GlobalPlatform / WebApis-for-SE

Open source Apis to access a Secure Element from a Web application
Apache License 2.0

Open Channel instance transfer #48

Closed hchavers closed 8 years ago

hchavers commented 8 years ago

Comments from Trusted Computing Group - Item # 29

Section: 12.2 Methods

Comment: Re: “selectNext Updates the targeted on-card application of this channel to be the next one matching the partial Application Identifier passed when this channel was open.”

Proposed Resolution: Why? Passing an open channel from one application instance to another application instance sounds like a security vulnerability, easily exploited by attackers.

serianox commented 8 years ago

This method is a convenience for iterating over instances with matching partial AID, e.g. two applications from the same developer. It is necessary since it is not possible to manually send a SELECT NEXT command to bypass the Access Control.

However, it is obvious that the Access Control will be triggered. The following should be added to the method description.

This method will trigger the Access Control Enforcer to check that the requesting off-card application is authorized to change the applet currently selected on this channel.

opoto commented 8 years ago

The Access Control Enforcer is only invoked by the OpenChannel operation, not by selectNext. If a partial AID is used, then the ACE will ensure the application has access to this partial AID. This will open access to all applets covered by this partial AID. From GP-AC:

When trying to find a rule corresponding to an SE application, the AID targeted can be a full AID or a partial AID. A partial AID is used to perform a SELECT [by name] [first occurrence] command and then one or more SELECT [by name] [next occurrence] commands as defined in [7816-4]. In both cases, full AID and partial AID, the ARA-M (when the Access Control Enforcer uses the deprecated GET DATA [Specific]) or the Access Control Enforcer (when using GET DATA [All]) shall only consider rules having an AID-REF-DO with an AID value matching exactly the AID given in the AID-REF-DO of the deprecated GET DATA [Specific] or specified by the device application to the Access Control Enforcer through the SE Access API. Note: When a device application is selecting SE applications using selection by partial AID, access to the SE applications by the device application will only be granted if there is an access rule defined for this partial AID.

serianox commented 8 years ago

This is coarse-grained, but since this is already specified in [GP-AC] this is how we should do it.
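The thread's conclusion, that ACE rules are matched exactly against the AID passed at openChannel and that a partial-AID rule therefore covers every applet reachable through selectNext, is easier to see in a small model. The following Python is an added illustration written for this page; it is not code from WebApis-for-SE or from the GP-AC specification. All AIDs, applet names, device-application identifiers (`app-A`, `app-B`) and the helper names (`ace_authorizes`, `open_channel`, `reachable_applets`) are constructed for the example, and the model deliberately ignores everything the quoted text does not mention (wildcard or default rules, APDU filters, the real rule encoding).

```python
from dataclasses import dataclass

# Constructed applets on a hypothetical Secure Element: AID -> applet name.
SE_APPLETS = {
    bytes.fromhex("A000000151000001"): "applet-1",
    bytes.fromhex("A000000151000002"): "applet-2",
    bytes.fromhex("A000000151000003"): "applet-3",
    bytes.fromhex("A000000151010000"): "other-vendor",
}

# Constructed partial AID: a 7-byte prefix shared by applet-1..3 only.
PARTIAL_AID = bytes.fromhex("A0000001510000")
FULL_AID_1 = bytes.fromhex("A000000151000001")


@dataclass(frozen=True)
class AccessRule:
    aid: bytes            # AID value carried in the rule's AID-REF-DO
    device_app: str       # identifier of the authorized device application (constructed)


# Constructed rule set: app-A holds a partial-AID rule, app-B a full-AID rule.
RULES = [
    AccessRule(PARTIAL_AID, "app-A"),
    AccessRule(FULL_AID_1, "app-B"),
]


def ace_authorizes(rules, device_app, requested_aid):
    """Access Control Enforcer check as quoted from GP-AC: only rules whose
    AID value matches EXACTLY the AID given at openChannel are considered.
    A prefix relationship between rule AID and requested AID does not count."""
    return any(r.aid == requested_aid and r.device_app == device_app for r in rules)


class Channel:
    """Logical channel after SELECT [by name][first occurrence]; selectNext
    walks the remaining occurrences without invoking the ACE again."""

    def __init__(self, applets, requested_aid):
        # SELECT by name matches every applet whose AID starts with the given bytes.
        self.matches = sorted(aid for aid in applets if aid.startswith(requested_aid))
        if not self.matches:
            raise LookupError("no applet matches the requested AID")
        self.index = 0

    @property
    def selected(self):
        return self.matches[self.index]

    def select_next(self):
        # SELECT [by name][next occurrence]; returns False once exhausted.
        if self.index + 1 >= len(self.matches):
            return False
        self.index += 1
        return True


def open_channel(rules, device_app, requested_aid, applets=SE_APPLETS):
    """openChannel: the only point at which the ACE is consulted."""
    if not ace_authorizes(rules, device_app, requested_aid):
        raise PermissionError("access denied by ACE for %s" % requested_aid.hex())
    return Channel(applets, requested_aid)


def reachable_applets(rules, device_app, requested_aid, applets=SE_APPLETS):
    """Names of every applet the device app can reach by opening a channel on
    requested_aid and iterating with selectNext; empty if the ACE refuses."""
    try:
        channel = open_channel(rules, device_app, requested_aid, applets)
    except PermissionError:
        return []
    names = [applets[channel.selected]]
    while channel.select_next():
        names.append(applets[channel.selected])
    return names


if __name__ == "__main__":
    # Partial-AID rule: one authorization covers all three matching applets.
    print("app-A, partial AID:", reachable_applets(RULES, "app-A", PARTIAL_AID))
    # Full-AID rule does not authorize a partial-AID request (exact match only).
    print("app-B, partial AID:", reachable_applets(RULES, "app-B", PARTIAL_AID))
    # Full-AID rule authorizes exactly one applet; selectNext has nothing further.
    print("app-B, full AID:   ", reachable_applets(RULES, "app-B", FULL_AID_1))
```

The run shows the coarse granularity serianox refers to: once `app-A` passes the ACE for the partial AID, `selectNext` reaches `applet-1`, `applet-2` and `applet-3` with no further check, while `app-B`, whose rule names only the full AID of `applet-1`, is refused a channel on the partial AID even though one of the applets it would reach is the one it is authorized for. A reviewer auditing rule sets on an ARA-M should therefore treat every partial-AID rule as a grant over the whole prefix, not over a single applet.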