ItsSecurity_TestCases.ttcn3 1.39 MB
Newer Older
garciay's avatar
garciay committed
                                                        mw_publicKey_eccPoint_compressed_lsb_y_1
                                                    )
                                                ),
                                                ?,
garciay's avatar
garciay committed
                                                mw_signature
garciay's avatar
garciay committed
                    ))))))) {
                        tc_ac.stop;
garciay's avatar
garciay committed
                        log("*** " & testcasename() & ": PASS: AT certificate contains verification key with the ECC point of type set to compressed_lsb_y_1 received ***");
garciay's avatar
garciay committed
                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
                    }
                    [] geoNetworkingPort.receive(
                        mw_geoNwInd(
                            mw_geoNwSecPdu(
                                mdw_securedMessage(
                                    superset(
                                        mw_header_field_signer_info_certificate(
                                            mw_at_certificate(
                                                ?,
                                                superset(
                                                    mw_subject_attribute_verification_key(
                                                        mw_publicKey_eccPoint_uncompressed
                                                    )
                                                ),
                                                ?,
garciay's avatar
garciay committed
                                                mw_signature
garciay's avatar
garciay committed
                    ))))))) {
                        tc_ac.stop;
garciay's avatar
garciay committed
                        log("*** " & testcasename() & ": PASS: AT certificate contains verification key with the ECC point of type set to uncompressed received ***");
garciay's avatar
garciay committed
                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
                    }
                    [] geoNetworkingPort.receive(
                        mw_geoNwInd(
                            mw_geoNwSecPdu(
                                mdw_securedMessage(
                                    superset(
                                        mw_header_field_signer_info_certificate(
                                            mw_at_certificate
                    )))))) {
                        tc_ac.stop;
                        log("*** " & testcasename() & ": FAIL: AT certificate signature mismatch ***");
                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                    }
                    [] tc_ac.timeout {
                        log("*** " & testcasename() & ": INCONC: Expected message not received ***");
                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
                    }
                } // End of 'alt' statement
                
                // Postamble
                f_poNeighbour();
                f_cf01Down();
                
garciay's avatar
garciay committed
            } // End of testcase TC_SEC_ITSS_SND_CERT_10_01_BV
garciay's avatar
garciay committed
            
            /**
             * @desc    Check that  all certificate in a chain have verification keys contains ECC point of type set to either compressed_lsb_y_0, compressed_lsb_y_1 
             *          or uncompressed
             * <pre>
             * Pics Selection: PICS_GN_SECURITY
             * Config Id: CF01
             * Initial conditions:
             * with {
             *   the IUT being in the 'authorized' state
             *   the IUT being requested to include certificate in the next CAM
             * }
             * Expected Behaviour:
             * ensure that {
             *    when {
             *     the IUT is requested to send a CAM
             *   } then {
             *     the IUT sends a SecuredMessage
             *         containing header_fields['signer_info'].signer
             *             containing type
             *                 indicating 'certificate_chain'
             *             containing certificates
             *                 indicating length N > 1
             *                 and indicating certificates[n] (0..N)
             *                     containing signature.ecdsa_signature
             *                         containing subject_attributes['verification_key']
             *                             indicating compressed_lsb_y_0
             *                             or indicating compressed_lsb_y_1 
             *                             or indicating uncompressed 
             *   }
             * }
             * </pre>
garciay's avatar
garciay committed
             * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_10_02_BV
garciay's avatar
garciay committed
             * @reference   ETSI TS 103 097 [1], clause 4.2.4
             */
garciay's avatar
garciay committed
            testcase TC_SEC_ITSS_SND_CERT_10_02_BV() runs on ItsGeoNetworking system ItsSecSystem {
garciay's avatar
garciay committed
                // Local variables
                var GeoNetworkingInd v_geoNwInd;
                var SignerInfo       v_si;
                var CertificateChain v_chain;
                var integer          v_counter;
                                
                // Test control
                if (not(PICS_GN_SECURITY)) {
                    log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
                    stop;
                }
                
                // Test component configuration
                f_cf01Up();
                
                // Test adapter configuration
                
                // Preamble
                f_prNeighbour();
                f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
                
                // Test Body
                tc_ac.start;
                alt {
                    [] geoNetworkingPort.receive(
                        mw_geoNwInd(
                            mw_geoNwSecPdu(
                                mdw_securedMessage(
                                    superset(
                                        mw_header_field_signer_info_certificate_chain
                    ))))) {
                        tc_ac.stop;
                        // Check certificate chain
                        if (f_getMsgSignerInfo(f_getSecuredMessage(v_geoNwInd.msgIn), v_si)) {
                            v_chain  :=  v_si.signerInfo.certificates;
                            for (v_counter := lengthof(v_chain) - 1; v_counter > 0; v_counter := v_counter - 1 ) {
                                if (
                                    (not match(v_chain[v_counter], mw_certificate(?, ?, superset(mw_subject_attribute_verification_key(mw_publicKey_eccPoint_compressed_lsb_y_0))))) and
                                    (not match(v_chain[v_counter], mw_certificate(?, ?, superset(mw_subject_attribute_verification_key(mw_publicKey_eccPoint_compressed_lsb_y_1))))) and
                                    (not match(v_chain[v_counter], mw_certificate(?, ?, superset(mw_subject_attribute_verification_key(mw_publicKey_eccPoint_uncompressed)))))
                                ) {
                                    log("*** " & testcasename() & ": FAIL: Wrong verification key algorithm ***");
                                    f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
                                }
                            } // End of 'for' statement
                        }
                        log("*** " & testcasename() & ": PASS: All certificates in a chain have the correct verification key ***");
                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
                    }
                    [] tc_ac.timeout {
                        log("*** " & testcasename() & ": INCONC: Expected message not received ***");
                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
                    }
                } // End of 'alt' statement
                
