@particle/esim-tooling 1.0.0

package/src/es10/es10b-notifications.ts

@@ -0,0 +1,331 @@
+import { Es10Error } from '../errors.js';
+import { tlvEncode, tlvDecode, tlvFind, tlvFindAll, tlvConcat } from '../tlv.js';
+import { decodeIccid } from './iccid.js';
+import { NotificationEvent, DeleteNotificationStatus, type NotificationMetadata, type Notification, type ProfileInstallationResult } from '../types.js';
+import * as Tags from './tags.js';
+import type { TlvNode } from '../tlv.js';
+
+/**
+ * Notification with raw PendingNotification bytes for sending to SM-DP+.
+ * Internal type used by processNotifications.
+ */
+export interface NotificationWithRaw extends Notification {
+  /** Raw PendingNotification bytes (BF37 or 30) to send to SM-DP+ handleNotification */
+  raw: Uint8Array;
+}
+
+export function encodeListNotificationRequest(): Uint8Array {
+  return tlvEncode(Tags.TAG_LIST_NOTIFICATION_REQUEST, new Uint8Array(0));
+}
+
+export function decodeListNotificationResponse(data: Uint8Array): NotificationMetadata[] {
+  const root = tlvDecode(data);
+  if (root.tag !== Tags.TAG_LIST_NOTIFICATION_REQUEST) {
+    throw new Es10Error(-1, `Unexpected response tag: 0x${root.tag.toString(16)}`);
+  }
+
+  // Check for empty list or error
+  const metadataList = tlvFind(root, Tags.TAG_NOTIFICATION_METADATA_LIST);
+  if (!metadataList) {
+    // Could be an error response or empty
+    return [];
+  }
+
+  const result: NotificationMetadata[] = [];
+  const items = tlvFindAll(metadataList, Tags.TAG_NOTIFICATION_METADATA);
+  for (const item of items) {
+    const metadata = decodeNotificationMetadata(item);
+    if (metadata) result.push(metadata);
+  }
+  return result;
+}
+
+function decodeNotificationMetadata(node: TlvNode): NotificationMetadata | null {
+  const seqNode = tlvFind(node, Tags.TAG_NOTIFICATION_SEQ_NUMBER);
+  const opNode = tlvFind(node, Tags.TAG_NOTIFICATION_OPERATION);
+  const addrNode = tlvFind(node, Tags.TAG_NOTIFICATION_ADDRESS);
+
+  if (!seqNode || !opNode || !addrNode) return null;
+
+  const seqNumber = decodeUnsignedInteger(seqNode.value);
+  const operation = decodeNotificationEvent(opNode.value);
+  const notificationAddress = new TextDecoder('utf-8').decode(addrNode.value);
+
+  const iccidNode = tlvFind(node, Tags.TAG_NOTIFICATION_ICCID);
+  const iccid = iccidNode ? decodeIccid(iccidNode.value) : undefined;
+
+  return { seqNumber, operation, notificationAddress, iccid };
+}
+
+export function encodeRetrieveNotificationsListRequest(seqNumber?: number): Uint8Array {
+  if (seqNumber === undefined) {
+    // No filter - retrieve all notifications
+    return tlvEncode(Tags.TAG_RETRIEVE_NOTIFICATIONS_LIST_REQUEST, new Uint8Array(0));
+  }
+  const seqTlv = tlvEncode(Tags.TAG_NOTIFICATION_SEQ_NUMBER, encodeUnsignedInteger(seqNumber));
+  const criteria = tlvEncode(Tags.TAG_NOTIFICATION_SEARCH_CRITERIA, seqTlv);
+  return tlvEncode(Tags.TAG_RETRIEVE_NOTIFICATIONS_LIST_REQUEST, criteria);
+}
+
+/**
+ * Decode RetrieveNotificationsList response returning raw bytes for a single notification.
+ * Used by processNotifications to forward to SM-DP+.
