forked from GlobalPlatform/SERAM
-
Notifications
You must be signed in to change notification settings - Fork 0
/
gpseram.yaml
593 lines (569 loc) · 21 KB
/
gpseram.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
openapi: 3.0.3
info:
title: GP SERAM
version: 2.0.0
description: >-
This specification allows a Remote Agent to manage a Secure Element thanks
to a Local Agent.<br>
<br>
2 layers is provided here:<br>
- the data model which details messages which are exchanges. Refer to the
Schemas section below.<br>
- the HTTP REST binding, details in terms of HTTP GET and POST methods.
Refer to initialization and seApplicationManagement phase below.<br>
<br>
The Remote Agent is acting as an HTTP server and the Local Agent as an
HTTP Client. During the initialization phase, the local Agent provides a
list of supported data format and transport protocol. The server selects
the best option and continue with the selected binding.
This OpenAPI specification is self-documentated. Please refer to the
[GitHub of GP SERAM](http://github.com/slegouix/SERAM) for additional
information.
license:
name: MIT
url: 'https://opensource.org/licenses/MIT'
tags:
- name: seApplicationManagementService
description: >-
Remote Agent performs the remote management by sending orders to the
Local Agent
servers:
- url: '{protocol}://{domain}/gp/seram'
variables:
domain:
default: localhost
description: server domain
protocol:
enum:
- http
- https
default: https
paths:
/handshake:
post:
tags:
- seApplicationManagementService
summary: method used to negociate data format and the transport protocol
description: >-
This method shall be used by the HTTP client to tell which data
formats and which transport protocols it supports. In response, the
HTTP server shall tell which ones it selects.<br> <br> The DataFormat
describes which data format is used for message payloads.<br> <br> The
TransportProtocol describes the transport protocol binding. It details
how setting-up the transport layer (if required), exchanging the
messages payload between Remote Agent and Local Agent, keeping the
integrity of the remote management session and resuming communications
in case of a data exchange failure<br>
<br>
The HTTP client shall used the sessionId to allow the HTTP server to
track the remote management. The HTTP client shall reused the
sessionId in all subsequent HTTP request to the HTTP server
parameters:
- name: sessionId
in: query
required: true
schema:
$ref: '#/components/schemas/sessionId'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/ramHandshakeCommand'
examples:
handshakeRequest:
summary: Handshake Command Message
value:
{
"secureElements": [
{
"seType": "eSE",
"seId": "89001012012341234012345678901224",
"seExtraInfo": "SAM"
}
],
"supportedTransportProtocols": [ "HTTPS" ],
"supportedDataFormats": [ "application/json" ],
"supportedVersion": [ "2.0.0" ]
}
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/ramHandshakeResponse'
examples:
handshakeResponse:
summary: Handshake Response Message
value:
{
"chosenTransportProtocol": "HTTPS",
"chosenDataFormat": "application/json",
"chosenVersion": "2.0.0"
}
'404':
description: sessionId not found
'406':
description: HTTP Server could not fulfill the client proposal
'500':
description: Unknown server error
/remoteManagement:
post:
tags:
- seApplicationManagementService
summary: Method used to respond to a remote management command.
description: >-
During Command Exchange Step, this endpoint is used to poll the HTTP
server and to exchange Command and Reponse Messages.<br>
The Remote Agent SHALL first sent a Start Command and SHALL uses
the Stop Command to terminate Management Session. During the Command
Exchange Step, it may send Notification Command or SE RAM Command to
the Local Agent.<br>
<br>
The Remote Management Session is identify by the sessionId
parameter.<br>
parameters:
- name: sessionId
in: query
required: true
schema:
$ref: '#/components/schemas/sessionId'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/remoteManagementReport'
examples:
withoutResponse:
summary: Report Message to poll the Remote Agent
value:
{
"localAgentStatus": {
"localAgentStatusEnum": "POLLING",
"executeRamCommands": 0
}
}
seRamResponse:
summary: Report Message with SE RAM responses
value:
{
"localAgentStatus": {
"localAgentStatusEnum": "PROCESSED",
"executedSeRamCommands": 2
},
"ramResponses": [
{
"ramResponseType": "seRamResponse",
"listOfRAPDU": [ "9000", "9000" ]
},
{
"ramResponseType": "seRamResponse",
"listOfRAPDU": [ "9000" ]
}
]
}
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/remoteManagementOrder'
examples:
withoutCommand:
summary: Order Message without any Command (polling)
value:
{
"delay": 500
}
startCommand:
summary: Order Message with a Start Command
value:
{
"ramCommands": [
{
"ramCommandType": "startCommand"
}
]
}
seRamCommand:
summary: Order Message with a SE RAM Command
value:
{
"delay": 100,
"chosenSecureElement": {
"seType": "eSE",
"seId": "89001012012341234012345678901224",
"seExtraInfo": "SAM"
},
"ramCommands": [
{
"ramCommandType": "seRamCommand",
"listOfCAPDU": [ "00A40400OA0001020304050607080900A" ]
}
]
}
notificationCommand:
summary: Order Message with a Notification Command
value:
{
"ramCommands": [
{
"ramCommandType": "notificationCommand",
"deviceAppNotification": "step1/action2/OK"
}
]
}
stopCommand:
summary: Order Message with a Stop Command
value:
{
"ramCommands": [
{
"ramCommandType": "stopCommand"
}
]
}
allCommands:
summary: Order Message with a Start, SE RAM, Notification and Stop Command
value:
{
"delay": 0,
"chosenSecureElement": {
"seType": "eSE",
"seId": "89001012012341234012345678901224",
"seExtraInfo": "SAM"
},
"ramCommands": [
{
"ramCommandType": "startCommand"
},
{
"ramCommandType": "seRamCommand",
"listOfCAPDU": [ "00A40400OA0001020304050607080900A" ]
},
{
"ramCommandType": "notificationCommand",
"deviceAppNotification": "step1/action2/OK"
},
{
"ramCommandType": "stopCommand"
}
]
}
'404':
description: Session id not found
'500':
description: Unknown server error
components:
schemas:
ramHandshakeCommand:
description: >-
The Handshake Command is the Message used by the Local Agent
during the Handshake Step.<br>
<br>
If supportedTransportProtocol is not provided, HTTPS is assumed. If
supportedDataFormat is not provided, application/json is assumed.<br>
If supportedVersions is not provided, 2.0.0 is assumed. secureElements
shall be ordered by preference by the client.
