Skip to content

libeuicc: Implement AR-DO (tag 0xBF76) parsing in es8p metadata#423

Merged
estkme merged 9 commits intoestkme-group:mainfrom
PeterCxy:metadata-access-rules
Mar 17, 2026
Merged

libeuicc: Implement AR-DO (tag 0xBF76) parsing in es8p metadata#423
estkme merged 9 commits intoestkme-group:mainfrom
PeterCxy:metadata-access-rules

Conversation

@PeterCxy
Copy link
Contributor

@PeterCxy PeterCxy commented Mar 15, 2026
edited
Loading

This is added by some profiles targetting usage on Android with EuiccService API. EuiccService will return these access rules to the system, which decides whether to allow download to proceed based on the certificate hash, i.e. if the requesting app does not match the hash specified in the profile's access rules, download process is aborted.

@PeterCxy PeterCxy requested a review from septs March 15, 2026 22:34
@PeterCxy
Copy link
Contributor Author

PeterCxy commented Mar 15, 2026
edited
Loading

Test w/ BetterRoaming Test Profile (with both cert hash and package name)

{"type":"progress","payload":{"code":0,"message":"es8p_metadata_parse","data":{"iccid":"8944476500009169967","serviceProviderName":"BetterRoaming","profileName":"BetterRoaming","iconType":null,"icon":null,"profileClass":null,"accessRules":[{"certificateHash":"fff5a9517b5a74fc0fe76c699fb1d4d8b2ec98fd","packageName":"com.truphone.betterroaming"}]}}}

com.truphone.betterroaming.apk:

[peter@gpdwm2 Downloads]$ ~/Android/Sdk/build-tools/36.1.0/apksigner verify --print-certs com.truphone.betterroaming.apk
Signer #1 certificate DN: CN=1global, OU=esimfactory, O=1global, C=PT
Signer #1 certificate SHA-256 digest: 296d35e3e69abca4abdbb144da688208023d47341b3ef357af6dbec486221ea6
Signer #1 certificate SHA-1 digest: fff5a9517b5a74fc0fe76c699fb1d4d8b2ec98fd
Signer #1 certificate MD5 digest: 26e196377dd9c018e0abeaec6876c832
Source Stamp Signer certificate DN: CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Source Stamp Signer certificate SHA-256 digest: 3257d599a49d2c961a471ca9843f59d341a405884583fc087df4237b733bbd6d
Source Stamp Signer certificate SHA-1 digest: b1af3a0bf998aeede1a8716a539e5a59da1d86d6
Source Stamp Signer certificate MD5 digest: 577b8a9fbc7e308321aec6411169d2fb

SHA-1 digest seems to match.

@PeterCxy
Copy link
Contributor Author

PeterCxy commented Mar 15, 2026

The Speedtest one which seems to come with no access rules, also Truphone RSP though:

{"type":"progress","payload":{"code":0,"message":"es8p_metadata_parse","data":{"iccid":"8944476500009158358","serviceProviderName":"Speedtest Travel","profileName":"BetterRoaming","iconType":null,"icon":null,"profileClass":null,"accessRules":[]}}}

@PeterCxy PeterCxy marked this pull request as ready for review March 15, 2026 22:52
@PeterCxy
Enforce unique children
a683d2d 
This is technically stricter than EuiccGoogle but it seems safer. We can
relax this if it becomes a problem.
septs
septs reviewed Mar 15, 2026
View reviewed changes
CoelacanthusHex
CoelacanthusHex reviewed Mar 16, 2026
View reviewed changes
@estkme
Copy link
Contributor

estkme commented Mar 16, 2026

Does this ar-do also accessible when you list profiles?

CoelacanthusHex
CoelacanthusHex approved these changes Mar 16, 2026
View reviewed changes
Copy link
Contributor

@CoelacanthusHex CoelacanthusHex left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@PeterCxy
Copy link
Contributor Author

PeterCxy commented Mar 16, 2026

@estkme no, I'm pretty sure this is only available during the download process

@estkme estkme merged commit aac8c81 into estkme-group:main Mar 17, 2026
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@septs septs septs approved these changes

@CoelacanthusHex CoelacanthusHex CoelacanthusHex approved these changes

@estkme estkme Awaiting requested review from estkme

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@PeterCxy @estkme @septs @CoelacanthusHex