1 /******************************************************************************
2  *
3  *  Copyright (C) 2018 ST Microelectronics S.A.
4  *
5  *  Licensed under the Apache License, Version 2.0 (the "License");
6  *  you may not use this file except in compliance with the License.
7  *  You may obtain a copy of the License at:
8  *
9  *  http://www.apache.org/licenses/LICENSE-2.0
10  *
11  *  Unless required by applicable law or agreed to in writing, software
12  *  distributed under the License is distributed on an "AS IS" BASIS,
13  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  *  See the License for the specific language governing permissions and
15  *  limitations under the License.
16  *
17  *
18  ******************************************************************************/
19 #define LOG_TAG "StEse-SecureElement"
20 #include <android_logmsg.h>
21 
22 #include <stdlib.h>
23 #include <string.h>
24 #include "SecureElement.h"
25 
26 extern bool ese_debug_enabled;
27 static bool OpenLogicalChannelProcessing = false;
28 static bool OpenBasicChannelProcessing = false;
29 
30 namespace android {
31 namespace hardware {
32 namespace secure_element {
33 namespace V1_1 {
34 namespace implementation {
35 
36 sp<V1_1::ISecureElementHalCallback> SecureElement::mCallbackV1_1 = nullptr;
37 sp<V1_0::ISecureElementHalCallback> SecureElement::mCallbackV1_0 = nullptr;
38 
SecureElement()39 SecureElement::SecureElement()
40     : mOpenedchannelCount(0), mOpenedChannels{false, false, false, false} {}
41 
init(const sp<::android::hardware::secure_element::V1_0::ISecureElementHalCallback> & clientCallback)42 Return<void> SecureElement::init(
43     const sp<
44         ::android::hardware::secure_element::V1_0::ISecureElementHalCallback>&
45         clientCallback) {
46   ESESTATUS status = ESESTATUS_SUCCESS;
47   STLOG_HAL_D("%s: Enter", __func__);
48   if (clientCallback == nullptr) {
49     return Void();
50   } else {
51     mCallbackV1_0 = clientCallback;
52     mCallbackV1_1 = nullptr;
53     if (!mCallbackV1_0->linkToDeath(this, 0 /*cookie*/)) {
54       STLOG_HAL_E("%s: Failed to register death notification", __func__);
55     }
56   }
57 
58   if (isSeInitialized()) {
59     clientCallback->onStateChange(true);
60     return Void();
61   }
62 
63   status = seHalInit();
64   if (status != ESESTATUS_SUCCESS) {
65     clientCallback->onStateChange(false);
66     return Void();
67   } else {
68     clientCallback->onStateChange(true);
69     return Void();
70   }
71 }
init_1_1(const sp<::android::hardware::secure_element::V1_1::ISecureElementHalCallback> & clientCallback)72 Return<void> SecureElement::init_1_1(
73     const sp<
74         ::android::hardware::secure_element::V1_1::ISecureElementHalCallback>&
75         clientCallback) {
76   ESESTATUS status = ESESTATUS_SUCCESS;
77   STLOG_HAL_D("%s: Enter", __func__);
78   if (clientCallback == nullptr) {
79     return Void();
80   } else {
81     mCallbackV1_1 = clientCallback;
82     mCallbackV1_0 = nullptr;
83     if (!mCallbackV1_1->linkToDeath(this, 0 /*cookie*/)) {
84       STLOG_HAL_E("%s: Failed to register death notification", __func__);
85     }
86   }
87 
88   if (isSeInitialized()) {
89     clientCallback->onStateChange_1_1(true, "SE already initialized");
90     return Void();
91   }
92 
93   status = seHalInit();
94   if (status != ESESTATUS_SUCCESS) {
