EasyEUICC: Download SGP.26 test eSIMs via an Android GUI program

After creating osmo-smdpp, and the sysmoEUICC1 products during recent months, I’ve more recently been investigating whether it’s possible to install test-eSIMs onto a test-eUICC using some kind of Android GUI application.

In fact, Peter Cai has created the amazing EasyEUICC app. It uses Android OMAPI (specifically FEATURE_SE_OMAPI_UICC) to get raw APDU access to the eUICC. This works by storing the hash of the APK-signing-certificate on the eUICC itself.

Sadly, I could not get EasyEUICC to work with the sysmoEUICC-C2T SGP.26 test eUICCs. Initially, the problem was some wrong configuration of the ARA-M/ARA-D applet. After this was resolved, EasyEUICC could see the eUICC and manage (enable/disable) the present profiles on the eUICC. However, download (e.g. from smdpp.test.rsp.sysmocom.de) always failed rather quickly.

Yesterday I finally found the cause: EasyEUICC does not respect the SubjectKeyIdentifiers reported by the eUICC, but instead uses a hard-coded CA certificate when verifying the TLS certificate of the SM-DP+. This means that in its current form, it will only work with SM-DP+ that have a TLS certificate signed by the GSMA consumer v2 CA.

I’ve reported a bug containing the details of how I think this should be implemented in a generic way. After all, the eUICC tells us which CAs it supports, and any LPA should learn that information rather than making hard-coded assumptions.

As I’m not an Android or Java developer at all, I don’t really feel confident I can implement the proper behaviour, though. But as an interim work-around, I created a forked EasyEUICC (called EasyEUICC-SGP.26) which contains a patch to add the SGP.26 CA root certificates. A resulting pre-built APK file signed with the sysmocom APK signing key (which is authorized by sysmoEUICC-C2T) can be found at https://test.rsp.sysmocom.de/easyeuicc/latest.apk

With that EasyEUICC-SGP.26 I’m finally able to download SGP.26-signed eSIM profiles onto the sysmoEUICC-C2T from any random Android phone’s UI. So far I’ve only tested with a Galaxy S9 and a Pixel 7, but I’ll certainly try some other phone models, too.

Note that the sysmoEUICC-C2T only recently (since serial number 13, i.e. EID 898821199000000000000000000013xx and later) started to include the ARA-M applet with the rule to authorize Android apps signed using the sysmocom APK signing key. If you have an earlier sample, please reach out to support@sysmocom.de and we can discuss getting you an updated replacement.

2 Likes
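The selection logic described in the post above (take the CA identifiers the eUICC reports instead of a fixed CA), as an added example that is not part of the original posts and is not EasyEUICC or osmo-smdpp code. It assumes the EUICCInfo1 layout from SGP.22 (tag BF20, with euiccCiPKIdListForVerification under tag A9); the SKI values, the sample structure and the file names are constructed placeholders.

```python
def read_tlv(buf, pos):
    """Parse one BER-TLV at buf[pos:]; return (tag, value, next_pos)."""
    start, pos = pos, pos + 1
    if buf[start] & 0x1F == 0x1F:     # multi-byte tag such as BF20
        while buf[pos] & 0x80:
            pos += 1
        pos += 1
    tag = bytes(buf[start:pos])
    length, pos = buf[pos], pos + 1
    if length & 0x80:                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def ci_pkids_for_verification(euicc_info1):
    """SKIs of the CAs the eUICC accepts when verifying the SM-DP+ side."""
    tag, body, _ = read_tlv(euicc_info1, 0)
    if tag != b"\xbf\x20":
        raise ValueError("not an EUICCInfo1 (BF20) structure")
    for tag, val in children(body):
        if tag == b"\xa9":            # euiccCiPKIdListForVerification
            return [ski for t, ski in children(val) if t == b"\x04"]
    return []

def select_trust_anchors(euicc_info1, ca_store):
    """Keep only bundled CAs whose SKI the eUICC reports; fail closed if none."""
    wanted = ci_pkids_for_verification(euicc_info1)
    anchors = [ca_store[ski] for ski in wanted if ski in ca_store]
    if not anchors:
        raise LookupError("no bundled CA matches the eUICC's reported SKIs")
    return anchors

def _tlv(tag, value):                 # sample builder, short-form lengths only
    return tag + bytes([len(value)]) + value

SKI_A, SKI_B, SKI_C = (bytes([b]) * 20 for b in (0xA1, 0xB2, 0xC3))  # constructed
SAMPLE_INFO1 = _tlv(b"\xbf\x20", _tlv(b"\x82", b"\x02\x02\x00")
    + _tlv(b"\xa9", _tlv(b"\x04", SKI_A) + _tlv(b"\x04", SKI_B))
    + _tlv(b"\xaa", _tlv(b"\x04", SKI_A)))
CA_STORE = {SKI_C: "ca-c.pem", SKI_A: "ca-a.pem"}   # placeholder file names
```

With the sample data, only `ca-a.pem` is selected as a TLS trust anchor: `ca-c.pem` is bundled but not reported by the eUICC, and SKI_B is reported but not bundled.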

After fixing a long-standing constraint in osmo-smdpp regarding using non-hardcoded ICCID yesterday, I could add support for profiles using other ICCIDs.

This means that there are now new QR-codes for installing the TS.48 profiles modified for unique ICCIDs - which means you can install multiple of them at the same time on one eUICC:

1 Like