diff options
Diffstat (limited to 'pySim/esim')
| -rw-r--r-- | pySim/esim/__init__.py | 16 | ||||
| -rw-r--r-- | pySim/esim/asn1/rsp/PKIX1Explicit88.asn | 657 | ||||
| -rw-r--r-- | pySim/esim/asn1/rsp/PKIX1Implicit88.asn | 343 | ||||
| -rw-r--r-- | pySim/esim/asn1/rsp/rsp.asn | 785 | ||||
| -rw-r--r-- | pySim/esim/es8p.py | 185 | ||||
| -rw-r--r-- | pySim/esim/rsp.py | 100 |
6 files changed, 2086 insertions, 0 deletions
diff --git a/pySim/esim/__init__.py b/pySim/esim/__init__.py index e69de29..4d6c609 100644 --- a/pySim/esim/__init__.py +++ b/pySim/esim/__init__.py @@ -0,0 +1,16 @@ +import sys +from importlib import resources + +import asn1tools + +def compile_asn1_subdir(subdir_name:str): + """Helper function that compiles ASN.1 syntax from all files within given subdir""" + asn_txt = '' + __ver = sys.version_info + if (__ver.major, __ver.minor) >= (3, 9): + for i in resources.files('pySim.esim').joinpath('asn1').joinpath(subdir_name).iterdir(): + asn_txt += i.read_text() + asn_txt += "\n" + #else: + #print(resources.read_text(__name__, 'asn1/rsp.asn')) + return asn1tools.compile_string(asn_txt, codec='der') diff --git a/pySim/esim/asn1/rsp/PKIX1Explicit88.asn b/pySim/esim/asn1/rsp/PKIX1Explicit88.asn new file mode 100644 index 0000000..9284c65 --- /dev/null +++ b/pySim/esim/asn1/rsp/PKIX1Explicit88.asn @@ -0,0 +1,657 @@ +PKIX1Explicit88 { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) } + +DEFINITIONS EXPLICIT TAGS ::= + +BEGIN + +-- EXPORTS ALL -- + +-- IMPORTS NONE -- + +-- UNIVERSAL Types defined in 1993 and 1998 ASN.1 +-- and required by this specification + +-- pycrate: UniversalString, BMPString and UTF8String already in the builtin types + +--UniversalString ::= [UNIVERSAL 28] IMPLICIT OCTET STRING + -- UniversalString is defined in ASN.1:1993 + +--BMPString ::= [UNIVERSAL 30] IMPLICIT OCTET STRING + -- BMPString is the subtype of UniversalString and models + -- the Basic Multilingual Plane of ISO/IEC 10646 + +--UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING + -- The content of this type conforms to RFC 3629. + +-- PKIX specific OIDs + +id-pkix OBJECT IDENTIFIER ::= + { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) } + +-- PKIX arcs + +id-pe OBJECT IDENTIFIER ::= { id-pkix 1 } + -- arc for private certificate extensions +id-qt OBJECT IDENTIFIER ::= { id-pkix 2 } + -- arc for policy qualifier types +id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } + -- arc for extended key purpose OIDS +id-ad OBJECT IDENTIFIER ::= { id-pkix 48 } + -- arc for access descriptors + +-- policyQualifierIds for Internet policy qualifiers + +id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 } + -- OID for CPS qualifier +id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 } + -- OID for user notice qualifier + +-- access descriptor definitions + +id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 } +id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 } +id-ad-timeStamping OBJECT IDENTIFIER ::= { id-ad 3 } +id-ad-caRepository OBJECT IDENTIFIER ::= { id-ad 5 } + +-- attribute data types + +Attribute ::= SEQUENCE { + type AttributeType, + values SET OF AttributeValue } + -- at least one value is required + +AttributeType ::= OBJECT IDENTIFIER + +AttributeValue ::= ANY -- DEFINED BY AttributeType + +AttributeTypeAndValue ::= SEQUENCE { + type AttributeType, + value AttributeValue } + +-- suggested naming attributes: Definition of the following +-- information object set may be augmented to meet local +-- requirements. Note that deleting members of the set may +-- prevent interoperability with conforming implementations. +-- presented in pairs: the AttributeType followed by the +-- type definition for the corresponding AttributeValue + +-- Arc for standard naming attributes + +id-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 } + +-- Naming attributes of type X520name + +id-at-name AttributeType ::= { id-at 41 } +id-at-surname AttributeType ::= { id-at 4 } +id-at-givenName AttributeType ::= { id-at 42 } +id-at-initials AttributeType ::= { id-at 43 } +id-at-generationQualifier AttributeType ::= { id-at 44 } + +-- Naming attributes of type X520Name: +-- X520name ::= DirectoryString (SIZE (1..ub-name)) +-- +-- Expanded to avoid parameterized type: +X520name ::= CHOICE { + teletexString TeletexString (SIZE (1..ub-name)), + printableString PrintableString (SIZE (1..ub-name)), + universalString UniversalString (SIZE (1..ub-name)), + utf8String UTF8String (SIZE (1..ub-name)), + bmpString BMPString (SIZE (1..ub-name)) } + +-- Naming attributes of type X520CommonName + +id-at-commonName AttributeType ::= { id-at 3 } + +-- Naming attributes of type X520CommonName: +-- X520CommonName ::= DirectoryName (SIZE (1..ub-common-name)) +-- +-- Expanded to avoid parameterized type: +X520CommonName ::= CHOICE { + teletexString TeletexString (SIZE (1..ub-common-name)), + printableString PrintableString (SIZE (1..ub-common-name)), + universalString UniversalString (SIZE (1..ub-common-name)), + utf8String UTF8String (SIZE (1..ub-common-name)), + bmpString BMPString (SIZE (1..ub-common-name)) } + +-- Naming attributes of type X520LocalityName + +id-at-localityName AttributeType ::= { id-at 7 } + +-- Naming attributes of type X520LocalityName: +-- X520LocalityName ::= DirectoryName (SIZE (1..ub-locality-name)) +-- +-- Expanded to avoid parameterized type: +X520LocalityName ::= CHOICE { + teletexString TeletexString (SIZE (1..ub-locality-name)), + printableString PrintableString (SIZE (1..ub-locality-name)), + universalString UniversalString (SIZE (1..ub-locality-name)), + utf8String UTF8String (SIZE (1..ub-locality-name)), + bmpString BMPString (SIZE (1..ub-locality-name)) } + +-- Naming attributes of type X520StateOrProvinceName + +id-at-stateOrProvinceName AttributeType ::= { id-at 8 } + +-- Naming attributes of type X520StateOrProvinceName: +-- X520StateOrProvinceName ::= DirectoryName (SIZE (1..ub-state-name)) +-- +-- Expanded to avoid parameterized type: +X520StateOrProvinceName ::= CHOICE { + teletexString TeletexString (SIZE (1..ub-state-name)), + printableString PrintableString (SIZE (1..ub-state-name)), + universalString UniversalString (SIZE (1..ub-state-name)), + utf8String UTF8String (SIZE (1..ub-state-name)), + bmpString BMPString (SIZE (1..ub-state-name)) } + +-- Naming attributes of type X520OrganizationName + +id-at-organizationName AttributeType ::= { id-at 10 } + +-- Naming attributes of type X520OrganizationName: +-- X520OrganizationName ::= +-- DirectoryName (SIZE (1..ub-organization-name)) +-- +-- Expanded to avoid parameterized type: +X520OrganizationName ::= CHOICE { + teletexString TeletexString + (SIZE (1..ub-organization-name)), + printableString PrintableString + (SIZE (1..ub-organization-name)), + universalString UniversalString + (SIZE (1..ub-organization-name)), + utf8String UTF8String + (SIZE (1..ub-organization-name)), + bmpString BMPString + (SIZE (1..ub-organization-name)) } + +-- Naming attributes of type X520OrganizationalUnitName + +id-at-organizationalUnitName AttributeType ::= { id-at 11 } + +-- Naming attributes of type X520OrganizationalUnitName: +-- X520OrganizationalUnitName ::= +-- DirectoryName (SIZE (1..ub-organizational-unit-name)) +-- +-- Expanded to avoid parameterized type: +X520OrganizationalUnitName ::= CHOICE { + teletexString TeletexString + (SIZE (1..ub-organizational-unit-name)), + printableString PrintableString + (SIZE (1..ub-organizational-unit-name)), + universalString UniversalString + (SIZE (1..ub-organizational-unit-name)), + utf8String UTF8String + (SIZE (1..ub-organizational-unit-name)), + bmpString BMPString + (SIZE (1..ub-organizational-unit-name)) } + +-- Naming attributes of type X520Title + +id-at-title AttributeType ::= { id-at 12 } + +-- Naming attributes of type X520Title: +-- X520Title ::= DirectoryName (SIZE (1..ub-title)) +-- +-- Expanded to avoid parameterized type: +X520Title ::= CHOICE { + teletexString TeletexString (SIZE (1..ub-title)), + printableString PrintableString (SIZE (1..ub-title)), + universalString UniversalString (SIZE (1..ub-title)), + utf8String UTF8String (SIZE (1..ub-title)), + bmpString BMPString (SIZE (1..ub-title)) } + +-- Naming attributes of type X520dnQualifier + +id-at-dnQualifier AttributeType ::= { id-at 46 } + +X520dnQualifier ::= PrintableString + +-- Naming attributes of type X520countryName (digraph from IS 3166) + +id-at-countryName AttributeType ::= { id-at 6 } + +X520countryName ::= PrintableString (SIZE (2)) + +-- Naming attributes of type X520SerialNumber + +id-at-serialNumber AttributeType ::= { id-at 5 } + +X520SerialNumber ::= PrintableString (SIZE (1..ub-serial-number)) + +-- Naming attributes of type X520Pseudonym + +id-at-pseudonym AttributeType ::= { id-at 65 } + +-- Naming attributes of type X520Pseudonym: +-- X520Pseudonym ::= DirectoryName (SIZE (1..ub-pseudonym)) +-- +-- Expanded to avoid parameterized type: +X520Pseudonym ::= CHOICE { + teletexString TeletexString (SIZE (1..ub-pseudonym)), + printableString PrintableString (SIZE (1..ub-pseudonym)), + universalString UniversalString (SIZE (1..ub-pseudonym)), + utf8String UTF8String (SIZE (1..ub-pseudonym)), + bmpString BMPString (SIZE (1..ub-pseudonym)) } + +-- Naming attributes of type DomainComponent (from RFC 4519) + +id-domainComponent