summaryrefslogtreecommitdiffstats
path: root/dom/secureelement/gonk
diff options
context:
space:
mode:
authorMatt A. Tobin <mattatobin@localhost.localdomain>2018-02-02 04:16:08 -0500
committerMatt A. Tobin <mattatobin@localhost.localdomain>2018-02-02 04:16:08 -0500
commit5f8de423f190bbb79a62f804151bc24824fa32d8 (patch)
tree10027f336435511475e392454359edea8e25895d /dom/secureelement/gonk
parent49ee0794b5d912db1f95dce6eb52d781dc210db5 (diff)
downloadUXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.gz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.lz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.xz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.zip
Add m-esr52 at 52.6.0
Diffstat (limited to 'dom/secureelement/gonk')
-rw-r--r--dom/secureelement/gonk/ACEService.js139
-rw-r--r--dom/secureelement/gonk/ACEService.manifest2
-rw-r--r--dom/secureelement/gonk/GPAccessRulesManager.js436
-rw-r--r--dom/secureelement/gonk/GPAccessRulesManager.manifest2
-rw-r--r--dom/secureelement/gonk/SecureElement.js514
-rw-r--r--dom/secureelement/gonk/SecureElement.manifest18
-rw-r--r--dom/secureelement/gonk/UiccConnector.js360
-rw-r--r--dom/secureelement/gonk/UiccConnector.manifest17
-rw-r--r--dom/secureelement/gonk/gp_consts.js62
-rw-r--r--dom/secureelement/gonk/nsIAccessControlEnforcer.idl32
-rw-r--r--dom/secureelement/gonk/nsIAccessRulesManager.idl50
-rw-r--r--dom/secureelement/gonk/nsISecureElementConnector.idl124
-rw-r--r--dom/secureelement/gonk/se_consts.js68
13 files changed, 1824 insertions, 0 deletions
diff --git a/dom/secureelement/gonk/ACEService.js b/dom/secureelement/gonk/ACEService.js
new file mode 100644
index 000000000..b52ba5fab
--- /dev/null
+++ b/dom/secureelement/gonk/ACEService.js
@@ -0,0 +1,139 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* Copyright © 2015, Deutsche Telekom, Inc. */
+
+"use strict";
+
+const { classes: Cc, interfaces: Ci, utils: Cu } = Components;
+Cu.import("resource://gre/modules/XPCOMUtils.jsm");
+Cu.import("resource://gre/modules/Promise.jsm");
+Cu.import("resource://gre/modules/Services.jsm");
+
+XPCOMUtils.defineLazyModuleGetter(this, "SEUtils",
+ "resource://gre/modules/SEUtils.jsm");
+
+XPCOMUtils.defineLazyGetter(this, "SE", function() {
+ let obj = {};
+ Cu.import("resource://gre/modules/se_consts.js", obj);
+ return obj;
+});
+
+var DEBUG = SE.DEBUG_ACE;
+function debug(msg) {
+ if (DEBUG) {
+ dump("ACEservice: " + msg + "\n");
+ }
+}
+
+/**
+ * Implements decision making algorithm as described in GPD specification,
+ * mostly in 3.1, 3.2 and 4.2.3.
+ *
+ * TODO: Bug 1137533: Implement GPAccessRulesManager APDU filters
+ */
+function GPAccessDecision(rules, certHash, aid) {
+ this.rules = rules;
+ this.certHash = certHash;
+ this.aid = aid;
+}
+
+GPAccessDecision.prototype = {
+ isAccessAllowed: function isAccessAllowed() {
+ // GPD SE Access Control v1.1, 3.4.1, Table 3-2: (Conflict resolution)
+ // If a specific rule allows, all other non-specific access is denied.
+ // Conflicting specific rules will resolve to the first Allowed == "true"
+ // match. Given no specific rule, the global "All" rules will determine
+ // access. "Some", skips further processing if access Allowed == "true".
+ //
+ // Access must be decided before the SE connector openChannel, and the
+ // exchangeAPDU call.
+ //
+ // NOTE: This implementation may change with the introduction of APDU
+ // filters.
+ let decision = this.rules.some(this._decideAppAccess.bind(this));
+ return decision;
+ },
+
+ _decideAppAccess: function _decideAppAccess(rule) {
+ let appMatched, appletMatched;
+
+ // GPD SE AC 4.2.3: Algorithm for Applying Rules
+ // Specific rule overrides global rule.
+ //
+ // DeviceAppID is the application hash, and the AID is SE Applet ID:
+ //
+ // GPD SE AC 4.2.3 A:
+ // SearchRuleFor(DeviceAppID, AID)
+ // GPD SE AC 4.2.3 B: If no rule fits A:
+ // SearchRuleFor(<AllDeviceApplications>, AID)
+ // GPD SE AC 4.2.3 C: If no rule fits A or B:
+ // SearchRuleFor(DeviceAppID, <AllSEApplications>)
+ // GPD SE AC 4.2.3 D: If no rule fits A, B, or C:
+ // SearchRuleFor(<AllDeviceApplications>, <AllSEApplications>)
+
+ // Device App
+ appMatched = Array.isArray(rule.application) ?
+ // GPD SE AC 4.2.3 A and 4.2.3 C (DeviceAppID rule)
+ this._appCertHashMatches(rule.application) :
+ // GPD SE AC 4.2.3 B and 4.2.3 D (All Device Applications)
+ rule.application === Ci.nsIAccessRulesManager.ALLOW_ALL;
+
+ if (!appMatched) {
+ return false; // bail out early.
+ }
+
+ // SE Applet
+ appletMatched = Array.isArray(rule.applet) ?
+ // GPD SE AC 4.2.3 A and 4.2.3 B (AID rule)
+ SEUtils.arraysEqual(rule.applet, this.aid) :
+ // GPD SE AC 4.2.3 C and 4.2.3 D (All AID)
+ rule.applet === Ci.nsIAccessRulesManager.ALL_APPLET;
+
+ return appletMatched;
+ },
+
+ _appCertHashMatches: function _appCertHashMatches(hashArray) {
+ if (!Array.isArray(hashArray)) {
+ return false;
+ }
+
+ return !!(hashArray.find((hash) => {
+ return SEUtils.arraysEqual(hash, this.certHash);
+ }));
+ }
+};
+
+function ACEService() {
+ this._rulesManagers = new Map();
+
+ this._rulesManagers.set(
+ SE.TYPE_UICC,
+ Cc["@mozilla.org/secureelement/access-control/rules-manager;1"]
+ .createInstance(Ci.nsIAccessRulesManager));
+}
+
+ACEService.prototype = {
+ _rulesManagers: null,
+
+ isAccessAllowed: function isAccessAllowed(localId, seType, aid) {
+ if(!Services.prefs.getBoolPref("devtools.debugger.forbid-certified-apps")) {
+ debug("Certified apps debug enabled, allowing access");
+ return Promise.resolve(true);
+ }
+
+ throw Components.results.NS_ERROR_NOT_IMPLEMENTED;
+ },
+
+ _getDevCertHashForApp: function getDevCertHashForApp(manifestURL) {
+ throw Components.results.NS_ERROR_NOT_IMPLEMENTED;
+ },
+
+ classID: Components.ID("{882a7463-2ca7-4d61-a89a-10eb6fd70478}"),
+ contractID: "@mozilla.org/secureelement/access-control/ace;1",
+ QueryInterface: XPCOMUtils.generateQI([Ci.nsIAccessControlEnforcer])
+};
+
+this.NSGetFactory = XPCOMUtils.generateNSGetFactory([ACEService]);
+
diff --git a/dom/secureelement/gonk/ACEService.manifest b/dom/secureelement/gonk/ACEService.manifest
new file mode 100644
index 000000000..40949c83d
--- /dev/null
+++ b/dom/secureelement/gonk/ACEService.manifest
@@ -0,0 +1,2 @@
+component {882a7463-2ca7-4d61-a89a-10eb6fd70478} ACEService.js
+contract @mozilla.org/secureelement/access-control/ace;1 {882a7463-2ca7-4d61-a89a-10eb6fd70478} \ No newline at end of file
diff --git a/dom/secureelement/gonk/GPAccessRulesManager.js b/dom/secureelement/gonk/GPAccessRulesManager.js
new file mode 100644
index 000000000..dce11ec09
--- /dev/null
+++ b/dom/secureelement/gonk/GPAccessRulesManager.js
@@ -0,0 +1,436 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* Copyright © 2015, Deutsche Telekom, Inc. */
+
+"use strict";
+
+const Ci = Components.interfaces;
+const Cu = Components.utils;
+
+Cu.import("resource://gre/modules/XPCOMUtils.jsm");
+Cu.import("resource://gre/modules/Promise.jsm");
+Cu.import("resource://gre/modules/Task.jsm");
+Cu.import("resource://gre/modules/systemlibs.js");
+
+XPCOMUtils.defineLazyServiceGetter(this, "UiccConnector",
+ "@mozilla.org/secureelement/connector/uicc;1",
+ "nsISecureElementConnector");
+
+XPCOMUtils.defineLazyModuleGetter(this, "SEUtils",
+ "resource://gre/modules/SEUtils.jsm");
+
+XPCOMUtils.defineLazyGetter(this, "SE", function() {
+ let obj = {};
+ Cu.import("resource://gre/modules/se_consts.js", obj);
+ return obj;
+});
+
+XPCOMUtils.defineLazyGetter(this, "GP", function() {
+ let obj = {};
+ Cu.import("resource://gre/modules/gp_consts.js", obj);
+ return obj;
+});
+
+var DEBUG = SE.DEBUG_ACE;
+function debug(msg) {
+ if (DEBUG) {
+ dump("-*- GPAccessRulesManager " + msg);
+ }
+}
+
+/**
+ * Based on [1] - "GlobalPlatform Device Technology
+ * Secure Element Access Control Version 1.0".
