Newer
Older
/**
* @author ETSI / STF545
* @version $URL$
* $Id$
* @desc Testcases file for Security Protocol
* @reference ETSI TS ITS-00546v006
* @copyright ETSI Copyright Notification
* No part may be reproduced except as authorized by written permission.
* The copyright and the foregoing restriction extend to reproduction in all media.
* All rights reserved.
*/
module ItsPki_TestCases {
// Libcommon
import from LibCommon_Time all;
import from LibCommon_VerdictControl all;
import from LibCommon_Sync all;
import from LibCommon_BasicTypesAndValues all;
// LibIts
import from IEEE1609dot2BaseTypes language "ASN.1:1997" all;
import from IEEE1609dot2 language "ASN.1:1997" all;
import from EtsiTs102941BaseTypes language "ASN.1:1997" all;
import from EtsiTs102941TypesEnrolment language "ASN.1:1997" all;
import from EtsiTs102941TypesAuthorization language "ASN.1:1997" all;
import from EtsiTs102941TypesAuthorizationValidation language "ASN.1:1997" all;
import from EtsiTs102941MessagesCa language "ASN.1:1997" all;
import from EtsiTs103097Module language "ASN.1:1997" all;
import from ITS_Container language "ASN.1:1997" all;
import from CAM_PDU_Descriptions language "ASN.1:1997" all;
import from LibItsGeoNetworking_TypesAndValues all;
import from LibItsGeoNetworking_Functions all;
import from LibItsGeoNetworking_Templates all;
import from LibItsGeoNetworking_Pics all;
import from LibItsGeoNetworking_TestSystem all;
// LibItsSecurity
import from LibItsSecurity_TypesAndValues all;
import from LibItsSecurity_TestSystem all;
import from LibItsSecurity_Templates all;
import from LibItsSecurity_Functions all;
import from LibItsSecurity_Pixits all;
import from LibItsSecurity_Pics all;
// LibItsHttp
import from LibItsHttp_TypesAndValues all;
import from LibItsHttp_Templates all;
import from LibItsHttp_BinaryTemplates all;
import from LibItsHttp_Functions all;
// AtsPki
import from ItsPki_Functions all;
/**
* @desc 5.2 ITS-S behaviour
*/
group itss_behavior {
group itss_manufacturing {
/**
* @desc Check that IUT sends an enrolment request when triggered.
* <pre>
* Pics Selection:
* Initial conditions:
* with {
* the IUT being in the "initial state"
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is triggered to requested a new Enrolment Certificate (EC)
* }
* then {
* the IUT sends to EA an EnrolmentRequestMessage
* }
* }
* </pre>
*
* @see ETSI TS ITS-00546v006 TP 2
* @reference ETSI TS 102 941 [2], clause 6.1.3
*/
testcase TC_SEC_PKI_ITSS_ENR_BV_01() runs on ItsMtc /*system ItsPkiItssSystem*/ {
var Oct32 v_private_key;
var Oct32 v_publicKeyX;
var Oct32 v_publicKeyY;
var Oct32 v_publicKeyCompressed;
var integer v_compressedMode;
// Test control
if (not PICS_IUT_ITS_S_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
if (f_generate_key_pair_nistp256(v_private_key, v_publicKeyX, v_publicKeyY, v_publicKeyCompressed, v_compressedMode) == false) {
log("*** " & testcasename() & ": FAIL: Failed to setup InnerEcRequest message ***")
setverdict(inconc);
stop;
}
v_itss.start(f_TC_SEC_PKI_ITSS_ENR_BV_01_itss(cc_taCert_A, v_private_key, v_publicKeyCompressed, v_compressedMode));
v_ea.start(f_TC_SEC_PKI_ITSS_ENR_BV_01_pki(cc_taCert_A, v_private_key, v_publicKeyCompressed, v_compressedMode));
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone, c_poDone});
} // End of testcase TC_SEC_PKI_ITSS_ENR_BV_01
function f_TC_SEC_PKI_ITSS_ENR_BV_01_itss(
in charstring p_certificate_id,
in octetstring p_private_key,
in octetstring p_publicKeyCompressed,
in integer p_compressedMode
) runs on ItsPkiItss /*system ItsPkiItssSystem*/ {
f_sendUtTriggerPrimitive(PICS_ITS_S_CANONICAL_ID, '00'O, p_private_key, p_publicKeyCompressed, p_compressedMode);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} // End of function f_TC_SEC_PKI_ITSS_ENR_BV_01_itss
function f_TC_SEC_PKI_ITSS_ENR_BV_01_pki(
in charstring p_certificate_id,
in octetstring p_private_key,
in octetstring p_publicKeyCompressed,
in integer p_compressedMode
) runs on ItsPki /*system ItsPkiSystem*/ {
// Local variables
// Test component configuration
LibItsPki_Functions.f_cfUp();
// Test adapter configuration
// Preamble
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
[PICS_SEC_NIST_P256 and p_compressedMode == 0] pkiPort.receive(
mw_innerEcRequest(
PICS_ITS_S_CANONICAL_ID,
mw_publicKeys(
mw_publicVerificationKey_ecdsaNistP256(
mw_eccP256CurvePoint_compressed_y_0(
p_publicKeyCompressed
)
),
omit
)
)
) {
log("*** " & testcasename() & ": INFO: InnerEcRequest received ***");
// TODO Send InnerEcResponse;
log("*** " & testcasename() & ": PASS: Message triggered ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
[PICS_SEC_NIST_P256 and p_compressedMode == 1] pkiPort.receive(
mw_innerEcRequest(
PICS_ITS_S_CANONICAL_ID,
mw_publicKeys(
mw_publicVerificationKey_ecdsaNistP256(
mw_eccP256CurvePoint_compressed_y_1(
p_publicKeyCompressed
)
),
omit
)
)
) {
log("*** " & testcasename() & ": INFO: InnerEcRequest received ***");
// TODO Send InnerEcResponse;
log("*** " & testcasename() & ": PASS: Message triggered ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_prDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
LibItsPki_Functions.f_cfDown();
} // End of function f_TC_SEC_PKI_ITSS_ENR_BV_01_pki
} // End of group f_TC_SEC_PKI_ITSS_ENR_BV_01
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
/**
* @desc If the enrolment request of the IUT is an initial enrolment request, the itsId
* (contained in the InnerECRequest) shall be set to the canonical identifier, the
* signer (contained in the outer EtsiTs1030971Data-Signed) shall be set to self and
* the outer signature shall be computed using the canonical private key.
