CTS test for Secure Element

To provide better security, some devices have an embedded Secure Element (SE), which is dedicated, separate tamper-resistant hardware to store cryptographic data. Open Mobile API is a standard API used to communicate with a device's Secure Element. Android 9 introduces support for this API and provides a backend implementation including Secure Element Service and SE HAL.

Secure Element Service checks support for Global platform-supported Secure Elements (essentially checks if devices have SE HAL implementation and if yes, how many). This is used as the basis to test the API and the underlying Secure Element implementation.

Open Mobile API test cases

Open Mobile API (OMAPI) test cases are used to enforce API guidelines and to confirm the underlying implementation of Secure Elements meets the Open Mobile API specification. These test cases require installation of a special applet, a Java Card application on Secure Element, that is used by the CTS application for communication. For installation, use the sample applet found in google-cardlet.cap.

To pass OMAPI test cases, the underlying Secure Element Service and the SE should be capable of the following:

  1. All Secure Element Reader names should start with SIM, eSE, or SD.
  2. Non-SIM based readers should be capable of opening basic channels.
  3. CtsOmapiTestCases.apk should not be capable of selecting the A000000476416E64726F6964435453FF AID:
  4. CtsOmapiTestCases.apk should be capable of selecting an applet with the following application identifiers (AIDs):
    1. 0xA000000476416E64726F696443545331
      1. The applet should throw a Security Exception when it receives the following application protocol data unit (APDUs) in android.se.omapi.Channel.Transmit (Transmit):
        1. 0x00700000
        2. 0x00708000
        3. 0x00A40404104A535231373754657374657220312E30
      2. The applet should return no data when it receives the following APDUs in Transmit:
        1. 0x00060000
        2. 0x80060000
        3. 0xA0060000
        4. 0x94060000
        5. 0x000A000001AA
        6. 0x800A000001AA
        7. 0xA00A000001AA
        8. 0x940A000001AA
      3. The applet should return 256-byte data for the following Transmit APDUs:
        1. 0x0008000000
        2. 0x8008000000
        3. 0xA008000000
        4. 0x9408000000
        5. 0x000C000001AA00
        6. 0x800C000001AA00
        7. 0xA00C000001AA00
        8. 0x940C000001AA00
      4. The applet should return the following status word responses for the respective Transmit APDU:
        Transmit APDU Status word Data
        0x00F30106 0x6200 No
        0x00F30206 0x6281 No
        0x00F30306 0x6282 No
        0x00F30406 0x6283 No
        0x00F30506 0x6285 No
        0x00F30606 0x62F1 No
        0x00F30706 0x62F2 No
        0x00F30806 0x63F1 No
        0x00F30906 0x63F2 No
        0x00F30A06 0x63C2 No
        0x00F30B06 0x6202 No
        0x00F30C06 0x6280 No
        0x00F30D06 0x6284 No
        0x00F30E06 0x6286 No
        0x00F30F06 0x6300 No
        0x00F31006 0x6381 No
        0x00F3010A01AA 0x6200 No
        0x00F3020A01AA 0x6281 No
        0x00F3030A01AA 0x6282 No
        0x00F3040A01AA 0x6283 No
        0x00F3050A01AA 0x6285 No
        0x00F3060A01AA 0x62F1 No
        0x00F3070A01AA 0x62F2 No
        0x00F3080A01AA 0x63F1 No
        0x00F3090A01AA 0x63F2 No
        0x00F30A0A01AA 0x63C2 No
        0x00F30B0A01AA 0x6202 No
        0x00F30C0A01AA 0x6280 No
        0x00F30D0A01AA 0x6284 No
        0x00F30E0A01AA 0x6286 No
        0x00F30F0A01AA 0x6300 No
        0x00F3100A01AA 0x6381 No
        0x00F3010800 0x6200 Yes
        0x00F3020800 0x6281 Yes
        0x00F3030800 0x6282 Yes
        0x00F3040800 0x6283 Yes
        0x00F3050800 0x6285 Yes
        0x00F3060800 0x62F1 Yes
        0x00F3070800 0x62F2 Yes
        0x00F3080800 0x63F1 Yes
        0x00F3090800 0x63F2 Yes
        0x00F30A0800 0x63C2 Yes
        0x00F30B0800 0x6202 Yes
        0x00F30C0800 0x6280 Yes
        0x00F30D0800 0x6284 Yes
        0x00F30E0800 0x6286 Yes
        0x00F30F0800 0x6300 Yes
        0x00F3100800 0x6381 Yes
        0x00F3010C01AA00 0x6200 Yes*
        0x00F3020C01AA00 0x6281 Yes*
        0x00F3030C01AA00 0x6282 Yes*
        0x00F3040C01AA00 0x6283 Yes*
        0x00F3050C01AA00 0x6285 Yes*
        0x00F3060C01AA00 0x62F1 Yes*
        0x00F3070C01AA00 0x62F2 Yes*
        0x00F3080C01AA00 0x63F1 Yes*
        0x00F3090C01AA00 0x63F2 Yes*
        0x00F30A0C01AA00 0x63C2 Yes*
        0x00F30B0C01AA00 0x6202 Yes*
        0x00F30C0C01AA00 0x6280 Yes*
        0x00F30D0C01AA00 0x6284 Yes*
        0x00F30E0C01AA00 0x6286 Yes*
        0x00F30F0C01AA00 0x6300 Yes*
        0x00F3100C01AA00 0x6381 Yes*
        *The response should contain data that is the same as input APDU, except the first byte is 0x01 instead of 0x00.
      5. The applet should return segmented responses with 0xFF as the last data byte and have the respective status words and response lengths for the following APDUs.
        APDU Status word Response length (bytes)
        0x00C2080000 0x9000 2048
        0x00C4080002123400 0x9000 2048
        0x00C6080000 0x9000 2048
        0x00C8080002123400 0x9000 2048
        0x00C27FFF00 0x9000 32767
        0x00CF080000 0x9000 2048
        0x94C2080000 0x9000 2048
      6. The applet should return the value of P2 received in the SELECT command + the success status word (i.e 0x009000) for the given APDU: 0x00F4000000
    2. A000000476416E64726F696443545332
      1. When selected, this AID should return a select response greater than 2 bytes that are correctly formatted using Basic Encoding Rules (BER) and tag-length-value (TLV).