+ * GPAccessRulesManager reads and parses access rules from SE file system
+ * as defined in section #7 of [1]: "Structure of Access Rule Files (ARF)".
+ * Rules retrieval from ARA-M applet is not implmented due to lack of
+ * commercial implemenations of ARA-M.
+ * @todo Bug 1137537: Implement ARA-M support according to section #4 of [1]
+ */
+function GPAccessRulesManager() {}
+
+GPAccessRulesManager.prototype = {
+ // source [1] section 7.1.3 PKCS#15 Selection
+ PKCS_AID: "a000000063504b43532d3135",
+
+ // APDUs (ISO 7816-4) for accessing rules on SE file system
+ // see for more details: http://www.cardwerk.com/smartcards/
+ // smartcard_standard_ISO7816-4_6_basic_interindustry_commands.aspx
+ READ_BINARY: [GP.CLA_SM, GP.INS_RB, GP.P1_RB, GP.P2_RB],
+ GET_RESPONSE: [GP.CLA_SM, GP.INS_GR, GP.P1_GR, GP.P2_GR],
+ SELECT_BY_DF: [GP.CLA_SM, GP.INS_SF, GP.P1_SF_DF, GP.P2_SF_FCP],
+
+ // Non-null if there is a channel open
+ channel: null,
+
+ // Refresh tag path in the acMain file as described in GPD spec,
+ // sections 7.1.5 and C.1.
+ REFRESH_TAG_PATH: [GP.TAG_SEQUENCE, GP.TAG_OCTETSTRING],
+ refreshTag: null,
+
+ // Contains rules as read from the SE
+ rules: [],
+
+ // Returns the latest rules. Results are cached.
+ getAccessRules: function getAccessRules() {
+ debug("getAccessRules");
+
+ return new Promise((resolve, reject) => {
+ this._readAccessRules(() => resolve(this.rules));
+ });
+ },
+
+ _readAccessRules: Task.async(function*(done) {
+ try {
+ yield this._openChannel(this.PKCS_AID);
+
+ let odf = yield this._readODF();
+ let dodf = yield this._readDODF(odf);
+
+ let acmf = yield this._readACMF(dodf);
+ let refreshTag = acmf[this.REFRESH_TAG_PATH[0]]
+ [this.REFRESH_TAG_PATH[1]];
+
+ // Update cached rules based on refreshTag.
+ if (SEUtils.arraysEqual(this.refreshTag, refreshTag)) {
+ debug("_readAccessRules: refresh tag equals to the one saved.");
+ yield this._closeChannel();
+ return done();
+ }
+
+ this.refreshTag = refreshTag;
+ debug("_readAccessRules: refresh tag saved: " + this.refreshTag);
+
+ let acrf = yield this._readACRules(acmf);
+ let accf = yield this._readACConditions(acrf);
+ this.rules = yield this._parseRules(acrf, accf);
+
+ DEBUG && debug("_readAccessRules: " + JSON.stringify(this.rules, 0, 2));
+
+ yield this._closeChannel();
+ done();
+ } catch (error) {
+ debug("_readAccessRules: " + error);
+ this.rules = [];
+ yield this._closeChannel();
+ done();
+ }
+ }),
+
+ _openChannel: function _openChannel(aid) {
+ if (this.channel !== null) {
+ debug("_openChannel: Channel already opened, rejecting.");
+ return Promise.reject();
+ }
+
+ return new Promise((resolve, reject) => {
+ UiccConnector.openChannel(aid, {
+ notifyOpenChannelSuccess: (channel, openResponse) => {
+ debug("_openChannel/notifyOpenChannelSuccess: Channel " + channel +
+ " opened, open response: " + openResponse);
+ this.channel = channel;
+ resolve();
+ },
+ notifyError: (error) => {
+ debug("_openChannel/notifyError: failed to open channel, error: " +
+ error);
+ reject(error);
+ }
+ });
+ });
+ },
+
+ _closeChannel: function _closeChannel() {
+ if (this.channel === null) {
+ debug("_closeChannel: Channel not opened, rejecting.");
+ return Promise.reject();
+ }
+
+ return new Promise((resolve, reject) => {
+ UiccConnector.closeChannel(this.channel, {
+ notifyCloseChannelSuccess: () => {
+ debug("_closeChannel/notifyCloseChannelSuccess: chanel " +
+ this.channel + " closed");
+ this.channel = null;
+ resolve();
+ },
+ notifyError: (error) => {
+ debug("_closeChannel/notifyError: error closing channel, error" +
+ error);
+ reject(error);
+ }
+ });
+ });
+ },
+
+ _exchangeAPDU: function _exchangeAPDU(bytes) {
+ DEBUG && debug("apdu " + JSON.stringify(bytes));
+
+ let apdu = this._bytesToAPDU(bytes);
+ return new Promise((resolve, reject) => {
+ UiccConnector.exchangeAPDU(this.channel, apdu.cla,
+ apdu.ins, apdu.p1, apdu.p2, apdu.data, apdu.le,
+ {
+ notifyExchangeAPDUResponse: (sw1, sw2, data) => {
+ debug("APDU response is " + sw1.toString(16) + sw2.toString(16) +
+ " data: " + data);
+
+ // 90 00 is "success"
+ if (sw1 !== 0x90 && sw2 !== 0x00) {
+ debug("rejecting APDU response");
+ reject(new Error("Response " + sw1 + "," + sw2));
+ return;
+ }
+
+ resolve(this._parseTLV(data));
+ },
+
+ notifyError: (error) => {
+ debug("_exchangeAPDU/notifyError " + error);
+ reject(error);
+ }
+ }
+ );
+ });
+ },
+
+ _readBinaryFile: function _readBinaryFile(selectResponse) {
+ DEBUG && debug("Select response: " + JSON.stringify(selectResponse));
+ // 0x80 tag parameter - get the elementary file (EF) length
+ // without structural information.
+ let fileLength = selectResponse[GP.TAG_FCP][0x80];
+
+ // If file is empty, no need to attempt to read it.
+ if (fileLength[0] === 0 && fileLength[1] === 0) {
+ return Promise.resolve(null);
+ }
+
+ // TODO READ BINARY with filelength not supported
+ // let readApdu = this.READ_BINARY.concat(fileLength);
+ return this._exchangeAPDU(this.READ_BINARY);
+ },
+
+ _selectAndRead: function _selectAndRead(df) {
+ return this._exchangeAPDU(this.SELECT_BY_DF.concat(df.length & 0xFF, df))
+ .then((resp) => this._readBinaryFile(resp));
+ },
+
+ _readODF: function _readODF() {
+ debug("_readODF");
+ return this._selectAndRead(GP.ODF_DF);
+ },
+
+ _readDODF: function _readDODF(odfFile) {
+ debug("_readDODF, ODF file: " + odfFile);
+
+ // Data Object Directory File (DODF) is used as an entry point to the
+ // Access Control data. It is specified in PKCS#15 section 6.7.6.
+ // DODF is referenced by the ODF file, which looks as follows:
+ // A7 06
+ // 30 04
+ // 04 02 XY WZ
+ // where [0xXY, 0xWZ] is a DF of DODF file.
+ let DODF_DF = odfFile[GP.TAG_EF_ODF][GP.TAG_SEQUENCE][GP.TAG_OCTETSTRING];
+ return this._selectAndRead(DODF_DF);
+ },
+
+ _readACMF: function _readACMF(dodfFile) {
+ debug("_readACMF, DODF file: " + dodfFile);
+
+ // ACMF file DF is referenced in DODF file, which looks like this:
+ //
+ // A1 29
+ // 30 00
+ // 30 0F
+ // 0C 0D 47 50 20 53 45 20 41 63 63 20 43 74 6C
+ // A1 14
+ // 30 12
+ // 06 0A 2A 86 48 86 FC 6B 81 48 01 01 <-- GPD registered OID
+ // 30 04
+ // 04 02 AB CD <-- ACMF DF
+ // A1 2B
+ // 30 00
+ // 30 0F
+ // 0C 0D 53 41 54 53 41 20 47 54 4F 20 31 2E 31
+ // A1 16
+ // 30 14
+ // 06 0C 2B 06 01 04 01 2A 02 6E 03 01 01 01 <-- some other OID
+ // 30 04
+ // 04 02 XY WZ <-- some other file's DF
+ //
+ // DODF file consists of DataTypes with oidDO entries. Entry with OID
+ // equal to "1.2.840.114283.200.1.1" ("2A 86 48 86 FC 6B 81 48 01 01")
+ // contains DF of the ACMF. In the file above, it means that ACMF DF
+ // equals to [0xAB, 0xCD], and not [0xXY, 0xWZ].
