java/com/android/libraries/entitlement/eapaka/EapAkaChallenge.java - platform/frameworks/libs/service_entitlement - Git at Google

 /*
  * Copyright (C) 2021 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package com.android.libraries.entitlement.eapaka;

 import static com.android.libraries.entitlement.ServiceEntitlementException.ERROR_ICC_AUTHENTICATION_NOT_AVAILABLE;

 import static java.nio.charset.StandardCharsets.UTF_8;

 import android.util.Base64;
 import android.util.Log;

 import androidx.annotation.Nullable;

 import com.android.libraries.entitlement.ServiceEntitlementException;

 /**
  * Parses EAP-AKA challenge from server. Refer to RFC 4187 Section 8.1 Message
  * Format/RFC 3748 Session 4 EAP Packet Format.
  */
 public class EapAkaChallenge {
     private static final String TAG = "ServiceEntitlement";

     private static final int EAP_AKA_HEADER_LENGTH = 8;
     private static final byte CODE_REQUEST = 0x01;
     static final byte TYPE_EAP_AKA = 0x17;
     static final byte SUBTYPE_AKA_CHALLENGE = 0x01;
     private static final byte ATTRIBUTE_RAND = 0x01;
     private static final byte ATTRIBUTE_AUTN = 0x02;
     private static final int ATTRIBUTE_LENGTH = 20;
     private static final int RAND_LENGTH = 16;
     private static final int AUTN_LENGTH = 16;

     // The identifier of Response must same as Request
     private byte mIdentifier = -1;
     // The value of AT_AUTN, network authentication token
     private byte[] mAutn;
     // The value of AT_RAND, random challenge
     private byte[] mRand;

     // Base64 encoded 3G security context for SIM Authentication request
     private String mSimAuthenticationRequest;

     private EapAkaChallenge() {}

     /** Parses a EAP-AKA challenge request message encoded in base64. */
     public static EapAkaChallenge parseEapAkaChallenge(String challenge)
             throws ServiceEntitlementException {
         byte[] data;
         try {
             data = Base64.decode(challenge.getBytes(UTF_8), Base64.DEFAULT);
         } catch (IllegalArgumentException illegalArgumentException) {
             throw new ServiceEntitlementException(
                     ERROR_ICC_AUTHENTICATION_NOT_AVAILABLE,
                     "EAP-AKA challenge is not a valid base64!");
         }
         EapAkaChallenge result = new EapAkaChallenge();
         if (result.parseEapAkaHeader(data) && result.parseRandAndAutn(data)) {
             result.mSimAuthenticationRequest = result.getSimAuthChallengeData();
             return result;
         } else {
             throw new ServiceEntitlementException(
                     ERROR_ICC_AUTHENTICATION_NOT_AVAILABLE,
                     "EAP-AKA challenge message is not valid");
         }
     }

     /**
      * Returns the base64 encoded 3G security context for SIM Authentication request,
      * or {@code null} if the EAP-AKA challenge is not valid.
      */
     @Nullable
     public String getSimAuthenticationRequest() {
         return mSimAuthenticationRequest;
     }

     /** Returns the EAP package identifier in the EAP-AKA challenge. */
     public byte getIdentifier() {
         return mIdentifier;
     }

     /**
      * Parses EAP-AKA header, 8 bytes including 2 reserved bytes.
      *
      * @return {@code true} if success to parse the header of request data.
      */
     private boolean parseEapAkaHeader(byte[] data) {
         if (data.length < EAP_AKA_HEADER_LENGTH) {
             return false;
         }
         // Code for EAP-request should be CODE_REQUEST
         byte code = data[0];
         // EAP package identifier
         mIdentifier = data[1];
         // Total length of full EAP-AKA message, include code, identifier, ...
         int length = ((data[2] & 0xff) << 8) | (data[3] & 0xff);
         // Type for EAP-AKA should be TYPE_EAP_AKA
         byte type = data[4];
         // SubType for AKA-Challenge should be SUBTYPE_AKA_CHALLENGE
         byte subType = data[5];

         // Validate header
         if (code != CODE_REQUEST
                 || length != data.length
                 || type != TYPE_EAP_AKA
                 || subType != SUBTYPE_AKA_CHALLENGE) {
             Log.d(
                     TAG,
                     "Invalid EAP-AKA Header, code="
                             + code
                             + ", length="
                             + length
                             + ", real length="
                             + data.length
                             + ", type="
                             + type
                             + ", subType="
                             + subType);
             return false;
         }

         return true;
     }

     /**
      * Parses AT_RAND and AT_AUTN. Refer to RFC 4187 section 10.6 AT_RAND/section 10.7 AT_AUTN.
      *
      * @return {@code true} if success to parse the RAND and AUTN data.
      */
     private boolean parseRandAndAutn(byte[] data) {
         int index = EAP_AKA_HEADER_LENGTH;
         while (index < data.length) {
             int remainsLength = data.length - index;
             if (remainsLength <= 2) {
                 Log.d(TAG, "Error! remainsLength = " + remainsLength);
                 return false;
             }

             byte attributeType = data[index];

