Skip to content
titanization.patch 1.83 MiB
Newer Older
14001 14002 14003 14004 14005 14006 14007 14008 14009 14010 14011 14012 14013 14014 14015 14016 14017 14018 14019 14020 14021 14022 14023 14024 14025 14026 14027 14028 14029 14030 14031 14032 14033 14034 14035 14036 14037 14038 14039 14040 14041 14042 14043 14044 14045 14046 14047 14048 14049 14050 14051 14052 14053 14054 14055 14056 14057 14058 14059 14060 14061 14062 14063 14064 14065 14066 14067 14068 14069 14070 14071 14072 14073 14074 14075 14076 14077 14078 14079 14080 14081 14082 14083 14084 14085 14086 14087 14088 14089 14090 14091 14092 14093 14094 14095 14096 14097 14098 14099 14100 14101 14102 14103 14104 14105 14106 14107 14108 14109 14110 14111 14112 14113 14114 14115 14116 14117 14118 14119 14120 14121 14122 14123 14124 14125 14126 14127 14128 14129 14130 14131 14132 14133 14134 14135 14136 14137 14138 14139 14140 14141 14142 14143 14144 14145 14146 14147 14148 14149 14150 14151 14152 14153 14154 14155 14156 14157 14158 14159 14160 14161 14162 14163 14164 14165 14166 14167 14168 14169 14170 14171 14172 14173 14174 14175 14176 14177 14178 14179 14180 14181 14182 14183 14184 14185 14186 14187 14188 14189 14190 14191 14192 14193 14194 14195 14196 14197 14198 14199 14200 14201 14202 14203 14204 14205 14206 14207 14208 14209 14210 14211 14212 14213 14214 14215 14216 14217 14218 14219 14220 14221 14222 14223 14224 14225 14226 14227 14228 14229 14230 14231 14232 14233 14234 14235 14236 14237 14238 14239 14240 14241 14242 14243 14244 14245 14246 14247 14248 14249 14250 14251 14252 14253 14254 14255 14256 14257 14258 14259 14260 14261 14262 14263 14264 14265 14266 14267 14268 14269 14270 14271 14272 14273 14274 14275 14276 14277 14278 14279 14280 14281 14282 14283 14284 14285 14286 14287 14288 14289 14290 14291 14292 14293 14294 14295 14296 14297 14298 14299 14300 14301 14302 14303 14304 14305 14306 14307 14308 14309 14310 14311 14312 14313 14314 14315 14316 14317 14318 14319 14320 14321 14322 14323 14324 14325 14326 14327 14328 14329 14330 14331 14332 14333 14334 14335 14336 14337 14338 14339 14340 14341 14342 14343 14344 14345 14346 14347 14348 14349 14350 14351 14352 14353 14354 14355 14356 14357 14358 14359 14360 14361 14362 14363 14364 14365 14366 14367 14368 14369 14370 14371 14372 14373 14374 14375 14376 14377 14378 14379 14380 14381 14382 14383 14384 14385 14386 14387 14388 14389 14390 14391 14392 14393 14394 14395 14396 14397 14398 14399 14400 14401 14402 14403 14404 14405 14406 14407 14408 14409 14410 14411 14412 14413 14414 14415 14416 14417 14418 14419 14420 14421 14422 14423 14424 14425 14426 14427 14428 14429 14430 14431 14432 14433 14434 14435 14436 14437 14438 14439 14440 14441 14442 14443 14444 14445 14446 14447 14448 14449 14450 14451 14452 14453 14454 14455 14456 14457 14458 14459 14460 14461 14462 14463 14464 14465 14466 14467 14468 14469 14470 14471 14472 14473 14474 14475 14476 14477 14478 14479 14480 14481 14482 14483 14484 14485 14486 14487 14488 14489 14490 14491 14492 14493 14494 14495 14496 14497 14498 14499 14500 14501 14502 14503 14504 14505 14506 14507 14508 14509 14510 14511 14512 14513 14514 14515 14516 14517 14518 14519 14520 14521 14522 14523 14524 14525 14526 14527 14528 14529 14530 14531 14532 14533 14534 14535 14536 14537 14538 14539 14540 14541 14542 14543 14544 14545 14546 14547 14548 14549 14550 14551 14552 14553 14554 14555 14556 14557 14558 14559 14560 14561 14562 14563 14564 14565 14566 14567 14568 14569 14570 14571 14572 14573 14574 14575 14576 14577 14578 14579 14580 14581 14582 14583 14584 14585 14586 14587 14588 14589 14590 14591 14592 14593 14594 14595 14596 14597 14598 14599 14600 14601 14602 14603 14604 14605 14606 14607 14608 14609 14610 14611 14612 14613 14614 14615 14616 14617 14618 14619 14620 14621 14622 14623 14624 14625 14626 14627 14628 14629 14630 14631 14632 14633 14634 14635 14636 14637 14638 14639 14640 14641 14642 14643 14644 14645 14646 14647 14648 14649 14650 14651 14652 14653 14654 14655 14656 14657 14658 14659 14660 14661 14662 14663 14664 14665 14666 14667 14668 14669 14670 14671 14672 14673 14674 14675 14676 14677 14678 14679 14680 14681 14682 14683 14684 14685 14686 14687 14688 14689 14690 14691 14692 14693 14694 14695 14696 14697 14698 14699 14700 14701 14702 14703 14704 14705 14706 14707 14708 14709 14710 14711 14712 14713 14714 14715 14716 14717 14718 14719 14720 14721 14722 14723 14724 14725 14726 14727 14728 14729 14730 14731 14732 14733 14734 14735 14736 14737 14738 14739 14740 14741 14742 14743 14744 14745 14746 14747 14748 14749 14750 14751 14752 14753 14754 14755 14756 14757 14758 14759 14760 14761 14762 14763 14764 14765 14766 14767 14768 14769 14770 14771 14772 14773 14774 14775 14776 14777 14778 14779 14780 14781 14782 14783 14784 14785 14786 14787 14788 14789 14790 14791 14792 14793 14794 14795 14796 14797 14798 14799 14800 14801 14802 