ItsSecurity_TestCases.ttcn3 1.39 MB
Newer Older
                f_prNeighbour();
garciay's avatar
garciay committed
                log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain  ***");
                tc_ac.start;
                if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
                    log("*** " & testcasename() & ": INCONC: Expected message not received ***");
                    f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
                } else {
                    f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
                }
garciay's avatar
garciay committed
                f_vr := false;
                tc_ac.stop;
                for (var integer v_counter := 0; v_counter < lengthof(v_chain); v_counter := v_counter + 1) {
                    v_vri := v_vr;
                    f_vri := f_vr;
                    f_vr := f_getCertificateValidityRestriction(v_chain[v_counter], e_region, v_vr);
                    if (f_vr) {
                        var PolygonalRegion v_pr;
                        var integer v_length;
                        
                        if (v_vr.validity.region.region_type != e_polygon) {
                            log("*** " & testcasename() & ": INCONC: Certificate validity restriction region is not polygonal ***");
                            f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                        }
                        
                        v_pr := v_vr.validity.region.region.polygonal_region;
                        v_length := lengthof(v_pr);
                        
                        if (v_length < 3) {
                            log("*** " & testcasename() & ": FAIL: Count of points in polygonal region is too small in cert " & int2str(v_counter) & " ***");
                            f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                        }
                        
                        if (v_length > 12) {
                            log("*** " & testcasename() & ": FAIL: Count of points in polygonal region is too big  in cert " & int2str(v_counter) & "***");
                            f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                        }
                        
                        if (true != f_isValidPolygonalRegion(v_pr)) {
                            log("*** " & testcasename() & ": FAIL: Polygonal region is not valid (self-intersected) in cert " & int2str(v_counter) & " ***");
                            f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                        }
                        
                        if (f_vri) {
                            // current restrictions must be inside of the parent one
                            if (true != f_isPolygonalRegionInside(v_vri.validity.region.region.polygonal_region, v_pr)) {
                                log("*** " & testcasename() & ": FAIL: Certificate validity restriction region in cert " & int2str(v_counter) & " is not inside the issuing one ***");
                                f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                            }
garciay's avatar
garciay committed
                            // FIXME Check holes
garciay's avatar
garciay committed
                        }
                    } else {
                        // Region validity restriction is not exist
                        if (f_vri) {
                            log("*** " & testcasename() & ": FAIL: Certificate validity restriction region must be set in the certificate "  & int2str(v_counter) &
                                                                  "because this restriction exists in the issuing certificate ***");
                            f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                        }
                    }
                } // End of 'for' statement
garciay's avatar
garciay committed
                log("*** " & testcasename() & ": PASS: All certificates has a valid polygonal region restrictions ***");
                f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
                
                // Postamble
                f_poNeighbour();
                f_cf01Down();
garciay's avatar
garciay committed
                
garciay's avatar
garciay committed
            } // End of testcase TC_SEC_ITSS_SND_CERT_05_02_BV
garciay's avatar
garciay committed
            
garciay's avatar
garciay committed
             * @desc Check that the identified certificate validity region contains values that correspond to numeric country codes 
             *       as defined in ISO 3166-1 or defined by United Nations Statistics Division 
garciay's avatar
garciay committed
             * Pics Selection: PICS_GN_SECURITY and PICS_CERTIFICATE_SELECTION and PICS_USE_IDENTIFIED_REGION
             * Config Id: CF01
garciay's avatar
garciay committed
             * with {
             *   the IUT being in the 'authorized' state
             *   the IUT being requested to include certificate in the next CAM
             * } ensure that {
             *    when {
             *     the IUT is requested to send a CAM
             *   } then {
             *     the IUT sends a SecuredMessage
             *         containing header_fields['signer_info'].signer
             *             containing type
             *                 indicating 'certificate'
             *             and containing certificate 
             *                 containing validity_restrictions['region']
             *                     containing region
             *                         containing region_type
             *                             indicating 'id'
             *                         and containing id_region
             *                             containing region_dictionary
             *                                 indicating 'iso_3166_1' (0)
             *                             and containing region_identifier
             *                                 indicating valid value according to 'iso_3166_1'
             *                         and containing local_region
             *                     or containing region
             *                         containing id_region
             *                             containing region_dictionary
             *                                  indicating 'un_stats'
             *                             and containing region_identifier
             *                                 indicating valid value according to UN STATS
             *                             and containing local_region
             *   }
             * }
garciay's avatar
garciay committed
             * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_06_01_BV
garciay's avatar
garciay committed
             * @reference   ETSI TS 103 097 [1], clause 4.2.26 and 7.4.1
garciay's avatar
garciay committed
            testcase TC_SEC_ITSS_SND_CERT_06_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
garciay's avatar
garciay committed
                var Certificate         v_cert;
                var ValidityRestriction v_vr;
                var integer             v_counter;
garciay's avatar
garciay committed
                // Test control
garciay's avatar
garciay committed
                if (not(PICS_GN_SECURITY) or not(PICS_CERTIFICATE_SELECTION) or not(PICS_USE_IDENTIFIED_REGION)) {
                    log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY and PICS_CERTIFICATE_SELECTION and PICS_USE_IDENTIFIED_REGION' required for executing the TC ***");
garciay's avatar
garciay committed
                    