+ */
+export function decodeRetrieveNotificationsListResponse(data: Uint8Array): Uint8Array {
+  const root = tlvDecode(data);
+  if (root.tag !== Tags.TAG_RETRIEVE_NOTIFICATIONS_LIST_REQUEST) {
+    throw new Es10Error(-1, `Unexpected response tag: 0x${root.tag.toString(16)}`);
+  }
+
+  // Check for error response: BF2B { 02 <error-code> }
+  // notificationsListResultError is an INTEGER (tag 0x02)
+  const errorNode = tlvFind(root, 0x02);
+  if (errorNode) {
+    const errorCode = errorNode.value[0] ?? 127;
+    throw new Es10Error(errorCode, `RetrieveNotificationsList failed: error=${errorCode}`);
+  }
+
+  // Response structure: BF2B { A0 { BF37 or 30 } }
+  // The A0 is the notificationList wrapper (CHOICE alternative [0])
+  const notificationList = tlvFind(root, 0xa0);
+  const searchNode = notificationList ?? root;
+
+  // The pending notification is the raw value to forward to SM-DP+
+  // Could be BF37 (ProfileInstallationResult) or 30 (OtherSignedNotification)
+  const installResult = tlvFind(searchNode, Tags.TAG_PROFILE_INSTALLATION_RESULT);
+  if (installResult) {
+    return installResult.raw ?? installResult.value;
+  }
+  const otherNotif = tlvFind(searchNode, Tags.TAG_OTHER_SIGNED_NOTIFICATION);
+  if (otherNotif) {
+    return otherNotif.raw ?? otherNotif.value;
+  }
+  throw new Es10Error(-1, 'PendingNotification not found in response');
+}
+
+/**
+ * Decode RetrieveNotificationsList response returning full Notification objects
+ * with raw bytes for sending to SM-DP+.
+ */
+export function decodeRetrieveNotificationsListFull(data: Uint8Array): NotificationWithRaw[] {
+  const root = tlvDecode(data);
+  if (root.tag !== Tags.TAG_RETRIEVE_NOTIFICATIONS_LIST_REQUEST) {
+    throw new Es10Error(-1, `Unexpected response tag: 0x${root.tag.toString(16)}`);
+  }
+
+  // Check for error response: BF2B { 02 <error-code> }
+  // notificationsListResultError is an INTEGER (tag 0x02)
+  const errorNode = tlvFind(root, 0x02);
+  if (errorNode) {
+    const errorCode = errorNode.value[0] ?? 127;
+    throw new Es10Error(errorCode, `RetrieveNotificationsList failed: error=${errorCode}`);
+  }
+
+  const result: NotificationWithRaw[] = [];
+
+  // Response structure: BF2B { A0 { BF37... 30... } }
+  // The A0 is the notificationList wrapper (CHOICE alternative [0])
+  const notificationList = tlvFind(root, 0xa0);
+  const searchNode = notificationList ?? root;
+
+  // Find all ProfileInstallationResult (BF37) nodes - install notifications
+  const installResults = tlvFindAll(searchNode, Tags.TAG_PROFILE_INSTALLATION_RESULT);
+  for (const node of installResults) {
+    const notif = decodeProfileInstallationResult(node);
+    if (notif) {
+      // Raw bytes are the entire PendingNotification (BF37 node)
+      const raw = node.raw ?? new Uint8Array(0);
+      result.push({ ...notif, raw });
+    }
+  }
+
+  // Find all OtherSignedNotification (30) nodes - enable/disable/delete notifications
+  const otherNotifs = tlvFindAll(searchNode, Tags.TAG_OTHER_SIGNED_NOTIFICATION);
+  for (const node of otherNotifs) {
+    const notif = decodeOtherSignedNotification(node);
+    if (notif) {
+      // Raw bytes are the entire PendingNotification (30 node)
+      const raw = node.raw ?? new Uint8Array(0);
+      result.push({ ...notif, raw });
+    }
+  }
+
+  return result;
+}
+
+/**
+ * Decode ProfileInstallationResult (BF37) to extract metadata and success/failure.
