2 * Copyright (c) 2012, 2013 Samsung Electronics Co., Ltd.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 /* standard library header */
20 /* SLP library header */
24 #include "AccessControlList.h"
27 namespace smartcard_service_api
/* Two-byte marker values. Further down, ALL_SE_APPS is passed in the AID
 * position and ALL_DEVICE_APPS in the certificate-hash position of
 * findAccessRule(), i.e. they act as wildcard lookup keys.
 * default_se_app / DEFAULT_SE_APP is not referenced in the visible part
 * of this file. */
29 const unsigned char all_se_apps[] = { 0x00, 0x00 };
30 const unsigned char default_se_app[] = { 0x00, 0x01 };
31 const unsigned char all_device_apps[] = { 0x00, 0x02 };
/* Static ByteArray members built from the arrays above.
 * NOTE(review): these definitions are not const, so the wildcard keys are
 * mutable objects; whether code outside the class can reach them depends on
 * the header, which is not shown here. Confirm they cannot be altered at run time. */
33 ByteArray AccessControlList::ALL_SE_APPS(ARRAY_AND_SIZE(all_se_apps));
34 ByteArray AccessControlList::DEFAULT_SE_APP(ARRAY_AND_SIZE(default_se_app));
35 ByteArray AccessControlList::ALL_DEVICE_APPS(ARRAY_AND_SIZE(all_device_apps));
/* Constructor: initialises allGranted to false. The authorization checks
 * below copy this flag into their initial result, so a fresh object does not
 * start in the "everything granted" state. The constructor body is not shown
 * in this listing. */
37 AccessControlList::AccessControlList() : allGranted(false)
/* Destructor. Its body is not part of this listing (the gutter numbers jump
 * from 41 to 46), so what it releases cannot be stated from here. */
41 AccessControlList::~AccessControlList()
/* Discards every stored access condition by clearing mapConditions.
 * NOTE(review): gutter lines 49-51 are not shown, so it cannot be told from
 * this listing whether allGranted is also reset here. If it is not, a
 * previously set allGranted would outlive the release. Confirm against the
 * full file. */
46 void AccessControlList::releaseACL()
48 mapConditions.clear();
/* Returns the AccessCondition stored under `aid`, creating one first when
 * the AID is not yet present.
 * The return statement is not shown in this listing; presumably a reference
 * to item->second is returned. TODO confirm.
 * NOTE(review): a call for an unknown AID grows mapConditions with a
 * default-constructed AccessCondition. What such a default condition permits
 * is defined in AccessCondition, not here. */
52 AccessCondition &AccessControlList::getAccessCondition(const ByteArray &aid)
54 map<ByteArray, AccessCondition>::iterator item;
56 item = mapConditions.find(aid);
/* AID unknown: insert a default-constructed condition, then look it up again. */
57 if (item == mapConditions.end())
59 AccessCondition condition;
60 pair<ByteArray, AccessCondition> temp(aid, condition);
61 mapConditions.insert(temp);
63 item = mapConditions.find(aid);
/* Looks up the access rule for the pair (aid, hash): finds the
 * AccessCondition keyed by `aid` and asks it for the rule matching `hash`.
 * `result` stays NULL when the AID is not in mapConditions; it may also be
 * NULL when getAccessRule() finds nothing (defined elsewhere).
 * The return statement is not shown in this listing; presumably `result` is
 * returned. Callers must treat NULL as "no rule". */
69 const AccessRule *AccessControlList::findAccessRule(const ByteArray &aid,
70 const ByteArray &hash) const
72 const AccessRule *result = NULL;
73 map<ByteArray, AccessCondition>::const_iterator item;
75 item = mapConditions.find(aid);
76 if (item != mapConditions.end()) {
77 result = item->second.getAccessRule(hash);
/* Single-hash convenience overload: wraps certHash in a one-element vector
 * and delegates to the vector overload. */
83 bool AccessControlList::isAuthorizedAccess(const ByteArray &aid,
84 const ByteArray &certHash) const
86 vector<ByteArray> hashes;
88 hashes.push_back(certHash);
90 return isAuthorizedAccess(aid, hashes);
/* Raw-buffer convenience overload: builds ByteArray objects from the two
 * pointer/length pairs and delegates to the ByteArray overload.
