Newer
Older
}
} // End of 'alt' statement
// Postamble
f_poNeighbour();
f_cf01Down();
6009
6010
6011
6012
6013
6014
6015
6016
6017
6018
6019
6020
6021
6022
6023
6024
6025
6026
6027
6028
6029
6030
6031
6032
6033
6034
6035
6036
6037
6038
6039
6040
6041
/**
* @desc Check that the certificate verification key contains ECC point of type set to either compressed_lsb_y_0, compressed_lsb_y_1
* or uncompressed
* <pre>
* Pics Selection: PICS_GN_SECURITY
* Config Id: CF01
* Initial conditions:
* with {
* the IUT being in the 'authorized' state
* the IUT being requested to include certificate in the next CAM
* }
* Expected Behaviour:
* ensure that {
* when {
* the IUT is requested to send a CAM
* } then {
* the IUT sends a SecuredMessage
* containing header_fields['signer_info'].signer
* containing type
* indicating certificate
* containing certificate
* containing subject_attributes['verification_key']
* containing key.public_key.type
* indicating compressed_lsb_y_0
* or indicating compressed_lsb_y_1
* or indicating x_coordinate_only
* }
* }
* </pre>
* @see ETSI TS 103 096-2 v1.2.2 TP_SEC_ITSS_SND_CERT_10_01_BV
* @reference ETSI TS 103 097 [1], clause 4.2.4
*/
testcase TC_SEC_ITSS_SND_CERT_10_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
6043
6044
6045
6046
6047
6048
6049
6050
6051
6052
6053
6054
6055
6056
6057
6058
6059
6060
6061
6062
6063
6064
6065
6066
6067
6068
6069
6070
6071
6072
6073
6074
6075
6076
6077
6078
6079
6080
6081
6082
6083
6084
// Test control
if (not(PICS_GN_SECURITY)) {
log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
stop;
}
// Test component configuration
f_cf01Up();
// Test adapter configuration
// Preamble
f_prNeighbour();
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mdw_securedMessage(
superset(
mw_header_field_signer_info_certificate(
mw_at_certificate(
?,
superset(
mw_subject_attribute_verification_key(
mw_publicKey_eccPoint_compressed_lsb_y_0
)
),
?,
mw_signature
))))))) {
tc_ac.stop;
log("*** " & testcasename() & ": PASS: AT certificate contains verification key with the ECC point of type set to compressed_lsb_y_0 received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mdw_securedMessage(
superset(
mw_header_field_signer_info_certificate(
mw_at_certificate(
?,
superset(
mw_subject_attribute_verification_key(
mw_publicKey_eccPoint_compressed_lsb_y_1
)
),
?,
log("*** " & testcasename() & ": PASS: AT certificate contains verification key with the ECC point of type set to compressed_lsb_y_1 received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mdw_securedMessage(
superset(
mw_header_field_signer_info_certificate(
mw_at_certificate(
?,
superset(
mw_subject_attribute_verification_key(
mw_publicKey_eccPoint_uncompressed
)
),
?,
log("*** " & testcasename() & ": PASS: AT certificate contains verification key with the ECC point of type set to uncompressed received ***");
6120
6121
6122
6123
6124
6125
6126
6127
6128
6129
6130
6131
6132
6133
6134
6135
6136
6137
6138
6139
6140
6141
6142
6143
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mdw_securedMessage(
superset(
mw_header_field_signer_info_certificate(
mw_at_certificate
)))))) {
tc_ac.stop;
log("*** " & testcasename() & ": FAIL: AT certificate signature mismatch ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_poNeighbour();
f_cf01Down();
6145
6146
6147
6148
6149
6150
6151
6152
6153
6154
6155
6156
6157
6158
6159
6160
6161
6162
6163
6164
6165
6166
6167
6168
6169
6170
6171
6172
6173
6174
6175
6176
6177
6178
6179
/**
* @desc Check that all certificate in a chain have verification keys contains ECC point of type set to either compressed_lsb_y_0, compressed_lsb_y_1
* or uncompressed
* <pre>
* Pics Selection: PICS_GN_SECURITY
* Config Id: CF01
* Initial conditions:
* with {
* the IUT being in the 'authorized' state