                // Test component configuration
                vc_hashedId8ToBeUsed := cc_iutCert_E;
                // Test adapter configuration
                
                // Preamble
                f_prNeighbour();
                f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
                
garciay's avatar
garciay committed
                // Test body
                tc_ac.start;
                if (not f_waitForCertificate(v_cert)) {
                    log("*** " & testcasename() & ": INCONC: Expected message not received ***");
                    f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
                }
garciay's avatar
garciay committed
                tc_ac.stop;
                if (f_getCertificateValidityRestriction(v_cert, e_region, v_vr)) {
                    if (v_vr.validity.region.region_type == e_id) {
                        if (not match (v_vr.validity.region, mw_geographicRegion_identified(mw_identifiedRegion_iso3166_any))) {
                            log("*** " & testcasename() & ": FAIL: Identified region is not conformed to ISO 3166-1 ***");
                            f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                        } else if (not match (v_vr.validity.region, mw_geographicRegion_identified(mw_identifiedRegion_un_stats_any))) {
                            log("*** " & testcasename() & ": FAIL: Identified region is not conformed to United Nations Statistics Division ***");
                            f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                        }
                    }
                    log("*** " & testcasename() & ": PASS: Certificate has a valid  region ID restrictions ***");
                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                } else {
                    log("*** " & testcasename() & ": FAIL: Certificate doesn't have any location restrictions ***");
                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                }
                
                // Postamble
                f_poNeighbour();
                f_cf01Down();
garciay's avatar
garciay committed
                
garciay's avatar
garciay committed
            } // End of testcase TC_SEC_ITSS_SND_CERT_06_01_BV
garciay's avatar
garciay committed
             * @desc Check that the identified certificate validity region contains values that correspond to numeric country codes 
             *       as defined in ISO 3166-1 or defined by United Nations Statistics Division
             *       Check that the identified certificate validity region contains values defining the region which is inside 
             *       the validity region of the issuing certificate 
garciay's avatar
garciay committed
             * @remark The case when signing certificate and issuing certificate contain different type of region validity restriction is not supported by this test 
garciay's avatar
garciay committed
             * Pics Selection: PICS_GN_SECURITY and PICS_CERTIFICATE_SELECTION and PICS_USE_IDENTIFIED_REGION
             * Config Id: CF01
garciay's avatar
garciay committed
             * with {
             *   the IUT being in the 'authorized' state
             *   the IUT being requested to include certificate chain in the next CAM
             * } ensure that {
             *    when {
             *     the IUT is requested to send a CAM
             *   } then {
             *     the IUT sends a SecuredMessage
             *         containing header_fields['signer_info'].signer
             *             containing type
             *                 indicating 'certificate_chain'
             *             and containing certificate 
             *                 indicating length N > 1
garciay's avatar
garciay committed
             *                 and containing certificates[n] (0..N)
garciay's avatar
garciay committed
             *                     containing validity_restrictions['region']
             *                         containing region
             *                             containing region_type
             *                                 indicating 'id'
             *                             and containing id_region
             *                                     containing region_dictionary
             *                                     indicating 'iso_3166_1' (0)
             *                                 and containing region_identifier
             *                                     indicating valid value according to 'iso_3166_1'
             *                             and containing local_region
             *                         or containing region
             *                             containing id_region
             *                                 containing region_dictionary
             *                                     indicating 'un_stats'
             *                                 and containing region_identifier
             *                                     indicating valid value according to UN STATS
             *                                 and containing local_region
             *   }
             * }
garciay's avatar
garciay committed
             * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_06_02_BV
garciay's avatar
garciay committed
             * @reference   ETSI TS 103 097 [1], clause 4.2.26 and 7.4.1
garciay's avatar
garciay committed
            testcase TC_SEC_ITSS_SND_CERT_06_02_BV() runs on ItsGeoNetworking system ItsSecSystem {
garciay's avatar
garciay committed
                var CertificateChain         v_chain;
                var ValidityRestriction v_vr := valueof(m_validity_restriction_unknown), v_vri := valueof(m_validity_restriction_unknown);  // current and issuing cert validity restrictions
                var boolean f_vr := false, f_vri := false;
garciay's avatar
garciay committed
                // Test control
garciay's avatar
garciay committed
                if (not(PICS_GN_SECURITY) or not(PICS_CERTIFICATE_SELECTION) or not(PICS_USE_IDENTIFIED_REGION)) {
                    log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY and PICS_CERTIFICATE_SELECTION and PICS_USE_IDENTIFIED_REGION' required for executing the TC ***");
garciay's avatar
garciay committed
                    
                // Test component configuration
                vc_hashedId8ToBeUsed := cc_iutCert_E;
                // Test adapter configuration
                
