Started by upstream project "gerrit-osmo-ttcn3-hacks" build number 3512
originally caused by:
Triggered by Gerrit: https://gerrit.osmocom.org/c/osmo-ttcn3-hacks/+/41122 in silent mode.
Running as SYSTEM
Building remotely on build5-deb12build-ansible (obs ttcn3_with_linux_6.1_or_higher qemu registry-build-amd64 ttcn3 osmo-gsm-tester-build ttcn3-ggsn-test-kernel-git io_uring osmocom-gerrit coverity osmocom-master) in workspace /home/osmocom-build/jenkins/workspace/gerrit-lint
[ssh-agent] Looking for ssh-agent implementation...
$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-X0ZbupSekMrf/agent.3996552
SSH_AGENT_PID=3996556
[ssh-agent] Started.
Running ssh-add (command line suppressed)
Identity added: /home/osmocom-build/jenkins/workspace/gerrit-lint@tmp/private_key_17516615346452705143.key (/home/osmocom-build/jenkins/workspace/gerrit-lint@tmp/private_key_17516615346452705143.key)
[ssh-agent] Using credentials jenkins (gerrit.osmocom.org)
The recommended git tool is: NONE
using credential d5eda5e9-b59d-44ba-88d2-43473cb6e42d
Wiping out workspace first.
Cloning the remote Git repository
Cloning repository ssh://jenkins@gerrit.osmocom.org:29418/osmo-ttcn3-hacks
> git init /home/osmocom-build/jenkins/workspace/gerrit-lint/code-from-gerrit # timeout=10
Fetching upstream changes from ssh://jenkins@gerrit.osmocom.org:29418/osmo-ttcn3-hacks
> git --version # timeout=10
> git --version # 'git version 2.39.5'
using GIT_SSH to set credentials gerrit.osmocom.org
Verifying host key using known hosts file, will automatically accept unseen keys
> git fetch --tags --force --progress -- ssh://jenkins@gerrit.osmocom.org:29418/osmo-ttcn3-hacks +refs/heads/*:refs/remotes/origin/* # timeout=10
> git config remote.origin.url ssh://jenkins@gerrit.osmocom.org:29418/osmo-ttcn3-hacks # timeout=10
> git config --add remote.origin.fetch +refs/heads/*:refs/remotes/origin/* # timeout=10
> git config remote.origin.url ssh://jenkins@gerrit.osmocom.org:29418/osmo-ttcn3-hacks # timeout=10
Fetching upstream changes from ssh://jenkins@gerrit.osmocom.org:29418/osmo-ttcn3-hacks
using GIT_SSH to set credentials gerrit.osmocom.org
Verifying host key using known hosts file, will automatically accept unseen keys
> git fetch --tags --force --progress -- ssh://jenkins@gerrit.osmocom.org:29418/osmo-ttcn3-hacks refs/changes/22/41122/2 # timeout=10
> git rev-parse FETCH_HEAD^{commit} # timeout=10
Checking out Revision 660a0a4ea4312e9f2562523b381e26d4288d012d (master)
> git config core.sparsecheckout # timeout=10
> git checkout -f 660a0a4ea4312e9f2562523b381e26d4288d012d # timeout=10
Commit message: "smdpp: proper headers for native code"
> git rev-parse FETCH_HEAD^{commit} # timeout=10
> git rev-list --no-walk 42bd88b869486164068a64001e75ce9f0dd34e95 # timeout=10
[gerrit-lint] $ /bin/sh -xe /tmp/jenkins3019337116968065950.sh
+ rm -rf osmo-ci
+ git clone --depth=1 --branch=master https://gerrit.osmocom.org/osmo-ci osmo-ci
Cloning into 'osmo-ci'...
