June 2025 - gerrit-log - lists.osmocom.org

[L] Change in pysim[master]: smdpp: add proper tls support, cert generation

by laforge

Attention is currently required from: Hoernchen. laforge has posted comments on this change by Hoernchen. ( https://gerrit.osmocom.org/c/pysim/+/40464?usp=email ) Change subject: smdpp: add proper tls support, cert generation ...................................................................... Patch Set 1: (2 comments) Patchset: PS1: I'm not sure how re-generating the SGP.26 CI certificates would work _unless_ you were to re-use the SGP.26 CI private key? The point of SGP.26 is that they all are derived from the same well-known CI, and all derived certificates can be validated against the exact SGP.26 CA certificate that is published. File contrib/generate_certs.py: https://gerrit.osmocom.org/c/pysim/+/40464/comment/51e89c38_e807ad06?usp=em… : PS1, Line 4: Fa maybe a bit more context here (that this is about certificates for osmo-smdpp)? The name could also be called generate_smdpp_certs.py to make it obvious what kind of certs we're referring to? -- To view, visit https://gerrit.osmocom.org/c/pysim/+/40464?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: I84b2666422b8ff565620f3827ef4d4d7635a21be Gerrit-Change-Number: 40464 Gerrit-PatchSet: 1 Gerrit-Owner: Hoernchen <ewild(a)sysmocom.de> Gerrit-Reviewer: Jenkins Builder Gerrit-CC: laforge <laforge(a)osmocom.org> Gerrit-Attention: Hoernchen <ewild(a)sysmocom.de> Gerrit-Comment-Date: Fri, 13 Jun 2025 20:21:22 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No

1 week, 3 days

1
0
0 0

[XS] Change in pysim[master]: fix up missing requirements

by laforge

Attention is currently required from: Hoernchen. laforge has posted comments on this change by Hoernchen. ( https://gerrit.osmocom.org/c/pysim/+/40463?usp=email ) Change subject: fix up missing requirements ...................................................................... Patch Set 1: (1 comment) Patchset: PS1: the general idea was to *not* include all of osmo-smdpp's dependencies in pysim, as 99.9% of all uses just want pySim-{shell,trace,prog} and not any esim related stuff. Some of the more modern python packaging supports optional/conditional dependenices, AFAICT. The proper solution is to move osmo-smdpp to a seaparate git repo (+ python package), depending on the pySim.esim library code. -- To view, visit https://gerrit.osmocom.org/c/pysim/+/40463?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: If69b2bd5f8bc604443108c942c17eba9c22f4053 Gerrit-Change-Number: 40463 Gerrit-PatchSet: 1 Gerrit-Owner: Hoernchen <ewild(a)sysmocom.de> Gerrit-CC: Jenkins Builder Gerrit-CC: laforge <laforge(a)osmocom.org> Gerrit-Attention: Hoernchen <ewild(a)sysmocom.de> Gerrit-Comment-Date: Fri, 13 Jun 2025 20:15:35 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No

1 week, 3 days

1
0
0 0

[S] Change in pysim[master]: smdpp: verify cert chain

by Hoernchen

Hoernchen has uploaded this change for review. ( https://gerrit.osmocom.org/c/pysim/+/40469?usp=email ) Change subject: smdpp: verify cert chain ...................................................................... smdpp: verify cert chain Change-Id: I1e4e4b1b032dc6a8b7d15bd80d533a50fe0cff15 --- M osmo-smdpp.py 1 file changed, 20 insertions(+), 7 deletions(-) git pull ssh://gerrit.osmocom.org:29418/pysim refs/changes/69/40469/1 diff --git a/osmo-smdpp.py b/osmo-smdpp.py index b8b6303..290f77c 100755 --- a/osmo-smdpp.py +++ b/osmo-smdpp.py @@ -311,6 +311,20 @@ return cert return None + def validate_certificate_chain_for_verification(self, euicc_ci_pkid_list: List[bytes]) -> bool: + """Validate that SM-DP+ has valid certificate chains for the given CI PKIDs.""" + for ci_pkid in euicc_ci_pkid_list: + ci_cert = self.ci_get_cert_for_pkid(ci_pkid) + if ci_cert: + # Check if our DPauth certificate chains to this CI + try: + cs = CertificateSet(ci_cert) + cs.verify_cert_chain(self.dp_auth.cert) + return True + except VerifyError: + continue + return False + def __init__(self, server_hostname: str, ci_certs_path: str, common_cert_path: str, use_brainpool: bool = False): self.server_hostname = server_hostname self.upp_dir = os.path.realpath(os.path.join(DATA_DIR, 'upp')) @@ -394,6 +408,12 @@ pkid_list = euiccInfo1['euiccCiPKIdListForSigning'] if 'euiccCiPKIdListForSigningV3' in euiccInfo1: pkid_list = pkid_list + euiccInfo1['euiccCiPKIdListForSigningV3'] + + # Validate that SM-DP+ supports certificate chains for verification + verification_pkid_list = euiccInfo1.get('euiccCiPKIdListForVerification', []) + if verification_pkid_list and not self.validate_certificate_chain_for_verification(verification_pkid_list): + raise ApiError('8.8.4', '3.7', 'The SM-DP+ has no CERT.DPauth.SIG which chains to one of the eSIM CA Root CA Certificate with a Public Key supported by the eUICC') + # verify it supports one of the keys indicated by euiccCiPKIdListForSigning ci_cert = None for x in pkid_list: @@ -408,13 +428,6 @@ if not ci_cert: raise ApiError('8.8.2', '3.1', 'None of the proposed Public Key Identifiers is supported by the SM-DP+') - # TODO: Determine the set of CERT.DPauth.SIG that satisfy the following criteria: - # * Part of a certificate chain ending at one of the eSIM CA RootCA Certificate, whose Public Keys is - # supported by the eUICC (indicated by euiccCiPKIdListForVerification). - # * Using a certificate chain that the eUICC and the LPA both support: - #euiccInfo1['euiccCiPKIdListForVerification'] - # raise ApiError('8.8.4', '3.7', 'The SM-DP+ has no CERT.DPauth.SIG which chains to one of the eSIM CA Root CA CErtificate with a Public Key supported by the eUICC') - # Generate a TransactionID which is used to identify the ongoing RSP session. The TransactionID # SHALL be unique within the scope and lifetime of each SM-DP+. transactionId = uuid.uuid4().hex.upper() -- To view, visit https://gerrit.osmocom.org/c/pysim/+/40469?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: newchange Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: I1e4e4b1b032dc6a8b7d15bd80d533a50fe0cff15 Gerrit-Change-Number: 40469 Gerrit-PatchSet: 1 Gerrit-Owner: Hoernchen <ewild(a)sysmocom.de>

