1 /*
2  * Copyright (C) 2017 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 /*
17  * Copyright (c) 2014-2017, The Linux Foundation.
18  */
19 
20 /*
21  * Copyright 2012 Giesecke & Devrient GmbH.
22  *
23  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
24  * use this file except in compliance with the License. You may obtain a copy of
25  * the License at
26  *
27  * http://www.apache.org/licenses/LICENSE-2.0
28  *
29  * Unless required by applicable law or agreed to in writing, software
30  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
31  * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
32  * License for the specific language governing permissions and limitations under
33  * the License.
34  */
35 
36 package com.android.se.security;
37 
38 import android.content.pm.PackageInfo;
39 import android.content.pm.PackageManager;
40 import android.content.pm.PackageManager.NameNotFoundException;
41 import android.content.pm.Signature;
42 import android.os.Build;
43 import android.os.SystemProperties;
44 import android.util.Log;
45 
46 import com.android.se.Channel;
47 import com.android.se.SecureElementService;
48 import com.android.se.Terminal;
49 import com.android.se.internal.ByteArrayConverter;
50 import com.android.se.security.ChannelAccess.ACCESS;
51 import com.android.se.security.ara.AraController;
52 import com.android.se.security.arf.ArfController;
53 
54 import java.io.IOException;
55 import java.io.PrintWriter;
56 import java.security.AccessControlException;
57 import java.security.MessageDigest;
58 import java.security.NoSuchAlgorithmException;
59 import java.util.ArrayList;
60 import java.util.List;
61 import java.util.MissingResourceException;
62 import java.util.NoSuchElementException;
63 
64 /** Reads and Maintains the ARF and ARA access control for a particular Secure Element */
65 public class AccessControlEnforcer {
66 
67     private final String mTag = "SecureElement-AccessControlEnforcer";
68     private static final boolean DEBUG = Build.isDebuggable();
69     private PackageManager mPackageManager = null;
70     private boolean mNoRuleFound = false;
71     private AraController mAraController = null;
72     private boolean mUseAra = true;
73     private ArfController mArfController = null;
74     private boolean mUseArf = false;
75     private AccessRuleCache mAccessRuleCache = null;
76     private boolean mRulesRead = false;
77     private Terminal mTerminal = null;
78     private ChannelAccess mInitialChannelAccess = new ChannelAccess();
79     private boolean mFullAccess = false;
80 
AccessControlEnforcer(Terminal terminal)81     public AccessControlEnforcer(Terminal terminal) {
82 
83         mTerminal = terminal;
84         mAccessRuleCache = new AccessRuleCache();
85     }
86 
getDefaultAccessControlAid()87     public byte[] getDefaultAccessControlAid() {
88         if (mAraController != null) {
89             return mAraController.getAccessControlAid();
90         }
91         return AraController.getAraMAid();
92     }
93 
getPackageManager()94     public PackageManager getPackageManager() {
95         return mPackageManager;
96     }
97 
setPackageManager(PackageManager packageManager)98     public void setPackageManager(PackageManager packageManager) {
99         mPackageManager = packageManager;
100     }
101 
getTerminal()102     public Terminal getTerminal() {
103         return mTerminal;
104     }
105 
getAccessRuleCache()106     public AccessRuleCache getAccessRuleCache() {
107         return mAccessRuleCache;
108     }
109 
110     /** Resets the Access Control for the Secure Element */
reset()111     public synchronized void reset() {
112         // Destroy any previous Controler
113         // in order to reset the ACE
114         Log.i(mTag, "Reset the ACE for terminal:" + mTerminal.getName());
115         mAccessRuleCache.reset();
116         mAraController = null;
117         mArfController = null;
118     }
119 
120     /** Initializes the Access Control for the Secure Element */
initialize()121     public synchronized void initialize() throws IOException, MissingResourceException {
122         boolean status = true;
123         String denyMsg = "";
124         // allow access to set up access control for a channel
125         mInitialChannelAccess.setApduAccess(ChannelAccess.ACCESS.ALLOWED);
126         mInitialChannelAccess.setNFCEventAccess(ChannelAccess.ACCESS.ALLOWED);
127         mInitialChannelAccess.setAccess(ChannelAccess.ACCESS.ALLOWED, "");
128 
129         readSecurityProfile();
130         mNoRuleFound = false;
131 
132         // 1 - Let's try to use ARA
133         if (mUseAra && mAraController == null) {
134             mAraController = new AraController(mAccessRuleCache, mTerminal);
135         }
136 
137         if (mUseAra && mAraController != null) {
138             try {
139                 mAraController.initialize();
140                 Log.i(mTag, "ARA applet is used for:" + mTerminal.getName());
141                 // disable other access methods
142                 mUseArf = false;
143                 mFullAccess = false;
144             } catch (IOException | MissingResourceException e) {
145                 throw e;
146             } catch (Exception e) {
147                 // ARA cannot be used since we got an exception during initialization
148                 mUseAra = false;
149                 denyMsg = e.getLocalizedMessage();
150                 if (e instanceof NoSuchElementException) {
151                     Log.i(mTag, "No ARA applet found in: " + mTerminal.getName());
152                     if (!mUseArf) {
153                         // ARA does not exist on the secure element right now,
154                         // but it might be installed later.
