- gerrit-log - lists.osmocom.org

[M] Change in pysim[master]: smdpp: validate eid

by laforge

Attention is currently required from: Hoernchen. laforge has posted comments on this change by Hoernchen. ( https://gerrit.osmocom.org/c/pysim/+/40467?usp=email ) Change subject: smdpp: validate eid ...................................................................... Patch Set 1: Code-Review+1 (1 comment) File osmo-smdpp.py: https://gerrit.osmocom.org/c/pysim/+/40467/comment/8ee3f68c_cb5173a0?usp=em… : PS1, Line 76: Returns 'O' for old variant note that all of the existing code covers SGP.22 v2.x and hence only supports "O". All the other variants with intermediate certs are SGP.22 v3.x which is not yet supported in osmo-smdpp and not really used much in practice in general. -- To view, visit https://gerrit.osmocom.org/c/pysim/+/40467?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: Ice704548cb62f14943927b5295007db13c807031 Gerrit-Change-Number: 40467 Gerrit-PatchSet: 1 Gerrit-Owner: Hoernchen <ewild(a)sysmocom.de> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: laforge <laforge(a)osmocom.org> Gerrit-Attention: Hoernchen <ewild(a)sysmocom.de> Gerrit-Comment-Date: Fri, 13 Jun 2025 20:24:39 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes

1 week, 4 days

1
0
0 0

[S] Change in pysim[master]: smdpp: verify request headers

by laforge

Attention is currently required from: Hoernchen. laforge has posted comments on this change by Hoernchen. ( https://gerrit.osmocom.org/c/pysim/+/40466?usp=email ) Change subject: smdpp: verify request headers ...................................................................... Patch Set 1: Code-Review+1 -- To view, visit https://gerrit.osmocom.org/c/pysim/+/40466?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: Ic1221bcb87a9975a013ab356266d3cb76d9241f1 Gerrit-Change-Number: 40466 Gerrit-PatchSet: 1 Gerrit-Owner: Hoernchen <ewild(a)sysmocom.de> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: laforge <laforge(a)osmocom.org> Gerrit-Attention: Hoernchen <ewild(a)sysmocom.de> Gerrit-Comment-Date: Fri, 13 Jun 2025 20:23:27 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes

1 week, 4 days

1
0
0 0

[S] Change in pysim[master]: smdpp: update certs, prune old certs

by laforge

Attention is currently required from: Hoernchen. laforge has posted comments on this change by Hoernchen. ( https://gerrit.osmocom.org/c/pysim/+/40465?usp=email ) Change subject: smdpp: update certs, prune old certs ...................................................................... Patch Set 1: (1 comment) Patchset: PS1: the commit misses to state the most important question of every commit: why. We can see from the diff that it replaces certs. but why. Also: Where does that zip file originate from (URI, ...). -- To view, visit https://gerrit.osmocom.org/c/pysim/+/40465?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: I25442d6f55a385019bba1e47ad3d795120f850ad Gerrit-Change-Number: 40465 Gerrit-PatchSet: 1 Gerrit-Owner: Hoernchen <ewild(a)sysmocom.de> Gerrit-CC: Jenkins Builder Gerrit-CC: laforge <laforge(a)osmocom.org> Gerrit-Attention: Hoernchen <ewild(a)sysmocom.de> Gerrit-Comment-Date: Fri, 13 Jun 2025 20:23:09 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No

1 week, 4 days

1
0
0 0

[L] Change in pysim[master]: smdpp: add proper tls support, cert generation

by laforge

Attention is currently required from: Hoernchen. laforge has posted comments on this change by Hoernchen. ( https://gerrit.osmocom.org/c/pysim/+/40464?usp=email ) Change subject: smdpp: add proper tls support, cert generation ...................................................................... Patch Set 1: (2 comments) Patchset: PS1: I'm not sure how re-generating the SGP.26 CI certificates would work _unless_ you were to re-use the SGP.26 CI private key? The point of SGP.26 is that they all are derived from the same well-known CI, and all derived certificates can be validated against the exact SGP.26 CA certificate that is published. File contrib/generate_certs.py: https://gerrit.osmocom.org/c/pysim/+/40464/comment/51e89c38_e807ad06?usp=em… : PS1, Line 4: Fa maybe a bit more context here (that this is about certificates for osmo-smdpp)? The name could also be called generate_smdpp_certs.py to make it obvious what kind of certs we're referring to? -- To view, visit https://gerrit.osmocom.org/c/pysim/+/40464?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: I84b2666422b8ff565620f3827ef4d4d7635a21be Gerrit-Change-Number: 40464 Gerrit-PatchSet: 1 Gerrit-Owner: Hoernchen <ewild(a)sysmocom.de> Gerrit-Reviewer: Jenkins Builder Gerrit-CC: laforge <laforge(a)osmocom.org> Gerrit-Attention: Hoernchen <ewild(a)sysmocom.de> Gerrit-Comment-Date: Fri, 13 Jun 2025 20:21:22 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No

1 week, 4 days

1
0
0 0

[XS] Change in pysim[master]: fix up missing requirements

by laforge

Attention is currently required from: Hoernchen. laforge has posted comments on this change by Hoernchen. ( https://gerrit.osmocom.org/c/pysim/+/40463?usp=email ) Change subject: fix up missing requirements ...................................................................... Patch Set 1: (1 comment) Patchset: PS1: the general idea was to *not* include all of osmo-smdpp's dependencies in pysim, as 99.9% of all uses just want pySim-{shell,trace,prog} and not any esim related stuff. Some of the more modern python packaging supports optional/conditional dependenices, AFAICT. The proper solution is to move osmo-smdpp to a seaparate git repo (+ python package), depending on the pySim.esim library code. -- To view, visit https://gerrit.osmocom.org/c/pysim/+/40463?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: If69b2bd5f8bc604443108c942c17eba9c22f4053 Gerrit-Change-Number: 40463 Gerrit-PatchSet: 1 Gerrit-Owner: Hoernchen <ewild(a)sysmocom.de> Gerrit-CC: Jenkins Builder Gerrit-CC: laforge <laforge(a)osmocom.org> Gerrit-Attention: Hoernchen <ewild(a)sysmocom.de> Gerrit-Comment-Date: Fri, 13 Jun 2025 20:15:35 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No

