2 * Copyright (c) 2012, 2013 Samsung Electronics Co., Ltd.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 /* standard library header */
20 /* SLP library header */
24 #include "AccessControlList.h"
27 namespace smartcard_service_api
/* Two-byte sentinel values used as wildcard keys by the rule lookups in this
 * file: ALL_SE_APPS is passed as the AID argument and ALL_DEVICE_APPS as the
 * hash argument of findAccessRule(). DEFAULT_SE_APP is only compared against
 * in printAccessControlList() within this listing. */
29 const unsigned char all_se_apps[] = { 0x00, 0x00 };
30 const unsigned char default_se_app[] = { 0x00, 0x01 };
31 const unsigned char all_device_apps[] = { 0x00, 0x02 };
/* NOTE(review): these static members are defined without const, so they are
 * writable at runtime. They select the wildcard rules, so confirm nothing can
 * modify them, or make them const in the class declaration.
 * ARRAY_AND_SIZE is defined elsewhere; presumably it expands to the array and
 * its length - confirm. */
33 ByteArray AccessControlList::ALL_SE_APPS(ARRAY_AND_SIZE(all_se_apps));
34 ByteArray AccessControlList::DEFAULT_SE_APP(ARRAY_AND_SIZE(default_se_app));
35 ByteArray AccessControlList::ALL_DEVICE_APPS(ARRAY_AND_SIZE(all_device_apps));
/* Default constructor: a new list starts with allGranted false, so the
 * authorization checks below begin from "deny" until a rule says otherwise.
 * NOTE(review): the constructor body (original lines 38-40) is not part of
 * this listing. */
37 AccessControlList::AccessControlList() : allGranted(false)
/* Destructor.
 * NOTE(review): its body (original lines 42-45) is not part of this listing,
 * so what it releases cannot be read from here. */
41 AccessControlList::~AccessControlList()
/* Drops every stored access condition.
 * NOTE(review): original lines 49-51 are missing from this listing. Confirm
 * that allGranted is reset here as well; otherwise a blanket grant set
 * earlier would survive the release of the rules. */
46 void AccessControlList::releaseACL()
48 mapConditions.clear();
/* Find-or-create accessor for the AccessCondition stored under an AID.
 * On a miss it inserts a default-constructed AccessCondition and looks the
 * AID up again.
 * NOTE(review): the return statement (somewhere in original lines 64-68) is
 * not shown; presumably it returns item->second - confirm.
 * Unlike findAccessRule(), this accessor modifies the map: asking about an
 * unknown AID leaves an empty condition behind for it. */
52 AccessCondition &AccessControlList::getAccessCondition(const ByteArray &aid)
54 map<ByteArray, AccessCondition>::iterator item;
56 item = mapConditions.find(aid);
57 if (item == mapConditions.end())
/* No entry yet: add an empty condition for this AID. */
59 AccessCondition condition;
60 pair<ByteArray, AccessCondition> temp(aid, condition);
61 mapConditions.insert(temp);
/* Re-run the lookup so item refers to the entry that was just inserted. */
63 item = mapConditions.find(aid);
/* Read-only lookup of the rule stored for an (AID, hash) pair.
 * The AID selects an AccessCondition in mapConditions and the hash is handed
 * to AccessCondition::getAccessRule(). result starts as NULL and is assigned
 * only when the AID has an entry, so callers have to be ready for NULL.
 * NOTE(review): the return statement (original line 80) is not shown in this
 * listing; presumably it returns result - confirm. */
69 const AccessRule *AccessControlList::findAccessRule(const ByteArray &aid,
70 const ByteArray &hash) const
72 const AccessRule *result = NULL;
73 map<ByteArray, AccessCondition>::const_iterator item;
75 item = mapConditions.find(aid);
76 if (item != mapConditions.end()) {
77 result = item->second.getAccessRule(hash);
/* Convenience overload for a single certificate hash: wraps certHash in a
 * one-element vector and forwards to the vector overload. */
83 bool AccessControlList::isAuthorizedAccess(const ByteArray &aid,
84 const ByteArray &certHash) const
86 vector<ByteArray> hashes;
88 hashes.push_back(certHash);
90 return isAuthorizedAccess(aid, hashes);
/* Raw-buffer overload: copies the AID and certificate hash into ByteArray
 * objects and forwards to the ByteArray overload.
