laforge has submitted this change. ( https://gerrit.osmocom.org/c/pysim/+/38150?usp=email )
Change subject: docs: Bring osmo-smdpp documentation up to date with code ......................................................................
docs: Bring osmo-smdpp documentation up to date with code
Change-Id: Ibaab1fadd5d35ecdb356bed1820074b1b0a1752e Closes: OS#6418 --- M docs/osmo-smdpp.rst 1 file changed, 13 insertions(+), 7 deletions(-)
Approvals: laforge: Looks good to me, approved fixeria: Looks good to me, but someone else must approve Jenkins Builder: Verified
diff --git a/docs/osmo-smdpp.rst b/docs/osmo-smdpp.rst index ad7d902..afc4eb8 100644 --- a/docs/osmo-smdpp.rst +++ b/docs/osmo-smdpp.rst @@ -19,15 +19,20 @@
osmo-smdpp currently
-* uses test certificates copied from GSMA SGP.26 into `./smdpp-data/certs`, assuming that your osmo-smdppp - would be running at the host name `testsmdpplus1.example.com` +* [by default] uses test certificates copied from GSMA SGP.26 into `./smdpp-data/certs`, assuming that your + osmo-smdppp would be running at the host name `testsmdpplus1.example.com`. You can of course replace those + certificates with your own, whether SGP.26 derived or part of a *private root CA* setup with mathcing eUICCs. * doesn't understand profile state. Any profile can always be downloaded any number of times, irrespective - of the EID or whether it was donwloaded before -* doesn't perform any personalization, so the IMSI/ICCID etc. are always identical + of the EID or whether it was donwloaded before. This is actually very useful for R&D and testing, as it + doesn't require you to generate new profiles all the time. This logic of course is unsuitable for + production usage. +* doesn't perform any personalization, so the IMSI/ICCID etc. are always identical (the ones that are stored in + the respective UPP `.der` files) * **is absolutely insecure**, as it
- * does not perform any certificate verification - * does not evaluate/consider any *Matching ID* or *Confirmation Code* + * does not perform all of the mandatory certificate verification (it checks the certificate chain, but not + the expiration dates nor any CRL) + * does not evaluate/consider any *Confirmation Code* * stores the sessions in an unencrypted _python shelve_ and is hence leaking one-time key materials used for profile encryption and signing.
@@ -82,7 +87,8 @@ and it will bind its plain-HTTP ES9+ interface to local TCP port 8000.
The `smdpp-data/certs`` directory contains the DPtls, DPauth and DPpb as well as CI certificates -used; they are copied from GSMA SGP.26 v2. +used; they are copied from GSMA SGP.26 v2. You can of course replace them with custom certificates +if you're operating eSIM with a *private root CA*.
The `smdpp-data/upp` directory contains the UPP (Unprotected Profile Package) used. The file names (without .der suffix) are looked up by the matchingID parameter from the activation code presented by the LPA.