1 /* 2 * Copyright (C) 2017 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 /* 17 * Copyright (c) 2014-2017, The Linux Foundation. 18 */ 19 20 /* 21 * Copyright 2012 Giesecke & Devrient GmbH. 22 * 23 * Licensed under the Apache License, Version 2.0 (the "License"); you may not 24 * use this file except in compliance with the License. You may obtain a copy of 25 * the License at 26 * 27 * http://www.apache.org/licenses/LICENSE-2.0 28 * 29 * Unless required by applicable law or agreed to in writing, software 30 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 31 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 32 * License for the specific language governing permissions and limitations under 33 * the License. 34 */ 35 36 package com.android.se.security; 37 38 import android.content.pm.PackageInfo; 39 import android.content.pm.PackageManager; 40 import android.content.pm.PackageManager.NameNotFoundException; 41 import android.content.pm.Signature; 42 import android.os.Build; 43 import android.os.SystemProperties; 44 import android.util.Log; 45 46 import com.android.se.Channel; 47 import com.android.se.SecureElementService; 48 import com.android.se.Terminal; 49 import com.android.se.internal.ByteArrayConverter; 50 import com.android.se.security.ChannelAccess.ACCESS; 51 import com.android.se.security.ara.AraController; 52 import com.android.se.security.arf.ArfController; 53 54 import java.io.IOException; 55 import java.io.PrintWriter; 56 import java.security.AccessControlException; 57 import java.security.MessageDigest; 58 import java.security.NoSuchAlgorithmException; 59 import java.util.ArrayList; 60 import java.util.List; 61 import java.util.MissingResourceException; 62 import java.util.NoSuchElementException; 63 64 /** Reads and Maintains the ARF and ARA access control for a particular Secure Element */ 65 public class AccessControlEnforcer { 66 67 private final String mTag = "SecureElement-AccessControlEnforcer"; 68 private static final boolean DEBUG = Build.isDebuggable(); 69 private PackageManager mPackageManager = null; 70 private boolean mNoRuleFound = false; 71 private AraController mAraController = null; 72 private boolean mUseAra = true; 73 private ArfController mArfController = null; 74 private boolean mUseArf = false; 75 private AccessRuleCache mAccessRuleCache = null; 76 private boolean mRulesRead = false; 77 private Terminal mTerminal = null; 78 private ChannelAccess mInitialChannelAccess = new ChannelAccess(); 79 private boolean mFullAccess = false; 80 AccessControlEnforcer(Terminal terminal)81 public AccessControlEnforcer(Terminal terminal) { 82 83 mTerminal = terminal; 84 mAccessRuleCache = new AccessRuleCache(); 85 } 86 getDefaultAccessControlAid()87 public byte[] getDefaultAccessControlAid() { 88 if (mAraController != null) { 89 return mAraController.getAccessControlAid(); 90 } 91 return AraController.getAraMAid(); 92 } 93 getPackageManager()94 public PackageManager getPackageManager() { 95 return mPackageManager; 96 } 97 setPackageManager(PackageManager packageManager)98 public void setPackageManager(PackageManager packageManager) { 99 mPackageManager = packageManager; 100 } 101 getTerminal()102 public Terminal getTerminal() { 103 return mTerminal; 104 } 105 getAccessRuleCache()106 public AccessRuleCache getAccessRuleCache() { 107 return mAccessRuleCache; 108 } 109 110 /** Resets the Access Control for the Secure Element */ reset()111 public synchronized void reset() { 112 // Destroy any previous Controler 113 // in order to reset the ACE 114 Log.i(mTag, "Reset the ACE for terminal:" + mTerminal.getName()); 115 mAccessRuleCache.reset(); 116 mAraController = null; 117 mArfController = null; 118 } 119 120 /** Initializes the Access Control for the Secure Element */ initialize()121 public synchronized void initialize() throws IOException, MissingResourceException { 122 boolean status = true; 123 String denyMsg = ""; 124 // allow