[S] Change in pysim[master]: personalization audit: by default audit all SD keys - gerrit-log

5 May 2025

neels has uploaded this change for review. ( https://gerrit.osmocom.org/c/pysim/+/40209?usp=email )
Change subject: personalization audit: by default audit all SD keys
......................................................................
personalization audit: by default audit all SD keys
Audit also all Security Domain KVN that we have *not* created
ConfigurableParameter subclasses for.
For example, SCP80 has reserved kvn 0x01..0x0f, but we offer only
Scp80Kvn01, Scp80Kvn02, Scp80Kvn03. So we would not show kvn
0x03..0x0f in an audit.
This patch includes audits of all SD key kvn there may be in the UPP.
This will help to spot SD keys that may already be present in a UPP
template, with unexpected / unusual kvn.
Change-Id: Icaf6f7b589f117868633c0968a99f2f0252cf612
---
M pySim/esim/saip/personalization.py
1 file changed, 23 insertions(+), 2 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/pysim refs/changes/09/40209/1

diff --git a/pySim/esim/saip/personalization.py b/pySim/esim/saip/personalization.py
index 3919e79..6828ada 100644
--- a/pySim/esim/saip/personalization.py
+++ b/pySim/esim/saip/personalization.py
@@ -1173,11 +1173,18 @@
     """
@classmethod
-    def from_der(cls, der: bytes, params: List):
+    def from_der(cls, der: bytes, params: List, additional_sd_keys=True):
         '''return a dict of parameter name and set of parameter values found in a DER encoded profile.
         Read all parameters listed in params. This calls only classmethods, so each entry in params can either be a class or
         an instance of a class, of a (non-abstract) ConfigurableParameter subclass. For example, params = [Imsi, ] is
-        equivalent to params = [Imsi(), ].'''
+        equivalent to params = [Imsi(), ].
+
+        For additional_sd_keys=True, audit also all Security Domain KVN that there are *no* ConfigurableParameter
+        subclasses for. For example, SCP80 has reserved kvn 0x01..0x0f, but we offer only Scp80Kvn01, Scp80Kvn02,
+        Scp80Kvn03. So we would not show kvn 0x03..0x0f in an audit. additional_sd_keys=True includes audits of all SD
+        key KVN there may be in the UPP. This helps to spot SD keys that may already be present in a UPP template, with
+        unexpected / unusual kvn.
+        '''
         upp_audit = cls()
upp_audit['der_size'] = set((len(der), ))
@@ -1193,6 +1200,20 @@
                     upp_audit.add_values(valdict)
             except (TypeError, ValueError) as e:
                 raise ValueError(f'Error during audit for parameter {key}: {e}') from e
+
+        if not additional_sd_keys:
+            return upp_audit
+
+        # additional_sd_keys
+        for pe in pes.pe_list:
+            if pe.type != 'securityDomain':
+                continue
+            assert isinstance(pe, ProfileElementSD)
+
+            for key in pe.keys:
+                audit_key = f'SdKey_KVN{key.key_version_number:02x}_ID{key.key_identifier:02x}'
+                audit_val = f'{key.key_components!r} {key.key_usage_qualifier!r}'
+                upp_audit[audit_key] = audit_val
         return upp_audit
def get_single_val(self, param, validate=True, allow_absent=False, absent_val=None):
-- 
To view, visit https://gerrit.osmocom.org/c/pysim/+/40209?usp=email
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email

Gerrit-MessageType: newchange
Gerrit-Project: pysim
Gerrit-Branch: master
Gerrit-Change-Id: Icaf6f7b589f117868633c0968a99f2f0252cf612
Gerrit-Change-Number: 40209
Gerrit-PatchSet: 1
Gerrit-Owner: neels nhofmeyr@sysmocom.de



    