+ git -C osmo-ci log --oneline
60bf602 OBS: disable_manuals: adjust for osmocom-bb
+ readlink -f /tmp/ssh-X0ZbupSekMrf/agent.3996552
+ docker run --rm -e GERRIT_HOST=gerrit.osmocom.org -e GERRIT_PORT=29418 -e GERRIT_PROJECT=osmo-ttcn3-hacks -e GERRIT_CHANGE_NUMBER=41122 -e GERRIT_PATCHSET_NUMBER=2 -e JENKINS_HOME=1 -e SSH_AUTH_SOCK=/ssh-agent -u build -v /tmp/ssh-X0ZbupSekMrf/agent.3996552:/ssh-agent -v ./code-from-gerrit:/build/code-from-gerrit -v ./osmo-ci:/build/osmo-ci -w /build/code-from-gerrit osmocom-build/debian-bookworm-build /build/osmo-ci/lint/lint_diff.sh HEAD~1
Running 'ruff check'...
All checks passed!
Running 'ruff format --diff'...
--- smdpp/generate_all_test_certificates.py
+++ smdpp/generate_all_test_certificates.py
@@ -24,27 +24,32 @@
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.backends import default_backend
+
def load_private_key_from_file(key_path):
"""Load EC private key from PEM file."""
- with open(key_path, 'rb') as f:
+ with open(key_path, "rb") as f:
return serialization.load_pem_private_key(f.read(), password=None, backend=default_backend())
+
def load_certificate_from_file(cert_path):
"""Load certificate from DER file."""
- with open(cert_path, 'rb') as f:
+ with open(cert_path, "rb") as f:
return x509.load_der_x509_certificate(f.read(), default_backend())
+
def generate_invalid_eum_cert():
"""Generate EUM certificate that is self-signed (invalid) for Error Test #1."""
print("Generating invalid EUM certificate (self-signed)...")
- eum_key = load_private_key_from_file('./sgp26/EUM/SK_EUM_ECDSA_NIST.pem')
+ eum_key = load_private_key_from_file("./sgp26/EUM/SK_EUM_ECDSA_NIST.pem")
- subject = x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, "ES"),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, "RSP Test Invalid EUM"),
- x509.NameAttribute(NameOID.COMMON_NAME, "Invalid EUM Certificate"),
- ])
+ subject = x509.Name(
+ [
+ x509.NameAttribute(NameOID.COUNTRY_NAME, "ES"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, "RSP Test Invalid EUM"),
+ x509.NameAttribute(NameOID.COMMON_NAME, "Invalid EUM Certificate"),
+ ]
+ )
builder = x509.CertificateBuilder()
builder = builder.subject_name(subject)
@@ -54,10 +59,7 @@
builder = builder.serial_number(0x1000000000000001)
builder = builder.public_key(eum_key.public_key())
- builder = builder.add_extension(
- x509.SubjectKeyIdentifier.from_public_key(eum_key.public_key()),
- critical=False
- )
+ builder = builder.add_extension(x509.SubjectKeyIdentifier.from_public_key(eum_key.public_key()), critical=False)
builder = builder.add_extension(
x509.KeyUsage(
@@ -69,64 +71,65 @@
key_cert_sign=True, # CA
crl_sign=False,
encipher_only=False,
- decipher_only=False
+ decipher_only=False,
),
- critical=True
+ critical=True,
)
builder = builder.add_extension(
- x509.CertificatePolicies([
- x509.PolicyInformation(
- x509.ObjectIdentifier("2.23.146.1.2.1.4"), # EUM policy
- policy_qualifiers=None
- )
- ]),
- critical=True
+ x509.CertificatePolicies(
+ [
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.23.146.1.2.1.4"), # EUM policy
+ policy_qualifiers=None,
+ )
+ ]
+ ),
+ critical=True,
)
certificate = builder.sign(eum_key, hashes.SHA256(), default_backend())
- output_path = './InvalidTestCases/CERT_EUM_ECDSA_NIST_INVALID.der'
- os.makedirs('./InvalidTestCases', exist_ok=True)
+ output_path = "./InvalidTestCases/CERT_EUM_ECDSA_NIST_INVALID.der"
+ os.makedirs("./InvalidTestCases", exist_ok=True)
with open(output_path, "wb") as f:
f.write(certificate.public_bytes(serialization.Encoding.DER))
print(f" Saved to: {output_path}")
return certificate
+
def generate_expired_eum_cert():
"""Generate EUM certificate that is expired for Error Test #2."""
print("Generating expired EUM certificate...")
