January 2024 - gerrit-log - lists.osmocom.org

[M] Change in osmo-ttcn3-hacks[master]: GSUP: Convert PDP-Type IE to PDP-Address IE

by laforge

Attention is currently required from: lynxis lazus, pespin. laforge has posted comments on this change. ( https://gerrit.osmocom.org/c/osmo-ttcn3-hacks/+/35629?usp=email ) Change subject: GSUP: Convert PDP-Type IE to PDP-Address IE ...................................................................... Patch Set 2: Code-Review+2 -- To view, visit https://gerrit.osmocom.org/c/osmo-ttcn3-hacks/+/35629?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: osmo-ttcn3-hacks Gerrit-Branch: master Gerrit-Change-Id: I3e92368fff61694bcef6a48320595b59ae8f54ca Gerrit-Change-Number: 35629 Gerrit-PatchSet: 2 Gerrit-Owner: pespin <pespin(a)sysmocom.de> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: fixeria <vyanitskiy(a)sysmocom.de> Gerrit-Reviewer: laforge <laforge(a)osmocom.org> Gerrit-Reviewer: lynxis lazus <lynxis(a)fe80.eu> Gerrit-Attention: pespin <pespin(a)sysmocom.de> Gerrit-Attention: lynxis lazus <lynxis(a)fe80.eu> Gerrit-Comment-Date: Wed, 24 Jan 2024 08:46:31 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment

1 year, 5 months

1
0
0 0

[M] Change in pysim[master]: osmo-smdpp: Implement eUICC + EUM certificate signature chain validation