+ //
+ // Algorithm used to encode OID to an byte array:
+ // http://www.snmpsharpnet.com/?p=153
+
+ let gpdOid = [0x2A, // 1.2
+ 0x86, 0x48, // 840
+ 0x86, 0xFC, 0x6B, // 114283
+ 0x81, 0x48, // 129
+ 0x01, // 1
+ 0x01]; // 1
+
+ let records = SEUtils.ensureIsArray(dodfFile[GP.TAG_EXTERNALDO]);
+
+ // Look for the OID registered for GPD SE.
+ let gpdRecords = records.filter((record) => {
+ let oid = record[GP.TAG_EXTERNALDO][GP.TAG_SEQUENCE][GP.TAG_OID];
+ return SEUtils.arraysEqual(oid, gpdOid);
+ });
+
+ // [1] 7.1.5: "There shall be only one ACMF file per Secure Element.
+ // If a Secure Element contains several ACMF files, then the security shall
+ // be considered compromised and the Access Control enforcer shall forbid
+ // access to all (...) apps."
+ if (gpdRecords.length !== 1) {
+ return Promise.reject(new Error(gpdRecords.length + " ACMF files found"));
+ }
+
+ let ACMain_DF = gpdRecords[0][GP.TAG_EXTERNALDO][GP.TAG_SEQUENCE]
+ [GP.TAG_SEQUENCE][GP.TAG_OCTETSTRING];
+ return this._selectAndRead(ACMain_DF);
+ },
+
+ _readACRules: function _readACRules(acMainFile) {
+ debug("_readACRules, ACMain file: " + acMainFile);
+
+ // ACMF looks like this:
+ //
+ // 30 10
+ // 04 08 XX XX XX XX XX XX XX XX
+ // 30 04
+ // 04 02 XY WZ
+ //
+ // where [XY, WZ] is a DF of ACRF, and XX XX XX XX XX XX XX XX is a refresh
+ // tag.
+
+ let ACRules_DF = acMainFile[GP.TAG_SEQUENCE][GP.TAG_SEQUENCE][GP.TAG_OCTETSTRING];
+ return this._selectAndRead(ACRules_DF);
+ },
+
+ _readACConditions: function _readACConditions(acRulesFile) {
+ debug("_readACCondition, ACRules file: " + acRulesFile);
+
+ let acRules = SEUtils.ensureIsArray(acRulesFile[GP.TAG_SEQUENCE]);
+ if (acRules.length === 0) {
+ debug("No rules found in ACRules file.");
+ return Promise.reject(new Error("No rules found in ACRules file"));
+ }
+
+ // We first read all the condition files referenced in the ACRules file,
+ // because ACRules file might reference one ACCondition file more than
+ // once. Since reading it isn't exactly fast, we optimize here.
+ let acReadQueue = Promise.resolve({});
+
+ acRules.forEach((ruleEntry) => {
+ let df = ruleEntry[GP.TAG_SEQUENCE][GP.TAG_OCTETSTRING];
+
+ // Promise chain read condition entries:
+ let readAcCondition = (acConditionFiles) => {
+ if (acConditionFiles[df] !== undefined) {
+ debug("Skipping previously read acCondition df: " + df);
+ return acConditionFiles;
+ }
+
+ return this._selectAndRead(df)
+ .then((acConditionFileContents) => {
+ acConditionFiles[df] = acConditionFileContents;
+ return acConditionFiles;
+ });
+ }
+
+ acReadQueue = acReadQueue.then(readAcCondition);
+ });
+
+ return acReadQueue;
+ },
+
+ _parseRules: function _parseRules(acRulesFile, acConditionFiles) {
+ DEBUG && debug("_parseRules: acConditionFiles " + JSON.stringify(acConditionFiles));
+ let rules = [];
+
+ let acRules = SEUtils.ensureIsArray(acRulesFile[GP.TAG_SEQUENCE]);
+ acRules.forEach((ruleEntry) => {
+ DEBUG && debug("Parsing one rule: " + JSON.stringify(ruleEntry));
+ let rule = {};
+
+ // 0xA0 and 0x82 tags as per GPD spec sections C.1 - C.3. 0xA0 means
+ // that rule describes access to one SE applet only (and its AID is
+ // given). 0x82 means that rule describes acccess to all SE applets.
+ let oneApplet = ruleEntry[GP.TAG_GPD_AID];
+ let allApplets = ruleEntry[GP.TAG_GPD_ALL];
+
+ if (oneApplet) {
+ rule.applet = oneApplet[GP.TAG_OCTETSTRING];
+ } else if (allApplets) {
+ rule.applet = Ci.nsIAccessRulesManager.ALL_APPLET;
+ } else {
+ throw Error("Unknown applet definition");
+ }
+
+ let df = ruleEntry[GP.TAG_SEQUENCE][GP.TAG_OCTETSTRING];
+ let condition = acConditionFiles[df];
+ if (condition === null) {
+ rule.application = Ci.nsIAccessRulesManager.DENY_ALL;
+ } else if (condition[GP.TAG_SEQUENCE]) {
+ if (!Array.isArray(condition[GP.TAG_SEQUENCE]) &&
+ !condition[GP.TAG_SEQUENCE][GP.TAG_OCTETSTRING]) {
+ rule.application = Ci.nsIAccessRulesManager.ALLOW_ALL;
+ } else {
+ rule.application = SEUtils.ensureIsArray(condition[GP.TAG_SEQUENCE])
+ .map((conditionEntry) => {
+ return conditionEntry[GP.TAG_OCTETSTRING];
+ });
+ }
+ } else {
+ throw Error("Unknown application definition");
+ }
+
+ DEBUG && debug("Rule parsed, adding to the list: " + JSON.stringify(rule));
+ rules.push(rule);
+ });
+
+ DEBUG && debug("All rules parsed, we have those in total: " + JSON.stringify(rules));
+ return rules;
+ },
+
+ _parseTLV: function _parseTLV(bytes) {
+ let containerTags = [
+ GP.TAG_SEQUENCE,
+ GP.TAG_FCP,
+ GP.TAG_GPD_AID,
+ GP.TAG_EXTERNALDO,
+ GP.TAG_INDIRECT,
+ GP.TAG_EF_ODF
+ ];
+ return SEUtils.parseTLV(bytes, containerTags);
+ },
+
+ // TODO consider removing if better format for storing
+ // APDU consts will be introduced
+ _bytesToAPDU: function _bytesToAPDU(arr) {
+ let apdu = {
+ cla: arr[0] & 0xFF,
+ ins: arr[1] & 0xFF,
+ p1: arr[2] & 0xFF,
+ p2: arr[3] & 0xFF,
+ p3: arr[4] & 0xFF,
+ le: 0
+ };
+
+ let data = (apdu.p3 > 0) ? (arr.slice(5)) : [];
+ apdu.data = (data.length) ? SEUtils.byteArrayToHexString(data) : null;
+ return apdu;
+ },
+
+ classID: Components.ID("{3e046b4b-9e66-439a-97e0-98a69f39f55f}"),
+ contractID: "@mozilla.org/secureelement/access-control/rules-manager;1",
+ QueryInterface: XPCOMUtils.generateQI([Ci.nsIAccessRulesManager])
+};
+
+this.NSGetFactory = XPCOMUtils.generateNSGetFactory([GPAccessRulesManager]);
diff --git a/dom/secureelement/gonk/GPAccessRulesManager.manifest b/dom/secureelement/gonk/GPAccessRulesManager.manifest
new file mode 100644
index 000000000..2d7ea038b
--- /dev/null
+++ b/dom/secureelement/gonk/GPAccessRulesManager.manifest
@@ -0,0 +1,2 @@
+component {3e046b4b-9e66-439a-97e0-98a69f39f55f} GPAccessRulesManager.js
+contract @mozilla.org/secureelement/access-control/rules-manager;1 {3e046b4b-9e66-439a-97e0-98a69f39f55f}
diff --git a/dom/secureelement/gonk/SecureElement.js b/dom/secureelement/gonk/SecureElement.js
new file mode 100644
index 000000000..144c6d8d6
--- /dev/null
+++ b/dom/secureelement/gonk/SecureElement.js
@@ -0,0 +1,514 @@
+/* Copyright 2012 Mozilla Foundation and Mozilla contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/* Copyright © 2014, Deutsche Telekom, Inc. */
+
+"use strict";
+
+/* globals dump, Components, XPCOMUtils, SE, Services, UiccConnector,
+ SEUtils, ppmm, gMap, UUIDGenerator */
+
+const { classes: Cc, interfaces: Ci, utils: Cu } = Components;
+
+Cu.import("resource://gre/modules/XPCOMUtils.jsm");
+Cu.import("resource://gre/modules/Services.jsm");
+Cu.import("resource://gre/modules/systemlibs.js");
+
+XPCOMUtils.defineLazyGetter(this, "SE", () => {
+ let obj = {};
+ Cu.import("resource://gre/modules/se_consts.js", obj);
+ return obj;
+});
+
+// set to true in se_consts.js to see debug messages
+var DEBUG = SE.DEBUG_SE;
+function debug(s) {
+ if (DEBUG) {
+ dump("-*- SecureElement: " + s + "\n");
+ }
+}
+
+const SE_IPC_SECUREELEMENT_MSG_NAMES = [
+ "SE:GetSEReaders",
+ "SE:OpenChannel",
+ "SE:CloseChannel",
+ "SE:TransmitAPDU"
+];
+
+const SECUREELEMENTMANAGER_CONTRACTID =
+ "@mozilla.org/secureelement/parent-manager;1";
+const SECUREELEMENTMANAGER_CID =
+ Components.ID("{48f4e650-28d2-11e4-8c21-0800200c9a66}");
+const NS_XPCOM_SHUTDOWN_OBSERVER_ID = "xpcom-shutdown";
+
+XPCOMUtils.defineLazyServiceGetter(this, "ppmm",
+ "@mozilla.org/parentprocessmessagemanager;1",
+ "nsIMessageBroadcaster");
+
+XPCOMUtils.defineLazyServiceGetter(this, "UUIDGenerator",
+ "@mozilla.org/uuid-generator;1",
+ "nsIUUIDGenerator");
+
+XPCOMUtils.defineLazyModuleGetter(this, "SEUtils",
+ "resource://gre/modules/SEUtils.jsm");
+
+XPCOMUtils.defineLazyGetter(this, "UiccConnector", () => {
+ let uiccClass = Cc["@mozilla.org/secureelement/connector/uicc;1"];
+ return uiccClass ? uiccClass.getService(Ci.nsISecureElementConnector) : null;
+});
+
+function getConnector(type) {
+ switch (type) {
+ case SE.TYPE_UICC:
+ return UiccConnector;
+ case SE.TYPE_ESE:
+ default:
+ debug("Unsupported SEConnector : " + type);
+ return null;
+ }
+}
+
+/**
+ * 'gMap' is a nested dictionary object that manages all the information
+ * pertaining to channels for a given application (appId). It manages the
+ * relationship between given application and its opened channels.
