Bugzilla

Jonas Sicking (:sicking) No longer reading bugmail consistently

Assignee

Updated

•

11 years ago

Blocks: 884594

Comment 3

•

11 years ago

Is there any documentation for how these "secure elements" work? Like what use cases they are trying to address, and a high level description of how they address them?

arno

Comment 4

•

11 years ago

very high-level blurb: http://www.globalplatform.org/mediaguideSE.asp On a technical level, a SE is a tamper-resistent Java Card platform. They are often used in payment solutions (e.g., Google Wallet). The payment process is handled by a Cardlet running on the SE that communicates directly with the POS (Point of Sales) terminal via NFC. SE can also be used for other applications such as secure vaults. We implement part of the Global Platform API for APDU exchange with the SE.

Paul Theriault [:pauljt] (no longer reading bugmail)

Assignee

Comment 5

•

11 years ago

Some more information here , SE on Android http://nelenkov.blogspot.nl/2012/08/accessing-embedded-secure-element-in.html

Updated

•

11 years ago

Depends on: 749325

Kai-Chih Hu [:khu]

Updated

•

11 years ago

Blocks: 894691
No longer blocks: b2g-nfc

Jason Smith [:jsmith]

Updated

•

11 years ago

Component: DOM: Device Interfaces → NFC

Product: Core → Boot2Gecko

Version: Trunk → unspecified

Paul Theriault [:pauljt] (no longer reading bugmail)

Updated

•

11 years ago

No longer depends on: 749325

Comment 6

•

11 years ago

Attached file API Proposal for various secure elements (obsolete) — Details

Comment 7

•

11 years ago

At this moment, I'm focusing on the UICC secure element, but in the future, the platform should be able to treat dual sims and other elements in a consistent manner. To enable us to develop step-by-step, I'd like to propose the API attached. (I'll revise it to webidl format soon)

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Comment 8

•

11 years ago

Attached file API Proposal for various secure elements — Details

The attached file is a proposal for SecureElement API in webidl format. It consists of (1)MozSeManger, SecureElement and SeChannel definition and (2)modification on the MozIccManger. Taking into consideration on private comments and https://bugzilla.mozilla.org/show_bug.cgi?id=894691, I omitted the basic-channel access. Any comments are highly appreciated.

Attachment #804860 - Attachment is obsolete: true

Updated

•

11 years ago

Attachment #806426 - Attachment is patch: true

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Updated

•

11 years ago

Attachment #806426 - Attachment is patch: false

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Comment 9

•

11 years ago

Hi, Junichi-san If you're purposing an API for SE, maybe we need to file another bug for that, because this bug is focus on the 'NFC' secure element. For the file you uploaded, you can format it as a patch. see https://developer.mozilla.org/en-US/docs/Mercurial_FAQ#How_can_I_generate_a_patch_for_somebody_else_to_check-in_for_me.3F Using a patch here is easier to comment on the particular line. So I don't have to copy & paste the code into this comment again. And split it to two parts. 1. remove the API from IccManager 2. SE API And for the newer API, we no longer prefix with 'Moz', see https://wiki.mozilla.org/User:Overholt/APIExposurePolicy (nsIDOMMozIccManager is landed before this annoucement) Back to your patch partial interface nsIDOMMozIccManager { /** * Returns SecureElement object belonging UICC * * Returned object should be identical to an element of mozSeManager.getSecureElements('SIM'); */ SecureElement getSecureElement(); Why do we need this? Can't this be done by your SE-API? /** * SeManger * Manages all secure elements on the platform */ interface MozSeManager { We prefer full name in the interface, SecureElementManager is more clear here. /** * Select a secure element for NFC card-emulation mode */ attribute MozSecureElement cardEmulator; is this card emulation mode NFC-only? For example UICC and ASSD won't have this mode ? if it's nfc-only, we should consider do it in this bug. (We'd like to divide things into small parts to make it easier) interface MozSecureElement { /* e.g. 'SIM***', 'eSE***' or 'SD***' */ readonly attribute DOMString name; You could use an enum for that. But if we're not going to implement ASSD(Secure Element on SDcard), we shouldn't list it here, or need to file another bug for it. /** * Opens channel and select the specified application. * * @param ApplicationId is application id expressed in a hex string, e.g. 'ff00dd11bb22..' * * @return req.result will be a Channel object if succeeded. * * Note: We shortened manager-provider-session-channel sequence presented at * https://bugzilla.mozilla.org/show_bug.cgi?id=840780#c27 */ DOMRequest openChannel(DOMString applicationId); How do you get applicationId here? For UICC I know we still need to expose it to Web and I will work on that soon, but how about NFC? And do we need TransactionListener here?

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

•

11 years ago

Attached 4 IDLs, main one being nsISecureElementInterface.idl. These are initial (draft version) IDLs on FxOS. Using these interfaces, we were able to access UICC and embedded SE on our prototype implementation.

Updated

•

11 years ago

Blocks: b2g-nfc

Kai-Chih Hu [:khu]

Updated

•

11 years ago

blocking-b2g: --- → 1.4+

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Comment 17

•

11 years ago

removing 1.4+ flag.

blocking-b2g: 1.4+ → ---

Assignee

Comment 18

•

11 years ago

Attached image FxOS_SecureElement_Architecture_v1.png — Details

Firefox Secure Element Architecture Updated (As per the consensus arrived during Poland Work Week)

Attachment #758660 - Attachment is obsolete: true

Assignee

Comment 19

•

11 years ago

Attached file MozSecureElementManager.webidl (obsolete) — Details

Attachment #809313 - Attachment is obsolete: true

Attachment #809314 - Attachment is obsolete: true

Attachment #809315 - Attachment is obsolete: true

Attachment #809317 - Attachment is obsolete: true

Assignee

Comment 20

•

11 years ago

Attached file MozSecureElementObjects.webidl (obsolete) — Details

Assignee

Updated

•

11 years ago

Depends on: 979158

Assignee

Updated

•

11 years ago

Attachment #8374418 - Flags: feedback?(jonas)

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Assignee

Updated

•

11 years ago

Attachment #8374419 - Flags: feedback?(jonas)

Updated

•

11 years ago

Blocks: 979158

No longer depends on: 979158

Ming Yin

Updated

•

11 years ago

Blocks: 979767

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Updated

•

11 years ago

Depends on: 921320

Jonas Sicking (:sicking) No longer reading bugmail consistently

Comment 21

•

Comment 27

•

11 years ago

Attached file MozSecureElementManager.webidl (obsolete) — Details

Attachment #8374418 - Attachment is obsolete: true

Attachment #8374418 - Flags: feedback?(jonas)

Assignee

Comment 28

•

11 years ago

Attached file MozSecureElementObjects.webidl (obsolete) — Details

Attachment #8374419 - Attachment is obsolete: true

Attachment #8374419 - Flags: feedback?(jonas)

Attachment #8396844 - Flags: feedback?(jonas)

Jonas Sicking (:sicking) No longer reading bugmail consistently

Assignee

Updated

•

Updated

•

11 years ago

Attachment #8396844 - Flags: feedback?(jonas) → feedback?(allstars.chh)

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

•

11 years ago

(In reply to Yoshi Huang[:allstars.chh] from comment #44) > >[JSImplementation="@mozilla.org/secureelement/SecureElement;1"] > >interface MozSecureElement { > > This should be named MozReader > Or MozSecureElementReader

Sandip Kamat

Comment 46

•

11 years ago

Quick Note: Currently all NFC payment user stories are covered under: Bug 979152, Bug 979154, Bug 979157, Bug 979158, 884478. All the dependencies for those should be marked in those meta bugs.

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Assignee

Comment 47

•

11 years ago

Attached patch (v1.1) Secure Element APIs - Inital Draft (obsolete) — Details — Splinter Review

Attachment #8396843 - Attachment is obsolete: true

Attachment #8396844 - Attachment is obsolete: true

Attachment #8396852 - Attachment is obsolete: true

Attachment #8438175 - Flags: feedback?(allstars.chh)

•

10 years ago

Sid, there is a copy/paste error in MozSecureElement.webidl. The attribute 'isBasicChannel' should be defined in MozSEChannel interface, instead of MozSESession interface.

Comment 52

•

10 years ago

Comment on attachment 8438779 [details] [diff] [review] (v1.2) Secure Element APIs - Inital Draft Review of attachment 8438779 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/webidl/MozSecureElement.webidl @@ +5,5 @@ > +[JSImplementation="@mozilla.org/secureelement/SEReader;1"] > +interface MozSEReader { > + > + // 'true' if a secure element is present > + readonly attribute boolean sePresent; For boolean, prefix with 'is'. extra space before sePresent. @@ +32,5 @@ > +[JSImplementation="@mozilla.org/secureelement/SESession;1"] > +interface MozSESession { > + > + // Status of current session > + readonly attribute boolean isActive; When will it be 'inactive'? Or this variable will be false when we call reader.close() ? then it seems 'isClosed' is more appropriate. @@ +34,5 @@ > + > + // Status of current session > + readonly attribute boolean isActive; > + > + // is it a basic channel ? Is @@ +35,5 @@ > + // Status of current session > + readonly attribute boolean isActive; > + > + // is it a basic channel ? > + readonly attribute boolean isBasicChannel; What's this? @@ +38,5 @@ > + // is it a basic channel ? > + readonly attribute boolean isBasicChannel; > + > + // Answer to Reset provided by the secure element, null if not provided > + readonly attribute octet[] atr; extra spaces before attr. @@ +62,5 @@ > + * @return If the operation is successful the promise is resolved with an instance of MozSEChannel. > + * NOTE: Some secure elements may deny opening a basic channel. In such a scenario, promise is resolved with SEIoError. > + */ > + // Promise<MozSEChannel> > + Promise<Channel> openBasicChannel (octet[] aid); remove <Channel>, and extra space before (octet[] aid) @@ +65,5 @@ > + // Promise<MozSEChannel> > + Promise<Channel> openBasicChannel (octet[] aid); > + > + /** > + * Close the active communication channel to the application on Secure Element. This will also Closes. @@ +76,5 @@ > +}; > + > +[JSImplementation="@mozilla.org/secureelement/SEChannel;1"] > +interface MozSEChannel { > + you don't have isClosed(). @@ +78,5 @@ > +[JSImplementation="@mozilla.org/secureelement/SEChannel;1"] > +interface MozSEChannel { > + > + // Handle of current channel that represents a logical connection with the SE > + readonly attribute long channel; Is this a channel ID? Why do web apps needs to know the channelId given that we already have a MozSEChannel object? Also why doesn't other objects like Reader, Session doesn't have a 'id'? @@ +87,5 @@ > + * @param apdu > + * MozSECommand to be sent to secure element > + * > + * @return If success, the promise is resolved with the new created > + * MozSEResponse object. Otherwise, rejected with an error. Can't MozSEResponse be used for error? @@ +90,5 @@ > + * @return If success, the promise is resolved with the new created > + * MozSEResponse object. Otherwise, rejected with an error. > + */ > + // Promise<MozSEResponse> > + Promise transmit(MozSECommand apdu); s/apdu/command/ @@ +93,5 @@ > + // Promise<MozSEResponse> > + Promise transmit(MozSECommand apdu); > + > + /** > + * Close the active channel Closes, and add '.' at the end. @@ +104,5 @@ > + > +[Constructor(octet data, octet ins, octet p1, octet p2, optional ArrayBufferView data, optional octet le)] > +interface MozSECommand { > + > + // Interface that represents an APDU command to be sent to a secure element. This comment should be moved to before 'Constructor'. @@ +114,5 @@ > + attribute unsigned short le; // The length of the expected > + // response data or -1 if none is expected - len > +}; > + > +[Constructor(Uint8Array data)] When wll this cstor be used? ::: dom/webidl/MozSecureElementManager.webidl @@ +12,5 @@ > + "SEIoError", // I/O Error while communicating with the secure element > + "SEBadStateError", // Error occuring as a result of bad state > + "SEInvalidChannelError, // Opening a channel failed because no channel is available > + "SEInvalidApplicationError", // The requested application was not found on the secure element > + "SEGenericError" // Generic failures Add '.' for all the comments above. @@ +21,5 @@ > + Func="Navigator::HasSecureElementManagerSupport"] > +interface MozSEManager : EventTarget { > + > + /** > + * Retrieves the secure element of a given type. s/secure element/reader/ @@ +27,5 @@ > + * @return If success, the promise is resolved with the new created > + * MozSEReader object of requested type. Otherwise, rejected with an error. > + */ > + // Promise<MozSEReader> > + Promise getSEReader(SEType seType); This interface totally looks useless to me. How does web app know what seType are supported? Doesn't it still need to call getSEReaders() to enumerate all the readers? Then it could just get the reader in the array, why does it still need to call this API? Unless you forgot to add a method 'getSupportedSETypes()', but still, getSEReaders seems enough for us. @@ +29,5 @@ > + */ > + // Promise<MozSEReader> > + Promise getSEReader(SEType seType); > + > + extra line @@ +31,5 @@ > + Promise getSEReader(SEType seType); > + > + > + /** > + * Retrieves all the secure elements available on the device. s/secure elemenets/readers/ @@ +41,5 @@ > + Promise getSEReaders(); > + > + // Event handlers that listen on Secure element presence events > + attribute EventHandler onsepresent; > + attribute EventHandler onseremoval; It looks to me this should be 'onsereaderpresent', insteadof 'onsepresent'. Also what are the arguments containing in this callbacks? How does we know which reader is added or removed? @@ +42,5 @@ > + > + // Event handlers that listen on Secure element presence events > + attribute EventHandler onsepresent; > + attribute EventHandler onseremoval; > + extra line.

Attachment #8438779 - Flags: feedback?(allstars.chh) → feedback-

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Comment 53

•

10 years ago

•

10 years ago

Attached patch (v1.3) Secure Element APIs - Inital Draft (obsolete) — Details — Splinter Review

Attachment #8440342 - Attachment is obsolete: true

Attachment #8440342 - Flags: feedback?(allstars.chh)

Attachment #8440343 - Flags: feedback?(allstars.chh)

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Comment 58

•

10 years ago

(In reply to Siddartha P from comment #55) > Created attachment 8440341 [details] [diff] [review] > (v1.3) Secure Element APIs - Inital Draft > > > @@ +32,5 @@ > > +[JSImplementation="@mozilla.org/secureelement/SESession;1"] > > +interface MozSESession { > > + > > + // Status of current session > > + readonly attribute boolean isActive; > > >> When will it be 'inactive'? > >> Or this variable will be false when we call reader.close() ? > >> then it seems 'isClosed' is more appropriate. > > Yes the reader.close(), the boolean 'isActive' flag will be set to false. > Typically a reader may have several opened sessions. Intent was to have this > flag set to 'inactive' > when gaia apps do reader.openSession(); but when apps perform > session.OpenLogicalChannel() , set this > to true. Also readers.close() should close all readers and descendent > Session and Channel objects. Why don't we call it isClosed() to make it more clear? > @@ +76,5 @@ > > +}; > > + > > +[JSImplementation="@mozilla.org/secureelement/SEChannel;1"] > > +interface MozSEChannel { > > + > > >> you don't have isClosed(). > > I think we will maintain an internal state of SEChannel (whether it is > 'closed' or 'active' etc..) > Do you think there is a need to expose it to App users ? > Yes, otherwise why there's is isClosed for Session however there's no isClosed() for Channel? > @@ +87,5 @@ > > + * @param apdu > > + * MozSECommand to be sent to secure element > > + * > > + * @return If success, the promise is resolved with the new created > > + * MozSEResponse object. Otherwise, rejected with an error. > > > > + > > +[Constructor(Uint8Array data)] > > >> When wll this cstor be used? > When Gecko receives a Response Apdu ('data') to say, transmit() command (its > equivalent on baseband cmd is AT+CSIM) > we will have to perform somthing like below > sw1 = 0x00FF & data[data.length - 2]; > sw2 = 0x00FF & data[data.length - 1]; > So sw1 & sw2 will be filled up subsequently in the constructor function of > SEResponse object Why can't we have something like Constructor(octet sw1, octet sw2, Uint8Array data) > > @@ +27,5 @@ > > + * @return If success, the promise is resolved with the new created > > + * MozSEReader object of requested type. Otherwise, rejected with an error. > > + */ > > + // Promise<MozSEReader> > > + Promise getSEReader(SEType seType); > > > >> This interface totally looks useless to me. > >> How does web app know what seType are supported? > One way , with existing API proposals is to do the following > arrReaders[] = mozSEMgr.getSEReaders() or use mozSEMgr.getSEReader('type') > if one wants to know if SE is present for a specific type > arrReaders[0] // say is UICC > arrReaders[1] // say is eSE > arrReaders[0].isSEPresent will tell the apps. Moreover this boolean state > will also indicate the right values given the removable nature of some SEs > (such as UICC or sdCard) > if UICC is removed, 'isSEPresent' will be false > I don't think you answer the question. To me isSEPresenet is totally different from getSEReader() You still get a SEReader even its SE is not present, right? > >> Doesn't it still need to call getSEReaders() to enumerate all the readers? > >> Then it could just get the reader in the array, why does it still need to call this API? > getSEReader() is just a helper API (easy to use one). Yes, it's just a helper API and we could add it until we really need this, right now I think we should focus on the necessary interfaces first, also you didn't provide implementation for this. I'll suggest you add this interface later and focus on what we should do in this first version first.

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Updated

•

10 years ago

Attachment #8440343 - Flags: feedback?(allstars.chh)

Assignee

Comment 59

•

10 years ago

Attached patch (v1.4) Secure Element APIs - Inital Draft (obsolete) — Details — Splinter Review

Attachment #8440343 - Attachment is obsolete: true

Attachment #8441580 - Flags: feedback?(allstars.chh)

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Assignee

Attachment #8444259 - Flags: review?(allstars.chh)

Comment 66

•

•

10 years ago

Attached patch (v1.6) Secure Element APIs - Inital Draft (obsolete) — Details — Splinter Review

Hi Ehsan, Sorry, I was late in responding to your feedback. I noticed your comments much later. I have uploaded another patch for your review. I have addressed most of your comments except couple of them maybe. Yoshi, I have also added you to provide your feedback as well as you were the original reviewer.