                // Preamble
                f_prNeighbour();
garciay's avatar
garciay committed
                log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain  ***");
                tc_ac.start;
                if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
                    log("*** " & testcasename() & ": INCONC: Expected message not received ***");
                    f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
                } else {
                    f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
                }
garciay's avatar
garciay committed
                f_vr := false;
                tc_ac.stop;
                for (var integer v_counter := 0; v_counter < lengthof(v_chain); v_counter := v_counter + 1) {
                    v_vri := v_vr;
                    f_vri := f_vr;
                    f_vr := f_getCertificateValidityRestriction(v_chain[v_counter], e_region, v_vr);
                    
                    if (f_vr) {
                        if (v_vr.validity.region.region_type == e_id) {
                            if (not match (v_vr.validity.region, mw_geographicRegion_identified(mw_identifiedRegion_iso3166_any))) {
                                log("*** " & testcasename() & ": FAIL: Identified region is not conformed to ISO 3166-1 ***");
                                f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                            }
                            if (not match (v_vr.validity.region, mw_geographicRegion_identified(mw_identifiedRegion_un_stats_any))) {
                                log("*** " & testcasename() & ": FAIL: Identified region is not conformed to United Nations Statistics Division ***");
                                f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                            }
                        }
                        
                        if (f_vri) {
                            // the region code must be the same
                            if (v_vr.validity.region.region.id_region.region_identifier !=
                               v_vri.validity.region.region.id_region.region_identifier) {
                                log("*** " & testcasename() & ": FAIL: Certificate validity restriction identified region in cert " & int2str(v_counter) & " is not the same as in the issuing one ***");
                                f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                            }
                            if (    v_vri.validity.region.region.id_region.local_region != 0 
                               and v_vri.validity.region.region.id_region.local_region != v_vr.validity.region.region.id_region.local_region ) {
                                log("*** " & testcasename() & ": FAIL: Certificate validity restriction local identified region in cert " & int2str(v_counter) & " is not the same as in the issuing one ***");
                                f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                            }
                        }
                        
                    } else {
                        // Region validity restriction is not exist
                        if (f_vri) {
                            log("*** " & testcasename() & ": FAIL: Certificate validity restriction identified region must be set in the certificate "  & int2str(v_counter) &
                                                                  "because this restriction exists in the issuing certificate ***");
                            f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                        }
                    }
garciay's avatar
garciay committed
                log("*** " & testcasename() & ": PASS: All certificates has a valid identified regionrestrictions ***");
                f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
                
                // Postamble
                f_poNeighbour();
                f_cf01Down();
garciay's avatar
garciay committed
            } // End of testcase TC_SEC_ITSS_SND_CERT_06_02_BV
garciay's avatar
garciay committed
            
garciay's avatar
garciay committed
             * @desc Check that the region of the subordinate certificate validity restriction is inside the region of the issuing certificate validity restriction 
             * <pre>
garciay's avatar
garciay committed
             * Pics Selection: PICS_GN_SECURITY and PICS_CERTIFICATE_SELECTION
garciay's avatar
garciay committed
             * Config Id: CF01
             * with {
             *   the IUT being in the 'authorized' state
             *   the IUT being requested to include certificate chain in the next CAM
             * } ensure that {
             *    when {
             *     the IUT is requested to send a CAM
             *   } then {
             *     the IUT sends a SecuredMessage
             *         containing header_fields['signer_info'].signer
             *             containing type
             *                 indicating 'certificate_chain'
             *             and containing certificates 
             *                 indicating length N > 1
             *                 and containing certificates[n] (0..N)
             *                     indicating certificate
             *                         not containing validity_restrictions['region']
             *                         and containing signer_info
             *                             containing digest
             *                                 referenced to the certificate
             *                                     not containing validity_restrictions['region']
             *                     or indicating certificate
             *                         containing validity_restrictions['region']
             *                             containing region.region_type
             *                                 indicating 'none'
             *                         and containing signer_info
             *                             containing digest
             *                                 referenced to the certificate
             *                                     not containing validity_restrictions['region']
             *                                     or containing validity_restrictions['region']
             *                                         containing region.region_type
             *                                             indicating 'none'
             *                     or indicating certificate
             *                         containing validity_restrictions['region']
             *                             containing region.region_type
             *                                 indicated 'circle'
             *                                 or indicated 'rectangle'
             *                                 or indicated 'polygon'
             *                                 or indicated 'id'
             *                             and containing region (X_CERT__REGION)
             *                         and containing signer_info
             *                             containing digest
             *                                 referenced to the certificate
             *                                     not containing validity_restrictions['region']
             *                                     or containing validity_restrictions['region']
             *                                         containing region.region_type
             *                                             indicating 'none'
             *                                     or containing validity_restrictions['region']
             *                                         containing region
             *                                             indicating region fully covering the X_CERT_REGION
             *   }
             * }
             * </pre>
garciay's avatar
garciay committed
             * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_07_01_BV
garciay's avatar
garciay committed
             * @reference   ETSI TS 103 097 [1], clause 4.2.26 and 7.4.1
garciay's avatar
garciay committed
             */
garciay's avatar
garciay committed
            testcase TC_SEC_ITSS_SND_CERT_07_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
garciay's avatar
garciay committed
                var CertificateChain    v_chain;
                var Certificate         v_cert, v_cert_issuer;
                var SignerInfo          v_si;
                var UInt8               v_counter;
                var HashedId8           v_digest;
                var CertificatesCaching v_certificatesCaching;
                var FncRetCode          v_result_status := e_success;
                
                // Test control
garciay's avatar
garciay committed
                if (not(PICS_GN_SECURITY) or not(PICS_CERTIFICATE_SELECTION)) {
                    log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY and PICS_CERTIFICATE_SELECTION' required for executing the TC ***");
garciay's avatar
garciay committed
                    stop;
                }
                    