by laforge

laforge has submitted this change. ( https://gerrit.osmocom.org/c/pysim/+/35635?usp=email ) Change subject: osmo-smdpp: Implement eUICC + EUM certificate signature chain validation ...................................................................... osmo-smdpp: Implement eUICC + EUM certificate signature chain validation Change-Id: I961827c50ed5e34c6507bfdf853952ece5b0d121 --- M osmo-smdpp.py M pySim/esim/rsp.py 2 files changed, 43 insertions(+), 20 deletions(-) Approvals: laforge: Looks good to me, approved Jenkins Builder: Verified diff --git a/osmo-smdpp.py b/osmo-smdpp.py index 7e0db27..58b83ff 100755 --- a/osmo-smdpp.py +++ b/osmo-smdpp.py @@ -36,7 +36,8 @@ import pySim.esim.rsp as rsp from pySim.esim.es8p import * -from pySim.esim.x509_cert import oid, cert_policy_has_oid, CertAndPrivkey +from pySim.esim.x509_cert import oid, cert_policy_has_oid, cert_get_auth_key_id +from pySim.esim.x509_cert import CertAndPrivkey, CertificateSet, cert_get_subject_key_id, VerifyError # HACK: make this configurable DATA_DIR = './smdpp-data' @@ -214,7 +215,12 @@ if 'euiccCiPKIdListForSigningV3' in euiccInfo1: pkid_list = pkid_list + euiccInfo1['euiccCiPKIdListForSigningV3'] # verify it supports one of the keys indicated by euiccCiPKIdListForSigning - if not any(self.ci_get_cert_for_pkid(x) for x in pkid_list): + ci_cert = None + for x in pkid_list: + ci_cert = self.ci_get_cert_for_pkid(x) + if ci_cert: + break + if not ci_cert: raise ApiError('8.8.2', '3.1', 'None of the proposed Public Key Identifiers is supported by the SM-DP+') # TODO: Determine the set of CERT.DPauth.SIG that satisfy the following criteria: @@ -257,7 +263,8 @@ #output['otherCertsInChain'] = b64encode2str() # create SessionState and store it in rss - self.rss[transactionId] = rsp.RspSessionState(transactionId, serverChallenge) + self.rss[transactionId] = rsp.RspSessionState(transactionId, serverChallenge, + cert_get_subject_key_id(ci_cert)) return output @@ -292,29 +299,35 @@ euicc_cert = x509.load_der_x509_certificate(euiccCertificate_bin) eum_cert = x509.load_der_x509_certificate(eumCertificate_bin) - # TODO: Verify the validity of the eUICC certificate chain - # raise ApiError('8.1.3', '6.1', 'Verification failed') - # raise ApiError('8.1.3', '6.3', 'Expired') - - # TODO: Verify that the Root Certificate of the eUICC certificate chain corresponds to the - # euiccCiPKIdToBeUsed or euiccCiPKIdToBeUsedV3 - # raise ApiError('8.11.1', '3.9', 'Unknown') - - # Verify euiccSignature1 over euiccSigned1 using pubkey from euiccCertificate. - # Otherwise, the SM-DP+ SHALL return a status code "eUICC - Verification failed" - if not self._ecdsa_verify(euicc_cert, euiccSignature1_bin, euiccSigned1_bin): - raise ApiError('8.1', '6.1', 'Verification failed') - # Verify that the transactionId is known and relates to an ongoing RSP session. Otherwise, the SM-DP+ # SHALL return a status code "TransactionId - Unknown" ss = self.rss.get(transactionId, None) if ss is None: raise ApiError('8.10.1', '3.9', 'Unknown') ss.euicc_cert = euicc_cert - ss.eum_cert = eum_cert # do we need this in the state? + ss.eum_cert = eum_cert # TODO: do we need this in the state? - # TODO: verify eUICC cert is signed by EUM cert - # TODO: verify EUM cert is signed by CI cert + # Verify that the Root Certificate of the eUICC certificate chain corresponds to the + # euiccCiPKIdToBeUsed or TODO: euiccCiPKIdToBeUsedV3 + if cert_get_auth_key_id(eum_cert) != ss.ci_cert_id: + raise ApiError('8.11.1', '3.9', 'Unknown') + + # Verify the validity of the eUICC certificate chain + cs = CertificateSet(self.ci_get_cert_for_pkid(ss.ci_cert_id)) + cs.add_intermediate_cert(eum_cert) + # TODO v3: otherCertsInChain + try: + cs.verify_cert_chain(euicc_cert) + except VerifyError: + raise ApiError('8.1.3', '6.1', 'Verification failed') + # raise ApiError('8.1.3', '6.3', 'Expired') + + + # Verify euiccSignature1 over euiccSigned1 using pubkey from euiccCertificate. + # Otherwise, the SM-DP+ SHALL return a status code "eUICC - Verification failed" + if not self._ecdsa_verify(euicc_cert, euiccSignature1_bin, euiccSigned1_bin): + raise ApiError('8.1', '6.1', 'Verification failed') + # TODO: verify EID of eUICC cert is within permitted range of EUM cert ss.eid = ss.euicc_cert.subject.get_attributes_for_oid(x509.oid.NameOID.SERIAL_NUMBER)[0].value diff --git a/pySim/esim/rsp.py b/pySim/esim/rsp.py index b5289be..1f8e989 100644 --- a/pySim/esim/rsp.py +++ b/pySim/esim/rsp.py @@ -35,10 +35,11 @@ and subsequently used by further API calls using the same transactionId. The session state is removed either after cancelSession or after notification. TODO: add some kind of time based expiration / garbage collection.""" - def __init__(self, transactionId: str, serverChallenge: bytes): + def __init__(self, transactionId: str, serverChallenge: bytes, ci_cert_id: bytes): self.transactionId = transactionId self.serverChallenge = serverChallenge # used at a later point between API calsl + self.ci_cert_id = ci_cert_id self.euicc_cert: Optional[x509.Certificate] = None self.eum_cert: Optional[x509.Certificate] = None self.eid: Optional[bytes] = None -- To view, visit https://gerrit.osmocom.org/c/pysim/+/35635?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: I961827c50ed5e34c6507bfdf853952ece5b0d121 Gerrit-Change-Number: 35635 Gerrit-PatchSet: 4 Gerrit-Owner: laforge <laforge(a)osmocom.org> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: laforge <laforge(a)osmocom.org> Gerrit-MessageType: merged