+ */
+function decodeProfileInstallationResult(node: TlvNode): Notification | null {
+  // ProfileInstallationResult contains ProfileInstallationResultData (BF27)
+  const resultData = tlvFind(node, Tags.TAG_PROFILE_INSTALLATION_RESULT_DATA);
+  if (!resultData) return null;
+
+  // Extract NotificationMetadata (BF2F) from within
+  const metadataNode = tlvFind(resultData, Tags.TAG_NOTIFICATION_METADATA);
+  if (!metadataNode) return null;
+
+  const metadata = decodeNotificationMetadata(metadataNode);
+  if (!metadata) return null;
+
+  // The result structure can be:
+  // 1. A2 (finalResult wrapper) containing either:
+  //    - A0 (successResult) with ICCID
+  //    - A1 (errorResult) with error codes
+  // 2. A1 (errorResult) directly in BF27 (without A2 wrapper)
+  //
+  // Check for A2 first, then look inside it for A0 or A1
+  const finalResult = tlvFind(resultData, Tags.TAG_FINAL_RESULT);
+  if (finalResult) {
+    // Check if A2 contains A1 (error) - this takes precedence
+    const errorInFinal = tlvFind(finalResult, Tags.TAG_ERROR_RESULT);
+    if (errorInFinal) {
+      const subjectNode = tlvFind(errorInFinal, Tags.TAG_SUBJECT_CODE);
+      const reasonNode = tlvFind(errorInFinal, Tags.TAG_REASON_CODE);
+      return {
+        ...metadata,
+        success: false,
+        errorSubjectCode: subjectNode ? decodeUnsignedInteger(subjectNode.value) : undefined,
+        errorReasonCode: reasonNode ? decodeUnsignedInteger(reasonNode.value) : undefined,
+      };
+    }
+    // A2 without A1 inside = success, extract ICCID
+    const iccidNode = tlvFind(finalResult, Tags.TAG_NOTIFICATION_ICCID);
+    const iccid = iccidNode ? decodeIccid(iccidNode.value) : metadata.iccid;
+    return { ...metadata, iccid, success: true };
+  }
+
+  // Check for A1 directly in BF27 (without A2 wrapper)
+  const errorResult = tlvFind(resultData, Tags.TAG_ERROR_RESULT);
+  if (errorResult) {
+    const subjectNode = tlvFind(errorResult, Tags.TAG_SUBJECT_CODE);
+    const reasonNode = tlvFind(errorResult, Tags.TAG_REASON_CODE);
+    return {
+      ...metadata,
+      success: false,
+      errorSubjectCode: subjectNode ? decodeUnsignedInteger(subjectNode.value) : undefined,
+      errorReasonCode: reasonNode ? decodeUnsignedInteger(reasonNode.value) : undefined,
+    };
+  }
+
+  // No result info - assume success (shouldn't happen per spec)
+  return { ...metadata, success: true };
+}
+
+/**
+ * Decode OtherSignedNotification (SEQUENCE tag 30) for enable/disable/delete.
+ * These always represent completed operations (success=true).
+ */
+function decodeOtherSignedNotification(node: TlvNode): Notification | null {
+  // OtherSignedNotification contains tbsOtherNotification which is NotificationMetadata
+  const metadataNode = tlvFind(node, Tags.TAG_NOTIFICATION_METADATA);
+  if (!metadataNode) return null;
+
+  const metadata = decodeNotificationMetadata(metadataNode);
+  if (!metadata) return null;
+
+  // Enable/disable/delete notifications are always for completed operations
+  return { ...metadata, success: true };
+}
+
+/**
+ * Decode ProfileInstallationResult (BF37) from BPP loading response.
+ * Returns success/failure status and ICCID or error codes.
+ */
+export function decodeBppInstallationResult(data: Uint8Array): ProfileInstallationResult {
+  const root = tlvDecode(data);
+  if (root.tag !== Tags.TAG_PROFILE_INSTALLATION_RESULT) {
+    throw new Es10Error(-1, `Unexpected response tag: 0x${root.tag.toString(16)}, expected BF37`);
+  }
+
+  // ProfileInstallationResult contains ProfileInstallationResultData (BF27)
