changeset 14 04becd199f91
equal deleted inserted replaced
13:f5050f1da672 14:04becd199f91
     1 /*
     2 * Copyright (c) 2008 Nokia Corporation and/or its subsidiary(-ies).
     3 * All rights reserved.
     4 * This component and the accompanying materials are made available
     5 * under the terms of "Eclipse Public License v1.0"
     6 * which accompanies this distribution, and is available
     7 * at the URL "".
     8 *
     9 * Initial Contributors:
    10 * Nokia Corporation - initial contribution.
    11 *
    12 * Contributors:
    13 *
    14 * Description:
    15  *
    16 */
    19 //  INCLUDE FILES
    20 #include "cstsaccesscontrol.h"
    21 #include "cstspkcs15reader.h"
    22 #include "cstsauthtype.h"
    23 #include "cstsace.h"
    24 #include "cstsprincipal.h"
    25 #include "cstsapdumaskpermission.h"
    26 #include "cstsuserauth.h"
    27 #include "cstsmidletinfo.h"
    28 #include "cstspinattributes.h"
    29 #include "logger.h"
    31 namespace java
    32 {
    33 namespace satsa
    34 {
    36 //  CONSTANTS
    37 const TInt KSTSAidFirstBytesLength = 7;
    39 //3GPP standard AIDs
    40 _LIT8(KUiccAidFirstBytes, "\xA0\x00\x00\x00\x87\x10\x01");
    41 _LIT8(KUsimAidFirstBytes, "\xA0\x00\x00\x00\x87\x10\x02");
    42 _LIT8(KUsimToolkitAidFirstBytes, "\xA0\x00\x00\x00\x87\x10\x03");
    43 _LIT8(KIsimAidFirstBytes, "\xA0\x00\x00\x00\x87\x10\x04");
    44 _LIT8(KUsimApiMAidFirstBytes, "\xA0\x00\x00\x00\x87\x10\x05");
    46 //ETSI standard AIDs
    47 _LIT8(KGsmAisFirstBytes, "\xA0\x00\x00\x00\x09\x00\x01");
    48 _LIT8(KGsmSimToolkitAidFirstBytes, "\xA0\x00\x00\x00\x09\x00\x02");
    49 _LIT8(KGsmSimApiAidFirstBytes, "\xA0\x00\x00\x00\x09\x00\x03");
    50 _LIT8(KTetraAidFirstBytes, "\xA0\x00\x00\x00\x09\x00\x04");
    51 _LIT8(KUiccApiAidFirstBytes, "\xA0\x00\x00\x00\x09\x00\x05");
    53 _LIT8(KSTSPkcs15Aid, "\xA0\x00\x00\x00\x63\x50\x4B\x43\x53\x2D\x31\x35");
    54 _LIT8(KSTSWimAid, "\xA0\x00\x00\x00\x63\x57\x41\x50\x2D\x57\x49\x4D");
    56 // ============================ MEMBER FUNCTIONS ===============================
    58 // -----------------------------------------------------------------------------
    59 // CSTSAccessControl::CSTSAccessControl
    60 // C++ default constructor can NOT contain any code, that
    61 // might leave.
    62 // -----------------------------------------------------------------------------
    63 //
    64 CSTSAccessControl::CSTSAccessControl(CSTSMidletInfo* aMidletInfo)
    65 {
    66     iMidletInfo = aMidletInfo;
    67 }
    69 // -----------------------------------------------------------------------------
    70 // CSTSAccessControl::ConstructL
    71 // Symbian 2nd phase constructor can leave.
    72 // -----------------------------------------------------------------------------
    73 //
    74 void CSTSAccessControl::ConstructL()
    75 {
    76     iPKCS15Reader = CSTSPKCS15Reader::NewL();
    77     iAuthType = CSTSAuthType::NewL();
    79     iAces = new(ELeave) CArrayPtrFlat<CSTSAce> (1);  //must be atleast one
    80     iAuthTypes = new(ELeave) CArrayPtrFlat<CSTSAuthType> (1);  //must be atleast one
    81     iApduHeader = HBufC8::NewL(KSTSApduMandatoryHeaderLen);
    83 }
    85 // -----------------------------------------------------------------------------
    86 // CSTSAccessControl::NewL
    87 // Two-phased constructor.