* the IUT being requested to include certificate in the next CAM
* }
* Expected Behaviour:
* ensure that {
* when {
* the IUT is requested to send a CAM
* } then {
* the IUT sends a SecuredMessage
* containing header_fields['signer_info'].signer
* containing type
* indicating 'certificate_chain'
* containing certificates
* indicating length N > 1
* and indicating certificates[n] (0..N)
* containing signature.ecdsa_signature
* containing subject_attributes['verification_key']
* indicating compressed_lsb_y_0
* or indicating compressed_lsb_y_1
* or indicating uncompressed
* }
* }
* </pre>
* @see ETSI TS 103 096-2 v1.2.2 TP_SEC_ITSS_SND_CERT_10_02_BV
* @reference ETSI TS 103 097 [1], clause 4.2.4
*/
testcase TC_SEC_ITSS_SND_CERT_10_02_BV() runs on ItsGeoNetworking system ItsSecSystem {
6181
6182
6183
6184
6185
6186
6187
6188
6189
6190
6191
6192
6193
6194
6195
6196
6197
6198
6199
6200
6201
6202
6203
6204
6205
6206
6207
6208
6209
6210
6211
6212
6213
6214
6215
6216
6217
6218
6219
6220
6221
6222
6223
6224
6225
6226
6227
6228
6229
6230
6231
6232
6233
6234
6235
6236
6237
6238
6239
// Local variables
var GeoNetworkingInd v_geoNwInd;
var SignerInfo v_si;
var CertificateChain v_chain;
var integer v_counter;
// Test control
if (not(PICS_GN_SECURITY)) {
log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
stop;
}
// Test component configuration
f_cf01Up();
// Test adapter configuration
// Preamble
f_prNeighbour();
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mdw_securedMessage(
superset(
mw_header_field_signer_info_certificate_chain
))))) {
tc_ac.stop;
// Check certificate chain
if (f_getMsgSignerInfo(f_getSecuredMessage(v_geoNwInd.msgIn), v_si)) {
v_chain := v_si.signerInfo.certificates;
for (v_counter := lengthof(v_chain) - 1; v_counter > 0; v_counter := v_counter - 1 ) {
if (
(not match(v_chain[v_counter], mw_certificate(?, ?, superset(mw_subject_attribute_verification_key(mw_publicKey_eccPoint_compressed_lsb_y_0))))) and
(not match(v_chain[v_counter], mw_certificate(?, ?, superset(mw_subject_attribute_verification_key(mw_publicKey_eccPoint_compressed_lsb_y_1))))) and
(not match(v_chain[v_counter], mw_certificate(?, ?, superset(mw_subject_attribute_verification_key(mw_publicKey_eccPoint_uncompressed)))))
) {
log("*** " & testcasename() & ": FAIL: Wrong verification key algorithm ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
}
} // End of 'for' statement
}
log("*** " & testcasename() & ": PASS: All certificates in a chain have the correct verification key ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_poNeighbour();
f_cf01Down();
/**
* @desc Check the certificate signature
* <pre>
* Pics Selection: PICS_GN_SECURITY
* Config Id: CF01
* Initial conditions:
* with {
* the IUT being in the 'authorized' state
* the IUT being requested to include certificate in the next CAM
* } ensure that {
* when {
* the IUT is requested to send a CAM
* } then {
* the IUT sends a SecuredMessage
* ND containing certificate
* containing signer_info
* containing type
* indicating 'certificate_digest_with_sha256'
* containing digest
* referenced to the certificate CERT
* verifiable using CERT.subject_attributes['verification_key'].key
* }
* }
* @see ETSI TS 103 096-2 v1.2.2 TP_SEC_ITSS_SND_CERT_09_01_BV
testcase TC_SEC_ITSS_SND_CERT_11_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
// Local declarations
var GeoNetworkingInd v_geoNwInd;
var Certificate v_at_cert;
var Certificate v_aa_cert;
var HashedId8 v_aa_digest;
var SignerInfo v_si;
var integer v_counter;
if (not(PICS_GN_SECURITY)) {
log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
stop;
}
// Test adapter configuration
// Preamble
f_prNeighbour();
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Wait for the message with the certificate to get the AA cert digest.
