GP: Rework security/protocol policy handling

promovicz · promovicz · commit c84874e50384 · 2021-03-19T02:42:46.000+01:00
Simpler API, easier reuse.
diff --git a/globalplatform/src/main/java/org/openjavacard/gp/client/GPCard.java b/globalplatform/src/main/java/org/openjavacard/gp/client/GPCard.java
@@ -381,7 +381,9 @@ public void connect() throws CardException {
             mCardKeyInfo.checkKeysetForUsage(mKeys);
 
             // create a secure channel object
-            mSecureChannel = new GPSecureChannel(mContext, mBasicChannel, mKeys, mDiversification, mProtocolPolicy, mSecurityPolicy);
+            mSecureChannel = new GPSecureChannel(mContext, mBasicChannel, mKeys, mDiversification);
+            mSecureChannel.setProtocolPolicy(mProtocolPolicy);
+            mSecureChannel.setSecurityPolicy(mSecurityPolicy);
 
             // set protocol expectation of secure channel
             if (mCardData != null) {
diff --git a/globalplatform/src/main/java/org/openjavacard/gp/client/GPContext.java b/globalplatform/src/main/java/org/openjavacard/gp/client/GPContext.java
@@ -19,6 +19,8 @@
 
 package org.openjavacard.gp.client;
 
+import org.openjavacard.gp.scp.SCPProtocolPolicy;
+import org.openjavacard.gp.scp.SCPSecurityPolicy;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -28,6 +30,12 @@ public class GPContext {
 
     private boolean mKeyLoggingEnabled = false;
 
+    private SCPProtocolPolicy mProtocolPolicy = SCPProtocolPolicy.PERMISSIVE;
+    private SCPSecurityPolicy mSecurityPolicy = SCPSecurityPolicy.CMAC;
+
+    /**
+     * Main constructor
+     */
     public GPContext() {
     }
 
@@ -36,6 +44,24 @@ public boolean isKeyLoggingEnabled() {
         return mKeyLoggingEnabled;
     }
 
+    public SCPProtocolPolicy getProtocolPolicy() {
+        return mProtocolPolicy;
+    }
+
+    public SCPSecurityPolicy getSecurityPolicy() {
+        return mSecurityPolicy;
+    }
+
+    public void setProtocolPolicy(SCPProtocolPolicy protocolPolicy) {
+        LOG.info("new protocol policy " + protocolPolicy);
+        mProtocolPolicy = protocolPolicy;
+    }
+
+    public void setSecurityPolicy(SCPSecurityPolicy securityPolicy) {
+        LOG.info("new protocol policy " + securityPolicy);
+        mSecurityPolicy = securityPolicy;
+    }
+
     /**
      * Enable logging of keys
      */
diff --git a/globalplatform/src/main/java/org/openjavacard/gp/scp/GPSecureChannel.java b/globalplatform/src/main/java/org/openjavacard/gp/scp/GPSecureChannel.java
@@ -63,10 +63,11 @@ public class GPSecureChannel extends CardChannel {
     private final GPKeySet mStaticKeys;
     /** Key diversification to apply */
     private final GPKeyDiversification mDiversification;
+
     /** Protocol policy in effect */
-    private final SCPProtocolPolicy mProtocolPolicy;
+    private SCPProtocolPolicy mProtocolPolicy;
     /** Security policy in effect */
-    private final SCPSecurityPolicy mSecurityPolicy;
+    private SCPSecurityPolicy mSecurityPolicy;
 
     /** Expected SCP protocol - 0 means ANY */
     private int mExpectedProtocol = 0;
@@ -89,19 +90,19 @@ public class GPSecureChannel extends CardChannel {
      * @param context for this secure channel
      * @param channel to communicate through
      * @param keys to use
-     * @param protocolPolicy to conform to
-     * @param securityPolicy to conform to
      */
     public GPSecureChannel(GPContext context, CardChannel channel,
-                           GPKeySet keys, GPKeyDiversification diversification,
-                           SCPProtocolPolicy protocolPolicy, SCPSecurityPolicy securityPolicy) {
+                           GPKeySet keys, GPKeyDiversification diversification) {
+        // final fields
         mRandom = new SecureRandom();
         mContext = context;
         mChannel = channel;
         mStaticKeys = keys;
         mDiversification = diversification;
-        mProtocolPolicy = protocolPolicy;
-        mSecurityPolicy = securityPolicy;
+        // config fields
+        mProtocolPolicy = context.getProtocolPolicy();
+        mSecurityPolicy = context.getSecurityPolicy();
+        // state fields
         reset();
     }
 
@@ -122,11 +123,37 @@ public SCPParameters getActiveProtocol() {
         return mActiveProtocol;
     }
 
+    /** @return the protocol policy in effect on this channel */
+    public SCPProtocolPolicy getProtocolPolicy() {
+        return mProtocolPolicy;
+    }
+
+    /** @return the security policy in effect on this channel */
+    public SCPSecurityPolicy getSecurityPolicy() {
+        return mSecurityPolicy;
+    }
+
     /** @return true if the channel is established */
     public boolean isEstablished() {
         return mIsEstablished;
     }
 
+    /**
+     * Set the protocol policy to be used for this channel
+     * @param protocolPolicy
+     */
+    public void setProtocolPolicy(SCPProtocolPolicy protocolPolicy) {
+        mProtocolPolicy = protocolPolicy;
+    }
+
+    /**
+     * Set the security policy to be used for this channel
+     * @param securityPolicy
+     */
+    public void setSecurityPolicy(SCPSecurityPolicy securityPolicy) {
+        mSecurityPolicy = securityPolicy;
+    }
+
     /**
      * Inform the secure channel about the protocol to be used
      * <p/>
@@ -266,6 +293,10 @@ private ResponseAPDU transmitInternal(CommandAPDU command) throws CardException
     public void open() throws CardException {
         LOG.debug("opening secure channel");
 
+        // log policies
+        LOG.debug("using protocol policy " + mProtocolPolicy);
+        LOG.debug("using security policy " + mSecurityPolicy);
+
         // generate the host challenge
         byte[] hostChallenge = generateChallenge();
 