- ci_cert = load_certificate_from_file('./sgp26/CertificateIssuer/CERT_CI_ECDSA_NIST.der')
- ci_key = load_private_key_from_file('./sgp26/CertificateIssuer/SK_CI_ECDSA_NIST.pem')
+ ci_cert = load_certificate_from_file("./sgp26/CertificateIssuer/CERT_CI_ECDSA_NIST.der")
+ ci_key = load_private_key_from_file("./sgp26/CertificateIssuer/SK_CI_ECDSA_NIST.pem")
- eum_key = load_private_key_from_file('./sgp26/EUM/SK_EUM_ECDSA_NIST.pem')
+ eum_key = load_private_key_from_file("./sgp26/EUM/SK_EUM_ECDSA_NIST.pem")
- subject = x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, "ES"),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, "RSP Test EUM"),
- x509.NameAttribute(NameOID.COMMON_NAME, "Expired EUM Certificate"),
- ])
+ subject = x509.Name(
+ [
+ x509.NameAttribute(NameOID.COUNTRY_NAME, "ES"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, "RSP Test EUM"),
+ x509.NameAttribute(NameOID.COMMON_NAME, "Expired EUM Certificate"),
+ ]
+ )
builder = x509.CertificateBuilder()
builder = builder.subject_name(subject)
builder = builder.issuer_name(ci_cert.subject) # Signed by CI
builder = builder.not_valid_before(datetime(2010, 1, 1, 0, 0, 0)) # Old
- builder = builder.not_valid_after(datetime(2015, 1, 1, 0, 0, 0)) # Expired
+ builder = builder.not_valid_after(datetime(2015, 1, 1, 0, 0, 0)) # Expired
builder = builder.serial_number(0x1000000000000002)
builder = builder.public_key(eum_key.public_key())
# Add extensions
builder = builder.add_extension(
- x509.AuthorityKeyIdentifier.from_issuer_public_key(ci_key.public_key()),
- critical=False
+ x509.AuthorityKeyIdentifier.from_issuer_public_key(ci_key.public_key()), critical=False
)
- builder = builder.add_extension(
- x509.SubjectKeyIdentifier.from_public_key(eum_key.public_key()),
- critical=False
- )
+ builder = builder.add_extension(x509.SubjectKeyIdentifier.from_public_key(eum_key.public_key()), critical=False)
builder = builder.add_extension(
x509.KeyUsage(
@@ -138,42 +141,47 @@
key_cert_sign=True,
crl_sign=False,
encipher_only=False,
- decipher_only=False
+ decipher_only=False,
),
- critical=True
+ critical=True,
)
builder = builder.add_extension(
- x509.CertificatePolicies([
- x509.PolicyInformation(
- x509.ObjectIdentifier("2.23.146.1.2.1.4"), # EUM policy
- policy_qualifiers=None
- )
- ]),
- critical=True
+ x509.CertificatePolicies(
+ [
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.23.146.1.2.1.4"), # EUM policy
+ policy_qualifiers=None,
+ )
+ ]
+ ),
+ critical=True,
)
certificate = builder.sign(ci_key, hashes.SHA256(), default_backend())
- output_path = './InvalidTestCases/CERT_EUM_ECDSA_NIST_EXPIRED.der'
+ output_path = "./InvalidTestCases/CERT_EUM_ECDSA_NIST_EXPIRED.der"
with open(output_path, "wb") as f:
f.write(certificate.public_bytes(serialization.Encoding.DER))
print(f" Saved to: {output_path}")
return certificate
+
def generate_invalid_euicc_cert():
"""Generate eUICC certificate that is self-signed (invalid) for Error Test #3."""
print("Generating invalid eUICC certificate (self-signed)...")