// Ask for the chain, containing AT and AA certificate
// Check that the AT cert in the first message is signed with the AA cert
log("*** " & testcasename() & ": INFO: Waiting for the message containing certificate ***");
tc_ac.start;
f_waitForCertificate(v_at_cert);
tc_ac.stop;
if (true != f_getCertificateSignerInfo(v_at_cert, v_si)) {
log("*** " & testcasename() & ": FAIL: AT Certificate signer info is unknown ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
if (not match (v_si.type_, e_certificate_digest_with_sha256)) {
log("*** " & testcasename() & ": FAIL: AT Certificate is not signed well ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
6313
6314
6315
6316
6317
6318
6319
6320
6321
6322
6323
6324
6325
6326
6327
6328
6329
6330
6331
6332
6333
6334
6335
6336
6337
6338
6339
6340
6341
6342
6343
6344
6345
6346
6347
6348
6349
6350
6351
6352
6353
6354
6355
6356
6357
6358
6359
6360
6361
6362
6363
v_aa_digest := v_si.signerInfo.digest;
// Send a certificate request to the IUT
f_sendCertificateRequest(v_aa_digest, f_generateDefaultCam());
// Test Body
tc_ac.start;
alt {
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mdw_securedMessage(
superset(
mw_header_field_signer_info_certificate_chain
))))) -> value v_geoNwInd {
var SecuredMessage v_secMsg;
var integer v_chainLength;
tc_ac.stop;
// Check certificate chain
if (f_getMsgSignerInfo(f_getSecuredMessage(v_geoNwInd.msgIn), v_si)) {
v_chainLength := lengthof(v_si.signerInfo.certificates);
if (v_chainLength < 2 ) {
log("*** " & testcasename() & ": FAIL: Certificate chain doesn't contain the AA cert ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
// get aa cert
v_aa_cert := v_si.signerInfo.certificates[v_chainLength-2];
if (not match (v_aa_digest, f_calculateDigestFromCertificate(v_aa_cert))) {
log("*** " & testcasename() & ": FAIL: AT certificate was not signed with the given AA cert ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
// Check that at cert is signed with aa cert
if (false == f_verifyCertificateSignatureWithIssuingCertificate(v_at_cert, v_aa_cert)) {
log("*** " & testcasename() & ": FAIL: AT certificate signature error ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
log("*** " & testcasename() & ": PASS: AT certificate was well signed with AA certificate ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: The message signer info is unknown ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_poNeighbour();
f_cf01Down();
* @desc Check the signatures of the certificates in the chain
* Pics Selection: PICS_GN_SECURITY
* Config Id: CF01
* Initial conditions:
* with {
* the IUT being in the 'authorized' state
* the IUT being requested to include certificate chain in the next CAM
* } ensure that {
* when {
* the IUT is requested to send a CAM
* } then {
* the IUT sends a SecuredMessage
6385
6386
6387
6388
6389
6390
6391
6392
6393
6394
6395
6396
6397
6398
6399
6400
6401
6402
6403
6404
6405
* containing header_fields['signer_info'].signer
* containing type
* indicating 'certificate_chain'
* and containing certificates
* indicating length N > 1
* and containing certificate[0]
* containing signer_info
* containing type
* indicating 'certificate_digest_with_sha256'
* and containing digest
* referenced to the trusted certificate (CERT_ROOT)
* and containing signature
* verifiable using CERTIFICATES[N-1].subject_attributes['verification_key'].key
* and containing certificates[n] (1..N)
* containing signer_info {
* containing type
* indicating 'certificate_digest_with_sha256'
* and containing digest
* referenced to the certificates[n-1]
* and containing signature
* verifiable using certificates[n-1].subject_attributes['verification_key'].key
* @see ETSI TS 103 096-2 v1.2.2 TP_SEC_ITSS_SND_CERT_09_02_BV
testcase TC_SEC_ITSS_SND_CERT_11_02_BV() runs on ItsGeoNetworking system ItsSecSystem {
// Local declarations
var GeoNetworkingInd v_geoNwInd;
var Certificate v_cert;
var CertificateChain v_chain;
var SignerInfo v_si;
var HashedId8 v_digest;
var integer v_counter;
if (not(PICS_GN_SECURITY)) {
log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
stop;
}
// Test adapter configuration
// Preamble
f_prNeighbour();
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Wait for the message with the certificate to get the AA cert digest.
