src/com/android/se/security/gpac/APDU_AR_DO.java - platform/packages/apps/SecureElement - Git at Google

 /*
  * Copyright (C) 2017 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 /*
  * Copyright (c) 2017, The Linux Foundation.
  */

 /*
  * Copyright 2012 Giesecke & Devrient GmbH.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package com.android.se.security.gpac;

 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.util.ArrayList;

 /**
  * APDU-AR-DO: An APDU access rule data object defines an access rule for APDU access. The APDU
  * access can either be restricted by a general rule based on an access is NEVER/ ALWAYS allowed
  * policy or by a specific rule based on APDU filters which defines the range of allowed APDUs more
  * precisely.
  */
 public class APDU_AR_DO extends BerTlv {

     public static final int TAG = 0xD0;

     private boolean mApduAllowed = false;
     private ArrayList<byte[]> mApduHeader = new ArrayList<byte[]>();
     private ArrayList<byte[]> mFilterMask = new ArrayList<byte[]>();

     public APDU_AR_DO(byte[] rawData, int valueIndex, int valueLength) {
         super(rawData, TAG, valueIndex, valueLength);
     }

     public APDU_AR_DO(boolean allowed) {
         super(null, TAG, 0, 0);
         mApduAllowed = allowed;
     }

     public APDU_AR_DO(ArrayList<byte[]> apduHeader, ArrayList<byte[]> filterMask) {
         super(null, TAG, 0, 0);
         mApduHeader = apduHeader;
         mFilterMask = filterMask;
     }

     public boolean isApduAllowed() {
         return mApduAllowed;
     }

     public ArrayList<byte[]> getApduHeaderList() {
         return mApduHeader;
     }

     public ArrayList<byte[]> getFilterMaskList() {
         return mFilterMask;
     }

     @Override
     /**
      * Tag: D0 Length: 1 or n*8 1 if value contains a general APDU access rule. n*8 if value
      * contains
      * a specific APDU access rule.
      *
      * <p>Value: Contains a general APDU access rule: NEVER (00): APDU access is not allowed
      * ALWAYS(01): APDU access is allowed or contains a specific APDU access rule based on one or
      * more
      * APDU filter(s): APDU filter: 8 bytes APDU filter mask consists of: 4 bytes APDU header
      * (defines
      * the header of allowed APDUs) 4 bytes APDU mask (bit set defines the bits which shall be
      * considered for the APDU header comparison) An APDU filter has to be applied as follows:
      * if((APDUHeader & FilterMask) == FilterAPDUHeader) then allow APDU
      */
     public void interpret() throws ParserException {

         mApduAllowed = false;
         mApduHeader.clear();
         mFilterMask.clear();

         byte[] data = getRawData();
         int index = getValueIndex();

         if (index + getValueLength() > data.length) {
             throw new ParserException("Not enough data for APDU_AR_DO!");
         }

         // APDU-AR-DO contains either a flag which allows/disallows APDU communication
         // or
         // it contains APDU filter (APDUHeader | FilterMask) which should have length n*8.
         if (getValueLength() == 1) {
             if ((data[index] != 0x00) && (data[index] != 0x01)) {
                 // Undefined value cannot be treated as a general APDU access rule.
                 // Access to the SE shall not be allowed when the interpretation error occurs.
                 throw new ParserException("Invalid value of APDU-AR-DO : " + String.format("%02x",
                         data[index] & 0xff));
             }
             mApduAllowed = (data[index] == 0x01);
         } else if ((getValueLength() % 8 == 0) && (getValueLength() != 0)) {
             mApduAllowed = true;

             for (int i = index; i < index + getValueLength(); i += 8) {
                 byte[] apduHeader = new byte[4];
                 byte[] filterMask = new byte[4];

                 apduHeader[0] = data[i + 0];
                 apduHeader[1] = data[i + 1];
                 apduHeader[2] = data[i + 2];
                 apduHeader[3] = data[i + 3];
                 filterMask[0] = data[i + 4];
                 filterMask[1] = data[i + 5];
                 filterMask[2] = data[i + 6];
                 filterMask[3] = data[i + 7];

                 mApduHeader.add(apduHeader);
                 mFilterMask.add(filterMask);
             }
         } else if (getValueLength() == 0) {
             mApduAllowed = false;
         } else {
             throw new ParserException("Invalid length of APDU-AR-DO!");
         }
     }