- euicc_key = load_private_key_from_file('./sgp26/eUICC/SK_EUICC_ECDSA_NIST.pem')
+ euicc_key = load_private_key_from_file("./sgp26/eUICC/SK_EUICC_ECDSA_NIST.pem")
- subject = x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, "ES"),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, "RSP Test eUICC"),
- x509.NameAttribute(NameOID.SERIAL_NUMBER, "89049032123451234512345678901235"),
- x509.NameAttribute(NameOID.COMMON_NAME, "Invalid eUICC Certificate"),
- ])
+ subject = x509.Name(
+ [
+ x509.NameAttribute(NameOID.COUNTRY_NAME, "ES"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, "RSP Test eUICC"),
+ x509.NameAttribute(NameOID.SERIAL_NUMBER, "89049032123451234512345678901235"),
+ x509.NameAttribute(NameOID.COMMON_NAME, "Invalid eUICC Certificate"),
+ ]
+ )
builder = x509.CertificateBuilder()
builder = builder.subject_name(subject)
@@ -183,10 +191,7 @@
builder = builder.serial_number(0x2000000000000001)
builder = builder.public_key(euicc_key.public_key())
- builder = builder.add_extension(
- x509.SubjectKeyIdentifier.from_public_key(euicc_key.public_key()),
- critical=False
- )
+ builder = builder.add_extension(x509.SubjectKeyIdentifier.from_public_key(euicc_key.public_key()), critical=False)
builder = builder.add_extension(
x509.KeyUsage(
@@ -198,63 +203,64 @@
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
- decipher_only=False
+ decipher_only=False,
),
- critical=True
+ critical=True,
)
builder = builder.add_extension(
- x509.CertificatePolicies([
- x509.PolicyInformation(
- x509.ObjectIdentifier("2.23.146.1.2.1.1"), # eUICC policy
- policy_qualifiers=None
- )
- ]),
- critical=True
+ x509.CertificatePolicies(
+ [
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.23.146.1.2.1.1"), # eUICC policy
+ policy_qualifiers=None,
+ )
+ ]
+ ),
+ critical=True,
)
certificate = builder.sign(euicc_key, hashes.SHA256(), default_backend())
- output_path = './InvalidTestCases/CERT_EUICC_ECDSA_NIST_INVALID.der'
+ output_path = "./InvalidTestCases/CERT_EUICC_ECDSA_NIST_INVALID.der"
with open(output_path, "wb") as f:
f.write(certificate.public_bytes(serialization.Encoding.DER))
print(f" Saved to: {output_path}")
return certificate
+
def generate_expired_euicc_cert():
"""Generate eUICC certificate that is expired for Error Test #4."""
print("Generating expired eUICC certificate...")
- eum_cert = load_certificate_from_file('./sgp26/EUM/CERT_EUM_ECDSA_NIST.der')
- eum_key = load_private_key_from_file('./sgp26/EUM/SK_EUM_ECDSA_NIST.pem')
+ eum_cert = load_certificate_from_file("./sgp26/EUM/CERT_EUM_ECDSA_NIST.der")
+ eum_key = load_private_key_from_file("./sgp26/EUM/SK_EUM_ECDSA_NIST.pem")
- euicc_key = load_private_key_from_file('./sgp26/eUICC/SK_EUICC_ECDSA_NIST.pem')
+ euicc_key = load_private_key_from_file("./sgp26/eUICC/SK_EUICC_ECDSA_NIST.pem")
- subject = x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, "ES"),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, "RSP Test EUM"),
- x509.NameAttribute(NameOID.SERIAL_NUMBER, "89049032123451234512345678901235"),
- x509.NameAttribute(NameOID.COMMON_NAME, "Expired eUICC Certificate"),
- ])
+ subject = x509.Name(
+ [
+ x509.NameAttribute(NameOID.COUNTRY_NAME, "ES"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, "RSP Test EUM"),
+ x509.NameAttribute(NameOID.SERIAL_NUMBER, "89049032123451234512345678901235"),
