); @@ -122,9 +98,6 @@ public class AR_DO extends BerTlv { } else if (temp.getTag() == NFC_AR_DO.TAG) { // NFC-AR-DO mNfcAr = new NFC_AR_DO(data, temp.getValueIndex(), temp.getValueLength()); mNfcAr.interpret(); - } else if (temp.getTag() == PERM_AR_DO.TAG) { // PERM-AR-DO - mPermAr = new PERM_AR_DO(data, temp.getValueIndex(), temp.getValueLength()); - mPermAr.interpret(); } else { // un-comment following line if a more restrictive // behavior is necessary. @@ -133,7 +106,7 @@ public class AR_DO extends BerTlv { index = temp.getValueIndex() + temp.getValueLength(); } while (getValueIndex() + getValueLength() > index); - if (mApduAr == null && mNfcAr == null && mPermAr == null) { + if (mApduAr == null && mNfcAr == null) { throw new ParserException("No valid DO in AR-DO!"); } } @@ -144,11 +117,8 @@ public class AR_DO extends BerTlv { * * <p>Tag: E3 * - * <p>Value: - * 1. Value can contain APDU-AR-DO or NFC-AR-DO or APDU-AR-DO | NFC-AR-DO A - * concatenation of one or two AR-DO(s). If two AR-DO(s) are present these must have - * different types. - * 2. PERM-AR-DO + * <p>Value: Value can contain APDU-AR-DO or NFC-AR-DO or APDU-AR-DO | NFC-AR-DO A concatenation + * of one or two AR-DO(s). If two AR-DO(s) are present these must have different types. */ public void build(ByteArrayOutputStream stream) throws DO_Exception { @@ -164,10 +134,6 @@ public class AR_DO extends BerTlv { mNfcAr.build(temp); } - if (mPermAr != null) { - mPermAr.build(temp); - } - BerTlv.encodeLength(temp.size(), stream); try { stream.write(temp.toByteArray()); diff --git a/src/com/android/se/security/gpac/PERM_AR_DO.java b/src/com/android/se/security/gpac/PERM_AR_DO.java deleted file mode 100644 index f927042..0000000 --- a/src/com/android/se/security/gpac/PERM_AR_DO.java +++ /dev/null @@ -1,88 +0,0 @@ -/* - * Copyright (C) 2019 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.android.se.security.gpac; - -import java.io.ByteArrayOutputStream; -import java.io.IOException; - -/** - * PERM-AR-DO: The access rule for Device API control consists of a permission bit mask of 8 bytes. - */ -public class PERM_AR_DO extends BerTlv { - - public static final int TAG = 0xDB; - - public static final int PERM_MASK_LEN = 8; - - private byte[] mPermissionMask = new byte[0]; - - public PERM_AR_DO(byte[] rawData, int valueIndex, int valueLength) { - super(rawData, TAG, valueIndex, valueLength); - } - - public PERM_AR_DO(byte[] permissionMask) { - super(permissionMask, TAG, 0, (permissionMask == null ? 0 : permissionMask.length)); - if (permissionMask != null) mPermissionMask = permissionMask; - } - - public byte[] getPermissionMask() { - return mPermissionMask; - } - - @Override - /** - * Tag: DB Length: 8 Value: Contains a permission mask - */ - public void interpret() throws ParserException { - mPermissionMask = new byte[0]; - - byte[] data = getRawData(); - int index = getValueIndex(); - int length = getValueLength(); - - if (index + getValueLength() > data.length) { - throw new ParserException("Not enough data for PERM-AR-DO!"); - } - - if (length == PERM_MASK_LEN) { - mPermissionMask = new byte[length]; - System.arraycopy(data, index, mPermissionMask, 0, length); - } else { - throw new ParserException("Invalid length of PERM-AR-DO!"); - } - } - - @Override - /** - * Tag: DB Length: 8 Value: Contains a permission mask - */ - public void build(ByteArrayOutputStream stream) throws DO_Exception { - - // sanity checks - if (mPermissionMask.length != PERM_MASK_LEN) { - throw new DO_Exception("Invalid value length for PERM-AR-DO!"); - } - - // write tag - stream.write(getTag()); - try { - stream.write(mPermissionMask.length); - stream.write(mPermissionMask); - } catch (IOException ioe) { - throw new DO_Exception("PERM could not be written!"); - } - } -} diff --git a/src/com/android/se/security/gpac/PKG_REF_DO.java b/src/com/android/se/security/gpac/PKG_REF_DO.java deleted file mode 100644 index a35415a..0000000 --- a/src/com/android/se/security/gpac/PKG_REF_DO.java +++ /dev/null @@ -1,143 +0,0 @@ -/* - * Copyright (C) 2018 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.android.se.security.gpac; - -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.util.Arrays; - -/** - * PKG-REF-DO: The PKG-REF-DO is used for retrieving and storing the corresponding access rules - * for a device application (which is identified by the package name) from and to - * the ARA - */ -public class PKG_REF_DO extends BerTlv { - - public static final int TAG = 0xCA; - - private String mPackageName = null; - - public PKG_REF_DO(byte[] rawData, int valueIndex, int valueLength) { - super(rawData, TAG, valueIndex, valueLength); - } - - public PKG_REF_DO(byte[] pkg) { - super(pkg, TAG, 0, (pkg == null ? 0 : pkg.length)); - if (pkg != null) { - mPackageName = new String(pkg); - } - } - - public PKG_REF_DO() { - super(null, TAG, 0, 0); - } - - /** - * Comapares two PKG_REF_DO objects and returns true if they are equal - */ - public static boolean equals(PKG_REF_DO obj1, PKG_REF_DO obj2) { - if (obj1 == null) { - return (obj2 == null) ? true : false; - } - return obj1.equals(obj2); - } - - public String getPackageName() { - return mPackageName; - } - - @Override - public String toString() { - return new String("PKG_REF_DO: " + mPackageName); - } - - /** - * Tags: CA Length: max length is 128 bytes - * - * <p>Value: pkg: identifies ASCII encoded package name - * - */ - @Override - public void interpret() throws ParserException { - byte[] data = getRawData(); - int index = getValueIndex(); - - // sanity checks - if (getValueLength() > 128) { - throw new ParserException("Invalid value length for PKG-REF-DO!"); - } - - if (index + getValueLength() > data.length) { - throw new ParserException("Not enough data for PKG-REF-DO!"); - } - - byte[] pkg = new byte[getValueLength()]; - System.arraycopy(data, index, pkg, 0, getValueLength()); - mPackageName = new String(pkg); - } - - /** - * Tags: CA Length: max length is 128 bytes - * - * <p>Value: pkg: identifies ASCII encoded package name - * - */ - @Override - public void build(ByteArrayOutputStream stream) throws DO_Exception { - byte[] pkg = mPackageName.getBytes(); - // sanity checks - if (pkg.length > 128) { - throw new DO_Exception("Invalid value length for PKG-REF-DO!"); - } - - stream.write(getTag()); - - try { - stream.write(pkg.length); - stream.write(pkg); - } catch (IOException ioe) { - throw new DO_Exception("PKG could not be written!"); - } - } - - @Override - public boolean equals(Object obj) { - if (obj instanceof PKG_REF_DO) { - PKG_REF_DO pkg_ref_do = (PKG_REF_DO) obj; - if (getTag() == pkg_ref_do.getTag()) { - if (mPackageName != null) { - return mPackageName.equals(pkg_ref_do.mPackageName); - } else { - return (pkg_ref_do.mPackageName == null); - } - } - } - return false; - } - - @Override - public int hashCode() { - ByteArrayOutputStream stream = new ByteArrayOutputStream(); - try { - this.build(stream); - } catch (DO_Exception e) { - return 1; - } - byte[] data = stream.toByteArray(); - int hash = Arrays.hashCode(data); - return hash; - } -} diff --git a/src/com/android/se/security/gpac/REF_DO.java b/src/com/android/se/security/gpac/REF_DO.java index 0400e96..7ccf547 100644 --- a/src/com/android/se/security/gpac/REF_DO.java +++ b/src/com/android/se/security/gpac/REF_DO.java @@ -47,24 +47,15 @@ public