* <pre>
* Pics Selection:
* Expected behaviour:
* ensure that {
* when {
* the IUT is requested to send an EnrolmentRequestMessage
* }
* then {
* the IUT sends an EtsiTs103097Data-Encrypted
* containing an encrypted EtsiTs103097Data-Signed
* containing EtsiTs103097Data
* containing InnerECRequestSignedForPOP
* containing InnerEcRequest
* containing itsId
* indicating the canonical identifier of the ITS-S
* and containing signer
* declared as self
* and containing signature
* computed using the canonical private key
* }
* }
* </pre>
*
* @see ETSI TS ITS-00546v006 TP 3
* @reference ETSI TS 102 941, clause 6.1.3
*/
testcase TC_SEC_PKI_ITSS_ENR_BV_02() runs on ItsMtc /*system ItsPkiItssSystem*/ {
// Local variables
var Oct32 v_private_key;
var Oct32 v_publicKeyX;
var Oct32 v_publicKeyY;
var Oct32 v_publicKeyCompressed;
var integer v_compressedMode;
var ItsPkiItss v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_ITS_S_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
if (f_generate_key_pair_nistp256(v_private_key, v_publicKeyX, v_publicKeyY, v_publicKeyCompressed, v_compressedMode) == false) {
log("*** " & testcasename() & ": FAIL: Failed to setup InnerEcRequest message ***")
setverdict(inconc);
stop;
}
v_itss.start(f_TC_SEC_PKI_ITSS_ENR_BV_02_itss(cc_taCert_A, v_private_key, v_publicKeyCompressed, v_compressedMode));
v_ea.start(f_TC_SEC_PKI_ITSS_ENR_BV_02_pki(cc_taCert_A, v_private_key, v_publicKeyCompressed, v_compressedMode));
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone, c_poDone});
// Cleanup
} // End of TC_SEC_PKI_ITSS_ENR_BV_02
group f_TC_SEC_PKI_ITSS_ENR_BV_02 {
function f_TC_SEC_PKI_ITSS_ENR_BV_02_itss(
in charstring p_certificate_id,
in octetstring p_private_key,
in octetstring p_publicKeyCompressed,
in integer p_compressedMode
) runs on ItsPkiItss /*system ItsPkiItssSystem*/ {
// Local variables
// Test component configuration
f_cfUp_itss();
// Test adapter configuration
// Preamble
f_sendUtTriggerPrimitive(PICS_ITS_S_CANONICAL_ID, '00'O, p_private_key, p_publicKeyCompressed, p_compressedMode);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
// Postamble
f_cfDown_itss();
} // End of function f_TC_SEC_PKI_ITSS_ENR_BV_02_itss
function f_TC_SEC_PKI_ITSS_ENR_BV_02_pki(
in charstring p_certificate_id,
in octetstring p_private_key,
in octetstring p_publicKeyCompressed,
in integer p_compressedMode
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
// Local variable
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var InnerEcRequest v_inner_ec_request;
// Test component configuration
f_cfHttpUp();
// Test adapter configuration
// Preamble
f_selfOrClientSyncAndVerdictTestBody(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] httpPort.receive(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentRequestMessage(
mw_encryptedData(
-,
mw_SymmetricCiphertext_aes128ccm
))))))) -> value v_response {
tc_ac.stop;
/*if (f_verify_pki_message(vc_eaPrivateEncKey, int2oct(0, 32), vc_eaCertificate, v_response.response.body.binary_body.ieee1609dot2_data, false, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***");
log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentRequest(mw_innerEcRequestSignedForPop(mw_signedData))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_enrolmentRequest(mw_innerEcRequestSignedForPop(mw_signedData)))) {
// TODO Verify signature of mw_innerEcRequestSignedForPop
log("*** " & testcasename() & ": PASS: InnerEcRequestSignedForPop received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of function f_TC_SEC_PKI_ITSS_ENR_BV_02_pki
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
} // End of f_TC_SEC_PKI_ITSS_ENR_BV_02
/**
* @desc Check that IUT sends an enrolment request when triggered.