                // Postamble
                f_poNeighbour();
                f_cf01Down();
                
garciay's avatar
garciay committed
            } // End of testcase TC_SEC_ITSS_SND_CERT_10_02_BV
garciay's avatar
garciay committed
            
            /**
             * @desc Check the certificate signature 
             * <pre>
             * Pics Selection: PICS_GN_SECURITY
             * Config Id: CF01
             * Initial conditions:
garciay's avatar
garciay committed
             * with {
             *   the IUT being in the 'authorized' state
             *   the IUT being requested to include certificate in the next CAM
             * } ensure that {
             *    when {
             *     the IUT is requested to send a CAM
             *   } then {
             *     the IUT sends a SecuredMessage
garciay's avatar
garciay committed
             *       containing header_fields['signer_info'].signer
garciay's avatar
garciay committed
             *         containing type
             *           indicating 'certificate'
garciay's avatar
garciay committed
             *         ND containing certificate
             *           containing signer_info
garciay's avatar
garciay committed
             *             containing type
             *               indicating 'certificate_digest_with_sha256'
             *             containing digest
             *               referenced to the certificate CERT
garciay's avatar
garciay committed
             *           and containing signature
garciay's avatar
garciay committed
             *             verifiable using CERT.subject_attributes['verification_key'].key
             *   }
             * }
garciay's avatar
garciay committed
             * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_09_01_BV
garciay's avatar
garciay committed
             * @reference   ETSI TS 103 097 [1], clauses 6.1 and 7.4.1
garciay's avatar
garciay committed
            testcase TC_SEC_ITSS_SND_CERT_11_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
garciay's avatar
garciay committed
                // Local declarations
                var GeoNetworkingInd v_geoNwInd;
                var Certificate      v_at_cert;
                var Certificate      v_aa_cert;
                var HashedId8        v_aa_digest;
                var SignerInfo       v_si;
                var integer          v_counter;
garciay's avatar
garciay committed
                // Test control
                if (not(PICS_GN_SECURITY)) {
                    log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
                    stop;
                }
garciay's avatar
garciay committed
                    
                // Test component configuration
                // Test adapter configuration
                
                // Preamble
                f_prNeighbour();
                f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
                
garciay's avatar
garciay committed
                // Wait for the message with the certificate to get the AA cert digest.
                // Ask for the chain, containing AT and AA certificate
                // Check that the AT cert in the first message is signed with the AA cert
                log("*** " & testcasename() & ": INFO: Waiting for the message containing certificate  ***");
                tc_ac.start;
                f_waitForCertificate(v_at_cert);
                tc_ac.stop;
garciay's avatar
garciay committed
                if (true != f_getCertificateSignerInfo(v_at_cert, v_si)) {
                    log("*** " & testcasename() & ": FAIL: AT Certificate signer info is unknown ***");
                    f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
garciay's avatar
garciay committed
                if (not match (v_si.type_, e_certificate_digest_with_sha256)) {
                    log("*** " & testcasename() & ": FAIL: AT Certificate is not signed well ***");
                    f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
garciay's avatar
garciay committed
                v_aa_digest := v_si.signerInfo.digest;
                
                // Send a certificate request to the IUT 
                f_sendCertificateRequest(v_aa_digest, f_generateDefaultCam());
                    
                // Test Body
                tc_ac.start;
                alt {
                    [] geoNetworkingPort.receive(
                        mw_geoNwInd(
                            mw_geoNwSecPdu(
                                mdw_securedMessage(
                                    superset(
                                        mw_header_field_signer_info_certificate_chain
                    ))))) -> value v_geoNwInd {
                        var SecuredMessage v_secMsg;
                        var integer v_chainLength;
                        tc_ac.stop;
                        // Check certificate chain
                        
                        if (f_getMsgSignerInfo(f_getSecuredMessage(v_geoNwInd.msgIn), v_si)) {
                            v_chainLength := lengthof(v_si.signerInfo.certificates);
                            if (v_chainLength < 2 ) {
                                log("*** " & testcasename() & ": FAIL: Certificate chain doesn't contain the AA cert ***");
                                f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                            }
                            // get aa cert
                            v_aa_cert := v_si.signerInfo.certificates[v_chainLength-2];
                            if (not match (v_aa_digest, f_calculateDigestFromCertificate(v_aa_cert))) {
                                log("*** " & testcasename() & ": FAIL: AT certificate was not signed with the given AA cert ***");
                                f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                            }
                            