type: object
required:
- 'secureElements'
properties:
secureElements:
description: A list of Secure Element available on Local Agent side.
type: array
items:
$ref: '#/components/schemas/secureElement'
supportedTransportProtocols:
description: >-
A list of Transport Protocol supported by the the Local Agent.
If not provided "HTTPS" is assumed.
type: array
items:
$ref: '#/components/schemas/transportProtocol'
supportedDataFormats:
description: >-
A list of Transport Data Format supported by the Local Agent.
If not provided, "application/json" if assumed.
type: array
items:
$ref: '#/components/schemas/dataFormat'
supportedVersions:
description: >-
A list of version of GP SERAM supported by the Local Agent.
If not provided, "2.0.0" is assumed.
type: array
items:
$ref: '#/components/schemas/version'
ramHandshakeResponse:
description: >-
The Handshake Response is the Message used by the Remote Agent
during the Handshake Step.<br>
<br>
Each value of the chosen properties shall correspond of one supported
by the Local Agent."
required:
- 'chosenDataProtocol'
- 'chosenTransportProtocol'
- 'chosenVersion'
properties:
chosenTransportProtocol:
allOf:
- description: >-
The Transport Protocol selected by the Remote Agent.
- $ref: '#/components/schemas/transportProtocol'
chosenDataFormat:
allOf:
- description: The Data Protocol selected by the Remote Agent.
- $ref: '#/components/schemas/dataFormat'
chosenVersion:
allOf:
- description: >-
The Version of GP SERAM selected by the Remote Agent
- $ref: '#/components/schemas/version'
remoteManagementOrder:
description: >-
The Remote Agent may used Order Message to select a Secure Element, to
send Commands, or to maintain the connection with the Local Agent.<br>
<br>
All fields are optional.
properties:
delay:
description: >-
Delay in millisecond the Local Agent had to wait before sending
data to the platform. Uses '0' to avoid having any delay.
type: integer
default: 100
chosenSecureElement:
allOf:
- description: >-
Set the Secure Element the Local Agent SHALL used to send
C-APDU
- $ref: '#/components/schemas/secureElement'
ramCommands:
description: >-
List of Commands to be executed by the Local Agent. The list SHALL
contain at least one Command Message. If the list contains more
than one Command Message, the Local Agent SHALL handles them one
by one.
type: array
items:
$ref: '#/components/schemas/ramCommand'
remoteManagementReport:
description: >-
The Local Agent replies to an Order Message with a Report Message that
includes the Responses for the Commands, if any, and to ask the Remote
Agent for next Commands.<br>
<br>
In case of HTTP polling and for the first HTTP message, only the
localAgentStatus is included.
type: object
required:
- localAgentStatus
properties:
localAgentStatus:
allOf:
- description: Status of the Local Agent
- $ref: '#/components/schemas/localAgentStatus'
ramResponses:
description: The list of RAM responses
type: array
items:
$ref: '#/components/schemas/ramResponse'
ramCommand:
description: >-
Commands are sent by the Remote Agent and shall be executed by
the Local Agent.
required:
- ramCommandType
discriminator:
propertyName: ramCommandType
mapping:
ramStartCommand: '#/components/schemas/ramStartCommand'
seRamCommand: '#/components/schemas/seRamCommand'
notificationCommand : '#/components/schemas/notificationCommand'
ramStopCommand : '#/components/schemas/ramStopCommand'
properties:
ramCommandType:
description: >-
The type of Command with authorized values listed in the
discrimitator mapping
type: string
ramStartCommand:
allOf:
- description: >-
The RAM Start Command inform the Local Agent of the start of the
Remote Management Session by the Remote Agent.