CtsOmapiTestCases

  • Hash of the APK: 0x5cc49e0bc83927486fbb3a17ed37276cbbceb290

Access Control test cases

Access Control uses configured in the Secure Element ensure that only the application with access to an applet can communicate with it. Additionally, Android supports configuring rules for specific APDUs that can be exchanged by the APK.

To pass these tests, configure special Access Control Rules, either Access Rule Application Master (ARA) or Access Rule File (ARF). You should use the applet that is used for OMAPI tests as the same commands need to be supported to pass the Access Control tests.

Create an instance of the applet under these AIDs:

  • 0xA000000476416E64726F696443545340
  • 0xA000000476416E64726F696443545341
  • 0xA000000476416E64726F696443545342
  • 0xA000000476416E64726F696443545343
  • 0xA000000476416E64726F696443545344
  • 0xA000000476416E64726F696443545345
  • 0xA000000476416E64726F696443545346
  • 0xA000000476416E64726F696443545347
  • 0xA000000476416E64726F696443545348
  • 0xA000000476416E64726F696443545349
  • 0xA000000476416E64726F69644354534A
  • 0xA000000476416E64726F69644354534B
  • 0xA000000476416E64726F69644354534C
  • 0xA000000476416E64726F69644354534D
  • 0xA000000476416E64726F69644354534E
  • 0xA000000476416E64726F69644354534F

When selected, any of these AIDs should return a select response greater than 2 bytes that are correctly formatted using BER and TLV.

