forked from public/pysim
WIP: Remote Card Procedure Framework
Problem: When UICC/eUICC cards are deployed into the field it is often difficult to perform modifications to those cards. One important factor that makes after-deployment modifications often difficult is that the key material needed to perform the task must not be handed to the card holder due to security requirements. The presented Remote Card Procedure Framework solves this problem. It provides a so called Remote Card Procedure Client (RCPC), which is a lightwight software client which can be run by the card holder on the remote machine. With the RCPC, the card holder can access a so called Remote Card Procedure Server (RCPC), to which so called Remote Card Procedure Modules (RCPM) can subscribe and publish their functionality. With the RCPC, the card holder can browse the functionality offered by those connected modules and eventually the card holder may execute a certain procedure by passing a command to the RCPS. When a procedure is carried out, the RCPS automatically retrieves the required key material from a database or CSV file and passes those keys on to the selected RCPM. The RCPM can then use the key material to establish a secure channel to carry out the procedure. The procedure is then protected by a secure channel and the key material is never disclosed towards the card holder on the remote end. The framework is desinged in such a way that existing pySim APIs and functions can be used from the RCPM API user code. Also only minimal boilerplate code is required. The implementation also ships with a comprehensive example. Related: SYS#6959
This commit is contained in:
Philipp Maier
49
contrib/rcp/usage_example/certs/make_certs.sh
Executable file
49
contrib/rcp/usage_example/certs/make_certs.sh
Executable file
@@ -0,0 +1,49 @@
|
||||
#!/bin/bash
|
||||
EASYRSA=/usr/share/easy-rsa/easyrsa
|
||||
CA_NAME="example_ssl_rcp_ca_cert"
|
||||
|
||||
export EASYRSA_PASSIN=pass:test
|
||||
export EASYRSA_PASSOUT=pass:test
|
||||
|
||||
echo "Cleaning up..."
|
||||
rm -rf ./ca
|
||||
rm -rf ./*.pem
|
||||
rm -rf ./*.key
|
||||
rm -rf ./*.crt
|
||||
|
||||
echo "Creating CA cert..."
|
||||
mkdir -p ./ca
|
||||
cd ./ca
|
||||
$EASYRSA init-pki
|
||||
cp ../vars ./pki/
|
||||
$EASYRSA --batch build-ca
|
||||
cp ./pki/ca.crt ../$CA_NAME.crt
|
||||
|
||||
echo "Creating server certs..."
|
||||
# Secures connection between RCP-Client and RCP-Server:
|
||||
$EASYRSA --batch --subject-alt-name="DNS:127.0.0.1,IP:127.0.0.1" build-server-full example_ssl_rcpc_rcps_cert nopass
|
||||
|
||||
# Secures connection between RCP-Module and RCP-Server (module description):
|
||||
$EASYRSA --batch --subject-alt-name="DNS:127.0.0.1,IP:127.0.0.1" build-server-full example_ssl_rcpm_rcps_cert nopass
|
||||
|
||||
# Secures connection between RCP-Server and RCP-Module (command execution):
|
||||
$EASYRSA --batch --subject-alt-name="DNS:127.0.0.1,IP:127.0.0.1" build-server-full example_ssl_rcps_rcpm_cert nopass
|
||||
|
||||
echo "Collecting server certs..."
|
||||
cp ./pki/issued/* ../
|
||||
cp ./pki/private/* ../
|
||||
cd ..
|
||||
rm ./ca.key
|
||||
|
||||
echo "Merging server certs..."
|
||||
for CRT in ./*.crt; do
|
||||
CRT_NAME=`basename ${CRT%.*}`
|
||||
if [ -f $CRT_NAME.key ]; then
|
||||
cat $CRT_NAME.crt $CRT_NAME.key > $CRT_NAME.pem
|
||||
rm $CRT_NAME.key
|
||||
rm $CRT_NAME.crt
|
||||
fi
|
||||
done
|
||||
|
||||
echo "Finalizing..."
|
||||
rm -rf ./ca
|
||||
Reference in New Issue
Block a user