                            // Check that at cert is signed with aa cert
                            if (false == f_verifyCertificateSignatureWithIssuingCertificate(v_at_cert, v_aa_cert)) {
                                log("*** " & testcasename() & ": FAIL: AT certificate signature error ***");
                                f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                            }
                            
                            log("*** " & testcasename() & ": PASS: AT certificate was well signed with AA certificate ***");
                            f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
                        } else {
                            log("*** " & testcasename() & ": FAIL: The message signer info is unknown ***");
                            f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                        }
                    }
                    [] tc_ac.timeout {
                        log("*** " & testcasename() & ": INCONC: Expected message not received ***");
                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
                    }
                } // End of 'alt' statement
                
                // Postamble
                f_poNeighbour();
                f_cf01Down();
garciay's avatar
garciay committed
                
garciay's avatar
garciay committed
            } // End of testcase TC_SEC_ITSS_SND_CERT_11_01_BV
garciay's avatar
garciay committed
             * @desc Check the signatures of the certificates in the chain 
             * Pics Selection: PICS_GN_SECURITY
             * Config Id: CF01
             * Initial conditions:
garciay's avatar
garciay committed
             * with {
             *   the IUT being in the 'authorized' state
             *   the IUT being requested to include certificate chain in the next CAM
             * } ensure that {
             *    when {
             *     the IUT is requested to send a CAM
             *   } then {
             *     the IUT sends a SecuredMessage
garciay's avatar
garciay committed
             *         containing header_fields['signer_info'].signer
             *           containing type
             *               indicating 'certificate_chain'
             *         and containing certificates
             *             indicating length N > 1
             *             and containing certificate[0]
             *                 containing signer_info
             *                     containing type
             *                         indicating 'certificate_digest_with_sha256'
             *                     and containing digest
             *                         referenced to the trusted certificate (CERT_ROOT)
             *                 and containing signature
             *                     verifiable using CERTIFICATES[N-1].subject_attributes['verification_key'].key
             *             and containing certificates[n] (1..N)
             *                 containing signer_info {
             *                     containing type
             *                         indicating 'certificate_digest_with_sha256'
             *                     and containing digest
             *                         referenced to the certificates[n-1]
             *                 and containing signature
             *                     verifiable using certificates[n-1].subject_attributes['verification_key'].key
garciay's avatar
garciay committed
             *   }
             * }
garciay's avatar
garciay committed
             * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_09_02_BV
garciay's avatar
garciay committed
             * @reference   ETSI TS 103 097 [1], clauses 6.1 and 7.4.1
garciay's avatar
garciay committed
            testcase TC_SEC_ITSS_SND_CERT_11_02_BV() runs on ItsGeoNetworking system ItsSecSystem {
garciay's avatar
garciay committed
                // Local declarations
                var GeoNetworkingInd v_geoNwInd;
                var Certificate      v_cert;
                var CertificateChain v_chain;
                var SignerInfo       v_si;
                var HashedId8        v_digest;
                var integer          v_counter;
garciay's avatar
garciay committed
                // Test control
                if (not(PICS_GN_SECURITY)) {
                    log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
                    stop;
                }
                
garciay's avatar
garciay committed
                // Test component configuration
                // Test adapter configuration
                
                // Preamble
                f_prNeighbour();
                f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
                
garciay's avatar
garciay committed
                // Wait for the message with the certificate to get the AA cert digest.
                // Ask for the chain, containing AT and AA certificate
                // Check that the AT cert in the first message is signed with the AA cert
                log("*** " & testcasename() & ": INFO: Waiting for the message containing certificate and ask for a certificate chain ***");
                tc_ac.start;
                f_askForCertificateChain(f_generateDefaultCam());
                tc_ac.stop;
                    
garciay's avatar
garciay committed
                tc_ac.start;
                alt {
                    [] geoNetworkingPort.receive(
                        mw_geoNwInd(
                            mw_geoNwSecPdu(
                                mdw_securedMessage(
                                    superset(
                                        mw_header_field_signer_info_certificate_chain
                    ))))) -> value v_geoNwInd {
                        var SecuredMessage v_secMsg;
                        var integer v_chainLength;
                        tc_ac.stop;
                        // Check certificate chain
                        if (f_getMsgSignerInfo(f_getSecuredMessage(v_geoNwInd.msgIn), v_si)) {
                            v_chain  :=  v_si.signerInfo.certificates;
                            for (v_counter := lengthof(v_chain) - 1; v_counter > 0; v_counter := v_counter - 1 ) {
                                if (not f_getCertificateSignerInfo(v_chain[v_counter], v_si)) {
                                    log("*** " & testcasename() & ": FAIL: Certificate "&int2str(v_counter) & " doesn't have a signer info ***");
                                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                                }
                                if (not match (v_si.type_, e_certificate_digest_with_sha256)) {
                                    log("*** " & testcasename() & ": FAIL: Certificate is not signed with digest ***");
                                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                                }
                                // Check that cert is signed by issuing cert
                                v_digest := f_calculateDigestFromCertificate(v_chain[v_counter - 1]);
                                if (not match (v_si.signerInfo.digest, v_digest)) {
                                    log("*** " & testcasename() & ": FAIL: Certificate chain is not valid ***");
                                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                                }
                                // Check that the signature is valid
                                if (false == f_verifyCertificateSignatureWithIssuingCertificate(v_chain[v_counter], v_chain[v_counter - 1])) {
                                    log("*** " & testcasename() & ": FAIL: AT certificate signature error ***");
                                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                                }
                            } // End of 'for' statement
                            
