From e453b1b87fdacc47ade75ae51229b5a7a7d57694 Mon Sep 17 00:00:00 2001
From: septs
Date: Tue, 10 Dec 2024 19:10:04 +0800
Subject: [PATCH] refactor: certificate issuer detecting

---
 .../angry/openeuicc/ui/EuiccInfoActivity.kt | 29 ++++++++----------
 app-common/src/main/res/values/strings.xml | 9 +++---
 .../lpac_jni/impl/RootCertificates.kt | 30 +++++++++++++++++--
 3 files changed, 43 insertions(+), 25 deletions(-)

diff --git a/app-common/src/main/java/im/angry/openeuicc/ui/EuiccInfoActivity.kt b/app-common/src/main/java/im/angry/openeuicc/ui/EuiccInfoActivity.kt
index 0a7e16c..84b300e 100644
--- a/app-common/src/main/java/im/angry/openeuicc/ui/EuiccInfoActivity.kt
+++ b/app-common/src/main/java/im/angry/openeuicc/ui/EuiccInfoActivity.kt
@@ -19,13 +19,12 @@ import im.angry.openeuicc.core.EuiccChannel
 import im.angry.openeuicc.core.EuiccChannelManager
 import im.angry.openeuicc.util.*
 import kotlinx.coroutines.launch
-import net.typeblog.lpac_jni.impl.DEFAULT_PKID_GSMA_RSP2_ROOT_CI1
+import net.typeblog.lpac_jni.impl.PKID_GSMA_LIVE_CI
 import net.typeblog.lpac_jni.impl.PKID_GSMA_TEST_CI
 class EuiccInfoActivity : BaseEuiccAccessActivity() {
     companion object {
         private val YES_NO = Pair(R.string.yes, R.string.no)
-        private val SUPPORTED_UNSUPPORTED = Pair(R.string.supported, R.string.unsupported)
     }
     private lateinit var swipeRefresh: SwipeRefreshLayout
@@ -107,21 +106,17 @@ class EuiccInfoActivity : BaseEuiccAccessActivity() {
             add(Pair(R.string.euicc_info_free_nvram, info?.freeNvram?.let(::formatFreeSpace)))
         }
         channel.lpa.euiccInfo2?.euiccCiPKIdListForSigning.orEmpty().let { signers ->
-            add(
-                Pair(
-                    R.string.euicc_info_gsma_prod,
-                    formatByBoolean(
-                        signers.contains(DEFAULT_PKID_GSMA_RSP2_ROOT_CI1),
-                        SUPPORTED_UNSUPPORTED
-                    )
-                )
-            )
-            add(
-                Pair(
-                    R.string.euicc_info_gsma_test,
-                    formatByBoolean(PKID_GSMA_TEST_CI.any(signers::contains), SUPPORTED_UNSUPPORTED)
-                )
-            )
+            // SGP.28 v1.0, eSIM CI Registration Criteria (Page 5 of 9, 2019-10-24)
+            // https://www.gsma.com/newsroom/wp-content/uploads/SGP.28-v1.0.pdf#page=5
+            // FS.27 v2.0, Security Guidelines for UICC Profiles (Page 25 of 27, 2024-01-30)
+            // https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/01/FS.27-Security-Guidelines-for-UICC-Credentials-v2.0-FINAL-23-July.pdf#page=25
+            val resId = when {
+                signers.isEmpty() -> R.string.unknown // the case is not mp, but it's is not common
+                PKID_GSMA_LIVE_CI.any(signers::contains) -> R.string.euicc_info_ci_gsma_live
+                PKID_GSMA_TEST_CI.any(signers::contains) -> R.string.euicc_info_ci_gsma_test
+                else -> R.string.euicc_info_ci_unknown
+            }
+            add(Pair(R.string.euicc_info_ci_type, getString(resId)))
         }
     }
diff --git a/app-common/src/main/res/values/strings.xml b/app-common/src/main/res/values/strings.xml
index f308826..d532a0c 100644
--- a/app-common/src/main/res/values/strings.xml
+++ b/app-common/src/main/res/values/strings.xml
@@ -122,11 +122,10 @@ SAS Accreditation Number Protected Profile Version Free NVRAM (eSIM profile storage) - GSMA Production Certificate - GSMA Test Certificate - - Supported - Unsupported + Certificate Issuer + GSMA Live CI + GSMA Test CI + Unknown eSIM CA Yes No
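Review bot: The new `when` stops at the first matching branch, so an eUICC whose `signers` list contains both a live PKID and an SGP.26 test PKID is shown as "GSMA Live CI" only, whereas the two removed rows reported production and test trust independently; since trusting a test CI is the weaker trust state, either check `PKID_GSMA_TEST_CI.any(signers::contains) -> R.string.euicc_info_ci_gsma_test` before the live branch or add a dedicated string for the mixed case so that information is not lost. The comment on the `isEmpty()` branch (`the case is not mp, but it's is not common`) is hard to parse; suggest `// no signing CI advertised: unusual, reported as unknown`. The classification reads only `euiccCiPKIdListForSigning` (the CIs the eUICC's own certificate chain is rooted under), so a one-line comment such as `// Based on the eUICC's signing CI list, not the CIs it accepts for verification` would make the "Certificate Issuer" label unambiguous. The enclosing function starts and ends outside the hunk.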
diff --git a/libs/lpac-jni/src/main/java/net/typeblog/lpac_jni/impl/RootCertificates.kt b/libs/lpac-jni/src/main/java/net/typeblog/lpac_jni/impl/RootCertificates.kt
index 82c443f..cfd5779 100644
--- a/libs/lpac-jni/src/main/java/net/typeblog/lpac_jni/impl/RootCertificates.kt
+++ b/libs/lpac-jni/src/main/java/net/typeblog/lpac_jni/impl/RootCertificates.kt
@@ -7,8 +7,32 @@ import java.security.cert.CertificateFactory
 const val DEFAULT_PKID_GSMA_RSP2_ROOT_CI1 = "81370f5125d0b1d408d4c3b232e6d25e795bebfb"
-val PKID_GSMA_TEST_CI =
-    arrayOf("34eecf13156518d48d30bdf06853404d115f955d", "2209f61cd9ec5c9c854e787341ff83ecf9776a5b")
+// SGP.28 v1.0, eSIM CI Registration Criteria (Page 5 of 9, 2019-10-24)
+// https://www.gsma.com/newsroom/wp-content/uploads/SGP.28-v1.0.pdf#page=5
+// FS.27 v2.0, Security Guidelines for UICC Profiles (Page 25 of 27, 2024-01-30)
+// https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/01/FS.27-Security-Guidelines-for-UICC-Credentials-v2.0-FINAL-23-July.pdf#page=25
+
+// List of GSMA Live CIs
+// https://www.gsma.com/solutions-and-impact/technologies/esim/gsma-root-ci/
+val PKID_GSMA_LIVE_CI = arrayOf(
+    // GSMA RSP2 Root CI1 (SGP.22 v2+v3, CA: DigiCert)
+    // https://euicc-manual.osmocom.org/docs/pki/ci/files/81370f.txt
+    DEFAULT_PKID_GSMA_RSP2_ROOT_CI1,
+    // OISITE GSMA CI G1 (SGP.22 v2+v3, CA: WISeKey)
+    // https://euicc-manual.osmocom.org/docs/pki/ci/files/4c2796.txt
+    "4c27967ad20c14b391e9601e41e604ad57c0222f",
+)
+
+// SGP.26 v3.0, 2023-12-01
+// https://www.gsma.com/solutions-and-impact/technologies/esim/wp-content/uploads/2023/12/SGP.26-v3.0.pdf
+val PKID_GSMA_TEST_CI = arrayOf(
+    // Test CI (SGP.26, NIST P256)
+    // https://euicc-manual.osmocom.org/docs/pki/ci/files/34eecf.txt
+    "34eecf13156518d48d30bdf06853404d115f955d",
+    // Test CI (SGP.26, BRP P256r1)
+    // https://euicc-manual.osmocom.org/docs/pki/ci/files/2209f6.txt
+    "2209f61cd9ec5c9c854e787341ff83ecf9776a5b",
+)
 private fun getCertificate(keyId: String): Certificate? = KNOWN_CI_CERTS[keyId]?.toByteArray()?.let { cert ->
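Review bot: `PKID_GSMA_LIVE_CI` and `PKID_GSMA_TEST_CI` are public top-level `Array<String>` values, so these trust-anchor lists can be overwritten element-wise by any caller, while the only use shown in this patch (`any(signers::contains)`) is a membership test; `val PKID_GSMA_LIVE_CI = setOf(` and `val PKID_GSMA_TEST_CI = setOf(` give an immutable `Set<String>` that works unchanged at that call site, provided no other caller depends on the array type. The WISeKey PKID literal `"4c27967ad20c14b391e9601e41e604ad57c0222f"` now appears both here and as a key of `KNOWN_CI_CERTS` in the later hunk, whereas the DigiCert one is shared through `DEFAULT_PKID_GSMA_RSP2_ROOT_CI1`; a second named constant would keep the issuer list and the certificate table from drifting apart. The reference comments above each list describe a public declaration and would be more discoverable as KDoc (`/** ... */`) attached to the respective `val`.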
@@ -60,7 +84,7 @@ internal val KNOWN_CI_CERTS = hashMapOf(
     -----END CERTIFICATE-----
     """.trimIndent(),
     // OISITE GSMA CI G1 (CA: WISeKey)
-    // Specs: SGP.21 and SGP.22 version 3
+    // Specs: SGP.21 and SGP.22 version 2 and version 3
     "4c27967ad20c14b391e9601e41e604ad57c0222f" to """
     -----BEGIN CERTIFICATE-----
     MIIB9zCCAZ2gAwIBAgIUSpBSCCDYPOEG/IFHUCKpZ2pIAQMwCgYIKoZIzj0EAwIw
-- 
2.45.3