* <pre>
* Pics Selection:
* Initial conditions:
* with {
* the IUT being in the "initial state"
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is triggered to requested a new Enrolment Certificate (EC)
* }
* then {
* the IUT sends to EA an EnrolmentRequestMessage
* }
* }
* </pre>
*
* @see ETSI TS ITS-00546v006 TP 2
* @reference ETSI TS 102 941 [2], clause 6.1.3
*/
testcase TEST() runs on ItsMtc /*system ItsPkiItssSystem*/ {
// Local variables
var Oct32 v_private_key;
var Oct32 v_publicKeyX;
var Oct32 v_publicKeyY;
var Oct32 v_publicKeyCompressed;
var integer v_compressedMode;
var ItsPkiItss v_itss;
var ItsPki v_ea;
// Test control
if (not PICS_IUT_ITS_S_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
if (f_generate_key_pair_nistp256(v_private_key, v_publicKeyX, v_publicKeyY, v_publicKeyCompressed, v_compressedMode) == false) {
log("*** " & testcasename() & ": FAIL: Failed to setup InnerEcRequest message ***")
setverdict(inconc);
stop;
}
v_itss.start(f_TEST_itss(cc_taCert_A, v_private_key, v_publicKeyX, v_publicKeyY, v_publicKeyCompressed, v_compressedMode));
v_ea.start(f_TEST_pki(cc_taCert_A, v_private_key, v_publicKeyX, v_publicKeyY, v_publicKeyCompressed, v_compressedMode));
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone, c_poDone});
// Cleanup
} // End of testcase TEST
group f_TEST {
function f_TEST_itss(
in charstring p_certificate_id,
in octetstring p_private_key,
in octetstring p_publicKeyX,
in octetstring p_publicKeyY,
in octetstring p_publicKeyCompressed,
in integer p_compressedMode
) runs on ItsPkiItss /*system ItsPkiItssSystem*/ {
// Local variables
var GeoNetworkingInd v_geoNwInd;
var EtsiTs103097Certificate v_initial_certificate;
// Test component configuration
f_cfUp_itss();
// Test adapter configuration
// Preamble
tc_ac.start; // Wait for current certificate
alt {
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mw_etsiTs103097Data_signed(
mw_signedData(
-,
mw_toBeSignedData(
mw_signedDataPayload,
mw_headerInfo_cam
),
mw_signerIdentifier_certificate(
mw_etsiTs103097Certificate(
-,
mw_toBeSignedCertificate_at(
{ mw_appPermissions(c_its_aid_CAM) }
)
)
)
)
),
mw_geoNwShbPacket
))) -> value v_geoNwInd {
tc_ac.stop;
log("*** " & testcasename() & ": INFO: Receieve initial certificate");
// Extract the initial certificate
v_initial_certificate := v_geoNwInd.msgIn.gnPacket.securedMsg.content.signedData.signer.certificate[0];
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mw_etsiTs103097Data_signed
))) {
log("*** " & testcasename() & ": DEBUG: Still waiting for certificate");
repeat;
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected CA message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_prDone, e_timeout);
}
} // End of 'alt' statement
// Test Body
tc_ac.start;
alt {
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mw_etsiTs103097Data_signed(
mw_signedData(
-,
mw_toBeSignedData(
mw_signedDataPayload,
mw_headerInfo_cam
),
mw_signerIdentifier_certificate(
v_initial_certificate
)
)
),
mw_geoNwShbPacket
))) {
log("*** " & testcasename() & ": INFO: IUT still using initial certificate ***");
repeat;
}
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mw_etsiTs103097Data_signed(
mw_signedData(
-,
mw_toBeSignedData(
mw_signedDataPayload,
mw_headerInfo_gn
),
mw_signerIdentifier_certificate
)
)
))) -> value v_geoNwInd {
tc_ac.stop;
log("*** " & testcasename() & ": PASS: IUT uses new certificate ***");
// TODO Check that is the expected one
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mw_etsiTs103097Data_signed
))) {
log("*** " & testcasename() & ": INFO: Unexpected message received, continue ***");
repeat;
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfDown_itss();
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
function f_TEST_pki(
in charstring p_certificate_id,
in octetstring p_private_key,
in octetstring p_publicKeyX,
in octetstring p_publicKeyY,
in octetstring p_publicKeyCompressed,
in integer p_compressedMode
) runs on ItsPki /*system ItsPkiSystem*/ {
// Local variables
// Test component configuration
LibItsPki_Functions.f_cfUp();
// Test adapter configuration
// Preamble
tc_ac.start;
alt {
[] pkiPort.receive(
mw_innerEcRequest
) {
log("*** " & testcasename() & ": INFO: InnerEcRequest received ***");
repeat;
}
[] pkiPort.receive(
mw_innerEcResponse_ok
) {
tc_ac.stop;
log("*** " & testcasename() & ": INFO: InnerEcResponse received ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_prDone, e_timeout);
}
} // End of 'alt' statement
// Test Body
log("*** " & testcasename() & ": PASS: Message triggered ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
// Postamble
LibItsPki_Functions.f_cfDown();
} // End of group itss_manufacturing
} // End of group itss_behavior
/**
* @desc The EnrolmentResponse message shall be sent by the EA to the
* ITS-S across the interface at reference point S3 in response
* to a received EnrolmentRequest message.
* <pre>
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
* Initial conditions:
* with {
* the IUT being in the "operational state"
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EnrolmentRequestMessage across the interface at the reference point S3
* }
* then {
* the IUT answers with an EnrolmentResponseMessage across the interface at reference point S3
* }
* }
* </pre>
*
* @see ETSI TS ITS-00546v006 TP 20
* @reference ETSI TS 102 941, clause 6.2.3.2.2
*/
testcase TC_SEC_PKI_SND_EA_BV_01() runs on ItsPki system ItsPkiSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_publicKeyCompressed;
var integer v_compressedMode;
var InnerEcRequest v_inner_ec_request;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
LibItsPki_Functions.f_cfUp(PICS_TS_CERTIFICATE_ID, PICS_IUT_EA_CERTIFICATE_ID);
if (f_generate_inner_ec_request(v_private_key, v_publicKeyCompressed, v_compressedMode, v_inner_ec_request) == false) {
log("*** " & testcasename() & ": FAIL: Failed to setup InnerEcRequest message ***")
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_error);
stop;
f_sendAcPkiPrimitive(PICS_TS_CERTIFICATE_ID, v_private_key, v_publicKeyCompressed, v_compressedMode);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
pkiPort.send(v_inner_ec_request);
tc_ac.start;
alt {
[] pkiPort.receive(
mw_innerEcResponse_ok
) {
tc_ac.stop;
log("*** " & testcasename() & ": PASS: InnerEcResponse received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
LibItsPki_Functions.f_cfDown();
} // End of testcase TC_SEC_PKI_SND_EA_BV_01
} // End of group enrolment_request_handling
group enrolment_response {
/**
* @desc The EnrolmentResponse message shall be encrypted using an ETSI TS 103 097 approved
* algorithm and the encryption shall be done with the same AES key as the one used
* by the ITS-S requestor for the encryption of the EnrolmentRequest message
* <pre>
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EnrolmentRequestMessage
* containing encKey
* containing an encrypted AES key (SYMKEY)
* }
* then {
* the IUT answers with an EnrolmentResponseMessage
* containing cipherTex
* being encrypted
* using SYMKEY
* and using an ETSI TS 103 097 approved algorithm
* }
* }
* </pre>
*
* @see ETSI TS ITS-00546v006 TP 22
* @reference ETSI TS 102 941, clause 6.2.3.2.2
*/