1 week, 4 days

1
0
0 0

[S] Change in pysim[master]: smdpp: verify cert chain

by Hoernchen

Hoernchen has uploaded this change for review. ( https://gerrit.osmocom.org/c/pysim/+/40469?usp=email ) Change subject: smdpp: verify cert chain ...................................................................... smdpp: verify cert chain Change-Id: I1e4e4b1b032dc6a8b7d15bd80d533a50fe0cff15 --- M osmo-smdpp.py 1 file changed, 20 insertions(+), 7 deletions(-) git pull ssh://gerrit.osmocom.org:29418/pysim refs/changes/69/40469/1 diff --git a/osmo-smdpp.py b/osmo-smdpp.py index b8b6303..290f77c 100755 --- a/osmo-smdpp.py +++ b/osmo-smdpp.py @@ -311,6 +311,20 @@ return cert return None + def validate_certificate_chain_for_verification(self, euicc_ci_pkid_list: List[bytes]) -> bool: + """Validate that SM-DP+ has valid certificate chains for the given CI PKIDs.""" + for ci_pkid in euicc_ci_pkid_list: + ci_cert = self.ci_get_cert_for_pkid(ci_pkid) + if ci_cert: + # Check if our DPauth certificate chains to this CI + try: + cs = CertificateSet(ci_cert) + cs.verify_cert_chain(self.dp_auth.cert) + return True + except VerifyError: + continue + return False + def __init__(self, server_hostname: str, ci_certs_path: str, common_cert_path: str, use_brainpool: bool = False): self.server_hostname = server_hostname self.upp_dir = os.path.realpath(os.path.join(DATA_DIR, 'upp')) @@ -394,6 +408,12 @@ pkid_list = euiccInfo1['euiccCiPKIdListForSigning'] if 'euiccCiPKIdListForSigningV3' in euiccInfo1: pkid_list = pkid_list + euiccInfo1['euiccCiPKIdListForSigningV3'] + + # Validate that SM-DP+ supports certificate chains for verification + verification_pkid_list = euiccInfo1.get('euiccCiPKIdListForVerification', []) + if verification_pkid_list and not self.validate_certificate_chain_for_verification(verification_pkid_list): + raise ApiError('8.8.4', '3.7', 'The SM-DP+ has no CERT.DPauth.SIG which chains to one of the eSIM CA Root CA Certificate with a Public Key supported by the eUICC') + # verify it supports one of the keys indicated by euiccCiPKIdListForSigning ci_cert = None for x in pkid_list: @@ -408,13 +428,6 @@ if not ci_cert: raise ApiError('8.8.2', '3.1', 'None of the proposed Public Key Identifiers is supported by the SM-DP+') - # TODO: Determine the set of CERT.DPauth.SIG that satisfy the following criteria: - # * Part of a certificate chain ending at one of the eSIM CA RootCA Certificate, whose Public Keys is - # supported by the eUICC (indicated by euiccCiPKIdListForVerification). - # * Using a certificate chain that the eUICC and the LPA both support: - #euiccInfo1['euiccCiPKIdListForVerification'] - # raise ApiError('8.8.4', '3.7', 'The SM-DP+ has no CERT.DPauth.SIG which chains to one of the eSIM CA Root CA CErtificate with a Public Key supported by the eUICC') - # Generate a TransactionID which is used to identify the ongoing RSP session. The TransactionID # SHALL be unique within the scope and lifetime of each SM-DP+. transactionId = uuid.uuid4().hex.upper() -- To view, visit https://gerrit.osmocom.org/c/pysim/+/40469?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: newchange Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: I1e4e4b1b032dc6a8b7d15bd80d533a50fe0cff15 Gerrit-Change-Number: 40469 Gerrit-PatchSet: 1 Gerrit-Owner: Hoernchen <ewild(a)sysmocom.de>

1 week, 4 days

1
0
0 0

[M] Change in pysim[master]: smdpp: validate eid

by Hoernchen

Hoernchen has uploaded this change for review. ( https://gerrit.osmocom.org/c/pysim/+/40467?usp=email ) Change subject: smdpp: validate eid ...................................................................... smdpp: validate eid Change-Id: Ice704548cb62f14943927b5295007db13c807031 --- M osmo-smdpp.py 1 file changed, 167 insertions(+), 2 deletions(-) git pull ssh://gerrit.osmocom.org:29418/pysim refs/changes/67/40467/1 diff --git a/osmo-smdpp.py b/osmo-smdpp.py index 74863f3..92bbb42 100755 --- a/osmo-smdpp.py +++ b/osmo-smdpp.py @@ -71,6 +71,169 @@ if admin_protocol and not admin_protocol.startswith('gsma/rsp/v'): raise ApiError('1.2.2', '2.1', 'Unsupported X-Admin-Protocol version') +def get_eum_certificate_variant(eum_cert) -> str: + """Determine EUM certificate variant by checking Certificate Policies extension. + Returns 'O' for old variant, or 'NEW' for Ov3/A/B/C variants.""" + + try: + cert_policies_ext = eum_cert.extensions.get_extension_for_oid( + x509.oid.ExtensionOID.CERTIFICATE_POLICIES + ) + + for policy in cert_policies_ext.value: + policy_oid = policy.policy_identifier.dotted_string + print(f"Found certificate policy: {policy_oid}") + + if policy_oid == '2.23.146.1.2.1.2': + print("Detected EUM certificate variant: O (old)") + return 'O' + elif policy_oid == '2.23.146.1.2.1.0.0.0': + print("Detected EUM certificate variant: Ov3/A/B/C (new)") + return 'NEW' + except x509.ExtensionNotFound: + print("No Certificate Policies extension found") + except Exception as e: + print(f"Error checking certificate policies: {e}") + +def parse_permitted_eins_from_cert(eum_cert) -> List[str]: + """Extract permitted IINs from EUM certificate using the appropriate method + based on certificate variant (O vs Ov3/A/B/C). + Returns list of permitted IINs (basically prefixes that valid EIDs must start with).""" + + # Determine certificate variant first + cert_variant = get_eum_certificate_variant(eum_cert) + permitted_iins = [] + + if cert_variant == 'O': + # Old variant - use nameConstraints extension + print("Using nameConstraints parsing for variant O certificate") + permitted_iins.extend(_parse_name_constraints_eins(eum_cert)) + + else: + # New variants (Ov3, A, B, C) - use GSMA permittedEins extension + print("Using GSMA permittedEins parsing for newer certificate variant") + permitted_iins.extend(_parse_gsma_permitted_eins(eum_cert)) + + unique_iins = list(set(permitted_iins)) + + print(f"Total unique permitted IINs found: {len(unique_iins)}") + return unique_iins + +def _parse_gsma_permitted_eins(eum_cert) -> List[str]: + """Parse the GSMA permittedEins extension using correct ASN.1 structure. + PermittedEins ::= SEQUENCE OF PrintableString + Each string contains an IIN (Issuer Identification Number) - a prefix of valid EIDs.""" + permitted_iins = [] + + try: + permitted_eins_oid = x509.ObjectIdentifier('2.23.146.1.2.2.0') # sgp26: 2.23.146.1.2.2.0 = ASN1:SEQUENCE:permittedEins + + for ext in eum_cert.extensions: + if ext.oid == permitted_eins_oid: + print(f"Found GSMA permittedEins extension: {ext.oid}") + + # Get the DER-encoded extension value + ext_der = ext.value.value if hasattr(ext.value, 'value') else ext.value + + if isinstance(ext_der, bytes): + try: + import asn1tools + + permitted_eins_schema = """ + PermittedEins DEFINITIONS ::= BEGIN + PermittedEins ::= SEQUENCE OF PrintableString + END + """ + decoder = asn1tools.compile_string(permitted_eins_schema) + decoded_strings = decoder.decode('PermittedEins', ext_der) + + for iin_string in decoded_strings: + # Each string contains an IIN -> prefix of euicc EID + iin_clean = iin_string.strip().upper() + + # IINs is 8 chars per sgp22, var len according to sgp29, fortunately we don't care + if (len(iin_clean) == 8 and + all(c in '0123456789ABCDEF' for c in iin_clean) and + len(iin_clean) % 2 == 0): + permitted_iins.append(iin_clean) + print(f"Found permitted IIN (GSMA): {iin_clean}") + else: + print(f"Invalid IIN format: {iin_string} (cleaned: {iin_clean})") + except Exception as e: + print(f"Error parsing GSMA permittedEins extension: {e}") + + except Exception as e: + print(f"Error accessing GSMA certificate extensions: {e}") + + return permitted_iins + + +def _parse_name_constraints_eins(eum_cert) -> List[str]: + """Parse permitted IINs from nameConstraints extension (variant O).""" + permitted_iins = [] + + try: + # Look for nameConstraints extension + name_constraints_ext = eum_cert.extensions.get_extension_for_oid( + x509.oid.ExtensionOID.NAME_CONSTRAINTS + ) + + print("Found nameConstraints extension (variant O)") + name_constraints = name_constraints_ext.value + + # Check permittedSubtrees for IIN constraints + if name_constraints.permitted_subtrees: + for subtree in name_constraints.permitted_subtrees: + print(f"Processing permitted subtree: {subtree}") + + if isinstance(subtree, x509.DirectoryName): + for attribute in subtree.value: + # IINs for O in serialNumber + if attribute.oid == x509.oid.NameOID.SERIAL_NUMBER: + serial_value = attribute.value.upper() + # sgp22 8, sgp29 var len, fortunately we don't care + if (len(serial_value) == 8 and + all(c in '0123456789ABCDEF' for c in serial_value) and + len(serial_value) % 2 == 0): + permitted_iins.append(serial_value) + print(f"Found permitted IIN (nameConstraints/DN): {serial_value}") + + except x509.ExtensionNotFound: + print("No nameConstraints extension found") + except Exception as e: + print(f"Error parsing nameConstraints: {e}") + + return permitted_iins + + +def validate_eid_range(eid: str, eum_cert) -> bool: + """Validate that EID is within the permitted EINs of the EUM certificate.""" + if not eid or len(eid) != 32: + print(f"Invalid EID format: {eid}") + return False + + try: + permitted_eins = parse_permitted_eins_from_cert(eum_cert) + + if not permitted_eins: + print("Warning: No permitted EINs found in EUM certificate") + return False + + eid_normalized = eid.upper() + print(f"Validating EID {eid_normalized} against {len(permitted_eins)} permitted EINs") + + for permitted_ein in permitted_eins: + if eid_normalized.startswith(permitted_ein): + print(f"EID {eid_normalized} matches permitted EIN {permitted_ein}") + return True + + print(f"EID {eid_normalized} is not in any permitted EIN list") + return False + + except Exception as e: + print(f"Error validating EID: {e}") + return False + def build_status_code(subject_code: str, reason_code: str, subject_id: Optional[str], message: Optional[str]) -> Dict: r = {'subjectCode': subject_code, 'reasonCode': reason_code } if subject_id: @@ -346,11 +509,13 @@ if not self._ecdsa_verify(euicc_cert, euiccSignature1_bin, euiccSigned1_bin): raise ApiError('8.1', '6.1', 'Verification failed (euiccSignature1 over euiccSigned1)') - # TODO: verify EID of eUICC cert is within permitted range of EUM cert - ss.eid = ss.euicc_cert.subject.get_attributes_for_oid(x509.oid.NameOID.SERIAL_NUMBER)[0].value print("EID (from eUICC cert): %s" % ss.eid) + # Verify EID is within permitted range of EUM certificate + if not validate_eid_range(ss.eid, eum_cert): + raise ApiError('8.1.4', '6.1', 'EID is not within the permitted range of the EUM certificate') + # Verify that the serverChallenge attached to the ongoing RSP session matches the # serverChallenge returned by the eUICC. Otherwise, the SM-DP+ SHALL return a status code "eUICC - # Verification failed". -- To view, visit https://gerrit.osmocom.org/c/pysim/+/40467?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: newchange Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: Ice704548cb62f14943927b5295007db13c807031 Gerrit-Change-Number: 40467 Gerrit-PatchSet: 1 Gerrit-Owner: Hoernchen <ewild(a)sysmocom.de>

