laforge submitted this change.
AccessRuleMaster: allow locking of STORE DATA commands
The ara-m applet has no security features whatsoever. The rules can
be edited by any user that has APDU access to the ARA-M application.
To add a bit of security for users who want to make sure that their
ARA-M rules are not edited by unauthorized parties, let's add a
proprietary lock/unlock command that can be used to lock the access
to STORE DATA on the normal APDU interface of the application. Once
locked, the access to STORE DATA can only be unlocked via an INSTALL
for personalization command that is issued from the ISD on a secure
channel.
Related: SYS#7245
Change-Id: I86437844585c22fc4280cc48b99edbb56e3159db
---
M aram/src/main/java/fr/bmartel/aram/AccessRuleMaster.java
1 file changed, 19 insertions(+), 2 deletions(-)
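--- a/aram/src/main/java/fr/bmartel/aram/AccessRuleMaster.java
+++ b/aram/src/main/java/fr/bmartel/aram/AccessRuleMaster.java
@@ -48,6 +48,9 @@
 public final static byte COMMAND_DELETE = (byte) 0xF1;
 public final static byte COMMAND_UPDATE_REFRESH_TAG = (byte) 0xF2;
+ public final static byte COMMAND_LOCK_ARAM = (byte) 0xA1;
+ public final static byte COMMAND_UNLOCK_ARAM = (byte) 0xA2;
+
 /**
 * APDU data size.
 */
@@ -70,6 +73,11 @@
 * current chunk index to send for next GET NEXT command.
 */
 private short currentNext;
+ /**
+ * lock status of the Access Rule Master. When set to true, it is no longer possible to issue
+ * STORE DATA commands to the applet through its process interface.
+ */
+ private boolean aram_lock_status;
 private AccessRuleMaster() {
 refreshTag = new byte[8];
@@ -94,7 +102,8 @@
 case INS_STORE_DATA:
 if (apdu.setIncomingAndReceive() != (short) (buffer[ISO7816.OFFSET_LC] & 0xFF))
 ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
-
+ if (this.aram_lock_status)
+ ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
 processCmdStoreData(APDU.getCurrentAPDUBuffer());
 break;
 case INS_GET_DATA:
@@ -291,6 +300,12 @@
 deleteArDo(buf);
 } else if (buf[ofs] == AccessRuleMaster.COMMAND_UPDATE_REFRESH_TAG) {
 updateRefreshTag();
+ } else if (buf[ofs] == AccessRuleMaster.COMMAND_LOCK_ARAM) {
+ this.aram_lock_status = true;
+ return;
+ } else if (buf[ofs] == AccessRuleMaster.COMMAND_UNLOCK_ARAM) {
+ this.aram_lock_status = false;
+ return;
 } else {
 ISOException.throwIt(ISO7816.SW_DATA_INVALID);
 }
@@ -425,7 +440,9 @@
 }
 /**
- * Process data from install for personalization.
+ * Process data from install for personalization. Since this method is only called by the SD, no extra security
+ * checks are required (See also: GPC_SPE_034, section 11.5: "The INSTALL command is issued to a Security Domain
+ * to initiate or perform the various steps required for Card Content management.").
 *
 * @param data input data
 * @param ofs data offset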
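Review bot: The COMMAND_LOCK_ARAM branch added to the command dispatch in the hunk starting at new line 300 is reachable by any caller over the plain STORE DATA path while the applet is unlocked, so an unprivileged party can lock rule management and force an ISD-side INSTALL [for personalization] to recover; the commit message implies this trade-off but nothing in the code records it. I would document it on the new constants: `/** Proprietary LOCK/UNLOCK. LOCK is accepted from any caller; once locked, STORE DATA fails with SW_SECURITY_STATUS_NOT_SATISFIED and UNLOCK is only reachable via INSTALL [for personalization]. */`. The COMMAND_UNLOCK_ARAM branch is likewise still accepted over STORE DATA whenever the applet is not locked, which is harmless today only because of the guard in process(), so a one-line comment there would keep a later refactor from weakening it. The field `aram_lock_status` departs from the camelCase used by `currentNext` and `refreshTag`; `aramLocked` would match the file. The dispatch method containing the if-chain starts and ends outside the hunk.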