testcase TC_SEC_PKI_SND_EA_BV_02() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_publicKeyCompressed;
var integer v_compressedMode;
var Oct32 v_hash_inner_ec_request_signed_for_pop;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var HeaderLines v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Default value: CERT_TS_A_EA, CERT_TS_A_EC, CERT_IUT_A_EA
f_http_build_inner_ec_request(v_private_key, v_publicKeyCompressed, v_compressedMode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_hash_inner_ec_request_signed_for_pop);
f_init_default_headers_list(v_headers);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
m_http_request_post(
PICS_HTTP_GET_URI,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] httpPort.receive(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_SymmetricCiphertext_aes128ccm
))))))) -> value v_response {
tc_ac.stop;
if (f_verify_pki_message(v_private_key/*, v_publicKeyCompressed, v_compressedMode*/, v_aes_sym_key, v_authentication_vector/*, v_nonce, v_salt*/, vc_eaWholeHash, vc_eaCertificate/*vc_peerEaCertificate*/, v_response.response.body.binary_body.ieee1609dot2_data, false, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***");
log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_hash_inner_ec_request_signed_for_pop, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_hash_inner_ec_request_signed_for_pop, 0, 16))))) {
log("*** " & testcasename() & ": PASS: InnerEcResponse received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
[] httpPort.receive(
mw_http_response(
mw_http_response_ko
)) {
tc_ac.stop;
log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
/**
* @desc The outermost structure is an EtsiTs103097Data-Encrypted structure containing
* the component recipients containing one instance of RecipientInfo of choice
* pskRecipInfo, which contains the HashedId8 of the symmetric key used by the
* ITS-S to encrypt the EnrolmentRequest message to which the response is built
* and containing the component ciphertext, once decrypted, contains an
* EtsiTs103097Data-Signed structure
* <pre>
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EnrolmentRequestMessage
* }
* then {
* the IUT sends an EtsiTs103097Data-Encrypted structure
* containing recipients
* containing one instance of RecipientInfo of choice pskRecipInfo
* containing the HashedId8 of the symmetric key used to encrypt the EnrolmentRequestMessage
* and containing cipherText
* being an encrypted EtsiTs103097Data-Signed structure
* }
* }
* </pre>
*
* @see ETSI TS ITS-00546v006 TP 24
* @reference ETSI TS 102 941, clause 6.2.3.2.2
*/
testcase TC_SEC_PKI_SND_EA_BV_03() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_publicKeyCompressed;
var integer v_compressedMode;
var Oct32 v_hash_inner_ec_request_signed_for_pop;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Oct16 v_aes_sym_key;
var Oct16 v_encrypted_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var HeaderLines v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Default value: CERT_TS_A_EA
f_http_build_inner_ec_request(v_private_key, v_publicKeyCompressed, v_compressedMode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_hash_inner_ec_request_signed_for_pop);
f_init_default_headers_list(v_headers);
httpPort.send(
m_http_request(
m_http_request_post(
PICS_HTTP_GET_URI,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] httpPort.receive(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_SymmetricCiphertext_aes128ccm
))))))) -> value v_response {
tc_ac.stop;
/*if (f_verify_pki_message(vc_eaPrivateEncKey, vc_eaPeerWholeHash, vc_peerEaCertificate, v_response.response.body.binary_body.ieee1609dot2_data, false, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***");
log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_hash_inner_ec_request_signed_for_pop, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_hash_inner_ec_request_signed_for_pop, 0, 16))))) {
log("*** " & testcasename() & ": PASS: InnerEcResponse received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SEC_PKI_SND_EA_BV_03
/**
* @desc If the ITS-S has been able to decrypt the content, this expected EtsiTs103097Data-Signed structure shall
* contain hashId, tbsData, signer and signature. The hashId shall indicate the hash algorithm to be used as
* specified in ETSI TS 103 097, the signer shall be declared as a digest, containing the HashedId8 of the
* EA certificate and the signature over tbsData shall be computed using the EA private key corresponding to
* its publicVerificationKey found in the referenced EA certificate.
* <pre>
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EnrolmentRequestMessage
* }
* then {
* the IUT sends an EtsiTs103097Data-Encrypted structure
* containing an encrypted EtsiTs103097Data-Signed structure
* containing hashId
* indicating the hash algorithm to be used as specified in ETSI TS 103 097
* and containing tbsData
* and containing signer
* declared as a digest
* containing the HashedId8 of the EA certificate
* and containing signature
* computed over tbsData
* using the EA private key
* corresponding to the publicVerificationKey found in the referenced EA certificate
* }
* }
* </pre>
*
* @see ETSI TS ITS-00546v006 TP 25
* @reference ETSI TS 102 941, clause 6.2.3.2.2
*/
testcase TC_SEC_PKI_SND_EA_BV_04() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_publicKeyCompressed;
var integer v_compressedMode;
var Oct32 v_hash_inner_ec_request_signed_for_pop;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Oct16 v_aes_sym_key;
var Oct16 v_encrypted_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var HeaderLines v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Default value: CERT_TS_A_EA
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request(v_private_key, v_publicKeyCompressed, v_compressedMode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_hash_inner_ec_request_signed_for_pop);
f_init_default_headers_list(v_headers);
httpPort.send(
m_http_request(
m_http_request_post(
PICS_HTTP_GET_URI,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] httpPort.receive(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_SymmetricCiphertext_aes128ccm
))))))) -> value v_response {
/*if (f_verify_pki_message(vc_eaPrivateEncKey, vc_eaPeerWholeHash, vc_peerEaCertificate, v_response.response.body.binary_body.ieee1609dot2_data, false, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***");
log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_hash_inner_ec_request_signed_for_pop, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_hash_inner_ec_request_signed_for_pop, 0, 16))))) {
if (f_verify_ea_certificate(v_etsi_ts_102941_data.content.enrolmentResponse.certificate, v_publicKeyCompressed, v_compressedMode)) {
log("*** " & testcasename() & ": PASS: Well-secured EA certificate received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Cannot verify EA certificate signature ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
} else {
log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SEC_PKI_SND_EA_BV_04
/**
* @desc Within the headerInfo of the tbsData, the psid shall be set to “secured certificate request” as assigned in
* ETSI TS 102 965 and the generationTime shall be present.