 * NOTE(review): on the visible lines neither pointer is checked for NULL and
 * both lengths are used exactly as supplied by the caller. Whether the
 * ByteArray constructor validates them is not visible here. Confirm before
 * passing data that crosses a trust boundary. */
93 bool AccessControlList::isAuthorizedAccess(const unsigned char *aidBuffer,
94 unsigned int aidLength, const unsigned char *certHashBuffer,
95 unsigned int certHashLength) const
97 ByteArray aid(aidBuffer, aidLength);
98 ByteArray certHash(certHashBuffer, certHashLength);
100 return isAuthorizedAccess(aid, certHash);
/* Overload without an APDU command: delegates with ByteArray::EMPTY as the
 * command, which makes the four-step check below evaluate
 * rule->isAuthorizedAccess() instead of rule->isAuthorizedAPDUAccess(). */
103 bool AccessControlList::isAuthorizedAccess(const ByteArray &aid,
104 const vector<ByteArray> &certHashes) const
106 return isAuthorizedAccess(aid, certHashes, ByteArray::EMPTY);
/*
 * Core authorization decision for `aid`, the certificate hashes in
 * `certHashes` and an optional APDU `command`.
 *
 * Rules are looked up from the most specific key pair to the least specific:
 *   A. aid          + each certificate hash (walked in reverse order)
 *   B. aid          + ALL_DEVICE_APPS
 *   C. ALL_SE_APPS  + each certificate hash (walked in reverse order)
 *   D. ALL_SE_APPS  + ALL_DEVICE_APPS
 * With an empty command the rule's isAuthorizedAccess() is used, otherwise
 * isAuthorizedAPDUAccess(command).
 *
 * NOTE(review): this listing omits lines (the gutter numbers jump, e.g.
 * 116->120, 122->124, 129->134). The missing lines presumably hold the NULL
 * check on `rule` before it is dereferenced, the early exit after a match,
 * and the final return. Confirm against the full file. Two properties depend
 * on them and are worth verifying:
 *   - first match ends the evaluation, so a specific "deny" cannot be
 *     overwritten by a broader "accept" from a later step;
 *   - when no step finds a rule, `result` keeps its initial value, which is
 *     false unless allGranted was set (default deny).
 */
109 bool AccessControlList::isAuthorizedAccess(const ByteArray &aid,
110 const vector<ByteArray> &certHashes, const ByteArray &command) const
/* The initial decision is the allGranted flag. */
112 bool result = allGranted;
113 vector<ByteArray>::const_reverse_iterator item;
114 const AccessRule *rule = NULL;
/* allGranted set: the branch body is not shown; presumably it skips the
 * rule lookup entirely. TODO confirm. */
116 if (result == true) {
120 /* Step A, find with aid and cert hashes */
121 for (item = certHashes.rbegin(); item != certHashes.rend(); item++) {
122 rule = findAccessRule(aid, *item);
/* findAccessRule() can return NULL; the guard is expected on the omitted line 123. */
124 if (command.isEmpty()) {
125 result = rule->isAuthorizedAccess();
127 result = rule->isAuthorizedAPDUAccess(command);
/* Logs the decision together with the AID and the matching certificate hash. */
129 _INFO("rule found (%s): [%s:%s]", result ? "accept" : "deny", aid.toString().c_str(), (*item).toString().c_str());
134 /* Step B, find with aid and ALL_DEVICE_APPS */
135 rule = findAccessRule(aid, ALL_DEVICE_APPS);
137 if (command.isEmpty()) {
138 result = rule->isAuthorizedAccess();
140 result = rule->isAuthorizedAPDUAccess(command);