Attachment #8444259 - Attachment is obsolete: true

Attachment #8465143 - Flags: feedback?(ehsan)

Attachment #8465143 - Flags: feedback?(allstars.chh)

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Assignee

Comment 80

•

10 years ago

Comment on attachment 8444259 [details] [diff] [review] [diff] [review] (v1.5) Secure Element APIs - Inital Draft Review of attachment 8444259 [details] [diff] [review] [diff] [review]: ----------------------------------------------------------------- > +[JSImplementation="@mozilla.org/secureelement/SEReader;1"] >> What kinds of apps is this going to be exposed to? Please use [AvailableIn] or [CheckPermission] as appropriate. Same for other interfaces defined in this file. Applications such as Payment, Couponing, Ticketing, loyalty cards that wish to avail secure element on UICC or emebedded chip will use these interfaces. These applications should be certified / privileged only. We are proposing to introduce the permission 'secureelement-manage' (available to only certified & privileged). Added [AvailableIn] keyword twice , one for certified and another for privileged. > +[JSImplementation="@mozilla.org/secureelement/SEReader;1"] > +interface MozSEReader { >> Please don't use Moz prefixes. Ok. Any reasons why 'Moz' should not be using as a prefix. @@ +22,5 @@ > + > + /** > + * Closes all sessions associated with this Reader and its associated channels. > + * > + * @return If success, the promise is resolved to current instance of MozSEReader object that is closed . >> Why do you need to resolve the promise to the MozSEReader when the caller presumably had access to the MozSEReader instance so that they would be able to call close? The first part (Why resolved to 'MozSEReader') of question is answered @ [1]. Second question is what if apps directly instantiate 'MozSEReader' and call close() ? I thought the answer to the second part lies in the implementation details of 'MozSEReader' and other objects' JS implementation. Say, In the implementation of MozSEReader object, by not exposing 'init()' . By ensuring this way Gaia apps may not be able to instantiate using something like var reader = window.navigator.mozSEReader; What do you think? Please suggest if thats not the case. @@ +25,5 @@ > + * > + * @return If success, the promise is resolved to current instance of MozSEReader object that is closed . > + */ > + // Promise<MozSEReader> > + Promise close(); >> Call this closeAll perhaps? Maybe 'close()' seems to be ok to me. A SEReader object may have multiple opened sessions (SESession), which may in turn have several opened channels (SEChannel) . Each interface object has an associated close () method to release all resources associated to the object, and also triggers close() method on all underlying objects that it owns down its chain. What do you think ? @@ +29,5 @@ > + Promise close(); > +}; > + > +[JSImplementation="@mozilla.org/secureelement/SESession;1"] > +interface MozSESession { >> Nit: I think our build system expects each interface to go into its own .webidl file. Actually I was able to compile with multiple interfaces in one webidl file. @@ +34,5 @@ > + > + // Status of current session > + readonly attribute boolean isClosed; > + > + // Answer to Reset provided by the secure element, null if not provided >> This property is not nullable... I had compile issues with 'octet[]'. Instead , I have now changed this type to [Cached, Pure] readonly attribute sequence<octet> atr; . Is this property nullable ? Please suggest. @@ +35,5 @@ > + // Status of current session > + readonly attribute boolean isClosed; > + > + // Answer to Reset provided by the secure element, null if not provided > + readonly attribute octet[] atr; >> Why are you using cotet[] here and below? I think we should use TypedArrays here. Ok. Agreed. Do you think "[Cached, Pure] readonly attribute sequence<octet> atr;" would suffice here ? I couldn't use Uint8Array as this typed array is not implemented for JS. It gave me compile errors, however sequence of octets did not give one. I also had to prefix the attribute 'cached' as compiler was forcing me to add one to sequence attributes. @@ +59,5 @@ > + * @return If the operation is successful the promise is resolved with an instance of MozSEChannel. > + * NOTE: Some secure elements may deny opening a basic channel. In such a scenario, promise is resolved with SEIoError. > + */ > + // Promise<MozSEChannel> > + Promise openBasicChannel(octet[] aid); >> What is the difference between a basic channel and a logical channel? The difference should be explained in the prose. Ok. Added the key difference (mainly for security reasons on an UICC card, generally access to basic channel is disallowed.) between basic & logical channels @ openBasicChannel(..) & openLogicalChannel(..) respectively. @@ +65,5 @@ > + /** > + * Closes the active communication channel to the application on Secure Element. This will also > + * close all other active channels associated with this session. > + * > + * @return If success, the promise is resolved to current instance of MozSESession object that is closed. >> Why do you need to resolve the promise to the MozSESession? Please review my answer provided @ [1]. @@ +78,5 @@ > + // Status of channel > + readonly attribute boolean isClosed; > + > + // Is it a basic channel ? > + readonly attribute boolean isBasicChannel; >> Should we instead do: >> enum SEChannelType { "basic", "logical" }; >> readonly attribute SEChannelType type; Ok. @@ +90,5 @@ > + * @return If success, the promise is resolved with the new created > + * MozSEResponse object. Otherwise, rejected with the error of type 'SEError'. > + */ > + // Promise<MozSEResponse> > + Promise transmit(MozSECommand command); >> You should probably specify when the contents of |command| are read. For example, what is the effect of this code? >> var cmd = new MozSECommand(...); >> channel.transmit(cmd); >> cmd.ins++; I think, when Gaia apps call transmit(cmd), the 'cmd' details would be sent over socket to ril daemon (in case of UICC) and the contents are then subsequently transmitted transparently to the baseband as one atomic operation. The response of this operation is abstracted in the object 'MozSEResponse'. Upon further modification of the 'cmd' details (cmd.ins++), no further effect will occur. I added few notes on the need to synchronoize this command for the sake of clarity. Hope it helps. @@ +95,5 @@ > + > + /** > + * Closes the active channel. > + * > + * @return If success, the promise is resolved to current instance of MozSEChannel object that is closed. >> Again, why? *[1] This is also the answer to one of your earlier questions (Why resolve to 'MozSEReader' & 'MozSESession' ?) Here class relationships of various secure element interfaces in MozSecureElement.webidl. [Navigator]--> [MozSEManager]--> [MozSEReader]--> [MozSESession]--> [MozSEChannel] 0-1 0-n 0-n 0-n MozSEChannel represents an object that provides access to Gaia apps to send APDU commands using 'transmit()' API. This object also indicates the type of channel it is. By designing APIs this way, Gaia apps can nicely chain the functionality --------------------------------------------------------------------------------- var mastercardAid = [0, 1, 2, 3]; var getUiccReader = function(readers) { var uiccReader = readers.filter(function (reader) { return reader.type === 'uicc'; })[0]; if (!uiccReader) { throw new Error('No UICC SE reader found.'); } return uiccReader; }; var SEManager = navigator.mozSecureElement; if (!SEManager) { // Error Msg } SEManager.getSEReaders() .then(getUiccReader) .then(function(reader) { return reader.openSession(); }) .then(function(session) { return session.openLogicalChannel(mastercardAid); }) .then(function (channel) { // Some values here. var command = new MozSECommand(0, 0, 0, 0, [], 10); return channel.transmit(command); }) .then(function (response) { console.log('Received from applet:', response.data); }) // TODO: close and cleanup .catch(function (err) { console.error('Could not communicate with applet:', err); }); --------------------------------------------------------------------------------- @@ +102,5 @@ > + Promise close(); > +}; > + > +// Interface that represents an APDU command to be sent to a secure element. > +[Constructor(octet data, octet ins, octet p1, octet p2, optional ArrayBufferView data, optional octet le)] >> Do these two optionals have default values? If no, you may want to make the corresponding attributes nullable. Ok. Done. @@ +105,5 @@ > +// Interface that represents an APDU command to be sent to a secure element. > +[Constructor(octet data, octet ins, octet p1, octet p2, optional ArrayBufferView data, optional octet le)] > +interface MozSECommand { > + > + attribute octet cla; // 1 Byte : Class Byte >> Does this map to the first |data| in the constructor? If yes, please rename that to cla. At any rate, you shouldn't reuse those names! Ok. corrected. @@ +114,5 @@ > + attribute unsigned short le; // The length of the expected > + // response data or -1 if none is expected - len > +}; > + > +[Constructor(octet sw1, octet sw2, Uint8Array data)] >> Are you sure that you want a Uint8Array here and not a view? In latest version of webidl, I have removed 'Uint8Array' ,instead used sequnce of octets. >> Also, why is it useful for this interface to have a constructor? > When Gecko receives a Response Apdu ('data') to say, an earlier 'transmit()' command (its equivalent on the baseband cmd is AT+CSIM) > we may have to do something like this > sw1 = 0x00FF & data[data.length - 2]; > sw2 = 0x00FF & data[data.length - 1]; > So sw1 & sw2 will be filled up subsequently in the constructor function of SEResponse object ::: dom/webidl/MozSecureElementManager.webidl @@ +13,5 @@ > + "SEBadStateError", // Error occuring as a result of bad state. > + "SEInvalidChannelError, // Opening a channel failed because no channel is available. > + "SEInvalidApplicationError", // The requested application was not found on the secure element. > + "SEGenericError" // Generic failures. > +}; >> It would be nice if you could move these enums to the other webidl file. Ok. done! @@ +17,5 @@ > +}; > + > +[JSImplementation="@mozilla.org/navigatorSEManager;1", > + NavigatorProperty="mozSEManager", > + Func="Navigator::HasSecureElementManagerSupport"] >> What is this function supposed to check? This is a utility/helper function implemented in Navigator.cpp. It will check if the current device / FFOS builds have 'SecureElement' support or not. There are few such HasXXXSupport helper functions in Navigator.cpp. @@ +26,5 @@ > + * > + * @return If success, the promise is resolved to an array of instances > + * of MozSEReaders Otherwise, rejected with an error. > + */ > + // Promise<MozSEReaders> >> Did you mean MozSEReader here? Or is there an interface missing from these WebIDL files? Corrected! @@ +27,5 @@ > + * @return If success, the promise is resolved to an array of instances > + * of MozSEReaders Otherwise, rejected with an error. > + */ > + // Promise<MozSEReaders> > + Promise getSEReaders(); > Why not move getSEReaders on Navigator and remove MozSEManager? MozSecureElementManager.webidl currently exposes only one API and provides the basic access to underlying to secure element h/w. However in future there will be a need to add new APIs and support 'Card Emulation modes' etc. In the initial draft these APIs have been deliberately omitted.

Comment 81

•

10 years ago

Comment on attachment 8465143 [details] [diff] [review] (v1.6) Secure Element APIs - Inital Draft Review of attachment 8465143 [details] [diff] [review]: ----------------------------------------------------------------- eshan's feedback is enough.

Attachment #8465143 - Flags: feedback?(allstars.chh)

Comment 82

•

10 years ago

Comment on attachment 8465143 [details] [diff] [review] (v1.6) Secure Element APIs - Inital Draft Review of attachment 8465143 [details] [diff] [review]: ----------------------------------------------------------------- I'm repeating all of the questions I asked before which are not answered yet. Please address all of them in the next iteration, I don't want to keep copy and pasting my previous comments. :-) ::: dom/webidl/MozSecureElement.webidl @@ +21,5 @@ > + "logical" > +}; > + > +[CheckPermissions="secureelement-manage", > + AvailableIn="CertifiedApps", You don't need to mention certified apps. Anything that is available in privileged apps will be available to certified apps as well. @@ +24,5 @@ > +[CheckPermissions="secureelement-manage", > + AvailableIn="CertifiedApps", > + AvailableIn="PrivilegedApps", > + JSImplementation="@mozilla.org/secureelement/SEReader;1"] > +interface MozSEReader { Repeat: Please don't use Moz prefixes. @@ +45,5 @@ > + > + /** > + * Closes all sessions associated with this Reader and its associated channels. > + * > + * @return If success, the promise is resolved to current instance of MozSEReader object that is closed . Repeat: Why do you need to resolve the promise to the MozSEReader when the caller presumably had access to the MozSEReader instance so that they would be able to call close? @@ +49,5 @@ > + * @return If success, the promise is resolved to current instance of MozSEReader object that is closed . > + */ > + // Promise<MozSEReader> > + [Throws] > + Promise close(); Repeat: Call this closeAll perhaps? @@ +53,5 @@ > + Promise close(); > +}; > + > +[CheckPermissions="secureelement-manage", > + AvailableIn="CertifiedApps", Ditto. @@ +56,5 @@ > +[CheckPermissions="secureelement-manage", > + AvailableIn="CertifiedApps", > + AvailableIn="PrivilegedApps", > + JSImplementation="@mozilla.org/secureelement/SESession;1"] > +interface MozSESession { Repeat: Nit: I think our build system expects each interface to go into its own .webidl file. @@ +61,5 @@ > + > + // Status of current session > + readonly attribute boolean isClosed; > + > + // Answer to Reset provided by the secure element, null if not provided Repeat: This property is not nullable... @@ +62,5 @@ > + // Status of current session > + readonly attribute boolean isClosed; > + > + // Answer to Reset provided by the secure element, null if not provided > + [Cached, Pure] readonly attribute sequence<octet> atr; Why does this need to be [Cached, Pure]? @@ +98,5 @@ > + /** > + * Closes the active communication channel to the application on Secure Element. This will also > + * close all other active channels associated with this session. > + * > + * @return If success, the promise is resolved to current instance of MozSESession object that is closed. Repeat: Why do you need to resolve the promise to the MozSESession? @@ +106,5 @@ > + Promise close(); > +}; > + > +[CheckPermissions="secureelement-manage", > + AvailableIn="CertifiedApps", Same. @@ +130,5 @@ > + * MozSEResponse object. Otherwise, rejected with the error of type 'SEError'. > + */ > + // Promise<MozSEResponse> > + [Throws] > + Promise transmit(MozSECommand command); Repeat: You should probably specify when the contents of |command| are read. For example, what is the effect of this code? var cmd = new MozSECommand(...); channel.transmit(cmd); cmd.ins++; @@ +135,5 @@ > + > + /** > + * Closes the active channel. > + * > + * @return If success, the promise is resolved to current instance of MozSEChannel object that is closed. Repeat: Again, why? @@ +144,5 @@ > +}; > + > +// Interface that represents an APDU command to be sent to a secure element. > +[CheckPermissions="secureelement-manage", > + AvailableIn="CertifiedApps", And here. @@ +147,5 @@ > +[CheckPermissions="secureelement-manage", > + AvailableIn="CertifiedApps", > + AvailableIn="PrivilegedApps", > + JSImplementation="@mozilla.org/secureelement/SECommand;1", > + Constructor(octet cla, octet ins, octet p1, octet p2, optional sequence<octet>? data = null, optional short le= -1)] Why did you switch away from using a typed array here? @@ +154,5 @@ > + attribute octet cla; // 1 Byte : Class Byte > + attribute octet ins; // 1 Byte : Instruction Byte > + attribute octet p1; // 1 Byte : First Octet of Parameters Byte > + attribute octet p2; // 1 Byte : Second Octet of Parameters Byte > + [Cached, Pure] attribute sequence<octet> data; // Sequence of octets Why did you switch away from using a typed array here? @@ +160,5 @@ > + // response data or -1 if none is expected > +}; > + > +[CheckPermissions="secureelement-manage", > + AvailableIn="CertifiedApps", Here too. @@ +163,5 @@ > +[CheckPermissions="secureelement-manage", > + AvailableIn="CertifiedApps", > + AvailableIn="PrivilegedApps", > + JSImplementation="@mozilla.org/secureelement/SEResponse;1", > + Constructor(octet sw1, octet sw2, sequence<octet> data)] typed array... Also, repeat: Also, why is it useful for this interface to have a constructor? @@ +173,5 @@ > + // Second octet of response's status word > + readonly attribute octet sw2; > + > + // The response's data field bytes > + [Cached, Pure] readonly attribute sequence<octet> data; here too. ::: dom/webidl/MozSecureElementManager.webidl @@ +3,5 @@ > + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ > + > +[JSImplementation="@mozilla.org/navigatorSEManager;1", > + NavigatorProperty="mozSEManager", > + Func="Navigator::HasSecureElementManagerSupport"] Repeated question: What is this function supposed to check? @@ +12,5 @@ > + * > + * @return If success, the promise is resolved to an array of instances > + * of MozSEReaders Otherwise, rejected with an error. > + */ > + // Promise<MozSEReader[]> You probably want Promise<sequence<MozSEReader>> instead, see http://heycam.github.io/webidl/#idl-sequence. @@ +14,5 @@ > + * of MozSEReaders Otherwise, rejected with an error. > + */ > + // Promise<MozSEReader[]> > + [Throws] > + Promise getSEReaders(); Repeated question: Why not move getSEReaders on Navigator and remove MozSEManager?

Attachment #8465143 - Flags: feedback?(ehsan) → feedback-

Assignee

•

10 years ago

Attached patch (v1.7) Secure Element APIs - Inital Draft (obsolete) — Details — Splinter Review

Attachment #8465143 - Attachment is obsolete: true

Attachment #8466403 - Flags: feedback?(ehsan)

Comment 87

•

10 years ago

Comment on attachment 8465143 [details] [diff] [review] (v1.6) Secure Element APIs - Inital Draft Review of attachment 8465143 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/webidl/MozSecureElement.webidl @@ +45,5 @@ > + > + /** > + * Closes all sessions associated with this Reader and its associated channels. > + * > + * @return If success, the promise is resolved to current instance of MozSEReader object that is closed . With promises, resolving the promise itself is considered as a sign of the operation completing successfully. To signal failures, you reject the promise. So I don't think we need to resolve these to booleans. @@ +61,5 @@ > + > + // Status of current session > + readonly attribute boolean isClosed; > + > + // Answer to Reset provided by the secure element, null if not provided No, sequences do not use typed arrays under the hood. I think you should look into whether we can fix the WebIDL issue which prevents typed arrays from being used on JS implemnented interfaces, and use them in this API. ::: dom/webidl/MozSecureElementManager.webidl @@ +3,5 @@ > + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ > + > +[JSImplementation="@mozilla.org/navigatorSEManager;1", > + NavigatorProperty="mozSEManager", > + Func="Navigator::HasSecureElementManagerSupport"] OK, then a simple [CheckPermission] should suffice.

Comment 88

•

10 years ago

Comment on attachment 8466403 [details] [diff] [review] (v1.7) Secure Element APIs - Inital Draft Review of attachment 8466403 [details] [diff] [review]: ----------------------------------------------------------------- (See the previous comment please.)

Attachment #8466403 - Flags: feedback?(ehsan) → feedback-

Assignee

Attachment #8480077 - Flags: review?(ehsan)

Comment 92

•

10 years ago

Comment on attachment 8480077 [details] [diff] [review] (v1.8) Secure Element APIs - Inital Draft Review of attachment 8480077 [details] [diff] [review]: ----------------------------------------------------------------- Please provide an interdiff. Thanks.

Attachment #8480077 - Flags: review?(ehsan)

Assignee

Comment 93

•

10 years ago

Hopefully this diff should help. https://bugzilla.mozilla.org/attachment.cgi?oldid=8466403&action=interdiff&newid=8480077&headers=1 Here are the changes between previous version (1.7) and current one (1.8) 1) Use TypedArrays 'Uint8Array' instead of 'sequence<octet>' : One of the review comments - openLogicalChannel - openBasicChannel - readonly attribute Unit8Array atr 2) 'close()' & 'closeAll()' interfaces do not resolve to a 'boolean' any more. ('void' instead) : One of the review comments 3) 'interface SEManager' has the property 'CheckPermissions="secureelement-manage"' instead of 'Func="Navigator::HasSecureElementManagerSupport"' : One of the review comments 4) Modified all interface definitions to be in consistent with other webidl definitions (across all subsystems) on Mainline. Example: Instead of declaring an interface: 'Promise openSession()', in the latest iteration it gets modified to 'Promise<SESession> openSession()' The above change is applicable to all the interfaces across MozSecureElement.webidl & MozSecureElementManager.webidl

Assignee

Updated

•

10 years ago

Flags: needinfo?(ehsan.akhgari)

Updated

•

10 years ago

Attachment #8480077 - Flags: review+

Kamil Leszczuk [:kamituel]

Updated

•

10 years ago

Flags: needinfo?(ehsan.akhgari)

Comment 94

•

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Assignee

Comment 100

•

10 years ago

Attached patch (v1.9) Secure Element APIs - Inital Draft (obsolete) — Details — Splinter Review

Attachment #8486041 - Attachment is obsolete: true

Attachment #8486041 - Flags: review?(ehsan.akhgari)

Attachment #8486156 - Flags: review?(ehsan.akhgari)

Comment 101

•

10 years ago

(In reply to Kamil Leszczuk [:kamituel] from comment #94) > > var sendFirstAPDU = function(_channel) { > > // We need to store this to be able to send multiple APDU's > > channel = _channel; > > return channel.transmit(...); > > }; > > > > var sendSecondAPDU = function(response) { > > // Here we use the previously saved channel reference > > return channel.transmit(...); > > }; > > You should pass 'channel' not 'response'. (In reply to :Ehsan Akhgari (not reading bugmail, needinfo? me!) from comment #95) > partial interface SEChannel { > readonly attribute SEReader reader; > }; > The attribute should be 'session'. And session should have an attribute 'reader'. And OpenMobileAPI has already defined these getters. > partial interface SEResponse { > readonly attribute SEChannel channel; > }; > The SEResponse/SECommand should implement ISO 7816-4, however they doesn't have any context of 'Channel'. Also with what I've replied to Kamil, do we still need to add this attribute? And why these attributes are defined in 'partial' interface?

Flags: needinfo?(allstars.chh)

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Comment 102

•

10 years ago

Comment on attachment 8486156 [details] [diff] [review] (v1.9) Secure Element APIs - Inital Draft Review of attachment 8486156 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/webidl/SecureElement.webidl @@ +2,5 @@ > + * License, v. 2.0. If a copy of the MPL was not distributed with this > + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ > + > +enum SEType { > + "uicc", From Bug 979767, it's called 'SIM'. Please make the naming consistent

Assignee

•

10 years ago

(In reply to Kamil Leszczuk [:kamituel] from comment #104) > Some more notes regarding API usage: > > 1) Currently, once we call session.openLogicalChannel(), we will get a > promise which will get resolved to the SEChannel instance. In case of SIM > based secure element, this command will map to the RIL SELECT command being > send to the SIM card. Response to this command will contain some data in > addition to the (hopefully) 9000 status code. > > As it turns out, data from the response could be application specific, so > the Gaia app should have a way of retrieving it once the channel is opened. > In the Open Mobile API, there is a |byte[] Channel.getSelectResponse()| > method specifically used for that. We should probably have something similar > as well. OK, sounds good. If I understand things correctly, this data is sent back as part of the response, so it should be available as soon as we resolve the promise. If that is correct, then we can expose this as a nullable readonly typed array property on SEChannel (it would be null for other types of channels.) > 2) There are some non-9000 success responses - i.e. some responses mean that > there client should issue more command to fetch rest of the data. How would > we handle them? > > Couple of ideas: > > a) we could not handle them. I.e. if response is 9Fxx, we would pass it to > the Gaia app as it is, and let developer handle it. > - Pros: simple implementation on our side. > - Cons: developer has to worry about some really low level stuff, like > concatenating single piece of data coming in multiple messages. > > b) we could handle those in a SE DOM implementation and pass the already > concatenated data to the Gaia app. > - Pros: easy for the developer > - Cons: harder on us ;) > > c) we could not handle them in the SE DOM impl, pass as they are to the Gaia > app, but also provide developers with the shared/se_utils.js library which > would help with that. > - Pros: stil quite simple for the developer. We're not making the SE DOM > impl complex > - Cons: it'd be good if we would develop that library. > > Of course, there could be some other success responses than the ones > requiring fetching more data. The above points would apply to them as well, > probably. > > What do you think? How hard would it be to deal with these extra status codes inside the DOM implementation? I think if it's not prohibitively complicated, I would prefer to deal with these types of details in the implementation of the API, and try to remove as much of the burden from the consumer of the API as possible.

