laforge has uploaded this change for review. (
https://gerrit.osmocom.org/c/pysim/+/41835?usp=email )
Change subject: saip.validation: Verify unused mandatory services in header
......................................................................
saip.validation: Verify unused mandatory services in header
This adds a new check method to the
pySim.esim.saip.validation.CheckBasicStructure
class, which ensures that no unused authentication algorithm related mandatory
services are indicated in the ProfileHeader.
So if a profile e.g. states in the header it requires
usim-test-algorithm, but then the actual akaParameter instances do not
actually use that algorithm, it would raise an exception.
Change-Id: Id0e1988ae1936a321d04bc7c3c3a33262c767d30
Related: SYS#7826
---
M pySim/esim/saip/validation.py
1 file changed, 20 insertions(+), 0 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/pysim refs/changes/35/41835/1
diff --git a/pySim/esim/saip/validation.py b/pySim/esim/saip/validation.py
index 5e0323a..bf974c8 100644
--- a/pySim/esim/saip/validation.py
+++ b/pySim/esim/saip/validation.py
@@ -103,6 +103,26 @@
if 'profile-a-p256' in m_svcs and not ('usim' in m_svcs or 'isim' in
m_svcs):
raise ProfileError('profile-a-p256 mandatory, but no usim or isim')
+ def check_mandatory_services_aka(self, pes: ProfileElementSequence):
+ """Ensure that no unnecessary authentication related services are
marked as mandatory but not
+ actually used within the profile"""
+ m_svcs =
pes.get_pe_for_type('header').decoded['eUICC-Mandatory-services']
+ # list of tuples (algo_id, key_len_in_octets) for all the
akaParameters in the PE Sequence
+ algo_id_klen = [(x.decoded['algoConfiguration'][1]['algorithmID'],
+ len(x.decoded['algoConfiguration'][1]['key'])) for x
in pes.get_pes_for_type('akaParameter')]
+ # just a plain list of algorithm IDs in akaParameters
+ algorithm_ids = [x[0] for x in algo_id_klen]
+ if 'milenage' in m_svcs and not 1 in algorithm_ids:
+ raise ProfileError('milenage mandatory, but no related
algorithm_id in akaParameter')
+ if 'tuak128' in m_svcs and not (2, 128/8) in algo_id_klen:
+ raise ProfileError('tuak128 mandatory, but no related algorithm_id
in akaParameter')
+ if 'cave' in m_svcs and not pes.get_pe_for_type('cdmaParameter'):
+ raise ProfileError('cave mandatory, but no related cdmaParameter')
+ if 'tuak256' in m_svcs and (2, 256/8) in algo_id_klen:
+ raise ProfileError('tuak256 mandatory, but no related algorithm_id
in akaParameter')
+ if 'usim-test-algorithm' in m_svcs and not 3 in algorithm_ids:
+ raise ProfileError('usim-test-algorithm mandatory, but no related
algorithm_id in akaParameter')
+
def check_identification_unique(self, pes: ProfileElementSequence):
"""Ensure that each PE has a unique identification value."""
id_list = [pe.header['identification'] for pe in pes.pe_list if
pe.header]
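Review bot: The `tuak256` test in `check_mandatory_services_aka` is missing the `not` that the four sibling checks have, so it raises when a matching akaParameter (algorithm 2 with a 32-octet key) is present and stays silent when tuak256 is declared mandatory but unused; it should read `if 'tuak256' in m_svcs and not (2, 256/8) in algo_id_klen:`. As written, the validator rejects profiles that legitimately use TUAK-256 and passes exactly the header/content mismatch this check is meant to catch. The list comprehension also indexes `algoConfiguration[1]['algorithmID']` and `['key']` unconditionally, which presumably surfaces as a `KeyError` rather than a `ProfileError` if an akaParameter carries a configuration variant without those fields; that is worth confirming against the decoder. Writing the key lengths as `128 // 8` and `256 // 8` would keep them integers instead of relying on `16 == 16.0` in the tuple comparison.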
--
Gerrit-MessageType: newchange
Gerrit-Project: pysim
Gerrit-Branch: master
Gerrit-Change-Id: Id0e1988ae1936a321d04bc7c3c3a33262c767d30
Gerrit-Change-Number: 41835
Gerrit-PatchSet: 1
Gerrit-Owner: laforge <[email protected]>