1 week, 4 days

1
0
0 0

[L] Change in pysim[master]: smdpp: add proper tls support, cert generation

by Hoernchen

Hoernchen has uploaded this change for review. ( https://gerrit.osmocom.org/c/pysim/+/40464?usp=email ) Change subject: smdpp: add proper tls support, cert generation ...................................................................... smdpp: add proper tls support, cert generation If TLS is enabled (default) it will automagically generate missing pem files + dh params. A faithful reproduction of the certs found in SGP.26_v1.5_Certificates_18_07_2024.zip can be generated by running contrib/generate_certs.py. This allows adjusting the expiry dates, CA flag, and other parameters. They can be used by running $ python -u osmo-smdpp.py -c generated Change-Id: I84b2666422b8ff565620f3827ef4d4d7635a21be --- M .gitignore A contrib/generate_certs.py M osmo-smdpp.py 3 files changed, 705 insertions(+), 12 deletions(-) git pull ssh://gerrit.osmocom.org:29418/pysim refs/changes/64/40464/1 diff --git a/.gitignore b/.gitignore index e9fa1d3..6b74841 100644 --- a/.gitignore +++ b/.gitignore @@ -10,3 +10,6 @@ /smdpp-data/sm-dp-sessions dist tags +smdpp-data/certs/DPtls/CERT_S_SM_DP_TLS_NIST.pem +smdpp-data/generated +smdpp-data/certs/dhparam2048.pem diff --git a/contrib/generate_certs.py b/contrib/generate_certs.py new file mode 100755 index 0000000..c107737 --- /dev/null +++ b/contrib/generate_certs.py @@ -0,0 +1,659 @@ +#!/usr/bin/env python3 + +""" +Faithfully reproduces the certs contained in SGP.26_v1.5_Certificates_18_07_2024.zip +""" + +import os +import binascii +from datetime import datetime +from cryptography import x509 +from cryptography.x509.oid import NameOID, ExtensionOID +from cryptography.hazmat.primitives import hashes, serialization +from cryptography.hazmat.primitives.asymmetric import ec +from cryptography.hazmat.backends import default_backend + +# Custom OIDs used in certificates +OID_CERTIFICATE_POLICIES_CI = "2.23.146.1.2.1.0" # CI cert policy +OID_CERTIFICATE_POLICIES_TLS = "2.23.146.1.2.1.3" # DPtls cert policy +OID_CERTIFICATE_POLICIES_AUTH = "2.23.146.1.2.1.4" # DPauth cert policy +OID_CERTIFICATE_POLICIES_PB = "2.23.146.1.2.1.5" # DPpb cert policy + +# Subject Alternative Name OIDs +OID_CI_RID = "2.999.1" # CI Registered ID +OID_DP_RID = "2.999.10" # DP+ Registered ID +OID_DP2_RID = "2.999.12" # DP+2 Registered ID +OID_DP4_RID = "2.999.14" # DP+4 Registered ID +OID_DP8_RID = "2.999.18" # DP+8 Registered ID + + +class SimplifiedCertificateGenerator: + def __init__(self): + self.backend = default_backend() + # Store generated CI keys to sign other certs + self.ci_certs = {} # {"BRP": cert, "NIST": cert} + self.ci_keys = {} # {"BRP": key, "NIST": key} + + def get_curve(self, curve_type): + """Get the appropriate curve object.""" + if curve_type == "BRP": + return ec.BrainpoolP256R1() + else: + return ec.SECP256R1() + + def generate_key_pair(self, curve): + """Generate a new EC key pair.""" + private_key = ec.generate_private_key(curve, self.backend) + return private_key + + def load_private_key_from_hex(self, hex_key, curve): + """Load EC private key from hex string.""" + key_bytes = binascii.unhexlify(hex_key.replace(":", "").replace(" ", "").replace("\n", "")) + key_int = int.from_bytes(key_bytes, 'big') + return ec.derive_private_key(key_int, curve, self.backend) + + def generate_ci_cert(self, curve_type): + """Generate CI certificate for either BRP or NIST curve.""" + curve = self.get_curve(curve_type) + private_key = self.generate_key_pair(curve) + + # Build subject and issuer (self-signed) - same for both + subject = issuer = x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, "Test CI"), + x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "TESTCERT"), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, "RSPTEST"), + x509.NameAttribute(NameOID.COUNTRY_NAME, "IT"), + ]) + + # Build certificate - all parameters same for both + builder = x509.CertificateBuilder() + builder = builder.subject_name(subject) + builder = builder.issuer_name(issuer) + builder = builder.not_valid_before(datetime(2020, 4, 1, 8, 27, 51)) + builder = builder.not_valid_after(datetime(2055, 4, 1, 8, 27, 51)) + builder = builder.serial_number(0xb874f3abfa6c44d3) + builder = builder.public_key(private_key.public_key()) + + # Add extensions - all same for both + builder = builder.add_extension( + x509.SubjectKeyIdentifier.from_public_key(private_key.public_key()), + critical=False + ) + + builder = builder.add_extension( + x509.BasicConstraints(ca=True, path_length=None), + critical=True + ) + + builder = builder.add_extension( + x509.CertificatePolicies([ + x509.PolicyInformation( + x509.ObjectIdentifier(OID_CERTIFICATE_POLICIES_CI), + policy_qualifiers=None + ) + ]), + critical=True + ) + + builder = builder.add_extension( + x509.KeyUsage( + digital_signature=False, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=False, + key_cert_sign=True, + crl_sign=True, + encipher_only=False, + decipher_only=False + ), + critical=True + ) + + builder = builder.add_extension( + x509.SubjectAlternativeName([ + x509.RegisteredID(x509.ObjectIdentifier(OID_CI_RID)) + ]), + critical=False + ) + + builder = builder.add_extension( + x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=[x509.UniformResourceIdentifier("http://ci.test.example.com/CRL-A.crl")], + relative_name=None, + reasons=None, + crl_issuer=None + ), + x509.DistributionPoint( + full_name=[x509.UniformResourceIdentifier("http://ci.test.example.com/CRL-B.crl")], + relative_name=None, + reasons=None, + crl_issuer=None + ) + ]), + critical=False + ) + + certificate = builder.sign(private_key, hashes.SHA256(), self.backend) + + self.ci_keys[curve_type] = private_key + self.ci_certs[curve_type] = certificate + + return certificate, private_key + + def generate_dp_cert(self, curve_type, subject_cn, serial, key_hex, + cert_policy_oid, rid_oid, validity_start, validity_end): + """Generate a DP certificate signed by CI - works for both BRP and NIST.""" + curve = self.get_curve(curve_type) + private_key = self.load_private_key_from_hex(key_hex, curve) + + ci_cert = self.ci_certs[curve_type] + ci_key = self.ci_keys[curve_type] + + subject = x509.Name([ + x509.NameAttribute(NameOID.ORGANIZATION_NAME, "ACME"), + x509.NameAttribute(NameOID.COMMON_NAME, subject_cn), + ]) + + builder = x509.CertificateBuilder() + builder = builder.subject_name(subject) + builder = builder.issuer_name(ci_cert.subject) + builder = builder.not_valid_before(validity_start) + builder = builder.not_valid_after(validity_end) + builder = builder.serial_number(serial) + builder = builder.public_key(private_key.public_key()) + + builder = builder.add_extension( + x509.AuthorityKeyIdentifier.from_issuer_public_key(ci_key.public_key()), + critical=False + ) + + builder = builder.add_extension( + x509.SubjectKeyIdentifier.from_public_key(private_key.public_key()), + critical=False + ) + + builder = builder.add_extension( + x509.SubjectAlternativeName([ + x509.RegisteredID(x509.ObjectIdentifier(rid_oid)) + ]), + critical=False + ) + + builder = builder.add_extension( + x509.KeyUsage( + digital_signature=True, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=False, + key_cert_sign=False, + crl_sign=False, + encipher_only=False, + decipher_only=False + ), + critical=True + ) + + builder = builder.add_extension( + x509.CertificatePolicies([ + x509.PolicyInformation( + x509.ObjectIdentifier(cert_policy_oid), + policy_qualifiers=None + ) + ]), + critical=True + ) + + builder = builder.add_extension( + x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=[x509.UniformResourceIdentifier("http://ci.test.example.com/CRL-A.crl")], + relative_name=None, + reasons=None, + crl_issuer=None + ), + x509.DistributionPoint( + full_name=[x509.UniformResourceIdentifier("http://ci.test.example.com/CRL-B.crl")], + relative_name=None, + reasons=None, + crl_issuer=None + ) + ]), + critical=False + ) + + certificate = builder.sign(ci_key, hashes.SHA256(), self.backend) + + return certificate, private_key + + def generate_tls_cert(self, curve_type, subject_cn, dns_name, serial, key_hex, + rid_oid, validity_start, validity_end): + """Generate a TLS certificate signed by CI.""" + curve = self.get_curve(curve_type) + private_key = self.load_private_key_from_hex(key_hex, curve) + + ci_cert = self.ci_certs[curve_type] + ci_key = self.ci_keys[curve_type] + + subject = x509.Name([ + x509.NameAttribute(NameOID.ORGANIZATION_NAME, "ACME"), + x509.NameAttribute(NameOID.COMMON_NAME, subject_cn), + ]) + + builder = x509.CertificateBuilder() + builder = builder.subject_name(subject) + builder = builder.issuer_name(ci_cert.subject) + builder = builder.not_valid_before(validity_start) + builder = builder.not_valid_after(validity_end) + builder = builder.serial_number(serial) + builder = builder.public_key(private_key.public_key()) + + builder = builder.add_extension( + x509.KeyUsage( + digital_signature=True, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=False, + key_cert_sign=False, + crl_sign=False, + encipher_only=False, + decipher_only=False + ), + critical=True + ) + + builder = builder.add_extension( + x509.ExtendedKeyUsage([ + x509.oid.ExtendedKeyUsageOID.SERVER_AUTH, + x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH + ]), + critical=True + ) + + builder = builder.add_extension( + x509.CertificatePolicies([ + x509.PolicyInformation( + x509.ObjectIdentifier(OID_CERTIFICATE_POLICIES_TLS), + policy_qualifiers=None + ) + ]), + critical=False + ) + + builder = builder.add_extension( + x509.SubjectKeyIdentifier.from_public_key(private_key.public_key()), + critical=False + ) + + builder = builder.add_extension( + x509.AuthorityKeyIdentifier.from_issuer_public_key(ci_key.public_key()), + critical=False + ) + + builder = builder.add_extension( + x509.SubjectAlternativeName([ + x509.DNSName(dns_name), + x509.RegisteredID(x509.ObjectIdentifier(rid_oid)) + ]), + critical=False + ) + + builder = builder.add_extension( + x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=[x509.UniformResourceIdentifier("http://ci.test.example.com/CRL-A.crl")], + relative_name=None, + reasons=None, + crl_issuer=None + ), + x509.DistributionPoint( + full_name=[x509.UniformResourceIdentifier("http://ci.test.example.com/CRL-B.crl")], + relative_name=None, + reasons=None, + crl_issuer=None + ) + ]), + critical=False + ) + + certificate = builder.sign(ci_key, hashes.SHA256(), self.backend) + + return certificate, private_key + + def generate_eum_cert(self, curve_type, key_hex): + """Generate EUM certificate signed by CI.""" + curve = self.get_curve(curve_type) + private_key = self.load_private_key_from_hex(key_hex, curve) + + ci_cert = self.ci_certs[curve_type] + ci_key = self.ci_keys[curve_type] + + subject = x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, "ES"), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, "RSP Test EUM"), + x509.NameAttribute(NameOID.COMMON_NAME, "EUM Test"), + ]) + + builder = x509.CertificateBuilder() + builder = builder.subject_name(subject) + builder = builder.issuer_name(ci_cert.subject) + builder = builder.not_valid_before(datetime(2020, 4, 1, 9, 28, 37)) + builder = builder.not_valid_after(datetime(2054, 3, 24, 9, 28, 37)) + builder = builder.serial_number(0x12345678) + builder = builder.public_key(private_key.public_key()) + + builder = builder.add_extension( + x509.AuthorityKeyIdentifier.from_issuer_public_key(ci_key.public_key()), + critical=False + ) + + builder = builder.add_extension( + x509.SubjectKeyIdentifier.from_public_key(private_key.public_key()), + critical=False + ) + + builder = builder.add_extension( + x509.KeyUsage( + digital_signature=False, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=False, + key_cert_sign=True, + crl_sign=False, + encipher_only=False, + decipher_only=False + ), + critical=True + ) + + builder = builder.add_extension( + x509.CertificatePolicies([ + x509.PolicyInformation( + x509.ObjectIdentifier("2.23.146.1.2.1.2"), # EUM policy + policy_qualifiers=None + ) + ]), + critical=True + ) + + builder = builder.add_extension( + x509.SubjectAlternativeName([ + x509.RegisteredID(x509.ObjectIdentifier("2.999.5")) + ]), + critical=False + ) + + builder = builder.add_extension( + x509.BasicConstraints(ca=True, path_length=0), + critical=True + ) + + builder = builder.add_extension( + x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=[x509.UniformResourceIdentifier("http://ci.test.example.com/CRL-B.crl")], + relative_name=None, + reasons=None, + crl_issuer=None + ) + ]), + critical=False + ) + + # Name Constraints + constrained_name = x509.Name([ + x509.NameAttribute(NameOID.ORGANIZATION_NAME, "RSP Test EUM"), + x509.NameAttribute(NameOID.SERIAL_NUMBER, "89049032"), + ]) + + name_constraints = x509.NameConstraints( + permitted_subtrees=[ + x509.DirectoryName(constrained_name) + ], + excluded_subtrees=None + ) + + builder = builder.add_extension( + name_constraints, + critical=True + ) + + certificate = builder.sign(ci_key, hashes.SHA256(), self.backend) + + return certificate, private_key + + def generate_euicc_cert(self, curve_type, eum_cert, eum_key, key_hex): + """Generate eUICC certificate signed by EUM.""" + curve = self.get_curve(curve_type) + private_key = self.load_private_key_from_hex(key_hex, curve) + + subject = x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, "ES"), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, "RSP Test