[S] Change in pysim[master]: docs: Bring osmo-smdpp documentation up to date with code

laforge has submitted this change. ( https://gerrit.osmocom.org/c/pysim/+/38150?usp=email ) Change subject: docs: Bring osmo-smdpp documentation up to date with code ...................................................................... docs: Bring osmo-smdpp documentation up to date with code Change-Id: Ibaab1fadd5d35ecdb356bed1820074b1b0a1752e Closes: OS#6418 --- M docs/osmo-smdpp.rst 1 file changed, 13 insertions(+), 7 deletions(-) Approvals: laforge: Looks good to me, approved fixeria: Looks good to me, but someone else must approve Jenkins Builder: Verified diff --git a/docs/osmo-smdpp.rst b/docs/osmo-smdpp.rst index ad7d902..afc4eb8 100644 --- a/docs/osmo-smdpp.rst +++ b/docs/osmo-smdpp.rst @@ -19,15 +19,20 @@ osmo-smdpp currently -* uses test certificates copied from GSMA SGP.26 into `./smdpp-data/certs`, assuming that your osmo-smdppp - would be running at the host name `testsmdpplus1.example.com` +* [by default] uses test certificates copied from GSMA SGP.26 into `./smdpp-data/certs`, assuming that your + osmo-smdppp would be running at the host name `testsmdpplus1.example.com`. You can of course replace those + certificates with your own, whether SGP.26 derived or part of a *private root CA* setup with mathcing eUICCs. * doesn't understand profile state. Any profile can always be downloaded any number of times, irrespective - of the EID or whether it was donwloaded before -* doesn't perform any personalization, so the IMSI/ICCID etc. are always identical + of the EID or whether it was donwloaded before. This is actually very useful for R&D and testing, as it + doesn't require you to generate new profiles all the time. This logic of course is unsuitable for + production usage. +* doesn't perform any personalization, so the IMSI/ICCID etc. are always identical (the ones that are stored in + the respective UPP `.der` files) * **is absolutely insecure**, as it - * does not perform any certificate verification - * does not evaluate/consider any *Matching ID* or *Confirmation Code* + * does not perform all of the mandatory certificate verification (it checks the certificate chain, but not + the expiration dates nor any CRL) + * does not evaluate/consider any *Confirmation Code* * stores the sessions in an unencrypted _python shelve_ and is hence leaking one-time key materials used for profile encryption and signing. @@ -82,7 +87,8 @@ and it will bind its plain-HTTP ES9+ interface to local TCP port 8000. The `smdpp-data/certs`` directory contains the DPtls, DPauth and DPpb as well as CI certificates -used; they are copied from GSMA SGP.26 v2. +used; they are copied from GSMA SGP.26 v2. You can of course replace them with custom certificates +if you're operating eSIM with a *private root CA*. The `smdpp-data/upp` directory contains the UPP (Unprotected Profile Package) used. The file names (without .der suffix) are looked up by the matchingID parameter from the activation code presented by the LPA. -- To view, visit https://gerrit.osmocom.org/c/pysim/+/38150?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: Ibaab1fadd5d35ecdb356bed1820074b1b0a1752e Gerrit-Change-Number: 38150 Gerrit-PatchSet: 6 Gerrit-Owner: laforge <laforge(a)osmocom.org> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: fixeria <vyanitskiy(a)sysmocom.de> Gerrit-Reviewer: laforge <laforge(a)osmocom.org> Gerrit-Reviewer: pespin <pespin(a)sysmocom.de>