Initial proof-of-concept SM-DP+ for GSMA consumer eSIM RSP
This commit introduces * the osmo-smdpp.py program implementing the main procedures and the HTTP/REST based ES9+ * python modules for ES8+ and non-volatile RSP Session State storage * the ASN.1 source files required to parse/encode RSP * 3GPP test certificates from SGP.26 * an unsigned profile package (UPP) of a SAIP v2.3 TS48 test profile As I couldn't get the 'Klein' tls support to work, the SM-DP+ code currently does not support HTTPS/TLS but plan HTTP, so you either have to modify your LPA to use HTTP instead of HTTPS, or put a TLS proxy in front. I have successfully installed an eSIM profile on a test eUICC that contains certificate/key data within the test CI defined in GSMA SGP.26 Change-Id: I6232847432dc6920cd2bd08c84d7099c29ca1c11
This commit is contained in:
Harald Welte
93
docs/osmo-smdpp.rst
Normal file
93
docs/osmo-smdpp.rst
Normal file
@@ -0,0 +1,93 @@
|
||||
osmo-smdpp
|
||||
==========
|
||||
|
||||
`osmo-smdpp` is a proof-of-concept implementation of a minimal **SM-DP+** as specified for the *GSMA
|
||||
Consumer eSIM Remote SIM provisioning*.
|
||||
|
||||
At least at this point, it is intended to be used for research and development, and not as a
|
||||
production SM-DP+.
|
||||
|
||||
Unless you are a GSMA SAS-SM accredited SM-DP+ operator and have related DPtls, DPauth and DPpb
|
||||
certificates signed by the GSMA CI, you **can not use osmo-smdpp with regular production eUICC**.
|
||||
This is due to how the GSMA eSIM security architecture works. You can, however, use osmo-smdpp with
|
||||
so-called *test-eUICC*, which contain certificates/keys signed by GSMA test certificates as laid out
|
||||
in GSMA SGP.26.
|
||||
|
||||
At this point, osmo-smdpp does not support anything beyond the bare minimum required to download
|
||||
eSIM profiles to an eUICC. Specifically, there is no ES2+ interface, and there is no built-in
|
||||
support for profile personalization yet.
|
||||
|
||||
osmo-smdpp currently
|
||||
|
||||
* always provides the exact same profile to every request. The profile always has the same IMSI and
|
||||
ICCID.
|
||||
* **is absolutely insecure**, as it
|
||||
|
||||
* does not perform any certificate verification
|
||||
* does not evaluate/consider any *Matching ID* or *Confirmation Code*
|
||||
* stores the sessions in an unencrypted _python shelve_ and is hence leaking one-time key materials
|
||||
used for profile encryption and signing.
|
||||
|
||||
|
||||
Running osmo-smdpp
|
||||
------------------
|
||||
|
||||
osmo-smdpp does not have built-in TLS support as the used *twisted* framework appears to have
|
||||
problems when using the example elliptic curve certificates (both NIST and Brainpool) from GSMA.
|
||||
|
||||
So in order to use it, you have to put it behind a TLS reverse proxy, which terminates the ES9+
|
||||
HTTPS from the LPA, and then forwards it as plain HTTP to osmo-smdpp.
|
||||
|
||||
nginx as TLS proxy
|
||||
~~~~~~~~~~~~~~~~~~
|
||||
|
||||
If you use `nginx` as web server, you can use the following configuration snippet::
|
||||
|
||||
upstream smdpp {
|
||||
server localhost:8000;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
server_name testsmdpplus1.example.com;
|
||||
|
||||
ssl_certificate /my/path/to/pysim/smdpp-data/certs/DPtls/CERT_S_SM_DP_TLS_NIST.pem;
|
||||
ssl_certificate_key /my/path/to/pysim/smdpp-data/certs/DPtls/SK_S_SM_DP_TLS_NIST.pem;
|
||||
|
||||
location / {
|
||||
proxy_read_timeout 600s;
|
||||
|
||||
proxy_hide_header X-Powered-By;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Forwarded-Port $proxy_port;
|
||||
proxy_set_header Host $host;
|
||||
|
||||
proxy_pass http://smdpp/;
|
||||
}
|
||||
}
|
||||
|
||||
You can of course achieve a similar functionality with apache, lighttpd or many other web server
|
||||
software.
|
||||
|
||||
|
||||
osmo-smdpp
|
||||
~~~~~~~~~~
|
||||
|
||||
osmo-smdpp currently doesn't have any configuration file or command line options. You just run it,
|
||||
and it will bind its plain-HTTP ES9+ interface to local TCP port 8000.
|
||||
|
||||
The `smdpp-data/certs`` directory contains the DPtls, DPauth and DPpb as well as CI certificates
|
||||
used; they are copied from GSMA SGP.26 v2.
|
||||
|
||||
The `smdpp-data/upp` directory contains the UPP (Unprotected Profile Package) used.
|
||||
|
||||
|
||||
DNS setup for your LPA
|
||||
~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
The LPA must resolve `testsmdpplus1.example.com` to the IP address of your TLS proxy.
|
||||
|
||||
It must also accept the TLS certificates used by your TLS proxy.
|
||||
|
||||
Reference in New Issue
Block a user