EUM"), + x509.NameAttribute(NameOID.SERIAL_NUMBER, "89049032123451234512345678901235"), + x509.NameAttribute(NameOID.COMMON_NAME, "Test eUICC"), + ]) + + builder = x509.CertificateBuilder() + builder = builder.subject_name(subject) + builder = builder.issuer_name(eum_cert.subject) + builder = builder.not_valid_before(datetime(2020, 4, 1, 9, 48, 58)) + builder = builder.not_valid_after(datetime(7496, 1, 24, 9, 48, 58)) + builder = builder.serial_number(0x0200000000000001) + builder = builder.public_key(private_key.public_key()) + + builder = builder.add_extension( + x509.AuthorityKeyIdentifier.from_issuer_public_key(eum_key.public_key()), + critical=False + ) + + builder = builder.add_extension( + x509.SubjectKeyIdentifier.from_public_key(private_key.public_key()), + critical=False + ) + + builder = builder.add_extension( + x509.KeyUsage( + digital_signature=True, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=False, + key_cert_sign=False, + crl_sign=False, + encipher_only=False, + decipher_only=False + ), + critical=True + ) + + builder = builder.add_extension( + x509.CertificatePolicies([ + x509.PolicyInformation( + x509.ObjectIdentifier("2.23.146.1.2.1.1"), # eUICC policy + policy_qualifiers=None + ) + ]), + critical=True + ) + + certificate = builder.sign(eum_key, hashes.SHA256(), self.backend) + + return certificate, private_key + + def save_cert_and_key(self, cert, key, cert_path_der, cert_path_pem, key_path_sk, key_path_pk): + """Save certificate and key in various formats.""" + # Create directories if needed + os.makedirs(os.path.dirname(cert_path_der), exist_ok=True) + + with open(cert_path_der, "wb") as f: + f.write(cert.public_bytes(serialization.Encoding.DER)) + + if cert_path_pem: + with open(cert_path_pem, "wb") as f: + f.write(cert.public_bytes(serialization.Encoding.PEM)) + + if key and key_path_sk: + with open(key_path_sk, "wb") as f: + f.write(key.private_bytes( + encoding=serialization.Encoding.PEM, + format=serialization.PrivateFormat.TraditionalOpenSSL, + encryption_algorithm=serialization.NoEncryption() + )) + + if key and key_path_pk: + with open(key_path_pk, "wb") as f: + f.write(key.public_key().public_bytes( + encoding=serialization.Encoding.PEM, + format=serialization.PublicFormat.SubjectPublicKeyInfo + )) + + +def main(): + gen = SimplifiedCertificateGenerator() + + output_dir = "smdpp-data/generated" + os.makedirs(output_dir, exist_ok=True) + + print("=== Generating CI Certificates ===") + + for curve_type in ["BRP", "NIST"]: + ci_cert, ci_key = gen.generate_ci_cert(curve_type) + suffix = "_ECDSA_BRP" if curve_type == "BRP" else "_ECDSA_NIST" + gen.save_cert_and_key( + ci_cert, ci_key, + f"{output_dir}/CertificateIssuer/CERT_CI{suffix}.der", + f"{output_dir}/CertificateIssuer/CERT_CI{suffix}.pem", + None, None + ) + print(f"Generated CI {curve_type} certificate") + + print("\n=== Generating DPauth Certificates ===") + + dpauth_configs = [ + ("BRP", "TEST SM-DP+", 256, "93:fb:33:d0:58:4f:34:9b:07:f8:b5:d2:af:93:d7:c3:e3:54:b3:49:a3:b9:13:50:2e:6a:bc:07:0e:4d:49:29", OID_DP_RID, "DPauth"), + ("NIST", "TEST SM-DP+", 256, "0a:7c:c1:c2:44:e6:0c:52:cd:5b:78:07:ab:8c:36:0c:26:52:46:01:50:7d:ca:bc:5d:d5:98:b5:a6:16:d5:d5", OID_DP_RID, "DPauth"), + ("BRP", "TEST SM-DP+2", 512, "0c:17:35:5c:01:1d:0f:e8:d7:da:dd:63:f1:97:85:cf:6c:51:cb:cd:46:6a:e8:8b:e8:f8:1b:c1:05:88:46:f6", OID_DP2_RID, "DP2auth"), + ("NIST", "TEST SM-DP+2", 512, "9c:32:a0:95:d4:88:42:d9:ff:a4:04:f7:12:51:2a:a2:c5:42:5a:1a:26:38:6a:b6:a1:45:d5:81:1e:03:91:41", OID_DP2_RID, "DP2auth"), + ] + + for curve_type, cn, serial, key_hex, rid_oid, name_prefix in dpauth_configs: + cert, key = gen.generate_dp_cert( + curve_type, cn, serial, key_hex, + OID_CERTIFICATE_POLICIES_AUTH, rid_oid, + datetime(2020, 4, 1, 8, 31, 30), + datetime(2030, 3, 30, 8, 31, 30) + ) + suffix = "_ECDSA_BRP" if curve_type == "BRP" else "_ECDSA_NIST" + gen.save_cert_and_key( + cert, key, + f"{output_dir}/DPauth/CERT_S_SM_{name_prefix}{suffix}.der", + None, + f"{output_dir}/DPauth/SK_S_SM_{name_prefix}{suffix}.pem", + f"{output_dir}/DPauth/PK_S_SM_{name_prefix}{suffix}.pem" + ) + print(f"Generated {name_prefix} {curve_type} certificate") + + print("\n=== Generating DPpb Certificates ===") + + dppb_configs = [ + ("BRP", "TEST SM-DP+", 257, "75:ff:32:2f:41:66:16:da:e1:a4:84:ef:71:d4:87:4f:b0:df:32:95:fd:35:c2:cb:a4:89:fb:b2:bb:9c:7b:f6", OID_DP_RID, "DPpb"), + ("NIST", "TEST SM-DP+", 257, "dc:d6:94:b7:78:95:7e:8e:9a:dd:bd:d9:44:33:e9:ef:8f:73:d1:1e:49:1c:48:d4:25:a3:8a:94:91:bd:3b:ed", OID_DP_RID, "DPpb"), + ("BRP", "TEST SM-DP+2", 513, "9c:ae:2e:1a:56:07:a9:d5:78:38:2e:ee:93:2e:25:1f:52:30:4f:86:ee:b1:f1:70:8c:db:d3:c0:7b:e2:cd:3d", OID_DP2_RID, "DP2pb"), + ("NIST", "TEST SM-DP+2", 513, "66:93:11:49:63:9d:ba:ac:1d:c3:d3:06:c5:8b:d2:df:d2:2f:73:bf:63:ac:86:31:98:32:90:b5:7f:90:93:45", OID_DP2_RID, "DP2pb"), + ] + + for curve_type, cn, serial, key_hex, rid_oid, name_prefix in dppb_configs: + cert, key = gen.generate_dp_cert( + curve_type, cn, serial, key_hex, + OID_CERTIFICATE_POLICIES_PB, rid_oid, + datetime(2020, 4, 1, 8, 34, 46), + datetime(2030, 3, 30, 8, 34, 46) + ) + suffix = "_ECDSA_BRP" if curve_type == "BRP" else "_ECDSA_NIST" + gen.save_cert_and_key( + cert, key, + f"{output_dir}/DPpb/CERT_S_SM_{name_prefix}{suffix}.der", + None, + f"{output_dir}/DPpb/SK_S_SM_{name_prefix}{suffix}.pem", + f"{output_dir}/DPpb/PK_S_SM_{name_prefix}{suffix}.pem" + ) + print(f"Generated {name_prefix} {curve_type} certificate") + + print("\n=== Generating DPtls Certificates ===") + + dptls_configs = [ + ("BRP", "testsmdpplus1.example.com", "testsmdpplus1.example.com", 9, "3f:67:15:28:02:b3:f4:c7:fa:e6:79:58:55:f6:82:54:1e:45:e3:5e:ff:f4:e8:a0:55:65:a0:f1:91:2a:78:2e", OID_DP_RID, "DP_TLS_BRP"), + ("NIST", "testsmdpplus1.example.com", "testsmdpplus1.example.com", 9, "a0:3e:7c:e4:55:04:74:be:a4:b7:a8:73:99:ce:5a:8c:9f:66:1b:68:0f:94:01:39:ff:f8:4e:9d:ec:6a:4d:8c", OID_DP_RID, "DP_TLS_NIST"), + ("NIST", "testsmdpplus2.example.com", "testsmdpplus2.example.com", 12, "4e:65:61:c6:40:88:f6:69:90:7a:db:e3:94:b1:1a:84:24:2e:03:3a:82:a8:84:02:31:63:6d:c9:1b:4e:e3:f5", OID_DP2_RID, "DP2_TLS"), + ("NIST", "testsmdpplus4.example.com", "testsmdpplus4.example.com", 14, "f2:65:9d:2f:52:8f:4b:11:37:40:d5:8a:0d:2a:f3:eb:2b:48:e1:22:c2:b6:0a:6a:f6:fc:96:ad:86:be:6f:a4", OID_DP4_RID, "DP4_TLS"), + ("NIST", "testsmdpplus8.example.com", "testsmdpplus8.example.com", 18, "ff:6e:4a:50:9b:ad:db:38:10:88:31:c2:3c:cc:2d:44:30:7a:f2:81:e9:25:96:7f:8c:df:1d:95:54:a0:28:8d", OID_DP8_RID, "DP8_TLS"), + ] + + for curve_type, cn, dns, serial, key_hex, rid_oid, name_prefix in dptls_configs: + cert, key = gen.generate_tls_cert( + curve_type, cn, dns, serial, key_hex, rid_oid, + datetime(2024, 7, 9, 15, 29, 36), + datetime(2025, 8, 11, 15, 29, 