Newer
Older
14001
14002
14003
14004
14005
14006
14007
14008
14009
14010
14011
14012
14013
14014
14015
14016
14017
14018
14019
14020
14021
14022
14023
14024
14025
14026
14027
14028
14029
14030
14031
14032
14033
14034
14035
14036
14037
14038
14039
14040
14041
14042
14043
14044
14045
14046
14047
14048
14049
14050
14051
14052
14053
14054
14055
14056
14057
14058
14059
14060
14061
14062
14063
14064
14065
14066
14067
14068
14069
14070
14071
14072
14073
14074
14075
14076
14077
14078
14079
14080
14081
14082
14083
14084
14085
14086
14087
14088
14089
14090
14091
14092
14093
14094
14095
14096
14097
14098
14099
14100
14101
14102
14103
14104
14105
14106
14107
14108
14109
14110
14111
14112
14113
14114
14115
14116
14117
14118
14119
14120
14121
14122
14123
14124
14125
14126
14127
14128
14129
14130
14131
14132
14133
14134
14135
14136
14137
14138
14139
14140
14141
14142
14143
14144
14145
14146
14147
14148
14149
14150
14151
14152
14153
14154
14155
14156
14157
14158
14159
14160
14161
14162
14163
14164
14165
14166
14167
14168
14169
14170
14171
14172
14173
14174
14175
14176
14177
14178
14179
14180
14181
14182
14183
14184
14185
14186
14187
14188
14189
14190
14191
14192
14193
14194
14195
14196
14197
14198
14199
14200
14201
14202
14203
14204
14205
14206
14207
14208
14209
14210
14211
14212
14213
14214
14215
14216
14217
14218
14219
14220
14221
14222
14223
14224
14225
14226
14227
14228
14229
14230
14231
14232
14233
14234
14235
14236
14237
14238
14239
14240
14241
14242
14243
14244
14245
14246
14247
14248
14249
14250
14251
14252
14253
14254
14255
14256
14257
14258
14259
14260
14261
14262
14263
14264
14265
14266
14267
14268
14269
14270
14271
14272
14273
14274
14275
14276
14277
14278
14279
14280
14281
14282
14283
14284
14285
14286
14287
14288
14289
14290
14291
14292
14293
14294
14295
14296
14297
14298
14299
14300
14301
14302
14303
14304
14305
14306
14307
14308
14309
14310
14311
14312
14313
14314
14315
14316
14317
14318
14319
14320
14321
14322
14323
14324
14325
14326
14327
14328
14329
14330
14331
14332
14333
14334
14335
14336
14337
14338
14339
14340
14341
14342
14343
14344
14345
14346
14347
14348
14349
14350
14351
14352
14353
14354
14355
14356
14357
14358
14359
14360
14361
14362
14363
14364
14365
14366
14367
14368
14369
14370
14371
14372
14373
14374
14375
14376
14377
14378
14379
14380
14381
14382
14383
14384
14385
14386
14387
14388
14389
14390
14391
14392
14393
14394
14395
14396
14397
14398
14399
14400
14401
14402
14403
14404
14405
14406
14407
14408
14409
14410
14411
14412
14413
14414
14415
14416
14417
14418
14419
14420
14421
14422
14423
14424
14425
14426
14427
14428
14429
14430
14431
14432
14433
14434
14435
14436
14437
14438
14439
14440
14441
14442
14443
14444
14445
14446
14447
14448
14449
14450
14451
14452
14453
14454
14455
14456
14457
14458
14459
14460
14461
14462
14463
14464
14465
14466
14467
14468
14469
14470
14471
14472
14473
14474
14475
14476
14477
14478
14479
14480
14481
14482
14483
14484
14485
14486
14487
14488
14489
14490
14491
14492
14493
14494
14495
14496
14497
14498
14499
14500
14501
14502
14503
14504
14505
14506
14507
14508
14509
14510
14511
14512
14513
14514
14515
14516
14517
14518
14519
14520
14521
14522
14523
14524
14525
14526
14527
14528
14529
14530
14531
14532
14533
14534
14535
14536
14537
14538
14539
14540
14541
14542
14543
14544
14545
14546
14547
14548
14549
14550
14551
14552
14553
14554
14555
14556
14557
14558
14559
14560
14561
14562
14563
14564
14565
14566
14567
14568
14569
14570
14571
14572
14573
14574
14575
14576
14577
14578
14579
14580
14581
14582
14583
14584
14585
14586
14587
14588
14589
14590
14591
14592
14593
14594
14595
14596
14597
14598
14599
14600
14601
14602
14603
14604
14605
14606
14607
14608
14609
14610
14611
14612
14613
14614
14615
14616
14617
14618
14619
14620
14621
14622
14623
14624
14625
14626
14627
14628
14629
14630
14631
14632
14633
14634
14635
14636
14637
14638
14639
14640
14641
14642
14643
14644
14645
14646
14647
14648
14649
14650
14651
14652
14653
14654
14655
14656
14657
14658
14659
14660
14661
14662
14663
14664
14665
14666
14667
14668
14669
14670
14671
14672
14673
14674
14675
14676
14677
14678
14679
14680
14681
14682
14683
14684
14685
14686
14687
14688
14689
14690
14691
14692
14693
14694
14695
14696
14697
14698
14699
14700
14701
14702
14703
14704
14705
14706
14707
14708
14709
14710
14711
14712
14713
14714
14715
14716
14717
14718
14719
14720
14721
14722
14723
14724
14725
14726
14727
14728
14729
14730
14731
14732
14733
14734
14735
14736
14737
14738
14739
14740
14741
14742
14743
14744
14745
14746
14747
14748
14749
14750
14751
14752
14753
14754
14755
14756
14757
14758
14759
14760
14761
14762
14763
14764
14765
14766
14767
14768
14769
14770
14771
14772
14773
14774
14775
14776
14777
14778
14779
14780
14781
14782
14783
14784
14785
14786
14787
14788
14789
14790
14791
14792
14793
14794
14795
14796
14797
14798
14799
14800
14801
14802
14803
14804
14805
14806
14807
14808
14809
14810
14811
14812
14813
14814
14815
14816
14817
14818
14819
14820
14821
14822
14823
14824
14825
14826
14827
14828
14829
14830
14831