14803 14804 14805 14806 14807 14808 14809 14810 14811 14812 14813 14814 14815 14816 14817 14818 14819 14820 14821 14822 14823 14824 14825 14826 14827 14828 14829 14830 14831 14832 14833 14834 14835 14836 14837 14838 14839 14840 14841 14842 14843 14844 14845 14846 14847 14848 14849 14850 14851 14852 14853 14854 14855 14856 14857 14858 14859 14860 14861 14862 14863 14864 14865 14866 14867 14868 14869 14870 14871 14872 14873 14874 14875 14876 14877 14878 14879 14880 14881 14882 14883 14884 14885 14886 14887 14888 14889 14890 14891 14892 14893 14894 14895 14896 14897 14898 14899 14900 14901 14902 14903 14904 14905 14906 14907 14908 14909 14910 14911 14912 14913 14914 14915 14916 14917 14918 14919 14920 14921 14922 14923 14924 14925 14926 14927 14928 14929 14930 14931 14932 14933 14934 14935 14936 14937 14938 14939 14940 14941 14942 14943 14944 14945 14946 14947 14948 14949 14950 14951 14952 14953 14954 14955 14956 14957 14958 14959 14960 14961 14962 14963 14964 14965 14966 14967 14968 14969 14970 14971 14972 14973 14974 14975 14976 14977 14978 14979 14980 14981 14982 14983 14984 14985 14986 14987 14988 14989 14990 14991 14992 14993 14994 14995 14996 14997 14998 14999 15000
+             *   the IUT being in the 'authorized' state
+             *   the IUT being requested to include certificate in the next CAM
+             * }
+             * Expected Behaviour:
+             * ensure that {
+             *    when {
+             *     the IUT is requested to send a CAM
+             *   } then {
+             *     the IUT sends a SecuredMessage
+             *         containing header_fields['signer_info'].signer
+             *             containing type
+             *                 indicating 'certificate_chain'
+             *             containing certificates
+             *                 indicating length N > 1
+             *                 and indicating certificates[n] (0..N)
+             *                     containing signature.ecdsa_signature
+             *                         containing subject_attributes['verification_key']
+             *                             indicating compressed_lsb_y_0
+             *                             or indicating compressed_lsb_y_1 
+             *                             or indicating uncompressed 
+             *   }
+             * }
+             * </pre>
+             * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_10_02_BV
+             * @reference   ETSI TS 103 097 [1], clause 4.2.4
+             */
+            testcase TC_SEC_ITSS_SND_CERT_10_02_BV() runs on ItsGeoNetworking system ItsSecSystem {
+                // Local variables
+                var GeoNetworkingInd v_geoNwInd;
+                var SignerInfo       v_si;
+                var CertificateChain v_chain;
+                var integer          v_counter;
+                                
+                // Test control
+                if (not(PICS_GN_SECURITY)) {
+                    log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
+                    stop;
+                }
+                
+                // Test component configuration
+                f_cf01Up();
+                
+                // Test adapter configuration
+                
+                // Preamble
+                f_prNeighbour();
+                f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
+                
+                // Test Body
+                tc_ac.start;
+                alt {
+                    [] geoNetworkingPort.receive(
+                        mw_geoNwInd(
+                            mw_geoNwSecPdu(
+                                mdw_securedMessage(
+                                    superset(
+                                        mw_header_field_signer_info_certificate_chain
+                    ))))) {
+                        tc_ac.stop;
+                        // Check certificate chain
+                        if (f_getMsgSignerInfo(f_getSecuredMessage(v_geoNwInd.msgIn), v_si)) {
+                            v_chain  :=  v_si.signerInfo.certificates;
+                            for (v_counter := lengthof(v_chain) - 1; v_counter > 0; v_counter := v_counter - 1 ) {
+                                if (
+                                    (not match(v_chain[v_counter], mw_certificate(?, ?, superset(mw_subject_attribute_verification_key(mw_publicKey_eccPoint_compressed_lsb_y_0))))) and
+                                    (not match(v_chain[v_counter], mw_certificate(?, ?, superset(mw_subject_attribute_verification_key(mw_publicKey_eccPoint_compressed_lsb_y_1))))) and
+                                    (not match(v_chain[v_counter], mw_certificate(?, ?, superset(mw_subject_attribute_verification_key(mw_publicKey_eccPoint_uncompressed)))))
+                                ) {