36) + ) + gen.save_cert_and_key( + cert, key, + f"{output_dir}/DPtls/CERT_S_SM_{name_prefix}.der", + None, + f"{output_dir}/DPtls/SK_S_SM_{name_prefix.replace('_BRP', '_BRP').replace('_NIST', '_NIST')}.pem", + f"{output_dir}/DPtls/PK_S_SM_{name_prefix.replace('_BRP', '_BRP').replace('_NIST', '_NIST')}.pem" + ) + print(f"Generated {name_prefix} certificate") + + print("\n=== Generating EUM Certificates ===") + + eum_configs = [ + ("BRP", "12:9b:0a:b1:3f:17:e1:4a:40:b6:fa:4e:d8:23:e0:cf:46:5b:7b:3d:73:24:05:e6:29:5d:3b:23:b0:45:c9:9a"), + ("NIST", "25:e6:75:77:28:e1:e9:51:13:51:9c:dc:34:55:5c:29:ba:ed:23:77:3a:c5:af:dd:dc:da:d9:84:89:8a:52:f0"), + ] + + eum_certs = {} + eum_keys = {} + + for curve_type, key_hex in eum_configs: + cert, key = gen.generate_eum_cert(curve_type, key_hex) + eum_certs[curve_type] = cert + eum_keys[curve_type] = key + suffix = "_ECDSA_BRP" if curve_type == "BRP" else "_ECDSA_NIST" + gen.save_cert_and_key( + cert, key, + f"{output_dir}/EUM/CERT_EUM{suffix}.der", + None, + f"{output_dir}/EUM/SK_EUM{suffix}.pem", + f"{output_dir}/EUM/PK_EUM{suffix}.pem" + ) + print(f"Generated EUM {curve_type} certificate") + + print("\n=== Generating eUICC Certificates ===") + + euicc_configs = [ + ("BRP", "8d:c3:47:a7:6d:b7:bd:d6:22:2d:d7:5e:a1:a1:68:8a:ca:81:1e:4c:bc:6a:7f:6a:ef:a4:b2:64:19:62:0b:90"), + ("NIST", "11:e1:54:67:dc:19:4f:33:71:83:e4:60:c9:f6:32:60:09:1e:12:e8:10:26:cd:65:61:e1:7c:6d:85:39:cc:9c"), + ] + + for curve_type, key_hex in euicc_configs: + cert, key = gen.generate_euicc_cert(curve_type, eum_certs[curve_type], eum_keys[curve_type], key_hex) + suffix = "_ECDSA_BRP" if curve_type == "BRP" else "_ECDSA_NIST" + gen.save_cert_and_key( + cert, key, + f"{output_dir}/eUICC/CERT_EUICC{suffix}.der", + None, + f"{output_dir}/eUICC/SK_EUICC{suffix}.pem", + f"{output_dir}/eUICC/PK_EUICC{suffix}.pem" + ) + print(f"Generated eUICC {curve_type} certificate") + + print("\n=== Certificate generation complete! ===") + print(f"All certificates saved to: {output_dir}/") + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/osmo-smdpp.py b/osmo-smdpp.py index 9328b99..5baa154 100755 --- a/osmo-smdpp.py +++ b/osmo-smdpp.py @@ -17,6 +17,13 @@ # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. +from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature, encode_dss_signature +from cryptography import x509 +from cryptography.exceptions import InvalidSignature +from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives.asymmetric import ec, dh +from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat, PrivateFormat, NoEncryption, ParameterFormat +from pathlib import Path import json import sys import argparse @@ -72,12 +79,6 @@ if status_code_data: js['header']['functionExecutionStatus']['statusCodeData'] = status_code_data -from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature, encode_dss_signature -from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat, PrivateFormat, NoEncryption -from cryptography.hazmat.primitives.asymmetric import ec -from cryptography.hazmat.primitives import hashes -from cryptography.exceptions import InvalidSignature -from cryptography import x509 def ecdsa_tr03111_to_dss(sig: bytes) -> bytes: """convert an ECDSA signature from BSI TR-03111 format to DER: first get long integers; then encode those.""" @@ -134,13 +135,13 @@ return cert return None - def __init__(self, server_hostname: str, ci_certs_path: str, use_brainpool: bool = False): + def __init__(self, server_hostname: str, ci_certs_path: str, common_cert_path: str, use_brainpool: bool = False): self.server_hostname = server_hostname self.upp_dir = os.path.realpath(os.path.join(DATA_DIR, 'upp')) self.ci_certs = self.load_certs_from_path(ci_certs_path) # load DPauth cert + key self.dp_auth = CertAndPrivkey(oid.id_rspRole_dp_auth_v2) - cert_dir = os.path.join(DATA_DIR, 'certs') + cert_dir = common_cert_path if use_brainpool: self.dp_auth.cert_from_der_file(os.path.join(cert_dir, 'DPauth', 'CERT_S_SM_DPauth_ECDSA_BRP.der')) self.dp_auth.privkey_from_pem_file(os.path.join(cert_dir, 'DPauth', 'SK_S_SM_DPauth_ECDSA_BRP.pem')) @@ -583,13 +584,43 @@ parser = argparse.ArgumentParser() parser.add_argument("-H", "--host", help="Host/IP to bind HTTP to", default="localhost") parser.add_argument("-p", "--port", help="TCP port to bind HTTP to", default=8000) - #parser.add_argument("-v", "--verbose", help="increase output verbosity", action='count', default=0) - + parser.add_argument("-c", "--certpath", help=f"cert subdir relative to {DATA_DIR}", default="certs") + parser.add_argument("-s", "--nossl", help="do NOT use ssl", action='store_true', default=False) args = parser.parse_args() - hs = SmDppHttpServer(HOSTNAME, os.path.join(DATA_DIR, 'certs', 'CertificateIssuer'), use_brainpool=False) - #hs.app.run(endpoint_description="ssl:port=8000:dhParameters=dh_param_2048.pem") + common_cert_path = os.path.join(DATA_DIR, args.certpath) + hs = SmDppHttpServer(server_hostname=HOSTNAME, ci_certs_path=os.path.join(common_cert_path, 'CertificateIssuer'), common_cert_path=common_cert_path, use_brainpool=False) + if(args.nossl): hs.app.run(args.host, args.port) + else: + cert_derpath = Path(common_cert_path) / 'DPtls' / 'CERT_S_SM_DP_TLS_NIST.der' + cert_pempath = Path(common_cert_path) / 'DPtls' / 'CERT_S_SM_DP_TLS_NIST.pem' + cert_skpath = Path(common_cert_path) / 'DPtls' / 'SK_S_SM_DP_TLS_NIST.pem' + dhparam_path = Path(common_cert_path) / "dhparam2048.pem" + if not dhparam_path.exists(): + print("Generating dh params, this takes a few seconds..") + # Generate DH parameters with 2048-bit key size and generator 2 + parameters = dh.generate_parameters(generator=2, key_size=2048) + pem_data = parameters.parameter_bytes(encoding=Encoding.PEM,format=ParameterFormat.PKCS3) + with open(dhparam_path, 'wb') as file: + file.write(pem_data) + print("DH params created successfully") + + if not cert_pempath.exists(): + print("Translating tls server cert from DER to PEM..") + with open(cert_derpath, 'rb') as der_file: + der_cert_data = der_file.read() + + cert = x509.load_der_x509_certificate(der_cert_data) + pem_cert = cert.public_bytes(Encoding.PEM) #.decode('utf-8') + + with open(cert_pempath, 'wb') as pem_file: + pem_file.write(pem_cert) + + SERVER_STRING = f'ssl:{args.port}:privateKey={cert_skpath}:certKey={cert_pempath}:dhParameters={dhparam_path}' + print(SERVER_STRING) + + hs.app.run(host=HOSTNAME, port=args.port, endpoint_description=SERVER_STRING) if __name__ == "__main__": main(sys.argv) -- To view, visit https://gerrit.osmocom.org/c/pysim/+/40464?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: newchange Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: I84b2666422b8ff565620f3827ef4d4d7635a21be Gerrit-Change-Number: 40464 Gerrit-PatchSet: 1 Gerrit-Owner: Hoernchen <ewild(a)sysmocom.de>

