author | Yoshiaki Naka <yoshiaki.naka@sony.com> | 2018-02-26 16:48:03 +0900 |
---|---|---|
committer | Ruchi Kandoi <kandoiruchi@google.com> | 2018-03-06 13:37:45 -0800 |
commit | b36dd054b47593b8a6b7d199aaf3336fe6ec70e8 (patch) | |
tree | 4efa4bdaa30ab427f37470d46872bccb17644bcb | |
parent | 3878ce67ae4810258882c749f4dcbf508e6ad9ed (diff) | |
download | SecureElement-b36dd054b47593b8a6b7d199aaf3336fe6ec70e8.tar.gz |
No channel is available while retrieving access rules
SecurityException shall never be thrown when the terminal cannot
retrieve access rules because no logical channel is available.
Bug: 74094532
Test: OMAPI TC 6.4.7 ID5a and TC 6.4.10 ID5a pass with this change.
Change-Id: I95b1053dd61729f8ff3bce373b2df04a6e172273
(cherry picked from commit 888b773e2befa1024c8b5426bb4fe1bdc88b3b81)
-rw-r--r-- | src/com/android/se/Terminal.java | 16 | ||||
-rw-r--r-- | src/com/android/se/security/AccessControlEnforcer.java | 21 | ||||
-rw-r--r-- | src/com/android/se/security/ara/AraController.java | 3 | ||||
-rw-r--r-- | src/com/android/se/security/arf/ArfController.java | 3 | ||||
-rw-r--r-- | src/com/android/se/security/arf/PKCS15/PKCS15Handler.java | 18 | ||||
-rw-r--r-- | src/com/android/se/security/arf/SecureElement.java | 10 |
6 files changed, 47 insertions, 24 deletions
diff --git a/src/com/android/se/Terminal.java b/src/com/android/se/Terminal.java
index 28f02bd..f4958de 100644
--- a/src/com/android/se/Terminal.java
+++ b/src/com/android/se/Terminal.java
@@ -48,6 +48,7 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.MissingResourceException;
 import java.util.NoSuchElementException;
 /**
@@ -248,7 +249,12 @@ public class Terminal {
 }
 Log.w(mTag, "Enable access control on basic channel for " + packageName);
-ChannelAccess channelAccess = setUpChannelAccess(aid, packageName, true, pid);
+ChannelAccess channelAccess;
+try {
+channelAccess = setUpChannelAccess(aid, packageName, true, pid);
+} catch (MissingResourceException e) {
+return null;
+}
 synchronized (mLock) {
 if (mChannels.get(0) != null) {
@@ -331,7 +337,11 @@ public class Terminal {
 ChannelAccess channelAccess = null;
 if (packageName != null) {
 Log.w(mTag, "Enable access control on logical channel for " + packageName);
-channelAccess = setUpChannelAccess(aid, packageName, true, pid);
+try {
+channelAccess = setUpChannelAccess(aid, packageName, true, pid);
+} catch (MissingResourceException e) {
+return null;
+}
 }
 synchronized (mLock) {
@@ -530,6 +540,8 @@ public class Terminal {
 return channelAccess;
 } catch (IOException e) {
 throw e;
+} catch (MissingResourceException e) {
+throw e;
 } catch (Exception e) {
 throw new SecurityException("Exception in setUpChannelAccess()" + e);
 }
diff --git a/src/com/android/se/security/AccessControlEnforcer.java b/src/com/android/se/security/AccessControlEnforcer.java
index e6ce5b7..8c986b6 100644
--- a/src/com/android/se/security/AccessControlEnforcer.java
+++ b/src/com/android/se/security/AccessControlEnforcer.java
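Review bot: The new `catch (MissingResourceException e) { return null; }` in the @@ -248 hunk, and the identical one in the @@ -331 hunk, drops the exception without any log line, so a caller that receives null because the access rules could not be retrieved looks exactly like one that receives null because the secure element has no free channel; the null return is the intended contract, but the reason should stay visible to whoever reads logcat, and the AraController side that raises it (`throw new MissingResourceException("could not open channel", "", "")`) does not log either. Suggest `Log.w(mTag, "No channel available while retrieving access rules: " + e.getMessage());` immediately before each `return null;`, matching the `Log.w(mTag, ...)` calls already present in both hunks. Both enclosing methods start and end outside their hunks.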
@@ -62,6 +62,7 @@ import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
+import java.util.MissingResourceException;
 /** Reads and Maintains the ARF and ARA access control for a particular Secure Element */
 public class AccessControlEnforcer {
@@ -264,8 +265,8 @@ public class AccessControlEnforcer {
 }
 /** Sets up the Channel Access for the given Package */
-public ChannelAccess setUpChannelAccess(
-byte[] aid, String packageName, boolean checkRefreshTag) throws IOException {
+public ChannelAccess setUpChannelAccess(byte[] aid, String packageName, boolean checkRefreshTag)
+throws IOException, MissingResourceException {
 ChannelAccess channelAccess = null;
 // check result of channel access during initialization procedure
 if (mInitialChannelAccess.getAccess() == ChannelAccess.ACCESS.DENIED) {
@@ -292,7 +293,8 @@ public class AccessControlEnforcer {
 }
 private synchronized ChannelAccess internal_setUpChannelAccess(byte[] aid,
-String packageName, boolean checkRefreshTag) throws IOException {
+String packageName, boolean checkRefreshTag) throws IOException,
+MissingResourceException {
 if (packageName == null || packageName.isEmpty()) {
 throw new AccessControlException("package names must be specified");
 }
@@ -310,6 +312,8 @@ public class AccessControlEnforcer {
 return getAccessRule(aid, appCerts);
 } catch (IOException e) {
 throw e;
+} catch (MissingResourceException e) {
+throw e;
 } catch (Throwable exp) {
 throw new AccessControlException(exp.getMessage());
 }
@@ -386,6 +390,9 @@ public class AccessControlEnforcer {
 } catch (IOException e) {
 throw new AccessControlException("Access-Control not found in "
 + mTerminal.getName());
+} catch (MissingResourceException e) {
+throw new AccessControlException("Access-Control not found in "
++ mTerminal.getName());
 }
 }
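Review bot: The new `throws IOException, MissingResourceException` on setUpChannelAccess in the @@ -264 hunk advertises an unchecked exception that Terminal now turns into a null channel, but the one-line Javadoc `/** Sets up the Channel Access for the given Package */` does not say when it is raised, and since the exception is unchecked the throws clause is the only hint a caller gets. Suggest adding `@throws MissingResourceException if no logical channel is available to retrieve the access rules` and `@throws IOException on a communication error between the terminal and the secure element` (the second wording is taken from the comments in the @@ -422 hunk). The same applies to internal_setUpChannelAccess in the @@ -292 hunk. The body of setUpChannelAccess continues outside the hunk.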
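Review bot: In the @@ -386 hunk the new catch wraps MissingResourceException in `AccessControlException`, which is a `SecurityException` subclass, whereas the @@ -422 and @@ -432 hunks deliberately pass it through so that a missing channel does not surface as a security failure; on this path the commit's stated goal is therefore not met. The enclosing method starts outside the hunk, so whether it is reachable from a client's channel-open request cannot be confirmed here; if the mapping is intended (for example because this code runs only during terminal initialization), a one-line comment saying so would stop the next reader from "fixing" it. In either case the two catch blocks have identical bodies and can be merged into `} catch (IOException | MissingResourceException e) {`.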
@@ -422,6 +429,10 @@ public class AccessControlEnforcer {
 // There was a communication error between the terminal and the SE.
 // IOError shall be notified to the client application in this case.
 throw e;
+} catch (MissingResourceException e) {
+// Failure in retrieving rules due to the lack of a new logical channel
+// (and only this failure) should not result in a security exception.
+throw e;
 } catch (Exception e) {
 throw new AccessControlException("No ARA applet found in " + mTerminal.getName());
 }
@@ -432,6 +443,10 @@ public class AccessControlEnforcer {
 // There was a communication error between the terminal and the SE.
 // IOError shall be notified to the client application in this case.
 throw e;
+} catch (MissingResourceException e) {
+// Failure in retrieving rules due to the lack of a new logical channel
+// (and only this failure) should not result in a security exception.
+throw e;
 } catch (Exception e) {
 Log.e(mTag, e.getMessage());
 }
diff --git a/src/com/android/se/security/ara/AraController.java b/src/com/android/se/security/ara/AraController.java
index 543337a..055b287 100644
--- a/src/com/android/se/security/ara/AraController.java
+++ b/src/com/android/se/security/ara/AraController.java
@@ -51,6 +51,7 @@ import java.io.IOException;
 import java.security.AccessControlException;
 import java.util.ArrayList;
 import java.util.Iterator;
+import java.util.MissingResourceException;
 /** Reads and Maintains the ARA access for the Secure Element */
 public class AraController {
@@ -88,7 +89,7 @@ public class AraController {
 public synchronized void initialize() throws IOException {
 Channel channel = mTerminal.openLogicalChannelWithoutChannelAccess(getAraMAid());
 if (channel == null) {
-throw new AccessControlException("could not open channel");
+throw new MissingResourceException("could not open channel", "", "");
 }
 // set access conditions to access ARA-M.
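Review bot: In the AraController @@ -88 hunk the context line `public synchronized void initialize() throws IOException {` is left unchanged even though this is the method that now throws MissingResourceException, while the sibling ArfController.initialize() in the same commit gets `throws IOException, MissingResourceException`. The code compiles either way because the exception is unchecked, but the throws clause is the only signal callers see; suggest `public synchronized void initialize() throws IOException, MissingResourceException {`. The message `"could not open channel"` also differs from the `"No channel was available"` used for the same condition in SecureElement; using one wording for both makes the condition easier to find in logs. The method body continues outside the hunk.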
diff --git a/src/com/android/se/security/arf/ArfController.java b/src/com/android/se/security/arf/ArfController.java
index adaf114..c8b7225 100644
--- a/src/com/android/se/security/arf/ArfController.java
+++ b/src/com/android/se/security/arf/ArfController.java
@@ -39,6 +39,7 @@ import com.android.se.security.AccessRuleCache;
 import com.android.se.security.arf.pkcs15.PKCS15Handler;
 import java.io.IOException;
+import java.util.MissingResourceException;
 /** Initializes and maintains the ARF access rules of a Secure Element */
 public class ArfController {
@@ -54,7 +55,7 @@ public class ArfController {
 }
 /** Initializes the ARF Rules for the Secure Element */
-public synchronized boolean initialize() throws IOException {
+public synchronized boolean initialize() throws IOException, MissingResourceException {
 if (mSecureElement == null) {
 mSecureElement = new SecureElement(this, mTerminal);
 }
diff --git a/src/com/android/se/security/arf/PKCS15/PKCS15Handler.java b/src/com/android/se/security/arf/PKCS15/PKCS15Handler.java
index f6e1b42..4d7f4b7 100644
--- a/src/com/android/se/security/arf/PKCS15/PKCS15Handler.java
+++ b/src/com/android/se/security/arf/PKCS15/PKCS15Handler.java
@@ -88,8 +88,8 @@ public class PKCS15Handler {
 }
 /** Updates "Access Control Rules" */
-private boolean updateACRules() throws CertificateException, IOException, PKCS15Exception,
-SecureElementException {
+private boolean updateACRules() throws CertificateException, IOException,
+MissingResourceException, PKCS15Exception, SecureElementException {
 byte[] ACRulesPath = null;
 if (!mACMFfound) {
 mSEHandle.resetAccessRules();
@@ -141,7 +141,8 @@ public class PKCS15Handler {
 /** Initializes "Access Control" entry point [ACMain] */
 private void initACEntryPoint()
-throws IOException, PKCS15Exception, SecureElementException, CertificateException {
+throws IOException, PKCS15Exception, MissingResourceException, SecureElementException,
+CertificateException {
 byte[] DODFPath = null;
 for (int ind = 0; ind < CONTAINER_AIDS.length; ind++) {
@@ -179,7 +180,7 @@ public class PKCS15Handler {
 * @return <code>true</code> when container is active; <code>false</code> otherwise
 */
 private boolean selectACRulesContainer(byte[] aid)
-throws IOException, PKCS15Exception, SecureElementException {
+throws IOException, MissingResourceException, PKCS15Exception, SecureElementException {
 if (aid == null) {
 mArfChannel = mSEHandle.openLogicalArfChannel(new byte[]{});
 if (mArfChannel != null) {
@@ -224,7 +225,8 @@ public class PKCS15Handler {
 *
 * @return false if access rules where not read due to constant refresh tag.
 */
-public synchronized boolean loadAccessControlRules(String secureElement) throws IOException {
+public synchronized boolean loadAccessControlRules(String secureElement) throws IOException,
+MissingResourceException {
 mSELabel = secureElement;
 Log.i(mTag, "- Loading " + mSELabel + " rules...");
 try {
@@ -232,11 +234,9 @@ public class PKCS15Handler {
 return updateACRules();
 } catch (IOException e) {
 throw e;
+} catch (MissingResourceException e) {
+throw e;
 } catch (Exception e) {
-if (e instanceof MissingResourceException) {
-// this indicates that no channel is left for accessing the SE element
-throw (MissingResourceException) e;
-}
 Log.e(mTag, mSELabel + " rules not correctly initialized! " + e.getLocalizedMessage());
 throw new AccessControlException(e.getLocalizedMessage());
 } finally {
diff --git a/src/com/android/se/security/arf/SecureElement.java b/src/com/android/se/security/arf/SecureElement.java
index 6323815..153f07c 100644
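Review bot: In the @@ -232 hunk the removed instanceof branch carried the only explanation of why MissingResourceException is passed through (`// this indicates that no channel is left for accessing the SE element`), and the replacement `catch (MissingResourceException e) { throw e; }` sits unexplained right above a `catch (Exception e)` that turns everything else into AccessControlException, which is exactly the conversion it exists to avoid. Suggest keeping the comment on the new catch: `// no channel is left for accessing the SE; pass it through so it is not turned into an AccessControlException`. The same bare rethrow appears in the Terminal @@ -530 and AccessControlEnforcer @@ -310 hunks and would benefit from the same line. loadAccessControlRules continues outside the hunk.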
--- a/src/com/android/se/security/arf/SecureElement.java
+++ b/src/com/android/se/security/arf/SecureElement.java
@@ -103,20 +103,14 @@ public class SecureElement {
 try {
 mArfChannel = mTerminalHandle.openLogicalChannelWithoutChannelAccess(aid);
 if (mArfChannel == null) {
-return null;
+throw new MissingResourceException("No channel was available", "", "");
 }
 setUpChannelAccess(mArfChannel);
 return mArfChannel;
 } catch (IOException e) {
 throw e;
 } catch (Exception e) {
-if (e instanceof MissingResourceException) {
-// this indicates that no channel is left for accessing the SE element
-Log.e(mTag, "no channels left to access ARF: " + e.getMessage());
-throw (MissingResourceException) e;
-} else {
-Log.e(mTag, "Error opening logical channel " + e.getLocalizedMessage());
-}
+Log.e(mTag, "Error opening logical channel " + e.getLocalizedMessage());
 mArfChannel = null;
 return null;
 }
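Review bot: The new `throw new MissingResourceException("No channel was available", "", "")` is raised inside the try block, and the instanceof pass-through that used to let it escape is deleted in the same hunk, so the `catch (Exception e)` below catches it (MissingResourceException is a RuntimeException), logs "Error opening logical channel ...", sets mArfChannel to null and returns null; the exception never leaves the method and this path behaves as it did before the change, with an extra error log. PKCS15Handler.selectACRulesContainer (the @@ -179 hunk) only checks the result for null, so nothing downstream sees the new condition either. Either add a pass-through before the generic catch, `} catch (MissingResourceException e) {` / `throw e;`, as the other files in this commit do, or move the null check and throw after the try/catch. The enclosing method begins before the hunk.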