* <pre>
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EnrolmentRequestMessage
* }
* then {
* the IUT sends an EtsiTs103097Data-Encrypted structure
* containing an encrypted EtsiTs103097Data-Signed structure
* containing tbsData
* containing headerInfo
* containing psid
* indicating AID_CERT_REQ
* and containing generationTime
* }
* }
* </pre>
*
* @see ETSI TS ITS-00546v006 TP 26
* @reference ETSI TS 102 941, clause 6.2.3.2.2
*/
testcase TC_SEC_PKI_SND_EA_BV_05() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_publicKeyCompressed;
var integer v_compressedMode;
var Oct32 v_hash_inner_ec_request_signed_for_pop;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Oct16 v_aes_sym_key;
var Oct16 v_encrypted_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var HeaderLines v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Default value: CERT_TS_A_EA
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request(v_private_key, v_publicKeyCompressed, v_compressedMode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_hash_inner_ec_request_signed_for_pop);
f_init_default_headers_list(v_headers);
httpPort.send(
m_http_request(
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
PICS_HTTP_GET_URI,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] httpPort.receive(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_SymmetricCiphertext_aes128ccm
))))))) -> value v_response {
/*if (f_verify_pki_message(vc_eaPrivateEncKey, vc_eaPeerWholeHash, vc_peerEaCertificate, v_response.response.body.binary_body.ieee1609dot2_data, false, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***");
log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_hash_inner_ec_request_signed_for_pop, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_hash_inner_ec_request_signed_for_pop, 0, 16))))) {
if (f_verify_ea_certificate(v_etsi_ts_102941_data.content.enrolmentResponse.certificate, v_publicKeyCompressed, v_compressedMode)) {
log("*** " & testcasename() & ": PASS: Well-secured EA certificate received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Cannot verify EA certificate signature ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
} else {
log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SEC_PKI_SND_EA_BV_05
/**
* @desc Within the headerInfo of the tbsData, aside from psid and generationTime,
* all other components of the component tbsData.headerInfo not used and absent.
* <pre>
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EnrolmentRequestMessage
* }
* then {
* the IUT sends an EtsiTs103097Data-Encrypted structure
* containing an encrypted EtsiTs103097Data-Signed structure
* containing tbsData
* containing headerInfo
* containing psid
* and containing generationTime
* }
* }
* </pre>
*
* @see ETSI TS ITS-00546v006 TP 27
* @reference ETSI TS 102 941, clause 6.2.3.2.2
*/
testcase TC_SEC_PKI_SND_EA_BV_06() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_publicKeyCompressed;
var integer v_compressedMode;
var Oct32 v_hash_inner_ec_request_signed_for_pop;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Oct16 v_aes_sym_key;
var Oct16 v_encrypted_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var HeaderLines v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Default value: CERT_TS_A_EA
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request(v_private_key, v_publicKeyCompressed, v_compressedMode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_hash_inner_ec_request_signed_for_pop);
f_init_default_headers_list(v_headers);
httpPort.send(
m_http_request(
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
PICS_HTTP_GET_URI,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] httpPort.receive(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_SymmetricCiphertext_aes128ccm
))))))) -> value v_response {
tc_ac.stop;
/*if (f_verify_pki_message(vc_eaPrivateEncKey, vc_eaPeerWholeHash, vc_eaCertificate, v_response.response.body.binary_body.ieee1609dot2_data, false, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***");
log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_hash_inner_ec_request_signed_for_pop, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_hash_inner_ec_request_signed_for_pop, 0, 16))))) {
if (f_verify_ea_certificate(v_etsi_ts_102941_data.content.enrolmentResponse.certificate, v_publicKeyCompressed, v_compressedMode)) {
log("*** " & testcasename() & ": PASS: Well-secured EA certificate received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Cannot verify EA certificate signature ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
} else {
log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SEC_PKI_SND_EA_BV_06
/**
* @desc The EtsiTS102941Data shall contain the version set to v1 (integer value set to 1)
* and the content set to InnerECResponse.
* <pre>
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EnrolmentRequestMessage
* }
* then {
* the IUT sends an EtsiTs103097Data-Encrypted structure
* containing an encrypted EtsiTs103097Data-Signed structure
* containing tbsData
* containing EtsiTS102941Data
* containing version
* indicating v1 (integer value set to 1)
* }
* }
* </pre>
*
* @see ETSI TS ITS-00546v006 TP 28
* @reference ETSI TS 102 941, clause 6.2.3.2.2
*/
testcase TC_SEC_PKI_SND_EA_BV_07() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_publicKeyCompressed;
var integer v_compressedMode;
var Oct32 v_hash_inner_ec_request_signed_for_pop;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Oct16 v_aes_sym_key;
var Oct16 v_encrypted_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var HeaderLines v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Default value: CERT_TS_A_EA
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request(v_private_key, v_publicKeyCompressed, v_compressedMode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_hash_inner_ec_request_signed_for_pop);
f_init_default_headers_list(v_headers);
httpPort.send(
m_http_request(
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
PICS_HTTP_GET_URI,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] httpPort.receive(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_SymmetricCiphertext_aes128ccm
))))))) -> value v_response {
tc_ac.stop;
/*if (f_verify_pki_message(vc_eaPrivateEncKey, vc_eaPeerWholeHash, vc_eaCertificate, v_response.response.body.binary_body.ieee1609dot2_data, false, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***");
log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_hash_inner_ec_request_signed_for_pop, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_hash_inner_ec_request_signed_for_pop, 0, 16))))) {
log("*** " & testcasename() & ": PASS: Well-secured EA certificate received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SEC_PKI_SND_EA_BV_07
/**
* @desc The InnerECResponse shall contain the requestHash, which is the left-most 16 octets of the SHA256 digest of the
* EtsiTs103097Data - Signed structure received in the request and a responseCode indicating the result of the request.