Flags: needinfo?(ehsan.akhgari)

Assignee

Comment 106

•

10 years ago

(In reply to :Ehsan Akhgari (not reading bugmail, needinfo? me!) from comment #105) > (In reply to Kamil Leszczuk [:kamituel] from comment #104) > > Some more notes regarding API usage: > > > > 1) Currently, once we call session.openLogicalChannel(), we will get a > > promise which will get resolved to the SEChannel instance. In case of SIM > > based secure element, this command will map to the RIL SELECT command being > > send to the SIM card. Response to this command will contain some data in > > addition to the (hopefully) 9000 status code. > > > > As it turns out, data from the response could be application specific, so > > the Gaia app should have a way of retrieving it once the channel is opened. > > In the Open Mobile API, there is a |byte[] Channel.getSelectResponse()| > > method specifically used for that. We should probably have something similar > > as well. > > OK, sounds good. If I understand things correctly, this data is sent back > as part of the response, so it should be available as soon as we resolve the > promise. If that is correct, then we can expose this as a nullable readonly > typed array property on SEChannel (it would be null for other types of > channels.) > Quick note. 'openLogicalChannel' will be mapped to 'AT+CCHO' on the vendor RIL side. This is in turn broken down into two APDU commands that are executed on the baseband side. APDU COMMAND 1: MANAGE OPEN CHANNEL APDU COMMAND 2: SELECT COMMAND (0x00, 0xA4, 0x04, 0x00) + passed in 'aid' of the applet in +CCHO command. As a consequence of first command, a 'session ID' ('Session' object encapsulates it) is returned, while second command yields the result of optional 'getSelectResponse()' (or) "nullable readonly typed array property". Please note that this is an optional response by the baseband. (Mostly 'null' for Logical channels. Earlier experiments on Nexus-S device gave us 'null' for logical channels. However note that for the basic channel, the response could be a non-null value. (Basic channel access may not be honored on Qualcomm basebands for security reasons). In the current iteration, since we are dealing with UICC SE (and logical channels) mostly, we have not considered adding the 'response' attribute). If we plan to support this attribute we should also request Qualcomm to see if they indeed support such on the flame reference and release device. Also if the point is for the sake of completion of the API, we should go ahead and add it. > > 2) There are some non-9000 success responses - i.e. some responses mean that > > there client should issue more command to fetch rest of the data. How would > > we handle them? > > > > Couple of ideas: > > > > a) we could not handle them. I.e. if response is 9Fxx, we would pass it to > > the Gaia app as it is, and let developer handle it. > > - Pros: simple implementation on our side. > > - Cons: developer has to worry about some really low level stuff, like > > concatenating single piece of data coming in multiple messages. > > > > b) we could handle those in a SE DOM implementation and pass the already > > concatenated data to the Gaia app. > > - Pros: easy for the developer > > - Cons: harder on us ;) > > > > c) we could not handle them in the SE DOM impl, pass as they are to the Gaia > > app, but also provide developers with the shared/se_utils.js library which > > would help with that. > > - Pros: stil quite simple for the developer. We're not making the SE DOM > > impl complex > > - Cons: it'd be good if we would develop that library. > > > > Of course, there could be some other success responses than the ones > > requiring fetching more data. The above points would apply to them as well, > > probably. > > > > What do you think? > > How hard would it be to deal with these extra status codes inside the DOM > implementation? I think if it's not prohibitively complicated, I would > prefer to deal with these types of details in the implementation of the API, > and try to remove as much of the burden from the consumer of the API as > possible. In the current prototype impl. responses such as 9x00 and 6x00 (generally errors) are all handled in DOM implementation and returned transparently in SW1 & SW2 values of SEResponse interface. Since these code are pretty much standard error codes, we have not added any extra helper functions. Sure we could add extra helper function like getStatus() or 'readonly attribute status' or some such to ease the burden of the API users

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Comment 107

•

10 years ago

(In reply to Siddartha P from comment #106) > (In reply to :Ehsan Akhgari (not reading bugmail, needinfo? me!) from > comment #105) > > (In reply to Kamil Leszczuk [:kamituel] from comment #104) > > > Some more notes regarding API usage: > > > > > > 1) Currently, once we call session.openLogicalChannel(), we will get a > > > promise which will get resolved to the SEChannel instance. In case of SIM > > > based secure element, this command will map to the RIL SELECT command being > > > send to the SIM card. Response to this command will contain some data in > > > addition to the (hopefully) 9000 status code. > > > > > > As it turns out, data from the response could be application specific, so > > > the Gaia app should have a way of retrieving it once the channel is opened. > > > In the Open Mobile API, there is a |byte[] Channel.getSelectResponse()| > > > method specifically used for that. We should probably have something similar > > > as well. > > > > OK, sounds good. If I understand things correctly, this data is sent back > > as part of the response, so it should be available as soon as we resolve the > > promise. If that is correct, then we can expose this as a nullable readonly > > typed array property on SEChannel (it would be null for other types of > > channels.) > > > > Quick note. 'openLogicalChannel' will be mapped to 'AT+CCHO' on the vendor > RIL side. This is in turn broken down into two APDU commands that are > executed on the baseband side. > APDU COMMAND 1: MANAGE OPEN CHANNEL > APDU COMMAND 2: SELECT COMMAND (0x00, 0xA4, 0x04, 0x00) + passed in 'aid' of > the applet in +CCHO command. > > As a consequence of first command, a 'session ID' ('Session' object > encapsulates it) is returned, while second command yields the result of > optional 'getSelectResponse()' (or) "nullable readonly > typed array property". Please note that this is an optional response by the > baseband. (Mostly 'null' for Logical channels. Earlier experiments on > Nexus-S device gave us 'null' for logical channels. However note that for > the basic channel, the response could be a non-null value. (Basic channel > access may not be honored on Qualcomm basebands for security reasons). In > the current iteration, since we are dealing with UICC SE (and logical > channels) mostly, we have not considered adding the 'response' attribute). > If we plan to support this attribute we should also request Qualcomm to see > if they indeed support such on the flame reference and release device. > Also if the point is for the sake of completion of the API, we should go > ahead and add it. Hmm, so assuming I understand the above correctly, does this mean that the response property may not work on some chipsets/drivers? > > > 2) There are some non-9000 success responses - i.e. some responses mean that > > > there client should issue more command to fetch rest of the data. How would > > > we handle them? > > > > > > Couple of ideas: > > > > > > a) we could not handle them. I.e. if response is 9Fxx, we would pass it to > > > the Gaia app as it is, and let developer handle it. > > > - Pros: simple implementation on our side. > > > - Cons: developer has to worry about some really low level stuff, like > > > concatenating single piece of data coming in multiple messages. > > > > > > b) we could handle those in a SE DOM implementation and pass the already > > > concatenated data to the Gaia app. > > > - Pros: easy for the developer > > > - Cons: harder on us ;) > > > > > > c) we could not handle them in the SE DOM impl, pass as they are to the Gaia > > > app, but also provide developers with the shared/se_utils.js library which > > > would help with that. > > > - Pros: stil quite simple for the developer. We're not making the SE DOM > > > impl complex > > > - Cons: it'd be good if we would develop that library. > > > > > > Of course, there could be some other success responses than the ones > > > requiring fetching more data. The above points would apply to them as well, > > > probably. > > > > > > What do you think? > > > > How hard would it be to deal with these extra status codes inside the DOM > > implementation? I think if it's not prohibitively complicated, I would > > prefer to deal with these types of details in the implementation of the API, > > and try to remove as much of the burden from the consumer of the API as > > possible. > > In the current prototype impl. responses such as 9x00 and 6x00 (generally > errors) are all handled in DOM implementation and returned transparently in > SW1 & SW2 values of SEResponse interface. Since these code are pretty much > standard error codes, we have not added any extra helper functions. Sure we > could add extra helper function like getStatus() or 'readonly attribute > status' or some such to ease the burden of the API users My suggestion is to not put that burden on the consumer of the API.

Comment 108

•

10 years ago

(In reply to Kamil Leszczuk [:kamituel] from comment #103) > (In reply to Yoshi Huang[:allstars.chh] from comment #101) > > > You should pass 'channel' not 'response'. > > Hm, I think response will be passed to that method, not a channel. Consider > this more complete example: > https://gist.github.com/kamituel/264ee1683c5a3f805be0 - note that this is a > handler for a second APDU being transmitted, not the first. It seems to me sendFirstAPDU should return a promise resolved to 'channel' since 'response' isn't used in your sendSecondAPDU. var sendFirstAPDU = function(channel) { var apdu = new SECommand('A', 'B', 'C', 'D'); return channel.transmit(apdu); }; Also I think this should be handled in the application layer, originally the intention of this bug is to implement the SE API which comforms to OpenMobile API, adding an attribute which isn't included in the original OpenMobileAPI needs more discussions and I'd prefer file another bug for this.

Flags: needinfo?(allstars.chh)

Updated

•

10 years ago

No longer blocks: 979158

•

10 years ago

Attached patch (v1.9) Secure Element APIs - Inital Draft (obsolete) — Details — Splinter Review

Changes : - Renamed navigator property from 'MozSEManager' to 'seManager'. - Renamed files : Removed 'moz' prefix. - Added the parent object as 'readonly attribute' to Child interfaces. - Renamed the enum "uicc" to "SIM" to be inconsistent with the spec.

Attachment #8486156 - Attachment is obsolete: true

Attachment #8491514 - Flags: review?(ehsan.akhgari)

opoto

Comment 111

•

10 years ago

My suggestions: - yes, the parent reference is good to add - "UICC" is better than "SIM". UICC is the mobile's smart card (ie secure element), which is what you identify here. SIM is only one of the possible applications in that card, and furthermore a legacy one. See http://en.wikipedia.org/wiki/Universal_Integrated_Circuit_Card for more details. - the Channel interface should have an "openResponse" readonly field to get the response from the select command which was used during the openChannel operation. This is in the W3C proposal http://opoto.github.io/secure-element/ - it might be useful to also add the selectNext() method to support openChannel operations on partial AIDs. This allows to select a set of SE applications and iterate over them. This is also in the W3C proposal. - this Channel object should not interpret the response from the secure element, as there are may be many cases that may require incompatible behaviors. It will be easy to provide (in the platform, or by 3rd parties) helpers in the form of Promise objects, that will handle each of these particular cases. The application would use something like: var apdu = new SECommand('1', '2', '3', '4'); channel.transmit(apdu).then(aSpecificResponseHelper) .then(doMyBusiness)

Assignee

Updated

•

•

10 years ago

Comment on attachment 8491514 [details] [diff] [review] (v1.9) Secure Element APIs - Inital Draft I have some questions when reviewing the test case for SE API. >+ [Throws] >+ Promise<SEChannel> openLogicalChannel(Uint8Array aid); >+ nit, an extra ws before 'aid', same for below in openBasicChannel. >+ /** >+ * Closes the active communication channel to the application on Secure Element. This will also >+ * close all other active channels associated with this session. >+ * Can these two lines be merged into "Close all active channels associated with this session." ? or what's the difference between the first and the second sentences? Also does this method close the session itself? >+ */ >+ [Throws] >+ Promise<void> closeAll(); >+}; >+

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Assignee

Comment 116

•

10 years ago

(In reply to Yoshi Huang[:allstars.chh] from comment #115) > Comment on attachment 8491514 [details] [diff] [review] > (v1.9) Secure Element APIs - Inital Draft > > I have some questions when reviewing the test case for SE API. > > >+ [Throws] > >+ Promise<SEChannel> openLogicalChannel(Uint8Array aid); > >+ > nit, an extra ws before 'aid', same for below in openBasicChannel. > ok . I will fix this in the next iteration. > >+ /** > >+ * Closes the active communication channel to the application on Secure Element. This will also > >+ * close all other active channels associated with this session. > >+ * > Can these two lines be merged into > "Close all active channels associated with this session." ? > or what's the difference between the first and the second sentences? > I think we can merge the two lines as you said > Also does this method close the session itself? > >+ */ > >+ [Throws] > >+ Promise<void> closeAll(); > >+}; > >+ Yes the session will become invalid after this statement.

Comment 117

•

10 years ago

(In reply to Siddartha P from comment #116) > > Also does this method close the session itself? > > >+ */ > > >+ [Throws] > > >+ Promise<void> closeAll(); > > >+}; > > >+ > Yes the session will become invalid after this statement. Then please update the comment as well, comments doesn't mention this session will be closed. There will be one test case from QA side to verify this.

Comment 118

•

10 years ago

Hi Sid, When are you planning to upload patch? Yoshi will be the one to do first review.

Flags: needinfo?(psiddh)

Target Milestone: --- → 2.2 S2 (19dec)

Assignee

Comment 119

•

10 years ago

Hi Wesley, I am in final stages of preparing the patches. By end of this week (12/ 05 or 12 / 06) , I'd be able to get the patches out for initial feedback / review. In total we have 5 patches - WebIDL (Another iteration on top of draft proposal so far reviewed by Ehsan) - DOM Implementation DOMSecureElement.js - Parent Process Implementation SecureElement.js - Build files to enable SecureElement in FxOS - RIL Patch to be reviewed . (This is already uplpoaded @ https://bugzilla.mozilla.org/show_bug.cgi?id=1081789 for HsinYi review) - ACE patch (Kamil should be able to share more details about it).

Assignee

Updated

•

10 years ago

Flags: needinfo?(psiddh)

Assignee

Comment 120

•

10 years ago

Attached patch Patch 1 : (v1.10) Secure Element APIs - Inital Draft (obsolete) — Details — Splinter Review

Based on the various comments posted so far on SE webidl proposal, the latest patch tries to incorporate all the suggestions in v1.10 patch. 1) 'uicc' vs'sim', Naming convetion ? Discussion so far: Based on comment# 111 from Olivier it is better to name SE type as 'uicc' Also as per Yoshi's comment#102, Bug 979767 uses the naming convention of 'SIM' leading to inconsistency. Current changes: Retained the naming convention as 'uicc' and request Garner to make changes accordingly as a follow-up to Bug 979767. Yoshi, I hope you are ok with this. 2) Holding a reference of parent obj in SESession , SEChannel & SEResponse Discussion so far: This point was raised by Kamil earlier and there was follow-up discussion on this with Ehsan. Yoshi also pointed out to 'OpenMobileAPI' implementation in this regard. Also as per comment#101, why do they have to 'Partial interfaces' ? Current changes: In the current patch, no partial interfaces are used. Instead the parent reference is a readonly attribute in interfaces directly. Ehsan, I hope you are ok with it. Per comment#95 , it seems that you are inclined to have them defined in 'partial interfaces'. Please review the changes and let us know your thoughts 3) Added openResponse attribute to SEChannel: Discussion so far: OpenResponse is required by Gaia Wallet developers to retreive some useful info , as Krzysztof suggested. I also wondered if this supported by the baseband. Current changes: Based on the Qualcomm image that we received, upon few trials and testing it is found that 'openResponse' is indeed supported by the baseband. We have been testing this interface for the last month and a half and it seems to give the desired results. 4) In SECommand, 'data' attribute should be Nullable. As per the spec, this attribute may or may not be set (null). Therefore added '?' 5) openLogicalChannel() argument should be 'Nullable' as per spec. Again added '?' 6) Other minor changes such as adding copyright text, addressing the 'comments' of closeAll() API in SESession. I hope I have taken into consideration all the comments / concerns. If I have missed out on something, please do raise the flag. As a follow-up to this patch, I will shortly attach othe supporting patches as well. Thanks, Sid

Attachment #8491514 - Attachment is obsolete: true

Attachment #8533051 - Flags: review?(ehsan.akhgari)

Assignee

Updated

•

10 years ago

Attachment #8533051 - Attachment description: (v1.10) Secure Element APIs - Inital Draft → Patch 1 : (v1.10) Secure Element APIs - Inital Draft

Assignee

Comment 121

•

10 years ago

Attached patch Patch 2: (v2.1) Secure Element DOM Implementation (obsolete) — Details — Splinter Review

Based on comment#118, adding Yoshi as the first reviewer.

Attachment #8533057 - Flags: review?(allstars.chh)

Assignee

Comment 122

•

10 years ago

Attached patch Patch 3: (v3.1) Secure Element Parent process Implementation. r=yoshi (obsolete) — Details — Splinter Review

Attachment #8533065 - Flags: review?(allstars.chh)

Assignee

Comment 123

•

10 years ago

Attached patch Patch 4: (v4.1) Add new permission to table - 'secureelement-manage' (obsolete) — Details — Splinter Review

Attachment #8533068 - Flags: review?(allstars.chh)

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Assignee

Comment 124

•

10 years ago

Comment 130

•

10 years ago

(In reply to Yoshi Huang[:allstars.chh] from comment #129) > Comment on attachment 8533065 [details] [diff] [review] > Patch 3: (v3.1) Secure Element Parent process Implementation. r=yoshi > > Review of attachment 8533065 [details] [diff] [review]: > ----------------------------------------------------------------- > > I'll stop in the middle as I find out this patch is hard to know what's > going on and hard for review. > Please consider using more abstractions here, or maybe some IDL, or more > documentations. > > Please make your code more modularized. > Most code should be moved into SecureManager, however they are located in > gSEMessageManager. Thanks for your feedback. I was half way through making Parent process more modular when I uploaded these patches. Hopefully I should have something for your review again in next couple of days. Please treat this as acknowledgement to all your comments thus far. I will ping you on IRC for clarifications if any. > All functions are prefix with _, which means private. > > Please make those related functions together. > > Like > > // Impl for SEReader > ... > > // Impl for SESession > ... > > // Impl for SEChannel. > ... > > And above functions should not prefix with _ > > only prefix _ with some helper functions. > > Or using '_' more appropriately. Using it in all functions is the same > thing as not using it at all. > > Also there should be some nsISecureElement idl, so RIL part, NFC part could > implement this interface. > And SecureElement should call that interface accordingly with the reader > type. > > ::: dom/system/gonk/SecureElement.js > @@ +108,5 @@ > > +XPCOMUtils.defineLazyGetter(this, "gSEMessageManager", function() { > > + return { > > + QueryInterface: XPCOMUtils.generateQI([Ci.nsIMessageListener, > > + Ci.nsIObserver, > > + Ci.nsIIccListener]), > > IccListener should be implemented by some object that implements > SecureElement. > You're making this 'gSEMessageManager' more complicated for what it is doing > here. > > @@ +172,5 @@ > > + } > > + } ] > > + ] > > + } > > + */ > > please indent this, it's hard to read this. > > @@ +175,5 @@ > > + } > > + */ > > + appInfoMap: {}, > > + > > + cardReady: null, > > I think you mean 'isSEPresent'. > > But this attribute should be moved to some nsISecureElement, which could be > implemented by ICC or EmbeddedSE. > > @@ +209,5 @@ > > + } > > + ppmm = null; > > + }, > > + > > + _initializeSEListeners: function() { > > This should not be done in here. (gSEMessageManager). > > @@ +220,5 @@ > > + // Detach the listener to UICC state changes > > + iccProvider.unregisterIccMsg(PREFERRED_UICC_CLIENTID, this); > > + }, > > + > > + _registerSETarget: function(message, readers) { > > I don't understand what's this for and what's the purpose of storing target > here. > > @@ +256,5 @@ > > + } > > + } > > + }, > > + > > + _removeAllSessions: function(msg) { > > This should NOT be defined here. > > @@ +259,5 @@ > > + > > + _removeAllSessions: function(msg) { > > + let allSessions = this.appInfoMap[msg.appId].sessions; > > + // reset all sessions > > + if (allSessions) > > the if check makes non-sense here. > in line 236 you already allocate it as an plain object. > > @@ +278,5 @@ > > + }, > > + > > + _removeSession: function(msg) { > > + let sessions = this.appInfoMap[msg.appId].sessions; > > + if (sessions && sessions[msg.sessionId].type === msg.type) > > 'sessions' check seems not neccesary, as it initializes as a plain object. > Or you have to refactor your data structure. > > @@ +284,5 @@ > > + }, > > + > > + _addChannel: function(channelInfo, msg) { > > + let appId = msg.appId; > > + let token = channelInfo.token; > > What does a token mean? > > Or you're refering to some ChannelID? > > @@ +364,5 @@ > > + }); // End of AppId keys > > + debug("----------------------------------------------------------------------------------------"); > > + }, > > +*/ > > + _isChannelRegistered: function(channel, msg) { > > Who calls this? > > @@ +664,5 @@ > > + let cla = apduCmd[SE.CLA_BYTE_OFFSET] & 0xFF; > > + let ins = apduCmd[SE.INS_BYTE_OFFSET] & 0xFF; > > + let p1 = apduCmd[SE.P1_BYTE_OFFSET] & 0xFF; > > + let p2 = apduCmd[SE.P2_BYTE_OFFSET] & 0xFF; > > + let p3 = !apduCmd[SE.P3_BYTE_OFFSET] ? 0 : apduCmd[SE.P3_BYTE_OFFSET] & 0xFF; > > In Content side you should just pass an object > { > cla: ..., > ins: .. > }; > > so you don't have to encode/decode it as TypedArray twice. > > @@ +831,5 @@ > > + let cardState = iccProvider.getCardState(PREFERRED_UICC_CLIENTID); > > + return (((cardState !== null) && (notReadyStates.indexOf(cardState) == -1)) ? true : false); > > + }, > > + > > + _checkAndRetrieveAvailableReaders: function() { > > this method should query modules that implements nsISecureElement. > And if SE is not present, should we return the reader? > > For example, if SIM is not inserted, or in AirPlane mode, should we return > reader of ICC?