1 year, 5 months

1
0
0 0

[M] Change in pysim[master]: Move X.509 related code from osmo-smdpp to pySim.esim.x509_cert

by laforge

laforge has submitted this change. ( https://gerrit.osmocom.org/c/pysim/+/35634?usp=email ) Change subject: Move X.509 related code from osmo-smdpp to pySim.esim.x509_cert ...................................................................... Move X.509 related code from osmo-smdpp to pySim.esim.x509_cert Change-Id: I230ba0537b702b0bf6e9da9a430908ed2a21ca61 --- M osmo-smdpp.py M pySim/esim/x509_cert.py 2 files changed, 86 insertions(+), 74 deletions(-) Approvals: laforge: Looks good to me, approved Jenkins Builder: Verified diff --git a/osmo-smdpp.py b/osmo-smdpp.py index 41cdfc8..7e0db27 100755 --- a/osmo-smdpp.py +++ b/osmo-smdpp.py @@ -36,6 +36,7 @@ import pySim.esim.rsp as rsp from pySim.esim.es8p import * +from pySim.esim.x509_cert import oid, cert_policy_has_oid, CertAndPrivkey # HACK: make this configurable DATA_DIR = './smdpp-data' @@ -70,18 +71,12 @@ js['header']['functionExecutionStatus']['statusCodeData'] = status_code_data from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature, encode_dss_signature -from cryptography.hazmat.primitives.serialization import load_pem_private_key, Encoding, PublicFormat, PrivateFormat, NoEncryption +from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat, PrivateFormat, NoEncryption from cryptography.hazmat.primitives.asymmetric import ec from cryptography.hazmat.primitives import hashes from cryptography.exceptions import InvalidSignature from cryptography import x509 - -def ecdsa_dss_to_tr03111(sig: bytes) -> bytes: - """convert from DER format to BSI TR-03111; first get long integers; then convert those to bytes.""" - r, s = decode_dss_signature(sig) - return r.to_bytes(32, 'big') + s.to_bytes(32, 'big') - def ecdsa_tr03111_to_dss(sig: bytes) -> bytes: """convert an ECDSA signature from BSI TR-03111 format to DER: first get long integers; then encode those.""" assert len(sig) == 64 @@ -90,52 +85,6 @@ return encode_dss_signature(r, s) -class CertAndPrivkey: - """A pair of certificate and private key, as used for ECDSA signing.""" - def __init__(self, required_policy_oid: Optional[x509.ObjectIdentifier] = None, - cert: Optional[x509.Certificate] = None, priv_key = None): - self.required_policy_oid = required_policy_oid - self.cert = cert - self.priv_key = priv_key - - def cert_from_der_file(self, path: str): - with open(path, 'rb') as f: - cert = x509.load_der_x509_certificate(f.read()) - if self.required_policy_oid: - # verify it is the right type of certificate (id-rspRole-dp-auth, id-rspRole-dp-auth-v2, etc.) - assert cert_policy_has_oid(cert, self.required_policy_oid) - self.cert = cert - - def privkey_from_pem_file(self, path: str, password: Optional[str] = None): - with open(path, 'rb') as f: - self.priv_key = load_pem_private_key(f.read(), password) - - def ecdsa_sign(self, plaintext: bytes) -> bytes: - """Sign some input-data using an ECDSA signature compliant with SGP.22, - which internally refers to Global Platform 2.2 Annex E, which in turn points - to BSI TS-03111 which states "concatengated raw R + S values". """ - sig = self.priv_key.sign(plaintext, ec.ECDSA(hashes.SHA256())) - # convert from DER format to BSI TR-03111; first get long integers; then convert those to bytes - return ecdsa_dss_to_tr03111(sig) - - def get_authority_key_identifier(self) -> x509.AuthorityKeyIdentifier: - """Return the AuthorityKeyIdentifier X.509 extension of the