JavaCard implementation of the GlobalPlatform Access Rule Application Master (ARA-M) applet according to the Secure Element Access Control v1.1 specification.
ARA-M is an application (typically present on a SIM card) which manages access rules that are enforced by an Access Control Enforcer (typically present on an Android device). The enforcer makes sure the rules from the ARA-M are enforced. An access rule is composed of:
- an AID
- a certificate hash (SHA-1 or SHA-256 hash of the client application certificate)
- a set of rules
The Access Control Enforcer allows or denies a client application (for example an Android app) sending APDUs to an SE applet based on these rules.
More information: seek-for-android Access Control wiki
- get all
- get specific REF-DO
- get refresh tag
- get next
- store REF-AR-DO
- delete AID-REF-DO
- delete REF-DO
- delete REF-AR-DO
- update refresh tag
- store data can be accessed via install for personalization or via a raw STORE DATA APDU
- get data length is coded on 2 bytes max
- get specific is not compatible with get next
- rules are not stored as data object but as plain apdu AR-DO
- format of APDU-AR-DO, NFC-AR-DO is not checked
- deleting specific rules is not implemented (only aid/hash)
git clone [email protected]:bertrandmartel/aram-applet.git
cd aram-applet
git submodule update --init
To build the applet, a valid combination of JDK and JavaCard SDK must be used. This applet requires the combination of jc221_kit and jdk-8u421 (jdk1.8.0_421). A convenient way to select the JDK is to set the environment variable JAVA_HOME before calling ./gradlew.
- A table with compatible JDK / JavaCard SDK combinations can be found here: https://github.com/martinpaljak/ant-javacard/wiki/JavaCard-SDK-and-JDK-version-compatibility
- Older JDK versions are available here: https://www.oracle.com/de/java/technologies/javase/jdk11-archive-downloads.html
JAVA_HOME=/path/to/your/jdk1.8.0_421/ ./gradlew build
JAVA_HOME=/path/to/your/jdk1.8.0_421/ ./gradlew installJavaCard
JAVA_HOME=/path/to/your/jdk1.8.0_421/ ./gradlew test
JAVA_HOME=/path/to/your/jdk1.8.0_421/ ./gradlew test -DtestMode=smartcard
gp -acr-list
Use GlobalPlatformPro to send store data via the Security Domain with install command + install for personalization:
gp -acr-add -acr-rule 01 -app D2760001180002FF49502589C0019B18 -acr-hash 1FA8CC6CE448894C7011E23BCF56DB9BD9097432
gp -acr-delete -app D2760001180002FF49502589C0019B18 -acr-hash 1FA8CC6CE448894C7011E23BCF56DB9BD9097432
JAVA_HOME=/path/to/your/jdk1.8.0_421/ ./gradlew list
The following tasks send the STORE DATA command as a raw APDU via GlobalPlatformPro (for add and delete):
./gradlew store
or
JAVA_HOME=/path/to/your/jdk1.8.0_421/ ./gradlew test --tests fr.bmartel.aram.AramTest.storeDataValid
./gradlew delete
or
JAVA_HOME=/path/to/your/jdk1.8.0_421/ ./gradlew test --tests fr.bmartel.aram.AramTest.deleteByAid
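Because the applet does not check the format of APDU-AR-DO and NFC-AR-DO (see the limitations above), a rule can be validated on the host before it is stored. The Python code below is an added example, not code from this project: it builds the Command-Store-REF-AR-DO payload carried by STORE DATA, using the tag values and length constraints of the Secure Element Access Control specification. The function names are hypothetical, and the AID and hash are the sample values from the gp commands above.

```python
# Added example: tags follow GlobalPlatform Secure Element Access Control v1.1.
TAG_AID_REF_DO, TAG_HASH_REF_DO, TAG_REF_DO = 0x4F, 0xC1, 0xE1
TAG_APDU_AR_DO, TAG_NFC_AR_DO, TAG_AR_DO = 0xD0, 0xD1, 0xE3
TAG_REF_AR_DO, TAG_STORE_REF_AR_DO = 0xE2, 0xF0


def tlv(tag: int, value: bytes) -> bytes:
    """Encode one single-byte-tag BER-TLV object with a definite length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n <= 0xFF:
        length = bytes([0x81, n])
    elif n <= 0xFFFF:
        length = bytes([0x82]) + n.to_bytes(2, "big")
    else:
        raise ValueError("value too long")
    return bytes([tag]) + length + value


def build_store_ref_ar_do(aid_hex, hash_hex, apdu_rule_hex, nfc_rule_hex=None):
    """Validate the fields, then return the Command-Store-REF-AR-DO bytes."""
    aid = bytes.fromhex(aid_hex)
    cert_hash = bytes.fromhex(hash_hex)
    apdu_rule = bytes.fromhex(apdu_rule_hex)
    # AID: empty (rule applies to every SE applet) or 5..16 bytes.
    if aid and not 5 <= len(aid) <= 16:
        raise ValueError("AID must be empty or 5 to 16 bytes")
    # Hash: empty (every client), SHA-1 (20 bytes) or SHA-256 (32 bytes).
    if len(cert_hash) not in (0, 20, 32):
        raise ValueError("hash must be empty, SHA-1 or SHA-256")
    # APDU-AR-DO: 00 = never, 01 = always, or n * 8 bytes of header+mask filters.
    if apdu_rule not in (b"\x00", b"\x01") and (not apdu_rule or len(apdu_rule) % 8):
        raise ValueError("APDU-AR-DO must be 00, 01 or 8-byte filters")
    ar = tlv(TAG_APDU_AR_DO, apdu_rule)
    if nfc_rule_hex is not None:
        nfc_rule = bytes.fromhex(nfc_rule_hex)
        # NFC-AR-DO: exactly one byte, 00 = never, 01 = always.
        if nfc_rule not in (b"\x00", b"\x01"):
            raise ValueError("NFC-AR-DO must be 00 or 01")
        ar += tlv(TAG_NFC_AR_DO, nfc_rule)
    ref_do = tlv(TAG_REF_DO, tlv(TAG_AID_REF_DO, aid) + tlv(TAG_HASH_REF_DO, cert_hash))
    ref_ar_do = tlv(TAG_REF_AR_DO, ref_do + tlv(TAG_AR_DO, ar))
    return tlv(TAG_STORE_REF_AR_DO, ref_ar_do)


# AID and hash are the sample values used with gp on this page; rule 01 = always.
PAYLOAD = build_store_ref_ar_do(
    "D2760001180002FF49502589C0019B18",
    "1FA8CC6CE448894C7011E23BCF56DB9BD9097432",
    "01",
)
```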
The MIT License (MIT) Copyright (c) 2017 Bertrand Martel