155                         mNoRuleFound = true;
156                         status = mFullAccess;
157                     }
158                 } else if (mTerminal.getName().startsWith(SecureElementService.UICC_TERMINAL)) {
159                     // A possible explanation could simply be due to the fact that the UICC is old
160                     // and does not support logical channel (and is not compliant with GP spec).
161                     // We should simply act as if no ARA was available in this case.
162                     if (!mUseArf) {
163                         // Only ARA was the candidate to retrieve access rules,
164                         // but it is not 100% sure if the expected ARA really does not exist.
165                         // Full access should not be granted in this case.
166                         mFullAccess = false;
167                         status = false;
168                     }
169                 } else {
170                     // ARA is available but doesn't work properly.
171                     // We are going to disable everything per security req.
172                     mUseArf = false;
173                     mFullAccess = false;
174                     status = false;
175                     Log.i(mTag, "Problem accessing ARA, Access DENIED "
176                             + e.getLocalizedMessage());
177                 }
178             }
179         }
180 
181         // 2 - Let's try to use ARF since ARA cannot be used
182         if (mUseArf && mArfController == null) {
183             mArfController = new ArfController(mAccessRuleCache, mTerminal);
184         }
185 
186         if (mUseArf && mArfController != null) {
187             try {
188                 mArfController.initialize();
189                 // disable other access methods
190                 Log.i(mTag, "ARF rules are used for:" + mTerminal.getName());
191                 mFullAccess = false;
192             } catch (IOException | MissingResourceException e) {
193                 throw e;
194             } catch (Exception e) {
195                 // ARF cannot be used since we got an exception
196                 mUseArf = false;
197                 denyMsg = e.getLocalizedMessage();
198                 Log.e(mTag, e.getMessage());
199                 if (e instanceof NoSuchElementException) {
200                     Log.i(mTag, "No ARF found in: " + mTerminal.getName());
201                     // ARF does not exist on the secure element right now,
202                     // but it might be added later.
203                     mNoRuleFound = true;
204                     status = mFullAccess;
205                 } else {
206                     // It is not 100% sure if the expected ARF really does not exist.
207                     // No ARF might be due to a kind of temporary problem,
208                     // so full access should not be granted in this case.
209                     mFullAccess = false;
210                     status = false;
211                 }
212             }
213         }
214 
215         /* 4 - Let's block everything since neither ARA, ARF or fullaccess can be used */
216         if (!mUseArf && !mUseAra && !mFullAccess) {
217             mInitialChannelAccess.setApduAccess(ChannelAccess.ACCESS.DENIED);
218             mInitialChannelAccess.setNFCEventAccess(ChannelAccess.ACCESS.DENIED);
219             mInitialChannelAccess.setAccess(ChannelAccess.ACCESS.DENIED, denyMsg);
220             Log.i(mTag, "Deny any access to:" + mTerminal.getName());
221         }
222 
223         mRulesRead = status;
224     }
225 
226     /**
227      * Returns the result of the previous attempt to select ARA and/or ARF.
228      *
229      * @return true if no rule was found in the previous attempt.