certificate.""" - return list(filter(lambda x: isinstance(x.value, x509.AuthorityKeyIdentifier), self.cert.extensions))[0].value - - def get_subject_alt_name(self) -> x509.SubjectAlternativeName: - """Return the SubjectAlternativeName X.509 extension of the certificate.""" - return list(filter(lambda x: isinstance(x.value, x509.SubjectAlternativeName), self.cert.extensions))[0].value - - def get_cert_as_der(self) -> bytes: - """Return certificate encoded as DER.""" - return self.cert.public_bytes(Encoding.DER) - - def get_curve(self) -> ec.EllipticCurve: - return self.cert.public_key().public_numbers().curve - - - - class ApiError(Exception): def __init__(self, subject_code: str, reason_code: str, message: Optional[str] = None, subject_id: Optional[str] = None): @@ -147,27 +96,6 @@ build_resp_header(js, 'Failed', self.status_code) return json.dumps(js) -def cert_policy_has_oid(cert: x509.Certificate, match_oid: x509.ObjectIdentifier) -> bool: - """Determine if given certificate has a certificatePolicy extension of matching OID.""" - for policy_ext in filter(lambda x: isinstance(x.value, x509.CertificatePolicies), cert.extensions): - if any(policy.policy_identifier == match_oid for policy in policy_ext.value._policies): - return True - return False - -ID_RSP = "2.23.146.1" -ID_RSP_CERT_OBJECTS = '.'.join([ID_RSP, '2']) -ID_RSP_ROLE = '.'.join([ID_RSP_CERT_OBJECTS, '1']) - -class oid: - id_rspRole_ci = x509.ObjectIdentifier(ID_RSP_ROLE + '.0') - id_rspRole_euicc_v2 = x509.ObjectIdentifier(ID_RSP_ROLE + '.1') - id_rspRole_eum_v2 = x509.ObjectIdentifier(ID_RSP_ROLE + '.2') - id_rspRole_dp_tls_v2 = x509.ObjectIdentifier(ID_RSP_ROLE + '.3') - id_rspRole_dp_auth_v2 = x509.ObjectIdentifier(ID_RSP_ROLE + '.4') - id_rspRole_dp_pb_v2 = x509.ObjectIdentifier(ID_RSP_ROLE + '.5') - id_rspRole_ds_tls_v2 = x509.ObjectIdentifier(ID_RSP_ROLE + '.6') - id_rspRole_ds_auth_v2 = x509.ObjectIdentifier(ID_RSP_ROLE + '.7') - class SmDppHttpServer: app = Klein() diff --git a/pySim/esim/x509_cert.py b/pySim/esim/x509_cert.py index f6c6d43..9f6c8e6 100644 --- a/pySim/esim/x509_cert.py +++ b/pySim/esim/x509_cert.py @@ -23,6 +23,7 @@ from cryptography.hazmat.primitives import hashes from cryptography.exceptions import InvalidSignature from cryptography import x509 +from cryptography.hazmat.primitives.serialization import load_pem_private_key, Encoding from pySim.utils import b2h @@ -43,6 +44,27 @@ aki_ext = cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value return aki_ext.key_identifier +def cert_policy_has_oid(cert: x509.Certificate, match_oid: x509.ObjectIdentifier) -> bool: + """Determine if given certificate has a certificatePolicy extension of matching OID.""" + for policy_ext in filter(lambda x: isinstance(x.value, x509.CertificatePolicies), cert.extensions): + if any(policy.policy_identifier == match_oid for policy in policy_ext.value._policies): + return True + return False + +ID_RSP = "2.23.146.1" +ID_RSP_CERT_OBJECTS = '.'.join([ID_RSP, '2']) +ID_RSP_ROLE = '.'