95     clientCallback->onStateChange_1_1(false, "SE initialization failed");
96     return Void();
97   } else {
98     clientCallback->onStateChange_1_1(true, "SE initialized");
99     return Void();
100   }
101 }
102 
getAtr(getAtr_cb _hidl_cb)103 Return<void> SecureElement::getAtr(getAtr_cb _hidl_cb) {
104   STLOG_HAL_D("%s: Enter", __func__);
105   hidl_vec<uint8_t> response;
106   uint8_t* ATR;
107   ATR = StEse_getAtr();
108   if (ATR != nullptr) {
109     uint8_t len = *ATR;
110     if (len) {
111       response.resize(len);
112       memcpy(&response[0], ATR, len);
113     }
114   }
115   _hidl_cb(response);
116   return Void();
117 }
118 
isCardPresent()119 Return<bool> SecureElement::isCardPresent() { return true; }
120 
transmit(const hidl_vec<uint8_t> & data,transmit_cb _hidl_cb)121 Return<void> SecureElement::transmit(const hidl_vec<uint8_t>& data,
122                                      transmit_cb _hidl_cb) {
123   ESESTATUS status = ESESTATUS_FAILED;
124   StEse_data cmdApdu;
125   StEse_data rspApdu;
126   memset(&cmdApdu, 0x00, sizeof(StEse_data));
127   memset(&rspApdu, 0x00, sizeof(StEse_data));
128 
129   STLOG_HAL_D("%s: Enter", __func__);
130   cmdApdu.len = data.size();
131   if (cmdApdu.len >= MIN_APDU_LENGTH) {
132     cmdApdu.p_data = (uint8_t*)malloc(data.size() * sizeof(uint8_t));
133     memcpy(cmdApdu.p_data, data.data(), cmdApdu.len);
134     status = StEse_Transceive(&cmdApdu, &rspApdu);
135   }
136 
137   hidl_vec<uint8_t> result;
138   if (status != ESESTATUS_SUCCESS) {
139     STLOG_HAL_E("%s: transmit failed!!!", __func__);
140     seHalResetSe();
141   } else {
142     result.resize(rspApdu.len);
143     memcpy(&result[0], rspApdu.p_data, rspApdu.len);
144   }
145   _hidl_cb(result);
146   free(cmdApdu.p_data);
147   free(rspApdu.p_data);
148   return Void();
149 }
150 
openLogicalChannel(const hidl_vec<uint8_t> & aid,uint8_t p2,openLogicalChannel_cb _hidl_cb)151 Return<void> SecureElement::openLogicalChannel(const hidl_vec<uint8_t>& aid,
152                                                uint8_t p2,
153                                                openLogicalChannel_cb _hidl_cb) {
154   hidl_vec<uint8_t> manageChannelCommand = {0x00, 0x70, 0x00, 0x00, 0x01};
155   OpenLogicalChannelProcessing = true;
156   LogicalChannelResponse resApduBuff;
157   resApduBuff.channelNumber = 0xff;
158   memset(&resApduBuff, 0x00, sizeof(resApduBuff));
159   STLOG_HAL_D("%s: Enter", __func__);
160 
161   if (aid.size() > 16) {
162     STLOG_HAL_E("%s: Invalid AID size: %u", __func__, (unsigned)aid.size());
163     _hidl_cb(resApduBuff, SecureElementStatus::FAILED);
164     OpenLogicalChannelProcessing = false;
165     return Void();
166   }
167 
168   if (!isSeInitialized()) {
169     STLOG_HAL_D("%s: Enter SeInitialized", __func__);
170     ESESTATUS status = seHalInit();
171     if (status != ESESTATUS_SUCCESS) {
172       STLOG_HAL_E("%s: seHalInit Failed!!!", __func__);
173       _hidl_cb(resApduBuff, SecureElementStatus::IOERROR);
174       OpenLogicalChannelProcessing = false;
175       return Void();
176     }
177   }
178 
179   SecureElementStatus sestatus = SecureElementStatus::FAILED;
180   ESESTATUS status = ESESTATUS_FAILED;
181   StEse_data cmdApdu;
182   StEse_data rspApdu;
183 
184   memset(&cmdApdu, 0x00, sizeof(StEse_data));
185   memset(&rspApdu, 0x00, sizeof(StEse_data));
186 