+ x509.NameAttribute(NameOID.COMMON_NAME, "Expired eUICC Certificate"),
+ ]
+ )
builder = x509.CertificateBuilder()
builder = builder.subject_name(subject)
builder = builder.issuer_name(eum_cert.subject) # Signed by EUM
builder = builder.not_valid_before(datetime(2010, 1, 1, 0, 0, 0)) # Old
- builder = builder.not_valid_after(datetime(2015, 1, 1, 0, 0, 0)) # Expired
+ builder = builder.not_valid_after(datetime(2015, 1, 1, 0, 0, 0)) # Expired
builder = builder.serial_number(0x2000000000000002)
builder = builder.public_key(euicc_key.public_key())
builder = builder.add_extension(
- x509.AuthorityKeyIdentifier.from_issuer_public_key(eum_key.public_key()),
- critical=False
+ x509.AuthorityKeyIdentifier.from_issuer_public_key(eum_key.public_key()), critical=False
)
- builder = builder.add_extension(
- x509.SubjectKeyIdentifier.from_public_key(euicc_key.public_key()),
- critical=False
- )
+ builder = builder.add_extension(x509.SubjectKeyIdentifier.from_public_key(euicc_key.public_key()), critical=False)
builder = builder.add_extension(
x509.KeyUsage(
@@ -266,41 +272,46 @@
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
- decipher_only=False
+ decipher_only=False,
),
- critical=True
+ critical=True,
)
builder = builder.add_extension(
- x509.CertificatePolicies([
- x509.PolicyInformation(
- x509.ObjectIdentifier("2.23.146.1.2.1.1"), # eUICC policy
- policy_qualifiers=None
- )
- ]),
- critical=True
+ x509.CertificatePolicies(
+ [
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.23.146.1.2.1.1"), # eUICC policy
+ policy_qualifiers=None,
+ )
+ ]
+ ),
+ critical=True,
)
certificate = builder.sign(eum_key, hashes.SHA256(), default_backend())
- output_path = './InvalidTestCases/CERT_EUICC_ECDSA_NIST_EXPIRED.der'
+ output_path = "./InvalidTestCases/CERT_EUICC_ECDSA_NIST_EXPIRED.der"
with open(output_path, "wb") as f:
f.write(certificate.public_bytes(serialization.Encoding.DER))
print(f" Saved to: {output_path}")
return certificate
+
def generate_unknown_ci_eum_cert():
"""Generate EUM certificate signed by unknown CI for Error Test #7."""
print("Generating EUM certificate signed by unknown CI...")
unknown_ci_key = ec.generate_private_key(ec.SECP256R1(), default_backend())
- ci_subject = x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, "XX"),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Unknown CI"),
- x509.NameAttribute(NameOID.COMMON_NAME, "Unknown Certificate Issuer"),
- ])
+ ci_subject = x509.Name(
+ [
+ x509.NameAttribute(NameOID.COUNTRY_NAME, "XX"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Unknown CI"),
+ x509.NameAttribute(NameOID.COMMON_NAME, "Unknown Certificate Issuer"),
+ ]
+ )
ci_builder = x509.CertificateBuilder()
ci_builder = ci_builder.subject_name(ci_subject)
@@ -312,13 +323,15 @@
unknown_ci_cert = ci_builder.sign(unknown_ci_key, hashes.SHA256(), default_backend())
- eum_key = load_private_key_from_file('./sgp26/EUM/SK_EUM_ECDSA_NIST.pem')
+ eum_key = load_private_key_from_file("./sgp26/EUM/SK_EUM_ECDSA_NIST.pem")
- subject = x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, "ES"),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, "RSP Test EUM"),
- x509.NameAttribute(NameOID.COMMON_NAME, "EUM with Unknown CI"),
- ])
+ subject = x509.Name(
+ [
+ x509.NameAttribute(NameOID.COUNTRY_NAME, "ES"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, "RSP Test EUM"),