                            log("*** " & testcasename() & ": PASS: All certificates in the chain signed by it's issuing certs ***");
                            f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
                        } else {
                            log("*** " & testcasename() & ": FAIL: The message signer info is unknown ***");
                            f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                        }
                    }
                    [] tc_ac.timeout {
                        log("*** " & testcasename() & ": INCONC: Expected message not received ***");
                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
                    }
                }
                
                // Postamble
                f_poNeighbour();
                f_cf01Down();
garciay's avatar
garciay committed
                
garciay's avatar
garciay committed
            } // End of testcase TC_SEC_ITSS_SND_CERT_11_02_BV
            
            /**
             * @desc Check that the assurance level of the subordinate certificate is equal to or less than the assurance level of the issuing certificate
             * <pre>
             * Pics Selection: PICS_GN_SECURITY and PICS_CERTIFICATE_SELECTION
             * Config Id: CF01
             * with {
             *   the IUT being in the 'authorized' state
             *   the IUT being requested to include certificate chain in the next CAM
             * } ensure that {
             *    when {
             *     the IUT is requested to send a CAM
             *   } then {
             *     the IUT sends a SecuredMessage
             *       containing header_fields['signer_info'].signer
             *         containing type
garciay's avatar
garciay committed
             *           indicating 'certificate_chain'
garciay's avatar
garciay committed
             *         containing certificates
             *           indicating length N > 1
             *           and containing certificates[n](0..N)
             *             containing subject_attributes ['assurance_level']
             *               containig assurance_level
             *                 containing bits [5-7]
             *                   indicating assurance level CERT_AL
             *             and containing signer_info
             *               containing digest
             *                 referenced to the certificate
             *                   containing subject_attributes ['assurance_level']
             *                     containing assurance_level
             *                       containing bits [5-7]
             *                         indicating value <= CERT_AL
             *   }
             * }
             * </pre>
garciay's avatar
garciay committed
             * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_12_01_BV
garciay's avatar
garciay committed
             * @reference   ETSI TS 103 097 [1], clause 7.4.1
garciay's avatar
garciay committed
             */
            testcase TC_SEC_ITSS_SND_CERT_12_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
                var CertificateChain         v_chain;
                var Certificate              v_aa_cert, v_at_cert;
                var SubjectAttribute         v_sa;
                var SubjectAssurance         v_aa_assurance_level, v_at_assurance_level;
                
                // Test control
                if (not(PICS_GN_SECURITY)) {
                    log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
                    stop;
                }
                
                // Test component configuration
                f_cf01Up();
                
                // Test adapter configuration
                
                // Preamble
                f_prNeighbour();
                f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
                
                // Test Body
                log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain  ***");
                tc_ac.start;
                if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
                    log("*** " & testcasename() & ": INCONC: Expected message not received ***");
                    f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
                }
                tc_ac.stop;
                if (lengthof(v_chain) < 2) {
                    log("*** " & testcasename() & ": FAIL: Certificate chain is too short ***");
                    f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
                }
                v_aa_cert := v_chain[lengthof(v_chain) - 2];
                v_at_cert := v_chain[lengthof(v_chain) - 1];
                if (not f_getCertificateSubjectAttribute(v_aa_cert, e_assurance_level, v_sa)) {
                    log("*** " & testcasename() & ": FAIL: AA certificate does not contain its_aid_list subject attribute ***");
                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                }
                v_aa_assurance_level := v_sa.attribute.assurance_level;
                
                if (not f_getCertificateSubjectAttribute(v_at_cert, e_assurance_level, v_sa)) {
                    log("*** " & testcasename() & ": FAIL: AA certificate does not contain its_aid_list subject attribute ***");
                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                }
                v_at_assurance_level := v_sa.attribute.assurance_level;
                
                if (bit2int(v_aa_assurance_level.levels) < bit2int(v_at_assurance_level.levels)) {
                    log("*** " & testcasename() & ": FAIL: The assurence levels mismatch ***");
                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                } else {
                    log("*** " & testcasename() & ": PASS: The assurence levels match ***");
                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
                }
                
                // Postamble
                f_poNeighbour();
                f_cf01Down();
            } // End of testcase TC_SEC_ITSS_SND_CERT_12_01_BV
garciay's avatar
garciay committed
             * @desc Sending behaviour test cases for AA certificate profil
             * @see ETSI TS 103 096-2 V1.2.2 (2016-01) Clause 5.2.7.7 AA certificate profile
             */
            group AA_Certificates {
                