// Ask for the chain, containing AT and AA certificate
// Check that the AT cert in the first message is signed with the AA cert
log("*** " & testcasename() & ": INFO: Waiting for the message containing certificate and ask for a certificate chain ***");
tc_ac.start;
f_askForCertificateChain(f_generateDefaultCam());
tc_ac.stop;
6445
6446
6447
6448
6449
6450
6451
6452
6453
6454
6455
6456
6457
6458
6459
6460
6461
6462
6463
6464
6465
6466
6467
6468
6469
6470
6471
6472
6473
6474
6475
6476
6477
6478
6479
6480
6481
6482
6483
6484
6485
6486
6487
6488
6489
6490
6491
6492
tc_ac.start;
alt {
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mdw_securedMessage(
superset(
mw_header_field_signer_info_certificate_chain
))))) -> value v_geoNwInd {
var SecuredMessage v_secMsg;
var integer v_chainLength;
tc_ac.stop;
// Check certificate chain
if (f_getMsgSignerInfo(f_getSecuredMessage(v_geoNwInd.msgIn), v_si)) {
v_chain := v_si.signerInfo.certificates;
for (v_counter := lengthof(v_chain) - 1; v_counter > 0; v_counter := v_counter - 1 ) {
if (not f_getCertificateSignerInfo(v_chain[v_counter], v_si)) {
log("*** " & testcasename() & ": FAIL: Certificate "&int2str(v_counter) & " doesn't have a signer info ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
if (not match (v_si.type_, e_certificate_digest_with_sha256)) {
log("*** " & testcasename() & ": FAIL: Certificate is not signed with digest ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
// Check that cert is signed by issuing cert
v_digest := f_calculateDigestFromCertificate(v_chain[v_counter - 1]);
if (not match (v_si.signerInfo.digest, v_digest)) {
log("*** " & testcasename() & ": FAIL: Certificate chain is not valid ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
// Check that the signature is valid
if (false == f_verifyCertificateSignatureWithIssuingCertificate(v_chain[v_counter], v_chain[v_counter - 1])) {
log("*** " & testcasename() & ": FAIL: AT certificate signature error ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
} // End of 'for' statement
log("*** " & testcasename() & ": PASS: All certificates in the chain signed by it's issuing certs ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: The message signer info is unknown ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
}
// Postamble
f_poNeighbour();
f_cf01Down();
} // End of testcase TC_SEC_ITSS_SND_CERT_11_02_BV
/**
* @desc Check that the assurance level of the subordinate certificate is equal to or less than the assurance level of the issuing certificate
* <pre>
* Pics Selection: PICS_GN_SECURITY and PICS_CERTIFICATE_SELECTION
* Config Id: CF01
* with {
* the IUT being in the 'authorized' state
* the IUT being requested to include certificate chain in the next CAM
* } ensure that {
* when {
* the IUT is requested to send a CAM
* } then {
* the IUT sends a SecuredMessage
* containing header_fields['signer_info'].signer
* containing type
* containing certificates
* indicating length N > 1
* and containing certificates[n](0..N)
* containing subject_attributes ['assurance_level']
* containig assurance_level
* containing bits [5-7]
* indicating assurance level CERT_AL
* and containing signer_info
* containing digest
* referenced to the certificate
* containing subject_attributes ['assurance_level']
* containing assurance_level
* containing bits [5-7]
* indicating value <= CERT_AL
* }
* }
* </pre>
* @see ETSI TS 103 096-2 v1.2.2 TP_SEC_ITSS_SND_CERT_12_01_BV
6536
6537
6538
6539
6540
6541
6542
6543
6544
6545
6546
6547
6548
6549
6550
6551
6552
6553
6554
6555