+ x509.NameAttribute(NameOID.COMMON_NAME, "EUM with Unknown CI"),
+ ]
+ )
builder = x509.CertificateBuilder()
builder = builder.subject_name(subject)
@@ -329,14 +342,10 @@
builder = builder.public_key(eum_key.public_key())
builder = builder.add_extension(
- x509.AuthorityKeyIdentifier.from_issuer_public_key(unknown_ci_key.public_key()),
- critical=False
+ x509.AuthorityKeyIdentifier.from_issuer_public_key(unknown_ci_key.public_key()), critical=False
)
- builder = builder.add_extension(
- x509.SubjectKeyIdentifier.from_public_key(eum_key.public_key()),
- critical=False
- )
+ builder = builder.add_extension(x509.SubjectKeyIdentifier.from_public_key(eum_key.public_key()), critical=False)
builder = builder.add_extension(
x509.KeyUsage(
@@ -348,28 +357,30 @@
key_cert_sign=True,
crl_sign=False,
encipher_only=False,
- decipher_only=False
+ decipher_only=False,
),
- critical=True
+ critical=True,
)
builder = builder.add_extension(
- x509.CertificatePolicies([
- x509.PolicyInformation(
- x509.ObjectIdentifier("2.23.146.1.2.1.4"), # EUM policy
- policy_qualifiers=None
- )
- ]),
- critical=True
+ x509.CertificatePolicies(
+ [
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.23.146.1.2.1.4"), # EUM policy
+ policy_qualifiers=None,
+ )
+ ]
+ ),
+ critical=True,
)
certificate = builder.sign(unknown_ci_key, hashes.SHA256(), default_backend())
- output_path = './InvalidTestCases/CERT_EUM_ECDSA_NIST_UNKNOWN_CI.der'
+ output_path = "./InvalidTestCases/CERT_EUM_ECDSA_NIST_UNKNOWN_CI.der"
with open(output_path, "wb") as f:
f.write(certificate.public_bytes(serialization.Encoding.DER))
- ci_output_path = './InvalidTestCases/CERT_UNKNOWN_CI_ECDSA_NIST.der'
+ ci_output_path = "./InvalidTestCases/CERT_UNKNOWN_CI_ECDSA_NIST.der"
with open(ci_output_path, "wb") as f:
f.write(unknown_ci_cert.public_bytes(serialization.Encoding.DER))
@@ -377,24 +388,27 @@
print(f" Saved unknown CI cert to: {ci_output_path}")
return certificate
+
def generate_euicc_cert_with_invalid_eid():
"""Generate eUICC certificate with EID outside EUM's permitted range for Error Test #6."""
print("Generating eUICC certificate with invalid EID (outside EUM's range)...")
- eum_cert = load_certificate_from_file('./sgp26/EUM/CERT_EUM_ECDSA_NIST.der')
- eum_key = load_private_key_from_file('./sgp26/EUM/SK_EUM_ECDSA_NIST.pem')
+ eum_cert = load_certificate_from_file("./sgp26/EUM/CERT_EUM_ECDSA_NIST.der")
+ eum_key = load_private_key_from_file("./sgp26/EUM/SK_EUM_ECDSA_NIST.pem")
- euicc_key = load_private_key_from_file('./sgp26/eUICC/SK_EUICC_ECDSA_NIST.pem')
+ euicc_key = load_private_key_from_file("./sgp26/eUICC/SK_EUICC_ECDSA_NIST.pem")
# Create subject with DIFFERENT EID PREFIX - outside EUM's permitted range
# EUM permits only EIDs starting with 89049032
# We'll use a different prefix: 89049033 (just increment the last digit)
- subject = x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, "ES"),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, "RSP Test EUM"),
- x509.NameAttribute(NameOID.SERIAL_NUMBER, "89049033123451234512345678901234"), # Different prefix!
- x509.NameAttribute(NameOID.COMMON_NAME, "Test eUICC Invalid EID"),
- ])
+ subject = x509.Name(
+ [
+ x509.NameAttribute(NameOID.COUNTRY_NAME, "ES"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, "RSP Test EUM"),
+ x509.NameAttribute(NameOID.SERIAL_NUMBER, "89049033123451234512345678901234"), # Different prefix!