187   cmdApdu.len = manageChannelCommand.size();
188   cmdApdu.p_data =
189       (uint8_t*)malloc(manageChannelCommand.size() * sizeof(uint8_t));
190   if (cmdApdu.p_data != NULL) {
191     memcpy(cmdApdu.p_data, manageChannelCommand.data(), cmdApdu.len);
192     status = StEse_Transceive(&cmdApdu, &rspApdu);
193   }
194   if (status != ESESTATUS_SUCCESS) {
195     /*Transceive failed*/
196     sestatus = SecureElementStatus::IOERROR;
197   } else if (rspApdu.p_data[rspApdu.len - 2] == 0x90 &&
198              rspApdu.p_data[rspApdu.len - 1] == 0x00) {
199     /*ManageChannel successful*/
200     resApduBuff.channelNumber = rspApdu.p_data[0];
201     mOpenedchannelCount++;
202     mOpenedChannels[resApduBuff.channelNumber] = true;
203     sestatus = SecureElementStatus::SUCCESS;
204   } else if (rspApdu.p_data[rspApdu.len - 2] == 0x6A &&
205              rspApdu.p_data[rspApdu.len - 1] == 0x81) {
206     sestatus = SecureElementStatus::CHANNEL_NOT_AVAILABLE;
207   } else if (((rspApdu.p_data[rspApdu.len - 2] == 0x6E) ||
208               (rspApdu.p_data[rspApdu.len - 2] == 0x6D)) &&
209              rspApdu.p_data[rspApdu.len - 1] == 0x00) {
210     sestatus = SecureElementStatus::UNSUPPORTED_OPERATION;
211   }
212   /*Free the allocations*/
213   free(cmdApdu.p_data);
214   cmdApdu.p_data = NULL;
215   free(rspApdu.p_data);
216   rspApdu.p_data = NULL;
217   if (sestatus != SecureElementStatus::SUCCESS) {
218     /* if the SE is unresponsive, reset it */
219     if (sestatus == SecureElementStatus::IOERROR) {
220       seHalResetSe();
221     }
222 
223     /*If manageChannel is failed in any of above cases
224     send the callback and return*/
225     _hidl_cb(resApduBuff, sestatus);
226     STLOG_HAL_E("%s: Exit - manage channel failed!!", __func__);
227     OpenLogicalChannelProcessing = false;
228     return Void();
229   }
230 
231   STLOG_HAL_D("%s: Sending selectApdu", __func__);
232   /*Reset variables if manageChannel is success*/
233   sestatus = SecureElementStatus::FAILED;
234   status = ESESTATUS_FAILED;
235 
236   memset(&cmdApdu, 0x00, sizeof(StEse_data));
237   memset(&rspApdu, 0x00, sizeof(StEse_data));
238 
239   cmdApdu.len = (int32_t)(6 + aid.size());
240   cmdApdu.p_data = (uint8_t*)malloc(cmdApdu.len * sizeof(uint8_t));
241   if (cmdApdu.p_data != NULL) {
242     uint8_t xx = 0;
243     cmdApdu.p_data[xx++] = resApduBuff.channelNumber;
244     cmdApdu.p_data[xx++] = 0xA4;        // INS
245     cmdApdu.p_data[xx++] = 0x04;        // P1
246     cmdApdu.p_data[xx++] = p2;          // P2
247     cmdApdu.p_data[xx++] = aid.size();  // Lc
248     memcpy(&cmdApdu.p_data[xx], aid.data(), aid.size());
249     cmdApdu.p_data[xx + aid.size()] = 0x00;  // Le
250     status = StEse_Transceive(&cmdApdu, &rspApdu);
251   }
252 
253   if (status != ESESTATUS_SUCCESS) {
254     /*Transceive failed*/
255     sestatus = SecureElementStatus::IOERROR;
256   } else {
257     uint8_t sw1 = rspApdu.p_data[rspApdu.len - 2];
258     uint8_t sw2 = rspApdu.p_data[rspApdu.len - 1];
259     /*Return response on success, empty vector on failure*/
260     /*Status is success*/
261     if (sw1 == 0x90 && sw2 == 0x00) {
262       /*Copy the response including status word*/
263       resApduBuff.selectResponse.resize(rspApdu.len);
264       memcpy(&resApduBuff.selectResponse[0], rspApdu.p_data, rspApdu.len);
265       sestatus = SecureElementStatus::SUCCESS;