+  const resultData = tlvFind(root, Tags.TAG_PROFILE_INSTALLATION_RESULT_DATA);
+  if (!resultData) {
+    throw new Es10Error(-1, 'ProfileInstallationResultData (BF27) not found');
+  }
+
+  // The result structure can be:
+  // 1. A2 (finalResult wrapper) containing either:
+  //    - A1 (errorResult) with error codes
+  //    - 5A (ICCID) indicating success
+  // 2. A1 (errorResult) directly in BF27
+  //
+  // Check for A2 first, then look inside it for A1 or ICCID
+  const finalResult = tlvFind(resultData, Tags.TAG_FINAL_RESULT);
+  if (finalResult) {
+    // Check if A2 contains A1 (error) - this takes precedence
+    const errorInFinal = tlvFind(finalResult, Tags.TAG_ERROR_RESULT);
+    if (errorInFinal) {
+      const subjectNode = tlvFind(errorInFinal, Tags.TAG_SUBJECT_CODE);
+      const reasonNode = tlvFind(errorInFinal, Tags.TAG_REASON_CODE);
+      return {
+        success: false,
+        errorSubjectCode: subjectNode ? decodeUnsignedInteger(subjectNode.value) : undefined,
+        errorReasonCode: reasonNode ? decodeUnsignedInteger(reasonNode.value) : undefined,
+      };
+    }
+    // A2 without A1 inside = success, extract ICCID
+    const iccidNode = tlvFind(finalResult, Tags.TAG_NOTIFICATION_ICCID);
+    const iccid = iccidNode ? decodeIccid(iccidNode.value) : undefined;
+    return { success: true, iccid };
+  }
+
+  // Check for A1 directly in BF27 (without A2 wrapper)
+  const errorResult = tlvFind(resultData, Tags.TAG_ERROR_RESULT);
+  if (errorResult) {
+    const subjectNode = tlvFind(errorResult, Tags.TAG_SUBJECT_CODE);
+    const reasonNode = tlvFind(errorResult, Tags.TAG_REASON_CODE);
+    return {
+      success: false,
+      errorSubjectCode: subjectNode ? decodeUnsignedInteger(subjectNode.value) : undefined,
+      errorReasonCode: reasonNode ? decodeUnsignedInteger(reasonNode.value) : undefined,
+    };
+  }
+
+  // No explicit result - shouldn't happen per spec
+  return { success: true };
+}
+
+export function encodeRemoveNotificationRequest(seqNumber: number): Uint8Array {
+  const seqTlv = tlvEncode(Tags.TAG_NOTIFICATION_SEQ_NUMBER, encodeUnsignedInteger(seqNumber));
+  return tlvEncode(Tags.TAG_REMOVE_NOTIFICATION_REQUEST, seqTlv);
+}
+
+export function decodeRemoveNotificationResponse(data: Uint8Array): DeleteNotificationStatus {
+  const root = tlvDecode(data);
+  if (root.tag !== Tags.TAG_REMOVE_NOTIFICATION_REQUEST) {
+    throw new Es10Error(-1, `Unexpected response tag: 0x${root.tag.toString(16)}`);
+  }
+  const status = tlvFind(root, Tags.TAG_DELETE_NOTIFICATION_STATUS);
+  if (!status) {
+    throw new Es10Error(-1, 'DeleteNotificationStatus not found in response');
+  }
+  return status.value[0] as DeleteNotificationStatus;
+}
+
+function decodeNotificationEvent(value: Uint8Array): NotificationEvent {
+  // NotificationEvent is a BIT STRING — first byte is number of unused bits, rest is the bitmap
+  if (value.length < 2) return NotificationEvent.Install;
+  return value[1] as NotificationEvent;
+}
+
+function encodeUnsignedInteger(value: number): Uint8Array {
+  if (value < 0x80) return new Uint8Array([value]);
+  if (value < 0x100) return new Uint8Array([0x00, value]);
+  if (value < 0x8000) return new Uint8Array([(value >> 8) & 0xff, value & 0xff]);
+  if (value < 0x10000) return new Uint8Array([0x00, (value >> 8) & 0xff, value & 0xff]);
+  return new Uint8Array([
+    0x00,
+    (value >> 16) & 0xff,
+    (value >> 8) & 0xff,
+    value & 0xff,
+  ]);
+}
+
+function decodeUnsignedInteger(value: Uint8Array): number {