AttributeType ::= { 0 9 2342 19200300 100 1 25 } + +DomainComponent ::= IA5String + +-- Legacy attributes + +pkcs-9 OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 } + +id-emailAddress AttributeType ::= { pkcs-9 1 } + +EmailAddress ::= IA5String (SIZE (1..ub-emailaddress-length)) + +-- naming data types -- + +Name ::= CHOICE { -- only one possibility for now -- + rdnSequence RDNSequence } + +RDNSequence ::= SEQUENCE OF RelativeDistinguishedName + +DistinguishedName ::= RDNSequence + +RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue + +-- Directory string type -- + +DirectoryString ::= CHOICE { + teletexString TeletexString (SIZE (1..MAX)), + printableString PrintableString (SIZE (1..MAX)), + universalString UniversalString (SIZE (1..MAX)), + utf8String UTF8String (SIZE (1..MAX)), + bmpString BMPString (SIZE (1..MAX)) } + +-- certificate and CRL specific structures begin here + +Certificate ::= SEQUENCE { + tbsCertificate TBSCertificate, + signatureAlgorithm AlgorithmIdentifier, + signature BIT STRING } + +TBSCertificate ::= SEQUENCE { + version [0] Version DEFAULT v1, + serialNumber CertificateSerialNumber, + signature AlgorithmIdentifier, + issuer Name, + validity Validity, + subject Name, + subjectPublicKeyInfo SubjectPublicKeyInfo, + issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, + -- If present, version MUST be v2 or v3 + subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, + -- If present, version MUST be v2 or v3 + extensions [3] Extensions OPTIONAL + -- If present, version MUST be v3 -- } + +Version ::= INTEGER { v1(0), v2(1), v3(2) } + +CertificateSerialNumber ::= INTEGER + +Validity ::= SEQUENCE { + notBefore Time, + notAfter Time } + +Time ::= CHOICE { + utcTime UTCTime, + generalTime GeneralizedTime } + +UniqueIdentifier ::= BIT STRING + +SubjectPublicKeyInfo ::= SEQUENCE { + algorithm AlgorithmIdentifier, + subjectPublicKey BIT STRING } + +Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension + +Extension ::= SEQUENCE { + extnID OBJECT IDENTIFIER, + critical BOOLEAN DEFAULT FALSE, + extnValue OCTET STRING + -- contains the DER encoding of an ASN.1 value + -- corresponding to the extension type identified + -- by extnID + } + +-- CRL structures + +CertificateList ::= SEQUENCE { + tbsCertList TBSCertList, + signatureAlgorithm AlgorithmIdentifier, + signature BIT STRING } + +TBSCertList ::= SEQUENCE { + version Version OPTIONAL, + -- if present, MUST be v2 + signature AlgorithmIdentifier, + issuer Name, + thisUpdate Time, + nextUpdate Time OPTIONAL, + revokedCertificates SEQUENCE OF SEQUENCE { + userCertificate CertificateSerialNumber, + revocationDate Time, + crlEntryExtensions Extensions OPTIONAL + -- if present, version MUST be v2 + } OPTIONAL, + crlExtensions [0] Extensions OPTIONAL } + -- if present, version MUST be v2 + +-- Version, Time, CertificateSerialNumber, and Extensions were +-- defined earlier for use in the certificate structure + +AlgorithmIdentifier ::= SEQUENCE { + algorithm OBJECT IDENTIFIER, + parameters ANY DEFINED BY algorithm OPTIONAL } + -- contains a value of the type + -- registered for use with the + -- algorithm object identifier value + +-- X.400 address syntax starts here + +ORAddress ::= SEQUENCE { + built-in-standard-attributes BuiltInStandardAttributes, + built-in-domain-defined-attributes + BuiltInDomainDefinedAttributes OPTIONAL, + -- see also teletex-domain-defined-attributes + extension-attributes ExtensionAttributes OPTIONAL } + +-- Built-in Standard Attributes + +BuiltInStandardAttributes ::= SEQUENCE { + country-name CountryName OPTIONAL, + administration-domain-name AdministrationDomainName OPTIONAL, + network-address [0] IMPLICIT NetworkAddress OPTIONAL, + -- see also extended-network-address + terminal-identifier [1] IMPLICIT TerminalIdentifier OPTIONAL, + private-domain-name [2] PrivateDomainName OPTIONAL, + organization-name [3] IMPLICIT OrganizationName OPTIONAL, + -- see also teletex-organization-name + numeric-user-identifier [4] IMPLICIT NumericUserIdentifier + OPTIONAL, + personal-name [5] IMPLICIT PersonalName OPTIONAL, + -- see also teletex-personal-name + organizational-unit-names [6] IMPLICIT OrganizationalUnitNames + OPTIONAL } + -- see also teletex-organizational-unit-names + +CountryName ::= [APPLICATION 1] CHOICE { + x121-dcc-code NumericString + (SIZE (ub-country-name-numeric-length)), + iso-3166-alpha2-code PrintableString + (SIZE (ub-country-name-alpha-length)) } + +AdministrationDomainName ::= [APPLICATION 2] CHOICE { + numeric NumericString (SIZE (0..ub-domain-name-length)), + printable PrintableString (SIZE (0..ub-domain-name-length)) } + +NetworkAddress ::= X121Address -- see also extended-network-address + +X121Address ::= NumericString (SIZE (1..ub-x121-address-length)) + +TerminalIdentifier ::= PrintableString (SIZE (1..ub-terminal-id-length)) + +PrivateDomainName ::= CHOICE { + numeric NumericString (SIZE (1..ub-domain-name-length)), + printable PrintableString (SIZE (1..ub-domain-name-length)) } + +OrganizationName ::= PrintableString + (SIZE (1..ub-organization-name-length)) + -- see also teletex-organization-name + +NumericUserIdentifier ::= NumericString + (SIZE (1..ub-numeric-user-id-length)) + +PersonalName ::= SET { + surname [0] IMPLICIT PrintableString + (SIZE (1..ub-surname-length)), + given-name [1] IMPLICIT PrintableString + (SIZE (1..ub-given-name-length)) OPTIONAL, + initials [2] IMPLICIT PrintableString + (SIZE (1..ub-initials-length)) OPTIONAL, + generation-qualifier [3] IMPLICIT PrintableString + (SIZE (1..ub-generation-qualifier-length)) + OPTIONAL } + -- see also teletex-personal-name + +OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units) + OF OrganizationalUnitName + -- see also teletex-organizational-unit-names + +OrganizationalUnitName ::= PrintableString (SIZE + (1..ub-organizational-unit-name-length)) + +-- Built-in Domain-defined Attributes + +BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE + (1..ub-domain-defined-attributes) OF + BuiltInDomainDefinedAttribute + +BuiltInDomainDefinedAttribute ::= SEQUENCE { + type PrintableString (SIZE + (1..ub-domain-defined-attribute-type-length)), + value PrintableString (SIZE + (1..ub-domain-defined-attribute-value-length)) } + +-- Extension Attributes + +ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF + ExtensionAttribute + +ExtensionAttribute ::= SEQUENCE { + extension-attribute-type [0] IMPLICIT INTEGER + (0..ub-extension-attributes), + extension-attribute-value [1] + ANY DEFINED BY extension-attribute-type } + +-- Extension types and attribute values + +common-name INTEGER ::= 1 + +CommonName ::= PrintableString (SIZE (1..ub-common-name-length)) + +teletex-common-name INTEGER ::= 2 + +TeletexCommonName ::= TeletexString (SIZE (1..ub-common-name-length)) + +teletex-organization-name INTEGER ::= 3 + +TeletexOrganizationName ::= + TeletexString (SIZE (1..ub-organization-name-length)) + +teletex-personal-name INTEGER ::= 4 + +TeletexPersonalName ::= SET { + surname [0] IMPLICIT TeletexString + (SIZE (1..ub-surname-length)), + given-name [1] IMPLICIT TeletexString + (SIZE (1..ub-given-name-length)) OPTIONAL, + initials [2] IMPLICIT TeletexString + (SIZE (1..ub-initials-length)) OPTIONAL, + generation-qualifier [3] IMPLICIT TeletexString + (SIZE (1..ub-generation-qualifier-length)) + OPTIONAL } + +teletex-organizational-unit-names INTEGER ::= 5 + +TeletexOrganizationalUnitNames ::= SEQUENCE SIZE + (1..ub-organizational-units) OF TeletexOrganizationalUnitName + +TeletexOrganizationalUnitName ::= TeletexString + (SIZE (1..ub-organizational-unit-name-length)) + +pds-name INTEGER ::= 7 + +PDSName ::= PrintableString (SIZE (1..ub-pds-name-length)) + +physical-delivery-country-name INTEGER ::= 8 + +PhysicalDeliveryCountryName ::= CHOICE { + x121-dcc-code NumericString (SIZE (ub-country-name-numeric-length)), + iso-3166-alpha2-code PrintableString + (SIZE (ub-country-name-alpha-length)) } + +postal-code INTEGER ::= 9 + +PostalCode ::= CHOICE { + numeric-code NumericString (SIZE (1..ub-postal-code-length)), + printable-code PrintableString (SIZE (1..ub-postal-code-length)) } + +physical-delivery-office-name INTEGER ::= 10 + +PhysicalDeliveryOfficeName ::= PDSParameter + +physical-delivery-office-number INTEGER ::= 11 + +PhysicalDeliveryOfficeNumber ::= PDSParameter + +extension-OR-address-components INTEGER ::= 12 + +ExtensionORAddressComponents ::= PDSParameter + +physical-delivery-personal-name INTEGER ::= 13 + +PhysicalDeliveryPersonalName ::= PDSParameter + +physical-delivery-organization-name INTEGER ::= 14 + +PhysicalDeliveryOrganizationName ::= PDSParameter + +extension-physical-delivery-address-components INTEGER ::= 15 + +ExtensionPhysicalDeliveryAddressComponents ::= PDSParameter + +unformatted-postal-address INTEGER ::= 16 + +UnformattedPostalAddress ::= SET { + printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines) + OF PrintableString (SIZE (1..ub-pds-parameter-length)) OPTIONAL, + teletex-string TeletexString + (SIZE (1..ub-unformatted-address-length)) OPTIONAL } + +street-address INTEGER ::= 17 + +StreetAddress ::= PDSParameter + +post-office-box-address INTEGER ::= 18 + +PostOfficeBoxAddress ::= PDSParameter + +poste-restante-address INTEGER ::= 19 + +PosteRestanteAddress ::= PDSParameter + +unique-postal-name