+ */
+XPCOMUtils.defineLazyGetter(this, "gMap", function() {
+ return {
+ // example structure of AppInfoMap
+ // {
+ // "appId1": {
+ // target: target1,
+ // channels: {
+ // "channelToken1": {
+ // seType: "uicc",
+ // aid: "aid1",
+ // channelNumber: 1
+ // },
+ // "channelToken2": { ... }
+ // }
+ // },
+ // "appId2": { ... }
+ // }
+ appInfoMap: {},
+
+ registerSecureElementTarget: function(appId, target) {
+ if (this.isAppIdRegistered(appId)) {
+ debug("AppId: " + appId + "already registered");
+ return;
+ }
+
+ this.appInfoMap[appId] = {
+ target: target,
+ channels: {}
+ };
+
+ debug("Registered a new SE target " + appId);
+ },
+
+ unregisterSecureElementTarget: function(target) {
+ let appId = Object.keys(this.appInfoMap).find((id) => {
+ return this.appInfoMap[id].target === target;
+ });
+
+ if (!appId) {
+ return;
+ }
+
+ debug("Unregistered SE Target for AppId: " + appId);
+ delete this.appInfoMap[appId];
+ },
+
+ isAppIdRegistered: function(appId) {
+ return this.appInfoMap[appId] !== undefined;
+ },
+
+ getChannelCountByAppIdType: function(appId, type) {
+ return Object.keys(this.appInfoMap[appId].channels)
+ .reduce((cnt, ch) => ch.type === type ? ++cnt : cnt, 0);
+ },
+
+ // Add channel to the appId. Upon successfully adding the entry
+ // this function will return the 'token'
+ addChannel: function(appId, type, aid, channelNumber) {
+ let token = UUIDGenerator.generateUUID().toString();
+ this.appInfoMap[appId].channels[token] = {
+ seType: type,
+ aid: aid,
+ channelNumber: channelNumber
+ };
+ return token;
+ },
+
+ removeChannel: function(appId, channelToken) {
+ if (this.appInfoMap[appId].channels[channelToken]) {
+ debug("Deleting channel with token : " + channelToken);
+ delete this.appInfoMap[appId].channels[channelToken];
+ }
+ },
+
+ getChannel: function(appId, channelToken) {
+ if (!this.appInfoMap[appId].channels[channelToken]) {
+ return null;
+ }
+
+ return this.appInfoMap[appId].channels[channelToken];
+ },
+
+ getChannelsByTarget: function(target) {
+ let appId = Object.keys(this.appInfoMap).find((id) => {
+ return this.appInfoMap[id].target === target;
+ });
+
+ if (!appId) {
+ return [];
+ }
+
+ return Object.keys(this.appInfoMap[appId].channels)
+ .map(token => this.appInfoMap[appId].channels[token]);
+ },
+
+ getTargets: function() {
+ return Object.keys(this.appInfoMap)
+ .map(appId => this.appInfoMap[appId].target);
+ },
+ };
+});
+
+/**
+ * 'SecureElementManager' is the main object that handles IPC messages from
+ * child process. It interacts with other objects such as 'gMap' & 'Connector
+ * instances (UiccConnector, eSEConnector)' to perform various
+ * SE-related (open, close, transmit) operations.
+ * @TODO: Bug 1118097 Support slot based SE/reader names
+ * @TODO: Bug 1118101 Introduce SE type specific permissions
+ */
+function SecureElementManager() {
+ this._registerMessageListeners();
+ this._registerSEListeners();
+ Services.obs.addObserver(this, NS_XPCOM_SHUTDOWN_OBSERVER_ID, false);
+ this._acEnforcer =
+ Cc["@mozilla.org/secureelement/access-control/ace;1"]
+ .getService(Ci.nsIAccessControlEnforcer);
+}
+
+SecureElementManager.prototype = {
+ QueryInterface: XPCOMUtils.generateQI([
+ Ci.nsIMessageListener,
+ Ci.nsISEListener,
+ Ci.nsIObserver]),
+ classID: SECUREELEMENTMANAGER_CID,
+ classInfo: XPCOMUtils.generateCI({
+ classID: SECUREELEMENTMANAGER_CID,
+ classDescription: "SecureElementManager",
+ interfaces: [Ci.nsIMessageListener,
+ Ci.nsISEListener,
+ Ci.nsIObserver]
+ }),
+
+ // Stores information about supported SE types and their presence.