14832
14833
14834
14835
14836
14837
14838
14839
14840
14841
14842
14843
14844
14845
14846
14847
14848
14849
14850
14851
14852
14853
14854
14855
14856
14857
14858
14859
14860
14861
14862
14863
14864
14865
14866
14867
14868
14869
14870
14871
14872
14873
14874
14875
14876
14877
14878
14879
14880
14881
14882
14883
14884
14885
14886
14887
14888
14889
14890
14891
14892
14893
14894
14895
14896
14897
14898
14899
14900
14901
14902
14903
14904
14905
14906
14907
14908
14909
14910
14911
14912
14913
14914
14915
14916
14917
14918
14919
14920
14921
14922
14923
14924
14925
14926
14927
14928
14929
14930
14931
14932
14933
14934
14935
14936
14937
14938
14939
14940
14941
14942
14943
14944
14945
14946
14947
14948
14949
14950
14951
14952
14953
14954
14955
14956
14957
14958
14959
14960
14961
14962
14963
14964
14965
14966
14967
14968
14969
14970
14971
14972
14973
14974
14975
14976
14977
14978
14979
14980
14981
14982
14983
14984
14985
14986
14987
14988
14989
14990
14991
14992
14993
14994
14995
14996
14997
14998
14999
15000
+ * the IUT being in the 'authorized' state
+ * the IUT being requested to include certificate in the next CAM
+ * }
+ * Expected Behaviour:
+ * ensure that {
+ * when {
+ * the IUT is requested to send a CAM
+ * } then {
+ * the IUT sends a SecuredMessage
+ * containing header_fields['signer_info'].signer
+ * containing type
+ * indicating 'certificate_chain'
+ * containing certificates
+ * indicating length N > 1
+ * and indicating certificates[n] (0..N)
+ * containing signature.ecdsa_signature
+ * containing subject_attributes['verification_key']
+ * indicating compressed_lsb_y_0
+ * or indicating compressed_lsb_y_1
+ * or indicating uncompressed
+ * }
+ * }
+ * </pre>
+ * @see ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_10_02_BV
+ * @reference ETSI TS 103 097 [1], clause 4.2.4
+ */
+ testcase TC_SEC_ITSS_SND_CERT_10_02_BV() runs on ItsGeoNetworking system ItsSecSystem {
+ // Local variables
+ var GeoNetworkingInd v_geoNwInd;
+ var SignerInfo v_si;
+ var CertificateChain v_chain;
+ var integer v_counter;
+
+ // Test control
+ if (not(PICS_GN_SECURITY)) {
+ log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
+ stop;
+ }
+
+ // Test component configuration
+ f_cf01Up();
+
+ // Test adapter configuration
+
+ // Preamble
+ f_prNeighbour();
+ f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
+
+ // Test Body
+ tc_ac.start;
+ alt {
+ [] geoNetworkingPort.receive(
+ mw_geoNwInd(
+ mw_geoNwSecPdu(
+ mdw_securedMessage(
+ superset(
+ mw_header_field_signer_info_certificate_chain
+ ))))) {
+ tc_ac.stop;
+ // Check certificate chain
+ if (f_getMsgSignerInfo(f_getSecuredMessage(v_geoNwInd.msgIn), v_si)) {
+ v_chain := v_si.signerInfo.certificates;
+ for (v_counter := lengthof(v_chain) - 1; v_counter > 0; v_counter := v_counter - 1 ) {
+ if (
+ (not match(v_chain[v_counter], mw_certificate(?, ?, superset(mw_subject_attribute_verification_key(mw_publicKey_eccPoint_compressed_lsb_y_0))))) and
+ (not match(v_chain[v_counter], mw_certificate(?, ?, superset(mw_subject_attribute_verification_key(mw_publicKey_eccPoint_compressed_lsb_y_1))))) and
+ (not match(v_chain[v_counter], mw_certificate(?, ?, superset(mw_subject_attribute_verification_key(mw_publicKey_eccPoint_uncompressed)))))
+ ) {
+ log("*** " & testcasename() & ": FAIL: Wrong verification key algorithm ***");
+ f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
+ }
+ } // End of 'for' statement
+ }
+ log("*** " & testcasename() & ": PASS: All certificates in a chain have the correct verification key ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
+ }
+ [] tc_ac.timeout {
+ log("*** " & testcasename() & ": INCONC: Expected message not received ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
+ }
+ } // End of 'alt' statement
+
+ // Postamble
+ f_poNeighbour();
+ f_cf01Down();
+
+ } // End of testcase TC_SEC_ITSS_SND_CERT_10_02_BV
+
+ /**
+ * @desc Check the certificate signature
+ * <pre>
+ * Pics Selection: PICS_GN_SECURITY
+ * Config Id: CF01
+ * Initial conditions:
+ * with {
+ * the IUT being in the 'authorized' state
+ * the IUT being requested to include certificate in the next CAM
+ * } ensure that {
+ * when {
+ * the IUT is requested to send a CAM
+ * } then {
+ * the IUT sends a SecuredMessage
+ * containing header_fields['signer_info'].signer
+ * containing type
+ * indicating 'certificate'
+ * ND containing certificate
+ * containing signer_info
+ * containing type
+ * indicating 'certificate_digest_with_sha256'
+ * containing digest
+ * referenced to the certificate CERT
+ * and containing signature
+ * verifiable using CERT.subject_attributes['verification_key'].key
+ * }
+ * }
+ * </pre>
+ * @see ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_09_01_BV
+ * @reference ETSI TS 103 097 [1], clauses 6.1 and 7.4.1
+ */
+ testcase TC_SEC_ITSS_SND_CERT_11_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
+ // Local declarations
+ var GeoNetworkingInd v_geoNwInd;
+ var Certificate v_at_cert;
+ var Certificate v_aa_cert;
