java/com/android/libraries/entitlement/eapaka/EapAkaSecurityContext.java

/*
 * Copyright (C) 2021 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.android.libraries.entitlement.eapaka;

import static com.android.libraries.entitlement.ServiceEntitlementException.ERROR_ICC_AUTHENTICATION_NOT_AVAILABLE;

import static java.nio.charset.StandardCharsets.UTF_8;

import android.util.Base64;
import android.util.Log;

import androidx.annotation.Nullable;

import com.android.libraries.entitlement.ServiceEntitlementException;

/**
 * Provides format to handle request/response SIM Authentication with GSM/3G security context.
 *
 * <p>Reference ETSI TS 131 102, Section 7.1.2.1 GSM/3G security context.
 */
class EapAkaSecurityContext {
    private static final String TAG = "ServiceEntitlement";

    private static final byte RESPONSE_TAG_SUCCESS = (byte) 0xDB;
    private static final byte RESPONSE_TAG_SYNC_FAILURE = (byte) 0xDC;

    private boolean mValid;

    // User response, populated on successful authentication
    private byte[] mRes;
    // Cipher Key, populated on successful authentication
    private byte[] mCk;
    // Integrity Key, populated on successful authentication
    private byte[] mIk;
    // AUTS, populated on synchronization failure
    private byte[] mAuts;

    private EapAkaSecurityContext() {}

    /**
     * Provide {@link EapAkaSecurityContext} from response data.
     */
    public static EapAkaSecurityContext from(String response)
            throws ServiceEntitlementException {
        EapAkaSecurityContext securityContext = new EapAkaSecurityContext();
        securityContext.parseResponseData(response);
        if (!securityContext.isValid()) {
            throw new ServiceEntitlementException(
                ERROR_ICC_AUTHENTICATION_NOT_AVAILABLE,
                "Invalid SIM EAP-AKA authentication response!");
        }
        return securityContext;
    }

    /**
     * Parses SIM EAP-AKA Authentication responded data.
     */
    private void parseResponseData(String response) {
        byte[] data = null;

        try {
            data = Base64.decode(response.getBytes(UTF_8), Base64.DEFAULT);
            Log.d(TAG, "Decoded response data length = " + data.length + " bytes");
        } catch (IllegalArgumentException e) {
            Log.e(TAG, "Response is not a valid base-64 content");
            return;
        }
        if (data.length == 0) {
            return;
        }

        // Check tag, the initial byte
        int index = 0;
        if (data[index] == RESPONSE_TAG_SUCCESS) {
            // Parse RES
            index++; // move to RES length byte
            mRes = parseTag(index, data);
            if (mRes == null) {
                Log.d(TAG, "Invalid data: can't parse RES!");
                return;
            }
            // Parse CK
            index += mRes.length + 1; // move to CK length byte
            mCk = parseTag(index, data);
            if (mCk == null) {
                Log.d(TAG, "Invalid data: can't parse CK!");
                return;
            }
            // Parse IK
            index += mCk.length + 1; // move to IK length byte
            mIk = parseTag(index, data);
            if (mIk == null) {
                Log.d(TAG, "Invalid data: can't parse IK!");
                return;
            }
            mValid = true;
        } else if (data[index] == RESPONSE_TAG_SYNC_FAILURE) {
            // Parse AUTS
            index++; // move to AUTS length byte
            mAuts = parseTag(index, data);
            if (mAuts == null) {
                Log.d(TAG, "Invalid data: can't parse AUTS!");
                return;
            }
            mValid = true;
        } else {
            Log.d(TAG, "Not a valid tag, tag=" + data[index]);
            return;
        }
    }

    private byte[] parseTag(int index, byte[] src) {
        // index at the length byte
        if (index >= src.length) {
            Log.d(TAG, "No length byte!");
            return null;
        }
        int length = src[index] & 0xff;
        if (index + length >= src.length) {
            Log.d(TAG, "Invalid data length!");
            return null;
        }
        index++; // move to first byte of tag value
        byte[] dest = new byte[length];
        System.arraycopy(src, index, dest, 0, length);

        return dest;
    }

    private boolean isValid() {
        return mValid;
    }

    /**
     * Returns RES, or {@code null} for a synchronization failure.
     */
    @Nullable
    public byte[] getRes() {
        return mRes;
    }

    /**
     * Returns CK, or {@code null} for a synchronization failure.
     */
    @Nullable
    public byte[] getCk() {
        return mCk;
    }

    /**
     * Returns IK, or {@code null} for a synchronization failure.
     */
    @Nullable
    public byte[] getIk() {
        return mIk;
    }

    /**
     * Returns AUTS, or {@code null} for a successful authentication.
     */
    @Nullable
    public byte[] getAuts() {
        return mAuts;
    }
}