mirror of
https://gitea.osmocom.org/sim-card/pysim.git
synced 2026-03-16 18:38:32 +03:00
1aaf978d9f
It's generally a bad idea to keep [card specific] key material lying around unencrypted in CSV files. The industry standard solution in the GSMA is a so-called "transport key", which encrypts the key material. Let's introduce support for this in the CardKeyProvider (and specifically, the CardKeyProviderCSV) and allow the user to specify transport key material as command line options to pySim-shell. Different transport keys can be used for different key materials, so allow specification of keys on a CSV-column base. The higher-level goal is to allow the CSV file not only to store the ADM keys (like now), but also global platform key material for establishing SCP towards various security domains in a given card. Change-Id: I13146a799448d03c681dc868aaa31eb78b7821ff
210 lines
8.8 KiB
Python
210 lines
8.8 KiB
Python
# coding=utf-8
|
|
"""Obtaining card parameters (mostly key data) from external source.
|
|
|
|
This module contains a base class and a concrete implementation of
|
|
obtaining card key material (or other card-individual parameters) from
|
|
an external data source.
|
|
|
|
This is used e.g. to keep PIN/PUK data in some file on disk, avoiding
|
|
the need of manually entering the related card-individual data on every
|
|
operation with pySim-shell.
|
|
"""
|
|
|
|
# (C) 2021-2024 by Sysmocom s.f.m.c. GmbH
|
|
# All Rights Reserved
|
|
#
|
|
# Author: Philipp Maier, Harald Welte
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 2 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
from typing import List, Dict, Optional
|
|
from Cryptodome.Cipher import AES
|
|
from pySim.utils import h2b, b2h
|
|
|
|
import abc
|
|
import csv
|
|
|
|
card_key_providers = [] # type: List['CardKeyProvider']
|
|
|
|
# well-known groups of columns relate to a given functionality. This avoids having
|
|
# to specify the same transport key N number of times, if the same key is used for multiple
|
|
# fields of one group, like KIC+KID+KID of one SD.
|
|
CRYPT_GROUPS = {
|
|
'UICC_SCP02': ['UICC_SCP02_KIC1', 'UICC_SCP02_KID1', 'UICC_SCP02_KIK1'],
|
|
'UICC_SCP03': ['UICC_SCP03_KIC1', 'UICC_SCP03_KID1', 'UICC_SCP03_KIK1'],
|
|
'SCP03_ISDR': ['SCP03_ENC_ISDR', 'SCP03_MAC_ISDR', 'SCP03_DEK_ISDR'],
|
|
'SCP03_ISDA': ['SCP03_ENC_ISDR', 'SCP03_MAC_ISDA', 'SCP03_DEK_ISDA'],
|
|
'SCP03_ECASD': ['SCP03_ENC_ECASD', 'SCP03_MAC_ECASD', 'SCP03_DEK_ECASD'],
|
|
}
|
|
|
|
class CardKeyProvider(abc.ABC):
|
|
"""Base class, not containing any concrete implementation."""
|
|
|
|
VALID_KEY_FIELD_NAMES = ['ICCID', 'EID', 'IMSI' ]
|
|
|
|
# check input parameters, but do nothing concrete yet
|
|
def _verify_get_data(self, fields: List[str] = [], key: str = 'ICCID', value: str = "") -> Dict[str, str]:
|
|
"""Verify multiple fields for identified card.
|
|
|
|
Args:
|
|
fields : list of valid field names such as 'ADM1', 'PIN1', ... which are to be obtained
|
|
key : look-up key to identify card data, such as 'ICCID'
|
|
value : value for look-up key to identify card data
|
|
Returns:
|
|
dictionary of {field, value} strings for each requested field from 'fields'
|
|
"""
|
|
|
|
if key not in self.VALID_KEY_FIELD_NAMES:
|
|
raise ValueError("Key field name '%s' is not a valid field name, valid field names are: %s" %
|
|
(key, str(self.VALID_KEY_FIELD_NAMES)))
|
|
|
|
return {}
|
|
|
|
def get_field(self, field: str, key: str = 'ICCID', value: str = "") -> Optional[str]:
|
|
"""get a single field from CSV file using a specified key/value pair"""
|
|
fields = [field]
|
|
result = self.get(fields, key, value)
|
|
return result.get(field)
|
|
|
|
@abc.abstractmethod
|
|
def get(self, fields: List[str], key: str, value: str) -> Dict[str, str]:
|
|
"""Get multiple card-individual fields for identified card.
|
|
|
|
Args:
|
|
fields : list of valid field names such as 'ADM1', 'PIN1', ... which are to be obtained
|
|
key : look-up key to identify card data, such as 'ICCID'
|
|
value : value for look-up key to identify card data
|
|
Returns:
|
|
dictionary of {field, value} strings for each requested field from 'fields'
|
|
"""
|
|
|
|
|
|
class CardKeyProviderCsv(CardKeyProvider):
|
|
"""Card key provider implementation that allows to query against a specified CSV file.