                // Test component configuration
//                vc_hashedId8ToBeUsed := cc_iutCert_E;
                f_cf01Up();
                
                // Test adapter configuration
                
                // Preamble
                f_prNeighbour();
                log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain  ***");
                tc_ac.start;
                if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
                    log("*** " & testcasename() & ": INCONC: Expected message not received ***");
                    f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
                } else {
                    f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
                }
                
                // Test Body
                // 1. Create a cache of certificates
                f_createCertificatesCaching(v_chain, v_certificatesCaching);
                // 2. Process the certificates
                v_counter := f_getCertificatesCachingItemSize(v_certificatesCaching) - 1;
                while (v_counter != 0) {
                    // Get the first certificate
                    if (f_getCertificatesCachingItem(v_certificatesCaching, v_counter, v_cert) == false) {
                        v_result_status := e_error;
                        break;
                    }
                    // Retrive SigneInfo field
                    if (not f_getCertificateSignerInfo(v_cert, v_si)) {
                        log("*** " & testcasename() & ": FAIL: Certificate " & int2str(v_counter) & " doesn't have a signer info ***");
                        v_result_status := e_error;
                        break;
                    }
                    if (not match (v_si.type_, e_certificate_digest_with_sha256)) {
                        log("*** " & testcasename() & ": FAIL: Certificate is not signed with digest ***");
                        v_result_status := e_error;
                        break;
                    }
                    // Get issuer
                    if (f_getCertificateFromCaching(v_certificatesCaching, v_si.signerInfo.digest, v_cert_issuer) == false) {
                        log("*** " & testcasename() & ": FAIL: Certificate is not signed with digest ***");
                        v_result_status := e_error;
                        break;
                    }
                    // Check that cert is signed by issuing cert
                    v_digest := f_calculateDigestFromCertificate(v_cert_issuer);
                    if (not match (v_si.signerInfo.digest, v_si.signerInfo.digest)) {
                        log("*** " & testcasename() & ": FAIL: Certificate chain is not valid ***");
                        v_result_status := e_error;
                        break;
                    }
                    // Check that the region of the subordinate certificate validity restriction is inside the region of the issuing certificate validity restriction 
                    if (f_checkRegionValidityRestiction(v_cert, v_cert_issuer) == false) {
                        v_result_status := e_error;
                        break;
                    }
                    
                    // Prepare next loop
                    v_counter := v_counter - 1;
                    
                } // End of 'while' statement
                if (v_result_status == e_success) {
                    log("*** " & testcasename() & ": PASS: All certificates has a valid identified region restrictions ***");
                }
                f_selfOrClientSyncAndVerdictTestBody(c_tbDone, v_result_status);
                
                // Postamble
                f_poNeighbour();
                f_cf01Down();
garciay's avatar
garciay committed
            } // End of testcase TC_SEC_ITSS_SND_CERT_07_01_BV
garciay's avatar
garciay committed
            
            /**
             * @desc Check that the region of the subordinate certificate validity restriction is inside the region of the issuing certificate validity restriction
             * <pre>
garciay's avatar
garciay committed
             * Pics Selection: PICS_GN_SECURITY and PICS_CERTIFICATE_SELECTION and PICS_USE_IDENTIFIED_REGION
garciay's avatar
garciay committed
             * Config Id: CF01
             * with {
             *   the IUT being in the 'authorized' state
             *   the IUT being requested to include certificate chain in the next CAM
             *   the IUT being requested to include certificate chain in the next CAM
             * } ensure that {
             *    when {
             *     the IUT is requested to send a CAM
             *   } then {
             *     the IUT sends a SecuredMessage
             *         containing header_fields['signer_info'].signer
             *             containing type
             *                 indicating 'certificate_chain'
             *             and containing certificates 
             *                 indicating length N > 1
             *                 and containing certificates[n] (0..N)
             *                     indicating certificate
             *                         containing validity_restrictions['region']
             *                             containing region.region_type
             *                                 indicated 'id'
             *                             and containing id_region
             *                                 containing region_dictionary
             *                                     indicating 'iso_3166_1' 
             *                                     or indicating 'un_stat' 
             *                                 and containing region_identifier (X_CERT_REGION_ID)
             *                                     indicating valid value according to 'iso_3166_1' or 'un_stat' 
             *                                 and containing local_region (X_CERT_LOCAL_REGION)
             *                         and containing signer_info
             *                             containing digest
             *                                 referenced to the certificate
             *                                     containing validity_restrictions['region']
             *                                         containing region
             *                                             indicated 'id'
             *                                         and containing id_region
             *                                             containing region_dictionary
             *                                                 indicating 'iso_3166_1' 
             *                                                 or indicating 'un_stat' 
             *                                             and containing region_identifier
             *                                                 indicating value == X_CERT_REGION_ID
             *                                             and containing local_region
             *                                                 indicating value == X_CERT_LOCAL_REGION
             *                                                 or indicating 0
             *                                             or containing id_region
             *                                                 containing region_dictionary
             *                                                    indicating 'un_stats'
             *                                                 and containing region_identifier
             *                                                     indicating region fully covering the X_CERT_REGION
             *   }
             * }
             * </pre>
garciay's avatar
garciay committed
             * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_07_02_BV
garciay's avatar
garciay committed
             * @reference   ETSI TS 103 097 [1], clause 4.2.26 and 7.4.1
garciay's avatar
garciay committed
             */
garciay's avatar
garciay committed
            testcase TC_SEC_ITSS_SND_CERT_07_02_BV() runs on ItsGeoNetworking system ItsSecSystem {
garciay's avatar
garciay committed
                var CertificateChain    v_chain;
                var Certificate         v_cert, v_cert_issuer;
                var SignerInfo          v_si;
                var UInt8               v_counter;
                var HashedId8           v_digest;
                var CertificatesCaching v_certificatesCaching;
                var FncRetCode          v_result_status := e_success;
                