+ x509.NameAttribute(NameOID.COMMON_NAME, "Test eUICC Invalid EID"),
+ ]
+ )
builder = x509.CertificateBuilder()
builder = builder.subject_name(subject)
@@ -405,14 +419,10 @@
builder = builder.public_key(euicc_key.public_key())
builder = builder.add_extension(
- x509.AuthorityKeyIdentifier.from_issuer_public_key(eum_key.public_key()),
- critical=False
+ x509.AuthorityKeyIdentifier.from_issuer_public_key(eum_key.public_key()), critical=False
)
- builder = builder.add_extension(
- x509.SubjectKeyIdentifier.from_public_key(euicc_key.public_key()),
- critical=False
- )
+ builder = builder.add_extension(x509.SubjectKeyIdentifier.from_public_key(euicc_key.public_key()), critical=False)
builder = builder.add_extension(
x509.KeyUsage(
@@ -424,24 +434,26 @@
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
- decipher_only=False
+ decipher_only=False,
),
- critical=True
+ critical=True,
)
builder = builder.add_extension(
- x509.CertificatePolicies([
- x509.PolicyInformation(
- x509.ObjectIdentifier("2.23.146.1.2.1.1"), # eUICC policy
- policy_qualifiers=None
- )
- ]),
- critical=True
+ x509.CertificatePolicies(
+ [
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.23.146.1.2.1.1"), # eUICC policy
+ policy_qualifiers=None,
+ )
+ ]
+ ),
+ critical=True,
)
certificate = builder.sign(eum_key, hashes.SHA256(), default_backend())
- output_path = './InvalidTestCases/CERT_EUICC_ECDSA_NIST_INVALID_EID.der'
+ output_path = "./InvalidTestCases/CERT_EUICC_ECDSA_NIST_INVALID_EID.der"
with open(output_path, "wb") as f:
f.write(certificate.public_bytes(serialization.Encoding.DER))
@@ -452,32 +464,37 @@
print(" Note: Uses same private key as SK_EUICC_ECDSA_NIST.pem")
# Also save as PEM for inspection
- pem_path = output_path.replace('.der', '.pem')
+ pem_path = output_path.replace(".der", ".pem")
with open(pem_path, "wb") as f:
f.write(certificate.public_bytes(serialization.Encoding.PEM))
return certificate
+
def generate_euicc_cert_unmatched_eid():
"""Generate eUICC certificate with EID not in default profiles for Error Test #14."""
print("Generating eUICC certificate with unmatched EID (not in default profiles)...")
- eum_cert = load_certificate_from_file('./sgp26/EUM/CERT_EUM_ECDSA_NIST.der')
- eum_key = load_private_key_from_file('./sgp26/EUM/SK_EUM_ECDSA_NIST.pem')
+ eum_cert = load_certificate_from_file("./sgp26/EUM/CERT_EUM_ECDSA_NIST.der")
+ eum_key = load_private_key_from_file("./sgp26/EUM/SK_EUM_ECDSA_NIST.pem")
- euicc_key = load_private_key_from_file('./sgp26/eUICC/SK_EUICC_ECDSA_NIST.pem')
+ euicc_key = load_private_key_from_file("./sgp26/eUICC/SK_EUICC_ECDSA_NIST.pem")
# Create subject with EID that:
# - Starts with 89049032 (within EUM's permitted range)
# - But is NOT in the server's default_profiles:
# - 89049032123451234512345678901235 is EID1 (has default profile)
# - We'll use 89049032123451234512345678901299 (different ending)
- subject = x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, "ES"),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, "RSP Test EUM"),
- x509.NameAttribute(NameOID.SERIAL_NUMBER, "89049032123451234512345678901299"), # Valid prefix, not in defaults
- x509.NameAttribute(NameOID.COMMON_NAME, "Test eUICC Unmatched EID"),
- ])
+ subject = x509.Name(
+ [
