| osmo-smdpp |
| ========== |
| |
| `osmo-smdpp` is a proof-of-concept implementation of a minimal **SM-DP+** as specified for the *GSMA |
| Consumer eSIM Remote SIM provisioning*. |
| |
| At least at this point, it is intended to be used for research and development, and not as a |
| production SM-DP+. |
| |
| Unless you are a GSMA SAS-SM accredited SM-DP+ operator and have related DPtls, DPauth and DPpb |
| certificates signed by the GSMA CI, you **can not use osmo-smdpp with regular production eUICC**. |
| This is due to how the GSMA eSIM security architecture works. You can, however, use osmo-smdpp with |
| so-called *test-eUICC*, which contain certificates/keys signed by GSMA test certificates as laid out |
| in GSMA SGP.26. |
| |
| At this point, osmo-smdpp does not support anything beyond the bare minimum required to download |
| eSIM profiles to an eUICC. Specifically, there is no ES2+ interface, and there is no built-in |
| support for profile personalization yet. |
| |
| osmo-smdpp currently |
| |
| * always provides the exact same profile to every request. The profile always has the same IMSI and |
| ICCID. |
| * **is absolutely insecure**, as it |
| |
| * does not perform any certificate verification |
| * does not evaluate/consider any *Matching ID* or *Confirmation Code* |
| * stores the sessions in an unencrypted _python shelve_ and is hence leaking one-time key materials |
| used for profile encryption and signing. |
| |
| |
| Running osmo-smdpp |
| ------------------ |
| |
| osmo-smdpp does not have built-in TLS support as the used *twisted* framework appears to have |
| problems when using the example elliptic curve certificates (both NIST and Brainpool) from GSMA. |
| |
| So in order to use it, you have to put it behind a TLS reverse proxy, which terminates the ES9+ |
| HTTPS from the LPA, and then forwards it as plain HTTP to osmo-smdpp. |
| |
| nginx as TLS proxy |
| ~~~~~~~~~~~~~~~~~~ |
| |
| If you use `nginx` as web server, you can use the following configuration snippet:: |
| |
| upstream smdpp { |
| server localhost:8000; |
| } |
| |
| server { |
| listen 443 ssl; |
| server_name testsmdpplus1.example.com; |
| |
| ssl_certificate /my/path/to/pysim/smdpp-data/certs/DPtls/CERT_S_SM_DP_TLS_NIST.pem; |
| ssl_certificate_key /my/path/to/pysim/smdpp-data/certs/DPtls/SK_S_SM_DP_TLS_NIST.pem; |
| |
| location / { |
| proxy_read_timeout 600s; |
| |
| proxy_hide_header X-Powered-By; |
| proxy_set_header X-Real-IP $remote_addr; |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
| proxy_set_header X-Forwarded-Proto https; |
| proxy_set_header X-Forwarded-Port $proxy_port; |
| proxy_set_header Host $host; |
| |
| proxy_pass http://smdpp/; |
| } |
| } |
| |
| You can of course achieve a similar functionality with apache, lighttpd or many other web server |
| software. |
| |
| |
| osmo-smdpp |
| ~~~~~~~~~~ |
| |
| osmo-smdpp currently doesn't have any configuration file or command line options. You just run it, |
| and it will bind its plain-HTTP ES9+ interface to local TCP port 8000. |
| |
| The `smdpp-data/certs`` directory contains the DPtls, DPauth and DPpb as well as CI certificates |
| used; they are copied from GSMA SGP.26 v2. |
| |
| The `smdpp-data/upp` directory contains the UPP (Unprotected Profile Package) used. |
| |
| |
| DNS setup for your LPA |
| ~~~~~~~~~~~~~~~~~~~~~~ |
| |
| The LPA must resolve `testsmdpplus1.example.com` to the IP address of your TLS proxy. |
| |
| It must also accept the TLS certificates used by your TLS proxy. |
| |