+ var HashedId8 v_aa_digest;
+ var SignerInfo v_si;
+ var integer v_counter;
+
+ // Test control
+ if (not(PICS_GN_SECURITY)) {
+ log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
+ stop;
+ }
+
+ // Test component configuration
+ f_cf01Up();
+
+ // Test adapter configuration
+
+ // Preamble
+ f_prNeighbour();
+ f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
+
+ // Wait for the message with the certificate to get the AA cert digest.
+ // Ask for the chain, containing AT and AA certificate
+ // Check that the AT cert in the first message is signed with the AA cert
+ log("*** " & testcasename() & ": INFO: Waiting for the message containing certificate ***");
+ tc_ac.start;
+ if (not f_waitForCertificate(v_at_cert)) {
+ log("*** " & testcasename() & ": INCONC: Expected message not received ***");
+ f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
+ }
+ tc_ac.stop;
+
+ if (true != f_getCertificateSignerInfo(v_at_cert, v_si)) {
+ log("*** " & testcasename() & ": FAIL: AT Certificate signer info is unknown ***");
+ f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
+ }
+ if (v_si.type_ != e_certificate_digest_with_sha256) {
+ log("*** " & testcasename() & ": FAIL: AT Certificate is not signed well ***");
+ f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
+ }
+ v_aa_digest := v_si.signerInfo.digest;
+
+ // Send a certificate request to the IUT
+ f_sendCertificateRequest(v_aa_digest, f_generateDefaultCam());
+
+ // Test Body
+ tc_ac.start;
+ alt {
+ [] geoNetworkingPort.receive(
+ mw_geoNwInd(
+ mw_geoNwSecPdu(
+ mdw_securedMessage(
+ superset(
+ mw_header_field_signer_info_certificate_chain
+ ))))) -> value v_geoNwInd {
+ var SecuredMessage v_secMsg;
+ var integer v_chainLength;
+ tc_ac.stop;
+ // Check certificate chain
+
+ if (f_getMsgSignerInfo(f_getSecuredMessage(v_geoNwInd.msgIn), v_si)) {
+ v_chainLength := lengthof(v_si.signerInfo.certificates);
+ if (v_chainLength < 2 ) {
+ log("*** " & testcasename() & ": FAIL: Certificate chain doesn't contain the AA cert ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+ }
+ // get aa cert
+ v_aa_cert := v_si.signerInfo.certificates[v_chainLength-2];
+ if (not match (v_aa_digest, f_calculateDigestFromCertificate(v_aa_cert))) {
+ log("*** " & testcasename() & ": FAIL: AT certificate was not signed with the given AA cert ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+ }
+
+ // Check that at cert is signed with aa cert
+ if (false == f_verifyCertificateSignatureWithIssuingCertificate(v_at_cert, v_aa_cert)) {
+ log("*** " & testcasename() & ": FAIL: AT certificate signature error ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+ }
+
+ log("*** " & testcasename() & ": PASS: AT certificate was well signed with AA certificate ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
+ } else {
+ log("*** " & testcasename() & ": FAIL: The message signer info is unknown ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+ }
+ }
+ [] tc_ac.timeout {
+ log("*** " & testcasename() & ": INCONC: Expected message not received ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
+ }
+ } // End of 'alt' statement
+
+ // Postamble
+ f_poNeighbour();
+ f_cf01Down();
+
+ } // End of testcase TC_SEC_ITSS_SND_CERT_11_01_BV
+
+ /**
+ * @desc Check the signatures of the certificates in the chain
+ * <pre>
+ * Pics Selection: PICS_GN_SECURITY
+ * Config Id: CF01
+ * Initial conditions:
+ * with {
+ * the IUT being in the 'authorized' state
+ * the IUT being requested to include certificate chain in the next CAM
+ * } ensure that {
+ * when {
+ * the IUT is requested to send a CAM
+ * } then {
+ * the IUT sends a SecuredMessage
+ * containing header_fields['signer_info'].signer
+ * containing type
+ * indicating 'certificate_chain'
+ * and containing certificates
+ * indicating length N > 1
+ * and containing certificate[0]
+ * containing signer_info
+ * containing type
+ * indicating 'certificate_digest_with_sha256'
+ * and containing digest
+ * referenced to the trusted certificate (CERT_ROOT)
+ * and containing signature
+ * verifiable using CERTIFICATES[N-1].subject_attributes['verification_key'].key
+ * and containing certificates[n] (1..N)
+ * containing signer_info {
+ * containing type
+ * indicating 'certificate_digest_with_sha256'
+ * and containing digest
+ * referenced to the certificates[n-1]
+ * and containing signature
+ * verifiable using certificates[n-1].subject_attributes['verification_key'].key
+ * }
+ * }
+ * </pre>
+ * @see ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_09_02_BV
+ * @reference ETSI TS 103 097 [1], clauses 6.1 and 7.4.1
+ */
+ testcase TC_SEC_ITSS_SND_CERT_11_02_BV() runs on ItsGeoNetworking system ItsSecSystem {
+ // Local declarations
+ var GeoNetworkingInd v_geoNwInd;
+ var Certificate v_cert;
+ var CertificateChain v_chain;
+ var SignerInfo v_si;
+ var HashedId8 v_digest;
+ var integer v_counter;
+
+ // Test control
+ if (not(PICS_GN_SECURITY)) {
+ log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