INTEGER ::= 20 + +UniquePostalName ::= PDSParameter + +local-postal-attributes INTEGER ::= 21 + +LocalPostalAttributes ::= PDSParameter + +PDSParameter ::= SET { + printable-string PrintableString + (SIZE(1..ub-pds-parameter-length)) OPTIONAL, + teletex-string TeletexString + (SIZE(1..ub-pds-parameter-length)) OPTIONAL } + +extended-network-address INTEGER ::= 22 + +ExtendedNetworkAddress ::= CHOICE { + e163-4-address SEQUENCE { + number [0] IMPLICIT NumericString + (SIZE (1..ub-e163-4-number-length)), + sub-address [1] IMPLICIT NumericString + (SIZE (1..ub-e163-4-sub-address-length)) + OPTIONAL }, + psap-address [0] IMPLICIT PresentationAddress } + +PresentationAddress ::= SEQUENCE { + pSelector [0] EXPLICIT OCTET STRING OPTIONAL, + sSelector [1] EXPLICIT OCTET STRING OPTIONAL, + tSelector [2] EXPLICIT OCTET STRING OPTIONAL, + nAddresses [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING } + +terminal-type INTEGER ::= 23 + +TerminalType ::= INTEGER { + telex (3), + teletex (4), + g3-facsimile (5), + g4-facsimile (6), + ia5-terminal (7), + videotex (8) } (0..ub-integer-options) + +-- Extension Domain-defined Attributes + +teletex-domain-defined-attributes INTEGER ::= 6 + +TeletexDomainDefinedAttributes ::= SEQUENCE SIZE + (1..ub-domain-defined-attributes) OF TeletexDomainDefinedAttribute + +TeletexDomainDefinedAttribute ::= SEQUENCE { + type TeletexString + (SIZE (1..ub-domain-defined-attribute-type-length)), + value TeletexString + (SIZE (1..ub-domain-defined-attribute-value-length)) } + +-- specifications of Upper Bounds MUST be regarded as mandatory +-- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter +-- Upper Bounds + +-- Upper Bounds +ub-name INTEGER ::= 32768 +ub-common-name INTEGER ::= 64 +ub-locality-name INTEGER ::= 128 +ub-state-name INTEGER ::= 128 +ub-organization-name INTEGER ::= 64 +ub-organizational-unit-name INTEGER ::= 64 +ub-title INTEGER ::= 64 +ub-serial-number INTEGER ::= 64 +ub-match INTEGER ::= 128 +ub-emailaddress-length INTEGER ::= 255 +ub-common-name-length INTEGER ::= 64 +ub-country-name-alpha-length INTEGER ::= 2 +ub-country-name-numeric-length INTEGER ::= 3 +ub-domain-defined-attributes INTEGER ::= 4 +ub-domain-defined-attribute-type-length INTEGER ::= 8 +ub-domain-defined-attribute-value-length INTEGER ::= 128 +ub-domain-name-length INTEGER ::= 16 +ub-extension-attributes INTEGER ::= 256 +ub-e163-4-number-length INTEGER ::= 15 +ub-e163-4-sub-address-length INTEGER ::= 40 +ub-generation-qualifier-length INTEGER ::= 3 +ub-given-name-length INTEGER ::= 16 +ub-initials-length INTEGER ::= 5 +ub-integer-options INTEGER ::= 256 +ub-numeric-user-id-length INTEGER ::= 32 +ub-organization-name-length INTEGER ::= 64 +ub-organizational-unit-name-length INTEGER ::= 32 +ub-organizational-units INTEGER ::= 4 +ub-pds-name-length INTEGER ::= 16 +ub-pds-parameter-length INTEGER ::= 30 +ub-pds-physical-address-lines INTEGER ::= 6 +ub-postal-code-length INTEGER ::= 16 +ub-pseudonym INTEGER ::= 128 +ub-surname-length INTEGER ::= 40 +ub-terminal-id-length INTEGER ::= 24 +ub-unformatted-address-length INTEGER ::= 180 +ub-x121-address-length INTEGER ::= 16 + +-- Note - upper bounds on string types, such as TeletexString, are +-- measured in characters. Excepting PrintableString or IA5String, a +-- significantly greater number of octets will be required to hold +-- such a value. As a minimum, 16 octets, or twice the specified +-- upper bound, whichever is the larger, should be allowed for +-- TeletexString. For UTF8String or UniversalString at least four +-- times the upper bound should be allowed. + +END + diff --git a/pySim/esim/asn1/rsp/PKIX1Implicit88.asn b/pySim/esim/asn1/rsp/PKIX1Implicit88.asn new file mode 100644 index 0000000..aafd785 --- /dev/null +++ b/pySim/esim/asn1/rsp/PKIX1Implicit88.asn @@ -0,0 +1,343 @@ +PKIX1Implicit88 { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19) } + +DEFINITIONS IMPLICIT TAGS ::= + +BEGIN + +-- EXPORTS ALL -- + +IMPORTS + id-pe, id-kp, id-qt-unotice, id-qt-cps, + ORAddress, Name, RelativeDistinguishedName, + CertificateSerialNumber, Attribute, DirectoryString + FROM PKIX1Explicit88 { iso(1) identified-organization(3) + dod(6) internet(1) security(5) mechanisms(5) pkix(7) + id-mod(0) id-pkix1-explicit(18) }; + +-- ISO arc for standard certificate and CRL extensions + +id-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29} + +-- authority key identifier OID and syntax + +id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 } + +AuthorityKeyIdentifier ::= SEQUENCE { + keyIdentifier [0] KeyIdentifier OPTIONAL, + authorityCertIssuer [1] GeneralNames OPTIONAL, + authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL } + -- authorityCertIssuer and authorityCertSerialNumber MUST both + -- be present or both be absent + +KeyIdentifier ::= OCTET STRING + +-- subject key identifier OID and syntax + +id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 } + +SubjectKeyIdentifier ::= KeyIdentifier + +-- key usage extension OID and syntax + +id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 } + +KeyUsage ::= BIT STRING { + digitalSignature (0), + nonRepudiation (1), -- recent editions of X.509 have + -- renamed this bit to contentCommitment + keyEncipherment (2), + dataEncipherment (3), + keyAgreement (4), + keyCertSign (5), + cRLSign (6), + encipherOnly (7), + decipherOnly (8) } + +-- private key usage period extension OID and syntax + +id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-ce 16 } + +PrivateKeyUsagePeriod ::= SEQUENCE { + notBefore [0] GeneralizedTime OPTIONAL, + notAfter [1] GeneralizedTime OPTIONAL } + -- either notBefore or notAfter MUST be present + +-- certificate policies extension OID and syntax + +id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 } + +anyPolicy OBJECT IDENTIFIER ::= { id-ce-certificatePolicies 0 } + +CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation + +PolicyInformation ::= SEQUENCE { + policyIdentifier CertPolicyId, + policyQualifiers SEQUENCE SIZE (1..MAX) OF + PolicyQualifierInfo OPTIONAL } + +CertPolicyId ::= OBJECT IDENTIFIER + +PolicyQualifierInfo ::= SEQUENCE { + policyQualifierId PolicyQualifierId, + qualifier ANY DEFINED BY policyQualifierId } + +-- Implementations that recognize additional policy qualifiers MUST +-- augment the following definition for PolicyQualifierId + +PolicyQualifierId ::= OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice ) + +-- CPS pointer qualifier + +CPSuri ::= IA5String + +-- user notice qualifier + +UserNotice ::= SEQUENCE { + noticeRef NoticeReference OPTIONAL, + explicitText DisplayText OPTIONAL } + +NoticeReference ::= SEQUENCE { + organization DisplayText, + noticeNumbers SEQUENCE OF INTEGER } + +DisplayText ::= CHOICE { + ia5String IA5String (SIZE (1..200)), + visibleString VisibleString (SIZE (1..200)), + bmpString BMPString (SIZE (1..200)), + utf8String UTF8String (SIZE (1..200)) } + +-- policy mapping extension OID and syntax + +id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 } + +PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { + issuerDomainPolicy CertPolicyId, + subjectDomainPolicy CertPolicyId } + +-- subject alternative name extension OID and syntax + +id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 } + +SubjectAltName ::= GeneralNames + +GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName + +GeneralName ::= CHOICE { + otherName [0] AnotherName, + rfc822Name [1] IA5String, + dNSName [2] IA5String, + x400Address [3] ORAddress, + directoryName [4] Name, + ediPartyName [5] EDIPartyName, + uniformResourceIdentifier [6] IA5String, + iPAddress [7] OCTET STRING, + registeredID [8] OBJECT IDENTIFIER } + +-- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as +-- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax + +AnotherName ::= SEQUENCE { + type-id OBJECT IDENTIFIER, + value [0] EXPLICIT ANY DEFINED BY type-id } + +EDIPartyName ::= SEQUENCE { + nameAssigner [0] DirectoryString OPTIONAL, + partyName [1] DirectoryString } + +-- issuer alternative name extension OID and syntax + +id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 } + +IssuerAltName ::= GeneralNames + +id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 } + +SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute + +-- basic constraints extension OID and syntax + +id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 } + +BasicConstraints ::= SEQUENCE { + cA BOOLEAN DEFAULT FALSE, + pathLenConstraint INTEGER (0..MAX) OPTIONAL } + +-- name constraints extension OID and syntax + +id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 } + +NameConstraints ::= SEQUENCE { + permittedSubtrees [0] GeneralSubtrees OPTIONAL, + excludedSubtrees [1] GeneralSubtrees OPTIONAL } + +GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree + +GeneralSubtree ::= SEQUENCE { + base GeneralName, + minimum [0] BaseDistance DEFAULT 0, + maximum [1] BaseDistance OPTIONAL } + +BaseDistance ::= INTEGER (0..MAX) + +-- policy constraints extension OID and syntax + +id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 } + +PolicyConstraints ::= SEQUENCE { + requireExplicitPolicy [0] SkipCerts OPTIONAL, + inhibitPolicyMapping [1] SkipCerts OPTIONAL } + +SkipCerts ::= INTEGER (0..MAX) + +-- CRL distribution points extension OID and syntax + +id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31} + +CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint + +DistributionPoint ::= SEQUENCE { + distributionPoint [0] DistributionPointName OPTIONAL, + reasons [1] ReasonFlags OPTIONAL, + cRLIssuer [2] GeneralNames OPTIONAL } + +DistributionPointName ::= CHOICE { + fullName [0] GeneralNames, + nameRelativeToCRLIssuer [1] RelativeDistinguishedName } + +ReasonFlags ::= BIT STRING { + unused (0), + keyCompromise (1), + cACompromise (2), + affiliationChanged (3), + superseded (4), + cessationOfOperation (5), + certificateHold (6), + privilegeWithdrawn (7), + aACompromise (8) } + +-- extended key usage extension OID and syntax + +id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37} + +ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId + +KeyPurposeId ::= OBJECT IDENTIFIER + +-- permit unspecified key uses + +anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 } + +-- extended key purpose OIDs + +id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } +id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } +id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 } +id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 } +id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } +id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } + +-- inhibit any policy OID and syntax + +id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 } + +InhibitAnyPolicy ::= SkipCerts + +-- freshest (delta)CRL extension OID and syntax + +id-ce-freshestCRL OBJECT IDENTIFIER ::= { id-ce 46 } + +FreshestCRL ::= CRLDistributionPoints + +-- authority info access + +id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 } + +AuthorityInfoAccessSyntax ::= + SEQUENCE SIZE (1..MAX) OF AccessDescription + +AccessDescription ::= SEQUENCE { + accessMethod OBJECT IDENTIFIER, + accessLocation GeneralName } + +-- subject info access + +id-pe-subjectInfoAccess OBJECT IDENTIFIER ::= { id-pe 11 } + +SubjectInfoAccessSyntax ::= + SEQUENCE SIZE (1..MAX) OF AccessDescription + +-- CRL number extension OID and syntax + +id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } + +CRLNumber ::= INTEGER (0..MAX) + +-- issuing distribution point extension OID and syntax + +id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 } + +IssuingDistributionPoint ::= SEQUENCE { + distributionPoint [0] DistributionPointName OPTIONAL, + onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE, + onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE, + onlySomeReasons [3] ReasonFlags OPTIONAL, + indirectCRL [4] BOOLEAN DEFAULT FALSE, + onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE } + -- at most one of onlyContainsUserCerts, onlyContainsCACerts, + -- and onlyContainsAttributeCerts may be set to TRUE. + +id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 } + +BaseCRLNumber ::= CRLNumber + +-- reason code extension OID and syntax + +id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 } + +CRLReason ::= ENUMERATED { + unspecified (0), + keyCompromise (1), + cACompromise (2), + affiliationChanged (3), + superseded (4), + cessationOfOperation (5), + certificateHold (6), + removeFromCRL (8), + privilegeWithdrawn (9), + aACompromise (10) } + +-- certificate issuer CRL entry extension OID and syntax + +id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 } + +CertificateIssuer ::= GeneralNames + +-- hold instruction extension OID and syntax + +id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 } + +HoldInstructionCode ::= OBJECT IDENTIFIER + +-- ANSI x9 arc holdinstruction arc + +holdInstruction OBJECT IDENTIFIER ::= + {joint-iso-itu-t(2) member-body(2) us(840) x9cm(10040) 2} + +-- ANSI X9 holdinstructions + +id-holdinstruction-none OBJECT IDENTIFIER ::= + {holdInstruction 1} -- deprecated + +id-holdinstruction-callissuer OBJECT IDENTIFIER ::= {holdInstruction 2} + +id-holdinstruction-reject OBJECT IDENTIFIER ::= {holdInstruction 3} + +-- invalidity date CRL entry extension OID and syntax + +id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 } + +InvalidityDate ::= GeneralizedTime + +END + diff --git a/pySim/esim/asn1/rsp/rsp.asn b/pySim/esim/asn1/rsp/rsp.asn new file mode 100644 index 0000000..e87b74e --- /dev/null +++ b/pySim/esim/asn1/rsp/rsp.asn @@ -0,0 +1,785 @@ +RSPDefinitions {joint-iso-itu-t(2) international-organizations(23) gsma(146) rsp(1) spec-version(1) version-two(2)} +DEFINITIONS +AUTOMATIC TAGS +EXTENSIBILITY IMPLIED ::= +BEGIN + +IMPORTS Certificate, CertificateList, Time FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18)} +SubjectKeyIdentifier FROM PKIX1Implicit88 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19)}; + +id-rsp OBJECT IDENTIFIER ::= {joint-iso-itu-t(2) international-organizations(23) gsma(146) rsp(1)} + +-- Basic types, for size constraints +Octet8 ::= OCTET STRING (SIZE(8)) +Octet16 ::= OCTET STRING (SIZE(16)) +OctetTo16 ::= OCTET STRING (SIZE(1..16)) +Octet32 ::= OCTET STRING (SIZE(32)) +Octet1 ::= OCTET STRING(SIZE(1)) +Octet2 ::= OCTET STRING (SIZE(2)) +VersionType ::= OCTET STRING(SIZE(3)) -- major/minor/revision version are coded as binary value on byte 1/2/3, e.g. '02 00 0C' for v2.0.12. +Iccid ::= [APPLICATION 26] OCTET STRING (SIZE(10)) -- ICCID as coded in EFiccid, corresponding tag is '5A' +RemoteOpId ::= [2] INTEGER {installBoundProfilePackage(1)} +TransactionId ::= OCTET STRING (SIZE(1..16)) + +-- Definition of EUICCInfo1 -------------------------- +GetEuiccInfo1Request ::= [32] SEQUENCE { -- Tag 'BF20' +} + +EUICCInfo1 ::= [32] SEQUENCE { -- Tag 'BF20' + svn [2] VersionType, -- GSMA SGP.22 version supported (SVN) + euiccCiPKIdListForVerification [9] SEQUENCE OF SubjectKeyIdentifier, -- List of CI Public Key Identifiers supported on the eUICC for signature verification + euiccCiPKIdListForSigning [10] SEQUENCE OF SubjectKeyIdentifier -- List of CI Public Key Identifier supported on the eUICC for signature creation +} + +-- Definition of EUICCInfo2 -------------------------- +GetEuiccInfo2Request ::= [34] SEQUENCE { -- Tag 'BF22' +} + +EUICCInfo2 ::= [34] SEQUENCE { -- Tag 'BF22' + profileVersion [1] VersionType, -- SIMAlliance Profile package version supported + svn [2] VersionType, -- GSMA SGP.22 version supported (SVN) + euiccFirmwareVer [3] VersionType, -- eUICC Firmware version + extCardResource [4] OCTET STRING, -- Extended Card Resource Information according to ETSI TS 102 226 + uiccCapability [5] UICCCapability, + javacardVersion [6] VersionType OPTIONAL, + globalplatformVersion [7] VersionType OPTIONAL, + rspCapability [8] RspCapability, + euiccCiPKIdListForVerification [9] SEQUENCE OF SubjectKeyIdentifier, -- List of CI Public Key Identifiers supported on the eUICC for signature verification + euiccCiPKIdListForSigning [10] SEQUENCE OF SubjectKeyIdentifier, -- List of CI Public Key Identifier supported on the eUICC for signature creation + euiccCategory [11] INTEGER { + other(0), + basicEuicc(1), + mediumEuicc(2), + contactlessEuicc(3) + } OPTIONAL, + forbiddenProfilePolicyRules [25] PprIds OPTIONAL, -- Tag '99' + ppVersion VersionType, -- Protection Profile version + sasAcreditationNumber UTF8String (SIZE(0..64)), + certificationDataObject [12] CertificationDataObject OPTIONAL +} + +-- Definition of RspCapability +RspCapability ::= BIT STRING { + additionalProfile(0), -- at least one more Profile can be installed + crlSupport(1), -- CRL + rpmSupport(2), -- Remote Profile Management + testProfileSupport (3) -- support for test profile +} + +-- Definition of CertificationDataObject +CertificationDataObject ::= SEQUENCE { + platformLabel UTF8String, -- Platform_Label as defined in GlobalPlatform DLOA specification [57] + discoveryBaseURL UTF8String -- Discovery Base URL of the SE default DLOA Registrar as defined in GlobalPlatform DLOA specification [57] +} + +CertificateInfo ::= BIT STRING { + + reserved(0), -- eUICC has a CERT.EUICC.ECDSA in GlobalPlatform format. The use of this bit is deprecated. + certSigningX509(1), -- eUICC has a CERT.EUICC.ECDSA in X.509 format + rfu2(2), + rfu3(3), + reserved2(4), -- Handling of Certificate in GlobalPlatform format. The use of this bit is deprecated. + certVerificationX509(5)-- Handling of Certificate in X.509 format +} + +-- Definition of UICCCapability +UICCCapability ::= BIT STRING { +/* Sequence is derived from ServicesList[] defined in SIMalliance PEDefinitions*/ + contactlessSupport(0), -- Contactless (SWP, HCI and associated APIs) + usimSupport(1), -- USIM as defined by 3GPP + isimSupport(2), -- ISIM as defined by 3GPP + csimSupport(3), -- CSIM as defined by 3GPP2 + + akaMilenage(4), -- Milenage as AKA algorithm + akaCave(5), -- CAVE as authentication algorithm + akaTuak128(6), -- TUAK as AKA algorithm with 128 bit key length + akaTuak256(7), -- TUAK as AKA algorithm with 256 bit key length + rfu1(8), -- reserved for further algorithms + rfu2(9), -- reserved for further algorithms + + gbaAuthenUsim(10), -- GBA authentication in the context of USIM + gbaAuthenISim(11), -- GBA authentication in the context of ISIM + mbmsAuthenUsim(12), -- MBMS authentication in the context of USIM + eapClient(13), -- EAP client + + javacard(14), -- Javacard support + multos(15), -- Multos support + + multipleUsimSupport(16), -- Multiple USIM applications are supported within the