230      */
isNoRuleFound()231     public boolean isNoRuleFound() {
232         return mNoRuleFound;
233     }
234 
235     /** Check if the Channel has permission for the given APDU */
checkCommand(Channel channel, byte[] command)236     public synchronized void checkCommand(Channel channel, byte[] command) {
237         ChannelAccess ca = channel.getChannelAccess();
238         if (ca == null) {
239             throw new AccessControlException(mTag + "Channel access not set");
240         }
241         String reason = ca.getReason();
242         if (reason.length() == 0) {
243             reason = "Unspecified";
244         }
245         if (DEBUG) {
246             Log.i(mTag, "checkCommand() : Access = " + ca.getAccess() + " APDU Access = "
247                     + ca.getApduAccess() + " Reason = " + reason);
248         }
249         if (ca.getAccess() != ACCESS.ALLOWED) {
250             throw new AccessControlException(mTag + reason);
251         }
252         if (ca.isUseApduFilter()) {
253             ApduFilter[] accessConditions = ca.getApduFilter();
254             if (accessConditions == null || accessConditions.length == 0) {
255                 throw new AccessControlException(mTag + "Access Rule not available:"
256                         + reason);
257             }
258             for (ApduFilter ac : accessConditions) {
259                 if (CommandApdu.compareHeaders(command, ac.getMask(), ac.getApdu())) {
260                     return;
261                 }
262             }
263             throw new AccessControlException(mTag + "Access Rule does not match: "
264                     + reason);
265         }
266         if (ca.getApduAccess() == ChannelAccess.ACCESS.ALLOWED) {
267             return;
268         } else {
269             throw new AccessControlException(mTag + "APDU access NOT allowed");
270         }
271     }
272 
273     /** Sets up the Channel Access for the given Package */
setUpChannelAccess(byte[] aid, String packageName, byte[] uuid, boolean checkRefreshTag)274     public ChannelAccess setUpChannelAccess(byte[] aid, String packageName, byte[] uuid,
275             boolean checkRefreshTag) throws IOException, MissingResourceException {
276         ChannelAccess channelAccess = null;
277         // check result of channel access during initialization procedure
278         if (mInitialChannelAccess.getAccess() == ChannelAccess.ACCESS.DENIED) {
279             throw new AccessControlException(
280                     mTag + " access denied: " + mInitialChannelAccess.getReason());
281         }
282         // this is the new GP Access Control Enforcer implementation
283         if (mUseAra || mUseArf) {
284             channelAccess = internal_setUpChannelAccess(aid, packageName, uuid,
285                     checkRefreshTag);
286         }
287         if (channelAccess == null || (channelAccess.getApduAccess() != ChannelAccess.ACCESS.ALLOWED
288                 && !channelAccess.isUseApduFilter())) {
289             if (mFullAccess) {
290                 // if full access is set then we reuse the initial channel access,
291                 // since we got so far it allows everything with a descriptive reason.
292                 channelAccess = mInitialChannelAccess;
293             } else {
294                 throw new AccessControlException(mTag + "no APDU access allowed!");
295             }
296         }
297         channelAccess.setPackageName(packageName);
298         return channelAccess.clone();
299     }
300 
internal_setUpChannelAccess(byte[] aid, String packageName, byte[] uuid, boolean checkRefreshTag)301     private synchronized ChannelAccess internal_setUpChannelAccess(byte[] aid,
302             String packageName, byte[] uuid, boolean checkRefreshTag) throws IOException,
303             MissingResourceException {
304         if (uuid == null && (packageName == null || packageName.isEmpty())) {
305             throw new AccessControlException("package names must be specified");
306         }
307         try {
308             // estimate SHA-1 and SHA-256 hash values of the device application's certificate.
309             List<byte[]> appCertHashes = null;
310             if (packageName != null) {
311                 appCertHashes = getAppCertHashes(packageName);
312             } else {
313                 if (uuid != null) {
314                     appCertHashes = new ArrayList<byte[]>();
315                     appCertHashes.add(uuid);
316                 }
317             }
318 
319             // APP certificates must be available => otherwise Exception
320             if (appCertHashes == null || appCertHashes.size() == 0) {
321                 throw new AccessControlException(
322                         "Application certificates are invalid or do not exist.");
323             }
324             if (checkRefreshTag) {
325                 updateAccessRuleIfNeed();
326             }
327             return getAccessRule(aid, appCertHashes);
328         } catch (IOException | MissingResourceException e) {
329             throw e;
330         } catch (Throwable exp) {
331             throw new AccessControlException(exp.getMessage());
332         }
333     }
334 
335     /** Fetches the Access Rules for the given application and AID pair */
getAccessRule( byte[] aid, List<byte []> appCertHashes)336     public ChannelAccess getAccessRule(
337             byte[] aid, List<byte []> appCertHashes)
338             throws AccessControlException {
339         if (DEBUG) {
340             for (byte[] appCertHash : appCertHashes) {
341                 Log.i(mTag, "getAccessRule() appCert = "
342                         + ByteArrayConverter.byteArrayToHexString(appCertHash));
343             }
344         }
345         ChannelAccess channelAccess = null;
346         // if read all is true get rule from cache.
