Ok, this has now been implemented but with the caveat that we still have to hard-code a mapping between known PKIDs and their public certificates. However, compared to just adding the certificates…
auto-discovery mechanism as I described. will only work with SM-DP+ that include the root cert
Also note that the Subject Key Identifier of the CI cert can be an arbitrary string dictated by…
Although I guess I could also piggyback on lpac's derutil.c here from JNI.
Even without considering support for test CIs, I think implementing the certificate check as part of the initial handshake is also advantageous over just installing the cert and trusting it across…
I now wonder if it is even necessary for the LPA to verify the TLS cert at all, given that the eUICC is not supposed to accept arbitrary BPP anyway.
It looks like many production SM-DP+ servers do not actually send the full certificate chain, and therefore we cannot verify CERT.DP.TLS against CERT.CI.ECDSA without hard-coding the CI cert. The…
I have just updated the README.md for this yesterday -- you can find a debug mode apk for both OpenEUICC and EasyEUICC inside the "Actions" tab in this repository. No release build is planned,…