+  let result = 0;
+  for (let i = 0; i < value.length; i++) {
+    result = (result << 8) | value[i];
+  }
+  return result;
+}

package/src/es10/es10b.ts

@@ -0,0 +1,163 @@
+import { Es10Error } from '../errors.js';
+import { tlvEncode, tlvDecode, tlvFind, tlvConcat } from '../tlv.js';
+import type { CancelSessionReason } from '../types.js';
+import * as Tags from './tags.js';
+
+export interface AuthenticateServerParams {
+  serverSigned1: Uint8Array;
+  serverSignature1: Uint8Array;
+  euiccCiPKIdToBeUsed: Uint8Array;
+  serverCertificate: Uint8Array;
+  matchingId?: string;
+}
+
+export interface PrepareDownloadParams {
+  smdpSigned2: Uint8Array;
+  smdpSignature2: Uint8Array;
+  smdpCertificate: Uint8Array;
+  hashCc?: Uint8Array;
+}
+
+export interface AuthenticateServerDecodedResponse {
+  raw: Uint8Array;
+}
+
+export interface PrepareDownloadDecodedResponse {
+  raw: Uint8Array;
+}
+
+export function encodeGetEuiccChallengeRequest(): Uint8Array {
+  return tlvEncode(Tags.TAG_GET_EUICC_CHALLENGE_REQUEST, new Uint8Array(0));
+}
+
+export function decodeGetEuiccChallengeResponse(data: Uint8Array): Uint8Array {
+  const root = tlvDecode(data);
+  if (root.tag !== Tags.TAG_GET_EUICC_CHALLENGE_REQUEST) {
+    throw new Es10Error(-1, `Unexpected response tag: 0x${root.tag.toString(16)}`);
+  }
+  const challenge = tlvFind(root, Tags.TAG_EUICC_CHALLENGE);
+  if (!challenge) {
+    throw new Es10Error(-1, 'EuiccChallenge not found in response');
+  }
+  return challenge.value;
+}
+
+export function encodeGetEuiccInfo1Request(): Uint8Array {
+  return tlvEncode(Tags.TAG_GET_EUICC_INFO1_REQUEST, new Uint8Array(0));
+}
+
+export function encodeAuthenticateServerRequest(params: AuthenticateServerParams): Uint8Array {
+  // Build ctxParams1 with matchingId and deviceInfo
+  const ctxParts: Uint8Array[] = [];
+
+  if (params.matchingId) {
+    ctxParts.push(tlvEncode(Tags.TAG_MATCHING_ID, new TextEncoder().encode(params.matchingId)));
+  }
+
+  // DeviceInfo with dummy TAC 0x88888888 and empty deviceCapabilities
+  // Per SGP.22, DeviceInfo ::= SEQUENCE { tac [0], deviceCapabilities [1] }
+  // Both fields are MANDATORY. deviceCapabilities can be empty but must be present.
+  const tac = tlvEncode(0x80, new Uint8Array([0x88, 0x88, 0x88, 0x88])); // [0] tac
+  const deviceCapabilities = tlvEncode(0xa1, new Uint8Array(0)); // [1] deviceCapabilities (empty SEQUENCE)
+  const deviceInfo = tlvEncode(Tags.TAG_DEVICE_INFO, tlvConcat(tac, deviceCapabilities));
+  ctxParts.push(deviceInfo);
+
+  const ctxParams1 = tlvEncode(Tags.TAG_CTX_PARAMS1, tlvConcat(...ctxParts));
+
+  // The request wraps: serverSigned1, serverSignature1, euiccCiPKIdToBeUsed, serverCertificate, ctxParams1
+  // serverSigned1, serverSignature1, euiccCiPKIdToBeUsed, serverCertificate are raw DER passed through
+  const content = tlvConcat(
+    params.serverSigned1,
+    params.serverSignature1,
+    params.euiccCiPKIdToBeUsed,
+    params.serverCertificate,
+    ctxParams1,
+  );
+
+  return tlvEncode(Tags.TAG_AUTHENTICATE_SERVER_REQUEST, content);
+}
+
+export function decodeAuthenticateServerResponse(data: Uint8Array): AuthenticateServerDecodedResponse {
+  const root = tlvDecode(data);
+  if (root.tag !== Tags.TAG_AUTHENTICATE_SERVER_REQUEST) {
+    throw new Es10Error(-1, `Unexpected response tag: 0x${root.tag.toString(16)}`);
+  }
+
+  // Check for error (A1 tag)
+  const errorNode = tlvFind(root, Tags.TAG_AUTH_SERVER_RESPONSE_ERROR);
+  if (errorNode) {
+    throw new Es10Error(-1, 'AuthenticateServer failed on eUICC');