access to set up access control for a channel 125 mInitialChannelAccess.setApduAccess(ChannelAccess.ACCESS.ALLOWED); 126 mInitialChannelAccess.setNFCEventAccess(ChannelAccess.ACCESS.ALLOWED); 127 mInitialChannelAccess.setAccess(ChannelAccess.ACCESS.ALLOWED, ""); 128 129 readSecurityProfile(); 130 mNoRuleFound = false; 131 132 // 1 - Let's try to use ARA 133 if (mUseAra && mAraController == null) { 134 mAraController = new AraController(mAccessRuleCache, mTerminal); 135 } 136 137 if (mUseAra && mAraController != null) { 138 try { 139 mAraController.initialize(); 140 Log.i(mTag, "ARA applet is used for:" + mTerminal.getName()); 141 // disable other access methods 142 mUseArf = false; 143 mFullAccess = false; 144 } catch (IOException | MissingResourceException e) { 145 throw e; 146 } catch (Exception e) { 147 // ARA cannot be used since we got an exception during initialization 148 mUseAra = false; 149 denyMsg = e.getLocalizedMessage(); 150 if (e instanceof NoSuchElementException) { 151 Log.i(mTag, "No ARA applet found in: " + mTerminal.getName()); 152 if (!mUseArf) { 153 // ARA does not exist on the secure element right now, 154 // but it might be installed later. 155 mNoRuleFound = true; 156 status = mFullAccess; 157 } 158 } else if (mTerminal.getName().startsWith(SecureElementService.UICC_TERMINAL)) { 159 // A possible explanation could simply be due to the fact that the UICC is old 160 // and does not support logical channel (and is not compliant with GP spec). 161 // We should simply act as if no ARA was available in this case. 162 if (!mUseArf) { 163 // Only ARA was the candidate to retrieve access rules, 164 // but it is not 100% sure if the expected ARA really does not exist. 165 // Full access should not be granted in this case. 166 mFullAccess = false; 167 status = false; 168 } 169 } else { 170 // ARA is available but doesn't work properly. 171 // We are going to disable everything per security req. 172 mUseArf = false; 173 mFullAccess = false; 174 status = false; 175 Log.i(mTag, "Problem accessing ARA, Access DENIED " 176 + e.getLocalizedMessage()); 177 } 178 } 179 } 180 181 // 2 - Let's try to use ARF since ARA cannot be used 182 if (mUseArf && mArfController == null) { 183 mArfController = new ArfController(mAccessRuleCache, mTerminal); 184 } 185 186 if (mUseArf && mArfController != null) { 187 try { 188 mArfController.initialize(); 189 // disable other access methods 190 Log.i(mTag, "ARF rules are used for:" + mTerminal.getName()); 191 mFullAccess = false; 192 } catch (IOException | MissingResourceException e) { 193 throw e; 194 } catch (Exception e) { 195 // ARF cannot be used since we got an exception 196 mUseArf = false; 197 denyMsg = e.getLocalizedMessage(); 198 Log.e(mTag, e.getMessage()); 199 if (e instanceof NoSuchElementException) { 200 Log.i(mTag, "No ARF found in: " + mTerminal.getName()); 201 // ARF does not exist on the secure element right now, 202 // but it might be added later. 203 mNoRuleFound = true; 204 status = mFullAccess; 205 } else { 206 // It is not 100% sure if the expected ARF really does not exist. 207 // No ARF might be due to a kind of temporary problem, 208 // so full access should not be granted in this case. 209 mFullAccess = false; 210 status = false; 211 } 212 } 213 } 214 215 /* 4 - Let's block everything since neither ARA, ARF or fullaccess can be used */ 216 if (!mUseArf && !mUseAra && !mFullAccess) { 217 mInitialChannelAccess.setApduAccess(ChannelAccess.ACCESS.DENIED); 218 mInitialChannelAccess.setNFCEventAccess(ChannelAccess.ACCESS.DENIED); 219 mInitialChannelAccess.setAccess(ChannelAccess.ACCESS.DENIED, denyMsg); 220 Log.i(mTag, "Deny any access to:" + mTerminal.getName()); 221 } 222 223 mRulesRead = status; 224 } 225 226 /** 227 * Returns the result of the previous attempt to select ARA and/or ARF. 228 * 229 * @return true if no rule was found in the previous attempt. 