     @Override
     /**
      * Tag: D0 Length: 1 or n*8 1 if value contains a general APDU access rule. n*8 if value
      * contains
      * a specific APDU access rule.
      *
      * <p>Value: Contains a general APDU access rule: NEVER (00): APDU access is not allowed
      * ALWAYS(01): APDU access is allowed or contains a specific APDU access rule based on one or
      * more
      * APDU filter(s): APDU filter: 8 bytes APDU filter mask consists of: 4 bytes APDU header
      * (defines
      * the header of allowed APDUs) 4 bytes APDU mask (bit set defines the bits which shall be
      * considered for the APDU header comparison) An APDU filter has to be applied as follows:
      * if((APDUHeader & FilterMask) == FilterAPDUHeader) then allow APDU
      */
     public void build(ByteArrayOutputStream stream) throws DO_Exception {

         // APDU header and filter mask has to have the same size
         // even if they are not used (then size() == 0 ).
         if (mApduHeader.size() != this.mFilterMask.size()) {
             throw new DO_Exception("APDU filter is invalid");
         }

         // write tag
         stream.write(getTag());

         // check if APDU Flag shall be written
         if (mApduHeader.size() == 0) {
             stream.write(0x01);
             stream.write(this.mApduAllowed ? 0x01 : 0x00);
         } else {
             ByteArrayOutputStream temp = new ByteArrayOutputStream();
             for (int i = 0; i < mApduHeader.size(); i++) {
                 byte[] apduHeader = mApduHeader.get(i);
                 byte[] filterMask = mFilterMask.get(i);

                 if (apduHeader.length != 4 || filterMask.length != 4) {
                     throw new DO_Exception("APDU filter is invalid!");
                 }

                 try {
                     temp.write(apduHeader);
                     temp.write(filterMask);
                 } catch (IOException e) {
                     throw new DO_Exception("APDU Filter Memory IO problem! " + e.getMessage());
                 }
             }

             BerTlv.encodeLength(temp.size(), stream);
             try {
                 stream.write(temp.toByteArray());
             } catch (IOException e) {
                 throw new DO_Exception("APDU Filter Memory IO problem! " + e.getMessage());
             }
         }
     }
 }
	/*
	* Copyright (C) 2017 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	/*
	* Copyright (c) 2017, The Linux Foundation.
	*/

	/*
	* Copyright 2012 Giesecke & Devrient GmbH.
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package com.android.se.security.gpac;

	import java.io.ByteArrayOutputStream;
	import java.io.IOException;
	import java.util.ArrayList;

	/**
	* APDU-AR-DO: An APDU access rule data object defines an access rule for APDU access. The APDU
	* access can either be restricted by a general rule based on an access is NEVER/ ALWAYS allowed
	* policy or by a specific rule based on APDU filters which defines the range of allowed APDUs more
	* precisely.
	*/
	public class APDU_AR_DO extends BerTlv {

	public static final int TAG = 0xD0;

	private boolean mApduAllowed = false;
	private ArrayList<byte[]> mApduHeader = new ArrayList<byte[]>();
	private ArrayList<byte[]> mFilterMask = new ArrayList<byte[]>();

	public APDU_AR_DO(byte[] rawData, int valueIndex, int valueLength) {
	super(rawData, TAG, valueIndex, valueLength);
	}

	public APDU_AR_DO(boolean allowed) {
	super(null, TAG, 0, 0);
	mApduAllowed = allowed;
	}

	public APDU_AR_DO(ArrayList<byte[]> apduHeader, ArrayList<byte[]> filterMask) {
	super(null, TAG, 0, 0);
	mApduHeader = apduHeader;
	mFilterMask = filterMask;
	}

	public boolean isApduAllowed() {
	return mApduAllowed;
	}

	public ArrayList<byte[]> getApduHeaderList() {
	return mApduHeader;
	}

	public ArrayList<byte[]> getFilterMaskList() {
	return mFilterMask;
	}

	@Override
	/**
	* Tag: D0 Length: 1 or n8 1 if value contains a general APDU access rule. n8 if value
	* contains
	* a specific APDU access rule.
	*
	* <p>Value: Contains a general APDU access rule: NEVER (00): APDU access is not allowed
	* ALWAYS(01): APDU access is allowed or contains a specific APDU access rule based on one or
	* more
	* APDU filter(s): APDU filter: 8 bytes APDU filter mask consists of: 4 bytes APDU header
	* (defines
	* the header of allowed APDUs) 4 bytes APDU mask (bit set defines the bits which shall be
	* considered for the APDU header comparison) An APDU filter has to be applied as follows:
	* if((APDUHeader & FilterMask) == FilterAPDUHeader) then allow APDU
	*/
	public void interpret() throws ParserException {