                // Test control
garciay's avatar
garciay committed
                if (not(PICS_GN_SECURITY) or not(PICS_CERTIFICATE_SELECTION) or not(PICS_USE_IDENTIFIED_REGION)) {
                    log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY and PICS_CERTIFICATE_SELECTION and PICS_USE_IDENTIFIED_REGION' required for executing the TC ***");
garciay's avatar
garciay committed
                    stop;
                }
                    
                // Test component configuration
//                vc_hashedId8ToBeUsed := cc_iutCert_E;
                f_cf01Up();
                
                // Test adapter configuration
                
                // Preamble
                f_prNeighbour();
                log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain  ***");
                tc_ac.start;
                if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
                    log("*** " & testcasename() & ": INCONC: Expected message not received ***");
                    f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
                } else {
                    f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
                }
                
                // Test Body
                // 1. Create a cache of certificates
                f_createCertificatesCaching(v_chain, v_certificatesCaching);
                // 2. Process the certificates
                v_counter := f_getCertificatesCachingItemSize(v_certificatesCaching) - 1;
                while (v_counter != 0) {
                    // Get the first certificate
                    if (f_getCertificatesCachingItem(v_certificatesCaching, v_counter, v_cert) == false) {
                        v_result_status := e_error;
                        break;
                    }
                    // Retrive SigneInfo field
                    if (not f_getCertificateSignerInfo(v_cert, v_si)) {
                        log("*** " & testcasename() & ": FAIL: Certificate " & int2str(v_counter) & " doesn't have a signer info ***");
                        v_result_status := e_error;
                        break;
                    }
                    if (not match (v_si.type_, e_certificate_digest_with_sha256)) {
                        log("*** " & testcasename() & ": FAIL: Certificate is not signed with digest ***");
                        v_result_status := e_error;
                        break;
                    }
                    // Get issuer
                    if (f_getCertificateFromCaching(v_certificatesCaching, v_si.signerInfo.digest, v_cert_issuer) == false) {
                        log("*** " & testcasename() & ": FAIL: Certificate is not signed with digest ***");
                        v_result_status := e_error;
                        break;
                    }
                    // Check that cert is signed by issuing cert
                    v_digest := f_calculateDigestFromCertificate(v_cert_issuer);
                    if (not match (v_si.signerInfo.digest, v_si.signerInfo.digest)) {
                        log("*** " & testcasename() & ": FAIL: Certificate chain is not valid ***");
                        v_result_status := e_error;
                        break;
                    }
                    // Check that the region of the subordinate certificate validity restriction is inside the region of the issuing certificate validity restriction 
                    if (f_checkRegionValidityRestiction(v_cert, v_cert_issuer) == false) {
                        v_result_status := e_error;
                        break;
                    }
                    
                    // Prepare next loop
                    v_counter := v_counter - 1;
                    
                } // End of 'while' statement
                if (v_result_status == e_success) {
                    log("*** " & testcasename() & ": PASS: All certificates has a valid identified region restrictions ***");
                }
                f_selfOrClientSyncAndVerdictTestBody(c_tbDone, v_result_status);
                
                // Postamble
                f_poNeighbour();
                f_cf01Down();
garciay's avatar
garciay committed
            } // End of testcase TC_SEC_ITSS_SND_CERT_02_01_BV
garciay's avatar
garciay committed
            
            /**
garciay's avatar
garciay committed
             * @desc Check the certificate chain to ensure that the time validity restriction of the subordinate certificate is inside the time validity restriction of the issuing certificate
garciay's avatar
garciay committed
             * <pre>
             * Pics Selection: PICS_GN_SECURITY
             * Config Id: CF01
             * with {
             *   the IUT being in the 'authorized' state
             *   the IUT being requested to include certificate chain in the next CAM
             * } ensure that {
             *    when {
             *     the IUT is requested to send a CAM
             *   } then {
             *     the IUT sends a SecuredMessage
             *         containing header_fields['signer_info'].signer
             *             containing type
garciay's avatar
garciay committed
             *                 indicating 'certificate_chain'
garciay's avatar
garciay committed
             *             containing certificates
             *                 containing certificates[last-1]
             *                     containing validity_restrictions
             *                         containing validity_restrictions['time_start_and_end']
             *                             containing start_validity
             *                                 indicating START_AA_VALIDITY
             *                             containing end_validity
             *                                 indicating END_AA_VALIDITY >= START_AA_VALIDITY
             *                     and containing signer_info
             *                         containing digest
             *                             referenced to the trusted certificate
             *                                 containing validity_restrictions['time_end']
             *                                     containing end_validity
             *                                         indicating value > AA_END_VALIDITY
             *                                 or containing validity_restrictions['time_start_and_end']
             *                                     containing start_validity
             *                                         indicating value <= AA_START_VALIDITY
             *                                      and containing end_validity
             *                                         indicating value > AA_END_VALIDITY
             *                                 or containing validity_restrictions['time_start_and_duration']
             *                                     containing start_validity
             *                                         indicating X_START_VALIDITY <= AA_START_VALIDITY
             *                                     and containing duration
             *                                         indicating value > AA_END_VALIDITY - X_START_VALIDITY
             *   }
             * }
             * </pre>
garciay's avatar
garciay committed
             * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_08_01_BV
garciay's avatar
garciay committed
             * @reference   ETSI TS 103 097 [1], clauses 7.4.4
             */
garciay's avatar
garciay committed
            testcase TC_SEC_ITSS_SND_CERT_08_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
garciay's avatar
garciay committed
                var CertificateChain         v_chain;
                var Certificate              v_aa_cert;
                var ValidityRestriction      v_vr;
                var SignerInfo               v_si;
                var Time64                   v_generationTime;
                var Time64                   v_curTime;
                var Time64                   v_startTime, v_endTime, v_duration;
                