- $ref: '#/components/schemas/ramCommand'
seRamCommand:
allOf:
- description: >-
The SE RAM Command is used to send APDU to the Secure Element.<br>
The Local Agent SHALL send each APDU command of the listOfCAPDU to
the Secure Element using the SE Access API. The Local Agent SHALL
add each APDU response to the associated SE RAM Response. If an APDU
Response is not available, the Local Agent SHALL use an empty
string as APDU Response.
- $ref: '#/components/schemas/ramCommand'
- required:
- 'listOfCAPDU'
properties:
listOfCAPDU:
description: >-
An ordered list of APDU to send to the Secure Element. Each APDU
are encoded as hexadecimal string.
type: array
items:
$ref: '#/components/schemas/apdu'
example:
- '00A4040008A00000015100000000'
notificationCommand:
allOf:
- description: >-
The Notification Command is used to send processing a notification
to the Device Application. The meaning of the notification and how
it is handled by the Device Application is implementation dependent.
- $ref: '#/components/schemas/ramCommand'
- required:
- 'deviceAppNotification'
properties:
deviceAppNotification:
description: >-
An UTF-8 string to be notified to the Device Application
type: string
example: 'step1/action2/OK'
ramStopCommand:
allOf:
- description: >-
A Remote Agent uses this Command to close the Remote Session.<br>
The Local Agent SHALL NOT send any new Report Message and SHALL
discard any remaining Response, if any.
This Command marks the end of the processing by a Management
Platform and no further Order Message will be sent.
- $ref: '#/components/schemas/ramCommand'
ramResponse:
description: >-
Some Command required to send back a response to the Remote Agent.
required:
- 'ramResponseType'
discriminator:
propertyName: ramResponseType
mapping:
seRamResponse: '#/components/schemas/seRamResponse'
properties:
ramResponseType:
description: >-
The type of Response with authorized values listed in the
discrimitator mapping
type: string
seRamResponse:
allOf:
- description: >-
The SE RAM Response contains the APDU responses of the Secure
Element to the corresponding SE RAM Command.<br>
For each APDU send to the Secure Element, the Local Agent shall add
the associated APDU response to the listOfRAPDU property. If an APDU
response is not available (e.g. for a SELECT or on error), it shall
be filled with an empty string.
- $ref: '#/components/schemas/ramResponse'
- required:
- 'listOfRAPDU'
properties:
listOfRAPDU:
description: >-
An ordered list of APDU response of the Secure Element. Each
APDU are encoded as hexadecimal string.
type: array
items:
$ref: '#/components/schemas/apdu'
example:
- '9000'
apdu:
description: hexadecimal encoded APDU
type: string
pattern: '([0-9A-F]{2})*'
dataFormat:
description: Encoding format of GP SERAM Messages
type: string
enum:
- application/json
localAgentStatus:
description: >-
The Local Agent SHALL sent a status in each request to the HTTP server.
required:
- localAgentStatusEnum
- executedRamCommands
properties:
localAgentStatusEnum:
description: >-
Local Agent SHALL send a PROCESSED status whenever at least one
RAM command has been executed. On any error processing one of
UNAVAILABLE_SE, UNKNOWN_FAILURE, or UNGRANTED_ACCESS SHALL be used.
And the POLLING status SHALL be used for the first HTTP request or
if the Remote Agent hasn't sent any Command.
enum:
- PROCESSED
- POLLING
- UNAVAILABLE_SE
- UNKNOWN_FAILURE
- UNGRANTED_ACCESS
executedSeRamCommands:
description: >-
Number of SE RAM command executed. Value SHALL be set to zero
during polling.<br>
The Remote Agent can determine whether an error occurred if the
value differs from the number of commands sent.
type: integer
errorMsg:
description: >-
Additional information that SHOULD be provided in case of error
(i.e. the localAgentStatusEnum is set to UNAVAILABLE_SE,
UNKNOWN_FAILURE, or UNGRANDED_ACCESS). This message SHOULD be
logged for investigation or for legal purpose.
type: string
secureElement:
description: >-
A Secure Element. It is composed of the type of Secure Element and the
identifier of the Secure Element. Moreover, it may includes an
additional field to provide some additional informations related to
the Secure Element (E.g. the support the GP SAM)
type: object
required:
- seType
- seId
properties:
seType:
description: Type of Secure Element.
type: string
enum:
- eSE
- iSE
- uicc
- euicc
- ieuicc
seId:
description: Identifier of the Secure Element.
type: string
example: '89001012012341234012345678901224'
seExtraInfo:
description: A comma separated list of features supported by the SE.
type: string
example: 'SAM'
sessionId:
description: >-
An identifier shared between the Device Application and the Management
Platform and associated with a Management Session.
type: string
example: '0f96af97-f879-45a2-a011-ee7439df3804'
transportProtocol:
description: A transport protocol to exchange GP SERAM Messages.
type: string
enum:
- HTTPS
version:
description: A Version of GP SERAM
type: string
example: '2.0.0'