CtsSecureElementAccessControlTestCases1

  • Hash of the APK: 0x4bbe31beb2f753cfe71ec6bf112548687bb6c34e

  • Authorized AIDs

    • 0xA000000476416E64726F696443545340

      1. Authorized APDUs:

        1. 0x00060000
        2. 0xA0060000

      2. Unauthorized APDUs:

        1. 0x0008000000
        2. 0x80060000
        3. 0xA008000000
        4. 0x9406000000

    • 0xA000000476416E64726F696443545341

      1. Authorized APDUs:

        1. 0x94060000
        2. 0x9408000000
        3. 0x940C000001AA00
        4. 0x940A000001AA

      2. Unauthorized APDUs:

        1. 0x00060000
        2. 0x80060000
        3. 0xA0060000
        4. 0x0008000000
        5. 0x000A000001AA
        6. 0x800A000001AA
        7. 0xA00A000001AA
        8. 0x8008000000
        9. 0xA008000000
        10. 0x000C0000001AA00
        11. 0x800C000001AA00
        12. 0xA00C000001AA00

    • 0xA000000476416E64726F696443545342

    • 0xA000000476416E64726F696443545344

    • 0xA000000476416E64726F696443545345

    • 0xA000000476416E64726F696443545347

    • 0xA000000476416E64726F696443545348

    • 0xA000000476416E64726F696443545349

    • 0xA000000476416E64726F69644354534A

    • 0xA000000476416E64726F69644354534B

    • 0xA000000476416E64726F69644354534C

    • 0xA000000476416E64726F69644354534D

    • 0xA000000476416E64726F69644354534E

    • 0xA000000476416E64726F69644354534F

  • Unauthorized AIDs

    • 0xA000000476416E64726F696443545343
    • 0xA000000476416E64726F696443545346

CtsSecureElementAccessControlTestCases2

  • Hash of the APK: 0x93b0ff2260babd4c2a92c68aaa0039dc514d8a33

  • Authorized AIDs:

    • 0xA000000476416E64726F696443545340

      1. Authorized APDUs:

        1. 0x00060000
        2. 0xA0060000

      2. Unauthorized APDUs:

        1. 0x0008000000
        2. 0x80060000
        3. 0xA008000000
        4. 0x9406000000

    • 0xA000000476416E64726F696443545341

      1. Authorized APDUs:

        1. 0x94060000
        2. 0x9408000000
        3. 0x940C000001AA00
        4. 0x940A000001AA

      2. Unauthorized APDUs:

        1. 0x0006000
        2. 0x80060000
        3. 0xA0060000
        4. 0x0008000000
        5. 0x000A000001AA
        6. 0x800A000001AA
        7. 0xA00A000001AA
        8. 0x8008000000
        9. 0xA008000000
        10. 0x000C000001AA00
        11. 0x800C000001AA00
        12. 0xA00C000001AA00

    • 0xA000000476416E64726F696443545343

    • 0xA000000476416E64726F696443545345

    • 0xA000000476416E64726F696443545346

  • Unauthorized AIDs

    • 0xA000000476416E64726F696443545342
    • 0xA000000476416E64726F696443545344
    • 0xA000000476416E64726F696443545347
    • 0xA000000476416E64726F696443545348
    • 0xA000000476416E64726F696443545349
    • 0xA000000476416E64726F69644354534A
    • 0xA000000476416E64726F69644354534B
    • 0xA000000476416E64726F69644354534C
    • 0xA000000476416E64726F69644354534D
    • 0xA000000476416E64726F69644354534E
    • 0xA000000476416E64726F69644354534F

CtsSecureElementAccessControlTestCases3

  • Hash of the APK: 0x5528ca826da49d0d7329f8117481ccb27b8833aa

  • Authorized AIDs:

    • 0xA000000476416E64726F696443545340

      1. Authorized APDUs:

        1. 0x00060000
        2. 0x80060000
        3. 0xA0060000
        4. 0x94060000
        5. 0x000A000001AA
        6. 0x800A000001AA
        7. 0xA00A000001AA
        8. 0x940A000001AA
        9. 0x0008000000
        10. 0x8008000000
        11. 0xA008000000
        12. 0x9408000000
        13. 0x000C000001AA00
        14. 0x800C000001AA00
        15. A00C000001AA00
        16. 940C000001AA00

