- Berlin, Germany
- https://laforge.gnumonks.org
- Joined on 2024-01-27
what's odd is that the authorityKeyIdentifier / subjectKeyIdentifier of the SGP.26 v1 NIST CI certificate is f54172bdf98a95d65cbeb88a38a1c11d800a85c3
(also in your RootCertificates.kt file) -…
Actually the standard mandates that the first TLS certificate sent is the sender (server) certificate, followed by any other certificates. See: https://www.rfc-editor.org/rfc/rfc5246#section-7.4.2 …
First of all: Thanks a lot for your effort!
I didn't have a chance to test it until today. However, it doesn't appear to be working, sorry.
I configured smdpp.test.rsp.sysmocom.de to…
I now wonder if it is even necessary for the LPA to verify the TLS cert at all, given that the eUICC is not supposed to accept arbitrary BPP anyway.
I think it's mostly about privacy /…
It looks like many production SM-DP+ servers do not actually send the full certificate chain, and therefore we cannot verify CERT.DP.TLS against CERT.CI.ECDSA without hard-coding the CI cert.…
An interim solution that can be implemented a bit faster would be an option that allows the user to supply a custom CI public key, or an option to disable the check on the TLS side altogether.
…
by the way: In case you're interested: I can send you free samples of such an eUICC with SGP.26 test certificates. Or I can even create completely custom/private CI and then personalize eUICCs…
Looking a bit at Android and Java APIs for this, I think the course of action would be to implement a custom X509TrustManager
whose checkServerTrusted
method would get all the certificates…
Ok, a quick look at the source code reveals:
- OpenEUICC includes exactly only one root certificate, see
app-common/src/main/res/raw/symantec_gsma_rspv2_root_ci1
and `app-common/src/main/res/xml…
I really like the idea of displaying the size of existing/installed profiles as well as the total remaining space.
However, I also agree with @PeterCxy that there is no way to estimate the number…