+  }
+
+  // Success (A0 tag) — preserve raw bytes for passthrough to SM-DP+
+  const okNode = tlvFind(root, Tags.TAG_AUTH_SERVER_RESPONSE_OK);
+  if (!okNode) {
+    throw new Es10Error(-1, 'Unexpected AuthenticateServer response format');
+  }
+
+  return { raw: root.raw ?? data };
+}
+
+export function encodePrepareDownloadRequest(params: PrepareDownloadParams): Uint8Array {
+  // Field order per SGP.22: smdpSigned2 → smdpSignature2 → hashCc (optional) → smdpCertificate
+  const parts: Uint8Array[] = [
+    params.smdpSigned2,
+    params.smdpSignature2,
+  ];
+
+  if (params.hashCc) {
+    parts.push(tlvEncode(Tags.TAG_HASH_CC, params.hashCc));
+  }
+
+  parts.push(params.smdpCertificate);
+
+  return tlvEncode(Tags.TAG_PREPARE_DOWNLOAD_REQUEST, tlvConcat(...parts));
+}
+
+export function decodePrepareDownloadResponse(data: Uint8Array): PrepareDownloadDecodedResponse {
+  const root = tlvDecode(data);
+  if (root.tag !== Tags.TAG_PREPARE_DOWNLOAD_REQUEST) {
+    throw new Es10Error(-1, `Unexpected response tag: 0x${root.tag.toString(16)}`);
+  }
+
+  const errorNode = tlvFind(root, Tags.TAG_PREPARE_DOWNLOAD_RESPONSE_ERROR);
+  if (errorNode) {
+    throw new Es10Error(-1, 'PrepareDownload failed on eUICC');
+  }
+
+  const okNode = tlvFind(root, Tags.TAG_PREPARE_DOWNLOAD_RESPONSE_OK);
+  if (!okNode) {
+    throw new Es10Error(-1, 'Unexpected PrepareDownload response format');
+  }
+
+  return { raw: root.raw ?? data };
+}
+
+/**
+ * Hash a confirmation code per SGP.22 Section 3.1.3:
+ * hashCc = SHA-256(SHA-256(confirmationCodeUtf8) || transactionIdHexBytes)
+ */
+export async function hashConfirmationCode(code: string, transactionId: string): Promise<Uint8Array> {
+  const codeBytes = new TextEncoder().encode(code);
+  const firstHash = new Uint8Array(await crypto.subtle.digest('SHA-256', codeBytes.buffer));
+
+  // transactionId is a hex string — decode to bytes
+  const txIdBytes = hexToBytes(transactionId);
+
+  const combined = tlvConcat(firstHash, txIdBytes);
+  return new Uint8Array(await crypto.subtle.digest('SHA-256', combined.buffer as ArrayBuffer));
+}
+
+export function encodeCancelSessionRequest(transactionId: Uint8Array, reason: CancelSessionReason): Uint8Array {
+  const txIdTlv = tlvEncode(Tags.TAG_CANCEL_SESSION_TRANSACTION_ID, transactionId);
+  const reasonTlv = tlvEncode(Tags.TAG_CANCEL_SESSION_REASON, new Uint8Array([reason]));
+  return tlvEncode(Tags.TAG_CANCEL_SESSION_REQUEST, tlvConcat(txIdTlv, reasonTlv));
+}
+
+function hexToBytes(hex: string): Uint8Array {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16);
+  }
+  return bytes;
+}

package/src/es10/es10c.ts

@@ -0,0 +1,168 @@
+import { Es10Error } from '../errors.js';
+import { tlvEncode, tlvDecode, tlvFind, tlvFindAll, tlvConcat } from '../tlv.js';
+import { decodeIccid, encodeIccid } from './iccid.js';
+import {
+  type Profile,
+  ProfileState,
+  ProfileClass,
+  type EnableProfileResult,
+  type DisableProfileResult,
+  type DeleteProfileResult,
+} from '../types.js';
+import * as Tags from './tags.js';
+
+export function encodeGetEidRequest(): Uint8Array {
+  // GetEuiccDataRequest (BF3E) with tag list requesting EID (5A)
+  const tagList = tlvEncode(Tags.TAG_TAG_LIST, new Uint8Array([Tags.TAG_EID]));
+  return tlvEncode(Tags.TAG_GET_EID_REQUEST, tagList);
+}
+
+export function decodeGetEidResponse(data: Uint8Array): string {
+  const root = tlvDecode(data);
+  if (root.tag !== Tags.TAG_GET_EID_REQUEST) {
+    throw new Es10Error(-1, `Unexpected response tag: 0x${root.tag.toString(16)}`);