230 */ isNoRuleFound()231 public boolean isNoRuleFound() { 232 return mNoRuleFound; 233 } 234 235 /** Check if the Channel has permission for the given APDU */ checkCommand(Channel channel, byte[] command)236 public synchronized void checkCommand(Channel channel, byte[] command) { 237 ChannelAccess ca = channel.getChannelAccess(); 238 if (ca == null) { 239 throw new AccessControlException(mTag + "Channel access not set"); 240 } 241 String reason = ca.getReason(); 242 if (reason.length() == 0) { 243 reason = "Unspecified"; 244 } 245 if (DEBUG) { 246 Log.i(mTag, "checkCommand() : Access = " + ca.getAccess() + " APDU Access = " 247 + ca.getApduAccess() + " Reason = " + reason); 248 } 249 if (ca.getAccess() != ACCESS.ALLOWED) { 250 throw new AccessControlException(mTag + reason); 251 } 252 if (ca.isUseApduFilter()) { 253 ApduFilter[] accessConditions = ca.getApduFilter(); 254 if (accessConditions == null || accessConditions.length == 0) { 255 throw new AccessControlException(mTag + "Access Rule not available:" 256 + reason); 257 } 258 for (ApduFilter ac : accessConditions) { 259 if (CommandApdu.compareHeaders(command, ac.getMask(), ac.getApdu())) { 260 return; 261 } 262 } 263 throw new AccessControlException(mTag + "Access Rule does not match: " 264 + reason); 265 } 266 if (ca.getApduAccess() == ChannelAccess.ACCESS.ALLOWED) { 267 return; 268 } else { 269 throw new AccessControlException(mTag + "APDU access NOT allowed"); 270 } 271 } 272 273 /** Sets up the Channel Access for the given Package */ setUpChannelAccess(byte[] aid, String packageName, byte[] uuid, boolean checkRefreshTag)274 public ChannelAccess setUpChannelAccess(byte[] aid, String packageName, byte[] uuid, 275 boolean checkRefreshTag) throws IOException, MissingResourceException { 276 ChannelAccess channelAccess = null; 277 // check result of channel access during initialization procedure 278 if (mInitialChannelAccess.getAccess() == ChannelAccess.ACCESS.DENIED) { 279 throw new AccessControlException( 280 mTag + " access denied: " + mInitialChannelAccess.getReason()); 281 } 282 // this is the new GP Access Control Enforcer implementation 283 if (mUseAra || mUseArf) { 284 channelAccess = internal_setUpChannelAccess(aid, packageName, uuid, 285 checkRefreshTag); 286 } 287 if (channelAccess == null || (channelAccess.getApduAccess() != ChannelAccess.ACCESS.ALLOWED 288 && !channelAccess.isUseApduFilter())) { 289 if (mFullAccess) { 290 // if full access is set then we reuse the initial channel access, 291 // since we got so far it allows everything with a descriptive reason. 292 channelAccess = mInitialChannelAccess; 293 } else { 294 throw new AccessControlException(mTag + "no APDU access allowed!"); 295 } 296 } 297 channelAccess.setPackageName(packageName); 298 return channelAccess.clone(); 299 } 300 internal_setUpChannelAccess(byte[] aid, String packageName, byte[] uuid, boolean checkRefreshTag)301 private synchronized ChannelAccess internal_setUpChannelAccess(byte[] aid, 302 String packageName, byte[] uuid, boolean checkRefreshTag) throws IOException, 303 MissingResourceException { 304 if (uuid == null && (packageName == null || packageName.isEmpty())) { 305 throw new AccessControlException("package names must be specified"); 306 } 307 try { 308 // estimate SHA-1 and SHA-256 hash values of the device application's certificate. 309 List<byte[]> appCertHashes = null; 310 if (packageName != null) { 311 appCertHashes = getAppCertHashes(packageName); 312 } else { 313 if (uuid != null) { 314 appCertHashes = new ArrayList<byte[]>(); 315 appCertHashes.add(uuid); 316 } 317 } 318 319 // APP certificates must be available => otherwise Exception 320 if (appCertHashes == null || appCertHashes.size() == 0) { 321 throw new AccessControlException( 322 "Application certificates are invalid or do not exist."); 323 } 324 if (checkRefreshTag) { 325 updateAccessRuleIfNeed(); 326 } 327 return getAccessRule(aid, appCertHashes); 328 } catch (IOException | MissingResourceException e) { 329 throw e; 330 } catch (Throwable exp) { 331 throw new AccessControlException(exp.getMessage()); 332 } 333 } 334 335 /** Fetches the Access Rules for the given application and AID pair */ getAccessRule( byte[] aid, List<byte []> appCertHashes)336 public ChannelAccess getAccessRule( 337 byte[] aid, List<byte []> appCertHashes) 338 throws AccessControlException { 339 if (DEBUG) { 340 for (byte[] appCertHash : appCertHashes) { 341 Log.i(mTag, "getAccessRule() appCert = " 342 + ByteArrayConverter.byteArrayToHexString(appCertHash)); 343 } 344 } 345 ChannelAccess channelAccess = null; 346 // if read all is true get rule from cache. 347 if (mRulesRead) { 348 // get rules from internal storage 349 channelAccess = mAccessRuleCache.findAccessRule(aid, appCertHashes); 350 } 351 // if no rule was found return an empty access rule 352 // with all access denied. 353 if (channelAccess == null) { 354 channelAccess = new ChannelAccess(); 355 channelAccess.setAccess(ChannelAccess.ACCESS.DENIED, "no access rule found!"); 356 channelAccess.setApduAccess(ChannelAccess.ACCESS.DENIED); 357 channelAccess.setNFCEventAccess(ChannelAccess.ACCESS.DENIED); 358 } 359 return channelAccess; 360 } 361 362 /** 363 * Returns hashes of certificate chain for one package. 364 */ getAppCertHashes(String packageName)365 private List<byte[]> getAppCertHashes(String packageName) 366 throws NoSuchAlgorithmException, AccessControlException { 367 if (packageName == null || packageName.length() == 0) { 368 throw new AccessControlException("Package Name not defined"); 369 } 370 PackageInfo foundPkgInfo; 371 try { 372 foundPkgInfo = mPackageManager.getPackageInfo(packageName, 373 PackageManager.GET_SIGNATURES); 374 } catch (NameNotFoundException ne) { 375 throw new AccessControlException("Package does not exist"); 376 } 377 if (foundPkgInfo == null) { 378 throw new AccessControlException("Package does not exist"); 379 } 380 MessageDigest md = MessageDigest.getInstance("SHA"); 381 MessageDigest md256 = MessageDigest.getInstance("SHA-256"); 382 if (md == null || md256 == null) { 383 throw new AccessControlException("Hash can not be computed"); 384 } 385 List<byte[]> appCertHashes = new ArrayList<byte[]>(); 386 for (Signature signature : foundPkgInfo.signatures) { 387 appCertHashes.add(md.digest(signature.toByteArray())); 388 appCertHashes.add(md256.digest(signature.toByteArray())); 389 } 390 return appCertHashes; 391 } 392 393 /** Returns true if the given application is allowed to recieve NFC Events */ isNfcEventAllowed(byte[] aid, String[] packageNames)394 public synchronized boolean[] isNfcEventAllowed(byte[] aid, 395 String[] packageNames) { 396 if (mUseAra || mUseArf) { 397 return internal_isNfcEventAllowed(aid, packageNames); 398 } else { 399 // if ARA and ARF is not available and 400 // - terminal DOES NOT belong to a UICC -> mFullAccess is true 401 // - terminal belongs to a UICC -> mFullAccess is false 402 boolean[] ret = new boolean[packageNames.length]; 403 for (int i = 0; i < ret.length; i++) { 404 ret[i] = mFullAccess; 405 } 406 return ret; 407 } 408 } 409 internal_isNfcEventAllowed(byte[] aid, String[] packageNames)410 private synchronized boolean[] internal_isNfcEventAllowed(byte[] aid, 411 String[] packageNames) { 412 int i = 0; 413 boolean[] nfcEventFlags = new boolean[packageNames.length]; 414 for (String packageName : packageNames) { 415 // estimate hash value of the device application's certificate. 