                // Test control
                if (not(PICS_GN_SECURITY)) {
                    log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
                    stop;
                }
                
                // Test component configuration
                f_cf01Up();
                
                // Test adapter configuration
                
                // Preamble
                f_prNeighbour();
                f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
                
                // Test Body
                log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain  ***");
                tc_ac.start;
                if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
                    log("*** " & testcasename() & ": INCONC: Expected message not received ***");
                    f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
                }
                tc_ac.stop;
                if (lengthof(v_chain) < 2) {
                    log("*** " & testcasename() & ": FAIL: Certificate chain is too short ***");
                    f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
                }
                v_aa_cert := v_chain[lengthof(v_chain) - 1];
                if (match (v_aa_cert.validity_restrictions, (superset(mw_validity_restriction_time_end,
                                                                      mw_validity_restriction_time_start_and_duration)))
                ) {
                    log("*** " & testcasename() & ": FAIL: AA certificate must not contain time_end and time_start_and_duration restrictions ***");
                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                }
                
                if ( true != f_getCertificateValidityRestriction(v_aa_cert, e_time_start_and_end, v_vr)) {
                    log("*** " & testcasename() & ": FAIL: AA certificate must contain time_start_and_end restrictions ***");
                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                }
                
                if (v_vr.validity.time_start_and_end.start_validity > v_vr.validity.time_start_and_end.end_validity ) {
                    log("*** " & testcasename() & ": FAIL: start validity mus not be greater then end validity in the validity restrictions of AA certificate ***");
                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                }
                
                // Process signerInfo field
                if ( true != f_getCertificateSignerInfo(v_aa_cert, v_si)) {
                    log("*** " & testcasename() & ": FAIL: AA certificate must contain SignerInfo fields ***");
                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                }
                if (v_si.type_ == e_certificate) {
                    log("*** " & testcasename() & ": FAIL: AA certificate must contain SignerInfo field containing a certificate ***");
                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                }
                for (var integer v_counter := 0; v_counter < lengthof(v_si.signerInfo.certificate.validity_restrictions); v_counter := v_counter + 1) {
                    if (v_si.signerInfo.certificate.validity_restrictions[v_counter].type_ == e_time_end) {
                        v_endTime := v_si.signerInfo.certificate.validity_restrictions[v_counter].validity.end_validity * 1000000;
                        if (not match(v_generationTime, Time64:(0 .. v_endTime))){
                            log("*** " & testcasename() & ": FAIL: DENM generation time is not inside the validity of the certificate");
                            f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                        }
                    } else if (v_si.signerInfo.certificate.validity_restrictions[v_counter].type_ == e_time_start_and_end) {
                        v_endTime := v_si.signerInfo.certificate.validity_restrictions[v_counter].validity.time_start_and_end.end_validity * 1000000;
                        v_startTime := v_si.signerInfo.certificate.validity_restrictions[v_counter].validity.time_start_and_end.start_validity * 1000000;
                        if (not match(v_generationTime, Time64:(v_startTime .. v_endTime))){
                            log("*** " & testcasename() & ": FAIL: DENM generation time is not inside the validity of the certificate");
                            f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                        }
                    } else if (v_si.signerInfo.certificate.validity_restrictions[v_counter].type_ == e_time_start_and_duration) {
                        v_startTime := v_si.signerInfo.certificate.validity_restrictions[v_counter].validity.time_start_and_duration.start_validity * 1000000;
                        v_duration  := f_duration2time(v_si.signerInfo.certificate.validity_restrictions[v_counter].validity.time_start_and_duration.duration_) * 1000000;
                        if (not match(v_generationTime, Time64:(v_startTime .. v_duration))){
                            log("*** " & testcasename() & ": FAIL: DENM generation time is not inside the validity of the certificate");
                            f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                        }
                    } else {
                        log("*** " & testcasename() & ": FAIL: Mal-formed the certificate");
                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                    }
                } // End of 'for' statement
                
                log("*** " & testcasename() & ": PASS: Time validity restriction of the AA certificate is good ***");
                f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
                