266     }
267     /*AID provided doesn't match any applet on the secure element*/
268     else if (sw1 == 0x6A && sw2 == 0x82) {
269       sestatus = SecureElementStatus::NO_SUCH_ELEMENT_ERROR;
270     }
271     /*Operation provided by the P2 parameter is not permitted by the applet.*/
272     else if (sw1 == 0x6A && sw2 == 0x86) {
273       sestatus = SecureElementStatus::UNSUPPORTED_OPERATION;
274     }
275   }
276 
277   if (sestatus != SecureElementStatus::SUCCESS) {
278     /* if the SE is unresponsive, reset it */
279     if (sestatus == SecureElementStatus::IOERROR) {
280       seHalResetSe();
281     } else {
282       STLOG_HAL_E("%s: Select APDU failed! Close channel..", __func__);
283       SecureElementStatus closeChannelStatus =
284           closeChannel(resApduBuff.channelNumber);
285       if (closeChannelStatus != SecureElementStatus::SUCCESS) {
286         STLOG_HAL_E("%s: closeChannel Failed", __func__);
287       } else {
288         resApduBuff.channelNumber = 0xff;
289       }
290     }
291   }
292   _hidl_cb(resApduBuff, sestatus);
293   free(cmdApdu.p_data);
294   free(rspApdu.p_data);
295   STLOG_HAL_V("%s: Exit", __func__);
296   OpenLogicalChannelProcessing = false;
297   return Void();
298 }
299 
openBasicChannel(const hidl_vec<uint8_t> & aid,uint8_t p2,openBasicChannel_cb _hidl_cb)300 Return<void> SecureElement::openBasicChannel(const hidl_vec<uint8_t>& aid,
301                                              uint8_t p2,
302                                              openBasicChannel_cb _hidl_cb) {
303   hidl_vec<uint8_t> result;
304   OpenBasicChannelProcessing = true;
305   STLOG_HAL_D("%s: Enter", __func__);
306 
307   if (aid.size() > 16) {
308     STLOG_HAL_E("%s: Invalid AID size: %u", __func__, (unsigned)aid.size());
309     _hidl_cb(result, SecureElementStatus::FAILED);
310     OpenBasicChannelProcessing = false;
311     return Void();
312   }
313 
314   if (!isSeInitialized()) {
315     ESESTATUS status = seHalInit();
316     if (status != ESESTATUS_SUCCESS) {
317       STLOG_HAL_E("%s: seHalInit Failed!!!", __func__);
318       _hidl_cb(result, SecureElementStatus::IOERROR);
319       OpenBasicChannelProcessing = false;
320       return Void();
321     }
322   }
323 
324   SecureElementStatus sestatus = SecureElementStatus::FAILED;
325   ESESTATUS status = ESESTATUS_FAILED;
326   StEse_data cmdApdu;
327   StEse_data rspApdu;
328 
329   memset(&cmdApdu, 0x00, sizeof(StEse_data));
330   memset(&rspApdu, 0x00, sizeof(StEse_data));
331 
332   cmdApdu.len = (int32_t)(6 + aid.size());
333   cmdApdu.p_data = (uint8_t*)malloc(cmdApdu.len * sizeof(uint8_t));
334   if (cmdApdu.p_data != NULL) {
335     uint8_t xx = 0;
336     cmdApdu.p_data[xx++] = 0x00;        // basic channel
337     cmdApdu.p_data[xx++] = 0xA4;        // INS
338     cmdApdu.p_data[xx++] = 0x04;        // P1
339     cmdApdu.p_data[xx++] = p2;          // P2
340     cmdApdu.p_data[xx++] = aid.size();  // Lc
341     memcpy(&cmdApdu.p_data[xx], aid.data(), aid.size());
342     cmdApdu.p_data[xx + aid.size()] = 0x00;  // Le
343 
344     status = StEse_Transceive(&cmdApdu, &rspApdu);
345   }
346 
347   if (status != ESESTATUS_SUCCESS) {
348     /* Transceive failed */
349     sestatus = SecureElementStatus::IOERROR;
350   } else {
351     uint8_t sw1 = rspApdu.p_data[rspApdu.len - 2];
352     uint8_t sw2 = rspApdu.p_data[rspApdu.len - 1];
