osmo-smdpp¶
osmo-smdpp is a proof-of-concept implementation of a minimal SM-DP+ as specified for the GSMA Consumer eSIM Remote SIM provisioning.
At least at this point, it is intended to be used for research and development, and not as a production SM-DP+.
Unless you are a GSMA SAS-SM accredited SM-DP+ operator and have related DPtls, DPauth and DPpb certificates signed by the GSMA CI, you can not use osmo-smdpp with regular production eUICC. This is due to how the GSMA eSIM security architecture works. You can, however, use osmo-smdpp with so-called test-eUICC, which contain certificates/keys signed by GSMA test certificates as laid out in GSMA SGP.26.
At this point, osmo-smdpp does not support anything beyond the bare minimum required to download eSIM profiles to an eUICC. Specifically, there is no ES2+ interface, and there is no built-in support for profile personalization yet.
osmo-smdpp currently
uses test certificates copied from GSMA SGP.26 into ./smdpp-data/certs, assuming that your osmo-smdppp would be running at the host name testsmdpplus1.example.com
doesn’t understand profile state. Any profile can always be downloaded any number of times, irrespective of the EID or whether it was donwloaded before
doesn’t perform any personalization, so the IMSI/ICCID etc. are always identical
is absolutely insecure, as it
does not perform any certificate verification
does not evaluate/consider any Matching ID or Confirmation Code
stores the sessions in an unencrypted _python shelve_ and is hence leaking one-time key materials used for profile encryption and signing.
Running osmo-smdpp¶
osmo-smdpp does not have built-in TLS support as the used twisted framework appears to have problems when using the example elliptic curve certificates (both NIST and Brainpool) from GSMA.
So in order to use it, you have to put it behind a TLS reverse proxy, which terminates the ES9+ HTTPS from the LPA, and then forwards it as plain HTTP to osmo-smdpp.
nginx as TLS proxy¶
If you use nginx as web server, you can use the following configuration snippet:
upstream smdpp {
server localhost:8000;
}
server {
listen 443 ssl;
server_name testsmdpplus1.example.com;
ssl_certificate /my/path/to/pysim/smdpp-data/certs/DPtls/CERT_S_SM_DP_TLS_NIST.pem;
ssl_certificate_key /my/path/to/pysim/smdpp-data/certs/DPtls/SK_S_SM_DP_TLS_NIST.pem;
location / {
proxy_read_timeout 600s;
proxy_hide_header X-Powered-By;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port $proxy_port;
proxy_set_header Host $host;
proxy_pass http://smdpp/;
}
}
You can of course achieve a similar functionality with apache, lighttpd or many other web server software.
osmo-smdpp¶
osmo-smdpp currently doesn’t have any configuration file or command line options. You just run it, and it will bind its plain-HTTP ES9+ interface to local TCP port 8000.
The smdpp-data/certs` directory contains the DPtls, DPauth and DPpb as well as CI certificates used; they are copied from GSMA SGP.26 v2.
The smdpp-data/upp directory contains the UPP (Unprotected Profile Package) used. The file names (without .der suffix) are looked up by the matchingID parameter from the activation code presented by the LPA.
DNS setup for your LPA¶
The LPA must resolve testsmdpplus1.example.com to the IP address of your TLS proxy.
It must also accept the TLS certificates used by your TLS proxy.
Supported eUICC¶
If you run osmo-smdpp with the included SGP.26 certificates, you must use an eUICC with matching SGP.26 certificates, i.e. the EUM certificate must be signed by a SGP.26 test root CA and the eUICC certificate in turn must be signed by that SGP.26 EUM certificate.
sysmocom (sponsoring development and maintenance of pySim and osmo-smdpp) is selling SGP.26 test eUICC as sysmoEUICC1-C2T. They are publicly sold in the sysmocom webshop.
In general you can use osmo-smdpp also with certificates signed by any other certificate authority. You just always must ensure that the certificates of the SM-DP+ are signed by the same root CA as those of your eUICCs.
Hypothetically, osmo-smdpp could also be operated with GSMA production certificates, but it would require that somebody brings the code in-line with all the GSMA security requirements (HSM support, …) and operate it in a GSMA SAS-SM accredited environment and pays for the related audits.