.join([ID_RSP_CERT_OBJECTS, '1']) + +class oid: + id_rspRole_ci = x509.ObjectIdentifier(ID_RSP_ROLE + '.0') + id_rspRole_euicc_v2 = x509.ObjectIdentifier(ID_RSP_ROLE + '.1') + id_rspRole_eum_v2 = x509.ObjectIdentifier(ID_RSP_ROLE + '.2') + id_rspRole_dp_tls_v2 = x509.ObjectIdentifier(ID_RSP_ROLE + '.3') + id_rspRole_dp_auth_v2 = x509.ObjectIdentifier(ID_RSP_ROLE + '.4') + id_rspRole_dp_pb_v2 = x509.ObjectIdentifier(ID_RSP_ROLE + '.5') + id_rspRole_ds_tls_v2 = x509.ObjectIdentifier(ID_RSP_ROLE + '.6') + id_rspRole_ds_auth_v2 = x509.ObjectIdentifier(ID_RSP_ROLE + '.7') + class VerifyError(Exception): """An error during certificate verification,""" pass @@ -54,6 +76,8 @@ def __init__(self, root_cert: x509.Certificate): check_signed(root_cert, root_cert) # TODO: check other mandatory attributes for CA Cert + if not cert_policy_has_oid(root_cert, oid.id_rspRole_ci): + raise ValueError("Given root certificate doesn't have rspRole_ci OID") usage_ext = root_cert.extensions.get_extension_for_class(x509.KeyUsage).value if not usage_ext.key_cert_sign: raise ValueError('Given root certificate key usage does not permit signing of certificates') @@ -135,3 +159,54 @@ depth += 1 if depth > max_depth: raise VerifyError('Maximum depth %u exceeded while verifying certificate chain' % max_depth) + +from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature + +def ecdsa_dss_to_tr03111(sig: bytes) -> bytes: + """convert from DER format to BSI TR-03111; first get long integers; then convert those to bytes.""" + r, s = decode_dss_signature(sig) + return r.to_bytes(32, 'big') + s.to_bytes(32, 'big') + + +class CertAndPrivkey: + """A pair of certificate and private key, as used for ECDSA signing.""" + def __init__(self, required_policy_oid: Optional[x509.ObjectIdentifier] = None, + cert: Optional[x509.Certificate] = None, priv_key = None): + self.required_policy_oid = required_policy_oid + self.cert = cert + self.priv_key = priv_key + + def cert_from_der_file(self, path: str): + with open(path, 'rb') as f: + cert = x509.load_der_x509_certificate(f.read()) + if self.required_policy_oid: + # verify it is the right type of certificate (id-rspRole-dp-auth, id-rspRole-dp-auth-v2, etc.) + assert cert_policy_has_oid(cert, self.required_policy_oid) + self.cert = cert + + def privkey_from_pem_file(self, path: str, password: Optional[str] = None): + with open(path, 'rb') as f: + self.priv_key = load_pem_private_key(f.read(), password) + + def ecdsa_sign(self, plaintext: bytes) -> bytes: + """Sign some input-data using an ECDSA signature compliant with SGP.22, + which internally refers to Global Platform 2.2 Annex E, which in turn points + to BSI TS-03111 which states "concatengated raw R + S values". """ + sig = self.priv_key.sign(plaintext, ec.ECDSA(hashes.SHA256())) + # convert from DER format to BSI TR-03111; first get long integers; then convert those to bytes + return ecdsa_dss_to_tr03111(sig) + + def get_authority_key_identifier(self) -> x509.AuthorityKeyIdentifier: + """Return the AuthorityKeyIdentifier X.509 extension of the certificate.""" + return list(filter(lambda x: isinstance(x.value, x509.AuthorityKeyIdentifier), self.cert.extensions))[0].value + + def get_subject_alt_name(self) -> x509.SubjectAlternativeName: + """Return the SubjectAlternativeName X.509 extension of the certificate.""" + return list(filter(lambda x: isinstance(x.value, x509.SubjectAlternativeName), self.cert.extensions))[0].value + + def get_cert_as_der(self) -> bytes: + """Return certificate encoded as DER.""" + return self.cert.public_bytes(Encoding.DER) + + def get_curve(self) -> ec.EllipticCurve: + return self.cert.public_key().public_numbers().curve -- To view, visit https://gerrit.osmocom.org/c/pysim/+/35634?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: I230ba0537b702b0bf6e9da9a430908ed2a21ca61 Gerrit-Change-Number: 35634 Gerrit-PatchSet: 2 Gerrit-Owner: laforge <laforge(a)osmocom.org> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: laforge <laforge(a)osmocom.org> Gerrit-MessageType: merged

