Project: /_project.yaml Book: /_book.yaml
{% include “_versions.html” %}
To provide better security, some devices have an embedded Secure Element (SE), which is dedicated, separate tamper-resistant hardware to store cryptographic data. Open Mobile API is a standard API{: .external} used to communicate with a device's Secure Element. Android {{ androidPVersionNumber }} introduces support for this API and provides a backend implementation including Secure Element Service and SE HAL.
Secure Element Service checks support for Global platform-supported Secure Elements (essentially checks if devices have SE HAL implementation and if yes, how many). This is used as the basis to test the API and the underlying Secure Element implementation.
Open Mobile API (OMAPI) test cases are used to enforce API guidelines and to confirm the underlying implementation of Secure Elements meets the Open Mobile API specification. These test cases require installation of a special applet, a Java Card application on Secure Element, that is used by the CTS application for communication. For installation, use the sample applet found in google-cardlet.cap{: .external}.
To pass OMAPI test cases, the underlying Secure Element Service and the SE should be capable of the following:
<table>
<thead>
<tr>
<th>APDU</th>
<th>Status word</th>
<th>Response length (bytes)</th>
</tr>
</thead>
<tbody>
<tr>
<td>0x00C2080000</td>
<td>0x9000</td>
<td>2048</td>
</tr>
<tr>
<td>0x00C4080002123400</td>
<td>0x9000</td>
<td>2048</td>
</tr>
<tr>
<td>0x00C6080000</td>
<td>0x9000</td>
<td>2048</td>
</tr>
<tr>
<td>0x00C8080002123400</td>
<td>0x9000</td>
<td>2048</td>
</tr>
<tr>
<td>0x00C27FFF00</td>
<td>0x9000</td>
<td>2048</td>
</tr>
<tr>
<td>0x00CF080000</td>
<td>0x9000</td>
<td>32767</td>
</tr>
<tr>
<td>0x94C2080000</td>
<td>0x9000</td>
<td>2048</td>
</tr>
</tbody>
</table>
</li>
<li>The applet should return success status word <code>0x9000</code> for
the given
APDU: 0x00F40000</li>
</ol>
Access Control uses configured in the Secure Element ensure that only the application with access to an applet can communicate with it. Additionally, Android supports configuring rules for specific APDUs that can be exchanged by the APK.
To pass these tests, configure special Access Control Rules, either Access Rule Application Master (ARA) or Access Rule File (ARF). You should use the applet that is used for OMAPI tests as the same commands need to be supported to pass the Access Control tests.
Create an instance of the applet under these AIDs:
CtsSecureElementAccessControlTestCases1Hash of the APK: 0x4bbe31beb2f753cfe71ec6bf112548687bb6c34e
Authorized AIDs
0xA000000476416E64726F696443545340
Authorized APDUs:
Unauthorized APDUs:
0xA000000476416E64726F696443545341
Authorized APDUs:
Unauthorized APDUs:
0xA000000476416E64726F696443545342
0xA000000476416E64726F696443545344
0xA000000476416E64726F696443545345
0xA000000476416E64726F696443545347
0xA000000476416E64726F696443545348
0xA000000476416E64726F696443545349
0xA000000476416E64726F69644354534A
0xA000000476416E64726F69644354534B
0xA000000476416E64726F69644354534C
0xA000000476416E64726F69644354534D
0xA000000476416E64726F69644354534E
0xA000000476416E64726F69644354534F
Unauthorized AIDs
CtsSecureElementAccessControlTestCases2Hash of the APK: 0x93b0ff2260babd4c2a92c68aaa0039dc514d8a33
Authorized AIDs:
0xA000000476416E64726F696443545340
Authorized APDUs:
Unauthorized APDUs:
0xA000000476416E64726F696443545341
Authorized APDUs:
Unauthorized APDUs:
0xA000000476416E64726F696443545343
0xA000000476416E64726F696443545345
0xA000000476416E64726F696443545346
Unauthorized AIDs
CtsSecureElementAccessControlTestCases3Hash of the APK: 0x5528ca826da49d0d7329f8117481ccb27b8833aa
Authorized AIDs:
0xA000000476416E64726F696443545340
Authorized APDUs:
0xA000000476416E64726F696443545341
Authorized APDUs:
Unauthorized APDUs:
0xA000000476416E64726F696443545345
0xA000000476416E64726F696443545346
Unauthorized AIDs
File name: google-cardlet.cap
Package AID: 6F 6D 61 70 69 63 61 72 64 6C 65 74
Version: 1.63
Hash: 5F72E0A073BA9E61A7358F2FE3F031A99F3F81E9
Applets:
6F 6D 61 70 69 4A 53 52 31 37 37 = SelectResponse module
6F 6D 61 70 69 43 61 63 68 69 6E 67 = XXLResponse module
Imports:
javacard.framework v1.3 - A0000000620101
java.lang v1.0 - A0000000620001
uicc.hci.framework v1.0 - A0000000090005FFFFFFFF8916010000
uicc.hci.services.cardemulation v1.0 - A0000000090005FFFFFFFF8916020100
uicc.hci.services.connectivity v1.0 - A0000000090005FFFFFFFF8916020200
Size on card: 39597
Load the google-cardlet.cap{: .external} file to the SIM card using the appropriate procedure (check with your SE manufacturers).
Run installation command for each applet.
Command to install applet
80E60C00300C6F6D617069636172646C65740Bmodule_AID10AID010002C90000
Module_AID: 6F 6D 61 70 69 4A 53 52 31 37 37
AID: A000000476416E64726F696443545331
80E60C00310C6F6D617069636172646C65740Bmodule_AID10AID010002C9000
Module_AID: 6F 6D 61 70 69 43 61 63 68 69 6E 67
AID: A000000476416E64726F696443545332
80E60C003C0C6F6D617069636172646C65740Bmodule_AID10AID01000EEF0AA008810101A5038201C0C90000
Module_AID: 6F 6D 61 70 69 4A 53 52 31 37 37
AIDs:
For step-by-step commands to set up the PKCS#15 structure matching the CTS tests, see Commands for PKCS#15.