same Profile + multipleIsimSupport(17), -- Multiple ISIM applications are supported within the same Profile + multipleCsimSupport(18) -- Multiple CSIM applications are supported within the same Profile +} + +-- Definition of DeviceInfo +DeviceInfo ::= SEQUENCE { + tac Octet8, + deviceCapabilities DeviceCapabilities, + imei Octet8 OPTIONAL +} + +DeviceCapabilities ::= SEQUENCE { -- Highest fully supported release for each definition + -- The device SHALL set all the capabilities it supports + gsmSupportedRelease VersionType OPTIONAL, + utranSupportedRelease VersionType OPTIONAL, + cdma2000onexSupportedRelease VersionType OPTIONAL, + cdma2000hrpdSupportedRelease VersionType OPTIONAL, + cdma2000ehrpdSupportedRelease VersionType OPTIONAL, + eutranSupportedRelease VersionType OPTIONAL, + contactlessSupportedRelease VersionType OPTIONAL, + rspCrlSupportedVersion VersionType OPTIONAL, + rspRpmSupportedVersion VersionType OPTIONAL +} + +ProfileInfoListRequest ::= [45] SEQUENCE { -- Tag 'BF2D' + searchCriteria [0] CHOICE { + isdpAid [APPLICATION 15] OctetTo16, -- AID of the ISD-P, tag '4F' + iccid Iccid, -- ICCID, tag '5A' + profileClass [21] ProfileClass -- Tag '95' + } OPTIONAL, + tagList [APPLICATION 28] OCTET STRING OPTIONAL -- tag '5C' +} + +-- Definition of ProfileInfoList +ProfileInfoListResponse ::= [45] CHOICE { -- Tag 'BF2D' + profileInfoListOk SEQUENCE OF ProfileInfo, + profileInfoListError ProfileInfoListError +} + +ProfileInfo ::= [PRIVATE 3] SEQUENCE { -- Tag 'E3' + iccid Iccid OPTIONAL, + isdpAid [APPLICATION 15] OctetTo16 OPTIONAL, -- AID of the ISD-P containing the Profile, tag '4F' + profileState [112] ProfileState OPTIONAL, -- Tag '9F70' + profileNickname [16] UTF8String (SIZE(0..64)) OPTIONAL, -- Tag '90' + serviceProviderName [17] UTF8String (SIZE(0..32)) OPTIONAL, -- Tag '91' + profileName [18] UTF8String (SIZE(0..64)) OPTIONAL, -- Tag '92' + iconType [19] IconType OPTIONAL, -- Tag '93' + icon [20] OCTET STRING (SIZE(0..1024)) OPTIONAL, -- Tag '94', see condition in ES10c:GetProfilesInfo + profileClass [21] ProfileClass DEFAULT operational, -- Tag '95' + notificationConfigurationInfo [22] SEQUENCE OF NotificationConfigurationInformation OPTIONAL, -- Tag 'B6' + profileOwner [23] OperatorID OPTIONAL, -- Tag 'B7' + dpProprietaryData [24] DpProprietaryData OPTIONAL, -- Tag 'B8' + profilePolicyRules [25] PprIds OPTIONAL -- Tag '99' +} + +PprIds ::= BIT STRING {-- Definition of Profile Policy Rules identifiers + pprUpdateControl(0), -- defines how to update PPRs via ES6 + ppr1(1), -- Indicator for PPR1 'Disabling of this Profile is not allowed' + ppr2(2), -- Indicator for PPR2 'Deletion of this Profile is not allowed' + ppr3(3) -- Indicator for PPR3 'Deletion of this Profile is required upon its successful disabling' +} + +OperatorID ::= SEQUENCE { + mccMnc OCTET STRING (SIZE(3)), -- MCC and MNC coded as defined in 3GPP TS 24.008 [32] + gid1 OCTET STRING OPTIONAL, -- referring to content of EF GID1 (file identifier '6F3E') as defined in 3GPP TS 31.102 [54] + gid2 OCTET STRING OPTIONAL -- referring to content of EF GID2 (file identifier '6F3F') as defined in 3GPP TS 31.102 [54] +} + +ProfileInfoListError ::= INTEGER {incorrectInputValues(1), undefinedError(127)} + +-- Definition of StoreMetadata request + +StoreMetadataRequest ::= [37] SEQUENCE { -- Tag 'BF25' + iccid Iccid, + serviceProviderName [17] UTF8String (SIZE(0..32)), -- Tag '91' + profileName [18] UTF8String (SIZE(0..64)), -- Tag '92' (corresponds to 'Short Description' defined in SGP.21 [2]) + iconType [19] IconType OPTIONAL, -- Tag '93' (JPG or PNG) + icon [20] OCTET STRING (SIZE(0..1024)) OPTIONAL, -- Tag '94'(Data of the icon. Size 64 x 64 pixel. This field SHALL only be present if iconType is present) + profileClass [21] ProfileClass OPTIONAL, -- Tag '95' (default if absent: 'operational') + notificationConfigurationInfo [22] SEQUENCE OF NotificationConfigurationInformation OPTIONAL, + profileOwner [23] OperatorID OPTIONAL, -- Tag 'B7' + profilePolicyRules [25] PprIds OPTIONAL -- Tag '99' +} + +NotificationEvent ::= BIT STRING { + notificationInstall (0), + notificationEnable(1), + notificationDisable(2), + notificationDelete(3) +} + +NotificationConfigurationInformation ::= SEQUENCE { + profileManagementOperation NotificationEvent, + notificationAddress UTF8String -- FQDN to forward the notification +} + +IconType ::= INTEGER {jpg(0), png(1)} +ProfileState ::= INTEGER {disabled(0), enabled(1)} +ProfileClass ::= INTEGER {test(0), provisioning(1), operational(2)} + +-- Definition of UpdateMetadata request +UpdateMetadataRequest ::= [42] SEQUENCE { -- Tag 'BF2A' + serviceProviderName [17] UTF8String (SIZE(0..32)) OPTIONAL, -- Tag '91' + profileName [18] UTF8String (SIZE(0..64)) OPTIONAL, -- Tag '92' + iconType [19] IconType OPTIONAL, -- Tag '93' + icon [20] OCTET STRING (SIZE(0..1024)) OPTIONAL, -- Tag '94' + profilePolicyRules [25] PprIds OPTIONAL -- Tag '99' +} + +-- Definition of data objects for command PrepareDownload ------------------------- +PrepareDownloadRequest ::= [33] SEQUENCE { -- Tag 'BF21' + smdpSigned2 SmdpSigned2, -- Signed information + smdpSignature2 [APPLICATION 55] OCTET STRING, -- DP_Sign1, tag '5F37' + hashCc Octet32 OPTIONAL, -- Hash of confirmation code + smdpCertificate Certificate -- CERT.DPpb.ECDSA +} + +SmdpSigned2 ::= SEQUENCE { + transactionId [0] TransactionId, -- The TransactionID generated by the SM DP+ + ccRequiredFlag BOOLEAN, --Indicates if the Confirmation Code is required + bppEuiccOtpk [APPLICATION 73] OCTET STRING OPTIONAL -- otPK.EUICC.ECKA already used for binding the BPP, tag '5F49' +} + +PrepareDownloadResponse ::= [33] CHOICE { -- Tag 'BF21' + downloadResponseOk PrepareDownloadResponseOk, + downloadResponseError PrepareDownloadResponseError +} + +PrepareDownloadResponseOk ::= SEQUENCE { + euiccSigned2 EUICCSigned2, -- Signed information + euiccSignature2 [APPLICATION 55] OCTET STRING -- tag '5F37' +} + +EUICCSigned2 ::= SEQUENCE { + transactionId [0] TransactionId, + euiccOtpk [APPLICATION 73] OCTET STRING, -- otPK.EUICC.ECKA, tag '5F49' + hashCc Octet32 OPTIONAL -- Hash of confirmation code +} + +PrepareDownloadResponseError ::= SEQUENCE { + transactionId [0] TransactionId, + downloadErrorCode DownloadErrorCode +} + +DownloadErrorCode ::= INTEGER {invalidCertificate(1), invalidSignature(2), unsupportedCurve(3), noSessionContext(4), invalidTransactionId(5), undefinedError(127)} + +-- Definition of data objects for command AuthenticateServer-------------------- +AuthenticateServerRequest ::= [56] SEQUENCE { -- Tag 'BF38' + serverSigned1 ServerSigned1, -- Signed information + serverSignature1 [APPLICATION 55] OCTET STRING, -- tag ?5F37? + euiccCiPKIdToBeUsed SubjectKeyIdentifier, -- CI Public Key Identifier to be used + serverCertificate Certificate, -- RSP Server Certificate CERT.XXauth.ECDSA + ctxParams1 CtxParams1 +} + +ServerSigned1 ::= SEQUENCE { + transactionId [0] TransactionId, -- The Transaction ID generated by the RSP Server + euiccChallenge [1] Octet16, -- The eUICC Challenge + serverAddress [3] UTF8String, -- The RSP Server address + serverChallenge [4] Octet16 -- The RSP Server Challenge +} + +CtxParams1 ::= CHOICE { + ctxParamsForCommonAuthentication CtxParamsForCommonAuthentication -- New contextual data objects may be defined for extensibility +} + +CtxParamsForCommonAuthentication ::= SEQUENCE { + matchingId UTF8String OPTIONAL,-- The MatchingId could be the Activation code token or EventID or empty + deviceInfo DeviceInfo -- The Device information +} + +AuthenticateServerResponse ::= [56] CHOICE { -- Tag 'BF38' + authenticateResponseOk AuthenticateResponseOk, + authenticateResponseError AuthenticateResponseError +} + +AuthenticateResponseOk ::= SEQUENCE { + euiccSigned1 EuiccSigned1, -- Signed information + euiccSignature1 [APPLICATION 55] OCTET STRING, --EUICC_Sign1, tag 5F37 + euiccCertificate Certificate, -- eUICC Certificate (CERT.EUICC.ECDSA) signed by the EUM + eumCertificate Certificate -- EUM Certificate (CERT.EUM.ECDSA) signed by the requested CI +} + +EuiccSigned1 ::= SEQUENCE { + transactionId [0] TransactionId, + serverAddress [3] UTF8String, + serverChallenge [4] Octet16, -- The RSP Server Challenge + euiccInfo2 [34] EUICCInfo2, + ctxParams1 CtxParams1 +} + +AuthenticateResponseError ::= SEQUENCE { + transactionId [0] TransactionId, + authenticateErrorCode AuthenticateErrorCode +} + +AuthenticateErrorCode ::= INTEGER {invalidCertificate(1), invalidSignature(2), unsupportedCurve(3), noSessionContext(4), invalidOid(5), euiccChallengeMismatch(6), ciPKUnknown(7), undefinedError(127)} + +-- Definition of Cancel Session------------------------------ +CancelSessionRequest ::= [65] SEQUENCE { -- Tag 'BF41' + transactionId TransactionId, -- The TransactionID generated by the RSP Server + reason CancelSessionReason +} + +CancelSessionReason ::= INTEGER {endUserRejection(0), postponed(1), timeout(2), pprNotAllowed(3)} + +CancelSessionResponse ::= [65] CHOICE { -- Tag 'BF41' + cancelSessionResponseOk CancelSessionResponseOk, + cancelSessionResponseError INTEGER {invalidTransactionId(5), undefinedError(127)} +} + +CancelSessionResponseOk ::= SEQUENCE { + euiccCancelSessionSigned EuiccCancelSessionSigned, -- Signed information + euiccCancelSessionSignature [APPLICATION 55] OCTET STRING -- tag '5F37 +} + +EuiccCancelSessionSigned ::= SEQUENCE { + transactionId TransactionId, + smdpOid OBJECT IDENTIFIER, -- SM-DP+ OID as contained in CERT.DPauth.ECDSA + reason CancelSessionReason +} + +-- Definition of Bound Profile Package -------------------------- +BoundProfilePackage ::= [54] SEQUENCE { -- Tag 'BF36' + initialiseSecureChannelRequest [35] InitialiseSecureChannelRequest, -- Tag 'BF23' + firstSequenceOf87 [0] SEQUENCE OF [7] OCTET STRING, -- sequence of '87' TLVs + sequenceOf88 [1] SEQUENCE OF [8] OCTET STRING, -- sequence of '88' TLVs + secondSequenceOf87 [2] SEQUENCE OF [7] OCTET STRING OPTIONAL, -- sequence of '87' TLVs + sequenceOf86 [3] SEQUENCE OF [6] OCTET STRING -- sequence of '86' TLVs +} + +-- Definition of Get eUICC Challenge -------------------------- +GetEuiccChallengeRequest ::= [46] SEQUENCE { -- Tag 'BF2E' +} + +GetEuiccChallengeResponse ::= [46] SEQUENCE { -- Tag 'BF2E' + euiccChallenge Octet16 -- random eUICC challenge +} + +-- Definition of Profile Installation Resulceipt +ProfileInstallationResult ::= [55] SEQUENCE { -- Tag 'BF37' + profileInstallationResultData [39] ProfileInstallationResultData, + euiccSignPIR EuiccSignPIR +} + +ProfileInstallationResultData ::= [39] SEQUENCE { -- Tag 'BF27' + transactionId[0] TransactionId, -- The TransactionID generated by the SM-DP+ + notificationMetadata[47] NotificationMetadata, + smdpOid OBJECT IDENTIFIER OPTIONAL, -- SM-DP+ OID (same value as in CERT.DPpb.ECDSA) + finalResult [2] CHOICE { + successResult SuccessResult, + errorResult ErrorResult + } +} + +EuiccSignPIR ::= [APPLICATION 55] OCTET STRING -- Tag '5F37', eUICC?s signature + +SuccessResult ::= SEQUENCE { + aid [APPLICATION 15] OCTET STRING (SIZE (5..16)), -- AID of ISD-P + simaResponse OCTET STRING -- contains (multiple) 'EUICCResponse' as defined in [5] +} + +ErrorResult ::= SEQUENCE { + bppCommandId BppCommandId, + errorReason ErrorReason, + simaResponse OCTET STRING OPTIONAL -- contains (multiple) 'EUICCResponse' as defined in [5] +} + +BppCommandId ::= INTEGER {initialiseSecureChannel(0), configureISDP(1), storeMetadata(2), storeMetadata2(3), replaceSessionKeys(4), loadProfileElements(5)} + +ErrorReason ::= INTEGER { + incorrectInputValues(1), + invalidSignature(2), + invalidTransactionId(3), + unsupportedCrtValues(4), + unsupportedRemoteOperationType(5), + unsupportedProfileClass(6), + scp03tStructureError(7), + scp03tSecurityError(8), + installFailedDueToIccidAlreadyExistsOnEuicc(9), installFailedDueToInsufficientMemoryForProfile(10), + installFailedDueToInterruption(11), + installFailedDueToPEProcessingError (12), + installFailedDueToIccidMismatch(13), + testProfileInstallFailedDueToInvalidNaaKey(14), + pprNotAllowed(15), + installFailedDueToUnknownError(127) +} + +ListNotificationRequest ::= [40] SEQUENCE { -- Tag 'BF28' + profileManagementOperation [1] NotificationEvent OPTIONAL +} + +ListNotificationResponse ::= [40] CHOICE { -- Tag 'BF28' + notificationMetadataList SEQUENCE OF NotificationMetadata, + listNotificationsResultError INTEGER {undefinedError(127)} +} + +NotificationMetadata ::= [47] SEQUENCE { -- Tag 'BF2F' + seqNumber [0] INTEGER, + profileManagementOperation [1] NotificationEvent, --Only one bit set to 1 + notificationAddress UTF8String, -- FQDN to forward the notification + iccid Iccid OPTIONAL +} + +-- Definition of Profile Nickname Information +SetNicknameRequest ::= [41] SEQUENCE { -- Tag 'BF29' + iccid Iccid, + profileNickname [16] UTF8String (SIZE(0..64)) +} + +SetNicknameResponse ::= [41] SEQUENCE { -- Tag 'BF29' + setNicknameResult INTEGER {ok(0), iccidNotFound (1), undefinedError(127)} +} + +id-rsp-cert-objects OBJECT IDENTIFIER ::= { id-rsp cert-objects(2)} + +id-rspExt OBJECT IDENTIFIER ::= {id-rsp-cert-objects 0} + +id-rspRole OBJECT IDENTIFIER ::= {id-rsp-cert-objects 1} + +-- Definition of OIDs for role identification +id-rspRole-ci OBJECT IDENTIFIER ::= {id-rspRole 0} +id-rspRole-euicc OBJECT IDENTIFIER ::= {id-rspRole 1} +id-rspRole-eum OBJECT IDENTIFIER ::= {id-rspRole 2} +id-rspRole-dp-tls OBJECT IDENTIFIER ::= {id-rspRole 3} +id-rspRole-dp-auth OBJECT IDENTIFIER ::= {id-rspRole 4} +id-rspRole-dp-pb OBJECT IDENTIFIER ::= {id-rspRole 5} +id-rspRole-ds-tls OBJECT IDENTIFIER ::= {id-rspRole 6} +id-rspRole-ds-auth OBJECT IDENTIFIER ::= {id-rspRole 7} + +--Definition of data objects for InitialiseSecureChannel Request +InitialiseSecureChannelRequest ::= [35] SEQUENCE { -- Tag 'BF23' + remoteOpId RemoteOpId, -- Remote Operation Type Identifier (value SHALL be set to installBoundProfilePackage) + transactionId [0] TransactionId, -- The TransactionID generated by the SM-DP+ + controlRefTemplate[6] IMPLICIT ControlRefTemplate, -- Control Reference Template (Key Agreement). Current specification considers a subset of CRT specified in GlobalPlatform Card Specification [8], section 6.4.2.3 for the Mutual Authentication Data Field + smdpOtpk [APPLICATION 73] OCTET STRING, ---otPK.DP.ECKA as specified in GlobalPlatform Card Specification [8] section 6.4.2.3 for ePK.OCE.ECKA, tag '5F49' + smdpSign [APPLICATION 55] OCTET STRING -- SM-DP's signature, tag '5F37' +} + +ControlRefTemplate ::= SEQUENCE { +keyType[0] Octet1, -- Key type according to GlobalPlatform Card Specification [8] Table 11-16, AES= '88', Tag '80' +keyLen[1] Octet1, --Key length in number of bytes. For current specification key length SHALL by 0x10 bytes, Tag '81' +hostId[4] OctetTo16 -- Host ID value , Tag '84' +} + +--Definition of data objects for ConfigureISDPRequest +ConfigureISDPRequest ::= [36] SEQUENCE { -- Tag 'BF24' + dpProprietaryData [24] DpProprietaryData OPTIONAL -- Tag 'B8' +} + +DpProprietaryData ::= SEQUENCE { -- maximum size including tag and length field: 128 bytes + dpOid OBJECT IDENTIFIER -- OID in the tree of the SM-DP+ that created the Profile + -- additional data objects defined by the SM-DP+ MAY follow +} + +-- Definition of request message for command ReplaceSessionKeys +ReplaceSessionKeysRequest ::= [38] SEQUENCE { -- tag 'BF26' +/*The new initial MAC chaining value*/ + initialMacChainingValue OCTET STRING, +/*New session key value for encryption/decryption (PPK-ENC)*/ + ppkEnc OCTET STRING, +/*New session key value of the session key C-MAC computation/verification (PPK-MAC)*/ + ppkCmac OCTET STRING +} + +-- Definition of data objects for RetrieveNotificationsList +RetrieveNotificationsListRequest ::= [43] SEQUENCE { -- Tag 'BF2B' + searchCriteria CHOICE { + seqNumber [0] INTEGER, + profileManagementOperation [1] NotificationEvent + } OPTIONAL +} + +RetrieveNotificationsListResponse ::= [43] CHOICE { -- Tag 'BF2B' + notificationList SEQUENCE OF PendingNotification, + notificationsListResultError INTEGER {noResultAvailable(1), undefinedError(127)} +} + +PendingNotification ::= CHOICE { + profileInstallationResult [55] ProfileInstallationResult, -- tag 'BF37' + otherSignedNotification OtherSignedNotification +} + +OtherSignedNotification ::= SEQUENCE { + tbsOtherNotification NotificationMetadata, + euiccNotificationSignature [APPLICATION 55] OCTET STRING, -- eUICC signature of tbsOtherNotification, Tag '5F37' + euiccCertificate Certificate, -- eUICC Certificate (CERT.EUICC.ECDSA) signed by the EUM + eumCertificate Certificate -- EUM Certificate (CERT.EUM.ECDSA) signed by the requested CI +} + +-- Definition of notificationSent +NotificationSentRequest ::= [48] SEQUENCE { -- Tag 'BF30' + seqNumber [0] INTEGER +} + +NotificationSentResponse ::= [48] SEQUENCE { -- Tag 'BF30' + deleteNotificationStatus INTEGER {ok(0), nothingToDelete(1), undefinedError(127)} +} + +-- Definition of Enable Profile -------------------------- +EnableProfileRequest ::= [49] SEQUENCE { -- Tag 'BF31' + profileIdentifier CHOICE { + isdpAid [APPLICATION 15] OctetTo16, -- AID, tag '4F' + iccid Iccid -- ICCID, tag '5A' + }, + refreshFlag BOOLEAN -- indicating whether REFRESH is required +} + +EnableProfileResponse ::= [49] SEQUENCE { -- Tag 'BF31' + enableResult INTEGER {ok(0), iccidOrAidNotFound (1), profileNotInDisabledState(2), disallowedByPolicy(3), wrongProfileReenabling(4), undefinedError(127)} +} + +-- Definition of Disable Profile -------------------------- +DisableProfileRequest ::= [50] SEQUENCE { -- Tag 'BF32' + profileIdentifier CHOICE { + isdpAid [APPLICATION 15] OctetTo16, -- AID, tag '4F' + iccid Iccid -- ICCID, tag '5A' + }, + refreshFlag BOOLEAN -- indicating whether REFRESH is required +} + +DisableProfileResponse ::= [50] SEQUENCE { -- Tag 'BF32' + disableResult INTEGER {ok(0), iccidOrAidNotFound (1), profileNotInEnabledState(2), disallowedByPolicy(3), undefinedError(127)} +} + +-- Definition of Delete Profile -------------------------- +DeleteProfileRequest ::= [51] CHOICE { -- Tag 'BF33' + isdpAid [APPLICATION 15] OctetTo16, -- AID, tag '4F' + iccid Iccid -- ICCID, tag '5A' +} + +DeleteProfileResponse ::= [51] SEQUENCE { -- Tag 'BF33' + deleteResult INTEGER {ok(0), iccidOrAidNotFound (1), profileNotInDisabledState(2), disallowedByPolicy(3), undefinedError(127)} +} + +-- Definition of Memory Reset -------------------------- +EuiccMemoryResetRequest ::= [52] SEQUENCE { -- Tag 'BF34' + resetOptions [2] BIT STRING { + deleteOperationalProfiles(0), + deleteFieldLoadedTestProfiles(1), + resetDefaultSmdpAddress(2)} +} + +EuiccMemoryResetResponse ::= [52] SEQUENCE { -- Tag 'BF34' + resetResult