+ stop;
+ }
+
+ // Test component configuration
+ f_cf01Up();
+
+ // Test adapter configuration
+
+ // Preamble
+ f_prNeighbour();
+ f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
+
+ // Wait for the message with the certificate to get the AA cert digest.
+ // Ask for the chain, containing AT and AA certificate
+ // Check that the AT cert in the first message is signed with the AA cert
+ log("*** " & testcasename() & ": INFO: Waiting for the message containing certificate and ask for a certificate chain ***");
+ tc_ac.start;
+ f_askForCertificateChain(f_generateDefaultCam());
+ tc_ac.stop;
+
+ // Test Body
+ tc_ac.start;
+ alt {
+ [] geoNetworkingPort.receive(
+ mw_geoNwInd(
+ mw_geoNwSecPdu(
+ mdw_securedMessage(
+ superset(
+ mw_header_field_signer_info_certificate_chain
+ ))))) -> value v_geoNwInd {
+ var SecuredMessage v_secMsg;
+ var integer v_chainLength;
+ tc_ac.stop;
+ // Check certificate chain
+ if (f_getMsgSignerInfo(f_getSecuredMessage(v_geoNwInd.msgIn), v_si)) {
+ v_chain := v_si.signerInfo.certificates;
+ for (v_counter := lengthof(v_chain) - 1; v_counter > 0; v_counter := v_counter - 1 ) {
+ if (not f_getCertificateSignerInfo(v_chain[v_counter], v_si)) {
+ log("*** " & testcasename() & ": FAIL: Certificate "&int2str(v_counter) & " doesn't have a signer info ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+ }
+ if (v_si.type_ != e_certificate_digest_with_sha256) {
+ log("*** " & testcasename() & ": FAIL: Certificate is not signed with digest ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+ }
+ // Check that cert is signed by issuing cert
+ v_digest := f_calculateDigestFromCertificate(v_chain[v_counter - 1]);
+ if (not match (v_si.signerInfo.digest, v_digest)) {
+ log("*** " & testcasename() & ": FAIL: Certificate chain is not valid ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+ }
+ // Check that the signature is valid
+ if (false == f_verifyCertificateSignatureWithIssuingCertificate(v_chain[v_counter], v_chain[v_counter - 1])) {
+ log("*** " & testcasename() & ": FAIL: AT certificate signature error ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+ }
+ } // End of 'for' statement
+
+ log("*** " & testcasename() & ": PASS: All certificates in the chain signed by it's issuing certs ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
+ } else {
+ log("*** " & testcasename() & ": FAIL: The message signer info is unknown ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+ }
+ }
+ [] tc_ac.timeout {
+ log("*** " & testcasename() & ": INCONC: Expected message not received ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
+ }
+ }
+
+ // Postamble
+ f_poNeighbour();
+ f_cf01Down();
+
+ } // End of testcase TC_SEC_ITSS_SND_CERT_11_02_BV
+
+ /**
+ * @desc Check that the assurance level of the subordinate certificate is equal to or less than the assurance level of the issuing certificate
+ * <pre>
+ * Pics Selection: PICS_GN_SECURITY and PICS_CERTIFICATE_SELECTION
+ * Config Id: CF01
+ * with {
+ * the IUT being in the 'authorized' state
+ * the IUT being requested to include certificate chain in the next CAM
+ * } ensure that {
+ * when {
+ * the IUT is requested to send a CAM
+ * } then {
+ * the IUT sends a SecuredMessage
+ * containing header_fields['signer_info'].signer
+ * containing type
+ * indicating 'certificate_chain'
+ * containing certificates
+ * indicating length N > 1
+ * and containing certificates[n](0..N)
+ * containing subject_attributes ['assurance_level']
+ * containig assurance_level
+ * containing bits [5-7]
+ * indicating assurance level CERT_AL
+ * and containing signer_info
+ * containing digest
+ * referenced to the certificate
+ * containing subject_attributes ['assurance_level']
+ * containing assurance_level
+ * containing bits [5-7]
+ * indicating value <= CERT_AL
+ * }
+ * }
+ * </pre>
+ * @see ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_12_01_BV
+ * @reference ETSI TS 103 097 [1], clause 7.4.1
+ */
+ testcase TC_SEC_ITSS_SND_CERT_12_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
+ var CertificateChain v_chain;
+ var Certificate v_aa_cert, v_at_cert;
+ var SubjectAttribute v_sa;
+ var SubjectAssurance v_aa_assurance_level, v_at_assurance_level;
+
+ // Test control
+ if (not(PICS_GN_SECURITY)) {
+ log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
+ stop;
+ }
+
+ // Test component configuration
+ f_cf01Up();
+
+ // Test adapter configuration
+
+ // Preamble
+ f_prNeighbour();
+ f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
+
+ // Test Body
+ log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain ***");
+ tc_ac.start;
+ if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
+ log("*** " & testcasename() & ": INCONC: Expected message not received ***");
+ f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
+ }
+ tc_ac.stop;
+ if (lengthof(v_chain) < 2) {
+ log("*** " & testcasename() & ": FAIL: Certificate chain is too short ***");
+ f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