|
|
Supports column-based encryption as it is generally a bad idea to store cryptographic key material in
|
|
plaintext. Instead, the key material should be encrypted by a "key-encryption key", occasionally also
|
|
known as "transport key" (see GSMA FS.28)."""
|
|
IV = b'\x23' * 16
|
|
csv_file = None
|
|
filename = None
|
|
|
|
def __init__(self, filename: str, transport_keys: dict):
|
|
"""
|
|
Args:
|
|
filename : file name (path) of CSV file containing card-individual key/data
|
|
transport_keys : a dict indexed by field name, whose values are hex-encoded AES keys for the
|
|
respective field (column) of the CSV. This is done so that different fields
|
|
(columns) can use different transport keys, which is strongly recommended by
|
|
GSMA FS.28
|
|
"""
|
|
self.csv_file = open(filename, 'r')
|
|
if not self.csv_file:
|
|
raise RuntimeError("Could not open CSV file '%s'" % filename)
|
|
self.filename = filename
|
|
self.transport_keys = self.process_transport_keys(transport_keys)
|
|
|
|
@staticmethod
|
|
def process_transport_keys(transport_keys: dict):
|
|
"""Apply a single transport key to multiple fields/columns, if the name is a group."""
|
|
new_dict = {}
|
|
for name, key in transport_keys.items():
|
|
if name in CRYPT_GROUPS:
|
|
for field in CRYPT_GROUPS[name]:
|
|
new_dict[field] = key
|
|
else:
|
|
new_dict[name] = key
|
|
return new_dict
|
|
|
|
def _decrypt_field(self, field_name: str, encrypted_val: str) -> str:
|
|
"""decrypt a single field, if we have a transport key for the field of that name."""
|
|
if not field_name in self.transport_keys:
|
|
return encrypted_val
|
|
cipher = AES.new(h2b(self.transport_keys[field_name]), AES.MODE_CBC, self.IV)
|
|
return b2h(cipher.decrypt(h2b(encrypted_val)))
|
|
|
|
def get(self, fields: List[str], key: str, value: str) -> Dict[str, str]:
|
|
super()._verify_get_data(fields, key, value)
|
|
|
|
self.csv_file.seek(0)
|
|
cr = csv.DictReader(self.csv_file)
|
|
if not cr:
|
|
raise RuntimeError(
|
|
"Could not open DictReader for CSV-File '%s'" % self.filename)
|
|
cr.fieldnames = [field.upper() for field in cr.fieldnames]
|
|
|
|
rc = {}
|
|
for row in cr:
|
|
if row[key] == value:
|
|
for f in fields:
|
|
if f in row:
|
|
rc.update({f: self._decrypt_field(f, row[f])})
|
|
else:
|
|
raise RuntimeError("CSV-File '%s' lacks column '%s'" %
|
|
(self.filename, f))
|
|
return rc
|
|
|
|
|
|
def card_key_provider_register(provider: CardKeyProvider, provider_list=card_key_providers):
|
|
"""Register a new card key provider.
|
|
|
|
Args:
|
|
provider : the to-be-registered provider
|
|
provider_list : override the list of providers from the global default
|
|
"""
|
|
if not isinstance(provider, CardKeyProvider):
|
|
raise ValueError("provider is not a card data provier")
|
|
provider_list.append(provider)
|
|
|
|
|
|
def card_key_provider_get(fields, key: str, value: str, provider_list=card_key_providers) -> Dict[str, str]:
|
|
"""Query all registered card data providers for card-individual [key] data.
|
|
|
|
Args:
|
|
fields : list of valid field names such as 'ADM1', 'PIN1', ... which are to be obtained
|
|
key : look-up key to identify card data, such as 'ICCID'
|
|
value : value for look-up key to identify card data
|
|
provider_list : override the list of providers from the global default
|
|
Returns:
|
|
dictionary of {field, value} strings for each requested field from 'fields'
|
|
"""
|
|
for p in provider_list:
|
|
if not isinstance(p, CardKeyProvider):
|
|
raise ValueError(
|
|
"provider list contains element which is not a card data provier")
|
|
result = p.get(fields, key, value)
|
|
if result:
|
|
return result
|
|
return {}
|
|
|
|
|
|
def card_key_provider_get_field(field: str, key: str, value: str, provider_list=card_key_providers) -> Optional[str]:
|
|
"""Query all registered card data providers for a single field.
|
|
|
|
Args:
|
|
field : name valid field such as 'ADM1', 'PIN1', ... which is to be obtained
|
|
key : look-up key to identify card data, such as 'ICCID'
|
|
value : value for look-up key to identify card data
|
|
provider_list : override the list of providers from the global default
|
|
Returns:
|
|
dictionary of {field, value} strings for the requested field
|
|
"""
|
|
for p in provider_list:
|
|
if not isinstance(p, CardKeyProvider):
|
|
raise ValueError(
|
|
"provider list contains element which is not a card data provier")
|
|
result = p.get_field(field, key, value)
|
|
if result:
|
|
return result
|
|
return None
|