353     /*Return response on success, empty vector on failure*/
354     /*Status is success*/
355     if ((sw1 == 0x90) && (sw2 == 0x00)) {
356       /*Copy the response including status word*/
357       result.resize(rspApdu.len);
358       memcpy(&result[0], rspApdu.p_data, rspApdu.len);
359       /*Set basic channel reference if it is not set */
360       if (!mOpenedChannels[0]) {
361         mOpenedChannels[0] = true;
362         mOpenedchannelCount++;
363       }
364       sestatus = SecureElementStatus::SUCCESS;
365     }
366     /*AID provided doesn't match any applet on the secure element*/
367     else if (sw1 == 0x6A && sw2 == 0x82) {
368       sestatus = SecureElementStatus::NO_SUCH_ELEMENT_ERROR;
369     }
370     /*Operation provided by the P2 parameter is not permitted by the applet.*/
371     else if (sw1 == 0x6A && sw2 == 0x86) {
372       sestatus = SecureElementStatus::UNSUPPORTED_OPERATION;
373     }
374   }
375 
376   /* if the SE is unresponsive, reset it */
377   if (sestatus == SecureElementStatus::IOERROR) {
378     seHalResetSe();
379   }
380 
381   if ((sestatus != SecureElementStatus::SUCCESS) && mOpenedChannels[0]) {
382     SecureElementStatus closeChannelStatus =
383         closeChannel(DEFAULT_BASIC_CHANNEL);
384     if (closeChannelStatus != SecureElementStatus::SUCCESS) {
385       STLOG_HAL_E("%s: closeChannel Failed", __func__);
386     }
387   }
388   _hidl_cb(result, sestatus);
389   free(cmdApdu.p_data);
390   free(rspApdu.p_data);
391   STLOG_HAL_V("%s: Exit", __func__);
392   OpenBasicChannelProcessing = false;
393   return Void();
394 }
395 
396 Return<::android::hardware::secure_element::V1_0::SecureElementStatus>
closeChannel(uint8_t channelNumber)397 SecureElement::closeChannel(uint8_t channelNumber) {
398   ESESTATUS status = ESESTATUS_FAILED;
399   SecureElementStatus sestatus = SecureElementStatus::FAILED;
400 
401   StEse_data cmdApdu;
402   StEse_data rspApdu;
403 
404   STLOG_HAL_D("%s: Enter : %d", __func__, channelNumber);
405 
406   if ((channelNumber < DEFAULT_BASIC_CHANNEL) ||
407       (channelNumber >= MAX_LOGICAL_CHANNELS) ||
408       (mOpenedChannels[channelNumber] == false)) {
409     STLOG_HAL_E("%s: invalid channel!!!", __func__);
410     sestatus = SecureElementStatus::FAILED;
411   } else if (channelNumber > DEFAULT_BASIC_CHANNEL) {
412     memset(&cmdApdu, 0x00, sizeof(StEse_data));
413     memset(&rspApdu, 0x00, sizeof(StEse_data));
414     cmdApdu.p_data = (uint8_t*)malloc(5 * sizeof(uint8_t));
415     if (cmdApdu.p_data != NULL) {
416       uint8_t xx = 0;
417 
418       cmdApdu.p_data[xx++] = channelNumber;
419       cmdApdu.p_data[xx++] = 0x70;           // INS
420       cmdApdu.p_data[xx++] = 0x80;           // P1
421       cmdApdu.p_data[xx++] = channelNumber;  // P2
422       cmdApdu.p_data[xx++] = 0x00;           // Lc
423       cmdApdu.len = xx;
424 
425       status = StEse_Transceive(&cmdApdu, &rspApdu);
426     }
427     if (status != ESESTATUS_SUCCESS) {
428       sestatus = SecureElementStatus::FAILED;
429     } else if ((rspApdu.p_data[rspApdu.len - 2] == 0x90) &&
430                (rspApdu.p_data[rspApdu.len - 1] == 0x00)) {
431       sestatus = SecureElementStatus::SUCCESS;
432     } else {
433       sestatus = SecureElementStatus::FAILED;
434     }
435     free(cmdApdu.p_data);
436     free(rspApdu.p_data);
437   }
438 
