dexter has uploaded this change for review.

View Change

AccessRuleMaster: allow locking of STORE DATA commands

The ara-m applet has no security features whatsoever. The rules can
be edited by any user that has APDU access to the ARA-M application.

To add a bit of security for users who want to make sure that their
ARA-M rules are not edited by unauthorized partys, let's add a
propritary lock/unlock command that can be used to lock the access
to STORE DATA on the normal APDU interface of the application. Once
locked, the access to STORE DATA can only be unlocked via an INSTALL
for personalization command that is issued from the ISD on a secure
channel.

Related: SYS#7245
Change-Id: I86437844585c22fc4280cc48b99edbb56e3159db
---
M aram/src/main/java/fr/bmartel/aram/AccessRuleMaster.java
1 file changed, 16 insertions(+), 1 deletion(-)

git pull ssh://gerrit.osmocom.org:29418/aram-applet refs/changes/15/39615/1
diff --git a/aram/src/main/java/fr/bmartel/aram/AccessRuleMaster.java b/aram/src/main/java/fr/bmartel/aram/AccessRuleMaster.java
index bdce9c3..4e90f80 100644
--- a/aram/src/main/java/fr/bmartel/aram/AccessRuleMaster.java
+++ b/aram/src/main/java/fr/bmartel/aram/AccessRuleMaster.java
@@ -48,6 +48,9 @@
     public final static byte COMMAND_DELETE = (byte) 0xF1;
     public final static byte COMMAND_UPDATE_REFRESH_TAG = (byte) 0xF2;
 
+    public final static byte COMMAND_LOCK_ARAM = (byte) 0xA1;
+    public final static byte COMMAND_UNLOCK_ARAM = (byte) 0xA2;
+
     /**
      * APDU data size.
      */
@@ -70,6 +73,11 @@
      * current chunk index to send for next GET NEXT command.
      */
     private short currentNext;
+    /**
+     * lock status of the Access Rule Master. When set to true, it is no longer possible to issue
+     * STORE DATA commands to the applet through its process interface.
+     */
+    private boolean aram_lock_status;
 
     private AccessRuleMaster() {
         refreshTag = new byte[8];
@@ -94,7 +102,8 @@
             case INS_STORE_DATA:
                 if (apdu.setIncomingAndReceive() != (short) (buffer[ISO7816.OFFSET_LC] & 0xFF))
                     ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
-
+                if (this.aram_lock_status)
+                    ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
                 processCmdStoreData(APDU.getCurrentAPDUBuffer());
                 break;
             case INS_GET_DATA:
@@ -291,6 +300,12 @@
                 deleteArDo(buf);
             } else if (buf[ofs] == AccessRuleMaster.COMMAND_UPDATE_REFRESH_TAG) {
                 updateRefreshTag();
+            } else if (buf[ofs] == AccessRuleMaster.COMMAND_LOCK_ARAM) {
+		this.aram_lock_status = true;
+		return;
+            } else if (buf[ofs] == AccessRuleMaster.COMMAND_UNLOCK_ARAM) {
+		this.aram_lock_status = false;
+		return;
             } else {
                 ISOException.throwIt(ISO7816.SW_DATA_INVALID);
             }

To view, visit change 39615. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-MessageType: newchange
Gerrit-Project: aram-applet
Gerrit-Branch: master
Gerrit-Change-Id: I86437844585c22fc4280cc48b99edbb56e3159db
Gerrit-Change-Number: 39615
Gerrit-PatchSet: 1
Gerrit-Owner: dexter <pmaier@sysmocom.de>