* <pre>
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EnrolmentRequestMessage
* }
* then {
* the IUT sends an EtsiTs103097Data-Encrypted structure
* containing an encrypted EtsiTs103097Data-Signed structure
* containing tbsData
* containing EtsiTS102941Data
* containing requestHash
* indicating the left-most 16 octets of the SHA256 digest of the EtsiTs103097Data-Signed structure received in the request
* and containing responseCode
* }
* }
* </pre>
*
* @see ETSI TS ITS-00546v006 TP 29
* @reference ETSI TS 102 941, clause 6.2.3.2.2
*/
testcase TC_SEC_PKI_SND_EA_BV_08() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_publicKeyCompressed;
var integer v_compressedMode;
var Oct32 v_hash_inner_ec_request_signed_for_pop;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Oct16 v_aes_sym_key;
var Oct16 v_encrypted_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var HeaderLines v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Default value: CERT_TS_A_EA
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request(v_private_key, v_publicKeyCompressed, v_compressedMode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_hash_inner_ec_request_signed_for_pop);
f_init_default_headers_list(v_headers);
httpPort.send(
m_http_request(
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
PICS_HTTP_GET_URI,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] httpPort.receive(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_SymmetricCiphertext_aes128ccm
))))))) -> value v_response {
tc_ac.stop;
/*if (f_verify_pki_message(vc_eaPrivateEncKey, vc_eaPeerWholeHash, vc_eaCertificate, v_response.response.body.binary_body.ieee1609dot2_data, false, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***");
log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_hash_inner_ec_request_signed_for_pop, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_hash_inner_ec_request_signed_for_pop, 0, 16))))) {
log("*** " & testcasename() & ": PASS: Well-secured EA certificate received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SEC_PKI_SND_EA_BV_08
/**
* @desc If the responseCode is 0, the InnerECResponse shall also contain an (enrolment) certificate.
* <pre>
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EnrolmentRequestMessage
* }
* then {
* the IUT sends an EtsiTs103097Data-Encrypted structure
* containing an encrypted EtsiTs103097Data-Signed structure
* containing tbsData
* containing EtsiTS102941Data
* containing InnerECResponse
* containing an enrolment certificate
* }
* }
* </pre>
*
* @see ETSI TS ITS-00546v006 TP 30
* @reference ETSI TS 102 941, clause 6.2.3.2.2
*/
testcase TC_SEC_PKI_SND_EA_BV_09() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_publicKeyCompressed;
var integer v_compressedMode;
var Oct32 v_hash_inner_ec_request_signed_for_pop;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Oct16 v_aes_sym_key;
var Oct16 v_encrypted_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var HeaderLines v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Default value: CERT_TS_A_EA
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request(v_private_key, v_publicKeyCompressed, v_compressedMode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_hash_inner_ec_request_signed_for_pop);
f_init_default_headers_list(v_headers);
httpPort.send(
m_http_request(
PICS_HTTP_GET_URI,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] httpPort.receive(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
mw_SymmetricCiphertext_aes128ccm
))))))) -> value v_response {
tc_ac.stop;
/*if (f_verify_pki_message(vc_eaPrivateEncKey, vc_eaPeerWholeHash, vc_eaCertificate, v_response.response.body.binary_body.ieee1609dot2_data, false, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***");
log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_hash_inner_ec_request_signed_for_pop, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_hash_inner_ec_request_signed_for_pop, 0, 16))))) {
log("*** " & testcasename() & ": PASS: Well-secured EA certificate received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SEC_PKI_SND_EA_BV_09
/**
* @desc If the responseCode is 0, the InnerECResponse shall also contain an (enrolment) certificate.
* <pre>
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EnrolmentRequestMessage
* }
* then {
* the IUT sends an EtsiTs103097Data-Encrypted structure
* containing an encrypted EtsiTs103097Data-Signed structure
* containing tbsData
* containing EtsiTS102941Data
* containing InnerECResponse
* containing an enrolment certificate
* }
* }
* </pre>
*
* @see ETSI TS ITS-00546v006 TP 31
* @reference ETSI TS 102 941, clause 6.2.3.2.2
*/
testcase TC_SEC_PKI_SND_EA_BV_10() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_publicKeyCompressed;
var integer v_compressedMode;
var Oct32 v_hash_inner_ec_request_signed_for_pop;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Oct16 v_aes_sym_key;
var Oct16 v_encrypted_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var HeaderLines v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Default value: CERT_TS_A_EA
// Test adapter configuration
// Preamble
f_http_build_invalid_enrolment_request(v_private_key, v_publicKeyCompressed, v_compressedMode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_hash_inner_ec_request_signed_for_pop);
f_init_default_headers_list(v_headers);
httpPort.send(
m_http_request(
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
PICS_HTTP_GET_URI,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] httpPort.receive(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_SymmetricCiphertext_aes128ccm
))))))) -> value v_response {
tc_ac.stop;
/*if (f_verify_pki_message(vc_eaPrivateEncKey, vc_eaPeerWholeHash, vc_eaCertificate, v_response.response.body.binary_body.ieee1609dot2_data, false, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***");
if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ko))) {
log("*** " & testcasename() & ": PASS: Well-secured EA certificate received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SEC_PKI_SND_EA_BV_10
} // End of group enrolment_response
group authorization_vaidation_response {
/**
* @desc The AuthorizationValidationResponse message shall be sent by the EA to the AA across the interface