                /**
garciay's avatar
garciay committed
                 * @desc Check that the subject_type of the AA certificate is set to authorization_authority
garciay's avatar
garciay committed
                 * <pre>
                 * Pics Selection: PICS_GN_SECURITY
                 * Config Id: CF01
                 * with {
                 *   the IUT being in the 'authorized' state
                 *   the IUT being requested to include certificate chain in the next CAM
                 * } ensure that {
                 *    when {
                 *     the IUT is requested to send a CAM
                 *   } then {
                 *     the IUT sends a SecuredMessage
garciay's avatar
garciay committed
                 *       containing header_fields['signer_info'].signer
garciay's avatar
garciay committed
                 *         containing type
garciay's avatar
garciay committed
                 *           indicating 'certificate_chain'
garciay's avatar
garciay committed
                 *         containing certificates[last-1]
garciay's avatar
garciay committed
                 *           containing subject_info.subject_type
                 *             indicating 'authorization_authority' (2)
                 *   }
                 * }
                 * </pre>
garciay's avatar
garciay committed
                 * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_AA_01_01_BV
garciay's avatar
garciay committed
                 * @reference   ETSI TS 103 097 [1], clause 7.4.4
garciay's avatar
garciay committed
                 */
garciay's avatar
garciay committed
                testcase TC_SEC_ITSS_SND_CERT_AA_01_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
garciay's avatar
garciay committed
                    var CertificateChain         v_chain;
                    
                    // Test control
                    if (not(PICS_GN_SECURITY)) {
                        log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
                        stop;
                    }
                    
                    // Test component configuration
                    f_cf01Up();
                    
                    // Test adapter configuration
                    
                    // Preamble
                    f_prNeighbour();
                    f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
                    
                    // Test Body
                    log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain  ***");
                    tc_ac.start;
                    if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
                        log("*** " & testcasename() & ": INCONC: Expected message not received ***");
                        f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
                    }
                    tc_ac.stop;
                    if (lengthof(v_chain) < 2) {
                        log("*** " & testcasename() & ": FAIL: Certificate chain is too short ***");
                        f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
                    }
                    if (not match(v_chain[lengthof(v_chain) - 2], mw_aa_certificate)) {
                        log("*** " & testcasename() & ": FAIL: AA certificate not found in the chain[last-1] ***");
                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                    }
                    log("*** " & testcasename() & ": PASS: AA certificate was found in the chain ***");
                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
garciay's avatar
garciay committed
                    
                    // Postamble
                    f_poNeighbour();
                    f_cf01Down();
garciay's avatar
garciay committed
                } // End of testcase TC_SEC_ITSS_SND_CERT_AA_01_01_BV
garciay's avatar
garciay committed
                
                /**
garciay's avatar
garciay committed
                 * @desc Check that the AA certificsate subject_name variable-length vector contains 32 bytes maximum
garciay's avatar
garciay committed
                 * <pre>
                 * Pics Selection: PICS_GN_SECURITY
                 * Config Id: CF01
                 * with {
                 *   the IUT being in the 'authorized' state
                 *   the IUT being requested to include certificate chain in the next CAM
                 * } ensure that {
                 *    when {
                 *     the IUT is requested to send a CAM
                 *   } then {
                 *     the IUT sends a SecuredMessage
garciay's avatar
garciay committed
                 *       containing header_fields['signer_info'].signer
garciay's avatar
garciay committed
                 *         containing type
garciay's avatar
garciay committed
                 *           indicating 'certificate_chain'
garciay's avatar
garciay committed
                 *         containing certificates[last-1]
garciay's avatar
garciay committed
                 *           containing subject_info.subject_name
                 *             indicating length <= 32 bytes
                 *   }
                 * }
                 * </pre>
garciay's avatar
garciay committed
                 * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_AA_02_01_BV
garciay's avatar
garciay committed
                 * @reference   ETSI TS 103 097 [1], clause 6.2
                 */
garciay's avatar
garciay committed
                testcase TC_SEC_ITSS_SND_CERT_AA_02_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
garciay's avatar
garciay committed
                    var CertificateChain         v_chain;
                    
                    // Test control
                    if (not(PICS_GN_SECURITY)) {
                        log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
                        stop;
                    }
                    
                    // Test component configuration
                    f_cf01Up();
                    
                    // Test adapter configuration
                    
                    // Preamble
                    f_prNeighbour();
                    f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
                    
                    // Test Body
                    log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain  ***");
                    tc_ac.start;
                    if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
                        log("*** " & testcasename() & ": INCONC: Expected message not received ***");
                        f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
                    }
                    tc_ac.stop;
                    if (lengthof(v_chain) < 2) {
                        log("*** " & testcasename() & ": FAIL: Certificate chain is too short ***");
                        f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
                    }
                    // Verified automatically on decoding
                    if (lengthof(v_chain[lengthof(v_chain) - 2].subject_info.subject_name) > 32 ) {
                        log("*** " & testcasename() & ": FAIL: Subject name of the AA certificate is too long ***");
                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                    }
                    log("*** " & testcasename() & ": PASS: Subject name of the AA certificate is good ***");
                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
                    