                // Postamble
                f_poNeighbour();
                f_cf01Down();
garciay's avatar
garciay committed
            } // End of testcase TC_SEC_ITSS_SND_CERT_08_01_BV
garciay's avatar
garciay committed
            
            /**
             * @desc    Check that the certificate signature contains ECC point of type set to either compressed_lsb_y_0, compressed_lsb_y_1 
             *          or x_coordinate_only
             * Pics Selection: PICS_GN_SECURITY
             * Config Id: CF01
             * Initial conditions:
garciay's avatar
garciay committed
             * with {
             *   the IUT being in the 'authorized' state
             *      the IUT being requested to include certificate in the next CAM
             * }
             * Expected Behaviour:
             * ensure that {
             *    when {
garciay's avatar
garciay committed
             *       the IUT is requested to send a CAM
garciay's avatar
garciay committed
             *   } then {
garciay's avatar
garciay committed
             *       the IUT sends a SecuredMessage
             *           containing header_fields['signer_info'].signer
             *               containing type
             *                   indicating certificate
             *               containing certificate
             *                   containing signature.ecdsa_signature
             *                       containing R.type
             *                           indicating compressed_lsb_y_0
             *                           or indicating compressed_lsb_y_1 
             *                           or indicating x_coordinate_only
garciay's avatar
garciay committed
             *   }
             * }
garciay's avatar
garciay committed
             * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_09_01_BV
garciay's avatar
garciay committed
             * @reference   ETSI TS 103 097 [1], clause 4.2.9
garciay's avatar
garciay committed
            testcase TC_SEC_ITSS_SND_CERT_09_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
garciay's avatar
garciay committed
                // Test control
                if (not(PICS_GN_SECURITY)) {
                    log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
                    stop;
                }
garciay's avatar
garciay committed
                // Test component configuration
                // Test adapter configuration
                
                // Preamble
                f_prNeighbour();
                f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
                
                // Test Body
garciay's avatar
garciay committed
                tc_ac.start;
                alt {
                    [] geoNetworkingPort.receive(
                        mw_geoNwInd(
                            mw_geoNwSecPdu(
                                mdw_securedMessage(
                                    superset(
                                        mw_header_field_signer_info_certificate(
                                            mw_at_certificate(
                                                ?,
                                                ?,
                                                ?,
                                                mw_signature(
                                                    mw_ecdsaSignature(
                                                        mw_eccPointecdsa_nistp256_with_sha256_y0_coordinate_only
                    ))))))))) {
                        tc_ac.stop;
                        log("*** " & testcasename() & ": PASS: AT certificate contains signature with the ECC point of type set to compressed_lsb_y_0 received ***");
                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
                    }
                    [] geoNetworkingPort.receive(
                        mw_geoNwInd(
                            mw_geoNwSecPdu(
                                mdw_securedMessage(
                                    superset(
                                        mw_header_field_signer_info_certificate(
                                            mw_at_certificate(
                                                ?,
                                                ?,
                                                ?,
                                                mw_signature(
                                                    mw_ecdsaSignature(
                                                        mw_eccPointecdsa_nistp256_with_sha256_y1_coordinate_only
                    ))))))))) {
                        tc_ac.stop;
                        log("*** " & testcasename() & ": PASS: AT certificate contains signature with the ECC point of type set to compressed_lsb_y_1 received ***");
                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
                    }
                    [] geoNetworkingPort.receive(
                        mw_geoNwInd(
                            mw_geoNwSecPdu(
                                mdw_securedMessage(
                                    superset(
                                        mw_header_field_signer_info_certificate(
                                            mw_at_certificate(
                                                ?,
                                                ?,
                                                ?,
                                                mw_signature(
                                                    mw_ecdsaSignature(
                                                        mw_eccPointecdsa_nistp256_with_sha256_x_coordinate_only
                    ))))))))) {
                        tc_ac.stop;
                        log("*** " & testcasename() & ": PASS: AT certificate contains signature with the ECC point of type set to x_coordinate_only received ***");
                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
                    }
                    [] geoNetworkingPort.receive(
                        mw_geoNwInd(
                            mw_geoNwSecPdu(
                                mdw_securedMessage(
                                    superset(
                                        mw_header_field_signer_info_certificate(
                                            mw_at_certificate
                    )))))) {
                        tc_ac.stop;
                        log("*** " & testcasename() & ": FAIL: AT certificate signature mismatch ***");
                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
                    }
                    [] tc_ac.timeout {
                        log("*** " & testcasename() & ": INCONC: Expected message not received ***");
                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
                    }
                } // End of 'alt' statement
                