347         if (mRulesRead) {
348             // get rules from internal storage
349             channelAccess = mAccessRuleCache.findAccessRule(aid, appCertHashes);
350         }
351         // if no rule was found return an empty access rule
352         // with all access denied.
353         if (channelAccess == null) {
354             channelAccess = new ChannelAccess();
355             channelAccess.setAccess(ChannelAccess.ACCESS.DENIED, "no access rule found!");
356             channelAccess.setApduAccess(ChannelAccess.ACCESS.DENIED);
357             channelAccess.setNFCEventAccess(ChannelAccess.ACCESS.DENIED);
358         }
359         return channelAccess;
360     }
361 
362     /**
363      * Returns hashes of certificate chain for one package.
364      */
getAppCertHashes(String packageName)365     private List<byte[]> getAppCertHashes(String packageName)
366             throws NoSuchAlgorithmException, AccessControlException {
367         if (packageName == null || packageName.length() == 0) {
368             throw new AccessControlException("Package Name not defined");
369         }
370         PackageInfo foundPkgInfo;
371         try {
372             foundPkgInfo = mPackageManager.getPackageInfo(packageName,
373                     PackageManager.GET_SIGNATURES);
374         } catch (NameNotFoundException ne) {
375             throw new AccessControlException("Package does not exist");
376         }
377         if (foundPkgInfo == null) {
378             throw new AccessControlException("Package does not exist");
379         }
380         MessageDigest md = MessageDigest.getInstance("SHA");
381         MessageDigest md256 = MessageDigest.getInstance("SHA-256");
382         if (md == null || md256 == null) {
383             throw new AccessControlException("Hash can not be computed");
384         }
385         List<byte[]> appCertHashes = new ArrayList<byte[]>();
386         for (Signature signature : foundPkgInfo.signatures) {
387             appCertHashes.add(md.digest(signature.toByteArray()));
388             appCertHashes.add(md256.digest(signature.toByteArray()));
389         }
390         return appCertHashes;
391     }
392 
393     /** Returns true if the given application is allowed to recieve NFC Events */
isNfcEventAllowed(byte[] aid, String[] packageNames)394     public synchronized boolean[] isNfcEventAllowed(byte[] aid,
395             String[] packageNames) {
396         if (mUseAra || mUseArf) {
397             return internal_isNfcEventAllowed(aid, packageNames);
398         } else {
399             // if ARA and ARF is not available and
400             // - terminal DOES NOT belong to a UICC -> mFullAccess is true
401             // - terminal belongs to a UICC -> mFullAccess is false
402             boolean[] ret = new boolean[packageNames.length];
403             for (int i = 0; i < ret.length; i++) {
404                 ret[i] = mFullAccess;
405             }
406             return ret;
407         }
408     }
409 
internal_isNfcEventAllowed(byte[] aid, String[] packageNames)410     private synchronized boolean[] internal_isNfcEventAllowed(byte[] aid,
411             String[] packageNames) {
412         int i = 0;
413         boolean[] nfcEventFlags = new boolean[packageNames.length];
414         for (String packageName : packageNames) {
415             // estimate hash value of the device application's certificate.
416             try {
417                 List<byte[]> appCertHashes = getAppCertHashes(packageName);
418                 // APP certificates must be available => otherwise Exception
419                 if (appCertHashes == null || appCertHashes.size() == 0) {
420                     nfcEventFlags[i] = false;
421                 } else {
422                     ChannelAccess channelAccess = getAccessRule(aid, appCertHashes);
423                     nfcEventFlags[i] =
424                             (channelAccess.getNFCEventAccess() == ChannelAccess.ACCESS.ALLOWED);
425                 }
426             } catch (Exception e) {
427                 Log.w(mTag, " Access Rules for NFC: " + e.getLocalizedMessage());
428                 nfcEventFlags[i] = false;
429             }
430             i++;
431         }
432         return nfcEventFlags;
433     }
434 
updateAccessRuleIfNeed()435     private void updateAccessRuleIfNeed() throws IOException {
436         if (mUseAra && mAraController != null) {
437             try {
438                 mAraController.initialize();
439                 mUseArf = false;
440                 mFullAccess = false;
441             } catch (IOException | MissingResourceException e) {
442                 // There was a communication error between the terminal and the secure element
443                 // or failure in retrieving rules due to the lack of a new logical channel.