                    // Postamble
                    f_poNeighbour();
                    f_cf01Down();
garciay's avatar
garciay committed
                } // End of testcase TC_SEC_ITSS_SND_CERT_AA_02_01_BV
garciay's avatar
garciay committed
                
                /**
garciay's avatar
garciay committed
                 * @desc Check that signer_info type of AA certificates is set to 'certificate_digest_with_sha256'
garciay's avatar
garciay committed
                 * <pre>
                 * Pics Selection: PICS_GN_SECURITY
                 * Config Id: CF01
                 * with {
                 *   the IUT being in the 'authorized' state
                 *   the IUT being requested to include certificate chain in the next CAM
                 * } ensure that {
                 *    when {
                 *     the IUT is requested to send a CAM
                 *   } then {
                 *     the IUT sends a SecuredMessage
garciay's avatar
garciay committed
                 *       containing header_fields['signer_info'].signer
garciay's avatar
garciay committed
                 *         containing type
garciay's avatar
garciay committed
                 *           indicating 'certificate_chain'
garciay's avatar
garciay committed
                 *         containing certificates[last-1]
                 *           containing signer_info
garciay's avatar
garciay committed
                 *             containing type
                 *               indicating 'certificate_digest_with_sha256'
                 *   }
                 * }
                 * </pre>
garciay's avatar
garciay committed
                 * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_AA_03_01_BV
garciay's avatar
garciay committed
                 * @reference   ETSI TS 103 097 [1], clause 7.4.4
garciay's avatar
garciay committed
                 */
garciay's avatar
garciay committed
                testcase TC_SEC_ITSS_SND_CERT_AA_03_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
garciay's avatar
garciay committed
                    var CertificateChain         v_chain;
                    var Certificate              v_aa_cert;
                    
                    // Test control
                    if (not(PICS_GN_SECURITY)) {
                        log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
                        stop;
                    }
                    
                    // Test component configuration
                    f_cf01Up();
                    
                    // Test adapter configuration
                    
                    // Preamble
                    f_prNeighbour();
                    f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
                    
                    // Test Body
                    log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain  ***");
                    tc_ac.start;
                    if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
                        log("*** " & testcasename() & ": INCONC: Expected message not received ***");
                        f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
                    }
                    tc_ac.stop;
                    if (lengthof(v_chain) < 2) {
                        log("*** " & testcasename() & ": FAIL: Certificate chain is too short ***");
                        f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
                    }
                    v_aa_cert := v_chain[lengthof(v_chain) - 2];
                    if (not match(v_aa_cert, mw_aa_certificate(mw_signerInfo_digest))) {
                        log("*** " & testcasename() & ": FAIL: AA certificate not signed by digest ***");
                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                    }
                    log("*** " & testcasename() & ": PASS: AA certificate is signed by digest ***");
                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
                    
                    // Postamble
                    f_poNeighbour();
                    f_cf01Down();
garciay's avatar
garciay committed
                } // End of testcase TC_SEC_ITSS_SND_CERT_AA_03_01_BV
                
garciay's avatar
garciay committed
                /**
                 * @desc Check that AA certificate is signed by Root CA or other authority
                 * @remark There is no clear specification that AA cert shall be signed by the Root CA only
                 * <pre>
                 * Pics Selection: PICS_GN_SECURITY
                 * Config Id: CF01
                 * with {
                 *   the IUT being in the 'authorized' state
                 *   the IUT being requested to include certificate in the next CAM
                 * } ensure that {
                 *    when {
                 *     the IUT is requested to send a CAM
                 *   } then {
                 *     the IUT sends a SecuredMessage
                 *       containing header_fields['signer_info'].signer
                 *         containing type
                 *           indicating 'certificate_chain'
                 *         containing certificates
                 *           containing certificates[last-1]
                 *             containing signer_info
                 *               containing type
                 *                 indicating 'certificate_digest_with_ecdsap256'
                 *               and containing digest
                 *                 referencing to the trusted certificate
                 *                   containing subject_info.subject_type
                 *                     indicating 'root_ca'
                 *                     or indicating 'authorisation_authority'
                 *   }
                 * }
                 * </pre>
garciay's avatar
garciay committed
                 * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_AA_04_01_BV
                 * @reference   ETSI TS 103 097 [1], clauses 6.3
garciay's avatar
garciay committed
                 */
                testcase TC_SEC_ITSS_SND_CERT_AA_04_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
                    var CertificateChain    v_chain;
                    var Certificate         v_aa_cert, v_ca_cert;
                    var SignerInfo          v_si;
                    var HashedId8           v_ca_digest;
                    
                    // Test control
                    if (not(PICS_GN_SECURITY)) {
                        log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
                        stop;
                    }
                    
                    // Test component configuration
                    f_cf01Up();
                    
                    // Test adapter configuration
                    
                    // Preamble
                    f_prNeighbour();
                    f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
                    