+  }
+  const eid = tlvFind(root, Tags.TAG_EID);
+  if (!eid) {
+    throw new Es10Error(-1, 'EID not found in response');
+  }
+  // EID is hex-encoded bytes
+  return Array.from(eid.value)
+    .map((b) => b.toString(16).padStart(2, '0').toUpperCase())
+    .join('');
+}
+
+export function encodeGetProfilesInfoRequest(): Uint8Array {
+  // GetProfilesInfo (BF2D) with tag list for the fields we want
+  const tagListValue = tlvConcat(
+    new Uint8Array([Tags.TAG_ICCID]),
+    new Uint8Array([Tags.TAG_ISDP_AID]),
+    encodeTagBytes(Tags.TAG_PROFILE_STATE),
+    new Uint8Array([Tags.TAG_PROFILE_NICKNAME]),
+    new Uint8Array([Tags.TAG_SERVICE_PROVIDER_NAME]),
+    new Uint8Array([Tags.TAG_PROFILE_NAME]),
+    new Uint8Array([Tags.TAG_PROFILE_CLASS]),
+  );
+  const tagList = tlvEncode(Tags.TAG_TAG_LIST, tagListValue);
+  return tlvEncode(Tags.TAG_PROFILE_INFO_LIST_REQUEST, tagList);
+}
+
+/** Encode a multi-byte tag as raw bytes for inclusion in a tag list */
+function encodeTagBytes(tag: number): Uint8Array {
+  if (tag <= 0xff) return new Uint8Array([tag]);
+  if (tag <= 0xffff) return new Uint8Array([(tag >> 8) & 0xff, tag & 0xff]);
+  return new Uint8Array([(tag >> 16) & 0xff, (tag >> 8) & 0xff, tag & 0xff]);
+}
+
+export function decodeGetProfilesInfoResponse(data: Uint8Array): Profile[] {
+  const root = tlvDecode(data);
+  if (root.tag !== Tags.TAG_PROFILE_INFO_LIST_REQUEST) {
+    throw new Es10Error(-1, `Unexpected response tag: 0x${root.tag.toString(16)}`);
+  }
+
+  // ProfileInfoListResponse is a CHOICE:
+  // - profileInfoListOk: SEQUENCE containing [0] profileInfoList (A0 with E3 entries)
+  // - profileInfoListError: INTEGER (tag 02) with error code
+
+  // Check for error response
+  const errorNode = tlvFind(root, 0x02);
+  if (errorNode) {
+    const errorCode = errorNode.value[0] ?? 127;
+    throw new Es10Error(errorCode, `GetProfilesInfo failed: error=${errorCode}`);
+  }
+
+  // Look for A0 wrapper (profileInfoList) first, then search directly
+  // Some eUICCs may return profiles directly in BF2D without A0 wrapper
+  const profileListNode = tlvFind(root, 0xa0);
+  const searchNode = profileListNode ?? root;
+
+  const profiles: Profile[] = [];
+  const profileNodes = tlvFindAll(searchNode, Tags.TAG_PROFILE_INFO);
+  for (const node of profileNodes) {
+    const profile = decodeProfileInfo(node);
+    if (profile) profiles.push(profile);
+  }
+  return profiles;
+}
+
+function decodeProfileInfo(node: TlvNode): Profile | null {
+  const iccidNode = tlvFind(node, Tags.TAG_ICCID);
+  if (!iccidNode) return null;
+
+  const iccid = decodeIccid(iccidNode.value);
+
+  const aidNode = tlvFind(node, Tags.TAG_ISDP_AID);
+  const stateNode = tlvFind(node, Tags.TAG_PROFILE_STATE);
+  const nicknameNode = tlvFind(node, Tags.TAG_PROFILE_NICKNAME);
+  const spNameNode = tlvFind(node, Tags.TAG_SERVICE_PROVIDER_NAME);
+  const profileNameNode = tlvFind(node, Tags.TAG_PROFILE_NAME);
+  const classNode = tlvFind(node, Tags.TAG_PROFILE_CLASS);
+
+  return {
+    iccid,
+    isdpAid: aidNode ? toHex(aidNode.value) : undefined,
+    state: stateNode ? (stateNode.value[0] as ProfileState) : ProfileState.Disabled,
+    nickname: nicknameNode ? textDecode(nicknameNode.value) : undefined,
+    serviceProviderName: spNameNode ? textDecode(spNameNode.value) : undefined,
+    profileName: profileNameNode ? textDecode(profileNameNode.value) : undefined,
+    profileClass: classNode ? (classNode.value[0] as ProfileClass) : undefined,
+  };
+}
+