                // Postamble
                f_poNeighbour();
                f_cf01Down();
garciay's avatar
garciay committed
                
garciay's avatar
garciay committed
            } // End of testcase TC_SEC_ITSS_SND_CERT_09_01_BV
garciay's avatar
garciay committed
             * @desc    Check that the all certificates in a chain have signatures contains ECC point of type set to either compressed_lsb_y_0, compressed_lsb_y_1 
             *          or x_coordinate_only
             * Pics Selection: PICS_GN_SECURITY
             * Config Id: CF01
             * Initial conditions:
garciay's avatar
garciay committed
             * with {
             *   the IUT being in the 'authorized' state
garciay's avatar
garciay committed
             *   the IUT being requested to include certificate in the next CAM
garciay's avatar
garciay committed
             * }
             * Expected Behaviour:
             * ensure that {
             *    when {
             *     the IUT is requested to send a CAM
             *   } then {
             *     the IUT sends a SecuredMessage
garciay's avatar
garciay committed
             *         containing header_fields['signer_info'].signer
             *             containing type
             *                 indicating 'certificate_chain'
             *             containing certificates
             *                 indicating length N > 1
             *                 and indicating certificates[n] (0..N)
             *                     containing signature.ecdsa_signature
             *                         containing R.type
             *                             indicating compressed_lsb_y_0
             *                             or indicating compressed_lsb_y_1 
             *                             or indicating x_coordinate_only 
garciay's avatar
garciay committed
             *   }
             * }
garciay's avatar
garciay committed
             * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_09_02_BV
garciay's avatar
garciay committed
             * @reference   ETSI TS 103 097 [1], clause 4.2.9
garciay's avatar
garciay committed
            testcase TC_SEC_ITSS_SND_CERT_09_02_BV() runs on ItsGeoNetworking system ItsSecSystem {
garciay's avatar
garciay committed
                // Local variables
                var GeoNetworkingInd v_geoNwInd;
                var SignerInfo       v_si;
                var CertificateChain v_chain;
                var integer          v_counter;
garciay's avatar
garciay committed
                // Test control
                if (not(PICS_GN_SECURITY)) {
                    log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
                    stop;
                }
garciay's avatar
garciay committed
                // Test component configuration
                // Test adapter configuration
                
                // Preamble
                f_prNeighbour();
                f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
                
                // Test Body
garciay's avatar
garciay committed
                tc_ac.start;
                alt {
                    [] geoNetworkingPort.receive(
                        mw_geoNwInd(
                            mw_geoNwSecPdu(
                                mdw_securedMessage(
                                    superset(
garciay's avatar
garciay committed
                                        mw_header_field_signer_info_certificate_chain
                    ))))) -> value v_geoNwInd {
garciay's avatar
garciay committed
                        tc_ac.stop;
garciay's avatar
garciay committed
                        // Check certificate chain
                        if (f_getMsgSignerInfo(f_getSecuredMessage(v_geoNwInd.msgIn), v_si)) {
                            v_chain  :=  v_si.signerInfo.certificates;
                            for (v_counter := lengthof(v_chain) - 1; v_counter > 0; v_counter := v_counter - 1 ) {
                                if (v_chain[v_counter].signature_.algorithm != e_ecdsa_nistp256_with_sha256) {
                                    log("*** " & testcasename() & ": FAIL: Wrong signature algorithm ***");
                                    f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
                                } else if (
                                    (v_chain[v_counter].signature_.signature_.ecdsa_signature.r.type_ != e_x_coordinate_only) and 
                                    (v_chain[v_counter].signature_.signature_.ecdsa_signature.r.type_ != e_compressed_lsb_y_0) and 
                                    (v_chain[v_counter].signature_.signature_.ecdsa_signature.r.type_ != e_compressed_lsb_y_1) 
                                ) {
                                    log("*** " & testcasename() & ": FAIL: Wrong ECDSA R type ***");
                                    f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
                                }
                            } // End of 'for' statement
                        }
                        log("*** " & testcasename() & ": PASS: All certificates in a chain have the correct signature type ***");
                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
                    }
                    [] tc_ac.timeout {
                        log("*** " & testcasename() & ": INCONC: Expected message not received ***");
                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
                    }
                } // End of 'alt' statement
                
                // Postamble
                f_poNeighbour();
                f_cf01Down();
                
garciay's avatar
garciay committed
            } // End of testcase TC_SEC_ITSS_SND_CERT_09_02_BV
garciay's avatar
garciay committed
            
            /**
             * @desc    Check that the certificate verification key contains ECC point of type set to either compressed_lsb_y_0, compressed_lsb_y_1 
             *          or uncompressed
             * <pre>
             * Pics Selection: PICS_GN_SECURITY
             * Config Id: CF01
             * Initial conditions:
             * with {
             *   the IUT being in the 'authorized' state
             *   the IUT being requested to include certificate in the next CAM
             * }
             * Expected Behaviour:
             * ensure that {
             *    when {
             *     the IUT is requested to send a CAM
             *   } then {
             *     the IUT sends a SecuredMessage
             *       containing header_fields['signer_info'].signer
             *         containing type
             *           indicating certificate
             *         containing certificate
             *             containing subject_attributes['verification_key']
             *                 containing key.public_key.type
             *                     indicating compressed_lsb_y_0
             *                     or indicating compressed_lsb_y_1 
             *                     or indicating x_coordinate_only
             *   }
             * }
             * </pre>
garciay's avatar
garciay committed
             * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_10_01_BV
garciay's avatar
garciay committed
             * @reference   ETSI TS 103 097 [1], clause 4.2.4
             */
garciay's avatar
garciay committed
            testcase TC_SEC_ITSS_SND_CERT_10_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
garciay's avatar
garciay committed
                
                // Test control
                if (not(PICS_GN_SECURITY)) {
                    log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
                    stop;
                }
                
                // Test component configuration
                f_cf01Up();
                
                // Test adapter configuration
                
                // Preamble
                f_prNeighbour();
                f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);