Comment 131

•

10 years ago

Comment on attachment 8533068 [details] [diff] [review] Patch 4: (v4.1) Add new permission to table - 'secureelement-manage' Review of attachment 8533068 [details] [diff] [review]: ----------------------------------------------------------------- This should go with Part 1.

Attachment #8533068 - Flags: review?(allstars.chh)

Comment 132

•

10 years ago

Comment on attachment 8533051 [details] [diff] [review] Patch 1 : (v1.10) Secure Element APIs - Inital Draft Review of attachment 8533051 [details] [diff] [review]: ----------------------------------------------------------------- *Please* submit interdiffs next time. Thanks! ::: dom/webidl/SecureElement.webidl @@ +109,5 @@ > + // 'session' obj this channel is bound to > + readonly attribute SESession session; > + > + // response to openBasicChannel / openLogicalChannel operation > + [Constant, Cached] readonly attribute Uint8Array? openResponse; I can't see why this should be [Constant, Cached]?

Attachment #8533051 - Flags: review?(ehsan.akhgari) → review+

Assignee

Comment 133

•

10 years ago

(In reply to Yoshi Huang[:allstars.chh] from comment #129) > Comment on attachment 8533065 [details] [diff] [review] > Patch 3: (v3.1) Secure Element Parent process Implementation. r=yoshi > > Review of attachment 8533065 [details] [diff] [review]: > ----------------------------------------------------------------- > > I'll stop in the middle as I find out this patch is hard to know what's > going on and hard for review. > Please consider using more abstractions here, or maybe some IDL, or more > documentations. > > Please make your code more modularized. > Most code should be moved into SecureManager, however they are located in > gSEMessageManager. In the latest refactored patch, it has mainly 3 objects. gMap , gSecureElementManager, SEConnectorFactory that gets the instance of Connector obj ('UiccConnector say) based on type ('uicc' / 'eSE'). Only the main object 'gSecureElementManager' which also acts as MessageManager talks to both 'gMap' and 'SEConnector obj'. 'gMap' and 'UiccConnector' doesn't have to talk to each other. > All functions are prefix with _, which means private. I think I have now made that differentiation in the latest patch. > Please make those related functions together. > > Like > > // Impl for SEReader > ... > > // Impl for SESession > ... > > // Impl for SEChannel. > ... > > And above functions should not prefix with _ > > only prefix _ with some helper functions. > > Or using '_' more appropriately. Using it in all functions is the same > thing as not using it at all. > > Also there should be some nsISecureElement idl, so RIL part, NFC part could > implement this interface. > And SecureElement should call that interface accordingly with the reader > type. > As discussed on IRC, though this is not implemented, this information needed is abstracted in 'UiccConnector' obj. It listens to uicc state changes by implementing 'nsIIccListener' interface. > ::: dom/system/gonk/SecureElement.js > @@ +108,5 @@ > > +XPCOMUtils.defineLazyGetter(this, "gSEMessageManager", function() { > > + return { > > + QueryInterface: XPCOMUtils.generateQI([Ci.nsIMessageListener, > > + Ci.nsIObserver, > > + Ci.nsIIccListener]), > > IccListener should be implemented by some object that implements > SecureElement. > You're making this 'gSEMessageManager' more complicated for what it is doing > here. > > @@ +172,5 @@ > > + } > > + } ] > > + ] > > + } > > + */ > > please indent this, it's hard to read this. > > @@ +175,5 @@ > > + } > > + */ > > + appInfoMap: {}, > > + > > + cardReady: null, > > I think you mean 'isSEPresent'. > > But this attribute should be moved to some nsISecureElement, which could be > implemented by ICC or EmbeddedSE. > > @@ +209,5 @@ > > + } > > + ppmm = null; > > + }, > > + > > + _initializeSEListeners: function() { > > This should not be done in here. (gSEMessageManager). > > @@ +220,5 @@ > > + // Detach the listener to UICC state changes > > + iccProvider.unregisterIccMsg(PREFERRED_UICC_CLIENTID, this); > > + }, > > + > > + _registerSETarget: function(message, readers) { > > I don't understand what's this for and what's the purpose of storing target > here. > As per open mobile spec, each application when registering shall be checked against possible readerTypes (ex: 'uicc' (or) 'eSE') that it has permissions to connect to. A certain wallet app can only have access to 'uicc' readerType and not to 'eSE'. Though this kind of enforcement doesn't happen in the existing patch, this may give us flexibility to do the same when multiple secure-elements are supported. > @@ +256,5 @@ > > + } > > + } > > + }, > > + > > + _removeAllSessions: function(msg) { > > This should NOT be defined here. > > @@ +259,5 @@ > > + > > + _removeAllSessions: function(msg) { > > + let allSessions = this.appInfoMap[msg.appId].sessions; > > + // reset all sessions > > + if (allSessions) > > the if check makes non-sense here. > in line 236 you already allocate it as an plain object. > There could be a possibility of 'msg.appId' not present in appInfoMap . In that case, this.appInfoMap[msg.appId] will become 'undefined' . Isn't ? I think if check ensures against such behavior that may break JS engine. Also since this 'appId' is coming from Content , it acts as another check anyways. What do you think ? > @@ +278,5 @@ > > + }, > > + > > + _removeSession: function(msg) { > > + let sessions = this.appInfoMap[msg.appId].sessions; > > + if (sessions && sessions[msg.sessionId].type === msg.type) > > 'sessions' check seems not neccesary, as it initializes as a plain object. > Or you have to refactor your data structure. > Ok. removed 'sessions' now > @@ +284,5 @@ > > + }, > > + > > + _addChannel: function(channelInfo, msg) { > > + let appId = msg.appId; > > + let token = channelInfo.token; > > What does a token mean? > > Or you're refering to some ChannelID? 'token' here refers to 'channelToken'. On opening a channel, say, channel# '2' is returned by RIL stack. This information is kept in parent process while only a unique uuid (token) is sent to DOM. For any further operations on this channel (#2), DOM content target should always pass this 'token' to parent process for validation. This 'token' however is not exposed to Gaia apps > > @@ +364,5 @@ > > + }); // End of AppId keys > > + debug("----------------------------------------------------------------------------------------"); > > + }, > > +*/ > > + _isChannelRegistered: function(channel, msg) { > > Who calls this? > Removed this now. > @@ +664,5 @@ > > + let cla = apduCmd[SE.CLA_BYTE_OFFSET] & 0xFF; > > + let ins = apduCmd[SE.INS_BYTE_OFFSET] & 0xFF; > > + let p1 = apduCmd[SE.P1_BYTE_OFFSET] & 0xFF; > > + let p2 = apduCmd[SE.P2_BYTE_OFFSET] & 0xFF; > > + let p3 = !apduCmd[SE.P3_BYTE_OFFSET] ? 0 : apduCmd[SE.P3_BYTE_OFFSET] & 0xFF; > > In Content side you should just pass an object > { > cla: ..., > ins: .. > }; > > so you don't have to encode/decode it as TypedArray twice. > Agreed. > @@ +831,5 @@ > > + let cardState = iccProvider.getCardState(PREFERRED_UICC_CLIENTID); > > + return (((cardState !== null) && (notReadyStates.indexOf(cardState) == -1)) ? true : false); > > + }, > > + > > + _checkAndRetrieveAvailableReaders: function() { > > this method should query modules that implements nsISecureElement. > And if SE is not present, should we return the reader? > Based on our IRC discussion, I hope you are ok with the latest changes. > For example, if SIM is not inserted, or in AirPlane mode, should we return > reader of ICC? I think we should still return the 'reader' in Airplane mode. If it is not inserted, then as per current design, we will not return 'uicc' based reader to DOM . Please note that I am only uploading Parent process (Patch#3) changes for now. DOM changes will soon follow this. Thanks for your time.

Assignee

Comment 134

•

10 years ago

Attached patch Part 3: (v3.2) Secure Element Parent process Implementation. r=yoshi (obsolete) — Details — Splinter Review

Attachment #8533065 - Attachment is obsolete: true

Attachment #8536941 - Flags: feedback?(allstars.chh)

Assignee

Comment 135

•

10 years ago

Attached patch Part 3: (v3.2) Secure Element Parent process Implementation. r=yoshi (obsolete) — Details — Splinter Review

Attachment #8536941 - Attachment is obsolete: true

Attachment #8536941 - Flags: feedback?(allstars.chh)

Attachment #8536977 - Flags: feedback?(allstars.chh)

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Assignee

Comment 136

•

10 years ago

(In reply to :Ehsan Akhgari (not reading bugmail, needinfo? me!) from comment #132) > Comment on attachment 8533051 [details] [diff] [review] > Patch 1 : (v1.10) Secure Element APIs - Inital Draft > > Review of attachment 8533051 [details] [diff] [review]: > ----------------------------------------------------------------- > > *Please* submit interdiffs next time. Thanks! > > ::: dom/webidl/SecureElement.webidl > @@ +109,5 @@ > > + // 'session' obj this channel is bound to > > + readonly attribute SESession session; > > + > > + // response to openBasicChannel / openLogicalChannel operation > > + [Constant, Cached] readonly attribute Uint8Array? openResponse; > > I can't see why this should be [Constant, Cached]? I am not sure if I have interpreted these attributes correctly. Per MDN, "Used to flag attributes that, when their getter is called, will cache the returned value on the JS object. This can be used to implement attributes whose value is a sequence or dictionary (which would otherwise end up returning a new object each time and hence not be allowed in WebIDL)." In order to avoid creation of 'new object' every-time it is called by Gaia apps. Also as [Cached] attributes must be [Pure] or [Constant], I chose [Constant] because it can return the same value every-time.

•

10 years ago

Attached patch Part 2: (v2.2) Secure Element DOM Implementation (obsolete) — Details — Splinter Review

Attachment #8533057 - Attachment is obsolete: true

Attachment #8539849 - Flags: review?(allstars.chh)

Assignee

Comment 142

•

10 years ago

Attached patch Part 3: (v3.3) Secure Element Parent process Implementation. r=yoshi (obsolete) — Details — Splinter Review

Attachment #8536977 - Attachment is obsolete: true

Attachment #8539852 - Flags: review?(allstars.chh)

Assignee

Comment 143

•

10 years ago

Attached patch Part 4: (v4.1) Add moz.build for SecureElement files required for part 2 & 3 patches. r=yoshi (obsolete) — Details — Splinter Review

Attachment #8533068 - Attachment is obsolete: true

Attachment #8539856 - Flags: review?(allstars.chh)

Assignee

Comment 144

•

10 years ago

(In reply to Yoshi Huang[:allstars.chh] from comment #127) > Comment on attachment 8533057 [details] [diff] [review] > Patch 2: (v2.1) Secure Element DOM Implementation > > Review of attachment 8533057 [details] [diff] [review]: > ----------------------------------------------------------------- > > ::: dom/secureelement/DOMSecureElement.js > @@ +26,5 @@ > > + "nsISyncMessageSender"); > > + > > +XPCOMUtils.defineLazyServiceGetter(this, "iccProvider", > > + "@mozilla.org/ril/content-helper;1", > > + "nsIIccProvider"); > > Who uses this? > Removed in the latest ver > @@ +38,5 @@ > > +/* > > + * Helper object that maintains sessionObj and its corresponding > > + * channelObj for a given SE type > > + */ > > +let SEStateHelper = { > > this helper deserves another part of patch. > I did not understand this. Are you suggesting this part of the code 'SEStateHelper' to be removed and upload another different patch ? (i;e; DOM patches will have two patches .) For now I still uploaded it as part of the same patch though. > @@ +190,5 @@ > > +/** > > + * ============================================== > > + * SECommand > > + * ============================================== > > + */ > > I don't see any documentation in this comment. > Same for below. Added some docs > > @@ +193,5 @@ > > + * ============================================== > > + */ > > +function SECommand() {} > > +SECommand.prototype = { > > + __init: function(cla, ins, p1, p2, data, le) { > > function name > > @@ +199,5 @@ > > + this.ins = ins; > > + this.p1 = p1; > > + this.p2 = p2; > > + this.data = data; > > + this.le = le; > > These members should also be defined in prototype. > I have initialized all the members in the cstor. cstor does not take any arguments. And in 'initialize' , initialize all the members appropriately! This is consistent across all other SExxx implementation in this file (and I guess with other DOM subsystems). > @@ +215,5 @@ > > + */ > > + > > +function SEResponse(aResponseInfo) { > > + this.sw1 = 0x00; > > + this.sw2 = 0x00; > > these two lines are useless. > Ok. > @@ +218,5 @@ > > + this.sw1 = 0x00; > > + this.sw2 = 0x00; > > + this.data = null; > > + > > + this.channel = SEStateHelper.getChannelObjByToken(aResponseInfo.token); > > data, and channel should be defined in prototype. > Hopefully I have addressed this in the earlier comment. > @@ +224,5 @@ > > + if (!apduResponse.simResponse || apduResponse.simResponse.length === 0) { > > + if (DEBUG) debug('APDU Response: Empty / Not Set!'); > > + } else { > > + this.data = apduResponse.simResponse.slice(0, apduResponse.length); > > + } > > Why so complicated? > aResponseInfo.response.simResponse? > Ok . Agreed! > @@ +248,5 @@ > > + this._aid = aChannelInfo.aid; > > + this._channelToken = aChannelInfo.token; > > + this._sessionId = aChannelInfo.sessionId; > > + this.session = null; > > + this.openResponse = null; > > define in prototype. > > @@ +260,5 @@ > > + classID: Components.ID("{181ebcf4-5164-4e28-99f2-877ec6fa83b9}"), > > + contractID: "@mozilla.org/secureelement/SEChannel;1", > > + QueryInterface: XPCOMUtils.generateQI([]), > > + > > + initialize: function ic_initialize(win, openResponse) { > > what's the ic_ in function name? Fixed the function name to be consistent across the file now. > And what is the difference between initialize and cstor? > cstor will take no arguments now. In cstor function, all the required private + public members get initialized. 'initialize' initializes all the members with the appropriate vals. > @@ +267,5 @@ > > + // Update 'session' obj > > + this.session = SEStateHelper.getSessionObjById(this._sessionId); > > + }, > > + > > + transmit: function(command) { > > function name > > @@ +275,5 @@ > > + if (typeof command.cla === 'undefined' || > > + typeof command.ins === 'undefined' || > > + typeof command.p1 === 'undefined' || > > + typeof command.p2 === 'undefined' || > > + !command) > > I think the command is type of SECommand, right? > Why can't these checks be done in SECommand cstor? > Ok. It looks like we may not need to check these conditions as webidl will ensure this for DOM impl. Since constructor of SECommand in webidl is as follows: - 'Constructor(octet cla, octet ins, octet p1, octet p2 ....' If there are any values missing, webidl itself will throw exception while accessing 'SECommand'. > @@ +276,5 @@ > > + typeof command.ins === 'undefined' || > > + typeof command.p1 === 'undefined' || > > + typeof command.p2 === 'undefined' || > > + !command) > > + return PromiseHelpers._rejectWithSEError('SEGenericError: ' + > > nit, add {}. > > { > > return Promise... > }; > > @@ +280,5 @@ > > + return PromiseHelpers._rejectWithSEError('SEGenericError: ' + > > + "Invalid APDU, Missing Mandatory headers!"); > > + > > + let le = -1; > > + let dataLen = -1; > > remove this line. > Ok > @@ +282,5 @@ > > + > > + let le = -1; > > + let dataLen = -1; > > + let offset = 0; > > + let apduFieldsLen = 4; // (CLA + INS + P1 + P2) > > Can we merge 'offset' and apduFieldsLen' into one variable? > I think after taking your other comment, we may not need these vars. It becomes little more straight-forward. > @@ +283,5 @@ > > + let le = -1; > > + let dataLen = -1; > > + let offset = 0; > > + let apduFieldsLen = 4; // (CLA + INS + P1 + P2) > > + dataLen = !command.data ? 0 : command.data.length; > > more straightforward. > > let dataLen = command.data ? command.data.length : 0; > > @@ +292,5 @@ > > + le = command.le; > > + apduFieldsLen++; // Le > > + } > > + > > + if ((apduFieldsLen + dataLen) > SE.MAX_APDU_LEN) > > nit, add {} > Ok > @@ +311,5 @@ > > + } > > + } > > + if (le !== -1) { > > + apduCommand[offset] = command.le; > > + } > > I think you should move these code to a helper that coverts SECommand to a > TypedArray. > I think after taking your other comment, we may not need these vars. It becomes little more straight-forward. > @@ +321,5 @@ > > + apdu: apduCommand, > > + channelToken: this._channelToken, > > + aid: this._aid, > > + sessionId: this._sessionId, > > + appId: this._window.document.nodePrincipal.appId > > Please explain why are these parameters for. > Ok > @@ +361,5 @@ > > + return ['basic', 'logical'][type]; > > + }, > > + > > + _checkClosed: function() { > > + if (this.isClosed === true) { > > When will this.isClosed be set to true? > When the user attempts to close the channel by using closeAll (in Session) or close (in Channel) > @@ +373,5 @@ > > + * SESession > > + * ============================================== > > + */ > > + > > +function SESession(aSessionInfo) { > > Please move these implementations by order. > SEReader, SESesssion, SEChannel. > Ok. > @@ +392,5 @@ > > + > > + openBasicChannel: function(aid) { > > + // Not Supported for now! > > + return PromiseHelpers._rejectWithSEError('SEGenericError: ' + > > + "OpenBasicChannel() is not supported for SE type : " + SE.TYPE_UICC); > > Should only reject when the type of READER is of UICC, > not reject directly. > Or if not supported for now, remove it. > Removed it from now! > @@ +401,5 @@ > > + // According to SIMalliance_OpenMobileAPI v3 draft: > > + // In case of UICC it is recommended to reject the opening of the logical > > + // channel without a specific AID. > > + if (!aid || aid.length === 0) { > > + if (this.reader.type === SE.TYPE_UICC) > > if (this.reader.type == UICC) should be moved to outter. > Ok > @@ +406,5 @@ > > + return PromiseHelpers._rejectWithSEError('SEGenericError: ' + > > + "AID is not specified!"); > > + } > > + > > + if (aid.length < SE.MIN_AID_LEN || aid.length > SE.MAX_AID_LEN) > > nit, {} Ok > > @@ +407,5 @@ > > + "AID is not specified!"); > > + } > > + > > + if (aid.length < SE.MIN_AID_LEN || aid.length > SE.MAX_AID_LEN) > > + return PromiseHelpers._rejectWithSEError('SEGenericError: ' + > > use double quotes. > Ok > @@ +410,5 @@ > > + if (aid.length < SE.MIN_AID_LEN || aid.length > SE.MAX_AID_LEN) > > + return PromiseHelpers._rejectWithSEError('SEGenericError: ' + > > + "Invalid AID length - " + aid.length); > > + > > + this._aid = Cu.waiveXrays(aid); > > Why does we need waiveXrays here? > Corrected this now. Now I just copy the aid to another private member. > @@ +444,5 @@ > > + }); > > + }, > > + > > + get atr() { > > + // 'Answer to Reset' is not supported for now, return null. > > remove it. Removed! > Add this when you plan to implement it. > Actually we need to have some discussion on how to retrieve 'atr value' from RIL stack. We may have to involve Qualcomm also here ? I will raise a CR to follow-up on this as well. > @@ +499,5 @@ > > + }); > > + }, > > + > > + get isSEPresent() { > > + return cpmm.sendSyncMessage("SE:CheckSEState", > > Sync? > Not needed now! > @@ +527,5 @@ > > + QueryInterface: XPCOMUtils.generateQI([Ci.nsIDOMGlobalPropertyInitializer, > > + Ci.nsISupportsWeakReference, > > + Ci.nsIObserver]), > > + > > + init: function SEManagerInit(win) { > > another style of function name. > Corrected it now. > @@ +530,5 @@ > > + > > + init: function SEManagerInit(win) { > > + this._window = win; > > + PromiseHelpers = new PromiseHelpersSubclass(this._window); > > + this.innerWindowID = win.QueryInterface(Ci.nsIInterfaceRequestor) > > What's this for? > Removed > @@ +539,5 @@ > > + let perm = Services.perms.testExactPermissionFromPrincipal(principal, > > + "secureelement-manage"); > > + if (perm === Ci.nsIPermissionManager.ALLOW_ACTION) { > > + this._isAllowed = true; > > + } > > I think WebIDL bindings could do this check for you. > Yes, you are right > @@ +543,5 @@ > > + } > > + > > + // Add the messages to be listened to. > > + const messages = ["SE:GetSEReadersResolved", > > + "SE:OpenSessionResolved", > > Why cannt we merge OpenSessionResolved and OpenSessionRejected into one > message? > Sorry, Couldn't understand this comment. > @@ +567,5 @@ > > + PromiseHelpers = null; > > + this._window = null; > > + }, > > + > > + _ensureAccess: function() { > > Who calls this function? > Removed > @@ +592,5 @@ > > + receiveMessage: function(aMessage) { > > + let data = aMessage.json; > > + let chromeObj = null; > > + let contentObj = null; > > + debug("receiveMessage(): " + aMessage.name + " " + JSON.stringify(data)); > > Don't use JSON.stringify. > Ok. > @@ +601,5 @@ > > + } > > + > > + switch (aMessage.name) { > > + case "SE:GetSEReadersResolved": > > + let availableReaders = this._window.Array(); > > []; Ok

Assignee

Comment 145

•

10 years ago

Attached patch Part 2: (v2.2) Secure Element DOM Implementation (obsolete) — Details — Splinter Review

Attachment #8539849 - Attachment is obsolete: true

Attachment #8539849 - Flags: review?(allstars.chh)

Attachment #8539867 - Flags: review?(allstars.chh)

Assignee

Comment 146

•

10 years ago

(In reply to Yoshi Huang[:allstars.chh] from comment #137) > (In reply to Siddartha P from comment #133) > > (In reply to Yoshi Huang[:allstars.chh] from comment #129) > > As per open mobile spec, each application when registering shall be checked > > against possible readerTypes (ex: 'uicc' (or) 'eSE') that it has permissions > > to connect to. A certain wallet app can only have access to 'uicc' > > readerType and not to 'eSE'. Though this kind of enforcement doesn't happen > > in the existing patch, > Remove this and file another bug for this. > Please don't add any code which won't be executed in this version. > Or implement it. > > And please file follow-up bugs you plan to fix and add them in the TODO in > your patch. Ok. We will soon raise bugs in next few and refer to them in code.