 * NOTE(review): no NULL-pointer or length validation is visible here. Verify
 * that ByteArray(buffer, length) copes with a NULL buffer or a length that
 * does not match it, or that every caller validates before calling. */
93 bool AccessControlList::isAuthorizedAccess(const unsigned char *aidBuffer,
94 unsigned int aidLength, const unsigned char *certHashBuffer,
95 unsigned int certHashLength) const
97 ByteArray aid(aidBuffer, aidLength);
98 ByteArray certHash(certHashBuffer, certHashLength);
100 return isAuthorizedAccess(aid, certHash);
/* Overload without a command: forwards with ByteArray::EMPTY, which makes the
 * four-step check below ask each rule for general access rather than for
 * APDU-level access. */
103 bool AccessControlList::isAuthorizedAccess(const ByteArray &aid,
104 const vector<ByteArray> &certHashes) const
106 return isAuthorizedAccess(aid, certHashes, ByteArray::EMPTY);
/* Decides whether a client identified by certHashes may access the applet
 * identified by aid, optionally for one specific APDU command.
 *
 * Lookup order, from most to least specific:
 *   A. aid + each certificate hash (hashes are walked from last to first)
 *   B. aid + ALL_DEVICE_APPS
 *   C. ALL_SE_APPS + each certificate hash
 *   D. ALL_SE_APPS + ALL_DEVICE_APPS
 * When a rule is consulted, an empty command asks it for general access
 * (isAuthorizedAccess) and a non-empty command asks it for APDU-level access
 * (isAuthorizedAPDUAccess).
 *
 * NOTE(review): this listing omits several original lines (for example 117,
 * 123, 126, 130 and 169-173), so the branch and exit structure between the
 * steps cannot be read from here. Confirm against the full file that
 *   - every rule-> call is guarded by a NULL check, because findAccessRule()
 *     starts from NULL and only assigns a rule on a hit;
 *   - a decision taken in an earlier, more specific step is not overwritten
 *     by a later, more general step.
 * The INFO logs record the AID and certificate hashes of each decision;
 * account for that when deciding who can read these logs. */
109 bool AccessControlList::isAuthorizedAccess(const ByteArray &aid,
110 const vector<ByteArray> &certHashes, const ByteArray &command) const
/* Start from the blanket-grant flag: with allGranted false the answer stays
 * "deny" unless a rule below changes it. */
112 bool result = allGranted;
113 vector<ByteArray>::const_reverse_iterator item;
114 const AccessRule *rule = NULL;
/* Blanket grant is set. The body of this branch (original lines 117-118) is
 * not shown; presumably it skips the rule lookup - confirm. */
116 if (result == true) {
120 /* Step A, find with aid and cert hashes */
121 for (item = certHashes.rbegin(); item != certHashes.rend(); item++) {
122 rule = findAccessRule(aid, *item);
124 if (command.isEmpty()) {
125 result = rule->isAuthorizedAccess();
127 result = rule->isAuthorizedAPDUAccess(command);
129 _INFO("rule found (%s): [%s:%s]", result ? "accept" : "deny", aid.toString().c_str(), (*item).toString().c_str());
134 /* Step B, find with aid and ALL_DEVICES_APPS */
135 rule = findAccessRule(aid, ALL_DEVICE_APPS);
137 if (command.isEmpty()) {
138 result = rule->isAuthorizedAccess();
140 result = rule->isAuthorizedAPDUAccess(command);
142 _INFO("rule found (%s): [%s:%s]", result ? "accept" : "deny", aid.toString().c_str(), ALL_DEVICE_APPS.toString().c_str());
146 /* Step C, find with ALL_SE_APPS and hashes */
147 for (item = certHashes.rbegin(); item != certHashes.rend(); item++) {
148 rule = findAccessRule(ALL_SE_APPS, *item);
150 if (command.isEmpty()) {
151 result = rule->isAuthorizedAccess();
153 result = rule->isAuthorizedAPDUAccess(command);
155 _INFO("rule found (%s): [%s:%s]", result ? "accept" : "deny", "All SE Applications", (*item).toString().c_str());
160 /* Step D, find with ALL_SE_APPS and ALL_DEVICES_APPS */
161 rule = findAccessRule(ALL_SE_APPS, ALL_DEVICE_APPS);
163 if (command.isEmpty()) {
164 result = rule->isAuthorizedAccess();
166 result = rule->isAuthorizedAPDUAccess(command);
168 _INFO("rule found (%s): [%s:%s]", result ? "accept" : "deny", "All SE Applications", "All device applications");
/* Per the log text this is the no-match path: nothing assigned result, so it
 * still holds the initial allGranted value.