             // the length of this attribute in multiples of 4 bytes, include attribute type and
             // length
             int length = (data[index + 1] & 0xff) * 4;
             if (length > remainsLength) {
                 Log.d(TAG,
                         "Length Error! length is " + length + " but only remains " + remainsLength);
                 return false;
             }

             // see RFC 4187 section 11 for attribute type
             if (attributeType == ATTRIBUTE_RAND) {
                 if (length != ATTRIBUTE_LENGTH) {
                     Log.d(TAG, "AT_RAND length is " + length);
                     return false;
                 }
                 mRand = new byte[RAND_LENGTH];
                 System.arraycopy(data, index + 4, mRand, 0, RAND_LENGTH);
             } else if (attributeType == ATTRIBUTE_AUTN) {
                 if (length != ATTRIBUTE_LENGTH) {
                     Log.d(TAG, "AT_AUTN length is " + length);
                     return false;
                 }
                 mAutn = new byte[AUTN_LENGTH];
                 System.arraycopy(data, index + 4, mAutn, 0, AUTN_LENGTH);
             }

             index += length;
         }

         // check has AT_RAND and AT_AUTH
         if (mRand == null || mAutn == null) {
             Log.d(TAG, "Invalid Type Datas!");
             return false;
         }

         return true;
     }

     /**
      * Returns Base64 encoded 3G security context for SIM Authentication request.
      */
     @Nullable
     private String getSimAuthChallengeData() {
         byte[] challengeData = new byte[RAND_LENGTH + AUTN_LENGTH + 2];
         challengeData[0] = (byte) RAND_LENGTH;
         System.arraycopy(mRand, 0, challengeData, 1, RAND_LENGTH);
         challengeData[RAND_LENGTH + 1] = (byte) AUTN_LENGTH;
         System.arraycopy(mAutn, 0, challengeData, RAND_LENGTH + 2, AUTN_LENGTH);

         return Base64.encodeToString(challengeData, Base64.NO_WRAP).trim();
     }
 }
	/*
	* Copyright (C) 2021 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package com.android.libraries.entitlement.eapaka;

	import static com.android.libraries.entitlement.ServiceEntitlementException.ERROR_ICC_AUTHENTICATION_NOT_AVAILABLE;

	import static java.nio.charset.StandardCharsets.UTF_8;

	import android.util.Base64;
	import android.util.Log;

	import androidx.annotation.Nullable;

	import com.android.libraries.entitlement.ServiceEntitlementException;

	/**
	* Parses EAP-AKA challenge from server. Refer to RFC 4187 Section 8.1 Message
	* Format/RFC 3748 Session 4 EAP Packet Format.
	*/
	public class EapAkaChallenge {
	private static final String TAG = "ServiceEntitlement";

	private static final int EAP_AKA_HEADER_LENGTH = 8;
	private static final byte CODE_REQUEST = 0x01;
	static final byte TYPE_EAP_AKA = 0x17;
	static final byte SUBTYPE_AKA_CHALLENGE = 0x01;
	private static final byte ATTRIBUTE_RAND = 0x01;
	private static final byte ATTRIBUTE_AUTN = 0x02;
	private static final int ATTRIBUTE_LENGTH = 20;
	private static final int RAND_LENGTH = 16;
	private static final int AUTN_LENGTH = 16;

	// The identifier of Response must same as Request
	private byte mIdentifier = -1;
	// The value of AT_AUTN, network authentication token
	private byte[] mAutn;
	// The value of AT_RAND, random challenge
	private byte[] mRand;

	// Base64 encoded 3G security context for SIM Authentication request
	private String mSimAuthenticationRequest;

	private EapAkaChallenge() {}

	/** Parses a EAP-AKA challenge request message encoded in base64. */
	public static EapAkaChallenge parseEapAkaChallenge(String challenge)
	throws ServiceEntitlementException {
	byte[] data;
	try {
	data = Base64.decode(challenge.getBytes(UTF_8), Base64.DEFAULT);
	} catch (IllegalArgumentException illegalArgumentException) {
	throw new ServiceEntitlementException(
	ERROR_ICC_AUTHENTICATION_NOT_AVAILABLE,
	"EAP-AKA challenge is not a valid base64!");
	}
	EapAkaChallenge result = new EapAkaChallenge();
	if (result.parseEapAkaHeader(data) && result.parseRandAndAutn(data)) {
	result.mSimAuthenticationRequest = result.getSimAuthChallengeData();
	return result;
	} else {
	throw new ServiceEntitlementException(
	ERROR_ICC_AUTHENTICATION_NOT_AVAILABLE,
	"EAP-AKA challenge message is not valid");
	}
	}