Assignee

Comment 147

•

10 years ago

(In reply to Yoshi Huang[:allstars.chh] from comment #138) > Comment on attachment 8536977 [details] [diff] [review] > Part 3: (v3.2) Secure Element Parent process Implementation. r=yoshi > > Review of attachment 8536977 [details] [diff] [review]: > ----------------------------------------------------------------- > > Why are these files in dom/system/gonk? > Shouldn't these be located in dom/secureelement/gonk? > Moved the files to 'dom/system/gonk'. > Also I still didn't review the gMap part as I asked to indent it last time. > But it's still the way it's. I have now done this, hopefully to your liking! > > ::: dom/system/gonk/SecureElement.js > @@ +57,5 @@ > > + "SE:GetChannelType", > > + "SE:IsChannelClosed" > > +]; > > + > > +const SE_CONTRACTID = "@mozilla.org/se;1"; > > use full name for se. > Ok > @@ +85,5 @@ > > + classID: SE_CID, > > + contractID: SE_CONTRACTID, > > + classDescription: "SecureElement", > > + interfaces: []}) > > +}; > > What is this SecureElement for actually? > In the recent patch, now 'SecureElement' is main object that combines with 'gSecureElementManager' (this is not a separate Lazygetter now). > @@ +91,5 @@ > > +// Factory constructor > > +function SEConnectorFactory() {} > > + > > +/** > > + * Factory like pattern for getting the Connector obj. > > What's a 'Connector' object? Added few comments, and refer to this as 'SEConnector object' such as 'UiccConnector' > and what's the difference between it and SecureElement? 'SEConnector object' such as 'UiccConnector' only deals with talking to 'iccProvider' and does operations / checks specific to the protocol. While 'SecureElement' (now 'SecureElementManager') deals with ipc message handling and bridges the functionality with 'gMap'. ('gMap' only deals with map management) > > @@ +103,5 @@ > > +SEConnectorFactory.prototype = { > > + > > + connectorClass: null, > > + > > + get: function(options) { > > get what? > Renamed to 'getConnector' > for the argument, use 'type' directly. > Ok > @@ +109,5 @@ > > + case SE.TYPE_ESE: > > + if (DEBUG) debug('UnSupported SEConnector : ' + SE.TYPE_ESE); > > + break; > > + case SE.TYPE_UICC: > > + default: // Default ConnectorClass is UiccConnector > > Why Uicc is default? > Addressed this now! > @@ +113,5 @@ > > + default: // Default ConnectorClass is UiccConnector > > + this.connectorClass = UiccConnector; > > + break; > > + } > > + return this.connectorClass; > > connectorClass seems useless. > Ok. > switch (type) { > case ESE: > return null; > case UICC: > return UiccConnector; > } > > @@ +190,5 @@ > > + ... > > + ... > > + ... > > + ] > > + } */ > > indent this, or I won't be able to review this. > Yep, I did it now! > @@ +439,5 @@ > > + isChannelClosed: function(data) { > > + return !this.appInfoMap[data.appId].sessions[data.sessionId].channels[data.channelToken]; > > + }, > > + > > + > > extra line. > Ok > @@ +464,5 @@ > > + * Private internal functions > > + */ > > + > > + // Retrieves all the channels for the given 'channels' object > > + _getChannels: function(channels) { > > Make it more easier to understand. > Added few comments with an example. > @@ +468,5 @@ > > + _getChannels: function(channels) { > > + if (!channels) > > + return null; > > + > > + let channelNumbers = new Array(); > > [] > Ok > @@ +526,5 @@ > > +XPCOMUtils.defineLazyGetter(this, "UiccConnector", function() { > > + return { > > + QueryInterface: XPCOMUtils.generateQI([Ci.nsIIccListener]), > > + > > + _isUiccSecureElementPresent: false, > > using shorter name > Ok > @@ +545,5 @@ > > + notifyIccInfoChanged: function() {}, > > + > > + // This function acts as a trigger to listen on 'nsIIccListener' callbacks > > + start: function() { > > + if (DEBUG) debug("Default Client ID " + PREFERRED_UICC_CLIENTID); > > remove this line. > Ok > @@ +566,5 @@ > > + doOpenChannel: function(aid, callback) { > > + if (!aid || aid.length === 0) { > > + // According to SIMalliance_OpenMobileAPI v3 draft, > > + // it is recommended not to support it. > > + debug('AID is not set. Reject the openChannel request!'); > > use double quote. > Ok > @@ +570,5 @@ > > + debug('AID is not set. Reject the openChannel request!'); > > + throw new Error(SE.ERROR_SECURITY); > > + } > > + > > + if (aid.length < SE.MIN_AID_LEN || aid.length > SE.MAX_AID_LEN) { > > let aidLen = aid ? aid.length : 0; > > then you can merge these two if checks. > Ok > Also I think this check should be done in DOM part. > Actually, DOM part has its side of checks in place. Since this is in parent process, maybe it is still better to be conservative (for security reasons perhaps) and perform the checks anyways since these IPC commands are coming from content. > @@ +602,5 @@ > > + doTransmit: function(command, callback) { > > + let cla = command.cla & 0xFF; > > + let ins = command.ins & 0xFF; > > + let p1 = command.p1 & 0xFF; > > + let p2 = command.p2 & 0xFF; > > Is these & 0xff neccesary? > If you have defined your WebIDL well, these should be done already. > Actually you are right. Maybe again for being conservative and making SecureElement parent process do its needed checks and perhaps not relying on DOM to do the checks only. Because after this, the stack directly talks to low level APIs. > @@ +619,5 @@ > > + } > > + else if (command.le !== -1) { > > + // Only le is set. 'p3=le'. Response expected! > > + p3 = command.le; > > + } > > let p3 = command.data ? > commmand.data.length : > (command.le != -1 ? command.le : 0x00); > let appendLe = (command.data != null) && (command.le != -1); > Ok > @@ +622,5 @@ > > + p3 = command.le; > > + } > > + > > + // At this point perform more sanity checks on the c-apdu > > + if (p3 + SE.APDU_HEADER_LEN > SE.MAX_APDU_LEN) { > > Do this in Content? > Also , did this in content. > @@ +635,5 @@ > > + typeof command.p1 === 'undefined' || > > + typeof command.p2 === 'undefined') { > > + debug('Mandatory command headers Missing! - Invalid Command'); > > + throw new Error(SE.ERROR_IO); > > + } > > Shouldn't this be done in Content side? > Actually, based on your earlier comment, I removed this completely. > @@ +651,5 @@ > > + } > > + if (DEBUG) debug("Attempting to transmit an ISO command"); > > + } else { > > + if (DEBUG) debug("Attempting to transmit GlobalPlatform command"); > > + } > > done in content ? > > @@ +674,5 @@ > > + let leHexStr = SE.gUtils.byteTohexString(le & 0xFF) + > > + SE.gUtils.byteTohexString((le >> 8) & 0xFF) ; > > + data += leHexStr; > > + } > > + let channel = this._getChannelNumber(cla & 0xFF); > > you already & 0xff in the beginning of this function. > Removed this though. > @@ +702,5 @@ > > + // TBD: Finally Perform checks with ACE module > > + > > + let count = 0; > > + for (let index = 0; index < channels.length; index++) { > > + let channelNumber = channels[index]; > > Can't we just call it 'channel'? Why 'channelNumber' ? > Renamed across the file, to just 'channel' > @@ +703,5 @@ > > + > > + let count = 0; > > + for (let index = 0; index < channels.length; index++) { > > + let channelNumber = channels[index]; > > + if (channelNumber === SE.TYPE_BASIC_CHANNEL) { > > This looks totally confusing. > if this is a type, then it should be named 'channelType'. Also same for the > channels. > My bad! Typo on my side. This should be 'BASIC_CHANNEL' only . Added this new constant in se_consts.js file, and removed TYPE_XXX_CHANNEL constants as these can be boolean (again based on one your earlier coments) > @@ +847,5 @@ > > + "personalizationInProgress", > > + "permanentBlocked" > > + ]; > > + let cardState = iccProvider.getCardState(PREFERRED_UICC_CLIENTID); > > + return (((cardState !== null) && (notReadyStates.indexOf(cardState) == -1)) ? true : false); > > can't we just compare cardState to CARD_STATE_READY? > Maybe. One of my testing SIMs is in 'pukblocked' state. As per the protocol, SE stack should still be able to talk to uicc SE normally. There are (as you may know) multiple such OK states other than just 'card ready' where SE operations should be permitted. Hence picked up the card states that are not suitable for SE operations and have the checks against such 'not ready states'. (as per spec) > @@ +861,5 @@ > > + * It mainly interacts with 'gMap' to query the state of Readers, Sessions, Channels, > > + * while it interacts with 'Connector instances' to perform low level SE-related > > + * (open,close,transmit) I/O operations. > > + */ > > +XPCOMUtils.defineLazyGetter(this, "gSecureElementManager", function() { > > I don't think this should be a lazy getter. > Ok. Agreed > @@ +876,5 @@ > > + Services.obs.addObserver(this, NS_XPCOM_SHUTDOWN_OBSERVER_ID, false); > > + this._registerMessageListeners(); > > + // This is needed for UiccConnector to start listening on uicc state changes > > + UiccConnector.start(); > > + this.connectorFactory = new SEConnectorFactory(); > > Given that you have ConnectorFactory, you should access UiccConnector > through that factory. > Otherwise your 'factory' will be useless. > Ok. Addressed this. > @@ +1070,5 @@ > > + */ > > + > > + receiveMessage: function(msg) { > > + if (DEBUG) debug("Received '" + msg.name + "' message from content process" + ": " + > > + JSON.stringify(msg.json)); > > use msg.data > Ok > @@ +1075,5 @@ > > + let status = SE.ERROR_GENERIC; > > + let message = msg; > > + let promiseStatus = "Rejected"; > > + let options = { status: status, > > + resolverId: msg.json ? msg.json.resolverId : null }; > > align. > Ok > @@ +1184,5 @@ > > + return gMap.isSessionClosed(msg.json); > > + case "SE:GetChannelType": > > + return gMap.getChannelType(msg.json); > > + case "SE:IsChannelClosed": > > + return gMap.isChannelClosed(msg.json); > > That should be some notifications back to the DOM part, like > notifySEPresent, notifSessionClosed, notifyChannelClosed, ... etc, > so these getters could be done in DOM layer. > Ok. Added 'notifySEPresent' in this patch. In my opinion, 'notifSessionClosed', 'notifyChannelClosed' may not be needed as the same purpose is served by 'closeAllChannelsBySessionResolved' & 'closeChannelResolved' IPC events. Also 'close operation' on say a 'session' / 'channel' or on 'array of channels' is pretty much a top-down operation. i;e; Gaia apps issue these commands in the form of 'closeAll (in SESession instance)' or 'close (in SEChannel instance)' or 'closeAll (in SEReader instance)'. SE stack (mainly SecureElement.js) in any case wouldn't know if the underlying opened channels get closed as there is no 'unsolicited event from RIL notifying it'. Hence the current solution. Hopefully you are ok with this approach > @@ +1187,5 @@ > > + case "SE:IsChannelClosed": > > + return gMap.isChannelClosed(msg.json); > > + default: > > + throw new Error("Don't know about this message: " + msg.name); > > + return; > > You already did this check in line 1095 > Ok. Got it. > @@ +1189,5 @@ > > + default: > > + throw new Error("Don't know about this message: " + msg.name); > > + return; > > + } > > + msg.target.sendAsyncMessage(msg.name + promiseStatus, options); > > move this line into cases, like GetSEReaders, OpenSession. > Ok. Infact in the latest patch, refactored the entire SE IPC commands into one handler 'handleDOMRequests'. This should take care of most of SE IPC commands handling. > @@ +1206,5 @@ > > + } > > + }; > > +}); > > + > > +this.NSGetFactory = XPCOMUtils.generateNSGetFactory([SecureElement]); > > Seems to me you should put SecureElementManager here. > Ok > ::: dom/system/gonk/moz.build > @@ +100,5 @@ > > + 'SecureElement.js', > > + 'SecureElement.manifest', > > +] > > +EXTRA_JS_MODULES += [ > > + 'se_consts.js', > > indent. > Ok > Also this should be moved to somewhere like dom/secureelement/gonk > Ok > ::: dom/system/gonk/se_consts.js > @@ +15,5 @@ > > + > > +/* Copyright © 2014, Deutsche Telekom, Inc. */ > > + > > +// Set to true to debug SecureElement (SE) stack > > +this.DEBUG_ALL = true; > > default to false. > Ok > @@ +18,5 @@ > > +// Set to true to debug SecureElement (SE) stack > > +this.DEBUG_ALL = true; > > + > > +// Set individually to debug specific layers > > +this.DEBUG_ACE = false || DEBUG_ALL; > > ? > remove this. > Ok > @@ +19,5 @@ > > +this.DEBUG_ALL = true; > > + > > +// Set individually to debug specific layers > > +this.DEBUG_ACE = false || DEBUG_ALL; > > +this.DEBUG_SE = false || DEBUG_ALL; > > reverse the order. > Ok > DEBUG_ALL || false; > > @@ +24,5 @@ > > + > > +// Ideally this should have been 3, as we do not allow basic channel' : 0 on 'uicc'. > > +// Max number of supplementary logical channels available would be : [1, 2, or 3]. > > +// Other SE types may support upto max 4. > > + > > extra line. > Ok > @@ +29,5 @@ > > +// Maximun logical channels per session. > > +this.MAX_CHANNELS_ALLOWED_PER_SESSION = 4; > > + > > +this.TYPE_BASIC_CHANNEL = 0; > > +this.TYPE_LOGICAL_CHANNEL = 1; > > Seems boolean is enough. > ok > @@ +61,5 @@ > > +this.ERROR_IO = 'SEIoError'; > > +this.ERROR_BADSTATE = 'SEBadStateError'; > > +this.ERROR_INVALIDCHANNEL = 'SEInvalidChannelError'; > > +this.ERROR_INVALIDAPPLICATION = 'SEInvalidApplicationError'; > > +this.ERROR_GENERIC = 'SEGenericError'; > > double quotes. > ok > @@ +64,5 @@ > > +this.ERROR_INVALIDAPPLICATION = 'SEInvalidApplicationError'; > > +this.ERROR_GENERIC = 'SEGenericError'; > > + > > +this.TYPE_UICC = 'uicc'; > > +this.TYPE_ESE = 'eSE'; > > ditto. > ok > @@ +66,5 @@ > > + > > +this.TYPE_UICC = 'uicc'; > > +this.TYPE_ESE = 'eSE'; > > + > > +this.gUtils = { > > move this to a JSM, and these functions should have tests. > Valid point. In our team we had a consensus, and Krzysztof is going to upload the lib very soon for your review in this bug itself. As you have already noted, this lib will then be used by both SE stack and ACE modules. Therefore I have not made any modifications for this for now. Please do review other parts. Thanks! > @@ +67,5 @@ > > +this.TYPE_UICC = 'uicc'; > > +this.TYPE_ESE = 'eSE'; > > + > > +this.gUtils = { > > + hexStringToBytes: function(hexString) { > > hexStringToByteArray > > @@ +69,5 @@ > > + > > +this.gUtils = { > > + hexStringToBytes: function(hexString) { > > + let bytes = []; > > + let length = hexString.length; > > what if hexString is null or undefined? > > @@ +78,5 @@ > > + > > + return bytes; > > + }, > > + > > + byteTohexString: function(array) { > > byteArrayToHexString > and using the same naming, 'array' or 'bytes'. > > @@ +80,5 @@ > > + }, > > + > > + byteTohexString: function(array) { > > + let hexString = ""; > > + let hex; > > move hex into for loop. > > @@ +83,5 @@ > > + let hexString = ""; > > + let hex; > > + > > + if (!array || array.length === 0) > > + return hexString; > > let length = array ? array.length : 0; > > for (let i = 0; i < length; i++) > > then the if check can be removed now. > > @@ +86,5 @@ > > + if (!array || array.length === 0) > > + return hexString; > > + > > + for (let i = 0; i < array.length; i++) { > > + hex = array[i].toString(16).toUpperCase(); > > If you want upperCase, do it in the return. > > return hexString.toUpperCase();

Assignee

Comment 148

•

10 years ago

Attached patch Part 3: (v3.3) Secure Element Parent process Implementation. r=yoshi (obsolete) — Details — Splinter Review

Obsoleting the just attached Part 3 (v3.3) patch and attaching a new one. The difference being in 'receiveMessage:' function. Removed all the local variables which are not being used.

Attachment #8539852 - Attachment is obsolete: true

Attachment #8539852 - Flags: review?(allstars.chh)

Attachment #8539927 - Flags: review?(allstars.chh)

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Comment 149

•

10 years ago

Attached patch Part 6: (v1) SEUtils.jsm, r=allstars.chh (obsolete) — Details — Splinter Review

This is SEUtils.jsm with utility functions which will be used by Secure Element API and ACE. Right now we don't run this code in emulator so it's hard to run xpcshell tests for it. Do you want me to also add xpcshell test for it in this bug or should this be raised as a followup once this will be landed?