class REF_DO extends BerTlv { private AID_REF_DO mAidDo = null; private Hash_REF_DO mHashDo = null; - private PKG_REF_DO mPkgDo = null; public REF_DO(byte[] rawData, int valueIndex, int valueLength) { super(rawData, TAG, valueIndex, valueLength); } - public REF_DO(AID_REF_DO aidRefDo, Hash_REF_DO hashRefDo, PKG_REF_DO pkgRefDo) { - super(null, TAG, 0, 0); - mAidDo = aidRefDo; - mHashDo = hashRefDo; - mPkgDo = pkgRefDo; - } - public REF_DO(AID_REF_DO aidRefDo, Hash_REF_DO hashRefDo) { super(null, TAG, 0, 0); mAidDo = aidRefDo; mHashDo = hashRefDo; - mPkgDo = null; } @Override @@ -77,10 +68,6 @@ public class REF_DO extends BerTlv { } if (mHashDo != null) { b.append(mHashDo.toString()); - b.append(' '); - } - if (mPkgDo != null) { - b.append(mPkgDo.toString()); } return b.toString(); } @@ -93,19 +80,12 @@ public class REF_DO extends BerTlv { return mHashDo; } - public PKG_REF_DO getPkgDo() { - return mPkgDo; - } - /** * Interpret data. * * <p>Tags: E1 -> Length: n * - * <p>Value: - * 1. AID-REF-DO | Hash-REF-DO: A concatenation of an AID-REF-DO and a Hash-REF-DO. - * 2. Hash-REF-DO or Hash-REF-DO | PKG-REF-DO A concatenation of a Hash-REF-DO and a - * PKG-REF-DO. + * <p>Value: AID-REF-DO | Hash-REF-DO: A concatenation of an AID-REF-DO and a Hash-REF-DO. * * <p>Length: n bytes. */ @@ -114,7 +94,6 @@ public class REF_DO extends BerTlv { mAidDo = null; mHashDo = null; - mPkgDo = null; byte[] data = getRawData(); int index = getValueIndex(); @@ -134,9 +113,6 @@ public class REF_DO extends BerTlv { } else if (temp.getTag() == Hash_REF_DO.TAG) { // Hash-REF-DO mHashDo = new Hash_REF_DO(data, temp.getValueIndex(), temp.getValueLength()); mHashDo.interpret(); - } else if (temp.getTag() == PKG_REF_DO.TAG) { // PKG-REF-DO - mPkgDo = new PKG_REF_DO(data, temp.getValueIndex(), temp.getValueLength()); - mPkgDo.interpret(); } else { // uncomment following line if a more restrictive // behaviour is necessary. @@ -145,10 +121,6 @@ public class REF_DO extends BerTlv { index = temp.getValueIndex() + temp.getValueLength(); } while (getValueIndex() + getValueLength() > index); - if (mAidDo != null && !mAidDo.isCarrierPrivilege() && mHashDo != null && mPkgDo != null) { - throw new ParserException("Unexpected combination of SEAC DOs and DAC DO"); - } - // A rule without AID is a Carrier Privilege Rule. // Enforces the AID to be the Carrier Privilege AID to avoid a null AID. if (mAidDo == null && mHashDo != null) { @@ -166,30 +138,19 @@ public class REF_DO extends BerTlv { } /** - * Tag: E1 Length: n Value: - * 1. AID-REF-DO | Hash-REF-DO: A concatenation of an AID-REF-DO and a Hash-REF-DO. - * 2. Hash-REF-DO or Hash-REF-DO | PKG-REF-DO A concatenation of a Hash-REF-DO and a - * PKG-REF-DO. + * Tag: E1 Length: n Value: AID-REF-DO | Hash-REF-DO: A concatenation of an AID-REF-DO and a + * Hash-REF-DO. */ @Override public void build(ByteArrayOutputStream stream) throws DO_Exception { ByteArrayOutputStream temp = new ByteArrayOutputStream(); - if (mHashDo == null) { + if (mAidDo == null || mHashDo == null) { throw new DO_Exception("REF-DO: Required DO missing!"); } - if (mAidDo != null) { - mAidDo.build(temp); - } - - if (mHashDo != null) { - mHashDo.build(temp); - } - - if (mPkgDo != null) { - mPkgDo.build(temp); - } + mAidDo.build(temp); + mHashDo.build(temp); byte[] data = temp.toByteArray(); BerTlv tlv = new BerTlv(data, getTag(), 0, data.length); @@ -203,9 +164,7 @@ public class REF_DO extends BerTlv { if (getTag() == ref_do.getTag()) { if (AID_REF_DO.equals(mAidDo, ref_do.mAidDo)) { if (Hash_REF_DO.equals(mHashDo, ref_do.mHashDo)) { - if (PKG_REF_DO.equals(mPkgDo, ref_do.mPkgDo)) { - return true; - } + return true; } } } |