1 week, 4 days

1
0
0 0

[S] Change in pysim[master]: smdpp: verify request headers

by Hoernchen

Hoernchen has uploaded this change for review. ( https://gerrit.osmocom.org/c/pysim/+/40466?usp=email ) Change subject: smdpp: verify request headers ...................................................................... smdpp: verify request headers Change-Id: Ic1221bcb87a9975a013ab356266d3cb76d9241f1 --- M osmo-smdpp.py 1 file changed, 11 insertions(+), 2 deletions(-) git pull ssh://gerrit.osmocom.org:29418/pysim refs/changes/66/40466/1 diff --git a/osmo-smdpp.py b/osmo-smdpp.py index 5baa154..74863f3 100755 --- a/osmo-smdpp.py +++ b/osmo-smdpp.py @@ -61,6 +61,16 @@ request.setHeader('Content-Type', 'application/json;charset=UTF-8') request.setHeader('X-Admin-Protocol', 'gsma/rsp/v2.1.0') +def validate_request_headers(request: IRequest): + """Validate mandatory HTTP headers according to SGP.22.""" + content_type = request.getHeader('Content-Type') + if not content_type or not content_type.startswith('application/json'): + raise ApiError('1.2.1', '2.1', 'Invalid Content-Type header') + + admin_protocol = request.getHeader('X-Admin-Protocol') + if admin_protocol and not admin_protocol.startswith('gsma/rsp/v'): + raise ApiError('1.2.2', '2.1', 'Unsupported X-Admin-Protocol version') + def build_status_code(subject_code: str, reason_code: str, subject_id: Optional[str], message: Optional[str]) -> Dict: r = {'subjectCode': subject_code, 'reasonCode': reason_code } if subject_id: @@ -180,8 +190,7 @@ functionality, such as JSON decoding/encoding and debug-printing.""" @functools.wraps(func) def _api_wrapper(self, request: IRequest): - # TODO: evaluate User-Agent + X-Admin-Protocol header - # TODO: reject any non-JSON Content-type + validate_request_headers(request) content = json.loads(request.content.read()) print("Rx JSON: %s" % json.dumps(content)) -- To view, visit https://gerrit.osmocom.org/c/pysim/+/40466?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: newchange Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: Ic1221bcb87a9975a013ab356266d3cb76d9241f1 Gerrit-Change-Number: 40466 Gerrit-PatchSet: 1 Gerrit-Owner: Hoernchen <ewild(a)sysmocom.de>