INTEGER {ok(0), nothingToDelete(1), undefinedError(127)} +} + +-- Definition of Get EID -------------------------- +GetEuiccDataRequest ::= [62] SEQUENCE { -- Tag 'BF3E' + tagList [APPLICATION 28] Octet1 -- tag '5C', the value SHALL be set to '5A' +} + +GetEuiccDataResponse ::= [62] SEQUENCE { -- Tag 'BF3E' + eidValue [APPLICATION 26] Octet16 -- tag '5A' +} + +-- Definition of Get Rat + +GetRatRequest ::= [67] SEQUENCE { -- Tag ' BF43' + -- No input data +} + + +GetRatResponse ::= [67] SEQUENCE { -- Tag 'BF43' + rat RulesAuthorisationTable +} + +RulesAuthorisationTable ::= SEQUENCE OF ProfilePolicyAuthorisationRule +ProfilePolicyAuthorisationRule ::= SEQUENCE { + pprIds PprIds, + allowedOperators SEQUENCE OF OperatorID, + pprFlags BIT STRING {consentRequired(0)} +} + +-- Definition of data structure command for loading a CRL +LoadCRLRequest ::= [53] SEQUENCE { -- Tag 'BF35' + -- A CRL-A + crl CertificateList +} + +-- Definition of data structure response for loading a CRL +LoadCRLResponse ::= [53] CHOICE { -- Tag 'BF35' +loadCRLResponseOk LoadCRLResponseOk, +loadCRLResponseError LoadCRLResponseError +} + +LoadCRLResponseOk ::= SEQUENCE { + missingParts SEQUENCE OF SEQUENCE { + number INTEGER (0..MAX) + } OPTIONAL +} +LoadCRLResponseError ::= INTEGER {invalidSignature(1), invalidCRLFormat(2), notEnoughMemorySpace(3), verificationKeyNotFound(4), undefinedError(127)} + +-- Definition of the extension for Certificate Expiration Date +id-rsp-expDate OBJECT IDENTIFIER ::= {id-rspExt 1} +ExpirationDate ::= Time + +-- Definition of the extension id for total partial-CRL number +id-rsp-totalPartialCrlNumber OBJECT IDENTIFIER ::= {id-rspExt 2} +TotalPartialCrlNumber ::= INTEGER + + +-- Definition of the extension id for the partial-CRL number +id-rsp-partialCrlNumber OBJECT IDENTIFIER ::= {id-rspExt 3} +PartialCrlNumber ::= INTEGER + +-- Definition for ES9+ ASN.1 Binding -------------------------- +RemoteProfileProvisioningRequest ::= [2] CHOICE { -- Tag 'A2' + initiateAuthenticationRequest [57] InitiateAuthenticationRequest, -- Tag 'BF39' + authenticateClientRequest [59] AuthenticateClientRequest, -- Tag 'BF3B' + getBoundProfilePackageRequest [58] GetBoundProfilePackageRequest, -- Tag 'BF3A' + cancelSessionRequestEs9 [65] CancelSessionRequestEs9, -- Tag 'BF41' + handleNotification [61] HandleNotification -- tag 'BF3D' +} + +RemoteProfileProvisioningResponse ::= [2] CHOICE { -- Tag 'A2' + initiateAuthenticationResponse [57] InitiateAuthenticationResponse, -- Tag 'BF39' + authenticateClientResponseEs9 [59] AuthenticateClientResponseEs9, -- Tag 'BF3B' + getBoundProfilePackageResponse [58] GetBoundProfilePackageResponse, -- Tag 'BF3A' + cancelSessionResponseEs9 [65] CancelSessionResponseEs9, -- Tag 'BF41' + authenticateClientResponseEs11 [64] AuthenticateClientResponseEs11 -- Tag 'BF40' +} + +InitiateAuthenticationRequest ::= [57] SEQUENCE { -- Tag 'BF39' + euiccChallenge [1] Octet16, -- random eUICC challenge + smdpAddress [3] UTF8String, + euiccInfo1 EUICCInfo1 +} + +InitiateAuthenticationResponse ::= [57] CHOICE { -- Tag 'BF39' + initiateAuthenticationOk InitiateAuthenticationOkEs9, + initiateAuthenticationError INTEGER { + invalidDpAddress(1), + euiccVersionNotSupportedByDp(2), + ciPKNotSupported(3) + } +} + +InitiateAuthenticationOkEs9 ::= SEQUENCE { + transactionId [0] TransactionId, -- The TransactionID generated by the SM-DP+ + serverSigned1 ServerSigned1, -- Signed information + serverSignature1 [APPLICATION 55] OCTET STRING, -- Server_Sign1, tag '5F37' + euiccCiPKIdToBeUsed SubjectKeyIdentifier, -- The curve CI Public Key to be used as required by ES10b.AuthenticateServer + serverCertificate Certificate +} + +AuthenticateClientRequest ::= [59] SEQUENCE { -- Tag 'BF3B' + transactionId [0] TransactionId, + authenticateServerResponse [56] AuthenticateServerResponse -- This is the response from ES10b.AuthenticateServer +} + +AuthenticateClientResponseEs9 ::= [59] CHOICE { -- Tag 'BF3B' + authenticateClientOk AuthenticateClientOk, + authenticateClientError INTEGER { + eumCertificateInvalid(1), + eumCertificateExpired(2), + euiccCertificateInvalid(3), + euiccCertificateExpired(4), + euiccSignatureInvalid(5), + matchingIdRefused(6), + eidMismatch(7), + noEligibleProfile(8), + ciPKUnknown(9), + invalidTransactionId(10), + undefinedError(127) + } +} + +AuthenticateClientOk ::= SEQUENCE { + transactionId [0] TransactionId, + profileMetaData [37] StoreMetadataRequest, + prepareDownloadRequest [33] PrepareDownloadRequest +} + +GetBoundProfilePackageRequest ::= [58] SEQUENCE { -- Tag 'BF3A' + transactionId [0] TransactionId, + prepareDownloadResponse [33] PrepareDownloadResponse +} + +GetBoundProfilePackageResponse ::= [58] CHOICE { -- Tag 'BF3A' + getBoundProfilePackageOk GetBoundProfilePackageOk, + getBoundProfilePackageError INTEGER { + euiccSignatureInvalid(1), + confirmationCodeMissing(2), + confirmationCodeRefused(3), + confirmationCodeRetriesExceeded(4), + invalidTransactionId(95), + undefinedError(127) + } +} + +GetBoundProfilePackageOk ::= SEQUENCE { + transactionId [0] TransactionId, + boundProfilePackage [54] BoundProfilePackage +} + +HandleNotification ::= [61] SEQUENCE { -- Tag 'BF3D' + pendingNotification PendingNotification +} + +CancelSessionRequestEs9 ::= [65] SEQUENCE { -- Tag 'BF41' + transactionId TransactionId, + cancelSessionResponse CancelSessionResponse -- data structure defined for ES10b.CancelSession function +} + +CancelSessionResponseEs9 ::= [65] CHOICE { -- Tag 'BF41' + cancelSessionOk CancelSessionOk, + cancelSessionError INTEGER { + invalidTransactionId(1), + euiccSignatureInvalid(2), + undefinedError(127) + } +} + +CancelSessionOk ::= SEQUENCE { -- This function has no output data +} + +EuiccConfiguredAddressesRequest ::= [60] SEQUENCE { -- Tag 'BF3C' +} + +EuiccConfiguredAddressesResponse ::= [60] SEQUENCE { -- Tag 'BF3C' + defaultDpAddress UTF8String OPTIONAL, -- Default SM-DP+ address as an FQDN + rootDsAddress UTF8String -- Root SM-DS address as an FQDN +} + +ISDRProprietaryApplicationTemplate ::= [PRIVATE 0] SEQUENCE { -- Tag 'E0' + svn [2] VersionType, -- GSMA SGP.22 version supported (SVN) + lpaeSupport BIT STRING { + lpaeUsingCat(0), -- LPA in the eUICC using Card Application Toolkit + lpaeUsingScws(1) -- LPA in the eUICC using Smartcard Web Server + } OPTIONAL +} + +LpaeActivationRequest ::= [66] SEQUENCE { -- Tag 'BF42' + lpaeOption BIT STRING { + activateCatBasedLpae(0), -- LPAe with LUIe based on CAT + activateScwsBasedLpae(1) -- LPAe with LUIe based on SCWS + } +} + +LpaeActivationResponse ::= [66] SEQUENCE { -- Tag 'BF42' + lpaeActivationResult INTEGER {ok(0), notSupported(1)} +} + +SetDefaultDpAddressRequest ::= [63] SEQUENCE { -- Tag 'BF3F' + defaultDpAddress UTF8String -- Default SM-DP+ address as an FQDN +} + +SetDefaultDpAddressResponse ::= [63] SEQUENCE { -- Tag 'BF3F' + setDefaultDpAddressResult INTEGER { ok (0), undefinedError (127)} +} + +AuthenticateClientResponseEs11 ::= [64] CHOICE { -- Tag 'BF40' + authenticateClientOk AuthenticateClientOkEs11, + authenticateClientError INTEGER { + eumCertificateInvalid(1), + eumCertificateExpired(2), + euiccCertificateInvalid(3), + euiccCertificateExpired(4), + euiccSignatureInvalid(5), + eventIdUnknown(6), + invalidTransactionId(7), + undefinedError(127) + } +} + +AuthenticateClientOkEs11 ::= SEQUENCE { + transactionId TransactionId, + eventEntries SEQUENCE OF EventEntries +} + +EventEntries ::= SEQUENCE { + eventId UTF8String, + rspServerAddress UTF8String +} + +END
\ No newline at end of file diff --git a/pySim/esim/es8p.py b/pySim/esim/es8p.py new file mode 100644 index 0000000..81b0fc9 --- /dev/null +++ b/pySim/esim/es8p.py @@ -0,0 +1,185 @@ +# Implementation of GSMA eSIM RSP (Remote SIM Provisioning) ES8+ +# as per SGP22 v3.0 Section 5.5 +# +# (C) 2023-2024 by Harald Welte <laforge@osmocom.org> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +from typing import Dict, List, Optional +from pySim.utils import b2h, h2b, bertlv_encode_tag, bertlv_encode_len + +import pySim.esim.rsp as rsp +from pySim.esim.bsp import BspInstance + +# Given that GSMA RSP uses ASN.1 in a very weird way, we actually cannot encode the full data type before +# signing, but we have to build parts of it separately first, then sign that, so we can put the signature +# into the same sequence as the signed data. We use the existing pySim TLV code for this. + +def wrap_as_der_tlv(tag: int, val: bytes) -> bytes: + """Wrap the 'value' into a DER-encoded TLV.""" + return bertlv_encode_tag(tag) + bertlv_encode_len(len(val)) + val + +def gen_init_sec_chan_signed_part(iscsp: Dict) -> bytes: + """Generate the concatenated remoteOpId, transactionId, controlRefTemplate and smdpOtpk data objects + without the outer SEQUENCE tag / length or the remainder of initialiseSecureChannel, as is required + for signing purpose.""" + out = b'' + out += wrap_as_der_tlv(0x82, bytes([iscsp['remoteOpId']])) + out += wrap_as_der_tlv(0x80, iscsp['transactionId']) + + crt = iscsp['controlRefTemplate'] + out_crt = wrap_as_der_tlv(0x80, crt['keyType']) + out_crt += wrap_as_der_tlv(0x81, crt['keyLen']) + out_crt += wrap_as_der_tlv(0x84, crt['hostId']) + out += wrap_as_der_tlv(0xA6, out_crt) + + out += wrap_as_der_tlv(0x5F49, iscsp['smdpOtpk']) + return out + + +# SGP.22 Section 5.5.1 +def