+ // key: secure element type, value: (Boolean) is present/accessible
+ _sePresence: {},
+
+ _acEnforcer: null,
+
+ _shutdown: function() {
+ this._acEnforcer = null;
+ this.secureelement = null;
+ Services.obs.removeObserver(this, NS_XPCOM_SHUTDOWN_OBSERVER_ID);
+ this._unregisterMessageListeners();
+ this._unregisterSEListeners();
+ },
+
+ _registerMessageListeners: function() {
+ ppmm.addMessageListener("child-process-shutdown", this);
+ for (let msgname of SE_IPC_SECUREELEMENT_MSG_NAMES) {
+ ppmm.addMessageListener(msgname, this);
+ }
+ },
+
+ _unregisterMessageListeners: function() {
+ ppmm.removeMessageListener("child-process-shutdown", this);
+ for (let msgname of SE_IPC_SECUREELEMENT_MSG_NAMES) {
+ ppmm.removeMessageListener(msgname, this);
+ }
+ ppmm = null;
+ },
+
+ _registerSEListeners: function() {
+ let connector = getConnector(SE.TYPE_UICC);
+ if (!connector) {
+ return;
+ }
+
+ this._sePresence[SE.TYPE_UICC] = false;
+ connector.registerListener(this);
+ },
+
+ _unregisterSEListeners: function() {
+ Object.keys(this._sePresence).forEach((type) => {
+ let connector = getConnector(type);
+ if (connector) {
+ connector.unregisterListener(this);
+ }
+ });
+
+ this._sePresence = {};
+ },
+
+ notifySEPresenceChanged: function(type, isPresent) {
+ // we need to notify all targets, even those without open channels,
+ // app could've stored the reader without actually using it
+ debug("notifying DOM about SE state change");
+ this._sePresence[type] = isPresent;
+ gMap.getTargets().forEach(target => {
+ let result = { type: type, isPresent: isPresent };
+ target.sendAsyncMessage("SE:ReaderPresenceChanged", { result: result });
+ });
+ },
+
+ _canOpenChannel: function(appId, type) {
+ let opened = gMap.getChannelCountByAppIdType(appId, type);
+ let limit = SE.MAX_CHANNELS_ALLOWED_PER_SESSION;
+ // UICC basic channel is not accessible see comment in se_consts.js
+ limit = type === SE.TYPE_UICC ? limit - 1 : limit;
+ return opened < limit;
+ },
+
+ _handleOpenChannel: function(msg, callback) {
+ if (!this._canOpenChannel(msg.appId, msg.type)) {
+ debug("Max channels per session exceed");
+ callback({ error: SE.ERROR_GENERIC });
+ return;
+ }
+
+ let connector = getConnector(msg.type);
+ if (!connector) {
+ debug("No SE connector available");
+ callback({ error: SE.ERROR_NOTPRESENT });
+ return;
+ }
+
+ this._acEnforcer.isAccessAllowed(msg.appId, msg.type, msg.aid)
+ .then((allowed) => {
+ if (!allowed) {
+ callback({ error: SE.ERROR_SECURITY });
+ return;
+ }
+ connector.openChannel(SEUtils.byteArrayToHexString(msg.aid), {
+
+ notifyOpenChannelSuccess: (channelNumber, openResponse) => {
+ // Add the new 'channel' to the map upon success
+ let channelToken =
+ gMap.addChannel(msg.appId, msg.type, msg.aid, channelNumber);
+ if (channelToken) {
+ callback({
+ error: SE.ERROR_NONE,
+ channelToken: channelToken,
+ isBasicChannel: (channelNumber === SE.BASIC_CHANNEL),
+ openResponse: SEUtils.hexStringToByteArray(openResponse)
+ });
+ } else {
+ callback({ error: SE.ERROR_GENERIC });
+ }
+ },
+
+ notifyError: (reason) => {
+ debug("Failed to open the channel to AID : " +
+ SEUtils.byteArrayToHexString(msg.aid) +
+ ", Rejected with Reason : " + reason);
+ callback({ error: SE.ERROR_GENERIC, reason: reason, response: [] });
+ }
+ });
+ })
+ .catch((error) => {
+ debug("Failed to get info from accessControlEnforcer " + error);
+ callback({ error: SE.ERROR_SECURITY });
+ });
+ },
+
+ _handleTransmit: function(msg, callback) {
+ let channel = gMap.getChannel(msg.appId, msg.channelToken);
+ if (!channel) {
+ debug("Invalid token:" + msg.channelToken + ", appId: " + msg.appId);
+ callback({ error: SE.ERROR_GENERIC });
+ return;
+ }
+
+ let connector = getConnector(channel.seType);
+ if (!connector) {
+ debug("No SE connector available");
+ callback({ error: SE.ERROR_NOTPRESENT });
+ return;
+ }
+
+ // Bug 1137533 - ACE GPAccessRulesManager APDU filters
+ connector.exchangeAPDU(channel.channelNumber, msg.apdu.cla, msg.apdu.ins,
+ msg.apdu.p1, msg.apdu.p2,
+ SEUtils.byteArrayToHexString(msg.apdu.data),
+ msg.apdu.le, {
+ notifyExchangeAPDUResponse: (sw1, sw2, response) => {
+ callback({
+ error: SE.ERROR_NONE,
+ sw1: sw1,
+ sw2: sw2,
+ response: SEUtils.hexStringToByteArray(response)
+ });
+ },
+
+ notifyError: (reason) => {
+ debug("Transmit failed, rejected with Reason : " + reason);
+ callback({ error: SE.ERROR_INVALIDAPPLICATION, reason: reason });
+ }
+ });
+ },
+
+ _handleCloseChannel: function(msg, callback) {
+ let channel = gMap.getChannel(msg.appId, msg.channelToken);
+ if (!channel) {
+ debug("Invalid token:" + msg.channelToken + ", appId:" + msg.appId);
+ callback({ error: SE.ERROR_GENERIC });
+ return;
+ }
+
+ let connector = getConnector(channel.seType);
+ if (!connector) {
+ debug("No SE connector available");
+ callback({ error: SE.ERROR_NOTPRESENT });
+ return;
+ }
+
+ connector.closeChannel(channel.channelNumber, {
+ notifyCloseChannelSuccess: () => {
+ gMap.removeChannel(msg.appId, msg.channelToken);
+ callback({ error: SE.ERROR_NONE });
+ },
+
+ notifyError: (reason) => {
+ debug("Failed to close channel with token: " + msg.channelToken +
+ ", reason: "+ reason);
+ callback({ error: SE.ERROR_BADSTATE, reason: reason });
+ }
+ });
+ },
+
+ _handleGetSEReadersRequest: function(msg, target, callback) {
+ gMap.registerSecureElementTarget(msg.appId, target);
+ let readers = Object.keys(this._sePresence).map(type => {
+ return { type: type, isPresent: this._sePresence[type] };
+ });
+ callback({ readers: readers, error: SE.ERROR_NONE });
+ },
+
+ _handleChildProcessShutdown: function(target) {
+ let channels = gMap.getChannelsByTarget(target);
+
+ let createCb = (seType, channelNumber) => {
+ return {
+ notifyCloseChannelSuccess: () => {
+ debug("closed " + seType + ", channel " + channelNumber);
+ },
+
+ notifyError: (reason) => {
+ debug("Failed to close " + seType + " channel " +
+ channelNumber + ", reason: " + reason);
+ }
+ };
+ };
+
+ channels.forEach((channel) => {
+ let connector = getConnector(channel.seType);
+ if (!connector) {
+ return;
+ }
+
+ connector.closeChannel(channel.channelNumber,
+ createCb(channel.seType, channel.channelNumber));
+ });
+
+ gMap.unregisterSecureElementTarget(target);
+ },
+
+ _sendSEResponse: function(msg, result) {
+ let promiseStatus = (result.error === SE.ERROR_NONE) ? "Resolved" : "Rejected";
+ result.resolverId = msg.data.resolverId;
+ msg.target.sendAsyncMessage(msg.name + promiseStatus, {result: result});
+ },
+
+ _isValidMessage: function(msg) {
+ let appIdValid = gMap.isAppIdRegistered(msg.data.appId);
+ return msg.name === "SE:GetSEReaders" ? true : appIdValid;
+ },
+
+ /**
+ * nsIMessageListener interface methods.
+ */
+
+ receiveMessage: function(msg) {
+ DEBUG && debug("Received '" + msg.name + "' message from content process" +
+ ": " + JSON.stringify(msg.data));
+
+ if (msg.name === "child-process-shutdown") {
+ this._handleChildProcessShutdown(msg.target);
+ return null;
+ }
+
+ if (SE_IPC_SECUREELEMENT_MSG_NAMES.indexOf(msg.name) !== -1) {
+ if (!msg.target.assertPermission("secureelement-manage")) {
+ debug("SecureElement message " + msg.name + " from a content process " +
+ "with no 'secureelement-manage' privileges.");
+ return null;
+ }
+ } else {
+ debug("Ignoring unknown message type: " + msg.name);
+ return null;
+ }
+
+ let callback = (result) => this._sendSEResponse(msg, result);
+ if (!this._isValidMessage(msg)) {
+ debug("Message not valid");
+ callback({ error: SE.ERROR_GENERIC });
+ return null;
+ }
+
+ switch (msg.name) {
+ case "SE:GetSEReaders":
+ this._handleGetSEReadersRequest(msg.data, msg.target, callback);
+ break;
+ case "SE:OpenChannel":
+ this._handleOpenChannel(msg.data, callback);
+ break;
+ case "SE:CloseChannel":
+ this._handleCloseChannel(msg.data, callback);
+ break;
+ case "SE:TransmitAPDU":
+ this._handleTransmit(msg.data, callback);
+ break;
+ }
+ return null;
+ },
+
+ /**
+ * nsIObserver interface methods.