1 week, 3 days

1
0
0 0

[M] Change in pysim[master]: smdpp: validate eid

by Hoernchen

Hoernchen has uploaded this change for review. ( https://gerrit.osmocom.org/c/pysim/+/40467?usp=email ) Change subject: smdpp: validate eid ...................................................................... smdpp: validate eid Change-Id: Ice704548cb62f14943927b5295007db13c807031 --- M osmo-smdpp.py 1 file changed, 167 insertions(+), 2 deletions(-) git pull ssh://gerrit.osmocom.org:29418/pysim refs/changes/67/40467/1 diff --git a/osmo-smdpp.py b/osmo-smdpp.py index 74863f3..92bbb42 100755 --- a/osmo-smdpp.py +++ b/osmo-smdpp.py @@ -71,6 +71,169 @@ if admin_protocol and not admin_protocol.startswith('gsma/rsp/v'): raise ApiError('1.2.2', '2.1', 'Unsupported X-Admin-Protocol version') +def get_eum_certificate_variant(eum_cert) -> str: + """Determine EUM certificate variant by checking Certificate Policies extension. + Returns 'O' for old variant, or 'NEW' for Ov3/A/B/C variants.""" + + try: + cert_policies_ext = eum_cert.extensions.get_extension_for_oid( + x509.oid.ExtensionOID.CERTIFICATE_POLICIES + ) + + for policy in cert_policies_ext.value: + policy_oid = policy.policy_identifier.dotted_string + print(f"Found certificate policy: {policy_oid}") + + if policy_oid == '2.23.146.1.2.1.2': + print("Detected EUM certificate variant: O (old)") + return 'O' + elif policy_oid == '2.23.146.1.2.1.0.0.0': + print("Detected EUM certificate variant: Ov3/A/B/C (new)") + return 'NEW' + except x509.ExtensionNotFound: + print("No Certificate Policies extension found") + except Exception as e: + print(f"Error checking certificate policies: {e}") + +def parse_permitted_eins_from_cert(eum_cert) -> List[str]: + """Extract permitted IINs from EUM certificate using the appropriate method + based on certificate variant (O vs Ov3/A/B/C). + Returns list of permitted IINs (basically prefixes that valid EIDs must start with).""" + + # Determine certificate variant first + cert_variant = get_eum_certificate_variant(eum_cert) + permitted_iins = [] + + if cert_variant == 'O': + # Old variant - use nameConstraints extension + print("Using nameConstraints parsing for variant O certificate") + permitted_iins.extend(_parse_name_constraints_eins(eum_cert)) + + else: + # New variants (Ov3, A, B, C) - use GSMA permittedEins extension + print("Using GSMA permittedEins parsing for newer certificate variant") + permitted_iins.extend(_parse_gsma_permitted_eins(eum_cert)) + + unique_iins = list(set(permitted_iins)) + + print(f"Total unique permitted IINs found: {len(unique_iins)}") + return unique_iins + +def _parse_gsma_permitted_eins(eum_cert) -> List[str]: + """Parse the GSMA permittedEins extension using correct ASN.1 structure. + PermittedEins ::= SEQUENCE OF PrintableString + Each string contains an IIN (Issuer Identification Number) - a prefix of valid EIDs.""" + permitted_iins = [] + + try: + permitted_eins_oid = x509.ObjectIdentifier('2.23.146.1.2.2.0') # sgp26: 2.23.146.1.2.2.0 = ASN1:SEQUENCE:permittedEins + + for ext in eum_cert.extensions: + if ext.oid == permitted_eins_oid: + print(f"Found GSMA permittedEins extension: {ext.oid}") + + # Get the DER-encoded extension value + ext_der = ext.value.value if hasattr(ext.value, 'value') else ext.value + + if isinstance(ext_der, bytes): + try: + import asn1tools + + permitted_eins_schema = """ + PermittedEins DEFINITIONS ::= BEGIN + PermittedEins ::= SEQUENCE OF PrintableString + END + """ + decoder = asn1tools.compile_string(permitted_eins_schema) + decoded_strings = decoder.decode('PermittedEins', ext_der) + + for iin_string in decoded_strings: + # Each string contains an IIN -> prefix of euicc EID + iin_clean = iin_string.strip().upper() + + # IINs is 8 chars per sgp22, var len according to sgp29, fortunately we don't care + if (len(iin_clean) == 8 and + all(c in '0123456789ABCDEF' for c in iin_clean) and + len(iin_clean) % 2 == 0): + permitted_iins.append(iin_clean) + print(f"Found permitted IIN (GSMA): {iin_clean}") + else: + print(f"Invalid IIN format: {iin_string} (cleaned: {iin_clean})") + except Exception as e: + print(f"Error parsing GSMA permittedEins extension: {e}") + + except Exception as e: + print(f"Error accessing GSMA certificate extensions: {e}") + + return permitted_iins + + +def _parse_name_constraints_eins(eum_cert) -> List[str]: + """Parse permitted IINs from nameConstraints extension (variant O).""" + permitted_iins = [] + + try: + # Look for nameConstraints extension + name_constraints_ext = eum_cert.extensions.get_extension_for_oid( + x509.oid.ExtensionOID.NAME_CONSTRAINTS + ) + + print("Found nameConstraints extension (variant O)") + name_constraints = name_constraints_ext.value + + # Check permittedSubtrees for IIN constraints + if name_constraints.permitted_subtrees: + for subtree in name_constraints.permitted_subtrees: + print(f"Processing permitted subtree: {subtree}") + + if isinstance(subtree, x509.DirectoryName): + for attribute in subtree.value: + # IINs for O in serialNumber + if attribute.oid == x509.oid.NameOID.SERIAL_NUMBER: + serial_value = attribute.value.upper() + # sgp22 8, sgp29 var len, fortunately we don't care + if (len(serial_value) == 8 and + all(c in '0123456789ABCDEF' for c in serial_value) and + len(serial_value) % 2 == 0): + permitted_iins.append(serial_value) + print(f"Found permitted IIN (nameConstraints/DN): {serial_value}") + + except x509.ExtensionNotFound: + print("No nameConstraints extension found") + except Exception as e: + print(f"Error parsing nameConstraints: {e}") + + return permitted_iins + + +def validate_eid_range(eid: str, eum_cert) -> bool: + """Validate that EID is within the permitted EINs of the EUM certificate.""" + if not eid or len(eid) != 32: + print(f"Invalid EID format: {eid}") + return False + + try: + permitted_eins = parse_permitted_eins_from_cert(eum_cert) + + if not permitted_eins: + print("Warning: No permitted EINs found in EUM certificate") + return False + + eid_normalized = eid.upper() + print(f"Validating EID {eid_normalized} against {len(permitted_eins)} permitted EINs") + + for permitted_ein in permitted_eins: + if eid_normalized.startswith(permitted_ein): + print(f"EID {eid_normalized} matches permitted EIN {permitted_ein}") + return True + + print(f"EID {eid_normalized} is not in any permitted EIN list") + return False + + except Exception as e: + print(f"Error validating EID: {e}") + return False + def build_status_code(subject_code: str, reason_code: str, subject_id: Optional[str], message: Optional[str]) -> Dict: r = {'subjectCode': subject_code, 'reasonCode': reason_code } if subject_id: @@ -346,11 +509,13 @@ if not self._ecdsa_verify(euicc_cert, euiccSignature1_bin, euiccSigned1_bin): raise ApiError('8.1', '6.1', 'Verification failed (euiccSignature1 over euiccSigned1)') - # TODO: verify EID of eUICC cert is within permitted range of EUM cert - ss.eid = ss.euicc_cert.subject.get_attributes_for_oid(x509.oid.NameOID.SERIAL_NUMBER)[0].value print("EID (from eUICC cert): %s" % ss.eid) + # Verify EID is within permitted range of EUM certificate + if not validate_eid_range(ss.eid, eum_cert): + raise ApiError('8.1.4', '6.1', 'EID is not within the permitted range of the EUM certificate') + # Verify that the serverChallenge attached to the ongoing RSP session matches the # serverChallenge returned by the eUICC. Otherwise, the SM-DP+ SHALL return a status code "eUICC - # Verification failed". -- To view, visit https://gerrit.osmocom.org/c/pysim/+/40467?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: newchange Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: Ice704548cb62f14943927b5295007db13c807031 Gerrit-Change-Number: 40467 Gerrit-PatchSet: 1 Gerrit-Owner: Hoernchen <ewild(a)sysmocom.de>