Attachment #8540295 - Flags: review?(allstars.chh)

Comment 150

•

10 years ago

Comment on attachment 8539867 [details] [diff] [review] Part 2: (v2.2) Secure Element DOM Implementation Review of attachment 8539867 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/secureelement/DOMSecureElement.js @@ +41,5 @@ > + > + /* > + // Structure of '_stateInfoMap'. > + > + // 'sessionIds' and 'channelTokens' are uuids generated in parent process. I think both are generated from UUID, right? so either call them {sessionToken, channelToken} or {sessionId, channelId}. make the naming consistent. @@ +72,5 @@ > + */ > + _stateInfoMap: {}, > + > + addReaderObjs(readerObjs) { > + for (let index = 0; index < readerObjs.length; readerObjs++) { readerObjs++? @@ +73,5 @@ > + _stateInfoMap: {}, > + > + addReaderObjs(readerObjs) { > + for (let index = 0; index < readerObjs.length; readerObjs++) { > + let aReaderObj = readerObjs[index]; why prefix with a? @@ +83,5 @@ > + } > + }, > + > + getReaderObjByType(type) { > + let map = this._stateInfoMap[type]; map ? you called it sessionObj in line 82. @@ +90,5 @@ > + > + deleteReaderObjByType(type) { > + let sessions = this._stateInfoMap[type].sessions; > + Object.keys(sessions).forEach((sessionId) => { > + if (sessions[sessionId]) { is this 'if' check neccesary? @@ +96,5 @@ > + } > + }); > + }, > + > + addSessionObj(sessionObj, aSessionInfo) { either make it all prefix with a, or not at all. @@ +97,5 @@ > + }); > + }, > + > + addSessionObj(sessionObj, aSessionInfo) { > + this._stateInfoMap[aSessionInfo.type].sessions[aSessionInfo.sessionId] = { TODO @@ +106,5 @@ > + > + getSessionObjById(sessionId) { > + let keys = Object.keys(this._stateInfoMap); > + for (let i = 0; i < keys.length; i++) { > + let aKey = keys[i]; let key = ... @@ +165,5 @@ > + } > +}; > + > +function PromiseHelpersSubclass(win) { > + this._window = win; indent two spaces. @@ +173,5 @@ > + __proto__: DOMRequestIpcHelper.prototype, > + > + _window: null, > + > + _createSEPromise: function(aCallback) { Please use the same syntax for object method. Also why prefix with _? This is called by other objects. @@ +183,5 @@ > + aCallback(resolverId); > + }); > + }, > + > + extra line @@ +184,5 @@ > + }); > + }, > + > + > + _rejectWithSEError: function(aReason) { ditto, remove _ @@ +212,5 @@ > + classID: Components.ID("{1c7bdba3-cd35-4f8b-a546-55b3232457d5}"), > + contractID: "@mozilla.org/secureelement/SEReader;1", > + QueryInterface: XPCOMUtils.generateQI([]), > + > + initialize: function initialize(win) { now you add function name? Use consistent style. @@ +217,5 @@ > + this._window = win; > + this._isSEPresent = true; > + }, > + > + openSession: function openSession() { Shouldn't this check this._isSEPresent first? @@ +218,5 @@ > + this._isSEPresent = true; > + }, > + > + openSession: function openSession() { > + return PromiseHelpers._createSEPromise((aResolverId) => { I think you could just update your promiseHelper a bit, you could take 'reader' object when you new your promise, when the promise resolves you can get the 'reader' back. So no need to StateHelper. Same idea for object below. @@ +257,5 @@ > + }, > + > + set isSEPresent(isSEPresent) { > + this._isSEPresent = isSEPresent; > + } Wouldn't it be easier if you just define isSEPresent? @@ +258,5 @@ > + > + set isSEPresent(isSEPresent) { > + this._isSEPresent = isSEPresent; > + } > +}; Where is 'type' attribute? @@ +268,5 @@ > + * hosted by the Secure Element. > + */ > +function SESession() { > + this._sessionId = null; > + this.reader = null; move this to prototype. @@ +278,5 @@ > + classID: Components.ID("{2b1809f8-17bd-4947-abd7-bdef1498561c}"), > + contractID: "@mozilla.org/secureelement/SESession;1", > + QueryInterface: XPCOMUtils.generateQI([]), > + > + initialize: function initialize(win, result, data) { pass sessionId and type directly. @@ +292,5 @@ > + // According to SIMalliance_OpenMobileAPI v4 spec, > + // in case of UICC it is recommended to reject the opening of the logical > + // channel without a specific AID. > + if (this.reader.type === SE.TYPE_UICC) { > + if (!aid || aid.length === 0) { This check is totally not neccesary because you already check AID in line 302. @@ +300,5 @@ > + } > + > + if (aid.length < SE.MIN_AID_LEN || aid.length > SE.MAX_AID_LEN) { > + return PromiseHelpers._rejectWithSEError(SE.ERROR_GENERIC + > + " Invalid AID length - " + aid.length); The error message doesn't fully match WebIDL. @@ +304,5 @@ > + " Invalid AID length - " + aid.length); > + } > + > + // copy the aid > + this._aid = aid.subarray(0); define this in prototype. @@ +356,5 @@ > + if (this.isClosed) { > + throw new Error(SE.ERROR_BADSTATE + " Session Already Closed!"); > + } > + } > +}; remove atr/openBasicChannel from WebIDL. @@ +362,5 @@ > +/** > + * Instance of 'SECommand' dom object represent C-APDU to be sent to a > + * secure element. > + */ > +function SECommand() { nit, move SECommand after SEChannel @@ +368,5 @@ > + this.ins = 0x00; > + this.p1 = 0xFF; > + this.p2 = 0xFF; > + this.data = null; > + this.le = -1; move these to prototype. @@ +372,5 @@ > + this.le = -1; > +} > + > +SECommand.prototype = { > + __init: function __init(cla, ins, p1, p2, data, le) { check format. @@ +394,5 @@ > + */ > +function SEChannel() { > + this._aid = null; > + this._channelToken = null; > + this._sessionId = null; consistent naming for Token or id. @@ +395,5 @@ > +function SEChannel() { > + this._aid = null; > + this._channelToken = null; > + this._sessionId = null; > + this._channelType = "logical"; Why logical is default? @@ +397,5 @@ > + this._channelToken = null; > + this._sessionId = null; > + this._channelType = "logical"; > + this.session = null; > + this.openResponse = null; move these to prototype. @@ +409,5 @@ > + classID: Components.ID("{181ebcf4-5164-4e28-99f2-877ec6fa83b9}"), > + contractID: "@mozilla.org/secureelement/SEChannel;1", > + QueryInterface: XPCOMUtils.generateQI([]), > + > + initialize: function initialize(win, result, data) { pass aid, sessionId directly. @@ +417,5 @@ > + this._channelType = result.isBasicChannel ? "basic" : "logical"; > + // Update the 'channel token' that identifies and represents this > + // instance of the object > + this._channelToken = result.channelToken; > + this.openResponse = Cu.cloneInto(new Uint8Array(result.openResponse), win); Why cloneInto? @@ +425,5 @@ > + > + transmit: function transmit(command) { > + this._checkClosed(); > + > + let dataLen = (!command.data) ? 0 : command.data.length; check if command is null/undefined first. and let dataLen = command.data ? command.data.length : 0; @@ +437,5 @@ > + cla: command.cla, > + ins: command.ins, > + p1: command.p1, > + p2: command.p2, > + data: (!command.data) ? null : command.data, data: command.data || null @@ +510,5 @@ > + if (this.isClosed) { > + throw new Error(SE.ERROR_BADSTATE +" Channel Already Closed!"); > + } > + } > +}; Where is session defined? @@ +520,5 @@ > +function SEResponse() { > + this.sw1 = 0x00; > + this.sw2 = 0x00; > + this.data = null; > + this.channel = null; move these to prototype. @@ +529,5 @@ > + contractID: "@mozilla.org/secureelement/SEResponse;1", > + QueryInterface: XPCOMUtils.generateQI([]), > + > + initialize: function initialize(result, data) { > + this.data = result.simResponse ? the response should be conforming to ISO 7816-4, so 'sim' prefix should be removed. @@ +551,5 @@ > + > + _window: null, > + > + classID: Components.ID("{4a8b6ec0-4674-11e4-916c-0800200c9a66}"), > + contractID: "@mozilla.org/navigatorSEManager;1", @mozilla.org/secureelement/SEManager;1 @@ +554,5 @@ > + classID: Components.ID("{4a8b6ec0-4674-11e4-916c-0800200c9a66}"), > + contractID: "@mozilla.org/navigatorSEManager;1", > + QueryInterface: XPCOMUtils.generateQI([Ci.nsIDOMGlobalPropertyInitializer, > + Ci.nsISupportsWeakReference, > + Ci.nsIObserver]), where did you implement nsIObserver? @@ +580,5 @@ > + > + this.initDOMRequestHelper(win, messages); > + }, > + > + uninit: function uninit() { who calls this? @@ +604,5 @@ > + }, > + > + receiveMessage: function(aMessage) { > + let result = aMessage.json.result; > + let data = aMessage.json.metadata; aMessage.data @@ +619,5 @@ > + } > + > + switch (aMessage.name) { > + case "SE:GetSEReadersResolved": > + let availableReaders = []; why not just call it 'readers'? @@ +621,5 @@ > + switch (aMessage.name) { > + case "SE:GetSEReadersResolved": > + let availableReaders = []; > + for (let i = 0; i < result.readers.length; i++) { > + chromeObj = new SEReader(result.readers[i]); What's this? you forgot .type ? It doesn't match line 205. @@ +680,5 @@ > + case "SE:CloseChannelRejected": > + case "SE:TransmitAPDURejected": > + case "SE:CloseAllByReaderRejected": > + case "SE:CloseAllBySessionRejected": > + let error = data.error ? data.error : SE.ERROR_GENERIC; data.error || SE.ERROR_GENERIC @@ +683,5 @@ > + case "SE:CloseAllBySessionRejected": > + let error = data.error ? data.error : SE.ERROR_GENERIC; > + resolver.reject(error); > + break; > + case "SE:NotifySEPresent": check permission.

Attachment #8539867 - Flags: review?(allstars.chh) → review-

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Comment 151

•

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Comment 157

•

10 years ago

Comment on attachment 8541241 [details] [diff] [review] Part 6: (v1.1) SEUtils.jsm, r=allstars.chh Review of attachment 8541241 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/secureelement/tests/unit/test_SEUtils.js @@ +8,5 @@ > + > +Components.utils.import("resource://gre/modules/SEUtils.jsm"); > + > +const VALID_HEX_STR = "0123456789ABCDEF"; > +const VALID_HEX_STR_LC = "0123456789abcdef"; VALID_HEX_STR.toLowerCase() is enough. @@ +18,5 @@ > +} > + > +add_test(function test_byteArrayToHexString() { > + let hexStr = SEUtils.byteArrayToHexString(VALID_BYTE_ARR); > + ok(hexStr === VALID_HEX_STR, trailing ws

Attachment #8541241 - Flags: review?(allstars.chh) → review+

Assignee

Comment 158

•

10 years ago

(In reply to Yoshi Huang[:allstars.chh] from comment #150) > Comment on attachment 8539867 [details] [diff] [review] > Part 2: (v2.2) Secure Element DOM Implementation > > Review of attachment 8539867 [details] [diff] [review]: > ----------------------------------------------------------------- > > ::: dom/secureelement/DOMSecureElement.js > @@ +41,5 @@ > > + > > + /* > > + // Structure of '_stateInfoMap'. > > + > > + // 'sessionIds' and 'channelTokens' are uuids generated in parent process. > > I think both are generated from UUID, right? > so either call them {sessionToken, channelToken} or {sessionId, channelId}. > make the naming consistent. > Ok. > @@ +72,5 @@ > > + */ > > + _stateInfoMap: {}, > > + > > + addReaderObjs(readerObjs) { > > + for (let index = 0; index < readerObjs.length; readerObjs++) { > > readerObjs++? > This was a mistake / typo. Fixed it in the latest patch > @@ +73,5 @@ > > + _stateInfoMap: {}, > > + > > + addReaderObjs(readerObjs) { > > + for (let index = 0; index < readerObjs.length; readerObjs++) { > > + let aReaderObj = readerObjs[index]; > > why prefix with a? > Ok. Removed prefix 'a' now. > @@ +83,5 @@ > > + } > > + }, > > + > > + getReaderObjByType(type) { > > + let map = this._stateInfoMap[type]; > > map ? you called it sessionObj in line 82. Yes, fixed this as well. > > @@ +90,5 @@ > > + > > + deleteReaderObjByType(type) { > > + let sessions = this._stateInfoMap[type].sessions; > > + Object.keys(sessions).forEach((sessionId) => { > > + if (sessions[sessionId]) { > > is this 'if' check neccesary? Not needed. Removed it. > > @@ +96,5 @@ > > + } > > + }); > > + }, > > + > > + addSessionObj(sessionObj, aSessionInfo) { > > either make it all prefix with a, or not at all. > Removed prefix a > @@ +97,5 @@ > > + }); > > + }, > > + > > + addSessionObj(sessionObj, aSessionInfo) { > > + this._stateInfoMap[aSessionInfo.type].sessions[aSessionInfo.sessionId] = { > > TODO > > @@ +106,5 @@ > > + > > + getSessionObjById(sessionId) { > > + let keys = Object.keys(this._stateInfoMap); > > + for (let i = 0; i < keys.length; i++) { > > + let aKey = keys[i]; > > let key = ... > ok > @@ +165,5 @@ > > + } > > +}; > > + > > +function PromiseHelpersSubclass(win) { > > + this._window = win; > > indent two spaces. > Ok > @@ +173,5 @@ > > + __proto__: DOMRequestIpcHelper.prototype, > > + > > + _window: null, > > + > > + _createSEPromise: function(aCallback) { > > Please use the same syntax for object method. > Also why prefix with _? > ok > This is called by other objects. > > @@ +183,5 @@ > > + aCallback(resolverId); > > + }); > > + }, > > + > > + > > extra line > ok > @@ +184,5 @@ > > + }); > > + }, > > + > > + > > + _rejectWithSEError: function(aReason) { > > ditto, remove _ > ok > @@ +212,5 @@ > > + classID: Components.ID("{1c7bdba3-cd35-4f8b-a546-55b3232457d5}"), > > + contractID: "@mozilla.org/secureelement/SEReader;1", > > + QueryInterface: XPCOMUtils.generateQI([]), > > + > > + initialize: function initialize(win) { > > now you add function name? > Use consistent style. > Ok. As I interpreted your prev comment, I thought you wanted me to add 'function name' for all <identifier>: <function keyword> <function name> (args..) {.... } Across the DOMSecureElement.js, I have made this consistent with the above syntax. > @@ +217,5 @@ > > + this._window = win; > > + this._isSEPresent = true; > > + }, > > + > > + openSession: function openSession() { > > Shouldn't this check this._isSEPresent first? > Agreed. Added this check now > @@ +218,5 @@ > > + this._isSEPresent = true; > > + }, > > + > > + openSession: function openSession() { > > + return PromiseHelpers._createSEPromise((aResolverId) => { > > I think you could just update your promiseHelper a bit, > you could take 'reader' object when you new your promise, when the promise > resolves you can get the 'reader' back. > So no need to StateHelper. > > Same idea for object below. > Seems like a good suggestion. However I am still trying to understand your thoughts completely. Are you suggesting to completely remove 'SEStatehelper' ? Or are you suggesting to merge this helper to PromisHelper ? Also if I have understood your comment properly, Say, if we pass the 'reader' obj at the time 'PromiseHelpers.createSEPromise' and 'PromiseHelpers' can save this value and upon resolving we can get the object back. This means that we are persisting 'readerObj' for Session usecase , And 'sessionObj' for 'channel' etc.. temporarily till the promise is resolved or rejected. However we may also have cases like 'NotifySEPresent' scenarios for which we will have to update respective 'reader obj' state at a later stage. Also similarly for 'closeAll' operations when we have to update 'isClosed' state for a session / channel appropriately. For example if there are multiple channels opened and one of the channels get closed, how would SEManager (in receiveMessage) be able to update that 'channel' state only ? I guess there are ways of achieving this but I am trying to understand your suggestion completely for all use-cases. > @@ +257,5 @@ > > + }, > > + > > + set isSEPresent(isSEPresent) { > > + this._isSEPresent = isSEPresent; > > + } > > Wouldn't it be easier if you just define isSEPresent? > Actually, we defined this 'isSEPresent' as 'readonly attribute' in webidl. I think this may prevent us from setting the value to this attribute unless we have setter. Also when I looked at other subs-system implementations of getters and setters on variable, they usually operate on a private member as it happens here. > @@ +258,5 @@ > > + > > + set isSEPresent(isSEPresent) { > > + this._isSEPresent = isSEPresent; > > + } > > +}; > > Where is 'type' attribute? > Since 'this.type' is set in SEReader's 'initialize function, (one time operation ) whenever Gaia apps say reader.type, apps see the value that was set during 'initialize' operation. > @@ +268,5 @@ > > + * hosted by the Secure Element. > > + */ > > +function SESession() { > > + this._sessionId = null; > > + this.reader = null; > > move this to prototype. > Ok > @@ +278,5 @@ > > + classID: Components.ID("{2b1809f8-17bd-4947-abd7-bdef1498561c}"), > > + contractID: "@mozilla.org/secureelement/SESession;1", > > + QueryInterface: XPCOMUtils.generateQI([]), > > + > > + initialize: function initialize(win, result, data) { > > pass sessionId and type directly. > ok > @@ +292,5 @@ > > + // According to SIMalliance_OpenMobileAPI v4 spec, > > + // in case of UICC it is recommended to reject the opening of the logical > > + // channel without a specific AID. > > + if (this.reader.type === SE.TYPE_UICC) { > > + if (!aid || aid.length === 0) { > > This check is totally not neccesary because you already check AID in line > 302. > I have slightly modified the condition. We need to support following cases openLogicalChannel(null) // For 'uicc' do not permit this op openLogicalChannel(null) // For 'eSE' may permit this op and default card applet is selected > @@ +300,5 @@ > > + } > > + > > + if (aid.length < SE.MIN_AID_LEN || aid.length > SE.MAX_AID_LEN) { > > + return PromiseHelpers._rejectWithSEError(SE.ERROR_GENERIC + > > + " Invalid AID length - " + aid.length); > > The error message doesn't fully match WebIDL. > By modifying webidl comments to explicitly state that passing 'null' aid is allowable only for 'eSE' and not for 'uicc' , Is it ok ? > @@ +304,5 @@ > > + " Invalid AID length - " + aid.length); > > + } > > + > > + // copy the aid > > + this._aid = aid.subarray(0); > > define this in prototype. > ok > @@ +356,5 @@ > > + if (this.isClosed) { > > + throw new Error(SE.ERROR_BADSTATE + " Session Already Closed!"); > > + } > > + } > > +}; > > remove atr/openBasicChannel from WebIDL. > Ok. I will upload this soon. > @@ +362,5 @@ > > +/** > > + * Instance of 'SECommand' dom object represent C-APDU to be sent to a > > + * secure element. > > + */ > > +function SECommand() { > > nit, move SECommand after SEChannel > Done > @@ +368,5 @@ > > + this.ins = 0x00; > > + this.p1 = 0xFF; > > + this.p2 = 0xFF; > > + this.data = null; > > + this.le = -1; > > move these to prototype. > Done > @@ +372,5 @@ > > + this.le = -1; > > +} > > + > > +SECommand.prototype = { > > + __init: function __init(cla, ins, p1, p2, data, le) { > > check format. > Are you suggesting to not add 'function name' for '__init' ? > @@ +394,5 @@ > > + */ > > +function SEChannel() { > > + this._aid = null; > > + this._channelToken = null; > > + this._sessionId = null; > > consistent naming for Token or id. > Addressed > @@ +395,5 @@ > > +function SEChannel() { > > + this._aid = null; > > + this._channelToken = null; > > + this._sessionId = null; > > + this._channelType = "logical"; > > Why logical is default? > Made 'basic' the default > @@ +397,5 @@ > > + this._channelToken = null; > > + this._sessionId = null; > > + this._channelType = "logical"; > > + this.session = null; > > + this.openResponse = null; > > move these to prototype. > Done > @@ +409,5 @@ > > + classID: Components.ID("{181ebcf4-5164-4e28-99f2-877ec6fa83b9}"), > > + contractID: "@mozilla.org/secureelement/SEChannel;1", > > + QueryInterface: XPCOMUtils.generateQI([]), > > + > > + initialize: function initialize(win, result, data) { > > pass aid, sessionId directly. > Done > @@ +417,5 @@ > > + this._channelType = result.isBasicChannel ? "basic" : "logical"; > > + // Update the 'channel token' that identifies and represents this > > + // instance of the object > > + this._channelToken = result.channelToken; > > + this.openResponse = Cu.cloneInto(new Uint8Array(result.openResponse), win); > > Why cloneInto? > I think 'cloneInto' gives a better option for object defined in a privileged scope ('result.openResponse' ) and make a reference to it in a less-privileged scope. My two cents! In a way , I guess it is better than __exposed_props. > @@ +425,5 @@ > > + > > + transmit: function transmit(command) { > > + this._checkClosed(); > > + > > + let dataLen = (!command.data) ? 0 : command.data.length; > > check if command is null/undefined first. > and let dataLen = command.data ? command.data.length : 0; > Ok changes the condition. > @@ +437,5 @@ > > + cla: command.cla, > > + ins: command.ins, > > + p1: command.p1, > > + p2: command.p2, > > + data: (!command.data) ? null : command.data, > > data: command.data || null > Ok. Nice > @@ +510,5 @@ > > + if (this.isClosed) { > > + throw new Error(SE.ERROR_BADSTATE +" Channel Already Closed!"); > > + } > > + } > > +}; > > Where is session defined? > Not sure if I have understood this comment. > @@ +520,5 @@ > > +function SEResponse() { > > + this.sw1 = 0x00; > > + this.sw2 = 0x00; > > + this.data = null; > > + this.channel = null; > > move these to prototype. > ok > @@ +529,5 @@ > > + contractID: "@mozilla.org/secureelement/SEResponse;1", > > + QueryInterface: XPCOMUtils.generateQI([]), > > + > > + initialize: function initialize(result, data) { > > + this.data = result.simResponse ? > > the response should be conforming to ISO 7816-4, so 'sim' prefix should be > removed. > Removed! > @@ +551,5 @@ > > + > > + _window: null, > > + > > + classID: Components.ID("{4a8b6ec0-4674-11e4-916c-0800200c9a66}"), > > + contractID: "@mozilla.org/navigatorSEManager;1", > > @mozilla.org/secureelement/SEManager;1 > Ok. Will modify webidl suitably soon. > @@ +554,5 @@ > > + classID: Components.ID("{4a8b6ec0-4674-11e4-916c-0800200c9a66}"), > > + contractID: "@mozilla.org/navigatorSEManager;1", > > + QueryInterface: XPCOMUtils.generateQI([Ci.nsIDOMGlobalPropertyInitializer, > > + Ci.nsISupportsWeakReference, > > + Ci.nsIObserver]), > > where did you implement nsIObserver? > I think we need to implement 'nsIObserver' otherwise it will fail-safe. This is needed if we inherit from 'DOMRequestIPCHelper'. Other-wise if not inherited, I think it is better to handle 'inner-window-destroyed' topic etc.. but since DOMRequestIPCHelper takes care of these scenarios, and simply calls 'uninit()' it gives a way to gracefully clean-up things in DOM > @@ +580,5 @@ > > + > > + this.initDOMRequestHelper(win, messages); > > + }, > > + > > + uninit: function uninit() { > > who calls this? This function will be called from DOMRequestIPCHelper. > > @@ +604,5 @@ > > + }, > > + > > + receiveMessage: function(aMessage) { > > + let result = aMessage.json.result; > > + let data = aMessage.json.metadata; > > aMessage.data > ok > @@ +619,5 @@ > > + } > > + > > + switch (aMessage.name) { > > + case "SE:GetSEReadersResolved": > > + let availableReaders = []; > > why not just call it 'readers'? > Done > @@ +621,5 @@ > > + switch (aMessage.name) { > > + case "SE:GetSEReadersResolved": > > + let availableReaders = []; > > + for (let i = 0; i < result.readers.length; i++) { > > + chromeObj = new SEReader(result.readers[i]); > > What's this? you forgot .type ? > It doesn't match line 205. > Changed the naming convention > @@ +680,5 @@ > > + case "SE:CloseChannelRejected": > > + case "SE:TransmitAPDURejected": > > + case "SE:CloseAllByReaderRejected": > > + case "SE:CloseAllBySessionRejected": > > + let error = data.error ? data.error : SE.ERROR_GENERIC; > > data.error || SE.ERROR_GENERIC > Ok. > @@ +683,5 @@ > > + case "SE:CloseAllBySessionRejected": > > + let error = data.error ? data.error : SE.ERROR_GENERIC; > > + resolver.reject(error); > > + break; > > + case "SE:NotifySEPresent": > > check permission. Sorry, not sure if I have understood this comment. What permission should be enforced here?