+ */
+
+ observe: function(subject, topic, data) {
+ if (topic === NS_XPCOM_SHUTDOWN_OBSERVER_ID) {
+ this._shutdown();
+ }
+ }
+};
+
+this.NSGetFactory = XPCOMUtils.generateNSGetFactory([SecureElementManager]);
diff --git a/dom/secureelement/gonk/SecureElement.manifest b/dom/secureelement/gonk/SecureElement.manifest
new file mode 100644
index 000000000..a76fcfc11
--- /dev/null
+++ b/dom/secureelement/gonk/SecureElement.manifest
@@ -0,0 +1,18 @@
+# Copyright 2012 Mozilla Foundation and Mozilla contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# SecureElementManager
+component {48f4e650-28d2-11e4-8c21-0800200c9a66} SecureElement.js
+contract @mozilla.org/secureelement/parent-manager;1 {48f4e650-28d2-11e4-8c21-0800200c9a66}
+category profile-after-change SecureElementManager @mozilla.org/secureelement/parent-manager;1
diff --git a/dom/secureelement/gonk/UiccConnector.js b/dom/secureelement/gonk/UiccConnector.js
new file mode 100644
index 000000000..517303de2
--- /dev/null
+++ b/dom/secureelement/gonk/UiccConnector.js
@@ -0,0 +1,360 @@
+/* Copyright 2012 Mozilla Foundation and Mozilla contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/* Copyright © 2014, Deutsche Telekom, Inc. */
+
+"use strict";
+
+/* globals Components, XPCOMUtils, SE, dump, libcutils, Services,
+ iccService, SEUtils */
+
+const { interfaces: Ci, utils: Cu, results: Cr } = Components;
+
+Cu.import("resource://gre/modules/XPCOMUtils.jsm");
+Cu.import("resource://gre/modules/Services.jsm");
+Cu.import("resource://gre/modules/systemlibs.js");
+
+XPCOMUtils.defineLazyGetter(this, "SE", function() {
+ let obj = {};
+ Cu.import("resource://gre/modules/se_consts.js", obj);
+ return obj;
+});
+
+// set to true in se_consts.js to see debug messages
+var DEBUG = SE.DEBUG_CONNECTOR;
+function debug(s) {
+ if (DEBUG) {
+ dump("-*- UiccConnector: " + s + "\n");
+ }
+}
+
+XPCOMUtils.defineLazyModuleGetter(this, "SEUtils",
+ "resource://gre/modules/SEUtils.jsm");
+
+XPCOMUtils.defineLazyServiceGetter(this, "iccService",
+ "@mozilla.org/icc/iccservice;1",
+ "nsIIccService");
+
+const UICCCONNECTOR_CONTRACTID =
+ "@mozilla.org/secureelement/connector/uicc;1";
+const UICCCONNECTOR_CID =
+ Components.ID("{8e040e5d-c8c3-4c1b-ac82-c00d25d8c4a4}");
+const NS_XPCOM_SHUTDOWN_OBSERVER_ID = "xpcom-shutdown";
+
+// TODO: Bug 1118099 - Add multi-sim support.
+// In the Multi-sim, there is more than one client.
+// For now, use default clientID as 0. Ideally, SE parent process would like to
+// know which clients (uicc slot) are connected to CLF over SWP interface.
+const PREFERRED_UICC_CLIENTID =
+ libcutils.property_get("ro.moz.se.def_client_id", "0");
+
+/**
+ * 'UiccConnector' object is a wrapper over iccService's channel management
+ * related interfaces that implements nsISecureElementConnector interface.
+ */
+function UiccConnector() {
+ this._init();
+}
+
+UiccConnector.prototype = {
+ QueryInterface: XPCOMUtils.generateQI([Ci.nsISecureElementConnector,
+ Ci.nsIIccListener]),
+ classID: UICCCONNECTOR_CID,
+ classInfo: XPCOMUtils.generateCI({
+ classID: UICCCONNECTOR_CID,
+ contractID: UICCCONNECTOR_CONTRACTID,
+ classDescription: "UiccConnector",
+ interfaces: [Ci.nsISecureElementConnector,
+ Ci.nsIIccListener,
+ Ci.nsIObserver]
+ }),
+
+ _SEListeners: [],
+ _isPresent: false,
+
+ _init: function() {
+ Services.obs.addObserver(this, NS_XPCOM_SHUTDOWN_OBSERVER_ID, false);
+ let icc = iccService.getIccByServiceId(PREFERRED_UICC_CLIENTID);
+ icc.registerListener(this);
+
+ // Update the state in order to avoid race condition.
+ // By this time, 'notifyCardStateChanged (with proper card state)'
+ // may have occurred already before this module initialization.
+ this._updatePresenceState();
+ },
+
+ _shutdown: function() {
+ Services.obs.removeObserver(this, NS_XPCOM_SHUTDOWN_OBSERVER_ID);
+ let icc = iccService.getIccByServiceId(PREFERRED_UICC_CLIENTID);
+ icc.unregisterListener(this);
+ },
+
+ _updatePresenceState: function() {
+ let uiccNotReadyStates = [
+ Ci.nsIIcc.CARD_STATE_UNKNOWN,
+ Ci.nsIIcc.CARD_STATE_ILLEGAL,
+ Ci.nsIIcc.CARD_STATE_PERSONALIZATION_IN_PROGRESS,
+ Ci.nsIIcc.CARD_STATE_PERMANENT_BLOCKED,
+ Ci.nsIIcc.CARD_STATE_UNDETECTED
+ ];
+
+ let cardState = iccService.getIccByServiceId(PREFERRED_UICC_CLIENTID).cardState;
+ let uiccPresent = cardState !== null &&
+ uiccNotReadyStates.indexOf(cardState) == -1;
+
+ if (this._isPresent === uiccPresent) {
+ return;
+ }
+
+ debug("Uicc presence changed " + this._isPresent + " -> " + uiccPresent);
+ this._isPresent = uiccPresent;
+ this._SEListeners.forEach((listener) => {
+ listener.notifySEPresenceChanged(SE.TYPE_UICC, this._isPresent);
+ });
+ },
+
+ // See GP Spec, 11.1.4 Class Byte Coding
+ _setChannelToCLAByte: function(cla, channel) {
+ if (channel < SE.LOGICAL_CHANNEL_NUMBER_LIMIT) {
+ // b7 = 0 indicates the first interindustry class byte coding
+ cla = (cla & 0x9C) & 0xFF | channel;
+ } else if (channel < SE.SUPPLEMENTARY_LOGICAL_CHANNEL_NUMBER_LIMIT) {
+ // b7 = 1 indicates the further interindustry class byte coding
+ cla = (cla & 0xB0) & 0xFF | 0x40 | (channel - SE.LOGICAL_CHANNEL_NUMBER_LIMIT);
+ } else {
+ debug("Channel number must be within [0..19]");
+ return SE.ERROR_GENERIC;
+ }
+ return cla;
+ },
+
+ _doGetOpenResponse: function(channel, length, callback) {
+ // Le value is set. It means that this is a request for all available
+ // response bytes.
+ let cla = this._setChannelToCLAByte(SE.CLA_GET_RESPONSE, channel);
+ this.exchangeAPDU(channel, cla, SE.INS_GET_RESPONSE, 0x00, 0x00,
+ null, length, {
+ notifyExchangeAPDUResponse: function(sw1, sw2, response) {
+ debug("GET Response : " + response);
+ if (callback) {
+ callback({
+ error: SE.ERROR_NONE,
+ sw1: sw1,
+ sw2: sw2,
+ response: response
+ });
+ }
+ },
+
+ notifyError: function(reason) {
+ debug("Failed to get open response: " +
+ ", Rejected with Reason : " + reason);
+ if (callback) {
+ callback({ error: SE.ERROR_INVALIDAPPLICATION, reason: reason });
+ }
+ }
+ });
+ },
+
+ _doIccExchangeAPDU: function(channel, cla, ins, p1, p2, p3,
+ data, appendResp, callback) {
+ let icc = iccService.getIccByServiceId(PREFERRED_UICC_CLIENTID);
+ icc.iccExchangeAPDU(channel, cla & 0xFC, ins, p1, p2, p3, data, {
+ notifyExchangeAPDUResponse: (sw1, sw2, response) => {
+ debug("sw1 : " + sw1 + ", sw2 : " + sw2 + ", response : " + response);
+
+ // According to ETSI TS 102 221 , Section 7.2.2.3.1,
+ // Enforce 'Procedure bytes' checks before notifying the callback.
+ // Note that 'Procedure bytes'are special cases.
+ // There is no need to handle '0x60' procedure byte as it implies
+ // no-action from SE stack perspective. This procedure byte is not
+ // notified to application layer.
+ if (sw1 === 0x6C) {
+ // Use the previous command header with length as second procedure
+ // byte (SW2) as received and repeat the procedure.
+
+ // Recursive! and Pass empty response '' as args, since '0x6C'
+ // procedure does not have to deal with appended responses.
+ this._doIccExchangeAPDU(channel, cla, ins, p1, p2,
+ sw2, data, "", callback);
+ } else if (sw1 === 0x61) {
+ // Since the terminal waited for a second procedure byte and
+ // received it (sw2), send a GET RESPONSE command header to the UICC
+ // with a maximum length of 'XX', where 'XX' is the value of the
+ // second procedure byte (SW2).
+
+ let claWithChannel = this._setChannelToCLAByte(SE.CLA_GET_RESPONSE,
+ channel);
+
+ // Recursive, with GET RESPONSE bytes and '0x61' procedure IS interested
+ // in appended responses. Pass appended response and note that p3=sw2.
+ this._doIccExchangeAPDU(channel, claWithChannel, SE.INS_GET_RESPONSE,
+ 0x00, 0x00, sw2, null,
+ (response ? response + appendResp : appendResp),
+ callback);
+ } else if (callback) {
+ callback.notifyExchangeAPDUResponse(sw1, sw2, response);
+ }
+ },
+
+ notifyError: (reason) => {
+ debug("Failed to trasmit C-APDU over the channel # : " + channel +
+ ", Rejected with Reason : " + reason);
+ if (callback) {
+ callback.notifyError(reason);
+ }
+ }
+ });
+ },
+
+ /**
+ * nsISecureElementConnector interface methods.