    88 // -----------------------------------------------------------------------------
    89 //
    90 CSTSAccessControl* CSTSAccessControl::NewL(CSTSMidletInfo* aMidletInfo)
    91 {
    92     CSTSAccessControl* self = new(ELeave) CSTSAccessControl(aMidletInfo);
    94     CleanupStack::PushL(self);
    95     self->ConstructL();
    97     CleanupStack::Pop(self);
    98     return self;
    99 }
   101 // Destructor
   102 CSTSAccessControl::~CSTSAccessControl()
   103 {
   104     //for safety, close is also called here
   105     if (iPKCS15Reader)
   106     {
   107         iPKCS15Reader->Close();
   108     }
   109     delete iApduHeader;
   111     if (iAuthTypes)
   112     {
   113         iAuthTypes->ResetAndDestroy();
   114         delete iAuthTypes;
   115     }
   117     if (iAces)
   118     {
   119         iAces->ResetAndDestroy();
   120         delete iAces;
   121     }
   122     delete iAuthType;
   123     delete iPKCS15Reader;
   124 }
   126 // -----------------------------------------------------------------------------
   127 // CSTSAccessControl::ReadFilesL
   128 // Fills midlet related info. Reads all Access Control related information from
   129 // the card. Opens connection to card, reads files and closes the connection.
   130 // (other items were commented in a header).
   131 // -----------------------------------------------------------------------------
   132 //
   133 void CSTSAccessControl::ReadFilesL()
   134 {
   135     iPKCS15Reader->OpenL();
   136     iPKCS15Reader->ReadACFL(iAces);
   137     iPKCS15Reader->ReadAuthObjectsL(iAuthTypes, *iAces);
   138     iPKCS15Reader->Close();
   140 }
   142 // -----------------------------------------------------------------------------
   143 // CSTSAccessControl::IsAllowedDomain
   144 // Domain checking is done acoording to document Security and Trust Services
   145 // API (SATSA), Appendix A Recommended Security Element Access Control,
   146 // chapter A.
   147 // (other items were commented in a header).
   148 // -----------------------------------------------------------------------------
   149 //
   150 TBool CSTSAccessControl::IsAllowedDomain()
   151 {
   152     TBool returnValue = EFalse;
   153     TInt acesCount = iAces->Count();
   155     for (TInt i = 0; i < acesCount && !returnValue; i++)
   156     {
   157         CSTSAce* ace = iAces->At(i);
   158         returnValue = IsProperAce(ace);
   159     }
   161     return returnValue;
   162 }
   164 // -----------------------------------------------------------------------------
   165 // CSTSAccessControl::IsAllowedApduL
   166 // APDU checking is done acoording to document Security and Trust Services
   167 // API (SATSA), Appendix A Recommended Security Element Access Control,
   168 // chapter A.
   169 // (other items were commented in a header).
   170 // -----------------------------------------------------------------------------
   171 //
   172 TBool CSTSAccessControl::IsAllowedApduL(const TDesC8& aMidletApduHeader)
   173 {
   174     TBool returnValue = EFalse;
   175     TInt acesCount = iAces->Count();
   176     for (TInt i = 0; i < acesCount && !returnValue; i++)
   177     {
   178         CSTSAce* ace = iAces->At(i);
   180         if (IsProperAce(ace))
   181         {
   182             TInt permissionCount = ace->APDUMaskPermissions().Count();
   183             for (TInt x = 0; x < permissionCount && !returnValue; x++)
   184             {
   185                 CSTSAPDUMaskPermission* permission =
   186                     ace->APDUMaskPermissions().At(x);
   188                 TPtrC8 apduMaskPtr(permission->ApduMask());
   189                 TPtrC8 apduHeaderPtr(permission->ApduHeader());
   191                 //If the bitwise AND between the MIDlet APDU header and the
   192                 //ACE mask equals to the ACE APDU header, return true.