1 week, 3 days

1
0
0 0

[L] Change in pysim[master]: smdpp: add proper tls support, cert generation

by Hoernchen

Hoernchen has uploaded this change for review. ( https://gerrit.osmocom.org/c/pysim/+/40464?usp=email ) Change subject: smdpp: add proper tls support, cert generation ...................................................................... smdpp: add proper tls support, cert generation If TLS is enabled (default) it will automagically generate missing pem files + dh params. A faithful reproduction of the certs found in SGP.26_v1.5_Certificates_18_07_2024.zip can be generated by running contrib/generate_certs.py. This allows adjusting the expiry dates, CA flag, and other parameters. They can be used by running $ python -u osmo-smdpp.py -c generated Change-Id: I84b2666422b8ff565620f3827ef4d4d7635a21be --- M .gitignore A contrib/generate_certs.py M osmo-smdpp.py 3 files changed, 705 insertions(+), 12 deletions(-) git pull ssh://gerrit.osmocom.org:29418/pysim refs/changes/64/40464/1 diff --git a/.gitignore b/.gitignore index e9fa1d3..6b74841 100644 --- a/.gitignore +++ b/.gitignore @@ -10,3 +10,6 @@ /smdpp-data/sm-dp-sessions dist tags +smdpp-data/certs/DPtls/CERT_S_SM_DP_TLS_NIST.pem +smdpp-data/generated +smdpp-data/certs/dhparam2048.pem diff --git a/contrib/generate_certs.py b/contrib/generate_certs.py new file mode 100755 index 0000000..c107737 --- /dev/null +++ b/contrib/generate_certs.py @@ -0,0 +1,659 @@ +#!/usr/bin/env python3 + +""" +Faithfully reproduces the certs contained in SGP.26_v1.5_Certificates_18_07_2024.zip +""" + +import os +import binascii +from datetime import datetime +from cryptography import x509 +from cryptography.x509.oid import NameOID, ExtensionOID +from cryptography.hazmat.primitives import hashes, serialization +from cryptography.hazmat.primitives.asymmetric import ec +from cryptography.hazmat.backends import default_backend + +# Custom OIDs used in certificates +OID_CERTIFICATE_POLICIES_CI = "2.23.146.1.2.1.0" # CI cert policy +OID_CERTIFICATE_POLICIES_TLS = "2.23.146.1.2.1.3" # DPtls cert policy +OID_CERTIFICATE_POLICIES_AUTH = "2.23.146.1.2.1.4" # DPauth cert policy +OID_CERTIFICATE_POLICIES_PB = "2.23.146.1.2.1.5" # DPpb cert policy + +# Subject Alternative Name OIDs +OID_CI_RID = "2.999.1" # CI Registered ID +OID_DP_RID = "2.999.10" # DP+ Registered ID +OID_DP2_RID = "2.999.12" # DP+2 Registered ID +OID_DP4_RID = "2.999.14" # DP+4 Registered ID +OID_DP8_RID = "2.999.18" # DP+8 Registered ID + + +class SimplifiedCertificateGenerator: + def __init__(self): + self.backend = default_backend() + # Store generated CI keys to sign other certs + self.ci_certs = {} # {"BRP": cert, "NIST": cert} + self.ci_keys = {} # {"BRP": key, "NIST": key} + + def get_curve(self, curve_type): + """Get the appropriate curve object.""" + if curve_type == "BRP": + return ec.BrainpoolP256R1() + else: + return ec.SECP256R1() + + def generate_key_pair(self, curve): + """Generate a new EC key pair.""" + private_key = ec.generate_private_key(curve, self.backend) + return private_key + + def load_private_key_from_hex(self, hex_key, curve): + """Load EC private key from hex string.""" + key_bytes = binascii.unhexlify(hex_key.replace(":", "").replace(" ", "").replace("\n", "")) + key_int = int.from_bytes(key_bytes, 'big') + return ec.derive_private_key(key_int, curve, self.backend) + + def generate_ci_cert(self, curve_type): + """Generate CI certificate for either BRP or NIST curve.""" + curve = self.get_curve(curve_type) + private_key = self.generate_key_pair(curve) + + # Build subject and issuer (self-signed) - same for both + subject = issuer = x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, "Test CI"), + x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "TESTCERT"), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, "RSPTEST"), + x509.NameAttribute(NameOID.COUNTRY_NAME, "IT"), + ]) + + # Build certificate - all parameters same for both + builder = x509.CertificateBuilder() + builder = builder.subject_name(subject) + builder = builder.issuer_name(issuer) + builder = builder.not_valid_before(datetime(2020, 4, 1, 8, 27, 51)) + builder = builder.not_valid_after(datetime(2055, 4, 1, 8, 27, 51)) + builder = builder.serial_number(0xb874f3abfa6c44d3) + builder = builder.public_key(private_key.public_key()) + + # Add extensions - all same for both + builder = builder.add_extension( + x509.SubjectKeyIdentifier.from_public_key(private_key.public_key()), + critical=False + ) + + builder = builder.add_extension( + x509.BasicConstraints(ca=True, path_length=None), + critical=True + ) + + builder = builder.add_extension( + x509.CertificatePolicies([ + x509.PolicyInformation( + x509.ObjectIdentifier(OID_CERTIFICATE_POLICIES_CI), + policy_qualifiers=None + ) + ]), + critical=True + ) + + builder = builder.add_extension( + x509.KeyUsage( + digital_signature=False, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=False, + key_cert_sign=True, + crl_sign=True, + encipher_only=False, + decipher_only=False + ), + critical=True + ) + + builder = builder.add_extension( + x509.SubjectAlternativeName([ + x509.RegisteredID(x509.ObjectIdentifier(OID_CI_RID)) + ]), + critical=False + ) + + builder = builder.add_extension( + x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=[x509.UniformResourceIdentifier("http://ci.test.example.com/CRL-A.crl")], + relative_name=None, + reasons=None, + crl_issuer=None + ), + x509.DistributionPoint( + full_name=[x509.UniformResourceIdentifier("http://ci.test.example.com/CRL-B.crl")], + relative_name=None, + reasons=None, + crl_issuer=None + ) + ]), + critical=False + ) + + certificate = builder.sign(private_key, hashes.SHA256(), self.backend) + + self.ci_keys[curve_type] = private_key + self.ci_certs[curve_type] = certificate + + return certificate, private_key + + def generate_dp_cert(self, curve_type, subject_cn, serial, key_hex, + cert_policy_oid, rid_oid, validity_start, validity_end): + """Generate a DP certificate signed by CI - works for both BRP and NIST.""" + curve = self.get_curve(curve_type) + private_key = self.load_private_key_from_hex(key_hex, curve) + + ci_cert = self.ci_certs[curve_type] + ci_key = self.ci_keys[curve_type] + + subject = x509.Name([ + x509.NameAttribute(NameOID.ORGANIZATION_NAME, "ACME"), + x509.NameAttribute(NameOID.COMMON_NAME, subject_cn), + ]) + + builder = x509.CertificateBuilder() + builder = builder.subject_name(subject) + builder = builder.issuer_name(ci_cert.subject) + builder = builder.not_valid_before(validity_start) + builder = builder.not_valid_after(validity_end) + builder = builder.serial_number(serial) + builder = builder.public_key(private_key.public_key()) + + builder = builder.add_extension( + x509.AuthorityKeyIdentifier.from_issuer_public_key(ci_key.public_key()), + critical=False + ) + + builder = builder.add_extension( + x509.SubjectKeyIdentifier.from_public_key(private_key.public_key()), + critical=False + ) + + builder = builder.add_extension( + x509.SubjectAlternativeName([ + x509.RegisteredID(x509.ObjectIdentifier(rid_oid)) + ]), + critical=False + ) + + builder = builder.add_extension( + x509.KeyUsage( + digital_signature=True, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=False, + key_cert_sign=False, + crl_sign=False, + encipher_only=False, + decipher_only=False + ), + critical=True + ) + + builder = builder.add_extension( + x509.CertificatePolicies([ + x509.PolicyInformation( + x509.ObjectIdentifier(cert_policy_oid), + policy_qualifiers=None + ) + ]), + critical=True + ) + + builder = builder.add_extension( + x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=[x509.UniformResourceIdentifier("http://ci.test.example.com/CRL-A.crl")], + relative_name=None, + reasons=None, + crl_issuer=None + ), + x509.DistributionPoint( + full_name=[x509.UniformResourceIdentifier("http://ci.test.example.com/CRL-B.crl")], + relative_name=None, + reasons=None, + crl_issuer=None + ) + ]), + critical=False + ) + + certificate = builder.sign(ci_key, hashes.SHA256(), self.backend) + + return certificate, private_key + + def generate_tls_cert(self, curve_type, subject_cn, dns_name, serial, key_hex, + rid_oid, validity_start, validity_end): + """Generate a TLS certificate signed by CI.""" + curve = self.get_curve(curve_type) + private_key = self.load_private_key_from_hex(key_hex, curve) + + ci_cert = self.ci_certs[curve_type] + ci_key = self.ci_keys[curve_type] + + subject = x509.Name([ + x509.NameAttribute(NameOID.ORGANIZATION_NAME, "ACME"), + x509.NameAttribute(NameOID.COMMON_NAME, subject_cn), + ]) + + builder = x509.CertificateBuilder() + builder = builder.subject_name(subject) + builder = builder.issuer_name(ci_cert.subject) + builder = builder.not_valid_before(validity_start) + builder = builder.not_valid_after(validity_end) + builder = builder.serial_number(serial) + builder = builder.public_key(private_key.public_key()) + + builder = builder.add_extension( + x509.KeyUsage( + digital_signature=True, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=False, + key_cert_sign=False, + crl_sign=False, + encipher_only=False, + decipher_only=False + ), + critical=True + ) + + builder = builder.add_extension( + x509.ExtendedKeyUsage([ + x509.oid.ExtendedKeyUsageOID.SERVER_AUTH, + x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH + ]), + critical=True + ) + + builder = builder.add_extension( + x509.CertificatePolicies([ + x509.PolicyInformation( + x509.ObjectIdentifier(OID_CERTIFICATE_POLICIES_TLS), + policy_qualifiers=None + ) + ]), + critical=False + ) + + builder = builder.add_extension( + x509.SubjectKeyIdentifier.from_public_key(private_key.public_key()), + critical=False + ) + + builder = builder.add_extension( + x509.AuthorityKeyIdentifier.from_issuer_public_key(ci_key.public_key()), + critical=False + ) + + builder = builder.add_extension( + x509.SubjectAlternativeName([ + x509.DNSName(dns_name), + x509.RegisteredID(x509.ObjectIdentifier(rid_oid)) + ]), + critical=False + ) + + builder = builder.add_extension( + x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=[x509.UniformResourceIdentifier("http://ci.test.example.com/CRL-A.crl")], + relative_name=None, + reasons=None, + crl_issuer=None + ), + x509.DistributionPoint( + full_name=[x509.UniformResourceIdentifier("http://ci.test.example.com/CRL-B.crl")], + relative_name=None, + reasons=None, + crl_issuer=None + ) + ]), + critical=False + ) + + certificate = builder.sign(ci_key, hashes.SHA256(), self.backend) + + return certificate, private_key + + def generate_eum_cert(self, curve_type, key_hex): + """Generate EUM certificate signed by CI.""" + curve = self.get_curve(curve_type) + private_key = self.load_private_key_from_hex(key_hex, curve) + + ci_cert = self.ci_certs[curve_type] + ci_key = self.ci_keys[curve_type] + + subject = x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, "ES"), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, "RSP Test EUM"), + x509.NameAttribute(NameOID.COMMON_NAME, "EUM Test"), + ]) + + builder = x509.CertificateBuilder() + builder = builder.subject_name(subject) + builder = builder.issuer_name(ci_cert.subject) + builder = builder.not_valid_before(datetime(2020, 4, 1, 9, 28, 37)) + builder = builder.not_valid_after(datetime(2054, 3, 24, 9, 28, 37)) + builder = builder.serial_number(0x12345678) + builder = builder.public_key(private_key.public_key()) + + builder = builder.add_extension( + x509.AuthorityKeyIdentifier.from_issuer_public_key(ci_key.public_key()), + critical=False + ) + + builder = builder.add_extension( + x509.SubjectKeyIdentifier.from_public_key(private_key.public_key()), + critical=False + ) + + builder = builder.add_extension( + x509.KeyUsage( + digital_signature=False, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=False, + key_cert_sign=True, + crl_sign=False, + encipher_only=False, + decipher_only=False + ), + critical=True + ) + + builder = builder.add_extension( + x509.CertificatePolicies([ + x509.PolicyInformation( + x509.ObjectIdentifier("2.23.146.1.2.1.2"), # EUM policy + policy_qualifiers=None + ) + ]), + critical=True + ) + + builder = builder.add_extension( + x509.SubjectAlternativeName([ + x509.RegisteredID(x509.ObjectIdentifier("2.999.5")) + ]), + critical=False + ) + + builder = builder.add_extension( + x509.BasicConstraints(ca=True, path_length=0), + critical=True + ) + + builder = builder.add_extension( + x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=[x509.UniformResourceIdentifier("http://ci.test.example.com/CRL-B.crl")], + relative_name=None, + reasons=None, + crl_issuer=None + ) + ]), + critical=False + ) + + # Name Constraints + constrained_name = x509.Name([ + x509.NameAttribute(NameOID.ORGANIZATION_NAME, "RSP Test EUM"), + x509.NameAttribute(NameOID.SERIAL_NUMBER, "89049032"), + ]) + + name_constraints = x509.NameConstraints( + permitted_subtrees=[ + x509.DirectoryName(constrained_name) + ], + excluded_subtrees=None + ) + + builder = builder.add_extension( + name_constraints, + critical=True + ) + + certificate = builder.sign(ci_key, hashes.SHA256(), self.backend) + + return certificate, private_key + + def generate_euicc_cert(self, curve_type, eum_cert, eum_key, key_hex): + """Generate eUICC certificate signed by EUM.""" + curve = self.get_curve(curve_type) + private_key = self.load_private_key_from_hex(key_hex, curve) + + subject = x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, "ES"), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, "RSP Test EUM"), + x509.NameAttribute(NameOID.SERIAL_NUMBER, "89049032123451234512345678901235"), + x509.NameAttribute(NameOID.COMMON_NAME, "Test eUICC"), + ]) + + builder = x509.CertificateBuilder() + builder = builder.subject_name(subject) + builder = builder.issuer_name(eum_cert.subject) + builder = builder.not_valid_before(datetime(2020, 4, 1, 9, 48, 58)) + builder = builder.not_valid_after(datetime(7496, 1, 24, 9, 48, 58)) + builder = builder.serial_number(0x0200000000000001) + builder = builder.public_key(private_key.public_key()) + + builder = builder.add_extension( + x509.AuthorityKeyIdentifier.from_issuer_public_key(eum_key.public_key()), + critical=False + ) + + builder = builder.add_extension( + x509.SubjectKeyIdentifier.from_public_key(private_key.public_key()), + critical=False + ) + + builder = builder.add_extension( + x509.KeyUsage( + digital_signature=True, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=False, + key_cert_sign=False, + crl_sign=False, + encipher_only=False, + decipher_only=False + ), + critical=True + ) + + builder = builder.add_extension( + x509.CertificatePolicies([ + x509.PolicyInformation( + x509.ObjectIdentifier("2.23.146.1.2.1.1"), # eUICC policy + policy_qualifiers=None + ) + ]), + critical=True + ) + + certificate = builder.sign(eum_key, hashes.SHA256(), self.backend) + + return certificate, private_key + + def save_cert_and_key(self, cert, key, cert_path_der, cert_path_pem, key_path_sk, key_path_pk): + """Save certificate and key in various formats.""" + # Create directories if needed + os.makedirs(os.path.dirname(cert_path_der), exist_ok=True) + + with open(cert_path_der, "wb") as f: + f.write(cert.public_bytes(serialization.Encoding.DER)) + + if cert_path_pem: + with open(cert_path_pem, "wb") as f: + f.write(cert.public_bytes(serialization.Encoding.PEM)) + + if key and key_path_sk: + with open(key_path_sk, "wb") as f: + f.write(key.private_bytes( + encoding=serialization.Encoding.PEM, + format=serialization.PrivateFormat.TraditionalOpenSSL, + encryption_algorithm=serialization.NoEncryption() + )) + + if key and key_path_pk: + with open(key_path_pk, "wb") as f: + f.write(key.public_key().public_bytes( + encoding=serialization.Encoding.PEM, + format=serialization.PublicFormat.SubjectPublicKeyInfo + )) + + +def main(): + gen = SimplifiedCertificateGenerator() + + output_dir = "smdpp-data/generated" + os.makedirs(output_dir, exist_ok=True) + + print("=== Generating CI Certificates ===") + + for curve_type in ["BRP", "NIST"]: + ci_cert, ci_key = gen.generate_ci_cert(curve_type) + suffix = "_ECDSA_BRP" if curve_type == "BRP" else "_ECDSA_NIST" + gen.save_cert_and_key( + ci_cert, ci_key, + f"{output_dir}/CertificateIssuer/CERT_CI{suffix}.der", + f"{output_dir}/CertificateIssuer/CERT_CI{suffix}.pem", + None, None + ) + print(f"Generated CI {curve_type} certificate") + + print("\n=== Generating DPauth Certificates ===") + + dpauth_configs = [ + ("BRP", "TEST SM-DP+", 256, "93:fb:33:d0:58:4f:34:9b:07:f8:b5:d2:af:93:d7:c3:e3:54:b3:49:a3:b9:13:50:2e:6a:bc:07:0e:4d:49:29", OID_DP_RID, "DPauth"), + ("NIST", "TEST SM-DP+", 256, "0a:7c:c1:c2:44:e6:0c:52:cd:5b:78:07:ab:8c:36:0c:26:52:46:01:50:7d:ca:bc:5d:d5:98:b5:a6:16:d5:d5", OID_DP_RID, "DPauth"), + ("BRP", "TEST SM-DP+2", 512, "0c:17:35:5c:01:1d:0f:e8:d7:da:dd:63:f1:97:85:cf:6c:51:cb:cd:46:6a:e8:8b:e8:f8:1b:c1:05:88:46:f6", OID_DP2_RID, "DP2auth"), + ("NIST", "TEST SM-DP+2", 512, "9c:32:a0:95:d4:88:42:d9:ff:a4:04:f7:12:51:2a:a2:c5:42:5a:1a:26:38:6a:b6:a1:45:d5:81:1e:03:91:41", OID_DP2_RID, "DP2auth"), + ] + + for curve_type, cn, serial, key_hex, rid_oid, name_prefix in dpauth_configs: + cert, key = gen.generate_dp_cert( + curve_type, cn, serial, key_hex, + OID_CERTIFICATE_POLICIES_AUTH, rid_oid, + datetime(2020, 4, 1, 8, 31, 30), + datetime(2030, 3, 30, 8, 31, 30) + ) + suffix = "_ECDSA_BRP" if curve_type == "BRP" else "_ECDSA_NIST" + gen.save_cert_and_key( + cert, key, + f"{output_dir}/DPauth/CERT_S_SM_{name_prefix}{suffix}.der", + None, + f"{output_dir}/DPauth/SK_S_SM_{name_prefix}{suffix}.pem", + f"{output_dir}/DPauth/PK_S_SM_{name_prefix}{suffix}.pem" + ) + print(f"Generated {name_prefix} {curve_type} certificate") + + print("\n=== Generating DPpb Certificates ===") + + dppb_configs = [ + ("BRP", "TEST SM-DP+", 257, "75:ff:32:2f:41:66:16:da:e1:a4:84:ef:71:d4:87:4f:b0:df:32:95:fd:35:c2:cb:a4:89:fb:b2:bb:9c:7b:f6", OID_DP_RID, "DPpb"), + ("NIST", "TEST SM-DP+", 257, "dc:d6:94:b7:78:95:7e:8e:9a:dd:bd:d9:44:33:e9:ef:8f:73:d1:1e:49:1c:48:d4:25:a3:8a:94:91:bd:3b:ed", OID_DP_RID, "DPpb"), + ("BRP", "TEST SM-DP+2", 