142 _INFO("rule found (%s): [%s:%s]", result ? "accept" : "deny", aid.toString().c_str(), ALL_DEVICE_APPS.toString().c_str());
146 /* Step C, find with ALL_SE_APPS and hashes */
147 for (item = certHashes.rbegin(); item != certHashes.rend(); item++) {
148 rule = findAccessRule(ALL_SE_APPS, *item);
150 if (command.isEmpty()) {
151 result = rule->isAuthorizedAccess();
153 result = rule->isAuthorizedAPDUAccess(command);
155 _INFO("rule found (%s): [%s:%s]", result ? "accept" : "deny", "All SE Applications", (*item).toString().c_str());
160 /* Step D, find with ALL_SE_APPS and ALL_DEVICE_APPS */
161 rule = findAccessRule(ALL_SE_APPS, ALL_DEVICE_APPS);
163 if (command.isEmpty()) {
164 result = rule->isAuthorizedAccess();
166 result = rule->isAuthorizedAPDUAccess(command);
168 _INFO("rule found (%s): [%s:%s]", result ? "accept" : "deny", "All SE Applications", "All device applications");
/*
 * NFC variant of the authorization decision for `aid` and the certificate
 * hashes in `certHashes`. It walks the same four lookups as
 * isAuthorizedAccess() (aid+hash, aid+ALL_DEVICE_APPS, ALL_SE_APPS+hash,
 * ALL_SE_APPS+ALL_DEVICE_APPS) but asks each rule isAuthorizedNFCAccess()
 * and takes no APDU command.
 *
 * NOTE(review): this listing omits lines (the gutter numbers jump, e.g.
 * 182->186, 188->190, 191->196). The missing lines presumably hold the NULL
 * check on `rule`, the early exit after a match, and the final return.
 * Confirm against the full file. If no step finds a rule, `result` keeps its
 * initial value, which is false unless allGranted was set.
 */
175 bool AccessControlList::isAuthorizedNFCAccess(const ByteArray &aid,
176 const vector<ByteArray> &certHashes) const
/* The initial decision is the allGranted flag. */
178 bool result = allGranted;
179 vector<ByteArray>::const_reverse_iterator item;
180 const AccessRule *rule = NULL;
/* allGranted set: the branch body is not shown; presumably it skips the
 * rule lookup entirely. TODO confirm. */
182 if (result == true) {
186 /* Step A, find with aid and cert hashes */
187 for (item = certHashes.rbegin(); item != certHashes.rend(); item++) {
188 rule = findAccessRule(aid, *item);
/* findAccessRule() can return NULL; the guard is expected on the omitted line 189. */
190 result = rule->isAuthorizedNFCAccess();
/* Logs the decision together with the AID and the matching certificate hash. */
191 _INFO("rule found (%s): [%s:%s]", result ? "accept" : "deny", aid.toString().c_str(), (*item).toString().c_str());
196 /* Step B, find with aid and ALL_DEVICE_APPS */
197 rule = findAccessRule(aid, ALL_DEVICE_APPS);
199 result = rule->isAuthorizedNFCAccess();
200 _INFO("rule found (%s): [%s:%s]", result ? "accept" : "deny", aid.toString().c_str(), "All device applications");
204 /* Step C, find with ALL_SE_APPS and hashes */
205 for (item = certHashes.rbegin(); item != certHashes.rend(); item++) {
206 rule = findAccessRule(ALL_SE_APPS, *item);
208 result = rule->isAuthorizedNFCAccess();
209 _INFO("rule found (%s): [%s:%s]", result ? "accept" : "deny", "All SE Applications", (*item).toString().c_str());
214 /* Step D, find with ALL_SE_APPS and ALL_DEVICE_APPS */
215 rule = findAccessRule(ALL_SE_APPS, ALL_DEVICE_APPS);
217 result = rule->isAuthorizedNFCAccess();
218 _INFO("rule found (%s): [%s:%s]", result ? "accept" : "deny", "All SE Applications", "All device applications");
224 } /* namespace smartcard_service_api */