* at reference point S4 in response to a received AuthorizationValidationRequest message
* <pre>
* Initial conditions:
* with {
* the IUT being in the "operational state"
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT receives a AuthorizationValidationRequest message
* the IUT sends a AuthorizationValidationResponse message
* across the reference point S4 to the AA
* }
* }
* </pre>
*
* @see ETSI TS ITS-00546v006 TP AuthValRes_1_EA
* @reference ETSI TS 102 941, clause 6.2.3.4
*/
testcase TC_SEC_PKI_SND_EA_BV_11() runs on ItsPki system ItsPkiSystem {
var octetstring v_private_key;
var octetstring v_publicKeyCompressed;
var integer v_compressedMode;
var AuthorizationValidationRequest v_authorization_validation_request;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
LibItsPki_Functions.f_cfUp(
PICS_TS_AA_CERTIFICATE_ID, // TS role is AA
PICS_IUT_EA_CERTIFICATE_ID // Peer certificate, IUT
);
// Test adapter configuration
// Preamble
if (f_generate_authorization_validation_request(vc_eaCertificate, vc_eaHashedId8, v_private_key, v_publicKeyCompressed, v_compressedMode, v_authorization_validation_request) == false) {
log("*** " & testcasename() & ": FAIL: Failed to setup AuthorisationValidationRequest message ***")
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_error);
stop;
}
f_sendAcPkiPrimitive(PICS_TS_AA_CERTIFICATE_ID, v_private_key, v_publicKeyCompressed, v_compressedMode);
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
pkiPort.send(v_authorization_validation_request);
tc_ac.start;
alt {
[] pkiPort.receive(
mw_authorizationValidationResponse_ok
) {
tc_ac.stop;
log("*** " & testcasename() & ": PASS: AuthorizationValidationResponse received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
LibItsPki_Functions.f_cfDown();
} // End of testcase TC_SEC_PKI_SND_EA_BV_11
/**
* @desc The AuthorizationValidationResponse message shall be sent by the EA to the AA across the interface
* at reference point S4 in response to a received AuthorizationValidationRequest message
* <pre>
* Initial conditions:
* with {
* the IUT being in the "operational state"
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT receives a AuthorizationValidationRequest message
* the IUT sends a AuthorizationValidationResponse message
* across the reference point S4 to the AA
* }
* }
* </pre>
*
* @see ETSI TS ITS-00546v006 TP AuthValRes_1_EA
* @reference ETSI TS 102 941, clause 6.2.3.4
*/
testcase TC_SEC_PKI_SND_EA_BV_12() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_publicKeyCompressed;
var integer v_compressedMode;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var HeaderLines v_headers;
var HttpMessage v_response;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(); // Default value: CERT_TS_A_EA
// Test adapter configuration
// Preamble
f_http_build_authorization_validation_request(v_private_key, v_publicKeyCompressed, v_compressedMode, v_ieee1609dot2_signed_and_encrypted_data);
f_init_default_headers_list(v_headers);
httpPort.send(
m_http_request(
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
PICS_HTTP_GET_URI,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] httpPort.receive(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationValidationResponseMessage(
mw_encryptedData(
-,
mw_SymmetricCiphertext_aes128ccm
))))))) -> value v_response {
tc_ac.stop;
log("*** " & testcasename() & ": PASS: AuthorizationValidationResponse received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SEC_PKI_SND_EA_BV_12
} // End of group authorization_vaidation_response
} // End of group ea_behavior
group aa_behavior {
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
/**
* @desc Check that the AA is able to decrypt the AuthorizationRequest message using the encryption private key corresponding to the recipient certificate
* Check that the AA is able to verify the inner signature
* Check that the AA is able to verify the request authenticity using the hmacKey verification
* Check that the AA sends the AuthorizationValidationRequest message to the correspondent EA
* <pre>
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the AA in "operational state"
* authorized with the certificate CERT_AA
* containing encryptionKey (AA_ENC_PUB_KEY)
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EtsiTs103097Data message
* containing content.encryptedData
* containing recipients
* containing the instance of RecipientInfo
* containing certRecipInfo
* containing recipientId
* indicating HashedId8 of the certificate CERT_AA
* and containing encKey
* indicating symmetric key (S_KEY)
* encrypted with the private key correspondent to the AA_ENC_PUB_KEY
* and containing cyphertext (ENC_DATA)
* containing encrypted representation of the EtsiTs103097Data-Signed
* containing content.signedData
* containing hashId
* indicating valid hash algorythm
* and containing signer
* containing self
* and containing tbsData (SIGNED_DATA)
* containing payload
* containing EtsiTs102941Data
* containing content.authorizationRequest
* containing publicKeys.verificationKey (V_KEY)
* and containing hmacKey (HMAC)
* and containing sharedAtRequest
* containing keyTag (KEY_TAG)
* and containing eaId (EA_ID)
( indicating HashedId8 of the known EA certificate
* and containing signature (SIGNATURE)
* }
* then {
* the IUT is able to decrypt the S_KEY
* using the private key
* corresponding to the AA_ENC_PUB_KEY
* and the IUT is able to decrypt the cypthertext ENC_DATA
* using the S_KEY
* and the IUT is able to verify the signature SIGNATURE over the SIGNED_DATA
* using the V_KEY
* and the IUT is able to verify integrity of HMAC and KEY_TAG
* and the IUT sends the AuthorizationValidationRequest message to the EA
* identified by the EA_ID
* }
* }
* </pre>
*
* @see ETSI TS ITS-00546v006 TP BV
* @reference ETSI TS 102 941, clause 6.2.3.3.1
*/
testcase TC_SEC_PKI_SND_AA_BV_01() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key;
var Oct32 v_publicKeyCompressed;
var integer v_compressedMode;
var HashedId8 v_hash_inner_at_request;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var HeaderLines v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(
PICS_TS_CERTIFICATE_ID, // TS role is ITS-S
PICS_IUT_AA_CERTIFICATE_ID // Peer certificate, IUT
);
// Test adapter configuration
// Preamble