   193                 HBufC8* resultBuf = HBufC8::NewLC(KSTSApduMandatoryHeaderLen);
   194                 TPtr8 resultPtr(resultBuf->Des());
   195                 resultPtr.FillZ(KSTSApduMandatoryHeaderLen);
   197                 //first we do bitwise AND for descriptors and save the result
   198                 for (TInt y = 0; y < KSTSApduMandatoryHeaderLen; y++)
   199                 {
   200                     TUint8 claMidlet = aMidletApduHeader[y];
   201                     TUint8 mask1 = apduMaskPtr[y];
   202                     TUint8 result = (TUint8)(claMidlet & mask1);
   203                     resultPtr[y] = result;
   204                 }
   206                 //then we compare result to apdu header found from ACE
   207                 if (resultPtr == apduHeaderPtr)
   208                 {
   209                     returnValue = ETrue;
   210                 }
   211                 CleanupStack::PopAndDestroy(resultBuf);
   212             }
   213             //If there is no permission, all operations are allowed
   214             if (permissionCount == 0)
   215             {
   216                 returnValue = ETrue;
   217             }
   218         }
   219     }
   221     return returnValue;
   222 }
   224 // -----------------------------------------------------------------------------
   225 // CSTSAccessControl::IsAllowedPinMethod
   226 // Checks whether there are appropriate permissions to execute pin methods
   227 // (other items were commented in a header).
   228 // -----------------------------------------------------------------------------
   229 //
   230 TBool CSTSAccessControl::IsAllowedPinMethod()
   231 {
   232     LOG(ESATSA, EInfo, "+ CSTSAccessControl::IsAllowedPinMethod");
   233     TInt allUserAuthentications = 0;
   234     TInt acesCount = iAces->Count();
   235     for (TInt i = 0; i < acesCount; i++)
   236     {
   237         CSTSAce* ace = iAces->At(i);
   238         if (IsProperAce(ace))
   239         {
   240             TInt count = ace->UserAuthentications().Count();
   241             allUserAuthentications += count;
   242         }
   243     }
   244     //Missing userAuthentications field indicates that PIN-related operations
   245     //are not allowed
   246     LOG1(ESATSA, EInfo, "-- CSTSAccessControl::IsAllowedPinMethod with %d",
   247          allUserAuthentications);
   248     return allUserAuthentications != 0;
   249 }
   251 // -----------------------------------------------------------------------------
   252 // CSTSAccessControl::GetPinHeaderL
   253 // Returns empty descriptor, if amount of Aces is zero.
   254 // (other items were commented in a header).
   255 // -----------------------------------------------------------------------------
   256 //
   257 const TDesC8& CSTSAccessControl::GetPinHeaderL(TInt aPinID,
   258         TPinApduType aPinApduType)
   259 {
   260     //empty pointer descriptor, which represents no data and it's lenght is 0
   261     TPtrC8 returnValue;
   263     FindAuthTypeL(aPinID);
   265     TInt acesCount = iAces->Count();
   267     for (TInt i = 0; i < acesCount; i++)
   268     {
   269         CSTSAce* ace = iAces->At(i);
   270         if (IsProperAce(ace))
   271         {
   272             TInt count = ace->UserAuthentications().Count();
   273             for (TInt x = 0; x < count; x++)
   274             {
   275                 CSTSUserAuth* userAuth = ace->UserAuthentications().At(x);
   276                 if ((userAuth->Type() == CSTSUserAuth::EAPDUPinEntry)
   277                         && (userAuth->AuthId() == iAuthType->AuthID())
   278                         && (userAuth->ApduPinHeaders().Count() > aPinApduType))
   279                 {
   280                     returnValue.Set(userAuth->ApduPinHeaders()[aPinApduType]);
   281                 }
   282                 //if pin header does not exist, we return empty descriptor
   283             }
   284         }
   285     }
   287     //copies header to the member buffer and replaces old data
   288     *iApduHeader = returnValue;
   289     return *iApduHeader;
   290 }
   292 // -----------------------------------------------------------------------------
   293 // CSTSAccessControl::GetPinAttributesL
   294 // Saves found authType to member variable, which will be returned
   295 // (other items were commented in a header).
   296 // -----------------------------------------------------------------------------
   297 //
   298 const CSTSAuthType& CSTSAccessControl::GetPinAttributesL(TInt aPinID)
   299 {
   300     FindAuthTypeL(aPinID);
   301     return *iAuthType;
   302 }
   304 // -----------------------------------------------------------------------------
   305 // CSTSAccessControl::TokenLabelL
   306 // Returns the PKCS15 token label
   307 // (other items were commented in a header).