+ */
+
+ /**
+ * Opens a channel on a default clientId
+ */
+ openChannel: function(aid, callback) {
+ if (!this._isPresent) {
+ callback.notifyError(SE.ERROR_NOTPRESENT);
+ return;
+ }
+
+ // TODO: Bug 1118106: Handle Resource management / leaks by persisting
+ // the newly opened channel in some persistent storage so that when this
+ // module gets restarted (say after opening a channel) in the event of
+ // some erroneous conditions such as gecko restart /, crash it can read
+ // the persistent storage to check if there are any held resources
+ // (opened channels) and close them.
+ let icc = iccService.getIccByServiceId(PREFERRED_UICC_CLIENTID);
+ icc.iccOpenChannel(aid, {
+ notifyOpenChannelSuccess: (channel) => {
+ this._doGetOpenResponse(channel, 0x00, function(result) {
+ if (callback) {
+ callback.notifyOpenChannelSuccess(channel, result.response);
+ }
+ });
+ },
+
+ notifyError: (reason) => {
+ debug("Failed to open the channel to AID : " + aid +
+ ", Rejected with Reason : " + reason);
+ if (callback) {
+ callback.notifyError(reason);
+ }
+ }
+ });
+ },
+
+ /**
+ * Transmit the C-APDU (command) on default clientId.
+ */
+ exchangeAPDU: function(channel, cla, ins, p1, p2, data, le, callback) {
+ if (!this._isPresent) {
+ callback.notifyError(SE.ERROR_NOTPRESENT);
+ return;
+ }
+
+ if (data && data.length % 2 !== 0) {
+ callback.notifyError("Data should be a hex string with length % 2 === 0");
+ return;
+ }
+
+ cla = this._setChannelToCLAByte(cla, channel);
+ let lc = data ? data.length / 2 : 0;
+ let p3 = lc || le;
+
+ if (lc && (le !== -1)) {
+ data += SEUtils.byteArrayToHexString([le]);
+ }
+
+ // Pass empty response '' as args as we are not interested in appended
+ // responses yet!
+ debug("exchangeAPDU on Channel # " + channel);
+ this._doIccExchangeAPDU(channel, cla, ins, p1, p2, p3, data, "",
+ callback);
+ },
+
+ /**
+ * Closes the channel on default clientId.
+ */
+ closeChannel: function(channel, callback) {
+ if (!this._isPresent) {
+ callback.notifyError(SE.ERROR_NOTPRESENT);
+ return;
+ }
+
+ let icc = iccService.getIccByServiceId(PREFERRED_UICC_CLIENTID);
+ icc.iccCloseChannel(channel, {
+ notifyCloseChannelSuccess: function() {
+ debug("closeChannel successfully closed the channel # : " + channel);
+ if (callback) {
+ callback.notifyCloseChannelSuccess();
+ }
+ },
+
+ notifyError: function(reason) {
+ debug("Failed to close the channel # : " + channel +
+ ", Rejected with Reason : " + reason);
+ if (callback) {
+ callback.notifyError(reason);
+ }
+ }
+ });
+ },
+
+ registerListener: function(listener) {
+ if (this._SEListeners.indexOf(listener) !== -1) {
+ throw Cr.NS_ERROR_UNEXPECTED;
+ }
+
+ this._SEListeners.push(listener);
+ // immediately notify listener about the current state
+ listener.notifySEPresenceChanged(SE.TYPE_UICC, this._isPresent);
+ },
+
+ unregisterListener: function(listener) {
+ let idx = this._SEListeners.indexOf(listener);
+ if (idx !== -1) {
+ this._SEListeners.splice(idx, 1);
+ }
+ },
+
+ /**
+ * nsIIccListener interface methods.
+ */
+ notifyStkCommand: function() {},
+
+ notifyStkSessionEnd: function() {},
+
+ notifyIccInfoChanged: function() {},
+
+ notifyCardStateChanged: function() {
+ debug("Card state changed, updating UICC presence.");
+ this._updatePresenceState();
+ },
+
+ /**
+ * nsIObserver interface methods.
+ */
+
+ observe: function(subject, topic, data) {
+ if (topic === NS_XPCOM_SHUTDOWN_OBSERVER_ID) {
+ this._shutdown();
+ }
+ }
+};
+
+this.NSGetFactory = XPCOMUtils.generateNSGetFactory([UiccConnector]);
diff --git a/dom/secureelement/gonk/UiccConnector.manifest b/dom/secureelement/gonk/UiccConnector.manifest
new file mode 100644
index 000000000..5ac8b3b7b
--- /dev/null
+++ b/dom/secureelement/gonk/UiccConnector.manifest
@@ -0,0 +1,17 @@
+# Copyright 2012 Mozilla Foundation and Mozilla contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# UiccConnector
+component {8e040e5d-c8c3-4c1b-ac82-c00d25d8c4a4} UiccConnector.js
+contract @mozilla.org/secureelement/connector/uicc;1 {8e040e5d-c8c3-4c1b-ac82-c00d25d8c4a4}
diff --git a/dom/secureelement/gonk/gp_consts.js b/dom/secureelement/gonk/gp_consts.js
new file mode 100644
index 000000000..7c3bc7165
--- /dev/null
+++ b/dom/secureelement/gonk/gp_consts.js
@@ -0,0 +1,62 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* Copyright © 2015, Deutsche Telekom, Inc. */
+
+/* Object Directory File (ODF) is an elementary file which contain
+ pointers to other EFs. It is specified in PKCS#15 section 6.7. */
+this.ODF_DF = [0x50, 0x31];
+
+/* ISO 7816-4: secure messaging */
+this.CLA_SM = 0x00;
+
+/* ISO 7816-4, 5.4.1 table 11 */
+this.INS_SF = 0xA4; // select file
+this.INS_GR = 0xC0; // get response
+this.INS_RB = 0xB0; // read binary
+
+/* ISO 7816-4: select file, see 6.11.3, table 58 & 59 */
+this.P1_SF_DF = 0x00; // select DF
+this.P2_SF_FCP = 0x04; // return FCP
+
+/* ISO 7816-4: read binary, 6.1.3. P1 and P2 describe offset of the first byte
+ to be read. We always read the whole files at the moment. */
+this.P1_RB = 0x00;
+this.P2_RB = 0x00;
+
+/* ISO 7816-4: get response, 7.1.3 table 74, P1-P2 '0000' (other values RFU) */
+this.P1_GR = 0x00;
+this.P2_GR = 0x00;
+
+/* ISO 7816-4: 5.1.5 File Control Information, Table 1. For FCP and FMD. */
+this.TAG_PROPRIETARY = 0x00;
+this.TAG_NON_TLV = 0x53;
+this.TAG_BER_TLV = 0x73;
+
+/* ASN.1 tags */
+this.TAG_SEQUENCE = 0x30;
+this.TAG_OCTETSTRING = 0x04;
+this.TAG_OID = 0x06; // Object Identifier
+
+/* ISO 7816-4: 5.1.5 File Control Information, Templates. */
+this.TAG_FCP = 0x62; // File control parameters template
+this.TAG_FMD = 0x64; // File management data template
+this.TAG_FCI = 0x6F; // File control information template
+
+/* EF_DIR tags */
+this.TAG_APPLTEMPLATE = 0x61;
+this.TAG_APPLIDENTIFIER = 0x4F;
+this.TAG_APPLLABEL = 0x50;
+this.TAG_APPLPATH = 0x51;
+
+this.TAG_GPD_ALL = 0x82; // EF-ACRules - GPD spec. "all applets"
+
+/* Generic TLVs that are parsed */
+this.TAG_GPD_AID = 0xA0; // AID in the EF-ACRules - GPD spec, "one applet"
+this.TAG_EXTERNALDO = 0xA1; // External data objects - PKCS#15
+this.TAG_INDIRECT = 0xA5; // Indirect value.
+this.TAG_EF_ODF = 0xA7; // Elemenetary File Object Directory File
+
+// Allow this file to be imported via Components.utils.import().
+this.EXPORTED_SYMBOLS = Object.keys(this);
diff --git a/dom/secureelement/gonk/nsIAccessControlEnforcer.idl b/dom/secureelement/gonk/nsIAccessControlEnforcer.idl
new file mode 100644
index 000000000..7ad1a97f6
--- /dev/null
+++ b/dom/secureelement/gonk/nsIAccessControlEnforcer.idl
@@ -0,0 +1,32 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* Copyright © 2015, Deutsche Telekom, Inc. */
+
+#include "nsISupports.idl"
+
+interface nsIVariant;
+
+[scriptable, uuid(4994a960-26d9-4d71-82dd-4505bd97bf2a)]
+interface nsIAccessControlEnforcer : nsISupports
+{
+ /**
+ * Determines whether application identified by its ID should be allowed
+ * to access Secure Element's applet identified by its AID. Decision
+ * is made according to the GPD specification.
+ *
+ * @param localId
+ * ID of an application accessing SE
+ * @param seType
+ * Type of the SE.
