/* RSP Cryptographic Operations Header * * Author: Eric Wild / sysmocom - s.f.m.c. GmbH * * Released under the terms of GNU General Public License, Version 2 or * (at your option) any later version. * * SPDX-License-Identifier: GPL-2.0-or-later */ #ifndef RSP_CLIENT_H #define RSP_CLIENT_H #include #include #include #include "helpers.h" // For deleter functors // Forward declarations for OpenSSL types typedef struct x509_st X509; typedef struct evp_pkey_st EVP_PKEY; typedef struct x509_store_st X509_STORE; namespace RspCrypto { // Forward declarations for internal types class HttpClient; /** * RSPClient - Remote SIM Provisioning Client * * This class implements the cryptographic operations and certificate management * required for RSP (Remote SIM Provisioning) protocol operations. */ class RSPClient { public: /** * Constructor * @param serverUrl The server URL * @param serverPort The server port * @param certPath Vector of certificate paths (files or directories) * @param name_filters Vector of name filters for certificate selection */ RSPClient(const std::string& serverUrl, const unsigned int serverPort, const std::vector& certPath, const std::vector& name_filters = {}); /** * Destructor */ ~RSPClient(); // Certificate and key management void setCACertPath(const std::string& path); void loadEUICCCertificate(const std::string& euiccCertPath); void loadEUICCKeyPair(const std::string& euiccPrivateKeyPath, const std::string& euiccPublicKeyPath = ""); void loadEUMCertificate(const std::string& eumCertPath); void loadEUMKeyPair(const std::string& eumPrivateKeyPath, const std::string& eumPublicKeyPath = ""); // Certificate retrieval std::vector getEUMCertificate(); std::vector getEUICCCertificate(); std::vector getCICertificate(); // Cryptographic operations std::vector generateChallenge(); void generateEUICCOtpk(); std::vector getEUICCOtpk(); std::vector signDataWithEUICC(const std::vector& dataToSign); bool verifyServerSignature(const std::vector& serverSigned1, const std::vector& signature); bool verifyServerSignature(const std::vector& serverSigned1, const std::vector& serverSignature1, const std::vector& derDataServerCert); std::vector computeECDHSharedSecret(const std::vector& otherPublicKey); // Confirmation code and transaction handling void setConfirmationCode(const std::string& confirmationCode); void setTransactionId(const std::vector& transactionId); std::vector getConfirmationCodeHash() const; void setConfirmationCodeHash(const std::vector& hash); // HTTP client configuration void configureHttpClient(bool useCustomTlsCert, const std::string& customTlsCertPath = ""); void setAuthParams(bool useMutualTLS, const std::string& clientCertPath, const std::string& clientKeyPath); // HTTP operations std::string sendHttpsPost(const std::string& endpoint, const std::string& body, int& httpStatusCode, unsigned int portOverride); std::string sendHttpsPostWithAuth(const std::string& endpoint, const std::string& body, int& httpStatusCode, unsigned int portOverride); std::string sendHttpsPostWithContentType(const std::string& endpoint, const std::string& body, const std::string& contentType, int& httpStatusCode, unsigned int portOverride); std::string sendHttpsPostUnified(const std::string& endpoint, const std::string& body, int& httpStatusCode, unsigned int portOverride, bool useMutualTLS = false, const std::string& clientCertPath = "", const std::string& clientKeyPath = "", const std::string& contentType = "application/json"); private: // Private helper methods void loadCertificate(const std::string& certPath, const std::string& certType, std::unique_ptr& certStorage); void loadKeyPair(const std::string& privateKeyPath, const std::string& publicKeyPath, const std::string& keyType, std::unique_ptr& privateKeyStorage, std::vector& publicKeyStorage); std::vector signDataWithKey(const std::vector& dataToSign, EVP_PKEY* pkey); bool verifyServerSignature(const std::vector& signedData, const std::vector& signature, X509* serverCert); bool verifyServerSignature(const std::vector& serverSigned1, const std::vector& signature, X509* serverCert, const std::string& certSource); int getEUICCCurveNID(); // Member variables std::string m_serverUrl; std::unique_ptr m_rootCA; std::vector> m_intermediateCA; std::unique_ptr m_serverCert; std::vector> m_certPool; std::vector m_euiccSKI; std::string m_EID; std::unique_ptr m_euiccCert; std::unique_ptr m_euiccPrivateKey; std::vector m_euiccPublicKeyData; std::unique_ptr m_euicc_ot_PrivateKey; std::vector m_euiccOtpk; std::unique_ptr m_eumCert; std::unique_ptr m_eumPrivateKey; std::vector m_eumPublicKeyData; std::string m_confirmationCode; std::vector m_confirmationCodeHash; std::vector m_transactionId; std::string m_caCertPath; std::unique_ptr m_httpClient; bool m_useCustomTlsCert; std::string m_customTlsCertPath; bool m_useMutualTLS; std::string m_clientCertPath; std::string m_clientKeyPath; }; // Utility classes used by RSPClient (exposed for use in external functions) class CertificateUtil { public: static std::unique_ptr loadCertFromDER(const std::vector& derData); static std::vector> loadCertificateChain(const std::string& filename); static std::vector> loadCertificatesFromDirectory(const std::string& directory, const std::vector& name_filters); static std::string getEID(X509* cert); static std::string getSubjectName(X509* cert); static std::vector getSubjectKeyIdentifier(X509* cert); static std::vector getAuthorityKeyIdentifier(X509* cert); static bool validateEIDRange(const std::string& eid, const std::vector& eumCertData); static bool hasRSPRole(const std::vector& certData, const std::string& roleOid); static std::string getPermittedEINs(const std::vector& eumCertData); static bool verifyECDHCompatible(const std::vector& pubKey1, const std::vector& pubKey2); static std::string getCurveOID(const std::vector& certData); static bool verifyCertificateChainDynamic(X509* cert, const std::vector& certPool, X509* rootCA, bool verbose); }; } // namespace RspCrypto #endif // RSP_CLIENT_H