   308 // -----------------------------------------------------------------------------
   309 //
   310 const TDesC& CSTSAccessControl::TokenLabelL()
   311 {
   312     return iPKCS15Reader->TokenLabelL();
   313 }
   315 // -----------------------------------------------------------------------------
   316 // CSTSAccessControl::SetAIDL
   317 // Used standard "ETSI TS 101 220 V7.0.0 (2004-12), Smart Cards;ETSI numbering
   318 // system for telecommunication application providers (Release 7)" for AIDs.
   319 // AIDs are specified to start as following: 3GPP RID 'A000000087', ETSI RID
   320 // 'A000000009'. After that is application code depending on application.
   321 // (other items were commented in a header).
   322 // -----------------------------------------------------------------------------
   323 //
   324 void CSTSAccessControl::SetAIDL(const TDesC8& aAID)
   325 {
   326     //check is aid restricted and leave if it is
   327     TPtrC8 aidFirstBytes(aAID.Ptr(), KSTSAidFirstBytesLength);
   328     if ((aidFirstBytes == KUiccAidFirstBytes()) || (aidFirstBytes
   329             == KUsimAidFirstBytes()) || (aidFirstBytes
   330                                          == KUsimToolkitAidFirstBytes()) || (aidFirstBytes
   331                                                                              == KIsimAidFirstBytes()) || (aidFirstBytes
   332                                                                                                           == KUsimApiMAidFirstBytes()) || (aidFirstBytes
   333                                                                                                                                            == KGsmAisFirstBytes()) || (aidFirstBytes
   334                                                                                                                                                                        == KGsmSimToolkitAidFirstBytes()) || (aidFirstBytes
   335                                                                                                                                                                                                              == KGsmSimApiAidFirstBytes()) || (aidFirstBytes
   336                                                                                                                                                                                                                                                == KTetraAidFirstBytes()) || (aidFirstBytes
   337                                                                                                                                                                                                                                                                              == KUiccApiAidFirstBytes()) || (aAID == KSTSPkcs15Aid()) || (aAID
   338                                                                                                                                                                                                                                                                                      == KSTSWimAid()))
   339     {
   340         User::Leave(KSTSErrSecurity + KSTSErrSECAccessNotAllowed);
   341     }
   342     iPKCS15Reader->SetAIDL(aAID);
   343 }
   345 // -----------------------------------------------------------------------------
   346 // CSTSAccessControl::FindAuthTypeL
   347 // Saves found authType to member variable, which will be returned
   348 // (other items were commented in a header).
   349 // -----------------------------------------------------------------------------
   350 //
   351 void CSTSAccessControl::FindAuthTypeL(TInt aPinID)
   352 {
   354     CSTSAuthType* authType = NULL;
   355     TPtrC8 authIdPtr;
   357     //go through all authTypes in loop and find correct authId
   358     TInt authTypesCount = iAuthTypes->Count();
   359     TBool authTypeNotFound = ETrue;
   360     for (TInt x = 0; x < authTypesCount && authTypeNotFound; x++)
   361     {
   363         //points to array's object
   364         authType = iAuthTypes->At(x);
   366         //get CommonAuthenticationObjectAttributes.authID
   367         authIdPtr.Set(authType->AuthID());
   368         if (authIdPtr.Length() != 0)
   369         {
   371             if (authIdPtr[0] == aPinID) //first value can be compared to PinID
   372             {
   373                 authTypeNotFound = EFalse;
   375                 CSTSAuthType* tmp = CSTSAuthType::NewLC();
   376                 tmp->CopyL(*authType);
   378                 CleanupStack::Pop(tmp);
   379                 delete iAuthType;
   380                 iAuthType = tmp;
   381             }
   382         }
   383     }
   384     if (authTypeNotFound)
   385     {
   386         User::Leave(KSTSErrSecurity);
   387     }
   388 }
   390 // -----------------------------------------------------------------------------
   391 // CSTSAccessControl::IsProperAce
   392 // Checks that is Ace entry meant for current domain, rootId or EndEntityId.
   393 // (other items were commented in a header).