+ * @param aid
+ * AID of a SE applet
+ * @return Promise which is resolved to true if access should be allowed,
+ * false otherwise, and rejected if the application contains
+ * no developer certificate.
+ */
+ jsval isAccessAllowed(in unsigned long localId,
+ in DOMString seType,
+ in DOMString aid);
+};
diff --git a/dom/secureelement/gonk/nsIAccessRulesManager.idl b/dom/secureelement/gonk/nsIAccessRulesManager.idl
new file mode 100644
index 000000000..173f57c90
--- /dev/null
+++ b/dom/secureelement/gonk/nsIAccessRulesManager.idl
@@ -0,0 +1,50 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* Copyright © 2015, Deutsche Telekom, Inc. */
+
+#include "nsISupports.idl"
+
+[scriptable, uuid(7baedd2a-3189-4b03-b2a3-34016043b5e2)]
+interface nsIAccessRulesManager : nsISupports
+{
+ /* Wildcard: rule allows all applications to access an SE applet */
+ const unsigned short ALLOW_ALL = 1;
+ /* Wildcard: rule denies all applications to access an SE applet */
+ const unsigned short DENY_ALL = 2;
+ /* Wildcard: rule allows application(s) access to all SE applets */
+ const unsigned short ALL_APPLET = 3;
+
+ /**
+ * Initiates Access Rules Manager, this should perform the initial
+ * reading of rules from access rule source
+ * @return Promise which is resolved if init is successful or rejected
+ * otherwise
+ */
+ jsval init();
+
+ /**
+ * Retrieves all access rules.
+ *
+ * Rules are stored in an array. Each rule contains the following properties:
+ * - applet - describes an SE applet referenced by this rule. Might equal
+ * to an applet AID (as a byte array), or to a wildcard "all"
+ * meaning all applets.
+ * - application - describes an application referenced by this rule. Might
+ * be an array of developer certificate hashes (each as
+ * a byte array) in which case it lists all applications
+ * allowed access. Alternatively, might equal to wildcard
+ * "allowed-all" or "denied-all".
+ *
+ * Example rule format:
+ * [{ applet: ALL_APPLET,
+ * application: [[0x01, 0x02, ..., 0x20],
+ * [0x20, 0x19, ...., 0x01]],
+ * { applet: [0x00, 0x01, ..., 0x05],
+ * application: ALLOW_ALL}}]
+ *
+ * @return Promise which resolves with Array containing parsed access rules
+ */
+ jsval getAccessRules();
+};
diff --git a/dom/secureelement/gonk/nsISecureElementConnector.idl b/dom/secureelement/gonk/nsISecureElementConnector.idl
new file mode 100644
index 000000000..92cc1eb2b
--- /dev/null
+++ b/dom/secureelement/gonk/nsISecureElementConnector.idl
@@ -0,0 +1,124 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+[scriptable, uuid(1ff3f35a-1b6f-4e65-a89e-a363b8604cd7)]
+interface nsISEChannelCallback : nsISupports
+{
+ /**
+ * Callback function to notify on successfully opening a logical channel.
+ *
+ * @param channel
+ * The Channel Number/Handle that is successfully opened.
+ * @param openResponse
+ * Response from SE for OpenChannel operation.
+ */
+ void notifyOpenChannelSuccess(in long channel, in DOMString openResponse);
+
+ /**
+ * Callback function to notify on successfully closing the logical channel.
+ *
+ */
+ void notifyCloseChannelSuccess();
+
+ /**
+ * Callback function to notify the status of 'seExchangeAPDU' command.
+ *
+ * @param sw1
+ * Response's First Status Byte
+ * @param sw2
+ * Response's Second Status Byte
+ * @param data
+ * Response's data
+ */
+ void notifyExchangeAPDUResponse(in octet sw1,
+ in octet sw2,
+ in DOMString data);
+
+ /**
+ * Callback function to notify error
+ *
+ * @param error
+ * Error describing the reason for failure.
+ */
+ void notifyError(in DOMString error);
+};
+
+[scriptable, uuid(417f59ee-f582-45b9-9a4e-e9dcefecb4f7)]
+interface nsISEListener : nsISupports
+{
+ void notifySEPresenceChanged(in DOMString seType, in boolean isPresent);
+};
+
+[scriptable, uuid(3cef313a-1d01-432d-9cd2-6610a80911f3)]
+interface nsISecureElementConnector : nsISupports
+{
+ /**
+ * Open a logical communication channel with the specific secure element type
+ *
+ * @param aid
+ * Application Identifier of the Card Applet on the secure element.
+ * @param callback
+ * callback to notify the result of the operation.
+ */
+ void openChannel(in DOMString aid,
+ in nsISEChannelCallback callback);
+
+ /**
+ * Exchanges APDU channel with the specific secure element type
+ *
+ * @param channel
+ * Channel on which C-APDU to be transmitted.
+ * @param cla
+ Class Byte.
+ * @param ins
+ Instruction Byte
+ * @param p1
+ Reference parameter first byte
+ * @param p2
+ Reference parameter second byte
+ * Refer to 3G TS 31.101 , 10.2 'Command APDU Structure' for all the cases.
+ * @param data
+ Sequence of C-APDU data octets
+ * @param le [optional]
+ * le is the length of expected response. If the response is not expected,
+ it should be explicitly set to -1.
+ * @param callback
+ * callback to notify the result of the operation.
+ */
+ void exchangeAPDU(in long channel,
+ in octet cla,
+ in octet ins,
+ in octet p1,
+ in octet p2,
+ in DOMString data,
+ in short le,
+ in nsISEChannelCallback callback);
+
+ /**
+ * Closes the logical communication channel to the specific secure element type
+ *
+ * @param channel
+ * Channel to be closed.
+ * @param callback
+ * callback to notify the result of the operation.
+ */
+ void closeChannel(in long channel,
+ in nsISEChannelCallback callback);
+
+ /**
+ * Register a Secure Element listener
+ *
+ * @param listener
+ */
+ void registerListener(in nsISEListener listener);
+
+ /**
+ * Unregister a Secure Element listener
+ *
+ * @param listener
+ */
+ void unregisterListener(in nsISEListener listener);
+};
diff --git a/dom/secureelement/gonk/se_consts.js b/dom/secureelement/gonk/se_consts.js
new file mode 100644
index 000000000..13489b7ae
--- /dev/null
+++ b/dom/secureelement/gonk/se_consts.js
@@ -0,0 +1,68 @@
+/* Copyright 2012 Mozilla Foundation and Mozilla contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/* Copyright © 2014, Deutsche Telekom, Inc. */
+
+// Set to true to debug SecureElement (SE) stack
+this.DEBUG_ALL = false;
+
+// Set individually to debug specific layers
+this.DEBUG_CONNECTOR = DEBUG_ALL || false;
+this.DEBUG_ACE = DEBUG_ALL || false ;
+this.DEBUG_SE = DEBUG_ALL || false ;
+
+// Maximun logical channels per session.
+// For 'uicc' SE type this value is 3, as opening a basic channel' : 0
+// is not allowed for security reasons. In such scenarios, possible
+// supplementary logical channels available are : [1, 2, or 3].
+// However,Other SE types may support upto max 4 (including '0').
+this.MAX_CHANNELS_ALLOWED_PER_SESSION = 4;
+
+this.BASIC_CHANNEL = 0;
+
+// According GPCardSpec 2.2
+this.MAX_APDU_LEN = 255; // including APDU header
+
+// CLA (1 byte) + INS (1 byte) + P1 (1 byte) + P2 (1 byte)
+this.APDU_HEADER_LEN = 4;
+
+this.LOGICAL_CHANNEL_NUMBER_LIMIT = 4;
+this.SUPPLEMENTARY_LOGICAL_CHANNEL_NUMBER_LIMIT = 20;
+
+this.MIN_AID_LEN = 5;
+this.MAX_AID_LEN = 16;
+
+this.CLA_GET_RESPONSE = 0x00;
+
+this.INS_SELECT = 0xA4;
+this.INS_MANAGE_CHANNEL = 0x70;
+this.INS_GET_RESPONSE = 0xC0;
+
+// Match the following errors with SecureElement.webidl's SEError enum values
+this.ERROR_NONE = "";
+this.ERROR_SECURITY = "SESecurityError";
+this.ERROR_IO = "SEIoError";
+this.ERROR_BADSTATE = "SEBadStateError";
+this.ERROR_INVALIDCHANNEL = "SEInvalidChannelError";
+this.ERROR_INVALIDAPPLICATION = "SEInvalidApplicationError";
+this.ERROR_GENERIC = "SEGenericError";
+this.ERROR_NOTPRESENT = "SENotPresentError";
+this.ERROR_ILLEGALPARAMETER = "SEIllegalParameterError";
+
+this.TYPE_UICC = "uicc";
+this.TYPE_ESE = "eSE";
+
+// Allow this file to be imported via Components.utils.import().
+this.EXPORTED_SYMBOLS = Object.keys(this);