+ }
+ v_aa_cert := v_chain[lengthof(v_chain) - 2];
+ v_at_cert := v_chain[lengthof(v_chain) - 1];
+ if (not f_getCertificateSubjectAttribute(v_aa_cert, e_assurance_level, v_sa)) {
+ log("*** " & testcasename() & ": FAIL: AA certificate does not contain its_aid_list subject attribute ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+ }
+ v_aa_assurance_level := v_sa.attribute.assurance_level;
+
+ if (not f_getCertificateSubjectAttribute(v_at_cert, e_assurance_level, v_sa)) {
+ log("*** " & testcasename() & ": FAIL: AA certificate does not contain its_aid_list subject attribute ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+ }
+ v_at_assurance_level := v_sa.attribute.assurance_level;
+
+ if (bit2int(v_aa_assurance_level.levels) < bit2int(v_at_assurance_level.levels)) {
+ log("*** " & testcasename() & ": FAIL: The assurence levels mismatch ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+ } else {
+ log("*** " & testcasename() & ": PASS: The assurence levels match ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
+ }
+
+ // Postamble
+ f_poNeighbour();
+ f_cf01Down();
+ } // End of testcase TC_SEC_ITSS_SND_CERT_12_01_BV
+
+ /**
+ * @desc Sending behaviour test cases for AA certificate profil
+ * @see ETSI TS 103 096-2 V1.2.2 (2016-01) Clause 5.2.7.7 AA certificate profile
+ */
+ group AA_Certificates {
+
+ /**
+ * @desc Check that the subject_type of the AA certificate is set to authorization_authority
+ * <pre>
+ * Pics Selection: PICS_GN_SECURITY
+ * Config Id: CF01
+ * with {
+ * the IUT being in the 'authorized' state
+ * the IUT being requested to include certificate chain in the next CAM
+ * } ensure that {
+ * when {
+ * the IUT is requested to send a CAM
+ * } then {
+ * the IUT sends a SecuredMessage
+ * containing header_fields['signer_info'].signer
+ * containing type
+ * indicating 'certificate_chain'
+ * containing certificates[last-1]
+ * containing subject_info.subject_type
+ * indicating 'authorization_authority' (2)
+ * }
+ * }
+ * </pre>
+ * @see ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_AA_01_01_BV
+ * @reference ETSI TS 103 097 [1], clause 7.4.4
+ */
+ testcase TC_SEC_ITSS_SND_CERT_AA_01_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
+ var CertificateChain v_chain;
+
+ // Test control
+ if (not(PICS_GN_SECURITY)) {
+ log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
+ stop;
+ }
+
+ // Test component configuration
+ f_cf01Up();
+
+ // Test adapter configuration
+
+ // Preamble
+ f_prNeighbour();
+ f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
+
+ // Test Body
+ log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain ***");
+ tc_ac.start;
+ if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
+ log("*** " & testcasename() & ": INCONC: Expected message not received ***");
+ f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
+ }
+ tc_ac.stop;
+ if (lengthof(v_chain) < 2) {
+ log("*** " & testcasename() & ": FAIL: Certificate chain is too short ***");
+ f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
+ }
+ if (not match(v_chain[lengthof(v_chain) - 2], mw_aa_certificate)) {
+ log("*** " & testcasename() & ": FAIL: AA certificate not found in the chain[last-1] ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+ }
+ log("*** " & testcasename() & ": PASS: AA certificate was found in the chain ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
+
+ // Postamble
+ f_poNeighbour();
+ f_cf01Down();
+ } // End of testcase TC_SEC_ITSS_SND_CERT_AA_01_01_BV
+
+ /**
+ * @desc Check that the AA certificsate subject_name variable-length vector contains 32 bytes maximum
+ * <pre>
+ * Pics Selection: PICS_GN_SECURITY
+ * Config Id: CF01
+ * with {
+ * the IUT being in the 'authorized' state
+ * the IUT being requested to include certificate chain in the next CAM
+ * } ensure that {
+ * when {
+ * the IUT is requested to send a CAM
+ * } then {
+ * the IUT sends a SecuredMessage
+ * containing header_fields['signer_info'].signer
+ * containing type
+ * indicating 'certificate_chain'
+ * containing certificates[last-1]
+ * containing subject_info.subject_name
+ * indicating length <= 32 bytes
+ * }
+ * }
+ * </pre>
+ * @see ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_AA_02_01_BV
+ * @reference ETSI TS 103 097 [1], clause 6.2
+ */
+ testcase TC_SEC_ITSS_SND_CERT_AA_02_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
+ var CertificateChain v_chain;
+
+ // Test control
+ if (not(PICS_GN_SECURITY)) {
+ log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
+ stop;
+ }
+
+ // Test component configuration
+ f_cf01Up();
+
+ // Test adapter configuration
+
+ // Preamble
+ f_prNeighbour();
+ f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
+
+ // Test Body
+ log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain ***");
+ tc_ac.start;
+ if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
+ log("*** " & testcasename() & ": INCONC: Expected message not received ***");
+ f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