   394 // -----------------------------------------------------------------------------
   395 //
   396 TBool CSTSAccessControl::IsProperAce(const CSTSAce* aAce) const
   397 {
   398     TBool returnValue = EFalse;
   399     TInt principalsCount = aAce->Principals().Count();
   400     for (TInt x = 0; x < principalsCount && !returnValue; x++)
   401     {
   402         CSTSPrincipal* principal = aAce->Principals().At(x);
   403         CSTSPrincipal::TType type = principal->Type();
   405         if (type == CSTSPrincipal::EDomain)
   406         {
   407             //if OID is indicating ’operator’, ’manufacturer’, or
   408             //’trusted third party’ and the application belongs to
   409             //the same domain category
   410             if (principal->Domain() == iMidletInfo->DomainOID())
   411             {
   412                 returnValue = ETrue;
   413             }
   414         }
   415         else if (type == CSTSPrincipal::ERootID)
   416         {
   417             //if principalID matches with the hash of the root
   418             //certificate in the path used to sign the J2ME application
   420             const TDesC& rootId = iMidletInfo->RootID();
   421             if (rootId == (TDesC&) principal->PrincipalID())
   422             {
   423                 returnValue = ETrue;
   424             }
   426         }
   427         else if (type == CSTSPrincipal::EEndEntityID)
   428         {
   429             //if principalID matches with the end-entity certificate
   430             //used to sign the J2ME application
   431             const TDesC& endEntityId = iMidletInfo->EndEntityID();
   432             if (endEntityId == (TDesC&) principal->PrincipalID())
   433             {
   434                 returnValue = ETrue;
   435             }
   437         }
   438         else
   439         {
   441         }
   442     }
   444     //A missing principals field indicates that the ACE applies to all
   445     //identified parties.
   446     if (principalsCount == 0)
   447     {
   448         returnValue = ETrue;
   449     }
   451     return returnValue;
   452 }
   454 // -----------------------------------------------------------------------------
   455 // CSTSAccessControl::Close
   456 // Closes pkcs15 reader
   457 // (other items were commented in a header).
   458 // -----------------------------------------------------------------------------
   459 //
   460 void CSTSAccessControl::Close()
   461 {
   463     if (iPKCS15Reader)
   464     {
   465         iPKCS15Reader->Close();
   466     }
   467 }
   469 // -----------------------------------------------------------------------------
   470 // CSTSAccessControl::CheckPinFlagsL
   471 // Checks from PIN flags is change disabled, unblock disabled or disable allowed.
   472 // Leaves for example if PIN apdu type is Change Pin and change is disabled with
   473 // security leave.
   474 // NOTE: GetPinHeaderL or GetPinAttributesL must be called before this method
   475 // because iAuthType is set there.
   476 // (other items were commented in a header).
   477 // -----------------------------------------------------------------------------
   478 //
   479 void CSTSAccessControl::CheckPinFlagsL(TPinApduType aPinApduType)
   480 {
   481     LOG(ESATSA, EInfo, "CSTSAccessControl::CheckPinFlagsL ++");
   482     if (aPinApduType == EChangePinAPDU)
   483     {
   484         // change is disabled
   485         if (iAuthType->PinAttributes().IsPinFlagSet(
   486                     CSTSPinAttributes::EChangeDisabled))
   487         {
   488             LOG(ESATSA, EInfo, "Change is disabled");
   489             User::Leave(KSTSErrSecurity + KSTSErrSECNoRightsPin);
   490         }
   491     }
   492     else if (aPinApduType == EUnblockPinAPDU)
   493     {
   494         // unblock is disabled
   495         if (iAuthType->PinAttributes().IsPinFlagSet(
   496                     CSTSPinAttributes::EUnblockDisabled))
   497         {
   498             LOG(ESATSA, EInfo, "unblock is disabled");
   499             User::Leave(KSTSErrSecurity + KSTSErrSECNoRightsPin);
   500         }
   501     }
   502     else if (aPinApduType == EDisablePinAPDU)
   503     {
   504         // disable is not allowed
   505         if (!iAuthType->PinAttributes().IsPinFlagSet(
   506                     CSTSPinAttributes::EDisableAllowed))
   507         {
   508             LOG(ESATSA, EInfo, "disable is not allowed");
   509             User::Leave(KSTSErrSecurity + KSTSErrSECNoRightsPin);
   510         }
   511     }
   512     //else no actions
   513 }
   515 } // namespace satsa
   516 } // namespace java
   517 //  End of File