    • 0xA000000476416E64726F696443545341

      1. Authorized APDUs:

        1. 0x94060000
        2. 0x9408000000
        3. 0x940C000001AA00
        4. 0x940A00000aAA

      2. Unauthorized APDUs:

        1. 0x00060000
        2. 0x80060000
        3. 0xA0060000
        4. 0x0008000000
        5. 0x000A000001AA
        6. 0x800A000001AA
        7. 0xA00A000001AA
        8. 0x8008000000
        9. 0xA008000000
        10. 0x000C000001AA00
        11. 0x800C000001AA00
        12. 0xA00C000001AA00

    • 0xA000000476416E64726F696443545345

    • 0xA000000476416E64726F696443545346

  • Unauthorized AIDs

    • 0xA000000476416E64726F696443545342
    • 0xA000000476416E64726F696443545343
    • 0xA000000476416E64726F696443545344
    • 0xA000000476416E64726F696443545347
    • 0xA000000476416E64726F696443545348
    • 0xA000000476416E64726F696443545349
    • 0xA000000476416E64726F69644354534A
    • 0xA000000476416E64726F69644354534B
    • 0xA000000476416E64726F69644354534C
    • 0xA000000476416E64726F69644354534D
    • 0xA000000476416E64726F69644354534E
    • 0xA000000476416E64726F69644354534F

Appendix

Sample applet and installation steps for UMTS Integrated Circuit Card (UICC)

1. Package specification

File name: google-cardlet.cap

Package AID: 6F 6D 61 70 69 63 61 72 64 6C 65 74
Version: 1.63
Hash: 5F72E0A073BA9E61A7358F2FE3F031A99F3F81E9

Applets:
6F 6D 61 70 69 4A 53 52 31 37 37 = SelectResponse module
6F 6D 61 70 69 43 61 63 68 69 6E 67 = XXLResponse module

Imports:
javacard.framework v1.3 - A0000000620101
java.lang v1.0 - A0000000620001
uicc.hci.framework v1.0 - A0000000090005FFFFFFFF8916010000
uicc.hci.services.cardemulation v1.0 - A0000000090005FFFFFFFF8916020100
uicc.hci.services.connectivity v1.0 - A0000000090005FFFFFFFF8916020200

Size on card: 39597

2. Installation steps

Load the google-cardlet.cap file to the SIM card using the appropriate procedure (check with your SE manufacturers).

Run installation command for each applet.

OMAPI tests

Command to install applet

80E60C00300C6F6D617069636172646C65740Bmodule_AID10AID01000EEF0AA008810101A5038201C0C9000000
Module_AID: 6F 6D 61 70 69 4A 53 52 31 37 37
AID: A000000476416E64726F696443545331

80E60C00310C6F6D617069636172646C65740Bmodule_AID10AID010002C9000
Module_AID: 6F 6D 61 70 69 43 61 63 68 69 6E 67
AID: A000000476416E64726F696443545332

AccessControl tests (template using PKCS#15 structure)

80E60C003C0C6F6D617069636172646C65740Bmodule_AID10AID01000EEF0AA008810101A5038201C0C9000000
Module_AID: 6F 6D 61 70 69 4A 53 52 31 37 37

AIDs:

  • 0xA000000476416E64726F696443545340
  • 0xA000000476416E64726F696443545341
  • 0xA000000476416E64726F696443545342
  • 0xA000000476416E64726F696443545344
  • 0xA000000476416E64726F696443545345
  • 0xA000000476416E64726F696443545347
  • 0xA000000476416E64726F696443545348
  • 0xA000000476416E64726F696443545349
  • 0xA000000476416E64726F69644354534A
  • 0xA000000476416E64726F69644354534B
  • 0xA000000476416E64726F69644354534C
  • 0xA000000476416E64726F69644354534D
  • 0xA000000476416E64726F69644354534E
  • 0xA000000476416E64726F69644354534F

For step-by-step commands to set up the PKCS#15 structure matching the CTS tests, see Commands for PKCS#15.