                    // Test Body
                    log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain  ***");
                    tc_ac.start;
                    if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
                        log("*** " & testcasename() & ": INCONC: Expected message not received ***");
                        f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
                    }
                    tc_ac.stop;
                    v_aa_cert := v_chain[lengthof(v_chain) - 2];
                    // Process signerInfo field
                    if ( true != f_getCertificateSignerInfo(v_aa_cert, v_si)) {
                        log("*** " & testcasename() & ": FAIL: AA certificate must contain SignerInfo fields ***");
                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                    }
                    if (v_si.type_ == e_certificate_digest_with_sha256) {
                        log("*** " & testcasename() & ": FAIL: AA certificate must contain SignerInfo field containing a certificate_digest_with_ecdsap256 ***");
                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                    }
                    
                    f_readCertificate(cc_taCert_CA, v_ca_cert);
                    v_ca_digest := f_calculateDigestFromCertificate(v_ca_cert); 
                    
                    if (not match(v_aa_cert, mw_aa_certificate(mw_signerInfo_digest(v_ca_digest)))) {
garciay's avatar
garciay committed
                        log("*** " & testcasename() & ": FAIL: AA certificate signer info doesn't reference the CA certificate from the chain ***");
garciay's avatar
garciay committed
                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                    }
                    
                    if (not f_verifyCertificateSignatureWithIssuingCertificate(v_aa_cert, v_ca_cert)) {
                        log("*** " & testcasename() & ": FAIL: AT certificate signature verification failed ***");
                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                    }
                    
                    log("*** " & testcasename() & ": PASS: AA certificate was signed by the CA certificate from the given chain ***");
                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
                    
                    // Postamble
                    f_poNeighbour();
                    f_cf01Down();
                } // End of testcase TC_SEC_ITSS_SND_CERT_AA_04_01_BV
garciay's avatar
garciay committed
                
                /**
garciay's avatar
garciay committed
                 * @desc Check that all neccesary subject attributes are present and arranged in accesing order
garciay's avatar
garciay committed
                 * <pre>
                 * Pics Selection: PICS_GN_SECURITY
                 * Config Id: CF01
                 * with {
                 *   the IUT being in the 'authorized' state
                 *   the IUT being requested to include certificate chain in the next CAM
                 * } ensure that {
                 *    when {
                 *     the IUT is requested to send a CAM
                 *   } then {
                 *     the IUT sends a SecuredMessage
garciay's avatar
garciay committed
                 *       containing header_fields['signer_info'].signer
garciay's avatar
garciay committed
                 *         containing type
garciay's avatar
garciay committed
                 *           indicating 'certificate_chain'
garciay's avatar
garciay committed
                 *         containing certificates[last-1]
                 *           containing subject_attributes [0..N]
garciay's avatar
garciay committed
                 *             indicating subject_attributes[n].type < subject_attributes[n+ 1].type
                 *             containing subject_attributes['verification_key']
                 *             containing subject_attributes['assurance_level']
                 *             containing subject_attributes['its_aid_list']
                 *   }
                 * }
                 * </pre>
garciay's avatar
garciay committed
                 * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_AA_05_01_BV
garciay's avatar
garciay committed
                 * @reference   ETSI TS 103 097 [1], clauses 6.1, 7.4.1 and 7.4.4
garciay's avatar
garciay committed
                 */
garciay's avatar
garciay committed
                testcase TC_SEC_ITSS_SND_CERT_AA_05_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
garciay's avatar
garciay committed
                    var CertificateChain         v_chain;
                    var SubjectAttributes        v_attrs;
                    
                    // Test control
                    if (not(PICS_GN_SECURITY)) {
                        log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
                        stop;
                    }
                    
                    // Test component configuration
                    f_cf01Up();
                    
                    // Test adapter configuration
                    
                    // Preamble
                    f_prNeighbour();
                    f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
                    
                    // Test Body
                    log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain  ***");
                    tc_ac.start;
                    if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
                        log("*** " & testcasename() & ": INCONC: Expected message not received ***");
                        f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
                    }
                    tc_ac.stop;
                    if (lengthof(v_chain) < 2) {
                        log("*** " & testcasename() & ": FAIL: Certificate chain is too short ***");
                        f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
                    }
                    if (not match(v_chain[lengthof(v_chain) - 2], 
                                 mw_aa_certificate(?,
                                        superset(mw_subject_attribute_verification_key,
                                                 mw_subject_attribute_assurance_level,
                                                 mw_subject_attribute_its_aid_list)))
                     ) {
                        log("*** " & testcasename() & ": FAIL: Required subject attribute of AA certificate is not found ***");
                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                    }
                    
                    v_attrs := v_chain[lengthof(v_chain) - 2].subject_attributes;
                    for (var integer v_counter := 1; v_counter < lengthof(v_attrs); v_counter := v_counter + 1 ) {
                        if (v_attrs[v_counter].type_ <= v_attrs[v_counter-1].type_) {
                            log("*** " & testcasename() & ": FAIL: AA certificate subject attributes are not arranged in accening order ***");
                            f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                        }
                    }
                    
                    log("*** " & testcasename() & ": PASS: All required AA certificate subject attributes are presents ***");
                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
                    