f_http_build_inner_at_request(v_private_key, v_publicKeyCompressed, v_compressedMode, v_ieee1609dot2_signed_and_encrypted_data, v_hash_inner_at_request);
f_init_default_headers_list(v_headers);
httpPort.send(
m_http_request(
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
PICS_HTTP_GET_URI,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] httpPort.receive(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
-,
mw_SymmetricCiphertext_aes128ccm
))))))) -> value v_response {
tc_ac.stop;
/*if (f_verify_pki_message(vc_eaPrivateEncKey, vc_eaPeerWholeHash, vc_eaCertificate, v_response.response.body.binary_body.ieee1609dot2_data, false, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***");
if (match(v_etsi_ts_102941_data.content, mw_authorizationValidationResponse(mw_authorizationValidationResponse_ok))) {
// TODO Refined expected mw_authorizationValidationResponse_ok
log("*** " & testcasename() & ": PASS: Well-secured EA certificate received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SEC_PKI_SND_AA_BV_01
/**
* @desc Check that the AA is able to decrypt the AuthorizationRequest message using the encryption private key corresponding to the recipient certificate
* Check that the AA is able to verify the request authenticity using the hmacKey verification
* Check that the AA sends the AuthorizationValidationRequest message to the correspondent EA
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
* <pre>
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the AA in "operational state"
* authorized with the certificate CERT_AA
* containing encryptionKey (AA_ENC_PUB_KEY)
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EtsiTs103097Data message
* containing content.encryptedData
* containing recipients
* containing the instance of RecipientInfo
* containing certRecipInfo
* containing recipientId
* indicating HashedId8 of the certificate CERT_AA
* and containing encKey
* indicating symmetric key (S_KEY)
* encrypted with the private key correspondent to the AA_ENC_PUB_KEY
* and containing cyphertext (ENC_DATA)
* containing EtsiTs102941Data
* containing content.authorizationRequest
* containing hmacKey (HMAC)
* and containing sharedAtRequest
* containing keyTag (KEY_TAG)
* and containing eaId (EA_ID)
* indicating HashedId8 of the known EA certificate
* }
* then {
* the IUT is able to decrypt the S_KEY
* using the private key
* corresponding to the AA_ENC_PUB_KEY
* and the IUT is able to decrypt the cypthertext ENC_DATA
* using the S_KEY
* and the IUT is able to verify integrity of HMAC and KEY_TAG
* and the IUT sends the AuthorizationValidationRequest message to the EA
* identified by the EA_ID
* }
* }
* </pre>
*
* @see ETSI TS ITS-00546v006 TP BV
* @reference ETSI TS 102 941, clause 6.2.3.3.1
*/
testcase TC_SEC_PKI_SND_AA_BV_02() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key;
var Oct32 v_publicKeyCompressed;
var integer v_compressedMode;
var HashedId8 v_hash_inner_at_request;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var HeaderLines v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(
PICS_TS_CERTIFICATE_ID, // TS role is ITS-S
PICS_IUT_AA_CERTIFICATE_ID // Peer certificate, IUT
);
// Test adapter configuration
// Preamble
f_http_build_inner_at_request(v_private_key, v_publicKeyCompressed, v_compressedMode, v_ieee1609dot2_signed_and_encrypted_data, v_hash_inner_at_request);
f_init_default_headers_list(v_headers);
httpPort.send(
m_http_request(
m_http_request_post(
PICS_HTTP_GET_URI,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] httpPort.receive(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
-,
mw_SymmetricCiphertext_aes128ccm
))))))) -> value v_response {
tc_ac.stop;
/*if (f_verify_pki_message(vc_eaPrivateEncKey, vc_eaPeerWholeHash, vc_eaCertificate, v_response.response.body.binary_body.ieee1609dot2_data, false, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***");
if (match(v_etsi_ts_102941_data.content, mw_authorizationValidationResponse(mw_authorizationValidationResponse_ok))) {
// TODO Refined expected mw_authorizationValidationResponse_ok
log("*** " & testcasename() & ": PASS: Well-secured EA certificate received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SEC_PKI_SND_AA_BV_02
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
/**
* @desc Check that the AA skips the AuthorizationRequest message if it is not addressed to this AA
* <pre>
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the AA in "operational state"
* authorized with the certificate CERT_AA
* containing encryptionKey (AA_ENC_PUB_KEY)
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EtsiTs103097Data message
* containing content.encryptedData
* containing recipients
* containing the instance of RecipientInfo
* containing certRecipInfo
* containing recipientId
* indicating value
* NOT equal to the HashedId8 of the certificate CERT_AA
* and containing encKey
* indicating symmetric key (S_KEY)
* encrypted with the private key correspondent to the AA_ENC_PUB_KEY
* }
* then {
* the IUT does not send the AuthorizationValidationRequest message
* }
* }
* </pre>
*
* @see ETSI TS ITS-00546v006 TP BV
* @reference ETSI TS 102 941, clause 6.2.3.3.1
*/
testcase TC_SEC_PKI_SND_AA_BV_03() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key;
var Oct32 v_publicKeyCompressed;
var integer v_compressedMode;
var HashedId8 v_hash_inner_at_request;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var HeaderLines v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(
PICS_TS_CERTIFICATE_ID, // TS role is ITS-S
PICS_IUT_AA_CERTIFICATE_ID // Peer certificate, IUT
);
// Test adapter configuration
// Preamble
f_http_build_inner_at_request(v_private_key, v_publicKeyCompressed, v_compressedMode, v_ieee1609dot2_signed_and_encrypted_data, v_hash_inner_at_request);
f_init_default_headers_list(v_headers);
httpPort.send(
m_http_request(
m_http_request_post(
PICS_HTTP_GET_URI,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_noac.start;
alt {
[] httpPort.receive(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
-,
mw_SymmetricCiphertext_aes128ccm
))))))) -> value v_response {
tc_noac.stop;
log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
[] tc_noac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SEC_PKI_SND_AA_BV_03
} // End of group aa_beavior
} // End of module ItsPki_TestCases