+export function encodeEnableProfileRequest(iccid: string, refreshFlag = false): Uint8Array {
+  const iccidTlv = tlvEncode(Tags.TAG_ICCID, encodeIccid(iccid));
+  const identifier = tlvEncode(Tags.TAG_PROFILE_IDENTIFIER, iccidTlv);
+  const refresh = tlvEncode(Tags.TAG_REFRESH_FLAG, new Uint8Array([refreshFlag ? 0x01 : 0x00]));
+  return tlvEncode(Tags.TAG_ENABLE_PROFILE_REQUEST, tlvConcat(identifier, refresh));
+}
+
+export function decodeEnableProfileResponse(data: Uint8Array): EnableProfileResult {
+  return decodeResultResponse(data, Tags.TAG_ENABLE_PROFILE_REQUEST) as EnableProfileResult;
+}
+
+export function encodeDisableProfileRequest(iccid: string, refreshFlag = false): Uint8Array {
+  const iccidTlv = tlvEncode(Tags.TAG_ICCID, encodeIccid(iccid));
+  const identifier = tlvEncode(Tags.TAG_PROFILE_IDENTIFIER, iccidTlv);
+  const refresh = tlvEncode(Tags.TAG_REFRESH_FLAG, new Uint8Array([refreshFlag ? 0x01 : 0x00]));
+  return tlvEncode(Tags.TAG_DISABLE_PROFILE_REQUEST, tlvConcat(identifier, refresh));
+}
+
+export function decodeDisableProfileResponse(data: Uint8Array): DisableProfileResult {
+  return decodeResultResponse(data, Tags.TAG_DISABLE_PROFILE_REQUEST) as DisableProfileResult;
+}
+
+export function encodeDeleteProfileRequest(iccid: string): Uint8Array {
+  // Note: DeleteProfile does NOT use the A0 wrapper (unlike Enable/Disable)
+  // Per SGP.22, ICCID (5A) goes directly inside BF33
+  const iccidTlv = tlvEncode(Tags.TAG_ICCID, encodeIccid(iccid));
+  return tlvEncode(Tags.TAG_DELETE_PROFILE_REQUEST, iccidTlv);
+}
+
+export function decodeDeleteProfileResponse(data: Uint8Array): DeleteProfileResult {
+  return decodeResultResponse(data, Tags.TAG_DELETE_PROFILE_REQUEST) as DeleteProfileResult;
+}
+
+function decodeResultResponse(data: Uint8Array, expectedTag: number): number {
+  const root = tlvDecode(data);
+  if (root.tag !== expectedTag) {
+    throw new Es10Error(-1, `Unexpected response tag: 0x${root.tag.toString(16)}`);
+  }
+  const result = tlvFind(root, Tags.TAG_RESULT);
+  if (!result) {
+    throw new Es10Error(-1, 'Result code not found in response');
+  }
+  return result.value[0];
+}
+
+function toHex(bytes: Uint8Array): string {
+  return Array.from(bytes)
+    .map((b) => b.toString(16).padStart(2, '0').toUpperCase())
+    .join('');
+}
+
+function textDecode(bytes: Uint8Array): string {
+  return new TextDecoder('utf-8').decode(bytes);
+}
+
+// Re-export for use by tlvFind in other modules
+import type { TlvNode } from '../tlv.js';

package/src/es10/iccid.ts

@@ -0,0 +1,32 @@
+/**
+ * BCD nibble-swapped encoding/decoding for SIM ICCIDs.
+ *
+ * ICCID is stored as BCD with each pair of digits having their nibbles swapped.
+ * "89" becomes byte 0x98, "01" becomes byte 0x10, etc.
+ */
+
+export function encodeIccid(iccid: string): Uint8Array {
+  // Pad to even length with 'F' if needed
+  const padded = iccid.length % 2 === 1 ? iccid + 'F' : iccid;
+  const bytes = new Uint8Array(padded.length / 2);
+  for (let i = 0; i < padded.length; i += 2) {
+    const hi = parseInt(padded[i], 16);
+    const lo = parseInt(padded[i + 1], 16);
+    // Swap nibbles: first digit goes in low nibble, second in high
+    bytes[i / 2] = (lo << 4) | hi;
+  }
+  return bytes;
+}
+
+export function decodeIccid(bytes: Uint8Array): string {
+  let result = '';
+  for (let i = 0; i < bytes.length; i++) {
+    const lo = bytes[i] & 0x0f;
+    const hi = (bytes[i] >> 4) & 0x0f;
+    result += lo.toString(16).toUpperCase();
+    if (hi !== 0x0f) {
+      result += hi.toString(16).toUpperCase();
+    }
+  }
+  return result;
+}