+ }
+ tc_ac.stop;
+ if (lengthof(v_chain) < 2) {
+ log("*** " & testcasename() & ": FAIL: Certificate chain is too short ***");
+ f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
+ }
+ // Verified automatically on decoding
+ if (lengthof(v_chain[lengthof(v_chain) - 2].subject_info.subject_name) > 32 ) {
+ log("*** " & testcasename() & ": FAIL: Subject name of the AA certificate is too long ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+ }
+ log("*** " & testcasename() & ": PASS: Subject name of the AA certificate is good ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
+
+ // Postamble
+ f_poNeighbour();
+ f_cf01Down();
+ } // End of testcase TC_SEC_ITSS_SND_CERT_AA_02_01_BV
+
+ /**
+ * @desc Check that signer_info type of AA certificates is set to 'certificate_digest_with_sha256'
+ * <pre>
+ * Pics Selection: PICS_GN_SECURITY
+ * Config Id: CF01
+ * with {
+ * the IUT being in the 'authorized' state
+ * the IUT being requested to include certificate chain in the next CAM
+ * } ensure that {
+ * when {
+ * the IUT is requested to send a CAM
+ * } then {
+ * the IUT sends a SecuredMessage
+ * containing header_fields['signer_info'].signer
+ * containing type
+ * indicating 'certificate_chain'
+ * containing certificates[last-1]
+ * containing signer_info
+ * containing type
+ * indicating 'certificate_digest_with_sha256'
+ * }
+ * }
+ * </pre>
+ * @see ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_AA_03_01_BV
+ * @reference ETSI TS 103 097 [1], clause 7.4.4
+ */
+ testcase TC_SEC_ITSS_SND_CERT_AA_03_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
+ var CertificateChain v_chain;
+ var Certificate v_aa_cert;
+
+ // Test control
+ if (not(PICS_GN_SECURITY)) {
+ log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
+ stop;
+ }
+
+ // Test component configuration
+ f_cf01Up();
+
+ // Test adapter configuration
+
+ // Preamble
+ f_prNeighbour();
+ f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
+
+ // Test Body
+ log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain ***");
+ tc_ac.start;
+ if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
+ log("*** " & testcasename() & ": INCONC: Expected message not received ***");
+ f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
+ }
+ tc_ac.stop;
+ if (lengthof(v_chain) < 2) {
+ log("*** " & testcasename() & ": FAIL: Certificate chain is too short ***");
+ f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
+ }
+ v_aa_cert := v_chain[lengthof(v_chain) - 2];
+ if (not match(v_aa_cert, mw_aa_certificate(mw_signerInfo_digest))) {
+ log("*** " & testcasename() & ": FAIL: AA certificate not signed by digest ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+ }
+ log("*** " & testcasename() & ": PASS: AA certificate is signed by digest ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
+
+ // Postamble
+ f_poNeighbour();
+ f_cf01Down();
+ } // End of testcase TC_SEC_ITSS_SND_CERT_AA_03_01_BV
+
+ /**
+ * @desc Check that AA certificate is signed by Root CA or other authority
+ * @remark There is no clear specification that AA cert shall be signed by the Root CA only
+ * <pre>
+ * Pics Selection: PICS_GN_SECURITY
+ * Config Id: CF01
+ * with {
+ * the IUT being in the 'authorized' state
+ * the IUT being requested to include certificate in the next CAM
+ * } ensure that {
+ * when {
+ * the IUT is requested to send a CAM
+ * } then {
+ * the IUT sends a SecuredMessage
+ * containing header_fields['signer_info'].signer
+ * containing type
+ * indicating 'certificate_chain'
+ * containing certificates
+ * containing certificates[last-1]
+ * containing signer_info
+ * containing type
+ * indicating 'certificate_digest_with_ecdsap256'
+ * and containing digest
+ * referencing to the trusted certificate
+ * containing subject_info.subject_type
+ * indicating 'root_ca'
+ * or indicating 'authorisation_authority'
+ * }
+ * }
+ * </pre>
+ * @see ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_AA_04_01_BV
+ * @reference ETSI TS 103 097 [1], clauses 6.3
+ */
+ testcase TC_SEC_ITSS_SND_CERT_AA_04_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
+ var CertificateChain v_chain;
+ var Certificate v_aa_cert, v_ca_cert;
+ var SignerInfo v_si;
+ var HashedId8 v_ca_digest;
+
+ // Test control
+ if (not(PICS_GN_SECURITY)) {
+ log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
+ stop;
+ }
+
+ // Test component configuration
+ f_cf01Up();
+
+ // Test adapter configuration
+
+ // Preamble
+ f_prNeighbour();
+ f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
+
+ // Test Body
+ log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain ***");
+ tc_ac.start;
+ if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
+ log("*** " & testcasename() & ": INCONC: Expected message not received ***");
+ f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
+ }
+ tc_ac.stop;
+ v_aa_cert := v_chain[lengthof(v_chain) - 2];
+ // Process signerInfo field
+ if ( true != f_getCertificateSignerInfo(v_aa_cert, v_si)) {
