Harald Welte | 5bbb144 | 2023-12-11 12:46:47 +0100

osmo-smdpp
==========

`osmo-smdpp` is a proof-of-concept implementation of a minimal **SM-DP+** as specified for the *GSMA
Consumer eSIM Remote SIM Provisioning*.

At least at this point, it is intended to be used for research and development, and not as a
production SM-DP+.

Unless you are a GSMA SAS-SM accredited SM-DP+ operator and have the related DPtls, DPauth and DPpb
certificates signed by the GSMA CI, you **cannot use osmo-smdpp with regular production eUICCs**.
This is due to how the GSMA eSIM security architecture works. You can, however, use osmo-smdpp with
so-called *test-eUICCs*, which contain certificates/keys signed by the GSMA test certificates laid
out in GSMA SGP.26.

At this point, osmo-smdpp does not support anything beyond the bare minimum required to download
eSIM profiles to an eUICC. Specifically, there is no ES2+ interface, and there is no built-in
support for profile personalization yet.

osmo-smdpp currently

* always provides the exact same profile to every request. The profile always has the same IMSI and
  ICCID.
* **is absolutely insecure**, as it

  * does not perform any certificate verification
  * does not evaluate/consider any *Matching ID* or *Confirmation Code*
  * stores the sessions in an unencrypted *python shelve* and hence leaks the one-time key material
    used for profile encryption and signing.


Running osmo-smdpp
------------------

osmo-smdpp does not have built-in TLS support, as the *twisted* framework it uses appears to have
problems with the example elliptic-curve certificates (both NIST and Brainpool) from GSMA.

So in order to use it, you have to put it behind a TLS reverse proxy, which terminates the ES9+
HTTPS from the LPA and then forwards it as plain HTTP to osmo-smdpp.

nginx as TLS proxy
~~~~~~~~~~~~~~~~~~

If you use `nginx` as web server, you can use the following configuration snippet::

    upstream smdpp {
        server localhost:8000;
    }

    server {
        listen 443 ssl;
        server_name testsmdpplus1.example.com;

        ssl_certificate /my/path/to/pysim/smdpp-data/certs/DPtls/CERT_S_SM_DP_TLS_NIST.pem;
        ssl_certificate_key /my/path/to/pysim/smdpp-data/certs/DPtls/SK_S_SM_DP_TLS_NIST.pem;

        location / {
            proxy_read_timeout 600s;

            proxy_hide_header X-Powered-By;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Port $proxy_port;
            proxy_set_header Host $host;

            proxy_pass http://smdpp/;
        }
    }

You can of course achieve similar functionality with Apache, lighttpd or many other web servers.
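As an added example of the Apache variant (not part of osmo-smdpp or its documentation), the following vhost mirrors the nginx snippet above; it assumes `mod_ssl`, `mod_proxy`, `mod_proxy_http` and `mod_headers` are loaded and that the certificate paths match your pysim checkout.

```apacheconf
# Added example, not from the osmo-smdpp project: Apache httpd as the ES9+ TLS
# terminator in front of osmo-smdpp. Assumes mod_ssl, mod_proxy, mod_proxy_http
# and mod_headers are loaded; adjust the certificate paths to your checkout.
<VirtualHost *:443>
    ServerName testsmdpplus1.example.com

    # SGP.26 test DPtls certificate and key, same files as in the nginx snippet.
    SSLEngine on
    SSLCertificateFile    /my/path/to/pysim/smdpp-data/certs/DPtls/CERT_S_SM_DP_TLS_NIST.pem
    SSLCertificateKeyFile /my/path/to/pysim/smdpp-data/certs/DPtls/SK_S_SM_DP_TLS_NIST.pem

    # Pass the Host header the LPA sent through unchanged (nginx: Host $host) and
    # allow long-running profile downloads (nginx: proxy_read_timeout 600s).
    ProxyPreserveHost On
    ProxyTimeout 600

    # mod_proxy adds X-Forwarded-For/Host/Server by itself; set the rest explicitly.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port  "443"

    # Do not leak the upstream framework to the LPA (nginx: proxy_hide_header).
    Header unset X-Powered-By

    # Plain-HTTP ES9+ interface of osmo-smdpp on local TCP port 8000.
    ProxyPass        "/" "http://localhost:8000/"
    ProxyPassReverse "/" "http://localhost:8000/"
</VirtualHost>
```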


osmo-smdpp
~~~~~~~~~~

osmo-smdpp currently doesn't have any configuration file or command line options. You just run it,
and it will bind its plain-HTTP ES9+ interface to local TCP port 8000.

The `smdpp-data/certs` directory contains the DPtls, DPauth and DPpb as well as the CI certificates
used; they are copied from GSMA SGP.26 v2.

The `smdpp-data/upp` directory contains the UPP (Unprotected Profile Package) used.


DNS setup for your LPA
~~~~~~~~~~~~~~~~~~~~~~

The LPA must resolve `testsmdpplus1.example.com` to the IP address of your TLS proxy.

It must also accept the TLS certificates used by your TLS proxy, i.e. trust the GSMA test CI from
SGP.26 that signed the DPtls certificate.