513, "9c:ae:2e:1a:56:07:a9:d5:78:38:2e:ee:93:2e:25:1f:52:30:4f:86:ee:b1:f1:70:8c:db:d3:c0:7b:e2:cd:3d", OID_DP2_RID, "DP2pb"), + ("NIST", "TEST SM-DP+2", 513, "66:93:11:49:63:9d:ba:ac:1d:c3:d3:06:c5:8b:d2:df:d2:2f:73:bf:63:ac:86:31:98:32:90:b5:7f:90:93:45", OID_DP2_RID, "DP2pb"), + ] + + for curve_type, cn, serial, key_hex, rid_oid, name_prefix in dppb_configs: + cert, key = gen.generate_dp_cert( + curve_type, cn, serial, key_hex, + OID_CERTIFICATE_POLICIES_PB, rid_oid, + datetime(2020, 4, 1, 8, 34, 46), + datetime(2030, 3, 30, 8, 34, 46) + ) + suffix = "_ECDSA_BRP" if curve_type == "BRP" else "_ECDSA_NIST" + gen.save_cert_and_key( + cert, key, + f"{output_dir}/DPpb/CERT_S_SM_{name_prefix}{suffix}.der", + None, + f"{output_dir}/DPpb/SK_S_SM_{name_prefix}{suffix}.pem", + f"{output_dir}/DPpb/PK_S_SM_{name_prefix}{suffix}.pem" + ) + print(f"Generated {name_prefix} {curve_type} certificate") + + print("\n=== Generating DPtls Certificates ===") + + dptls_configs = [ + ("BRP", "testsmdpplus1.example.com", "testsmdpplus1.example.com", 9, "3f:67:15:28:02:b3:f4:c7:fa:e6:79:58:55:f6:82:54:1e:45:e3:5e:ff:f4:e8:a0:55:65:a0:f1:91:2a:78:2e", OID_DP_RID, "DP_TLS_BRP"), + ("NIST", "testsmdpplus1.example.com", "testsmdpplus1.example.com", 9, "a0:3e:7c:e4:55:04:74:be:a4:b7:a8:73:99:ce:5a:8c:9f:66:1b:68:0f:94:01:39:ff:f8:4e:9d:ec:6a:4d:8c", OID_DP_RID, "DP_TLS_NIST"), + ("NIST", "testsmdpplus2.example.com", "testsmdpplus2.example.com", 12, "4e:65:61:c6:40:88:f6:69:90:7a:db:e3:94:b1:1a:84:24:2e:03:3a:82:a8:84:02:31:63:6d:c9:1b:4e:e3:f5", OID_DP2_RID, "DP2_TLS"), + ("NIST", "testsmdpplus4.example.com", "testsmdpplus4.example.com", 14, "f2:65:9d:2f:52:8f:4b:11:37:40:d5:8a:0d:2a:f3:eb:2b:48:e1:22:c2:b6:0a:6a:f6:fc:96:ad:86:be:6f:a4", OID_DP4_RID, "DP4_TLS"), + ("NIST", "testsmdpplus8.example.com", "testsmdpplus8.example.com", 18, "ff:6e:4a:50:9b:ad:db:38:10:88:31:c2:3c:cc:2d:44:30:7a:f2:81:e9:25:96:7f:8c:df:1d:95:54:a0:28:8d", OID_DP8_RID, "DP8_TLS"), + ] + + for curve_type, cn, dns, serial, key_hex, rid_oid, name_prefix in dptls_configs: + cert, key = gen.generate_tls_cert( + curve_type, cn, dns, serial, key_hex, rid_oid, + datetime(2024, 7, 9, 15, 29, 36), + datetime(2025, 8, 11, 15, 29, 36) + ) + gen.save_cert_and_key( + cert, key, + f"{output_dir}/DPtls/CERT_S_SM_{name_prefix}.der", + None, + f"{output_dir}/DPtls/SK_S_SM_{name_prefix.replace('_BRP', '_BRP').replace('_NIST', '_NIST')}.pem", + f"{output_dir}/DPtls/PK_S_SM_{name_prefix.replace('_BRP', '_BRP').replace('_NIST', '_NIST')}.pem" + ) + print(f"Generated {name_prefix} certificate") + + print("\n=== Generating EUM Certificates ===") + + eum_configs = [ + ("BRP", "12:9b:0a:b1:3f:17:e1:4a:40:b6:fa:4e:d8:23:e0:cf:46:5b:7b:3d:73:24:05:e6:29:5d:3b:23:b0:45:c9:9a"), + ("NIST", "25:e6:75:77:28:e1:e9:51:13:51:9c:dc:34:55:5c:29:ba:ed:23:77:3a:c5:af:dd:dc:da:d9:84:89:8a:52:f0"), + ] + + eum_certs = {} + eum_keys = {} + + for curve_type, key_hex in eum_configs: + cert, key = gen.generate_eum_cert(curve_type, key_hex) + eum_certs[curve_type] = cert + eum_keys[curve_type] = key + suffix = "_ECDSA_BRP" if curve_type == "BRP" else "_ECDSA_NIST" + gen.save_cert_and_key( + cert, key, + f"{output_dir}/EUM/CERT_EUM{suffix}.der", + None, + f"{output_dir}/EUM/SK_EUM{suffix}.pem", + f"{output_dir}/EUM/PK_EUM{suffix}.pem" + ) + print(f"Generated EUM {curve_type} certificate") + + print("\n=== Generating eUICC Certificates ===") + + euicc_configs = [ + ("BRP", "8d:c3:47:a7:6d:b7:bd:d6:22:2d:d7:5e:a1:a1:68:8a:ca:81:1e:4c:bc:6a:7f:6a:ef:a4:b2:64:19:62:0b:90"), + ("NIST", "11:e1:54:67:dc:19:4f:33:71:83:e4:60:c9:f6:32:60:09:1e:12:e8:10:26:cd:65:61:e1:7c:6d:85:39:cc:9c"), + ] + + for curve_type, key_hex in euicc_configs: + cert, key = gen.generate_euicc_cert(curve_type, eum_certs[curve_type], eum_keys[curve_type], key_hex) + suffix = "_ECDSA_BRP" if curve_type == "BRP" else "_ECDSA_NIST" + gen.save_cert_and_key( + cert, key, + f"{output_dir}/eUICC/CERT_EUICC{suffix}.der", + None, + f"{output_dir}/eUICC/SK_EUICC{suffix}.pem", + f"{output_dir}/eUICC/PK_EUICC{suffix}.pem" + ) + print(f"Generated eUICC {curve_type} certificate") + + print("\n=== Certificate generation complete! ===") + print(f"All certificates saved to: {output_dir}/") + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/osmo-smdpp.py b/osmo-smdpp.py index 9328b99..5baa154 100755 --- a/osmo-smdpp.py +++ b/osmo-smdpp.py @@ -17,6 +17,13 @@ # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. +from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature, encode_dss_signature +from cryptography import x509 +from cryptography.exceptions import InvalidSignature +from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives.asymmetric import ec, dh +from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat, PrivateFormat, NoEncryption, ParameterFormat +from pathlib import Path import json import sys import argparse @@ -72,12 +79,6 @@ if status_code_data: js['header']['functionExecutionStatus']['statusCodeData'] = status_code_data -from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature, encode_dss_signature -from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat, PrivateFormat, NoEncryption -from cryptography.hazmat.primitives.asymmetric import ec -from cryptography.hazmat.primitives import hashes -from cryptography.exceptions import InvalidSignature -from cryptography import x509 def ecdsa_tr03111_to_dss(sig: bytes) -> bytes: """convert an ECDSA signature from BSI TR-03111 format to DER: first get long integers; then encode those.""" @@ -134,13 +135,13 @@ return cert return None - def __init__(self, server_hostname: str, ci_certs_path: str, use_brainpool: bool = False): + def __init__(self, server_hostname: str, ci_certs_path: str, common_cert_path: str, use_brainpool: bool = False): self.server_hostname = server_hostname self.upp_dir = os.path.realpath(os.path.join(DATA_DIR, 'upp')) self.ci_certs = self.load_certs_from_path(ci_certs_path) # load DPauth cert + key self.dp_auth = CertAndPrivkey(oid.id_rspRole_dp_auth_v2) - cert_dir = os.path.join(DATA_DIR, 'certs') + cert_dir = common_cert_path if use_brainpool: self.dp_auth.cert_from_der_file(os.path.join(cert_dir, 'DPauth', 'CERT_S_SM_DPauth_ECDSA_BRP.der')) self.dp_auth.privkey_from_pem_file(os.path.join(cert_dir, 'DPauth', 'SK_S_SM_DPauth_ECDSA_BRP.pem')) @@ -583,13 +584,43 @@ parser = argparse.ArgumentParser() parser.add_argument("-H", "--host", help="Host/IP to bind HTTP to", default="localhost") parser.add_argument("-p", "--port", help="TCP port to bind HTTP to", default=8000) - #parser.add_argument("-v", "--verbose", help="increase output verbosity", action='count', default=0) - + parser.add_argument("-c", "--certpath", help=f"cert subdir relative to {DATA_DIR}", default="certs") + parser.add_argument("-s", "--nossl", help="do NOT use ssl", action='store_true', default=False) args = parser.parse_args() - hs = SmDppHttpServer(HOSTNAME, os.path.join(DATA_DIR, 'certs', 'CertificateIssuer'), use_brainpool=False) - #hs.app.run(endpoint_description="ssl:port=8000:dhParameters=dh_param_2048.pem") + common_cert_path = os.path.join(DATA_DIR, args.certpath) + hs = SmDppHttpServer(server_hostname=HOSTNAME, ci_certs_path=os.path.join(common_cert_path, 'CertificateIssuer'), common_cert_path=common_cert_path, use_brainpool=False) + if(args.nossl): hs.app.run(args.host, args.port) + else: + cert_derpath = Path(common_cert_path) / 'DPtls' / 'CERT_S_SM_DP_TLS_NIST.der' + cert_pempath = Path(common_cert_path) / 'DPtls' / 'CERT_S_SM_DP_TLS_NIST.pem' + cert_skpath = Path(common_cert_path) / 'DPtls' / 'SK_S_SM_DP_TLS_NIST.pem' + dhparam_path = Path(common_cert_path) / "dhparam2048.pem" + if not dhparam_path.exists(): + print("Generating dh params, this takes a few seconds..") + # Generate DH parameters with 2048-bit key size and generator 2 + parameters = dh.generate_parameters(generator=2, key_size=2048) + pem_data = parameters.parameter_bytes(encoding=Encoding.PEM,format=ParameterFormat.PKCS3) + with open(dhparam_path, 'wb') as file: + file.write(pem_data) + print("DH params created successfully") + + if not cert_pempath.exists(): + print("Translating tls server cert from DER to PEM..") + with open(cert_derpath, 'rb') as der_file: + der_cert_data = der_file.read() + + cert = x509.load_der_x509_certificate(der_cert_data) + pem_cert = cert.public_bytes(Encoding.PEM) #.decode('utf-8') + + with open(cert_pempath, 'wb') as pem_file: + pem_file.write(pem_cert) + + SERVER_STRING = f'ssl:{args.port}:privateKey={cert_skpath}:certKey={cert_pempath}:dhParameters={dhparam_path}' + print(SERVER_STRING) + + hs.app.run(host=HOSTNAME, port=args.port, endpoint_description=SERVER_STRING) if __name__ == "__main__": main(sys.argv) -- To view, visit https://gerrit.osmocom.org/c/pysim/+/40464?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: newchange Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: I84b2666422b8ff565620f3827ef4d4d7635a21be Gerrit-Change-Number: 40464 Gerrit-PatchSet: 1 Gerrit-Owner: Hoernchen <ewild(a)sysmocom.de>

