Missing NFC access rule shall be ALLOWED if APDU access rule is ALLOWED am: 8ded9d03a0 am: d6b8e64963

am: c634f39a0a Change-Id: I89348c192e4465c9d112fc0252f317541038d617
author: Yoshiaki Naka <yoshiaki.naka@sony.com> 2019-03-22 10:28:27 -0700
committer: android-build-merger <android-build-merger@google.com> 2019-03-22 10:28:27 -0700
commit: c32a36982c23869a218e81558456ca31bd136c26 (patch)
tree: a11fc03f5d42d3e8c5fd1d628a790a8eae16fb7f
parent: 5dba8500e0d816ae5aee8a4667e3ddb8b9a05cea (diff)
parent: c634f39a0ac26ddb6c4a128410ebdd5dbe0189f2 (diff)
download: SecureElement-c32a36982c23869a218e81558456ca31bd136c26.tar.gz
1 files changed, 25 insertions, 36 deletions
diff --git a/src/com/android/se/security/AccessRuleCache.java b/src/com/android/se/security/AccessRuleCache.java
index 8a74465..e129b9d 100644
--- a/src/com/android/se/security/AccessRuleCache.java
+++ b/src/com/android/se/security/AccessRuleCache.java
@@ -257,6 +257,31 @@ public class AccessRuleCache {
     /** Find Access Rule for the given AID and Application */
     public ChannelAccess findAccessRule(byte[] aid, List<byte[]> appCertHashes)
             throws AccessControlException {
+        ChannelAccess ca = findAccessRuleInternal(aid, appCertHashes);
+        if (ca != null) {
+            if ((ca.getApduAccess() == ChannelAccess.ACCESS.UNDEFINED) && !ca.isUseApduFilter()) {
+                // Rule for APDU access does not exist.
+                // All the APDU access requests shall never be allowed in this case.
+                // This missing rule resolution is valid for both ARA and ARF
+                // if the supported GP SEAC version is v1.1 or later.
+                ca.setApduAccess(ChannelAccess.ACCESS.DENIED);
+            }
+            if (ca.getNFCEventAccess() == ChannelAccess.ACCESS.UNDEFINED) {
+                // Missing NFC access rule shall be treated as ALLOWED
+                // if relevant APDU access rule is ALLOWED or APDU filter is specified.
+                if (ca.isUseApduFilter()) {
+                    ca.setNFCEventAccess(ChannelAccess.ACCESS.ALLOWED);
+                } else {
+                    ca.setNFCEventAccess(ca.getApduAccess());
+                }
+            }
+            // Note that the GP SEAC v1.1 has not been supported as GSMA TS.26 does not require it.
+        }
+        return ca;
+    }
+
+    private ChannelAccess findAccessRuleInternal(byte[] aid, List<byte[]> appCertHashes)
+            throws AccessControlException {
 
         // TODO: check difference between DeviceCertHash and Certificate Chain (EndEntityCertHash,
         // IntermediateCertHash (1..n), RootCertHash)
@@ -276,15 +301,6 @@ public class AccessRuleCache {
             ref_do = new REF_DO(aid_ref_do, hash_ref_do);
 
             if (mRuleCache.containsKey(ref_do)) {
-                // let's take care about the undefined rules, according to the GP specification:
-                ChannelAccess ca = mRuleCache.get(ref_do);
-                if (ca.getApduAccess() == ChannelAccess.ACCESS.UNDEFINED) {
-                    ca.setApduAccess(ChannelAccess.ACCESS.DENIED);
-                }
-                if ((ca.getNFCEventAccess() == ChannelAccess.ACCESS.UNDEFINED)
-                        && (ca.getApduAccess() != ChannelAccess.ACCESS.UNDEFINED)) {
-                    ca.setNFCEventAccess(ca.getApduAccess());
-                }
                 if (DEBUG) {
                     Log.i(mTag, "findAccessRule() " + ref_do.toString() + ", "
                             + mRuleCache.get(ref_do).toString());
@@ -313,15 +329,6 @@ public class AccessRuleCache {
         ref_do = new REF_DO(aid_ref_do, hash_ref_do);
 
         if (mRuleCache.containsKey(ref_do)) {
-            // let's take care about the undefined rules, according to the GP specification:
-            ChannelAccess ca = mRuleCache.get(ref_do);
-            if (ca.getApduAccess() == ChannelAccess.ACCESS.UNDEFINED) {
-                ca.setApduAccess(ChannelAccess.ACCESS.DENIED);
-            }
-            if ((ca.getNFCEventAccess() == ChannelAccess.ACCESS.UNDEFINED)
-                    && (ca.getApduAccess() != ChannelAccess.ACCESS.UNDEFINED)) {
-                ca.setNFCEventAccess(ca.getApduAccess());
-            }
             if (DEBUG) {
                 Log.i(mTag, "findAccessRule() " + ref_do.toString() + ", "
                         + mRuleCache.get(ref_do).toString());
@@ -336,15 +343,6 @@ public class AccessRuleCache {
             ref_do = new REF_DO(aid_ref_do, hash_ref_do);
 
             if (mRuleCache.containsKey(ref_do)) {
-                // let's take care about the undefined rules, according to the GP specification:
-                ChannelAccess ca = mRuleCache.get(ref_do);
-                if (ca.getApduAccess() == ChannelAccess.ACCESS.UNDEFINED) {
-                    ca.setApduAccess(ChannelAccess.ACCESS.DENIED);
-                }
-                if ((ca.getNFCEventAccess() == ChannelAccess.ACCESS.UNDEFINED)
-                        && (ca.getApduAccess() != ChannelAccess.ACCESS.UNDEFINED)) {
-                    ca.setNFCEventAccess(ca.getApduAccess());
-                }
                 if (DEBUG) {
                     Log.i(mTag, "findAccessRule() " + ref_do.toString() + ", "
                             + mRuleCache.get(ref_do).toString());
@@ -375,15 +373,6 @@ public class AccessRuleCache {
         ref_do = new REF_DO(aid_ref_do, hash_ref_do);
 
         if (mRuleCache.containsKey(ref_do)) {
-            // let's take care about the undefined rules, according to the GP specification:
-            ChannelAccess ca = mRuleCache.get(ref_do);
-            if (ca.getApduAccess() == ChannelAccess.ACCESS.UNDEFINED) {
-                ca.setApduAccess(ChannelAccess.ACCESS.DENIED);
-            }
-            if ((ca.getNFCEventAccess() == ChannelAccess.ACCESS.UNDEFINED)
-                    && (ca.getApduAccess() != ChannelAccess.ACCESS.UNDEFINED)) {
-                ca.setNFCEventAccess(ca.getApduAccess());
-            }
             if (DEBUG) {
                 Log.i(mTag, "findAccessRule() " + ref_do.toString() + ", "
                         + mRuleCache.get(ref_do).toString());
author	Yoshiaki Naka <yoshiaki.naka@sony.com>	2019-03-22 10:28:27 -0700
committer	android-build-merger <android-build-merger@google.com>	2019-03-22 10:28:27 -0700
commit	c32a36982c23869a218e81558456ca31bd136c26 (patch)
tree	a11fc03f5d42d3e8c5fd1d628a790a8eae16fb7f
parent	5dba8500e0d816ae5aee8a4667e3ddb8b9a05cea (diff)
parent	c634f39a0ac26ddb6c4a128410ebdd5dbe0189f2 (diff)
download	SecureElement-c32a36982c23869a218e81558456ca31bd136c26.tar.gz