                    // Postamble
                    f_poNeighbour();
                    f_cf01Down();
garciay's avatar
garciay committed
                } // End of testcase TC_SEC_ITSS_SND_CERT_AA_05_01_BV
garciay's avatar
garciay committed
                
                /**
garciay's avatar
garciay committed
                 * @desc Check that all AIDs containing in the its_aid_list in AA certificate are unique
garciay's avatar
garciay committed
                 *       Check that AID list contains not more then 31 items
garciay's avatar
garciay committed
                 * <pre>
                 * Pics Selection: PICS_GN_SECURITY
                 * Config Id: CF01
                 * with {
                 *   the IUT being in the 'authorized' state
                 *   the IUT being requested to include certificate chain in the next CAM
                 * } ensure that {
                 *    when {
                 *     the IUT is requested to send a CAM
                 *   } then {
                 *     the IUT sends a SecuredMessage
garciay's avatar
garciay committed
                 *       containing header_fields['signer_info'].signer
garciay's avatar
garciay committed
                 *         containing type
garciay's avatar
garciay committed
                 *           indicating 'certificate_chain'
garciay's avatar
garciay committed
                 *         containing certificates[last-1]
                 *           containing subject_attributes['its_aid_list']
                 *             containing its_aid_list[0..N]
                 *               containing no more then 31 unique item
garciay's avatar
garciay committed
                 *   }
                 * }
                 * </pre>
garciay's avatar
garciay committed
                 * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_AA_08_01_BV
garciay's avatar
garciay committed
                 * @reference   ETSI TS 103 097 [1], clauses 7.4.4
garciay's avatar
garciay committed
                 */
garciay's avatar
garciay committed
                testcase TC_SEC_ITSS_SND_CERT_AA_08_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
garciay's avatar
garciay committed
                    var CertificateChain         v_chain;
                    var Certificate              v_aa_cert;
garciay's avatar
garciay committed
                    var SubjectAttribute         v_sa;
garciay's avatar
garciay committed
                    
                    // Test control
                    if (not(PICS_GN_SECURITY)) {
                        log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
                        stop;
                    }
                    
                    // Test component configuration
                    f_cf01Up();
                    
                    // Test adapter configuration
                    
                    // Preamble
                    f_prNeighbour();
                    f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
                    
                    // Test Body
                    log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain  ***");
                    tc_ac.start;
                    if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
                        log("*** " & testcasename() & ": INCONC: Expected message not received ***");
                        f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
                    }
                    tc_ac.stop;
                    if (lengthof(v_chain) < 2) {
                        log("*** " & testcasename() & ": FAIL: Certificate chain is too short ***");
                        f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
                    }
                    v_aa_cert := v_chain[lengthof(v_chain) - 2];
garciay's avatar
garciay committed
                    if (f_getCertificateSubjectAttribute(v_aa_cert, e_its_aid_list, v_sa)) {
                        
                        if (lengthof(v_sa.attribute.its_aid_list) > 31) {
                            log("*** " & testcasename() & ": FAIL: ITS-AID list contains " & int2str(lengthof(v_sa.attribute.its_aid_list)) & " items (>31) ***");
                            f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                        }
                        
                        for (var integer v_counter :=0; v_counter < lengthof(v_sa.attribute.its_aid_list); v_counter := v_counter + 1) {
                            for (var integer j :=0; j < lengthof(v_sa.attribute.its_aid_list); j := j + 1) {
                                if (v_counter != j and v_sa.attribute.its_aid_list[v_counter] == v_sa.attribute.its_aid_list[j]) {
                                    log("*** " & testcasename() & ": FAIL: ITS-AID " & int2str(v_sa.attribute.its_aid_list[j]) & " is duplicated in AA certificate ***");
                                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                                }
                            }
                        } // End of 'for' statement
                    } else {
                        log("*** " & testcasename() & ": FAIL: AA certificate does not contain its_aid_list subject attribute ***");
garciay's avatar
garciay committed
                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                    }
                    
                    log("*** " & testcasename() & ": PASS: Time validity restriction of the AA certificate is good ***");
                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
                    
                    // Postamble
                    f_poNeighbour();
                    f_cf01Down();
garciay's avatar
garciay committed
                } // End of testcase TC_SEC_ITSS_SND_CERT_AA_08_01_BV
garciay's avatar
garciay committed
                
                /**
garciay's avatar
garciay committed
                 * @desc Check that all mandatory validity restrictions are present and arranged in ascending order
garciay's avatar
garciay committed
                 * <pre>
                 * Pics Selection: PICS_GN_SECURITY
                 * Config Id: CF01
                 * with {
                 *   the IUT being in the 'authorized' state
                 *   the IUT being requested to include certificate chain in the next CAM
                 * } ensure that {
                 *    when {
                 *     the IUT is requested to send a CAM
                 *   } then {
                 *     the IUT sends a SecuredMessage
garciay's avatar
garciay committed
                 *       containing header_fields['signer_info'].signer
                 *           containing type
                 *               indicating 'certificate_chain'
                 *           and containing certificates