6556
6557
6558
6559
6560
6561
6562
6563
6564
6565
6566
6567
6568
6569
6570
6571
6572
6573
6574
6575
6576
6577
6578
6579
6580
6581
6582
6583
6584
6585
6586
6587
6588
6589
6590
6591
6592
6593
6594
6595
*/
testcase TC_SEC_ITSS_SND_CERT_12_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
var CertificateChain v_chain;
var Certificate v_aa_cert, v_at_cert;
var SubjectAttribute v_sa;
var SubjectAssurance v_aa_assurance_level, v_at_assurance_level;
// Test control
if (not(PICS_GN_SECURITY)) {
log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
stop;
}
// Test component configuration
f_cf01Up();
// Test adapter configuration
// Preamble
f_prNeighbour();
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain ***");
tc_ac.start;
if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
}
tc_ac.stop;
if (lengthof(v_chain) < 2) {
log("*** " & testcasename() & ": FAIL: Certificate chain is too short ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
}
v_aa_cert := v_chain[lengthof(v_chain) - 2];
v_at_cert := v_chain[lengthof(v_chain) - 1];
if (not f_getCertificateSubjectAttribute(v_aa_cert, e_assurance_level, v_sa)) {
log("*** " & testcasename() & ": FAIL: AA certificate does not contain its_aid_list subject attribute ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
v_aa_assurance_level := v_sa.attribute.assurance_level;
if (not f_getCertificateSubjectAttribute(v_at_cert, e_assurance_level, v_sa)) {
log("*** " & testcasename() & ": FAIL: AA certificate does not contain its_aid_list subject attribute ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
v_at_assurance_level := v_sa.attribute.assurance_level;
if (bit2int(v_aa_assurance_level.levels) < bit2int(v_at_assurance_level.levels)) {
log("*** " & testcasename() & ": FAIL: The assurence levels mismatch ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: The assurence levels match ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
// Postamble
f_poNeighbour();
f_cf01Down();
} // End of testcase TC_SEC_ITSS_SND_CERT_12_01_BV
* @desc Sending behaviour test cases for AA certificate profil
* @see ETSI TS 103 096-2 V1.2.2 (2016-01) Clause 5.2.7.7 AA certificate profile
*/
group AA_Certificates {
/**
* @desc Check that the subject_type of the AA certificate is set to authorization_authority
* <pre>
* Pics Selection: PICS_GN_SECURITY
* Config Id: CF01
* with {
* the IUT being in the 'authorized' state
* the IUT being requested to include certificate chain in the next CAM
* } ensure that {
* when {
* the IUT is requested to send a CAM
* } then {
* the IUT sends a SecuredMessage
* containing subject_info.subject_type
* indicating 'authorization_authority' (2)
* }
* }
* </pre>
* @see ETSI TS 103 096-2 v1.2.2 TP_SEC_ITSS_SND_CERT_AA_01_01_BV
testcase TC_SEC_ITSS_SND_CERT_AA_01_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
6629
6630
6631
6632
6633
6634
6635
6636
6637
6638
6639
6640
6641
6642
6643
6644
6645
6646
6647
6648
6649
6650
6651
6652
6653
6654
6655
6656
6657
6658
6659
6660
6661
6662
var CertificateChain v_chain;
// Test control
if (not(PICS_GN_SECURITY)) {
log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
stop;
}
// Test component configuration
f_cf01Up();
// Test adapter configuration
// Preamble
f_prNeighbour();
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain ***");
tc_ac.start;
if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
}
tc_ac.stop;
if (lengthof(v_chain) < 2) {
log("*** " & testcasename() & ": FAIL: Certificate chain is too short ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