+ log("*** " & testcasename() & ": FAIL: AA certificate must contain SignerInfo fields ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+ }
+ if (v_si.type_ == e_certificate_digest_with_sha256) {
+ log("*** " & testcasename() & ": FAIL: AA certificate must contain SignerInfo field containing a certificate_digest_with_ecdsap256 ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+ }
+
+ f_readCertificate(cc_taCert_CA, v_ca_cert);
+ v_ca_digest := f_calculateDigestFromCertificate(v_ca_cert);
+
+ if (not match(v_aa_cert, mw_aa_certificate(mw_signerInfo_digest(v_ca_digest)))) {
+ log("*** " & testcasename() & ": FAIL: AA certificate signer info doesn't reference the CA certificate from the chain ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+ }
+
+ if (not f_verifyCertificateSignatureWithIssuingCertificate(v_aa_cert, v_ca_cert)) {
+ log("*** " & testcasename() & ": FAIL: AT certificate signature verification failed ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+ }
+
+ log("*** " & testcasename() & ": PASS: AA certificate was signed by the CA certificate from the given chain ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
+
+ // Postamble
+ f_poNeighbour();
+ f_cf01Down();
+ } // End of testcase TC_SEC_ITSS_SND_CERT_AA_04_01_BV
+
+ /**
+ * @desc Check that all neccesary subject attributes are present and arranged in accesing order
+ * <pre>
+ * Pics Selection: PICS_GN_SECURITY
+ * Config Id: CF01
+ * with {
+ * the IUT being in the 'authorized' state
+ * the IUT being requested to include certificate chain in the next CAM
+ * } ensure that {
+ * when {
+ * the IUT is requested to send a CAM
+ * } then {
+ * the IUT sends a SecuredMessage
+ * containing header_fields['signer_info'].signer
+ * containing type
+ * indicating 'certificate_chain'
+ * containing certificates[last-1]
+ * containing subject_attributes [0..N]
+ * indicating subject_attributes[n].type < subject_attributes[n+ 1].type
+ * containing subject_attributes['verification_key']
+ * containing subject_attributes['assurance_level']
+ * containing subject_attributes['its_aid_list']
+ * }
+ * }
+ * </pre>
+ * @see ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_AA_05_01_BV
+ * @reference ETSI TS 103 097 [1], clauses 6.1, 7.4.1 and 7.4.4
+ */
+ testcase TC_SEC_ITSS_SND_CERT_AA_05_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
+ var CertificateChain v_chain;
+ var SubjectAttributes v_attrs;
+
+ // Test control
+ if (not(PICS_GN_SECURITY)) {
+ log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
+ stop;
+ }
+
+ // Test component configuration
+ f_cf01Up();
+
+ // Test adapter configuration
+
+ // Preamble
+ f_prNeighbour();
+ f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
+
+ // Test Body
+ log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain ***");
+ tc_ac.start;
+ if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
+ log("*** " & testcasename() & ": INCONC: Expected message not received ***");
+ f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
+ }
+ tc_ac.stop;
+ if (lengthof(v_chain) < 2) {
+ log("*** " & testcasename() & ": FAIL: Certificate chain is too short ***");
+ f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
+ }
+ if (not match(v_chain[lengthof(v_chain) - 2],
+ mw_aa_certificate(?,
+ superset(mw_subject_attribute_verification_key,
+ mw_subject_attribute_assurance_level,
+ mw_subject_attribute_its_aid_list)))
+ ) {
+ log("*** " & testcasename() & ": FAIL: Required subject attribute of AA certificate is not found ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+ }
+
+ v_attrs := v_chain[lengthof(v_chain) - 2].subject_attributes;
+ for (var integer v_counter := 1; v_counter < lengthof(v_attrs); v_counter := v_counter + 1 ) {
+ if (v_attrs[v_counter].type_ <= v_attrs[v_counter-1].type_) {
+ log("*** " & testcasename() & ": FAIL: AA certificate subject attributes are not arranged in accening order ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+ }
+ }
+
+ log("*** " & testcasename() & ": PASS: All required AA certificate subject attributes are presents ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
+
+ // Postamble
+ f_poNeighbour();
+ f_cf01Down();
+ } // End of testcase TC_SEC_ITSS_SND_CERT_AA_05_01_BV
+
+ /**
+ * @desc Check that all AIDs containing in the its_aid_list in AA certificate are unique
+ * Check that AID list contains not more then 31 items
+ * <pre>
+ * Pics Selection: PICS_GN_SECURITY
+ * Config Id: CF01
+ * with {
+ * the IUT being in the 'authorized' state
+ * the IUT being requested to include certificate chain in the next CAM
+ * } ensure that {
+ * when {
+ * the IUT is requested to send a CAM
+ * } then {
+ * the IUT sends a SecuredMessage
+ * containing header_fields['signer_info'].signer
+ * containing type
+ * indicating 'certificate_chain'
+ * containing certificates[last-1]
+ * containing subject_attributes['its_aid_list']
+ * containing its_aid_list[0..N]
+ * containing no more then 31 unique item
+ * }
+ * }
+ * </pre>