 * NOTE(review): i is declared on a line that is not shown (original line
 * 175); it is compared with certHashes.size() but printed with %d - confirm
 * the declared type matches the format specifier. */
174 _INFO("no rule found, aid [%s]", aid.toString().c_str());
176 for (i = 0; i < certHashes.size(); i++) {
177 _INFO(" hash[%d] [%s]", i, certHashes[i].toString().c_str());
/* Decides whether a client identified by certHashes may receive NFC events
 * for the applet identified by aid. It walks the same four lookup steps as
 * isAuthorizedAccess() (aid + hashes, aid + ALL_DEVICE_APPS, ALL_SE_APPS +
 * hashes, ALL_SE_APPS + ALL_DEVICE_APPS) and asks each consulted rule
 * isAuthorizedNFCAccess().
 *
 * NOTE(review): this listing omits several original lines (for example
 * 192-194, 198, 201-204 and 228-232), so the guards and exits between the
 * steps cannot be read from here. Confirm against the full file that every
 * rule-> call is NULL-checked (findAccessRule() only assigns a rule on a hit)
 * and that a more specific decision is not overwritten by a later, more
 * general step. */
184 bool AccessControlList::isAuthorizedNFCAccess(const ByteArray &aid,
185 const vector<ByteArray> &certHashes) const
/* Start from the blanket-grant flag; with allGranted false the answer stays
 * "deny" unless a rule below changes it. */
187 bool result = allGranted;
188 vector<ByteArray>::const_reverse_iterator item;
189 const AccessRule *rule = NULL;
/* Blanket grant is set. The body of this branch is not shown; presumably it
 * skips the rule lookup - confirm. */
191 if (result == true) {
195 /* Step A, find with aid and cert hashes */
196 for (item = certHashes.rbegin(); item != certHashes.rend(); item++) {
197 rule = findAccessRule(aid, *item);
199 result = rule->isAuthorizedNFCAccess();
200 _INFO("rule found (%s): [%s:%s]", result ? "accept" : "deny", aid.toString().c_str(), (*item).toString().c_str());
205 /* Step B, find with aid and ALL_DEVICES_APPS */
206 rule = findAccessRule(aid, ALL_DEVICE_APPS);
208 result = rule->isAuthorizedNFCAccess();
209 _INFO("rule found (%s): [%s:%s]", result ? "accept" : "deny", aid.toString().c_str(), "All device applications");
213 /* Step C, find with ALL_SE_APPS and hashes */
214 for (item = certHashes.rbegin(); item != certHashes.rend(); item++) {
215 rule = findAccessRule(ALL_SE_APPS, *item);
217 result = rule->isAuthorizedNFCAccess();
218 _INFO("rule found (%s): [%s:%s]", result ? "accept" : "deny", "All SE Applications", (*item).toString().c_str());
223 /* Step D, find with ALL_SE_APPS and ALL_DEVICES_APPS */
224 rule = findAccessRule(ALL_SE_APPS, ALL_DEVICE_APPS);
226 result = rule->isAuthorizedNFCAccess();
227 _INFO("rule found (%s): [%s:%s]", result ? "accept" : "deny", "All SE Applications", "All device applications");
/* Per the log text this is the no-match path: nothing assigned result, so it
 * still holds the initial allGranted value.
 * NOTE(review): i is declared on a line that is not shown (original line
 * 234); it is compared with certHashes.size() but printed with %d - confirm
 * the declared type matches the format specifier. */
233 _INFO("no rule found, aid [%s]", aid.toString().c_str());
235 for (i = 0; i < certHashes.size(); i++) {
236 _INFO(" hash[%d] [%s]", i, certHashes[i].toString().c_str());
/* Debug dump of the whole rule set: for each AID in mapConditions it logs the
 * AID, using a readable label for the DEFAULT_SE_APP and ALL_SE_APPS
 * sentinels, and then lets the AccessCondition print its own rules.
 * NOTE(review): temp is declared on a line that is not shown (original line
 * 244). The dump exposes the complete ACL at debug log level, so check that
 * debug logging is off in production builds. */
242 void AccessControlList::printAccessControlList() const
245 map<ByteArray, AccessCondition>::const_iterator iterMap;
247 _DBG("========================== Access Control Rules ============================");
248 for (iterMap = mapConditions.begin(); iterMap != mapConditions.end(); iterMap++)
250 temp = iterMap->first;
/* Sentinel AIDs get a fixed label; any other AID is printed via toString(). */
252 _DBG("+ aid : %s", (temp == DEFAULT_SE_APP) ? "Default Application" : (temp == ALL_SE_APPS) ? "All SE Applications" : temp.toString().c_str());
254 iterMap->second.printAccessConditions();
256 _DBG("============================================================================");
259 } /* namespace smartcard_service_api */