}
if (not match(v_chain[lengthof(v_chain) - 2], mw_aa_certificate)) {
log("*** " & testcasename() & ": FAIL: AA certificate not found in the chain[last-1] ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
log("*** " & testcasename() & ": PASS: AA certificate was found in the chain ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
* @desc Check that the AA certificsate subject_name variable-length vector contains 32 bytes maximum
* <pre>
* Pics Selection: PICS_GN_SECURITY
* Config Id: CF01
* with {
* the IUT being in the 'authorized' state
* the IUT being requested to include certificate chain in the next CAM
* } ensure that {
* when {
* the IUT is requested to send a CAM
* } then {
* the IUT sends a SecuredMessage
* containing subject_info.subject_name
* indicating length <= 32 bytes
* }
* }
* </pre>
* @see ETSI TS 103 096-2 v1.2.2 TP_SEC_ITSS_SND_CERT_AA_02_01_BV
* @reference ETSI TS 103 097 [1], clause 6.2
*/
testcase TC_SEC_ITSS_SND_CERT_AA_02_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
6696
6697
6698
6699
6700
6701
6702
6703
6704
6705
6706
6707
6708
6709
6710
6711
6712
6713
6714
6715
6716
6717
6718
6719
6720
6721
6722
6723
6724
6725
6726
6727
6728
6729
6730
6731
6732
6733
6734
6735
var CertificateChain v_chain;
// Test control
if (not(PICS_GN_SECURITY)) {
log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
stop;
}
// Test component configuration
f_cf01Up();
// Test adapter configuration
// Preamble
f_prNeighbour();
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain ***");
tc_ac.start;
if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
}
tc_ac.stop;
if (lengthof(v_chain) < 2) {
log("*** " & testcasename() & ": FAIL: Certificate chain is too short ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
}
// Verified automatically on decoding
if (lengthof(v_chain[lengthof(v_chain) - 2].subject_info.subject_name) > 32 ) {
log("*** " & testcasename() & ": FAIL: Subject name of the AA certificate is too long ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
log("*** " & testcasename() & ": PASS: Subject name of the AA certificate is good ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
// Postamble
f_poNeighbour();
f_cf01Down();
* @desc Check that signer_info type of AA certificates is set to 'certificate_digest_with_sha256'
* <pre>
* Pics Selection: PICS_GN_SECURITY
* Config Id: CF01
* with {
* the IUT being in the 'authorized' state
* the IUT being requested to include certificate chain in the next CAM
* } ensure that {
* when {
* the IUT is requested to send a CAM
* } then {
* the IUT sends a SecuredMessage
* containing certificates[last-1]
* containing signer_info
* containing type
* indicating 'certificate_digest_with_sha256'
* containing digest
* }
* }
* </pre>
* @see ETSI TS 103 096-2 v1.2.2 TP_SEC_ITSS_SND_CERT_AA_03_01_BV
* @reference ETSI TS 103 097 [1], clause 7.4.4
testcase TC_SEC_ITSS_SND_CERT_AA_03_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
6766
6767
6768
6769
6770
6771
6772
6773
6774
6775
6776
6777
6778
6779
6780
6781
6782
6783
6784
6785
6786
6787
6788
6789
6790
6791
6792
6793
6794
6795
6796
6797
6798
6799
6800
6801
6802
6803
6804
6805
6806
var CertificateChain v_chain;
var Certificate v_aa_cert;
// Test control
if (not(PICS_GN_SECURITY)) {
log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
stop;
}
// Test component configuration
f_cf01Up();
// Test adapter configuration
// Preamble
f_prNeighbour();
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain ***");
tc_ac.start;
if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