1 week, 3 days

1
0
0 0

[S] Change in pysim[master]: smdpp: verify request headers

by Hoernchen

Hoernchen has uploaded this change for review. ( https://gerrit.osmocom.org/c/pysim/+/40466?usp=email ) Change subject: smdpp: verify request headers ...................................................................... smdpp: verify request headers Change-Id: Ic1221bcb87a9975a013ab356266d3cb76d9241f1 --- M osmo-smdpp.py 1 file changed, 11 insertions(+), 2 deletions(-) git pull ssh://gerrit.osmocom.org:29418/pysim refs/changes/66/40466/1 diff --git a/osmo-smdpp.py b/osmo-smdpp.py index 5baa154..74863f3 100755 --- a/osmo-smdpp.py +++ b/osmo-smdpp.py @@ -61,6 +61,16 @@ request.setHeader('Content-Type', 'application/json;charset=UTF-8') request.setHeader('X-Admin-Protocol', 'gsma/rsp/v2.1.0') +def validate_request_headers(request: IRequest): + """Validate mandatory HTTP headers according to SGP.22.""" + content_type = request.getHeader('Content-Type') + if not content_type or not content_type.startswith('application/json'): + raise ApiError('1.2.1', '2.1', 'Invalid Content-Type header') + + admin_protocol = request.getHeader('X-Admin-Protocol') + if admin_protocol and not admin_protocol.startswith('gsma/rsp/v'): + raise ApiError('1.2.2', '2.1', 'Unsupported X-Admin-Protocol version') + def build_status_code(subject_code: str, reason_code: str, subject_id: Optional[str], message: Optional[str]) -> Dict: r = {'subjectCode': subject_code, 'reasonCode': reason_code } if subject_id: @@ -180,8 +190,7 @@ functionality, such as JSON decoding/encoding and debug-printing.""" @functools.wraps(func) def _api_wrapper(self, request: IRequest): - # TODO: evaluate User-Agent + X-Admin-Protocol header - # TODO: reject any non-JSON Content-type + validate_request_headers(request) content = json.loads(request.content.read()) print("Rx JSON: %s" % json.dumps(content)) -- To view, visit https://gerrit.osmocom.org/c/pysim/+/40466?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: newchange Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: Ic1221bcb87a9975a013ab356266d3cb76d9241f1 Gerrit-Change-Number: 40466 Gerrit-PatchSet: 1 Gerrit-Owner: Hoernchen <ewild(a)sysmocom.de>

1 week, 3 days

1
0
0 0

[M] Change in pysim[master]: smdpp: less verbose by default

by Hoernchen

Hoernchen has uploaded this change for review. ( https://gerrit.osmocom.org/c/pysim/+/40468?usp=email ) Change subject: smdpp: less verbose by default ...................................................................... smdpp: less verbose by default Those data blobs are huge. Change-Id: I04a72b8f52417862d4dcba1f0743700dd942ef49 --- M osmo-smdpp.py M pySim/esim/bsp.py M pySim/esim/es8p.py 3 files changed, 51 insertions(+), 11 deletions(-) git pull ssh://gerrit.osmocom.org:29418/pysim refs/changes/68/40468/1 diff --git a/osmo-smdpp.py b/osmo-smdpp.py index 92bbb42..b8b6303 100755 --- a/osmo-smdpp.py +++ b/osmo-smdpp.py @@ -47,6 +47,9 @@ from pySim.esim.x509_cert import oid, cert_policy_has_oid, cert_get_auth_key_id from pySim.esim.x509_cert import CertAndPrivkey, CertificateSet, cert_get_subject_key_id, VerifyError +import logging +logger = logging.getLogger(__name__) + # HACK: make this configurable DATA_DIR = './smdpp-data' HOSTNAME = 'testsmdpplus1.example.com' # must match certificates! @@ -356,7 +359,7 @@ validate_request_headers(request) content = json.loads(request.content.read()) - print("Rx JSON: %s" % json.dumps(content)) + logger.debug("Rx JSON: %s" % json.dumps(content)) set_headers(request) output = func(self, request, content) @@ -364,7 +367,7 @@ return '' build_resp_header(output) - print("Tx JSON: %s" % json.dumps(output)) + logger.debug("Tx JSON: %s" % json.dumps(output)) return json.dumps(output) return _api_wrapper @@ -383,7 +386,7 @@ euiccInfo1_bin = b64decode(content['euiccInfo1']) euiccInfo1 = rsp.asn1.decode('EUICCInfo1', euiccInfo1_bin) - print("Rx euiccInfo1: %s" % euiccInfo1) + logger.debug("Rx euiccInfo1: %s" % euiccInfo1) #euiccInfo1['svn'] # TODO: If euiccCiPKIdListForSigningV3 is present ... @@ -458,7 +461,7 @@ authenticateServerResp_bin = b64decode(content['authenticateServerResponse']) authenticateServerResp = rsp.asn1.decode('AuthenticateServerResponse', authenticateServerResp_bin) - print("Rx %s: %s" % authenticateServerResp) + logger.debug("Rx %s: %s" % authenticateServerResp) if authenticateServerResp[0] == 'authenticateResponseError': r_err = authenticateServerResp[1] #r_err['transactionId'] @@ -589,7 +592,7 @@ prepDownloadResp_bin = b64decode(content['prepareDownloadResponse']) prepDownloadResp = rsp.asn1.decode('PrepareDownloadResponse', prepDownloadResp_bin) - print("Rx %s: %s" % prepDownloadResp) + logger.debug("Rx %s: %s" % prepDownloadResp) if prepDownloadResp[0] == 'downloadResponseError': r_err = prepDownloadResp[1] @@ -611,7 +614,7 @@ # store otPK.EUICC.ECKA in session state ss.euicc_otpk = euiccSigned2['euiccOtpk'] - print("euiccOtpk: %s" % (b2h(ss.euicc_otpk))) + logger.debug("euiccOtpk: %s" % (b2h(ss.euicc_otpk))) # Generate a one-time ECKA key pair (ot{PK,SK}.DP.ECKA) using the curve indicated by the Key Parameter # Reference value of CERT.DPpb.ECDDSA @@ -619,8 +622,8 @@ ss.smdp_ot = ec.generate_private_key(self.dp_pb.get_curve()) # extract the public key in (hopefully) the right format for the ES8+ interface ss.smdp_otpk = ss.smdp_ot.public_key().public_bytes(Encoding.X962, PublicFormat.UncompressedPoint) - print("smdpOtpk: %s" % b2h(ss.smdp_otpk)) - print("smdpOtsk: %s" % b2h(ss.smdp_ot.private_bytes(Encoding.DER, PrivateFormat.PKCS8, NoEncryption()))) + logger.debug("smdpOtpk: %s" % b2h(ss.smdp_otpk)) + logger.debug("smdpOtsk: %s" % b2h(ss.smdp_ot.private_bytes(Encoding.DER, PrivateFormat.PKCS8, NoEncryption()))) ss.host_id = b'mahlzeit' @@ -661,7 +664,7 @@ request.setResponseCode(204) pendingNotification_bin = b64decode(content['pendingNotification']) pendingNotification = rsp.asn1.decode('PendingNotification', pendingNotification_bin) - print("Rx %s: %s" % pendingNotification) + logger.debug("Rx %s: %s" % pendingNotification) if pendingNotification[0] == 'profileInstallationResult': profileInstallRes = pendingNotification[1] pird = profileInstallRes['profileInstallationResultData'] @@ -714,7 +717,7 @@ @rsp_api_wrapper def cancelSession(self, request: IRequest, content: dict) -> dict: """See ES9+ CancelSession in SGP.22 Section 5.6.5""" - print("Rx JSON: %s" % content) + logger.debug("Rx JSON: %s" % content) transactionId = content['transactionId'] # Verify that the received transactionId is known and relates to an ongoing RSP session @@ -724,7 +727,7 @@ cancelSessionResponse_bin = b64decode(content['cancelSessionResponse']) cancelSessionResponse = rsp.asn1.decode('CancelSessionResponse', cancelSessionResponse_bin) - print("Rx %s: %s" % cancelSessionResponse) + logger.debug("Rx %s: %s" % cancelSessionResponse) if cancelSessionResponse[0] == 'cancelSessionResponseError': # FIXME: print some error @@ -760,8 +763,11 @@ parser.add_argument("-p", "--port", help="TCP port to bind HTTP to", default=8000) parser.add_argument("-c", "--certpath", help=f"cert subdir relative to {DATA_DIR}", default="certs") parser.add_argument("-s", "--nossl", help="do NOT use ssl", action='store_true', default=False) + parser.add_argument("-v", "--verbose", help="dump more raw info", action='store_true', default=False) args = parser.parse_args() + logging.basicConfig(level=logging.DEBUG if args.verbose else logging.WARNING) + common_cert_path = os.path.join(DATA_DIR, args.certpath) hs = SmDppHttpServer(server_hostname=HOSTNAME, ci_certs_path=os.path.join(common_cert_path, 'CertificateIssuer'), common_cert_path=common_cert_path, use_brainpool=False) if(args.nossl): diff --git a/pySim/esim/bsp.py b/pySim/esim/bsp.py index fb4c0b3..6935802 100644 --- a/pySim/esim/bsp.py +++ b/pySim/esim/bsp.py @@ -149,8 +149,18 @@ temp_data = self.mac_chain + tag_and_length + data old_mcv = self.mac_chain c_mac = self._auth(temp_data) + + # DEBUG: Show MAC computation details + logger.debug(f"MAC_DEBUG: tag=0x{tag:02x}, lcc={lcc}") + logger.debug(f"MAC_DEBUG: tag_and_length: {tag_and_length.hex()}") + logger.debug(f"MAC_DEBUG: mac_chain[:20]: {old_mcv[:20].hex()}") + logger.debug(f"MAC_DEBUG: temp_data[:20]: {temp_data[:20].hex()}") + logger.debug(f"MAC_DEBUG: c_mac: {c_mac.hex()}") + # The output data is computed by concatenating the following data: the tag, the final length, the result of step 2 and the C-MAC value. ret = tag_and_length + data + c_mac + logger.debug(f"MAC_DEBUG: final_output[:20]: {ret[:20].hex()}") + logger.debug("auth(tag=0x%x, mcv=%s, s_mac=%s, plaintext=%s, temp=%s) -> %s", tag, b2h(old_mcv), b2h(self.s_mac), b2h(data), b2h(temp_data), b2h(ret)) return ret @@ -204,6 +214,11 @@ s_enc = out[l:2*l] s_mac = out[l*2:3*l] + logger.debug(f"BSP_KDF_DEBUG: kdf_out = {b2h(out)}") + logger.debug(f"BSP_KDF_DEBUG: initial_mcv = {b2h(initial_mac_chaining_value)}") + logger.debug(f"BSP_KDF_DEBUG: s_enc = {b2h(s_enc)}") + logger.debug(f"BSP_KDF_DEBUG: s_mac = {b2h(s_mac)}") + return s_enc, s_mac, initial_mac_chaining_value @@ -231,9 +246,21 @@ """Encrypt + MAC a single plaintext TLV. Returns the protected ciphertext.""" assert tag <= 255 assert len(plaintext) <= self.max_payload_size + + # DEBUG: Show what we're processing + logger.debug(f"BSP_DEBUG: encrypt_and_mac_one(tag=0x{tag:02x}, plaintext_len={len(plaintext)})") + logger.debug(f"BSP_DEBUG: plaintext[:20]: {plaintext[:20].hex()}") + logger.debug(f"BSP_DEBUG: s_enc[:20]: {self.c_algo.s_enc[:20].hex()}") + logger.debug(f"BSP_DEBUG: s_mac[:20]: {self.m_algo.s_mac[:20].hex()}") + logger.debug("encrypt_and_mac_one(tag=0x%x, plaintext=%s)", tag, b2h(plaintext)) ciphered = self.c_algo.encrypt(plaintext) + logger.debug(f"BSP_DEBUG: ciphered[:20]: {ciphered[:20].hex()}") + maced = self.m_algo.auth(tag, ciphered) + logger.debug(f"BSP_DEBUG: final_result[:20]: {maced[:20].hex()}") + logger.debug(f"BSP_DEBUG: final_result_len: {len(maced)}") + return maced def encrypt_and_mac(self, tag: int, plaintext:bytes) -> List[bytes]: diff --git a/pySim/esim/es8p.py b/pySim/esim/es8p.py index 8bd7e14..4c854f1 100644 --- a/pySim/esim/es8p.py +++ b/pySim/esim/es8p.py @@ -25,6 +25,9 @@ from pySim.esim.bsp import BspInstance from pySim.esim import PMO +import logging +logger = logging.getLogger(__name__) + # Given that GSMA RSP uses ASN.1 in a very weird way, we actually cannot encode the full data type before # signing, but we have to build parts of it separately first, then sign that, so we can put the signature # into the same sequence as the signed data. We use the existing pySim TLV code for this. @@ -196,8 +199,12 @@ # 'initialiseSecureChannelRequest' bpp_seq = rsp.asn1.encode('InitialiseSecureChannelRequest', iscr) # firstSequenceOf87 + logger.debug(f"BPP_ENCODE_DEBUG: Encrypting ConfigureISDP with BSP keys") + logger.debug(f"BPP_ENCODE_DEBUG: BSP S-ENC: {bsp.c_algo.s_enc.hex()}") + logger.debug(f"BPP_ENCODE_DEBUG: BSP S-MAC: {bsp.m_algo.s_mac.hex()}") bpp_seq += encode_seq(0xa0, bsp.encrypt_and_mac(0x87, conf_idsp_bin)) # sequenceOF88 + logger.debug(f"BPP_ENCODE_DEBUG: MAC-only StoreMetadata with BSP keys") bpp_seq += encode_seq(0xa1, bsp.mac_only(0x88, smr_bin)) if self.ppp: # we have to use session keys -- To view, visit https://gerrit.osmocom.org/c/pysim/+/40468?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: newchange Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: I04a72b8f52417862d4dcba1f0743700dd942ef49 Gerrit-Change-Number: 40468 Gerrit-PatchSet: 1 Gerrit-Owner: Hoernchen <ewild(a)sysmocom.de>