1 year, 5 months

1
0
0 0

[M] Change in pysim[master]: New pySim.esim.x509_cert module for X.509 certificate handling

by laforge

laforge has submitted this change. ( https://gerrit.osmocom.org/c/pysim/+/35633?usp=email ) Change subject: New pySim.esim.x509_cert module for X.509 certificate handling ...................................................................... New pySim.esim.x509_cert module for X.509 certificate handling Change-Id: Ia8cc2dac02fcd96624dc6d9348f103373eeeb614 --- A pySim/esim/x509_cert.py 1 file changed, 146 insertions(+), 0 deletions(-) Approvals: Jenkins Builder: Verified laforge: Looks good to me, approved diff --git a/pySim/esim/x509_cert.py b/pySim/esim/x509_cert.py new file mode 100644 index 0000000..f6c6d43 --- /dev/null +++ b/pySim/esim/x509_cert.py @@ -0,0 +1,137 @@ +# Implementation of X.509 certificate handling in GSMA eSIM +# as per SGP22 v3.0 +# +# (C) 2024 by Harald Welte <laforge(a)osmocom.org> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import requests +from typing import Optional, List + +from cryptography.hazmat.primitives.asymmetric import ec, padding +from cryptography.hazmat.primitives import hashes +from cryptography.exceptions import InvalidSignature +from cryptography import x509 + +from pySim.utils import b2h + +def check_signed(signed: x509.Certificate, signer: x509.Certificate) -> bool: + """Verify if 'signed' certificate was signed using 'signer'.""" + # this code only works for ECDSA, but this is all we need for GSMA eSIM + pkey = signer.public_key() + # this 'signed.signature_algorithm_parameters' below requires cryptopgraphy 41.0.0 :( + pkey.verify(signed.signature, signed.tbs_certificate_bytes, signed.signature_algorithm_parameters) + +def cert_get_subject_key_id(cert: x509.Certificate) -> bytes: + """Obtain the subject key identifier of the given cert object (as raw bytes).""" + ski_ext = cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value + return ski_ext.key_identifier + +def cert_get_auth_key_id(cert: x509.Certificate) -> bytes: + """Obtain the authority key identifier of the given cert object (as raw bytes).""" + aki_ext = cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value + return aki_ext.key_identifier + +class VerifyError(Exception): + """An error during certificate verification,""" + pass + +class CertificateSet: + """A set of certificates consisting of a trusted [self-signed] CA root certificate, + and an optional number of intermediate certificates. Can be used to verify the certificate chain + of any given other certificate.""" + def __init__(self, root_cert: x509.Certificate): + check_signed(root_cert, root_cert) + # TODO: check other mandatory attributes for CA Cert + usage_ext = root_cert.extensions.get_extension_for_class(x509.KeyUsage).value + if not usage_ext.key_cert_sign: + raise ValueError('Given root certificate key usage does not permit signing of certificates') + if not usage_ext.crl_sign: + raise ValueError('Given root certificate key usage does not permit signing of CRLs') + self.root_cert = root_cert + self.intermediate_certs = {} + self.crl = None + + def load_crl(self, urls: Optional[List[str]] = None): + if urls and type(urls) is str: + urls = [urls] + if not urls: + # generate list of CRL URLs from root CA certificate + crl_ext = self.root_cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value + name_list = [x.full_name for x in crl_ext] + merged_list = [] + for n in name_list: + merged_list += n + uri_list = filter(lambda x: isinstance(x, x509.UniformResourceIdentifier), merged_list) + urls = [x.value for x in uri_list] + + for url in urls: + try: + crl_bytes = requests.get(url) + except requests.exceptions.ConnectionError: + continue + crl = x509.load_der_x509_crl(crl_bytes) + if not crl.is_signature_valid(self.root_cert.public_key()): + raise ValueError('Given CRL has incorrect signature and cannot be trusted') + # FIXME: various other checks + self.crl = crl + # FIXME: should we support multiple CRLs? we only support a single CRL right now + return + # FIXME: report on success/failure + + @property + def root_cert_id(self) -> bytes: + return cert_get_subject_key_id(self.root_cert) + + def add_intermediate_cert(self, cert: x509.Certificate): + """Add a potential intermediate certificate to the CertificateSet.""" + # TODO: check mandatory attributes for intermediate cert + usage_ext = cert.extensions.get_extension_for_class(x509.KeyUsage).value + if not usage_ext.key_cert_sign: + raise ValueError('Given intermediate certificate key usage does not permit signing of certificates') + aki = cert_get_auth_key_id(cert) + ski = cert_get_subject_key_id(cert) + if aki == ski: + raise ValueError('Cannot add self-signed cert as intermediate cert') + self.intermediate_certs[ski] = cert + # TODO: we could test if this cert verifies against the root, and mark it as pre-verified + # so we don't need to verify again and again the chain of intermediate certificates + + def verify_cert_crl(self, cert: x509.Certificate): + if not self.crl: + # we cannot check if there's no CRL + return + if self.crl.get_revoked_certificate_by_serial_number(cert.serial_nr): + raise VerifyError('Certificate is present in CRL, verification failed') + + def verify_cert_chain(self, cert: x509.Certificate, max_depth: int = 100): + """Verify if a given certificate's signature chain can be traced back to the root CA of this + CertificateSet.""" + depth = 1 + c = cert + while True: + aki = cert_get_auth_key_id(c) + if aki == self.root_cert_id: + # last step: + check_signed(c, self.root_cert) + return + parent_cert = self.intermediate_certs.get(aki, None) + if not aki: + raise VerifyError('Could not find intermediate certificate for AuthKeyId %s' % b2h(aki)) + check_signed(c, parent_cert) + # if we reach here, we passed (no exception raised) + c = parent_cert + depth += 1 + if depth > max_depth: + raise VerifyError('Maximum depth %u exceeded while verifying certificate chain' % max_depth) -- To view, visit https://gerrit.osmocom.org/c/pysim/+/35633?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: Ia8cc2dac02fcd96624dc6d9348f103373eeeb614 Gerrit-Change-Number: 35633 Gerrit-PatchSet: 2 Gerrit-Owner: laforge <laforge(a)osmocom.org> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: laforge <laforge(a)osmocom.org> Gerrit-MessageType: merged