+ x509.NameAttribute(NameOID.COUNTRY_NAME, "ES"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, "RSP Test EUM"),
+ x509.NameAttribute(
+ NameOID.SERIAL_NUMBER, "89049032123451234512345678901299"
+ ), # Valid prefix, not in defaults
+ x509.NameAttribute(NameOID.COMMON_NAME, "Test eUICC Unmatched EID"),
+ ]
+ )
builder = x509.CertificateBuilder()
builder = builder.subject_name(subject)
@@ -488,14 +505,10 @@
builder = builder.public_key(euicc_key.public_key())
builder = builder.add_extension(
- x509.AuthorityKeyIdentifier.from_issuer_public_key(eum_key.public_key()),
- critical=False
+ x509.AuthorityKeyIdentifier.from_issuer_public_key(eum_key.public_key()), critical=False
)
- builder = builder.add_extension(
- x509.SubjectKeyIdentifier.from_public_key(euicc_key.public_key()),
- critical=False
- )
+ builder = builder.add_extension(x509.SubjectKeyIdentifier.from_public_key(euicc_key.public_key()), critical=False)
builder = builder.add_extension(
x509.KeyUsage(
@@ -507,24 +520,26 @@
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
- decipher_only=False
+ decipher_only=False,
),
- critical=True
+ critical=True,
)
builder = builder.add_extension(
- x509.CertificatePolicies([
- x509.PolicyInformation(
- x509.ObjectIdentifier("2.23.146.1.2.1.1"), # eUICC policy
- policy_qualifiers=None
- )
- ]),
- critical=True
+ x509.CertificatePolicies(
+ [
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.23.146.1.2.1.1"), # eUICC policy
+ policy_qualifiers=None,
+ )
+ ]
+ ),
+ critical=True,
)
certificate = builder.sign(eum_key, hashes.SHA256(), default_backend())
- output_path = './InvalidTestCases/CERT_EUICC_ECDSA_NIST_UNMATCHED_EID.der'
+ output_path = "./InvalidTestCases/CERT_EUICC_ECDSA_NIST_UNMATCHED_EID.der"
with open(output_path, "wb") as f:
f.write(certificate.public_bytes(serialization.Encoding.DER))
@@ -535,12 +550,13 @@
print(" Note: Uses same private key as SK_EUICC_ECDSA_NIST.pem")
# Also save as PEM for inspection
- pem_path = output_path.replace('.der', '.pem')
+ pem_path = output_path.replace(".der", ".pem")
with open(pem_path, "wb") as f:
f.write(certificate.public_bytes(serialization.Encoding.PEM))
return certificate
+
if __name__ == "__main__":
print("Generating all test certificates for SM-DP+ error test cases...")
print("=" * 60)
@@ -567,7 +583,9 @@
# Error Test #6: Invalid EID
generate_euicc_cert_with_invalid_eid()
- certificates_generated.append("CERT_EUICC_ECDSA_NIST_INVALID_EID.der - eUICC with EID outside EUM range (Error Test #6)")
+ certificates_generated.append(
+ "CERT_EUICC_ECDSA_NIST_INVALID_EID.der - eUICC with EID outside EUM range (Error Test #6)"
+ )
# Error Test #14: Unmatched EID
generate_euicc_cert_unmatched_eid()
@@ -579,4 +597,4 @@
print("\nGenerated certificates in ./InvalidTestCases/:")
for cert in certificates_generated:
print(f" • {cert}")
- print("\nTotal: {} certificates generated".format(len(certificates_generated)))
\ No newline at end of file
+ print("\nTotal: {} certificates generated".format(len(certificates_generated)))
1 file would be reformatted, 13 files already formatted
Build step 'Execute shell' marked build as failure
$ ssh-agent -k
unset SSH_AUTH_SOCK;
unset SSH_AGENT_PID;
echo Agent pid 3996556 killed;
[ssh-agent] Stopped.
Finished: FAILURE