}
tc_ac.stop;
if (lengthof(v_chain) < 2) {
log("*** " & testcasename() & ": FAIL: Certificate chain is too short ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
}
v_aa_cert := v_chain[lengthof(v_chain) - 2];
if (not match(v_aa_cert, mw_aa_certificate(mw_signerInfo_digest))) {
log("*** " & testcasename() & ": FAIL: AA certificate not signed by digest ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
log("*** " & testcasename() & ": PASS: AA certificate is signed by digest ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
// Postamble
f_poNeighbour();
f_cf01Down();
} // End of testcase TC_SEC_ITSS_SND_CERT_AA_03_01_BV
6809
6810
6811
6812
6813
6814
6815
6816
6817
6818
6819
6820
6821
6822
6823
6824
6825
6826
6827
6828
6829
6830
6831
6832
6833
6834
6835
6836
6837
6838
6839
6840
6841
6842
6843
6844
6845
6846
6847
6848
6849
6850
6851
6852
6853
6854
6855
6856
6857
6858
6859
6860
6861
6862
6863
6864
6865
6866
6867
6868
6869
6870
6871
6872
6873
6874
6875
6876
6877
6878
6879
6880
6881
6882
6883
6884
6885
6886
6887
6888
6889
6890
6891
6892
6893
6894
6895
6896
6897
6898
6899
6900
6901
/**
* @desc Check that AA certificate is signed by Root CA or other authority
* @remark There is no clear specification that AA cert shall be signed by the Root CA only
* <pre>
* Pics Selection: PICS_GN_SECURITY
* Config Id: CF01
* with {
* the IUT being in the 'authorized' state
* the IUT being requested to include certificate in the next CAM
* } ensure that {
* when {
* the IUT is requested to send a CAM
* } then {
* the IUT sends a SecuredMessage
* containing header_fields['signer_info'].signer
* containing type
* indicating 'certificate_chain'
* containing certificates
* containing certificates[last-1]
* containing signer_info
* containing type
* indicating 'certificate_digest_with_ecdsap256'
* and containing digest
* referencing to the trusted certificate
* containing subject_info.subject_type
* indicating 'root_ca'
* or indicating 'authorisation_authority'
* }
* }
* </pre>
* @see ETSI TS 103 096-2 v1.2.2 TP_SEC_ITSS_SND_CERT_AA_04_01_BV
* @reference ETSI TS 103 097 [1], clauses 7.4.1 and 7.4.2
*/
testcase TC_SEC_ITSS_SND_CERT_AA_04_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
var CertificateChain v_chain;
var Certificate v_aa_cert, v_ca_cert;
var SignerInfo v_si;
var HashedId8 v_ca_digest;
// Test control
if (not(PICS_GN_SECURITY)) {
log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
stop;
}
// Test component configuration
f_cf01Up();
// Test adapter configuration
// Preamble
f_prNeighbour();
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain ***");
tc_ac.start;
if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
}
tc_ac.stop;
v_aa_cert := v_chain[lengthof(v_chain) - 2];
// Process signerInfo field
if ( true != f_getCertificateSignerInfo(v_aa_cert, v_si)) {
log("*** " & testcasename() & ": FAIL: AA certificate must contain SignerInfo fields ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
if (v_si.type_ == e_certificate_digest_with_sha256) {
log("*** " & testcasename() & ": FAIL: AA certificate must contain SignerInfo field containing a certificate_digest_with_ecdsap256 ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
f_readCertificate(cc_taCert_CA, v_ca_cert);
v_ca_digest := f_calculateDigestFromCertificate(v_ca_cert);
if (not match(v_aa_cert, mw_aa_certificate(mw_signerInfo_digest(v_ca_digest)))) {
log("*** " & testcasename() & ": FAIL: AA certificate signer info doesn't reference the CA certificate from the chain ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