1 year, 5 months

1
0
0 0

[M] Change in pysim[master]: osmo-smdpp: Implement eUICC + EUM certificate signature chain validation

by laforge

laforge has posted comments on this change. ( https://gerrit.osmocom.org/c/pysim/+/35635?usp=email ) Change subject: osmo-smdpp: Implement eUICC + EUM certificate signature chain validation ...................................................................... Patch Set 4: Code-Review+2 -- To view, visit https://gerrit.osmocom.org/c/pysim/+/35635?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: I961827c50ed5e34c6507bfdf853952ece5b0d121 Gerrit-Change-Number: 35635 Gerrit-PatchSet: 4 Gerrit-Owner: laforge <laforge(a)osmocom.org> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: laforge <laforge(a)osmocom.org> Gerrit-Comment-Date: Wed, 24 Jan 2024 08:45:42 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment

1 year, 5 months

1
0
0 0

[M] Change in pysim[master]: Move X.509 related code from osmo-smdpp to pySim.esim.x509_cert

by laforge

laforge has posted comments on this change. ( https://gerrit.osmocom.org/c/pysim/+/35634?usp=email ) Change subject: Move X.509 related code from osmo-smdpp to pySim.esim.x509_cert ...................................................................... Patch Set 2: Code-Review+2 -- To view, visit https://gerrit.osmocom.org/c/pysim/+/35634?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: I230ba0537b702b0bf6e9da9a430908ed2a21ca61 Gerrit-Change-Number: 35634 Gerrit-PatchSet: 2 Gerrit-Owner: laforge <laforge(a)osmocom.org> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: laforge <laforge(a)osmocom.org> Gerrit-Comment-Date: Wed, 24 Jan 2024 08:45:39 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment

1 year, 5 months

1
0
0 0

[M] Change in pysim[master]: New pySim.esim.x509_cert module for X.509 certificate handling

by laforge

laforge has posted comments on this change. ( https://gerrit.osmocom.org/c/pysim/+/35633?usp=email ) Change subject: New pySim.esim.x509_cert module for X.509 certificate handling ...................................................................... Patch Set 2: Code-Review+2 -- To view, visit https://gerrit.osmocom.org/c/pysim/+/35633?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: Ia8cc2dac02fcd96624dc6d9348f103373eeeb614 Gerrit-Change-Number: 35633 Gerrit-PatchSet: 2 Gerrit-Owner: laforge <laforge(a)osmocom.org> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: laforge <laforge(a)osmocom.org> Gerrit-Comment-Date: Wed, 24 Jan 2024 08:45:36 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment

1 year, 5 months

1
0
0 0

[M] Change in ...osmo-epdg[master]: Make CreateSession Req+Resp procedure async

by laforge

Attention is currently required from: pespin. laforge has posted comments on this change. ( https://gerrit.osmocom.org/c/erlang/osmo-epdg/+/35660?usp=email ) Change subject: Make CreateSession Req+Resp procedure async ...................................................................... Patch Set 1: Code-Review+1 -- To view, visit https://gerrit.osmocom.org/c/erlang/osmo-epdg/+/35660?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: erlang/osmo-epdg Gerrit-Branch: master Gerrit-Change-Id: Ib42ed08afa4a06149d2d72ac64487eec808e260f Gerrit-Change-Number: 35660 Gerrit-PatchSet: 1 Gerrit-Owner: pespin <pespin(a)sysmocom.de> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: laforge <laforge(a)osmocom.org> Gerrit-Attention: pespin <pespin(a)sysmocom.de> Gerrit-Comment-Date: Wed, 24 Jan 2024 08:43:23 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment

1 year, 5 months

1
0
0 0

[L] Change in ...osmo-epdg[master]: Introduce ue_fsm

by laforge

Attention is currently required from: pespin. laforge has posted comments on this change. ( https://gerrit.osmocom.org/c/erlang/osmo-epdg/+/35659?usp=email ) Change subject: Introduce ue_fsm ...................................................................... Patch Set 1: Code-Review+1 -- To view, visit https://gerrit.osmocom.org/c/erlang/osmo-epdg/+/35659?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: erlang/osmo-epdg Gerrit-Branch: master Gerrit-Change-Id: I0c960c4c250458384ed706a99582ec52083019f6 Gerrit-Change-Number: 35659 Gerrit-PatchSet: 1 Gerrit-Owner: pespin <pespin(a)sysmocom.de> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: laforge <laforge(a)osmocom.org> Gerrit-Attention: pespin <pespin(a)sysmocom.de> Gerrit-Comment-Date: Wed, 24 Jan 2024 08:43:01 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment

1 year, 5 months

1
0
0 0

[S] Change in ...osmo-epdg[master]: Forward IP Address from CreateSessionresponse in GSUP EPDG Tunnel Result

by laforge

Attention is currently required from: lynxis lazus, pespin. laforge has posted comments on this change. ( https://gerrit.osmocom.org/c/erlang/osmo-epdg/+/35658?usp=email ) Change subject: Forward IP Address from CreateSessionresponse in GSUP EPDG Tunnel Result ...................................................................... Patch Set 2: Code-Review+1 (1 comment) File rebar.config: https://gerrit.osmocom.org/c/erlang/osmo-epdg/+/35658/comment/aedb95e2_8959… PS2, Line 9: {osmo_gsup, {git, "https://gerrit.osmocom.org/erlang/osmo_gsup", {branch, "osmocom/epdg"}}} probably an unrelated change to switch the repo to upstream? -- To view, visit https://gerrit.osmocom.org/c/erlang/osmo-epdg/+/35658?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: erlang/osmo-epdg Gerrit-Branch: master Gerrit-Change-Id: I2a9130d242830daa826414a287f54862752017d2 Gerrit-Change-Number: 35658 Gerrit-PatchSet: 2 Gerrit-Owner: pespin <pespin(a)sysmocom.de> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: laforge <laforge(a)osmocom.org> Gerrit-Reviewer: lynxis lazus <lynxis(a)fe80.eu> Gerrit-Attention: pespin <pespin(a)sysmocom.de> Gerrit-Attention: lynxis lazus <lynxis(a)fe80.eu> Gerrit-Comment-Date: Wed, 24 Jan 2024 08:41:59 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment

1 year, 5 months

1
0
0 0

2025

2024

2023

2022

gerrit-log January 2024