1 week, 3 days

1
0
0 0

[S] Change in pysim[master]: smdpp: update certs, prune old certs

by Hoernchen

Hoernchen has uploaded this change for review. ( https://gerrit.osmocom.org/c/pysim/+/40465?usp=email ) Change subject: smdpp: update certs, prune old certs ...................................................................... smdpp: update certs, prune old certs Grabbed from SGP.26_v1.5_Certificates_18_07_2024.zip Change-Id: I25442d6f55a385019bba1e47ad3d795120f850ad --- D smdpp-data/certs/DPauth/data_sig.der M smdpp-data/certs/DPtls/CERT_S_SM_DP2_TLS.der M smdpp-data/certs/DPtls/CERT_S_SM_DP4_TLS.der M smdpp-data/certs/DPtls/CERT_S_SM_DP8_TLS.der M smdpp-data/certs/DPtls/CERT_S_SM_DP_TLS_BRP.der M smdpp-data/certs/DPtls/CERT_S_SM_DP_TLS_NIST.der M smdpp-data/certs/DPtls/CERT_S_SM_DP_TLS_NIST.pem D smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2021/CERT_S_SM_DP2_TLS.der D smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2021/CERT_S_SM_DP4_TLS.der D smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2021/CERT_S_SM_DP8_TLS.der D smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2021/CERT_S_SM_DP_TLS_BRP.der D smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2021/CERT_S_SM_DP_TLS_NIST.der D smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2022/CERT_S_SM_DP2_TLS.der D smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2022/CERT_S_SM_DP4_TLS.der D smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2022/CERT_S_SM_DP8_TLS.der D smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2022/CERT_S_SM_DP_TLS_BRP.der D smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2022/CERT_S_SM_DP_TLS_NIST.der D smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2023/CERT_S_SM_DP2_TLS.der D smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2023/CERT_S_SM_DP4_TLS.der D smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2023/CERT_S_SM_DP8_TLS.der D smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2023/CERT_S_SM_DP_TLS_BRP.der D smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2023/CERT_S_SM_DP_TLS_NIST.der 22 files changed, 5 insertions(+), 6 deletions(-) git pull ssh://gerrit.osmocom.org:29418/pysim refs/changes/65/40465/1 diff --git a/smdpp-data/certs/DPauth/data_sig.der b/smdpp-data/certs/DPauth/data_sig.der deleted file mode 100644 index 7f44ce2..0000000 --- a/smdpp-data/certs/DPauth/data_sig.der +++ /dev/null @@ -1 +0,0 @@ -0D AL¶þV¿eRÌÍìAHÊt£×ôÍºnìE<Nåû R¤~&Àk\þ~ ÉRlÜÛ°¥7ì¶NmWø \ No newline at end of file diff --git a/smdpp-data/certs/DPtls/CERT_S_SM_DP2_TLS.der b/smdpp-data/certs/DPtls/CERT_S_SM_DP2_TLS.der index be20b34..79ef55d 100644 --- a/smdpp-data/certs/DPtls/CERT_S_SM_DP2_TLS.der +++ b/smdpp-data/certs/DPtls/CERT_S_SM_DP2_TLS.der Binary files differ diff --git a/smdpp-data/certs/DPtls/CERT_S_SM_DP4_TLS.der b/smdpp-data/certs/DPtls/CERT_S_SM_DP4_TLS.der index 07b4c85..eb1d606 100644 --- a/smdpp-data/certs/DPtls/CERT_S_SM_DP4_TLS.der +++ b/smdpp-data/certs/DPtls/CERT_S_SM_DP4_TLS.der Binary files differ diff --git a/smdpp-data/certs/DPtls/CERT_S_SM_DP8_TLS.der b/smdpp-data/certs/DPtls/CERT_S_SM_DP8_TLS.der index 3b45b14..dec58b9 100644 --- a/smdpp-data/certs/DPtls/CERT_S_SM_DP8_TLS.der +++ b/smdpp-data/certs/DPtls/CERT_S_SM_DP8_TLS.der Binary files differ diff --git a/smdpp-data/certs/DPtls/CERT_S_SM_DP_TLS_BRP.der b/smdpp-data/certs/DPtls/CERT_S_SM_DP_TLS_BRP.der index dc730f0..48f8422 100644 --- a/smdpp-data/certs/DPtls/CERT_S_SM_DP_TLS_BRP.der +++ b/smdpp-data/certs/DPtls/CERT_S_SM_DP_TLS_BRP.der Binary files differ diff --git a/smdpp-data/certs/DPtls/CERT_S_SM_DP_TLS_NIST.der b/smdpp-data/certs/DPtls/CERT_S_SM_DP_TLS_NIST.der index 0cb9ba7..b819e77 100644 --- a/smdpp-data/certs/DPtls/CERT_S_SM_DP_TLS_NIST.der +++ b/smdpp-data/certs/DPtls/CERT_S_SM_DP_TLS_NIST.der Binary files differ diff --git a/smdpp-data/certs/DPtls/CERT_S_SM_DP_TLS_NIST.pem b/smdpp-data/certs/DPtls/CERT_S_SM_DP_TLS_NIST.pem index 4525642..c94d612 100644 --- a/smdpp-data/certs/DPtls/CERT_S_SM_DP_TLS_NIST.pem +++ b/smdpp-data/certs/DPtls/CERT_S_SM_DP_TLS_NIST.pem @@ -1,7 +1,7 @@ -----BEGIN CERTIFICATE----- -MIICgjCCAiigAwIBAgIBCjAKBggqhkjOPQQDAjBEMRAwDgYDVQQDDAdUZXN0IENJ +MIICgzCCAiigAwIBAgIBCTAKBggqhkjOPQQDAjBEMRAwDgYDVQQDDAdUZXN0IENJ MREwDwYDVQQLDAhURVNUQ0VSVDEQMA4GA1UECgwHUlNQVEVTVDELMAkGA1UEBhMC -SVQwHhcNMjUwNDIzMTUyMzA1WhcNMzUwNDIxMTUyMzA1WjAzMQ0wCwYDVQQKDARB +SVQwHhcNMjQwNzA5MTUyODMzWhcNMjUwODExMTUyODMzWjAzMQ0wCwYDVQQKDARB Q01FMSIwIAYDVQQDDBl0ZXN0c21kcHBsdXMxLmV4YW1wbGUuY29tMFkwEwYHKoZI zj0CAQYIKoZIzj0DAQcDQgAEKCQwdc6O/R+uZ2g5QH2ybkzLQ3CUYhybOWEz8bJL tQG4/k6yTT4NOS8lP28blGJws8opLjTbb3qHs6X2rJRfCKOCARowggEWMA4GA1Ud @@ -10,7 +10,7 @@ qTAfBgNVHSMEGDAWgBT1QXK9+YqV1ly+uIo4ocEdgAqFwzApBgNVHREEIjAgghl0 ZXN0c21kcHBsdXMxLmV4YW1wbGUuY29tiAOINwowYQYDVR0fBFowWDAqoCigJoYk aHR0cDovL2NpLnRlc3QuZXhhbXBsZS5jb20vQ1JMLUEuY3JsMCqgKKAmhiRodHRw -Oi8vY2kudGVzdC5leGFtcGxlLmNvbS9DUkwtQi5jcmwwCgYIKoZIzj0EAwIDSAAw -RQIgYakBZP6y9/2iu9aZkgb89SQgfRb0TKVMGElWgtyoX2gCIQCT8o/TkAxhWCTY -yaBDMi1L9Ub+93ef5s+S+eHLmwuudA== +Oi8vY2kudGVzdC5leGFtcGxlLmNvbS9DUkwtQi5jcmwwCgYIKoZIzj0EAwIDSQAw +RgIhAL1qQ/cnrCZC7UnnLJ8WeK+0aWUJFWh1cOlBEzw0NlTVAiEA25Vf4WHzwmJi +zkARzxJ1qB0qfBofuJrtfPM4gNJ4Quw= -----END CERTIFICATE----- diff --git a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2021/CERT_S_SM_DP2_TLS.der b/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2021/CERT_S_SM_DP2_TLS.der deleted file mode 100644 index 4f91532..0000000 --- a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2021/CERT_S_SM_DP2_TLS.der +++ /dev/null Binary files differ diff --git a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2021/CERT_S_SM_DP4_TLS.der b/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2021/CERT_S_SM_DP4_TLS.der deleted file mode 100644 index 70820fa..0000000 --- a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2021/CERT_S_SM_DP4_TLS.der +++ /dev/null Binary files differ diff --git a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2021/CERT_S_SM_DP8_TLS.der b/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2021/CERT_S_SM_DP8_TLS.der deleted file mode 100644 index 33cc6fb..0000000 --- a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2021/CERT_S_SM_DP8_TLS.der +++ /dev/null Binary files differ diff --git a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2021/CERT_S_SM_DP_TLS_BRP.der b/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2021/CERT_S_SM_DP_TLS_BRP.der deleted file mode 100644 index 5d0ae30..0000000 --- a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2021/CERT_S_SM_DP_TLS_BRP.der +++ /dev/null Binary files differ diff --git