	mApduAllowed = false;
	mApduHeader.clear();
	mFilterMask.clear();

	byte[] data = getRawData();
	int index = getValueIndex();

	if (index + getValueLength() > data.length) {
	throw new ParserException("Not enough data for APDU_AR_DO!");
	}

	// APDU-AR-DO contains either a flag which allows/disallows APDU communication
	// or
	// it contains APDU filter (APDUHeader \| FilterMask) which should have length n*8.
	if (getValueLength() == 1) {
	if ((data[index] != 0x00) && (data[index] != 0x01)) {
	// Undefined value cannot be treated as a general APDU access rule.
	// Access to the SE shall not be allowed when the interpretation error occurs.
	throw new ParserException("Invalid value of APDU-AR-DO : " + String.format("%02x",
	data[index] & 0xff));
	}
	mApduAllowed = (data[index] == 0x01);
	} else if ((getValueLength() % 8 == 0) && (getValueLength() != 0)) {
	mApduAllowed = true;

	for (int i = index; i < index + getValueLength(); i += 8) {
	byte[] apduHeader = new byte[4];
	byte[] filterMask = new byte[4];

	apduHeader[0] = data[i + 0];
	apduHeader[1] = data[i + 1];
	apduHeader[2] = data[i + 2];
	apduHeader[3] = data[i + 3];
	filterMask[0] = data[i + 4];
	filterMask[1] = data[i + 5];
	filterMask[2] = data[i + 6];
	filterMask[3] = data[i + 7];

	mApduHeader.add(apduHeader);
	mFilterMask.add(filterMask);
	}
	} else if (getValueLength() == 0) {
	mApduAllowed = false;
	} else {
	throw new ParserException("Invalid length of APDU-AR-DO!");
	}
	}

	@Override
	/**
	* Tag: D0 Length: 1 or n8 1 if value contains a general APDU access rule. n8 if value
	* contains
	* a specific APDU access rule.
	*
	* <p>Value: Contains a general APDU access rule: NEVER (00): APDU access is not allowed
	* ALWAYS(01): APDU access is allowed or contains a specific APDU access rule based on one or
	* more
	* APDU filter(s): APDU filter: 8 bytes APDU filter mask consists of: 4 bytes APDU header
	* (defines
	* the header of allowed APDUs) 4 bytes APDU mask (bit set defines the bits which shall be
	* considered for the APDU header comparison) An APDU filter has to be applied as follows:
	* if((APDUHeader & FilterMask) == FilterAPDUHeader) then allow APDU
	*/
	public void build(ByteArrayOutputStream stream) throws DO_Exception {

	// APDU header and filter mask has to have the same size
	// even if they are not used (then size() == 0 ).
	if (mApduHeader.size() != this.mFilterMask.size()) {
	throw new DO_Exception("APDU filter is invalid");
	}

	// write tag
	stream.write(getTag());

	// check if APDU Flag shall be written
	if (mApduHeader.size() == 0) {
	stream.write(0x01);
	stream.write(this.mApduAllowed ? 0x01 : 0x00);
	} else {
	ByteArrayOutputStream temp = new ByteArrayOutputStream();
	for (int i = 0; i < mApduHeader.size(); i++) {
	byte[] apduHeader = mApduHeader.get(i);
	byte[] filterMask = mFilterMask.get(i);

	if (apduHeader.length != 4 \|\| filterMask.length != 4) {
	throw new DO_Exception("APDU filter is invalid!");
	}

	try {
	temp.write(apduHeader);
	temp.write(filterMask);
	} catch (IOException e) {
	throw new DO_Exception("APDU Filter Memory IO problem! " + e.getMessage());
	}
	}

	BerTlv.encodeLength(temp.size(), stream);
	try {
	stream.write(temp.toByteArray());
	} catch (IOException e) {
	throw new DO_Exception("APDU Filter Memory IO problem! " + e.getMessage());
	}
	}
	}
	}