1 week, 4 days

1
0
0 0

[M] Change in pysim[master]: smdpp: less verbose by default

by Hoernchen

Hoernchen has uploaded this change for review. ( https://gerrit.osmocom.org/c/pysim/+/40468?usp=email ) Change subject: smdpp: less verbose by default ...................................................................... smdpp: less verbose by default Those data blobs are huge. Change-Id: I04a72b8f52417862d4dcba1f0743700dd942ef49 --- M osmo-smdpp.py M pySim/esim/bsp.py M pySim/esim/es8p.py 3 files changed, 51 insertions(+), 11 deletions(-) git pull ssh://gerrit.osmocom.org:29418/pysim refs/changes/68/40468/1 diff --git a/osmo-smdpp.py b/osmo-smdpp.py index 92bbb42..b8b6303 100755 --- a/osmo-smdpp.py +++ b/osmo-smdpp.py @@ -47,6 +47,9 @@ from pySim.esim.x509_cert import oid, cert_policy_has_oid, cert_get_auth_key_id from pySim.esim.x509_cert import CertAndPrivkey, CertificateSet, cert_get_subject_key_id, VerifyError +import logging +logger = logging.getLogger(__name__) + # HACK: make this configurable DATA_DIR = './smdpp-data' HOSTNAME = 'testsmdpplus1.example.com' # must match certificates! @@ -356,7 +359,7 @@ validate_request_headers(request) content = json.loads(request.content.read()) - print("Rx JSON: %s" % json.dumps(content)) + logger.debug("Rx JSON: %s" % json.dumps(content)) set_headers(request) output = func(self, request, content) @@ -364,7 +367,7 @@ return '' build_resp_header(output) - print("Tx JSON: %s" % json.dumps(output)) + logger.debug("Tx JSON: %s" % json.dumps(output)) return json.dumps(output) return _api_wrapper @@ -383,7 +386,7 @@ euiccInfo1_bin = b64decode(content['euiccInfo1']) euiccInfo1 = rsp.asn1.decode('EUICCInfo1', euiccInfo1_bin) - print("Rx euiccInfo1: %s" % euiccInfo1) + logger.debug("Rx euiccInfo1: %s" % euiccInfo1) #euiccInfo1['svn'] # TODO: If euiccCiPKIdListForSigningV3 is present ... @@ -458,7 +461,7 @@ authenticateServerResp_bin = b64decode(content['authenticateServerResponse']) authenticateServerResp = rsp.asn1.decode('AuthenticateServerResponse', authenticateServerResp_bin) - print("Rx %s: %s" % authenticateServerResp) + logger.debug("Rx %s: %s" % authenticateServerResp) if authenticateServerResp[0] == 'authenticateResponseError': r_err = authenticateServerResp[1] #r_err['transactionId'] @@ -589,7 +592,7 @@ prepDownloadResp_bin = b64decode(content['prepareDownloadResponse']) prepDownloadResp = rsp.asn1.decode('PrepareDownloadResponse', prepDownloadResp_bin) - print("Rx %s: %s" % prepDownloadResp) + logger.debug("Rx %s: %s" % prepDownloadResp) if prepDownloadResp[0] == 'downloadResponseError': r_err = prepDownloadResp[1] @@ -611,7 +614,7 @@ # store otPK.EUICC.ECKA in session state ss.euicc_otpk = euiccSigned2['euiccOtpk'] - print("euiccOtpk: %s" % (b2h(ss.euicc_otpk))) + logger.debug("euiccOtpk: %s" % (b2h(ss.euicc_otpk))) # Generate a one-time ECKA key pair (ot{PK,SK}.DP.ECKA) using the curve indicated by the Key Parameter # Reference value of CERT.DPpb.ECDDSA @@ -619,8 +622,8 @@ ss.smdp_ot = ec.generate_private_key(self.dp_pb.get_curve()) # extract the public key in (hopefully) the right format for the ES8+ interface ss.smdp_otpk = ss.smdp_ot.public_key().public_bytes(Encoding.X962, PublicFormat.UncompressedPoint) - print("smdpOtpk: %s" % b2h(ss.smdp_otpk)) - print("smdpOtsk: %s" % b2h(ss.smdp_ot.private_bytes(Encoding.DER, PrivateFormat.PKCS8, NoEncryption()))) + logger.debug("smdpOtpk: %s" % b2h(ss.smdp_otpk)) + logger.debug("smdpOtsk: %s" % b2h(ss.smdp_ot.private_bytes(Encoding.DER, PrivateFormat.PKCS8, NoEncryption()))) ss.host_id = b'mahlzeit' @@ -661,7 +664,7 @@ request.setResponseCode(204) pendingNotification_bin = b64decode(content['pendingNotification']) pendingNotification = rsp.asn1.decode('PendingNotification', pendingNotification_bin) - print("Rx %s: %s" % pendingNotification) + logger.debug("Rx %s: %s" % pendingNotification) if pendingNotification[0] == 'profileInstallationResult': profileInstallRes = pendingNotification[1] pird = profileInstallRes['profileInstallationResultData'] @@ -714,7 +717,7 @@ @rsp_api_wrapper def cancelSession(self, request: IRequest, content: dict) -> dict: """See ES9+ CancelSession in SGP.22 Section 5.6.5""" - print("Rx JSON: %s" % content) + logger.debug("Rx JSON: %s" % content) transactionId = content['transactionId'] # Verify that the received transactionId is known and relates to an ongoing RSP session @@ -724,7 +727,7 @@ cancelSessionResponse_bin = b64decode(content['cancelSessionResponse']) cancelSessionResponse = rsp.asn1.decode('CancelSessionResponse', cancelSessionResponse_bin) - print("Rx %s: %s" % cancelSessionResponse) + logger.debug("Rx %s: %s" % cancelSessionResponse) if cancelSessionResponse[0] == 'cancelSessionResponseError': # FIXME: print some error @@ -760,8 +763,11 @@ parser.add_argument("-p", "--port", help="TCP port to bind HTTP to", default=8000) parser.add_argument("-c", "--certpath", help=f"cert subdir relative to {DATA_DIR}", default="certs") parser.add_argument("-s", "--nossl", help="do NOT use ssl", action='store_true', default=False) + parser.add_argument("-v", "--verbose", help="dump more raw info", action='store_true', default=False) args = parser.parse_args() + logging.basicConfig(level=logging.DEBUG if args.verbose else logging.WARNING) + common_cert_path = os.path.join(DATA_DIR, args.certpath) hs = SmDppHttpServer(server_hostname=HOSTNAME, ci_certs_path=os.path.join(common_cert_path, 'CertificateIssuer'), common_cert_path=common_cert_path, use_brainpool=False) if(args.nossl): diff --git a/pySim/esim/bsp.py b/pySim/esim/bsp.py index fb4c0b3..6935802 100644 --- a/pySim/esim/bsp.py +++ b/pySim/esim/bsp.py @@ -149,8 +149,18 @@ temp_data = self.mac_chain + tag_and_length + data old_mcv = self.mac_chain c_mac = self._auth(temp_data) + + # DEBUG: Show MAC computation details + logger.debug(f"MAC_DEBUG: tag=0x{tag:02x}, lcc={lcc}") + logger.debug(f"MAC_DEBUG: tag_and_length: {tag_and_length.hex()}") + logger.debug(f"MAC_DEBUG: mac_chain[:20]: {old_mcv[:20].hex()}") + logger.debug(f"MAC_DEBUG: temp_data[:20]: {temp_data[:20].hex()}") + logger.debug(f"MAC_DEBUG: c_mac: {c_mac.hex()}") + # The output data is computed by concatenating the following data: the tag, the final length, the result of step 2 and the C-MAC value. ret = tag_and_length + data + c_mac + logger.debug(f"MAC_DEBUG: final_output[:20]: {ret[:20].hex()}") + logger.debug("auth(tag=0x%x, mcv=%s, s_mac=%s, plaintext=%s, temp=%s) -> %s", tag, b2h(old_mcv), b2h(self.s_mac), b2h(data), b2h(temp_data), b2h(ret)) return ret @@ -204,6 +214,11 @@ s_enc = out[l:2*l] s_mac = out[l*2:3*l] + logger.debug(f"BSP_KDF_DEBUG: kdf_out = {b2h(out)}") + logger.debug(f"BSP_KDF_DEBUG: initial_mcv = {b2h(initial_mac_chaining_value)}") + logger.debug(f"BSP_KDF_DEBUG: s_enc = {b2h(s_enc)}") + logger.debug(f"BSP_KDF_DEBUG: s_mac = {b2h(s_mac)}") + return s_enc, s_mac, initial_mac_chaining_value @@ -231,9 +246,21 @@ """Encrypt + MAC a single plaintext TLV. Returns the protected ciphertext.""" assert tag <= 255 assert len(plaintext) <= self.max_payload_size + + # DEBUG: Show what we're processing + logger.debug(f"BSP_DEBUG: encrypt_and_mac_one(tag=0x{tag:02x}, plaintext_len={len(plaintext)})") + logger.debug(f"BSP_DEBUG: plaintext[:20]: {plaintext[:20].hex()}") + logger.debug(f"BSP_DEBUG: s_enc[:20]: {self.c_algo.s_enc[:20].hex()}") + logger.debug(f"BSP_DEBUG: s_mac[:20]: {self.m_algo.s_mac[:20].hex()}") + logger.debug("encrypt_and_mac_one(tag=0x%x, plaintext=%s)", tag, b2h(plaintext)) ciphered = self.c_algo.encrypt(plaintext) + logger.debug(f"BSP_DEBUG: ciphered[:20]: {ciphered[:20].hex()}") + maced = self.m_algo.auth(tag, ciphered) + logger.debug(f"BSP_DEBUG: final_result[:20]: {maced[:20].hex()}") + logger.debug(f"BSP_DEBUG: final_result_len: {len(maced)}") + return maced def encrypt_and_mac(self, tag: int, plaintext:bytes) -> List[bytes]: diff --git a/pySim/esim/es8p.py b/pySim/esim/es8p.py index 8bd7e14..4c854f1 100644 --- a/pySim/esim/es8p.py +++ b/pySim/esim/es8p.py @@ -25,6 +25,9 @@ from pySim.esim.bsp import BspInstance from pySim.esim import PMO +import logging +logger = logging.getLogger(__name__) + # Given that GSMA RSP uses ASN.1 in a very weird way, we actually cannot encode the full data type before # signing, but we have to build parts of it separately first, then sign that, so we can put the signature # into the same sequence as the signed data. We use the existing pySim TLV code for this. @@ -196,8 +199,12 @@ # 'initialiseSecureChannelRequest' bpp_seq = rsp.asn1.encode('InitialiseSecureChannelRequest', iscr) # firstSequenceOf87 + logger.debug(f"BPP_ENCODE_DEBUG: Encrypting ConfigureISDP with BSP keys") + logger.debug(f"BPP_ENCODE_DEBUG: BSP S-ENC: {bsp.c_algo.s_enc.hex()}") + logger.debug(f"BPP_ENCODE_DEBUG: BSP S-MAC: {bsp.m_algo.s_mac.hex()}") bpp_seq += encode_seq(0xa0, bsp.encrypt_and_mac(0x87, conf_idsp_bin)) # sequenceOF88 + logger.debug(f"BPP_ENCODE_DEBUG: MAC-only StoreMetadata with BSP keys") bpp_seq += encode_seq(0xa1, bsp.mac_only(0x88, smr_bin)) if self.ppp: # we have to use session keys -- To view, visit https://gerrit.osmocom.org/c/pysim/+/40468?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: newchange Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: I04a72b8f52417862d4dcba1f0743700dd942ef49 Gerrit-Change-Number: 40468 Gerrit-PatchSet: 1 Gerrit-Owner: Hoernchen <ewild(a)sysmocom.de>

1 week, 4 days

1
0
0 0

2025

2024

2023

2022

gerrit-log