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Assignee

Comment 159

•

10 years ago

Attached patch Part 2: (v2.2a) Secure Element DOM Implementation (obsolete) — Details — Splinter Review

Uploading DOM changes with comments addressed thus far. Parent process side changes will follow soon. Thanks

Attachment #8539867 - Attachment is obsolete: true

Attachment #8541403 - Flags: feedback?(allstars.chh)

Comment 160

•

10 years ago

(In reply to Siddartha P from comment #158) > > @@ +212,5 @@ > > > + classID: Components.ID("{1c7bdba3-cd35-4f8b-a546-55b3232457d5}"), > > > + contractID: "@mozilla.org/secureelement/SEReader;1", > > > + QueryInterface: XPCOMUtils.generateQI([]), > > > + > > > + initialize: function initialize(win) { > > > > now you add function name? > > Use consistent style. > > > Ok. As I interpreted your prev comment, I thought you wanted me to add > 'function name' for all > <identifier>: <function keyword> <function name> (args..) {.... } > Across the DOMSecureElement.js, I have made this consistent with the above > syntax. > I mean use whatever style you like, just use it consistenly. And in your latest patch you still use different style, please fix this. > > @@ +683,5 @@ > > > + case "SE:CloseAllBySessionRejected": > > > + let error = data.error ? data.error : SE.ERROR_GENERIC; > > > + resolver.reject(error); > > > + break; > > > + case "SE:NotifySEPresent": > > > > check permission. > Sorry, not sure if I have understood this comment. What permission should be > enforced here? I thought there are some onsepresent/onseremoved callbacks but it turns out it does not. So please removed this for this bug and file a seperate bug for this.

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Comment 161

•

10 years ago

Comment on attachment 8541403 [details] [diff] [review] Part 2: (v2.2a) Secure Element DOM Implementation Review of attachment 8541403 [details] [diff] [review]: ----------------------------------------------------------------- I'll review when you upload Parent process part and WebIDL part. I need to cross reference them. ::: dom/secureelement/DOMSecureElement.js @@ +596,5 @@ > + "SE:CloseChannelRejected", > + "SE:TransmitAPDURejected", > + "SE:CloseAllByReaderRejected", > + "SE:CloseAllBySessionRejected", > + "SE:NotifySEPresent"]; I think for the "SE:CloseXXX" messages, most of them could be removed. As SEReader, SESession are just objects on the DOM part, on the parent process it should just have information about reader type and channel ID. After all what the reader.close does is to close the sessions that reader opened, not actually *close* the reader. (And there's no reader.open() either) So SEReader should keep a list of sessions it opened, and in turn SESession should keep a list of channels opened. This should be done together with modifying your PromiseHelper as I said before. And when a reader.close() is called, the DOM side could just SEReader_Close() { for (let session of this.sessions) { session.close(); } } SESession_Close() { for (let channel of this.channels) { channel.close() } } SEChannel_Close() { SendAsyncMesage("SE:CloseChannel", { channelId: .... }); } And you could just maintain a list of open channels in DOM, instead of maintaining a table of reader, sessions, channels,... etc.

Attachment #8541403 - Flags: feedback?(allstars.chh)

Vincent Chang[:vchang][changyihsin]

Comment 162

•

10 years ago

Attached patch Part 6: (v1.2) SEUtils.jsm + nits, r=allstars.chh (obsolete) — Details — Splinter Review

Nits fixed. Setting to r+, since it was positively reviewed by Yoshi in comment 157.

Attachment #8541241 - Attachment is obsolete: true

Attachment #8542142 - Flags: review+

Kai-Chih Hu [:khu]

Comment 163

•

10 years ago

Can we update the target milestone and ETA? Thanks!

Flags: needinfo?(whuang)

Comment 164

•

10 years ago

Due to hardware limitation, we don't support embedded security element until we have a new reference device.

No longer depends on: 1030615

Assignee

Comment 165

•

10 years ago

Attached patch Part 1 : (v1.10a) Secure Element APIs - Inital Draft (obsolete) — Details — Splinter Review

Hi Ehsan, If I may request you to review the changes, one more time pls. - Removed the interface 'openBasicChannel' and 'atr' attribute as it is not supported by SE stack. We should hold discussions with vendor in order to support these. - Added explicit comments on 'aid' length + nits

Attachment #8533051 - Attachment is obsolete: true

Attachment #8544357 - Flags: review?(ehsan)

Assignee

Comment 166

•

10 years ago

(In reply to Siddartha P from comment #165) > Created attachment 8544357 [details] [diff] [review] > Patch 1 : (v1.10a) Secure Element APIs - Inital Draft > > Hi Ehsan, If I may request you to review the changes, one more time pls. > - Removed the interface 'openBasicChannel' and 'atr' attribute as it is not > supported by SE stack. We should hold discussions with vendor in order to > support these. > - Added explicit comments on 'aid' length + nits Here is the diff between this version and previous ver https://bugzilla.mozilla.org/attachment.cgi?oldid=8533051&action=interdiff&newid=8544357&headers=1

•

10 years ago

Attached patch Part 2: (v2.3) Secure Element DOM Implementation (obsolete) — Details — Splinter Review

I think I addressed almost all your comments. The main difference being, - Now CreateSEPromise() can hold the context and therefore there is no need of SEStateHelper at all. - Also updated 'close' behavior across instances. If the parent is closed, it notifies its children to update its 'state' as well. - Added 'isSEPresent' IPC (sendSyncMessage) to parent process. Since we may have to evaluate additions of a new idl 'onseremoved' 'onseadded', I hope this change is ok for now.

Attachment #8541403 - Attachment is obsolete: true

Attachment #8544366 - Flags: review?(allstars.chh)

Assignee

Comment 170

•

10 years ago

Attached patch Part 3: (v3.4) Secure Element Parent process Implementation. r=yoshi (obsolete) — Details — Splinter Review

Main differences between this version w.r.t previous one are:- - Added the new idl nsISecureElementConnector.idl that could be used by ACE module (or any other parent process module). - UiccConnector is 'clientId' aware - Modified isValidSession() and 'getChannel()' and removed isValidAID and added instead 'isValidChannelToken()' - All the UiccConnector public methods namely doOpenChannel() , doCloseChannel() and doTransmit() are consistent in their responses (through 'nsISEChannelCallback' ) to both external modules ('SecureElementConnector' that implements 'nsISecureElementConnector' ) AND internal module 'SecureElementManager' (Note that 'SecureElementManager' functions 'openChannel' , ' transmit' and 'closeChannel' call into UiccConnectors doOpenChannel() , doTransmit(), doCloseChannel() respectively.

Attachment #8539927 - Attachment is obsolete: true

Attachment #8544369 - Flags: review?(allstars.chh)

Assignee

Comment 171

•

10 years ago

•

10 years ago

Attached patch Part 6: (v1.3) SEUtils.jsm + nits, r=allstars.chh (obsolete) — Details — Splinter Review

Here is the rebased version of part 6. r+ was granted in comment 157 by Yoshi.

Flags: needinfo?(psiddh)

Attachment #8544705 - Flags: review+

Updated

•

10 years ago

Attachment #8542142 - Attachment is obsolete: true

Comment 176

•

10 years ago

Comment on attachment 8544358 [details] [diff] [review] Part 1.a: (v1) Add new permission to table - 'secureelement-manage' Review of attachment 8544358 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/apps/PermissionsTable.jsm @@ +423,5 @@ > additional: ["settings-api"] > + }, > + "secureelement-manage": { > + app: DENY_ACTION, > + privileged: ALLOW_ACTION, You also need a trusted entry which you probably want to set to deny. Looking at the context for the diff, it seems like you are on a very old tree, please rebase on top of a recent tree in order to avoid excessive issues and changes as you get closer to landing.

Attachment #8544358 - Flags: review?(ehsan) → review-

•

10 years ago

(In reply to Yoshi Huang[:allstars.chh] from comment #173) > Comment on attachment 8544366 [details] [diff] [review] > Part 2: (v2.3) Secure Element DOM Implementation > Acknowledging all the comments made so far , answering only some of them in-line while others will be fixed in the next patch. > Review of attachment 8544366 [details] [diff] [review]: > ----------------------------------------------------------------- > > ::: dom/secureelement/DOMSecureElement.js > @@ +80,5 @@ > > + > > + rejectWithSEError: function rejectWithSEError(aReason) { > > + return this.createSEPromise((aResolverId) => { > > + debug("SEError: " + aReason); > > + this.takePromiseResolver(aResolverId).reject(aReason); > > Should reject Error, not String. > See > https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/ > Global_Objects/Promise/reject > Ok . I do this now : reject (new error(aReason)). That said, I think it is syntactically ok to reject with simply a string, I guess. (Per Promise.webidl, the attribute is 'any'). Anyways I have now made the change as you suggested. > @@ +101,5 @@ > > + _window: null, > > + > > + _sessions: [], > > + > > + type: SE.TYPE_UICC, > > should be null. > Ok > @@ +104,5 @@ > > + > > + type: SE.TYPE_UICC, > > + > > + classID: Components.ID("{1c7bdba3-cd35-4f8b-a546-55b3232457d5}"), > > + contractID: "@mozilla.org/secureelement/SEReader;1", > > For contractID the style is all lower-case. > > @mozilla.org/secureelement/reader, > same for other objects. > Ok > @@ +127,5 @@ > > + * resolverId : ID that identifies this IPC request. > > + * type : Type identifying the session instance ('uicc' / 'eSE') > > + * appId : Current appId obtained from 'Principal' obj > > + */ > > + cpmm.sendAsyncMessage("SE:OpenSession", { > > Open Session shouldn't invoke IPC. > I think I mentioned this before. > I hope comment#180 , 1.b) clarifies your question. If we don't do a openSession, with parent process, the it may be difficult to manage channels that get opened in a session and book-keep in parent process. I am not sure if I am missing anything here. Please do correct. > @@ +144,5 @@ > > + * resolverId : ID that identifies this IPC request. > > + * type : Type identifying the session instance ('uicc' / 'eSE') > > + * appId : Current appId obtained from 'Principal' obj > > + */ > > + cpmm.sendAsyncMessage("SE:CloseAllByReader", { > > ditto, I think I mentioned this before. I hope comment#180 , 1.b) clarifies this as well. I understand your point here very well. But lets say we don't do IPC and on closeAll() op in SEReader, we iterate through all its children (SESession) and do session.close() and which in turn tries to close all its children (SEChannel) channel.close(). In all this flow, say if there are two channels to be closed by the reader, say if one is closed properly while other is not (for some reason), wouldn't it be more complicated to track from channel instance to reject closeAll() operation in SEReader(). By existing IPC mechanisms, closeAllByReader (or) closeAllBySession() will perform close on all the channels associated with reader (or) session and notifies DOM appropriately. Upon receiving say xxxResolved() event, these instances merely update the state of their children (Ex: this._channel.isClosed = true) > > @@ +156,5 @@ > > + get isSEPresent() { > > + return cpmm.sendSyncMessage("SE:IsSEPresent", { > > + type: this.type, > > + appId: this._window.document.nodePrincipal.appId > > + }); > > This shouldn't trigger IPC. > > For the simplest way, this value can be set in getSEReaders(); > and you can update that attribute in follow-up bug. > Ok. > @@ +159,5 @@ > > + appId: this._window.document.nodePrincipal.appId > > + }); > > + }, > > + > > + receiveMessage: function receiveMessage(aMessage) { > > message. > or make all arguments in this file prefix with 'a'. > Ok > This function shouldn't be named 'receiveMessage', as this object doesn't > process IPC at all, > it could be named like 'processMessage' to prevent confusion with > nsIMessageManager. > Ok > @@ +199,5 @@ > > + > > + reader: null, > > + > > + classID: Components.ID("{2b1809f8-17bd-4947-abd7-bdef1498561c}"), > > + contractID: "@mozilla.org/secureelement/SESession;1", > > ditto, lower-case. > Ok > @@ +227,5 @@ > > + if (this.reader.type === SE.TYPE_UICC) { > > + return PromiseHelpers.rejectWithSEError(SE.ERROR_GENERIC + > > + " AID is not specified!"); > > + } > > + } else if (aid.length < SE.MIN_AID_LEN || aid.length > SE.MAX_AID_LEN) { > > I think I mentioned this before. > The first 'if' seems not neccesary. Are you referring to 'if(!aid)' check. If so the 'aid' can be null. If aid is null, in cases of 'uicc' the request is rejected while for 'eSE' it a perfectly valid usecase. Therefore the checks > > @@ +229,5 @@ > > + " AID is not specified!"); > > + } > > + } else if (aid.length < SE.MIN_AID_LEN || aid.length > SE.MAX_AID_LEN) { > > + return PromiseHelpers.rejectWithSEError(SE.ERROR_GENERIC + > > + " Invalid AID length - " + aid.length); > > align " with P > Ok > @@ +232,5 @@ > > + return PromiseHelpers.rejectWithSEError(SE.ERROR_GENERIC + > > + " Invalid AID length - " + aid.length); > > + } else { > > + // copy the aid > > + this._aid = aid.subarray(0); > > Where is this._aid being used? > Actually we can remove it. > @@ +248,5 @@ > > + * appId : Current appId obtained from 'Principal' obj > > + */ > > + cpmm.sendAsyncMessage("SE:OpenChannel", { > > + resolverId: aResolverId, > > + aid: this._aid, > > if this._aid is not used, we could simply supply aid here. > Ok > @@ +293,5 @@ > > + channel.isClosed = true; > > + } > > + this._isClosed = isClosed; > > + // Reset the sessionToken > > + this._sessionToken = null; > > These attributes (_channels_, _sessionToken) shouldn't be done in setter. > Agreed > @@ +296,5 @@ > > + // Reset the sessionToken > > + this._sessionToken = null; > > + }, > > + > > + receiveMessage: function receiveMessage(aMessage) { > > ditto. rename function name and aMessage. > Ok > @@ +302,5 @@ > > + case "SE:OpenChannelResolved": > > + this._channels.push(aMessage.childContext); > > + break; > > + case "SE:CloseAllBySessionResolved": > > + this.isClosed = true; > > attributes should be set here. > Agreed > @@ +355,5 @@ > > + this._sessionToken = sessionToken; > > + this._aid = aid; > > + // Update 'session' obj > > + this.session = sessionCtx; > > + this.openResponse = Cu.cloneInto(new Uint8Array(openResponse), win); > > Is 'new Uint8Array' neccesary? > Yes as 'openResponse' is an octet array while 'cloneInto' takes typed array 'Uint8Array' type. > @@ +375,5 @@ > > + cla: command.cla, > > + ins: command.ins, > > + p1: command.p1, > > + p2: command.p2, > > + data: command.data || null, > > is || null neccesary? > Removed > @@ +439,5 @@ > > + > > + set isClosed(isClosed) { > > + this._isClosed = isClosed; > > + // Reset the channelToken > > + this._channelToken = null; > > ditto > Agreed > @@ +444,5 @@ > > + }, > > + > > + receiveMessage: function receiveMessage(aMessage) { > > + switch (aMessage.name) { > > + case "SE:TransmitAPDUResolved": // Do nothing > > nothing? > Removed this statement now. > From WebIDL it says Promise<SEResponse> > Where is the response ? > > Oh I found it in line 643. > So this is totally strange as it seems you process those messages twice. > > The messages should be processed once, and if it has some extra data needs > to be processed, you should add a method for that. Ok I will work on this to add a new dedicated method(s). In that case we may not need 'processMessage(...)'

Vincent Chang[:vchang][changyihsin]

Comment 182

•

10 years ago

As the patch is being reviewed actively, let's update the target milestone to Jan23.

Flags: needinfo?(whuang)

Whiteboard: [ETA: 12/15]

Target Milestone: 2.2 S2 (19dec) → 2.2 S4 (23jan)

Comment 183

•

10 years ago

> > > Ok. I will try to add more comments and try to explain things clearly. I > will also try to make it more simple as you said. Do you think some kind of > face-to-face video call or even an IRC chat session is a good idea ? > Because a lot of this is simply lost in translation or typing long > responses. Or do you think some kind of design doc is useful, I am not sure. > Please suggest. Hi Sid, thanks for your hard work. I have verified your patch together with test app, and it looks good. I can't wait to see the patches being landed. :-) Regarding to the review process, sometime it's really hard for the patches to get r+ if the reviewer can't fully understand your patches. That's why it's always good to break down the problem and separate the patches into smaller parts. Added the comments in the code is always important to get reviewer's better understanding and make review easier. I think it's mandatory to address 100% of reviewer's comment before submitting the new patch. If you think it's difficult to fix some issues at the moment, maybe we can add the TODO comments in the patch and open the follow-up bugs for that(with reviewer's agreement of course). If you find some review comments are unclear, it's always welcome to discuss with reviewer directly. I think IRC is really good place and tool for discussing these stuff. [1] https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Coding_Style [2] https://developer.mozilla.org/en-US/docs/Code_Review_FAQ

Vincent Chang[:vchang][changyihsin]

Comment 184

•

10 years ago

(In reply to :Ehsan Akhgari (not reading bugmail, needinfo? me!) from comment #176) > Comment on attachment 8544358 [details] [diff] [review] > Part 1.a: (v1) Add new permission to table - 'secureelement-manage' > > Review of attachment 8544358 [details] [diff] [review]: > ----------------------------------------------------------------- > > ::: dom/apps/PermissionsTable.jsm > @@ +423,5 @@ > > additional: ["settings-api"] > > + }, > > + "secureelement-manage": { > > + app: DENY_ACTION, > > + privileged: ALLOW_ACTION, > > You also need a trusted entry which you probably want to set to deny. > Looking at the context for the diff, it seems like you are on a very old > tree, please rebase on top of a recent tree in order to avoid excessive > issues and changes as you get closer to landing. Due to modem image and QC/Moz Ril limitation, the development process for security element is based on 2.1 branch. I am trying to figure out if we can develop security element based on m-c once bug 1091307 is fixed.