if (not f_verifyCertificateSignatureWithIssuingCertificate(v_aa_cert, v_ca_cert)) {
log("*** " & testcasename() & ": FAIL: AT certificate signature verification failed ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
log("*** " & testcasename() & ": PASS: AA certificate was signed by the CA certificate from the given chain ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
// Postamble
f_poNeighbour();
f_cf01Down();
} // End of testcase TC_SEC_ITSS_SND_CERT_AA_04_01_BV
* @desc Check that all neccesary subject attributes are present and arranged in accesing order
* <pre>
* Pics Selection: PICS_GN_SECURITY
* Config Id: CF01
* with {
* the IUT being in the 'authorized' state
* the IUT being requested to include certificate chain in the next CAM
* } ensure that {
* when {
* the IUT is requested to send a CAM
* } then {
* the IUT sends a SecuredMessage
* containing certificates[last-1]
* containing subject_attributes [0..N]
* indicating subject_attributes[n].type < subject_attributes[n+ 1].type
* containing subject_attributes['verification_key']
* containing subject_attributes['assurance_level']
* containing subject_attributes['its_aid_list']
* }
* }
* </pre>
* @see ETSI TS 103 096-2 v1.2.2 TP_SEC_ITSS_SND_CERT_AA_05_01_BV
* @reference ETSI TS 103 097 [1], clauses 6.1, 7.4.1 and 7.4.4
testcase TC_SEC_ITSS_SND_CERT_AA_05_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
6932
6933
6934
6935
6936
6937
6938
6939
6940
6941
6942
6943
6944
6945
6946
6947
6948
6949
6950
6951
6952
6953
6954
6955
6956
6957
6958
6959
6960
6961
6962
6963
6964
6965
6966
6967
6968
6969
6970
6971
6972
6973
6974
6975
6976
6977
6978
6979
6980
6981
6982
6983
6984
6985
var CertificateChain v_chain;
var SubjectAttributes v_attrs;
// Test control
if (not(PICS_GN_SECURITY)) {
log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
stop;
}
// Test component configuration
f_cf01Up();
// Test adapter configuration
// Preamble
f_prNeighbour();
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain ***");
tc_ac.start;
if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
}
tc_ac.stop;
if (lengthof(v_chain) < 2) {
log("*** " & testcasename() & ": FAIL: Certificate chain is too short ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
}
if (not match(v_chain[lengthof(v_chain) - 2],
mw_aa_certificate(?,
superset(mw_subject_attribute_verification_key,
mw_subject_attribute_assurance_level,
mw_subject_attribute_its_aid_list)))
) {
log("*** " & testcasename() & ": FAIL: Required subject attribute of AA certificate is not found ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
v_attrs := v_chain[lengthof(v_chain) - 2].subject_attributes;
for (var integer v_counter := 1; v_counter < lengthof(v_attrs); v_counter := v_counter + 1 ) {
if (v_attrs[v_counter].type_ <= v_attrs[v_counter-1].type_) {
log("*** " & testcasename() & ": FAIL: AA certificate subject attributes are not arranged in accening order ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
log("*** " & testcasename() & ": PASS: All required AA certificate subject attributes are presents ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
// Postamble
f_poNeighbour();
f_cf01Down();
* @desc Check that all AIDs containing in the its_aid_list in AA certificate are unique
* <pre>
* Pics Selection: PICS_GN_SECURITY
* Config Id: CF01
* with {
* the IUT being in the 'authorized' state
* the IUT being requested to include certificate chain in the next CAM
* } ensure that {
* when {
* the IUT is requested to send a CAM
* } then {