439   if ((channelNumber == DEFAULT_BASIC_CHANNEL) ||
440       (sestatus == SecureElementStatus::SUCCESS)) {
441     STLOG_HAL_D("%s: Closing channel : %d is successful ", __func__,
442                 channelNumber);
443     mOpenedChannels[channelNumber] = false;
444     mOpenedchannelCount--;
445     /*If there are no channels remaining close secureElement*/
446     if ((mOpenedchannelCount == 0) && !OpenLogicalChannelProcessing &&
447         !OpenBasicChannelProcessing) {
448       sestatus = seHalDeInit();
449     } else {
450       sestatus = SecureElementStatus::SUCCESS;
451     }
452   }
453 
454   STLOG_HAL_V("%s: Exit", __func__);
455   return sestatus;
456 }
457 
serviceDied(uint64_t,const wp<IBase> &)458 void SecureElement::serviceDied(uint64_t /*cookie*/, const wp<IBase>& /*who*/) {
459   STLOG_HAL_E("%s: SecureElement serviceDied!!!", __func__);
460   SecureElementStatus sestatus = seHalDeInit();
461   if (sestatus != SecureElementStatus::SUCCESS) {
462     STLOG_HAL_E("%s: seHalDeInit Faliled!!!", __func__);
463   }
464   if (mCallbackV1_1 != nullptr) {
465     mCallbackV1_1->unlinkToDeath(this);
466     mCallbackV1_1 = nullptr;
467   }
468 }
469 
isSeInitialized()470 bool SecureElement::isSeInitialized() { return StEseApi_isOpen(); }
471 
seHalInit()472 ESESTATUS SecureElement::seHalInit() {
473   ESESTATUS status = ESESTATUS_SUCCESS;
474 
475   STLOG_HAL_D("%s: Enter", __func__);
476   status = StEse_init();
477   if (status != ESESTATUS_SUCCESS) {
478     STLOG_HAL_E("%s: SecureElement open failed!!!", __func__);
479   }
480   STLOG_HAL_V("%s: Exit", __func__);
481   return status;
482 }
483 
seHalResetSe()484 void SecureElement::seHalResetSe() {
485   ESESTATUS status = ESESTATUS_SUCCESS;
486 
487   STLOG_HAL_D("%s: Enter", __func__);
488   if (!isSeInitialized()) {
489     ESESTATUS status = seHalInit();
490     if (status != ESESTATUS_SUCCESS) {
491       STLOG_HAL_E("%s: seHalInit Failed!!!", __func__);
492     }
493   }
494 
495   if (status == ESESTATUS_SUCCESS) {
496     mCallbackV1_1->onStateChange_1_1(false, "reset the SE");
497 
498     status = StEse_Reset();
499     if (status != ESESTATUS_SUCCESS) {
500       STLOG_HAL_E("%s: SecureElement reset failed!!", __func__);
501     } else {
502       for (uint8_t xx = 0; xx < MAX_LOGICAL_CHANNELS; xx++) {
503         mOpenedChannels[xx] = false;
504       }
505       mOpenedchannelCount = 0;
506       mCallbackV1_1->onStateChange_1_1(true, "SE initialized");
507     }
508   }
509   STLOG_HAL_V("%s: Exit", __func__);
510 }
511 
512 Return<::android::hardware::secure_element::V1_0::SecureElementStatus>
seHalDeInit()513 SecureElement::seHalDeInit() {
514   STLOG_HAL_D("%s: Enter", __func__);
515   ESESTATUS status = ESESTATUS_SUCCESS;
516   SecureElementStatus sestatus = SecureElementStatus::FAILED;
517   status = StEse_close();
518   if (status != ESESTATUS_SUCCESS) {
519     sestatus = SecureElementStatus::FAILED;
520   } else {
521     sestatus = SecureElementStatus::SUCCESS;
522 
523     for (uint8_t xx = 0; xx < MAX_LOGICAL_CHANNELS; xx++) {
524       mOpenedChannels[xx] = false;
525     }
526     mOpenedchannelCount = 0;
527   }
528   STLOG_HAL_V("%s: Exit", __func__);
529   return sestatus;
530 }
531 
532 }  // namespace implementation
533 }  // namespace V1_1
534 }  // namespace secure_element
535 }  // namespace hardware
536 }  // namespace android
537