a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2021/CERT_S_SM_DP_TLS_NIST.der b/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2021/CERT_S_SM_DP_TLS_NIST.der deleted file mode 100644 index 38927b1..0000000 --- a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2021/CERT_S_SM_DP_TLS_NIST.der +++ /dev/null Binary files differ diff --git a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2022/CERT_S_SM_DP2_TLS.der b/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2022/CERT_S_SM_DP2_TLS.der deleted file mode 100644 index 32909ce..0000000 --- a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2022/CERT_S_SM_DP2_TLS.der +++ /dev/null Binary files differ diff --git a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2022/CERT_S_SM_DP4_TLS.der b/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2022/CERT_S_SM_DP4_TLS.der deleted file mode 100644 index ea11075..0000000 --- a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2022/CERT_S_SM_DP4_TLS.der +++ /dev/null Binary files differ diff --git a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2022/CERT_S_SM_DP8_TLS.der b/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2022/CERT_S_SM_DP8_TLS.der deleted file mode 100644 index 93a0cc0..0000000 --- a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2022/CERT_S_SM_DP8_TLS.der +++ /dev/null Binary files differ diff --git a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2022/CERT_S_SM_DP_TLS_BRP.der b/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2022/CERT_S_SM_DP_TLS_BRP.der deleted file mode 100644 index 3d00317..0000000 --- a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2022/CERT_S_SM_DP_TLS_BRP.der +++ /dev/null Binary files differ diff --git a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2022/CERT_S_SM_DP_TLS_NIST.der b/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2022/CERT_S_SM_DP_TLS_NIST.der deleted file mode 100644 index 179c37b..0000000 --- a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2022/CERT_S_SM_DP_TLS_NIST.der +++ /dev/null Binary files differ diff --git a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2023/CERT_S_SM_DP2_TLS.der b/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2023/CERT_S_SM_DP2_TLS.der deleted file mode 100644 index da5516c..0000000 --- a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2023/CERT_S_SM_DP2_TLS.der +++ /dev/null Binary files differ diff --git a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2023/CERT_S_SM_DP4_TLS.der b/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2023/CERT_S_SM_DP4_TLS.der deleted file mode 100644 index b1c222c..0000000 --- a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2023/CERT_S_SM_DP4_TLS.der +++ /dev/null Binary files differ diff --git a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2023/CERT_S_SM_DP8_TLS.der b/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2023/CERT_S_SM_DP8_TLS.der deleted file mode 100644 index 638e4a1..0000000 --- a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2023/CERT_S_SM_DP8_TLS.der +++ /dev/null Binary files differ diff --git a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2023/CERT_S_SM_DP_TLS_BRP.der b/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2023/CERT_S_SM_DP_TLS_BRP.der deleted file mode 100644 index 6746cbb..0000000 --- a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2023/CERT_S_SM_DP_TLS_BRP.der +++ /dev/null Binary files differ diff --git a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2023/CERT_S_SM_DP_TLS_NIST.der b/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2023/CERT_S_SM_DP_TLS_NIST.der deleted file mode 100644 index 6977bd3..0000000 --- a/smdpp-data/certs/DPtls/Old_TLS_Validity/Expired 2023/CERT_S_SM_DP_TLS_NIST.der +++ /dev/null Binary files differ -- To view, visit https://gerrit.osmocom.org/c/pysim/+/40465?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: newchange Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: I25442d6f55a385019bba1e47ad3d795120f850ad Gerrit-Change-Number: 40465 Gerrit-PatchSet: 1 Gerrit-Owner: Hoernchen <ewild(a)sysmocom.de>

1 week, 3 days

1
0
0 0

[XS] Change in pysim[master]: fix up missing requirements

by Hoernchen

Hoernchen has uploaded this change for review. ( https://gerrit.osmocom.org/c/pysim/+/40463?usp=email ) Change subject: fix up missing requirements ...................................................................... fix up missing requirements No idea why the list was incomplete? How do people run this? Change-Id: If69b2bd5f8bc604443108c942c17eba9c22f4053 --- M requirements.txt M setup.py 2 files changed, 8 insertions(+), 0 deletions(-) git pull ssh://gerrit.osmocom.org:29418/pysim refs/changes/63/40463/1 diff --git a/requirements.txt b/requirements.txt index 9749d7f..6491f2a 100644 --- a/requirements.txt +++ b/requirements.txt @@ -15,3 +15,7 @@ packaging git+https://github.com/hologram-io/smpp.pdu smpp.twisted3 @ git+https://github.com/jookies/smpp.twisted +klein +service-identity +pyopenssl +requests \ No newline at end of file diff --git a/setup.py b/setup.py index b33fb67..8965a70 100644 --- a/setup.py +++ b/setup.py @@ -34,6 +34,10 @@ "smpp.pdu @ git+https://github.com/hologram-io/smpp.pdu", "asn1tools", "smpp.twisted3 @ git+https://github.com/jookies/smpp.twisted", + "klein", + "service-identity", + "pyopenssl", + "requests", ], scripts=[ 'pySim-prog.py', -- To view, visit https://gerrit.osmocom.org/c/pysim/+/40463?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: newchange Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: If69b2bd5f8bc604443108c942c17eba9c22f4053 Gerrit-Change-Number: 40463 Gerrit-PatchSet: 1 Gerrit-Owner: Hoernchen <ewild(a)sysmocom.de>

1 week, 3 days

1
0
0 0

[M] Change in libosmo-sigtran[master]: ipa: Implement ASP Hearbeat procedure

by pespin

pespin has posted comments on this change by pespin. ( https://gerrit.osmocom.org/c/libosmo-sigtran/+/40460?usp=email ) Change subject: ipa: Implement ASP Hearbeat procedure ...................................................................... Patch Set 3: (1 comment) Patchset: PS3: Marking as WIP until I do more testing. -- To view, visit https://gerrit.osmocom.org/c/libosmo-sigtran/+/40460?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: libosmo-sigtran Gerrit-Branch: master Gerrit-Change-Id: I0947977b192447d433ecf6b3ccb830141d8ae04d Gerrit-Change-Number: 40460 Gerrit-PatchSet: 3 Gerrit-Owner: pespin <pespin(a)sysmocom.de> Gerrit-Reviewer: Jenkins Builder Gerrit-Comment-Date: Fri, 13 Jun 2025 19:04:38 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No

1 week, 3 days

1
0
0 0