gen_initialiseSecureChannel(transactionId: str, host_id: bytes, smdp_otpk: bytes, euicc_otpk: bytes, dp_pb): + """Generate decoded representation of (signed) initialiseSecureChannel (SGP.22 5.5.2)""" + init_scr = { 'remoteOpId': 1, # installBoundProfilePackage + 'transactionId': h2b(transactionId), + # GlobalPlatform Card Specification Amendment F [13] section 6.5.2.3 for the Mutual Authentication Data Field + 'controlRefTemplate': { 'keyType': bytes([0x88]), 'keyLen': bytes([16]), 'hostId': host_id }, + 'smdpOtpk': smdp_otpk, # otPK.DP.KA + } + to_sign = gen_init_sec_chan_signed_part(init_scr) + wrap_as_der_tlv(0x5f49, euicc_otpk) + init_scr['smdpSign'] = dp_pb.ecdsa_sign(to_sign) + return init_scr + +def gen_replace_session_keys(ppk_enc: bytes, ppk_cmac: bytes, initial_mcv: bytes) -> bytes: + """Generate encoded (but unsigned) ReplaceSessionKeysReqest DO (SGP.22 5.5.4)""" + rsk = { 'ppkEnc': ppk_enc, 'ppkCmac': ppk_cmac, 'initialMacChainingValue': initial_mcv } + return rsp.asn1.encode('ReplaceSessionKeysRequest', rsk) + + +class ProfileMetadata: + """Representation of Profile metadata. Right now only the mandatory bits are + supported, but in general this should follow the StoreMetadataRequest of SGP.22 5.5.3""" + def __init__(self, iccid_bin: bytes, spn: str, profile_name: str): + self.iccid_bin = iccid_bin + self.spn = spn + self.profile_name = profile_name + + def gen_store_metadata_request(self) -> bytes: + """Generate encoded (but unsigned) StoreMetadataReqest DO (SGP.22 5.5.3)""" + smr = { + 'iccid': self.iccid_bin, + 'serviceProviderName': self.spn, + 'profileName': self.profile_name, + } + return rsp.asn1.encode('StoreMetadataRequest', smr) + + +class ProfilePackage: + def __init__(self, metadata: Optional[ProfileMetadata] = None): + self.metadata = metadata + +class UnprotectedProfilePackage(ProfilePackage): + """Representing an unprotected profile package (UPP) as defined in SGP.22 Section 2.5.2""" + + @classmethod + def from_der(cls, der: bytes, metadata: Optional[ProfileMetadata] = None) -> 'UnprotectedProfilePackage': + """Load an UPP from its DER representation.""" + inst = cls(metadata=metadata) + cls.der = der + # TODO: we later certainly want to parse it so we can perform modification (IMSI, key material, ...) + # just like in the traditional SIM/USIM dynamic data phase at the end of personalization + return inst + + def to_der(self): + """Return the DER representation of the UPP.""" + # TODO: once we work on decoded structures, we may want to re-encode here + return self.der + +class ProtectedProfilePackage(ProfilePackage): + """Representing a protected profile package (PPP) as defined in SGP.22 Section 2.5.3""" + + @classmethod + def from_upp(cls, upp: UnprotectedProfilePackage, bsp: BspInstance) -> 'ProtectedProfilePackage': + """Generate the PPP as a sequence of encrypted and MACed Command TLVs representing the UPP""" + inst = cls(metadata=upp.metadata) + inst.upp = upp + # store ppk-enc, ppc-mac + inst.ppk_enc = bsp.c_algo.s_enc + inst.ppk_mac = bsp.m_algo.s_mac + inst.initial_mcv = bsp.m_algo.mac_chain + inst.encoded = bsp.encrypt_and_mac(0x86, upp.to_der()) + return inst + + #def __val__(self): + #return self.encoded + +class BoundProfilePackage(ProfilePackage): + """Representing a bound profile package (BPP) as defined in SGP.22 Section 2.5.4""" + + @classmethod + def from_ppp(cls, ppp: ProtectedProfilePackage): + inst = cls() + inst.upp = None + inst.ppp = ppp + return inst + + @classmethod + def from_upp(cls, upp: UnprotectedProfilePackage): + inst = cls() + inst.upp = upp + inst.ppp = None + return inst + + def encode(self, ss: 'RspSessionState', dp_pb: 'CertAndPrivkey') -> bytes: + """Generate a bound profile package (SGP.22 2.5.4).""" + + def encode_seq(tag: int, sequence: List[bytes]) -> bytes: + """Encode a "sequenceOfXX" as specified in SGP.22 specifying the raw SEQUENCE OF tag, + and assuming the caller provides the fully-encoded (with TAG + LEN) member TLVs.""" + payload = b''.join(sequence) + return bertlv_encode_tag(tag) + bertlv_encode_len(len(payload)) + payload + + bsp = BspInstance.from_kdf(ss.shared_secret, 0x88, 16, ss.host_id, h2b(ss.eid)) + + iscr = gen_initialiseSecureChannel(ss.transactionId, ss.host_id, ss.smdp_otpk, ss.euicc_otpk, dp_pb) + # generate unprotected input data + conf_idsp_bin = rsp.asn1.encode('ConfigureISDPRequest', {}) + if self.upp: + smr_bin = self.upp.metadata.gen_store_metadata_request() + else: + smr_bin = self.ppp.metadata.gen_store_metadata_request() + + # we don't use rsp.asn1.encode('boundProfilePackage') here, as the BSP already provides + # fully encoded + MACed TLVs including their tag + length values. We cannot put those as + # 'value' input into an ASN.1 encoder, as that would double the TAG + LENGTH :( + + # 'initialiseSecureChannelRequest' + bpp_seq = rsp.asn1.encode('InitialiseSecureChannelRequest', iscr) + # firstSequenceOf87 + bpp_seq += encode_seq(0xa0, bsp.encrypt_and_mac(0x87, conf_idsp_bin)) + # sequenceOF88 + bpp_seq += encode_seq(0xa1, bsp.mac_only(0x88, smr_bin)) + + if self.ppp: # we have to use session keys + rsk_bin = gen_replace_session_keys(self.ppp.ppk_enc, self.ppp.ppk_mac, self.ppp.initial_mcv) + # secondSequenceOf87 + bpp_seq += encode_seq(0xa2, bsp.encrypt_and_mac(0x87, rsk_bin)) + else: + self.ppp = ProtectedProfilePackage.from_upp(self.upp, bsp) + + # 'sequenceOf86' + bpp_seq += encode_seq(0xa3, self.ppp.encoded) + + # manual DER encode: wrap in outer SEQUENCE + return bertlv_encode_tag(0xbf36) + bertlv_encode_len(len(bpp_seq)) + bpp_seq diff --git a/pySim/esim/rsp.py b/pySim/esim/rsp.py new file mode 100644 index 0000000..b5289be --- /dev/null +++ b/pySim/esim/rsp.py @@ -0,0 +1,100 @@ +# Implementation of GSMA eSIM RSP (Remote SIM Provisioning) +# as per SGP22 v3.0 +# +# (C) 2023-2024 by Harald Welte <laforge@osmocom.org> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + + +from typing import Optional +import shelve +import copyreg + +from cryptography.hazmat.primitives.asymmetric import ec +from cryptography.hazmat.primitives.serialization import Encoding +from cryptography import x509 +from collections.abc import MutableMapping + +from pySim.esim import compile_asn1_subdir + +asn1 = compile_asn1_subdir('rsp') + +class RspSessionState: + """Encapsulates the state of a RSP session. It is created during the initiateAuthentication + and subsequently used by further API calls using the same transactionId. The session state + is removed either after cancelSession or after notification. + TODO: add some kind of time based expiration / garbage collection.""" + def __init__(self, transactionId: str, serverChallenge: bytes): + self.transactionId = transactionId + self.serverChallenge = serverChallenge + # used at a later point between API calsl + self.euicc_cert: Optional[x509.Certificate] = None + self.eum_cert: Optional[x509.Certificate] = None + self.eid: Optional[bytes] = None + self.profileMetadata: Optional['ProfileMetadata'] = None + self.smdpSignature2_do = None + # really only needed while processing getBoundProfilePackage request? + self.euicc_otpk: Optional[bytes] = None + self.smdp_ot: Optional[ec.EllipticCurvePrivateKey] = None + self.smdp_otpk: Optional[bytes] = None + self.host_id: Optional[bytes] = None + self.shared_secret: Optional[bytes] = None + + + def __getstate__(self): + """helper function called when pickling the object to persistent storage. We must pickel all + members that are not pickle-able.""" + state = self.__dict__.copy() + # serialize eUICC certificate as DER + if state.get('euicc_cert', None): + state['_euicc_cert'] = self.euicc_cert.public_bytes(Encoding.DER) + del state['euicc_cert'] + # serialize EUM certificate as DER + if state.get('eum_cert', None): + state['_eum_cert'] = self.eum_cert.public_bytes(Encoding.DER) + del state['eum_cert'] + # serialize one-time SMDP private key to integer + curve + if state.get('smdp_ot', None): + state['_smdp_otsk'] = self.smdp_ot.private_numbers().private_value + state['_smdp_ot_curve'] = self.smdp_ot.curve + del state['smdp_ot'] + return state + + def __setstate__(self, state): + """helper function called when unpickling the object from persistent storage. We must recreate all + members from the state generated in __getstate__ above.""" + # restore eUICC certificate from DER + if '_euicc_cert' in state: + self.euicc_cert = x509.load_der_x509_certificate(state['_euicc_cert']) + del state['_euicc_cert'] + else: + self.euicc_cert = None + # restore EUM certificate from DER + if '_eum_cert' in state: + self.eum_cert = x509.load_der_x509_certificate(state['_eum_cert']) + del state['_eum_cert'] + # restore one-time SMDP private key from integer + curve + if state.get('_smdp_otsk', None): + self.smdp_ot = ec.derive_private_key(state['_smdp_otsk'], state['_smdp_ot_curve']) + # FIXME: how to add the public key from smdp_otpk to an instance of EllipticCurvePrivateKey? + del state['_smdp_otsk'] + del state['_smdp_ot_curve'] + # automatically recover all the remainig state + self.__dict__.update(state) + + +class RspSessionStore(shelve.DbfilenameShelf): + """A derived class as wrapper around the database-backed non-volatile storage 'shelve', in case we might + need to extend it in the future. We use it to store RspSessionState objects indexed by transactionId.""" + pass |