Ming Yin

Comment 185

•

10 years ago

(In reply to Vincent Chang[:vchang] from comment #184) > (In reply to :Ehsan Akhgari (not reading bugmail, needinfo? me!) from > comment #176) > > Comment on attachment 8544358 [details] [diff] [review] > > Part 1.a: (v1) Add new permission to table - 'secureelement-manage' > > > > Review of attachment 8544358 [details] [diff] [review]: > > ----------------------------------------------------------------- > > > > ::: dom/apps/PermissionsTable.jsm > > @@ +423,5 @@ > > > additional: ["settings-api"] > > > + }, > > > + "secureelement-manage": { > > > + app: DENY_ACTION, > > > + privileged: ALLOW_ACTION, > > > > You also need a trusted entry which you probably want to set to deny. > > Looking at the context for the diff, it seems like you are on a very old > > tree, please rebase on top of a recent tree in order to avoid excessive > > issues and changes as you get closer to landing. > > Due to modem image and QC/Moz Ril limitation, the development process for > security element is based on 2.1 branch. I am trying to figure out if we can > develop security element based on m-c once bug 1091307 is fixed. Good point! Question: Is it a precondition for landing the SE code into 2.2?

Assignee

Updated

•

10 years ago

Blocks: 1119152

•

10 years ago

(In reply to psiddh: On Leave Jan 14 _ Feb 13 from comment #188) > Created attachment 8548572 [details] [diff] [review] > Part 1 : (v1.10b) Secure Element APIs - Initial Draft Here is the diff : (Change: All the contract ids and lower cased) https://bugzilla.mozilla.org/attachment.cgi?oldid=8544357&action=interdiff&newid=8548572&headers=1

Assignee

Comment 190

•

10 years ago

Attached patch Part 2: (v2.4) Secure Element DOM Implementation (obsolete) — Details — Splinter Review

Attachment #8544366 - Attachment is obsolete: true

Attachment #8548576 - Flags: review?(allstars.chh)

Assignee

Comment 191

•

10 years ago

Attached patch Part 3: (v3.5) Secure Element Parent process Implementation. r=yoshi (obsolete) — Details — Splinter Review

Attachment #8544369 - Attachment is obsolete: true

Attachment #8548578 - Flags: review?(allstars.chh)

•

10 years ago

Attached patch Part 5: (v5.2) Add build support for SE feature (obsolete) — Details — Splinter Review

Attachment #8544370 - Attachment is obsolete: true

Attachment #8548586 - Flags: review?(allstars.chh)

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Assignee

•

10 years ago

Comment on attachment 8548579 [details] [diff] [review] Part 3a: (v1) Secure Element UiccConnector Implementation. r=yoshi Review of attachment 8548579 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/secureelement/gonk/UiccConnector.js @@ +42,5 @@ > + > +XPCOMUtils.defineLazyModuleGetter(this, "SEUtils", > + "resource://gre/modules/SEUtils.jsm"); > + > +XPCOMUtils.defineLazyServiceGetter(this, "iccProvider", Also there should be some check since IccProvider is only available when MOZ_B2G_RIL is enabled. Please define the behavior when MOZ_B2G_RIL is disable. For example, should UiccConnector.js be included in moz.build? or you should return error to SecureManager.js somewhere.

Comment 202

•

10 years ago

Comment on attachment 8548576 [details] [diff] [review] Part 2: (v2.4) Secure Element DOM Implementation Review of attachment 8548576 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/secureelement/DOMSecureElement.js @@ +61,5 @@ > + }); > + // Before calling the callback, save the context > + this._context[resolverId] = ctx; > + aCallback(resolverId); > + }); Oh these createSEPromise and createSEPromiseWithCtx could be merged into one createSEPromise: function(aCallback, /* optional */aCtxt) { function callback(resolverId) { if (aCtxt) { this._context[resolveId] = aCxt; } aCallback(resolverId); } return this.createPromise(...) => { ... callback(resolverId).bind(this); } }

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Comment 203

•

10 years ago

Comment on attachment 8548584 [details] [diff] [review] Part 3: (v3.5) Secure Element Parent process Implementation. r=yoshi Review of attachment 8548584 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/secureelement/gonk/SecureElement.js @@ +203,5 @@ > + // for the given (appId, channelToken) > + isValidChannelToken: function(data) { > + let { appId: appId, channelToken: chToken } = data; > + > + // appId needs to be present When will appId not be present?

•

10 years ago

Comment on attachment 8552539 [details] [diff] [review] Part 3: (v3.6) Secure Element Parent process Implementation. r=yoshi Review of attachment 8552539 [details] [diff] [review]: ----------------------------------------------------------------- mostly better, but there are still some minor questions. ::: dom/secureelement/gonk/SecureElement.js @@ +91,5 @@ > + // "appId1": { > + // target: target1, > + // readerType: ["uicc", "eSE"], > + // channels: { > + // "channelToken1": { See the comments below I am not sure channelToken is actually needed, it looks you just need readerType and channelNumer to identify a 'Channel' instance. @@ +104,5 @@ > + // } > + appInfoMap: {}, > + > + registerSecureElementTarget: function(appId, readers, target) { > + if (appId in this.appInfoMap) { if (this.appInfoMap[appId]) { ... } in is slow http://jsperf.com/in-vs-not-undefined @@ +119,5 @@ > + debug("Registered a new SE target " + appId); > + }, > + > + unregisterSecureElementTarget: function(appId) { > + if (appId in this.appInfoMap) { ditto @@ +147,5 @@ > + // this function will return the 'token' > + addChannel: function(appId, type, aid, channelNumber) { > + if (!(appId in this.appInfoMap)) { > + debug("Unable to add channel, no such appId: " + appId); > + return null; Here it returns null, and caller returns a 'null' token to child process, with ERROR_NONE, which is weird. @@ +165,5 @@ > + removeChannel: function(appId, channelNumber, type) { > + let channels = this.appInfoMap[appId].channels; > + let token = Object.keys(channels).find((ch) => { > + return channels[ch].channelNumber === channelNumber && > + channels[ch].seType === type; See the comments from caller below. It looks like you don't need sessionToken at all? @@ +175,5 @@ > + delete channels[token]; > + } > + }, > + > + // Get the 'channel' associated with (appId, channelToken) Get the channel or channel number? @@ +338,5 @@ > + return; > + } > + > + let connector = getConnector(msg.type); > + connector.closeChannel(channelNumber, { I am not quite sure what are channelToken for? It seems that you just need seType and channelNumber to indentify a 'Channel' instance on parent side. Or if you do need token, you already have it. So you call simply do gMap.removeChannel(msg.appId, channelToken); @@ +372,5 @@ > + if (!appId) { > + return; > + } > + > + let channelNumbers = gMap.getChannelNumbersByAppIdType(appId, SE.TYPE_UICC); This doesn't quite make sense. You should close all channels/readers owned by the app, right? Why should you care if it's UICC or not? @@ +375,5 @@ > + > + let channelNumbers = gMap.getChannelNumbersByAppIdType(appId, SE.TYPE_UICC); > + if (channelNumbers.length === 0) { > + debug("No channels to close."); > + return; you don't have to call gMap.unregisterSecureElementTarget(appId);? @@ +421,5 @@ > + debug("Ignoring unknown message type: " + msg.name); > + return null; > + } > + > + let callback = (result) => this.sendSEResponse(msg, result); you have provide callback here, so most of code above could remove 'if (callback)' check. @@ +441,5 @@ > + }, > + > + sendSEResponse: function(msg, result) { > + let promiseStatus = (result.error === SE.ERROR_NONE) ? "Resolved" : "Rejected"; > + let options = { result: result, metadata: msg.data }; If I understand this correctly, it looks you only use 'resovleId' and 'error' property in the metadata These two properties should be moved to the 'result', else it will be hard to find the result you want is stored in which property, result or metadata.

Attachment #8552539 - Flags: review?(allstars.chh) → feedback+

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Comment 210

•

10 years ago

Comment on attachment 8552536 [details] [diff] [review] Part 2: (v2.5) Secure Element DOM Implementation Review of attachment 8552536 [details] [diff] [review]: ----------------------------------------------------------------- Mostly ok, but I think there would be some consistent change with parent process patch(Part 3). For example, use of channelToken and the msg.metadata in IPC code.

Attachment #8552536 - Flags: review?(allstars.chh) → feedback+

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

•

10 years ago

Attached patch Part 2: (v2.6) Secure Element DOM Implementation (obsolete) — Details — Splinter Review

This patch addresses issues related to SE parent changes requested in comment 209.

Attachment #8552536 - Attachment is obsolete: true

Attachment #8555040 - Flags: review?(allstars.chh)

Comment 215

•

10 years ago

Attached patch Part 3: (v3.7) Secure Element Parent process Implementation. r=yoshi (obsolete) — Details — Splinter Review

This patch addresses issues raised in comment 209 and comment 211. With the exception of channelToken removal.

Attachment #8552539 - Attachment is obsolete: true

Attachment #8555042 - Flags: review?(allstars.chh)

Comment 216

•

10 years ago

Attached patch Part 3a: (v1.2) Secure Element UiccConnector Implementation. r=yoshi (obsolete) — Details — Splinter Review

Addressed issues raised in comment 213 as suggested in comment 211.

Attachment #8552543 - Attachment is obsolete: true

Attachment #8555043 - Flags: review?(allstars.chh)

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Comment 217

•

•

10 years ago

(In reply to Krzysztof Mioduszewski[:kmioduszewski][:tauzen] from comment #218) ok

Flags: needinfo?(allstars.chh)

Comment 224

•

10 years ago

please move all moz.build patch into one patch. I don't know why you split that.

Comment 225

•

10 years ago

Comment on attachment 8555040 [details] [diff] [review] Part 2: (v2.6) Secure Element DOM Implementation Hello Ehsan, Yoshi requested in comment 221 to get a DOM peer review. Could you review this patch?

Attachment #8555040 - Flags: review?(ehsan)

Comment 226

•

10 years ago

Attached patch Part 1.a: (v1.1) Add new permission to table - 'secureelement-manage' (obsolete) — Details — Splinter Review

Making SE API certified until we land ACE, as requested by Yoshi in comment 219. I've added the 'trusted' property also, as requested in comment 176. Still this is not rebased, since we're waiting for bug 1091307 to be fixed.

Attachment #8544358 - Attachment is obsolete: true

Attachment #8555170 - Flags: review?(ehsan)

Updated

•

10 years ago

Depends on: 1091307

Comment 227

•

10 years ago

Comment on attachment 8548572 [details] [diff] [review] Part 1 : (v1.10b) Secure Element APIs - Initial Draft Setting to r+, since the previous version was approved by Ehsan in review (just after comment 176). The only changes in here are string changes: https://bugzilla.mozilla.org/attachment.cgi?oldid=8544357&action=interdiff&newid=8548572&headers=1

Attachment #8548572 - Flags: review+

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

•

10 years ago

Attached patch Part 5 (v1): Build support for SecureElement (merged) (obsolete) — Details — Splinter Review

Merging all the build patches into one (previous part 4 and 5), as requested in comment 224. Once everything will be reviewed and rebased I'll fix naming and and ordering of all patches (SEUtils will be part 4.)

Attachment #8548586 - Attachment is obsolete: true

Attachment #8555044 - Attachment is obsolete: true

Attachment #8548586 - Flags: review?(allstars.chh)

Attachment #8555044 - Flags: review?(allstars.chh)

Attachment #8555327 - Flags: review?(allstars.chh)

Comment 231

•

10 years ago

Comment on attachment 8555327 [details] [diff] [review] Part 5 (v1): Build support for SecureElement (merged) Review of attachment 8555327 [details] [diff] [review]: ----------------------------------------------------------------- LGTM, however these need a build peer to review. Please ask a build peer to review this. ::: dom/secureelement/moz.build @@ +28,5 @@ > + XPCSHELL_TESTS_MANIFESTS += [ > + 'tests/unit/xpcshell.ini' > + ] > + > +if CONFIG['MOZ_WIDGET_TOOLKIT'] == 'gonk' and CONFIG['MOZ_SECUREELEMENT'] and CONFIG['MOZ_B2G_RIL']: Can't we move CONFIG['MOZ_B2G_RIL'] inside last if ?

Attachment #8555327 - Flags: review?(allstars.chh) → feedback+

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Comment 232

•

10 years ago

Attached patch Part 5 (v1.1): Build support for SecureElement (obsolete) — Details — Splinter Review

CONFIG['MOZ_B2G_RIL'] moved into the last 'if', as suggested in comment 231. Hello Gregory, could you review this patch?

Attachment #8555327 - Attachment is obsolete: true

Attachment #8555790 - Flags: review?(gps)

Gregory Szorc [:gps]

Comment 233

•

10 years ago

Comment on attachment 8555790 [details] [diff] [review] Part 5 (v1.1): Build support for SecureElement Review of attachment 8555790 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/secureelement/moz.build @@ +2,5 @@ > +# This Source Code Form is subject to the terms of the Mozilla Public > +# License, v. 2.0. If a copy of the MPL was not distributed with this > +# file, You can obtain one at http://mozilla.org/MPL/2.0/. > +# > +# Copyright © 2014 Deutsche Telekom, Inc. I thought this copyright statement in MPL files was bogus. Is this a cargo cult or is it needed?

Attachment #8555790 - Flags: review?(gps) → review+

•

10 years ago

Comment on attachment 8548572 [details] [diff] [review] Part 1 : (v1.10b) Secure Element APIs - Initial Draft >+interface SECommand { >+ >+ attribute octet cla; // 1 Byte : Class Byte >+ attribute octet ins; // 1 Byte : Instruction Byte >+ attribute octet p1; // 1 Byte : First Octet of Parameters Byte >+ attribute octet p2; // 1 Byte : Second Octet of Parameters Byte >+ [Cached, Pure] attribute sequence<octet>? data; // Sequence of octets >+ attribute short le; // The length of the expected >+ // response data or -1 if none is expected >+}; Do we really want this interface. Looks like SECommand is used only to pass data to a method, and in that case a dictionary would be better. >+ >+[CheckPermissions="secureelement-manage", >+ AvailableIn="PrivilegedApps", >+ JSImplementation="@mozilla.org/secureelement/response;1"] >+interface SEResponse { >+ // Response received on this 'channel' object. >+ readonly attribute SEChannel channel; >+ >+ // First octet of response's status word >+ readonly attribute octet sw1; >+ >+ // Second octet of response's status word >+ readonly attribute octet sw2; >+ Curious, why channel, sw1 and sw1 aren't constants? >+[CheckPermissions="secureelement-manage", >+ AvailableIn="PrivilegedApps", >+ JSImplementation="@mozilla.org/secureelement/manager;1", >+ NavigatorProperty="seManager"] >+interface SEManager { Missing NoInterfaceObject?

•

10 years ago

Comment on attachment 8557023 [details] [diff] [review] Part 3a: (v1.3) Secure Element UiccConnector Implementation. r=yoshi Review of attachment 8557023 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/secureelement/gonk/UiccConnector.js @@ +252,5 @@ > + return; > + } > + > + cla = this._setChannelToCLAByte(cla, channel); > + let lc = data ? data.length/2 : 0; nit, space for / Also you may need to check if data.length % 2 == 0, this is JS, lc could be a float, like 4.5, 5.5 @@ +255,5 @@ > + cla = this._setChannelToCLAByte(cla, channel); > + let lc = data ? data.length/2 : 0; > + let p3 = lc || le; > + > + if (lc && le !== -1) { add ()

Attachment #8557023 - Flags: review?(allstars.chh) → review+

Comment 242

Updated

•

10 years ago

Attachment #8559154 - Flags: review?(bugs) → review+

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Comment 248

•

10 years ago

Attached patch Part 7: Adding dom.secureelement.enabled pref, r=allstars.chh (obsolete) — Details — Splinter Review

As discussed on a call and via e-mail, I'm adding a dom.secureelement.enabled pref and setting it to false by default.

Attachment #8560383 - Flags: review?(allstars.chh)

Comment 249

•

10 years ago

Comment on attachment 8560383 [details] [diff] [review] Part 7: Adding dom.secureelement.enabled pref, r=allstars.chh Review of attachment 8560383 [details] [diff] [review]: ----------------------------------------------------------------- WebIDL change will need a review from DOM Peer.

Attachment #8560383 - Flags: review?(allstars.chh) → feedback+

Olli Pettay [:smaug][bugs@pettay.fi]

Comment 250

•

10 years ago

Comment on attachment 8558511 [details] [diff] [review] Part 2: (v2.7) Secure Element DOM Implementation >+ >+/* Copyright Â© 2014, Deutsche Telekom, Inc. */ You can probably drop this I don't really have much else to say about this. (hard to review as such. need to understand what is happening in the parent process too and heavy use of Promises makes following the code a bit hard, at least for me.) So mostly relying on Yoshi's r+ :) One possible simplification is that could we perhaps use dictionaries also for SEResponse.

Attachment #8558511 - Flags: review?(bugs) → review+

Olli Pettay [:smaug][bugs@pettay.fi]

Comment 251

•

10 years ago

Comment on attachment 8560383 [details] [diff] [review] Part 7: Adding dom.secureelement.enabled pref, r=allstars.chh Hi Olli, thank you very much for all the previous reviews. This should be the last patch here. It's a small change introducing dom.secureelement.enabled pref. Could you review it?

Attachment #8560383 - Flags: review?(bugs)

Updated

•

10 years ago

Attachment #8560383 - Flags: review?(bugs) → review+

•

10 years ago

Attached patch Part 6: (v1.1 rebased) Adding dom.secureelement.enabled pref, r=smaug — Details — Splinter Review

r+ from smaug after comment 251, rebased

Attachment #8562745 - Flags: review+

Updated

•

10 years ago

Attachment #8560383 - Attachment is obsolete: true

Updated

•

10 years ago

Depends on: 1132007

Comment 260

•

10 years ago

Try server build progressing: https://treeherder.mozilla.org/#/jobs?repo=try&revision=b219549fd423

Comment 261

•

10 years ago

Attached patch Part 5: (v1.3) Build support for SecureElement feature. r=gps — Details — Splinter Review

Fixed moz.build (moved XPIDL_MODULE into IF gonk) to prevent B2G DESKTOP builds from failing.

Attachment #8562905 - Flags: review+

https://hg.mozilla.org/mozilla-central/rev/e014c9f1d2fb https://hg.mozilla.org/mozilla-central/rev/7b877b26ddee https://hg.mozilla.org/mozilla-central/rev/9d71758c5f7d https://hg.mozilla.org/mozilla-central/rev/c46f53398982 https://hg.mozilla.org/mozilla-central/rev/1d8a6e33379e https://hg.mozilla.org/mozilla-central/rev/374b013116c2 https://hg.mozilla.org/mozilla-central/rev/93f03475e1ad https://hg.mozilla.org/mozilla-central/rev/2eda9bb510d8

•

10 years ago

Status: ASSIGNED → RESOLVED

Closed: 10 years ago

status-firefox38: --- → fixed

Resolution: --- → FIXED

Target Milestone: 2.2 S5 (6feb) → 2.2 S6 (20feb)

Comment 265

•

10 years ago

Attached patch Part 1a: (v1.3 - 2.2 version) Add new permission 'secureelement-manage'. r=ehsan — Details — Splinter Review

Comment 266

•

10 years ago

Attached patch Part 5: (v1.4 - 2.2 version) Build support for SecureElement feature. r=gps — Details — Splinter Review

Comment 267

•

10 years ago

Attached patch Part 6: (v1.2 - 2.2 version) Adding dom.secureelement.enabled pref, r=smaug — Details — Splinter Review

Comment 268

•

10 years ago

Comment on attachment 8559154 [details] [diff] [review] Part 1 : (v1.12b) Secure Element APIs, r=ehsan, r=smaug NOTE: Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings. [Approval Request Comment] Bug caused by (feature/regressing bug #): This is a new b2g 2.2 feature. User impact if declined: No Secure Element API feature. Testing completed: on device testing complete Risk to taking this patch (and alternatives if risky): none String or UUID changes made by this patch: none Part 1a, 5, 6 patches required rebasing. Other parts apply directly.

Attachment #8559154 - Flags: approval-mozilla-b2g37?