	/**
	* Returns the base64 encoded 3G security context for SIM Authentication request,
	* or {@code null} if the EAP-AKA challenge is not valid.
	*/
	@Nullable
	public String getSimAuthenticationRequest() {
	return mSimAuthenticationRequest;
	}

	/** Returns the EAP package identifier in the EAP-AKA challenge. */
	public byte getIdentifier() {
	return mIdentifier;
	}

	/**
	* Parses EAP-AKA header, 8 bytes including 2 reserved bytes.
	*
	* @return {@code true} if success to parse the header of request data.
	*/
	private boolean parseEapAkaHeader(byte[] data) {
	if (data.length < EAP_AKA_HEADER_LENGTH) {
	return false;
	}
	// Code for EAP-request should be CODE_REQUEST
	byte code = data[0];
	// EAP package identifier
	mIdentifier = data[1];
	// Total length of full EAP-AKA message, include code, identifier, ...
	int length = ((data[2] & 0xff) << 8) \| (data[3] & 0xff);
	// Type for EAP-AKA should be TYPE_EAP_AKA
	byte type = data[4];
	// SubType for AKA-Challenge should be SUBTYPE_AKA_CHALLENGE
	byte subType = data[5];

	// Validate header
	if (code != CODE_REQUEST
	\|\| length != data.length
	\|\| type != TYPE_EAP_AKA
	\|\| subType != SUBTYPE_AKA_CHALLENGE) {
	Log.d(
	TAG,
	"Invalid EAP-AKA Header, code="
	+ code
	+ ", length="
	+ length
	+ ", real length="
	+ data.length
	+ ", type="
	+ type
	+ ", subType="
	+ subType);
	return false;
	}

	return true;
	}

	/**
	* Parses AT_RAND and AT_AUTN. Refer to RFC 4187 section 10.6 AT_RAND/section 10.7 AT_AUTN.
	*
	* @return {@code true} if success to parse the RAND and AUTN data.
	*/
	private boolean parseRandAndAutn(byte[] data) {
	int index = EAP_AKA_HEADER_LENGTH;
	while (index < data.length) {
	int remainsLength = data.length - index;
	if (remainsLength <= 2) {
	Log.d(TAG, "Error! remainsLength = " + remainsLength);
	return false;
	}

	byte attributeType = data[index];

	// the length of this attribute in multiples of 4 bytes, include attribute type and
	// length
	int length = (data[index + 1] & 0xff) * 4;
	if (length > remainsLength) {
	Log.d(TAG,
	"Length Error! length is " + length + " but only remains " + remainsLength);
	return false;
	}

	// see RFC 4187 section 11 for attribute type
	if (attributeType == ATTRIBUTE_RAND) {
	if (length != ATTRIBUTE_LENGTH) {
	Log.d(TAG, "AT_RAND length is " + length);
	return false;
	}
	mRand = new byte[RAND_LENGTH];
	System.arraycopy(data, index + 4, mRand, 0, RAND_LENGTH);
	} else if (attributeType == ATTRIBUTE_AUTN) {
	if (length != ATTRIBUTE_LENGTH) {
	Log.d(TAG, "AT_AUTN length is " + length);
	return false;
	}
	mAutn = new byte[AUTN_LENGTH];
	System.arraycopy(data, index + 4, mAutn, 0, AUTN_LENGTH);
	}

	index += length;
	}

	// check has AT_RAND and AT_AUTH
	if (mRand == null \|\| mAutn == null) {
	Log.d(TAG, "Invalid Type Datas!");
	return false;
	}

	return true;
	}

	/**
	* Returns Base64 encoded 3G security context for SIM Authentication request.
	*/
	@Nullable
	private String getSimAuthChallengeData() {
	byte[] challengeData = new byte[RAND_LENGTH + AUTN_LENGTH + 2];
	challengeData[0] = (byte) RAND_LENGTH;
	System.arraycopy(mRand, 0, challengeData, 1, RAND_LENGTH);
	challengeData[RAND_LENGTH + 1] = (byte) AUTN_LENGTH;
	System.arraycopy(mAutn, 0, challengeData, RAND_LENGTH + 2, AUTN_LENGTH);

	return Base64.encodeToString(challengeData, Base64.NO_WRAP).trim();
	}
	}