+ * @see ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_AA_08_01_BV
+ * @reference ETSI TS 103 097 [1], clauses 7.4.4
+ */
+ testcase TC_SEC_ITSS_SND_CERT_AA_08_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
+ var CertificateChain v_chain;
+ var Certificate v_aa_cert;
+ var SubjectAttribute v_sa;
+
+ // Test control
+ if (not(PICS_GN_SECURITY)) {
+ log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
+ stop;
+ }
+
+ // Test component configuration
+ f_cf01Up();
+
+ // Test adapter configuration
+
+ // Preamble
+ f_prNeighbour();
+ f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
+
+ // Test Body
+ log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain ***");
+ tc_ac.start;
+ if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
+ log("*** " & testcasename() & ": INCONC: Expected message not received ***");
+ f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
+ }
+ tc_ac.stop;
+ if (lengthof(v_chain) < 2) {
+ log("*** " & testcasename() & ": FAIL: Certificate chain is too short ***");
+ f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
+ }
+ v_aa_cert := v_chain[lengthof(v_chain) - 2];
+ if (f_getCertificateSubjectAttribute(v_aa_cert, e_its_aid_list, v_sa)) {
+
+ if (lengthof(v_sa.attribute.its_aid_list) > 31) {
+ log("*** " & testcasename() & ": FAIL: ITS-AID list contains " & int2str(lengthof(v_sa.attribute.its_aid_list)) & " items (>31) ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+ }
+
+ for (var integer v_counter :=0; v_counter < lengthof(v_sa.attribute.its_aid_list); v_counter := v_counter + 1) {
+ for (var integer j :=0; j < lengthof(v_sa.attribute.its_aid_list); j := j + 1) {
+ if (v_counter != j and v_sa.attribute.its_aid_list[v_counter] == v_sa.attribute.its_aid_list[j]) {
+ log("*** " & testcasename() & ": FAIL: ITS-AID " & int2str(v_sa.attribute.its_aid_list[j]) & " is duplicated in AA certificate ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+ }
+ }
+ } // End of 'for' statement
+ } else {
+ log("*** " & testcasename() & ": FAIL: AA certificate does not contain its_aid_list subject attribute ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+ }
+
+ log("*** " & testcasename() & ": PASS: Time validity restriction of the AA certificate is good ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
+
+ // Postamble
+ f_poNeighbour();
+ f_cf01Down();
+ } // End of testcase TC_SEC_ITSS_SND_CERT_AA_08_01_BV
+
+ /**
+ * @desc Check that all mandatory validity restrictions are present and arranged in ascending order
+ * <pre>
+ * Pics Selection: PICS_GN_SECURITY
+ * Config Id: CF01
+ * with {
+ * the IUT being in the 'authorized' state
+ * the IUT being requested to include certificate chain in the next CAM
+ * } ensure that {
+ * when {
+ * the IUT is requested to send a CAM
+ * } then {
+ * the IUT sends a SecuredMessage
+ * containing header_fields['signer_info'].signer
+ * containing type
+ * indicating 'certificate_chain'
+ * and containing certificates
+ * containing certificates[last-1]
+ * containing validity_restrictions[0..N]
+ * indicating validity_restrictions[n].type < validity_restrictions[n+1].type
+ * and containing validity_restrictions['time_start_and_end']
+ * and not containing validity_restrictions['time_end']
+ * and not containing validity_restrictions['time_start_and_duration']
+ * }
+ * }
+ * </pre>
+ * @see ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_AA_10_01_BV
+ * @reference ETSI TS 103 097 [1], clauses 6.1, 6.7 and 7.4.1
+ */
+ testcase TC_SEC_ITSS_SND_CERT_AA_10_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
+
+ // Local variables
+ var CertificateChain v_chain;
+ var Certificate v_cert;
+ var integer v_previousValidityRestrictionType;
+
+ // Test control
+ if (not(PICS_GN_SECURITY)) {
+ log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
+ stop;
+ }
+
+ // Test component configuration
+ f_cf01Up();
+
+ // Test adapter configuration
+
+ // Preamble
+ f_prNeighbour();
+ f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
+
+ log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain ***");
+ tc_ac.start;
+ if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
+ log("*** " & testcasename() & ": INCONC: Expected message not received ***");
+ f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
+ }
+ tc_ac.stop;
+
+ // Test Body
+ // Process certificate[last - 1]
+ v_cert := v_chain[lengthof(v_chain) - 2];
+ if (match(
+ v_cert.validity_restrictions,
+ superset(
+ mw_validity_restriction_time_end,
+ mw_validity_restriction_time_start_and_duration
+ )
+ )) {
+ log("*** " & testcasename() & ": FAIL: certificate[last-2] must not contain time_end and time_start_and_duration restrictions ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+ }
+
+ for (var integer v_counter := 1; v_counter < lengthof(v_cert.validity_restrictions); v_counter := v_counter + 1) {
+ // Check forbidden header
+ if (v_cert.validity_restrictions[v_counter].type_ != e_time_start_and_end) { // FIXME To be reviewed