444                 // These errors must be distinguished from other ones.
445                 throw e;
446             } catch (Exception e) {
447                 throw new AccessControlException("No ARA applet found in " + mTerminal.getName());
448             }
449         } else if (mUseArf && mArfController != null) {
450             try {
451                 mArfController.initialize();
452             } catch (IOException | MissingResourceException e) {
453                 // There was a communication error between the terminal and the secure element
454                 // or failure in retrieving rules due to the lack of a new logical channel.
455                 // These errors must be distinguished from other ones.
456                 throw e;
457             } catch (Exception e) {
458                 throw new AccessControlException("No ARF found in " + mTerminal.getName());
459             }
460         }
461     }
462 
463     /** Returns true if the given package has Carrier Privileges */
checkCarrierPrivilege(PackageInfo pInfo, boolean checkRefreshTag)464     public synchronized boolean checkCarrierPrivilege(PackageInfo pInfo, boolean checkRefreshTag) {
465         if (!mUseAra && !mUseArf) {
466             return false;
467         }
468         if (checkRefreshTag) {
469             try {
470                 updateAccessRuleIfNeed();
471             } catch (IOException | MissingResourceException e) {
472                 throw new AccessControlException("Access-Control not found in "
473                         + mTerminal.getName());
474             }
475         }
476         if (!mRulesRead) {
477             return false;
478         }
479         try {
480             List<byte[]> appCertHashes = getAppCertHashes(pInfo.packageName);
481             if (appCertHashes == null || appCertHashes.size() == 0) {
482                 return false;
483             }
484 
485             return mAccessRuleCache.checkCarrierPrivilege(pInfo.packageName, appCertHashes);
486         } catch (Exception e) {
487             Log.w(mTag, " checkCarrierPrivilege: " + e.getLocalizedMessage());
488         }
489         return false;
490     }
491 
492     /** Debug information to be used by dumpsys */
dump(PrintWriter writer)493     public void dump(PrintWriter writer) {
494         writer.println(mTag + ":");
495 
496         writer.println("mUseArf: " + mUseArf);
497         writer.println("mUseAra: " + mUseAra);
498         if (mUseAra && mAraController != null) {
499             if (getDefaultAccessControlAid() == null) {
500                 writer.println("AraInUse: default applet");
501             } else {
502                 writer.println("AraInUse: " + ByteArrayConverter.byteArrayToHexString(
503                         getDefaultAccessControlAid()));
504             }
505         }
506         writer.println("mInitialChannelAccess:");
507         writer.println(mInitialChannelAccess.toString());
508         writer.println();
509 
510         /* Dump the access rule cache */
511         if (mAccessRuleCache != null) mAccessRuleCache.dump(writer);
512     }
513 
readSecurityProfile()514     private void readSecurityProfile() {
515         if (!Build.isDebuggable()) {
516             mUseArf = true;
517             mUseAra = true;
518             mFullAccess = false; // Per default we don't grant full access.
519         } else {
520             String level = SystemProperties.get("service.seek", "useara usearf");
521             level = SystemProperties.get("persist.service.seek", level);
522 
523             if (level.contains("usearf")) {
524                 mUseArf = true;
525             } else {
526                 mUseArf = false;
527             }
528             if (level.contains("useara")) {
529                 mUseAra = true;
530             } else {
531                 mUseAra = false;
532             }
533             if (level.contains("fullaccess")) {
534                 mFullAccess = true;
535             } else {
536                 mFullAccess = false;
537             }
538         }
539         if (!mTerminal.getName().startsWith(SecureElementService.UICC_TERMINAL)) {
540             // ARF is supported only on UICC.
541             mUseArf = false;
542         }
543         Log.i(
544                 mTag,
545                 "Allowed ACE mode: ara=" + mUseAra + " arf=" + mUseArf + " fullaccess="
546                         + mFullAccess);
547     }
548 }
549