416 try { 417 List<byte[]> appCertHashes = getAppCertHashes(packageName); 418 // APP certificates must be available => otherwise Exception 419 if (appCertHashes == null || appCertHashes.size() == 0) { 420 nfcEventFlags[i] = false; 421 } else { 422 ChannelAccess channelAccess = getAccessRule(aid, appCertHashes); 423 nfcEventFlags[i] = 424 (channelAccess.getNFCEventAccess() == ChannelAccess.ACCESS.ALLOWED); 425 } 426 } catch (Exception e) { 427 Log.w(mTag, " Access Rules for NFC: " + e.getLocalizedMessage()); 428 nfcEventFlags[i] = false; 429 } 430 i++; 431 } 432 return nfcEventFlags; 433 } 434 updateAccessRuleIfNeed()435 private void updateAccessRuleIfNeed() throws IOException { 436 if (mUseAra && mAraController != null) { 437 try { 438 mAraController.initialize(); 439 mUseArf = false; 440 mFullAccess = false; 441 } catch (IOException | MissingResourceException e) { 442 // There was a communication error between the terminal and the secure element 443 // or failure in retrieving rules due to the lack of a new logical channel. 444 // These errors must be distinguished from other ones. 445 throw e; 446 } catch (Exception e) { 447 throw new AccessControlException("No ARA applet found in " + mTerminal.getName()); 448 } 449 } else if (mUseArf && mArfController != null) { 450 try { 451 mArfController.initialize(); 452 } catch (IOException | MissingResourceException e) { 453 // There was a communication error between the terminal and the secure element 454 // or failure in retrieving rules due to the lack of a new logical channel. 455 // These errors must be distinguished from other ones. 456 throw e; 457 } catch (Exception e) { 458 throw new AccessControlException("No ARF found in " + mTerminal.getName()); 459 } 460 } 461 } 462 463 /** Returns true if the given package has Carrier Privileges */ checkCarrierPrivilege(PackageInfo pInfo, boolean checkRefreshTag)464 public synchronized boolean checkCarrierPrivilege(PackageInfo pInfo, boolean checkRefreshTag) { 465 if (!mUseAra && !mUseArf) { 466 return false; 467 } 468 if (checkRefreshTag) { 469 try { 470 updateAccessRuleIfNeed(); 471 } catch (IOException | MissingResourceException e) { 472 throw new AccessControlException("Access-Control not found in " 473 + mTerminal.getName()); 474 } 475 } 476 if (!mRulesRead) { 477 return false; 478 } 479 try { 480 List<byte[]> appCertHashes = getAppCertHashes(pInfo.packageName); 481 if (appCertHashes == null || appCertHashes.size() == 0) { 482 return false; 483 } 484 485 return mAccessRuleCache.checkCarrierPrivilege(pInfo.packageName, appCertHashes); 486 } catch (Exception e) { 487 Log.w(mTag, " checkCarrierPrivilege: " + e.getLocalizedMessage()); 488 } 489 return false; 490 } 491 492 /** Debug information to be used by dumpsys */ dump(PrintWriter writer)493 public void dump(PrintWriter writer) { 494 writer.println(mTag + ":"); 495 496 writer.println("mUseArf: " + mUseArf); 497 writer.println("mUseAra: " + mUseAra); 498 if (mUseAra && mAraController != null) { 499 if (getDefaultAccessControlAid() == null) { 500 writer.println("AraInUse: default applet"); 501 } else { 502 writer.println("AraInUse: " + ByteArrayConverter.byteArrayToHexString( 503 getDefaultAccessControlAid())); 504 } 505 } 506 writer.println("mInitialChannelAccess:"); 507 writer.println(mInitialChannelAccess.toString()); 508 writer.println(); 509 510 /* Dump the access rule cache */ 511 if (mAccessRuleCache != null) mAccessRuleCache.dump(writer); 512 } 513 readSecurityProfile()514 private void readSecurityProfile() { 515 if (!Build.isDebuggable()) { 516 mUseArf = true; 517 mUseAra = true; 518 mFullAccess = false; // Per default we don't grant full access. 519 } else { 520 String level = SystemProperties.get("service.seek", "useara usearf"); 521 level = SystemProperties.get("persist.service.seek", level); 522 523 if (level.contains("usearf")) { 524 mUseArf = true; 525 } else { 526 mUseArf = false; 527 } 528 if (level.contains("useara")) { 529 mUseAra = true; 530 } else { 531 mUseAra = false; 532 } 533 if (level.contains("fullaccess")) { 534 mFullAccess = true; 535 } else { 536 mFullAccess = false; 537 } 538 } 539 if (!mTerminal.getName().startsWith(SecureElementService.UICC_TERMINAL)) { 540 // ARF is supported only on UICC. 541 mUseArf = false; 542 } 543 Log.i( 544 mTag, 545 "Allowed ACE mode: ara=" + mUseAra + " arf=" + mUseArf + " fullaccess=" 546 + mFullAccess); 547 } 548 } 549