Attention is currently required from: dexter.
laforge has posted comments on this change by dexter. (
https://gerrit.osmocom.org/c/pysim/+/39225?usp=email )
Change subject: global_platform: fix usage of the Key Version Number (kvn)
......................................................................
Patch Set 3: Code-Review+1
(1 comment)
File pySim/global_platform/scp.py:
https://gerrit.osmocom.org/c/pysim/+/39225/comment/9e5d033c_48ccc764?usp=em… :
PS2, Line 230: kvn_ranges = [[0x00, 0x00], [0x01, 0x01], [0x20, 0x2f], [0x70, 0x70]]
I have tried to find some more information about those
ranges, but I couldn't find any information a […]
The spec reference you indicated just talks about KVN / KID within the same SD. The check I implemented originally is about deriving the SCP version from the KVN. The spec quote says nothing about those.
* TS 102 225 Annex A.1 states KVN 0x01..0x0F shall be used for SCP80
* GPC_GUI_003 states
  * For the Issuer Security Domain, this is initially Key Version Number 'FF' which has been deliberately chosen to be outside of the allowable range ('01' to '7F') for a Key Version Number.
  * It is logical that the initial keys in the Issuer Security Domain be replaced by an initial issuer Key Version Number in the range '01' to '6F'.
  * Key Version Numbers '70' to '72' and '74' to '7F' are reserved for future use.
  * On an implementation supporting Supplementary Security Domains, the RSA public key with a Key Version Number '73' and a Key Identifier of '01' has the following functionality in a Supplementary Security Domain with the DAP Verification privilege [...]
* GPC_GUI_010 V1.0.1 Section 6 states
  * Key Version number range ('20' to '2F') is reserved for SCP02
  * Key Version 'FF' is reserved for use by an Issuer Security Domain supporting SCP02, and cannot be used for SCP80. This initial key set shall be replaced by a key set with a Key Version Number in the ('20' to '2F') range.
  * Key Version number range ('01' to '0F') is reserved for SCP80
  * Key Version number '70' with Key Identifier '01' is reserved for the Token Key, which is either a RSA public key or a DES key
  * Key Version number '71' with Key Identifier '01' is reserved for the Receipt Key, which is a DES key
  * Key Version Number '11' is reserved for DAP as specified in ETSI TS 102 226 [2]
  * Key Version Number '73' with Key Identifier '01' is reserved for the DAP verification key as specified in sections 3.3.3 and 4 of [4], which is either an RSA public key or DES key
  * Key Version Number '74' is reserved for the CASD Keys (cf. section 9.2)
  * Key Version Number '75' with Key Identifier '01' is reserved for the key used to decipher the Ciphered Load File Data Block described in section 4.8 of [5].
Sadly I don't have the UICC Configuration 2.0 document, and GP charges 1495 USD for a copy, so I'm currently unable to "officially" confirm that the '30 .. 3F' range is reserved for SCP03.
Given I did all the above research now during this patch review, please add a commit that copy+pastes the above KVN ranges somewhere into the pySim source code for further reference.
--
Gerrit-MessageType: comment
Gerrit-Project: pysim
Gerrit-Branch: master
Gerrit-Change-Id: I42be2438c7f199b238f2ec7a9434cec5393210a7
Gerrit-Change-Number: 39225
Gerrit-PatchSet: 3
Gerrit-Owner: dexter <pmaier(a)sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <laforge(a)osmocom.org>
Gerrit-Attention: dexter <pmaier(a)sysmocom.de>
Gerrit-Comment-Date: Wed, 08 Jan 2025 11:29:56 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Comment-In-Reply-To: laforge <laforge(a)osmocom.org>
Comment-In-Reply-To: dexter <pmaier(a)sysmocom.de>
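
The check discussed in the comment above (deriving the SCP version from the KVN), sketched as an added example that is not part of the original e-mail and is not pySim's code. The rule table is transcribed from the TS 102 225 and GPC_GUI_010 quotes in the comment; the function and variable names are hypothetical, and the '30'..'3F' range is kept separate and flagged because the comment could not confirm it.

```python
# Added illustration; not pySim code. All names here are hypothetical.
# Reservations are transcribed from the spec quotes in the review comment.
KVN_RULES = [
    # (first KVN, last KVN, required KID or None, purpose, SCP version or None)
    (0x01, 0x0F, None, "SCP80 key set", "SCP80"),
    (0x11, 0x11, None, "DAP (ETSI TS 102 226)", None),
    (0x20, 0x2F, None, "SCP02 key set", "SCP02"),
    (0x70, 0x70, 0x01, "Token Key", None),
    (0x71, 0x71, 0x01, "Receipt Key", None),
    (0x73, 0x73, 0x01, "DAP verification key", None),
    (0x74, 0x74, None, "CASD keys", None),
    (0x75, 0x75, 0x01, "Ciphered Load File Data Block key", None),
    (0xFF, 0xFF, None, "initial ISD key set (SCP02 only)", "SCP02"),
]
# The review could not confirm this range, so it is kept apart and flagged.
UNCONFIRMED = [(0x30, 0x3F, "SCP03")]


def classify_kvn(kvn, kid=None):
    """Return (purpose, scp, confirmed); purpose is None if nothing matches."""
    if not 0x00 <= kvn <= 0xFF:
        raise ValueError("KVN must fit in one byte")
    for first, last, need_kid, purpose, scp in KVN_RULES:
        # A KID-specific reservation only applies when the KID matches
        # (or when the caller did not supply a KID at all).
        if first <= kvn <= last and (need_kid is None or kid in (None, need_kid)):
            return purpose, scp, True
    for first, last, scp in UNCONFIRMED:
        if first <= kvn <= last:
            return f"{scp} key set", scp, False
    return None, None, True


def check_scp_choice(kvn, scp):
    """Return a list of problems with opening secure channel `scp` using `kvn`."""
    purpose, reserved_scp, confirmed = classify_kvn(kvn)
    if purpose is None:
        return [f"KVN {kvn:#04x} has no reservation in the quoted documents"]
    if reserved_scp is None:
        return [f"KVN {kvn:#04x} is reserved for {purpose}, not a secure channel"]
    problems = []
    if reserved_scp != scp:
        problems.append(f"KVN {kvn:#04x} is reserved for {reserved_scp}, not {scp}")
    if not confirmed:
        problems.append(f"{reserved_scp} reservation for KVN {kvn:#04x} is unconfirmed")
    return problems
```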