+                                    log("*** " & testcasename() & ": FAIL: Wrong verification key algorithm ***");
+                                    f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
+                                }
+                            } // End of 'for' statement
+                        }
+                        log("*** " & testcasename() & ": PASS: All certificates in a chain have the correct verification key ***");
+                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
+                    }
+                    [] tc_ac.timeout {
+                        log("*** " & testcasename() & ": INCONC: Expected message not received ***");
+                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
+                    }
+                } // End of 'alt' statement
+                
+                // Postamble
+                f_poNeighbour();
+                f_cf01Down();
+                
+            } // End of testcase TC_SEC_ITSS_SND_CERT_10_02_BV
+            
+            /**
+             * @desc Check the certificate signature 
+             * <pre>
+             * Pics Selection: PICS_GN_SECURITY
+             * Config Id: CF01
+             * Initial conditions:
+             * with {
+             *   the IUT being in the 'authorized' state
+             *   the IUT being requested to include certificate in the next CAM
+             * } ensure that {
+             *    when {
+             *     the IUT is requested to send a CAM
+             *   } then {
+             *     the IUT sends a SecuredMessage
+             *       containing header_fields['signer_info'].signer
+             *         containing type
+             *           indicating 'certificate'
+             *         ND containing certificate
+             *           containing signer_info
+             *             containing type
+             *               indicating 'certificate_digest_with_sha256'
+             *             containing digest
+             *               referenced to the certificate CERT
+             *           and containing signature
+             *             verifiable using CERT.subject_attributes['verification_key'].key
+             *   }
+             * }
+             * </pre>
+             * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_09_01_BV
+             * @reference   ETSI TS 103 097 [1], clauses 6.1 and 7.4.1
+             */
+            testcase TC_SEC_ITSS_SND_CERT_11_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
+                // Local declarations
+                var GeoNetworkingInd v_geoNwInd;
+                var Certificate      v_at_cert;
+                var Certificate      v_aa_cert;
+                var HashedId8        v_aa_digest;
+                var SignerInfo       v_si;
+                var integer          v_counter;
+                
+                // Test control
+                if (not(PICS_GN_SECURITY)) {
+                    log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
+                    stop;
+                }
+                    
+                // Test component configuration
+                f_cf01Up();
+                
+                // Test adapter configuration
+                
+                // Preamble
+                f_prNeighbour();
+                f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
+                
+                // Wait for the message with the certificate to get the AA cert digest.
+                // Ask for the chain, containing AT and AA certificate
+                // Check that the AT cert in the first message is signed with the AA cert
+                log("*** " & testcasename() & ": INFO: Waiting for the message containing certificate  ***");
+                tc_ac.start;
+                if (not f_waitForCertificate(v_at_cert)) {
+                    log("*** " & testcasename() & ": INCONC: Expected message not received ***");
+                    f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
+                }
+                tc_ac.stop;
+                
+                if (true != f_getCertificateSignerInfo(v_at_cert, v_si)) {
+                    log("*** " & testcasename() & ": FAIL: AT Certificate signer info is unknown ***");
+                    f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
+                }
+                if (v_si.type_ != e_certificate_digest_with_sha256) {
+                    log("*** " & testcasename() & ": FAIL: AT Certificate is not signed well ***");
+                    f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
+                }
+                v_aa_digest := v_si.signerInfo.digest;
+                
+                // Send a certificate request to the IUT 
+                f_sendCertificateRequest(v_aa_digest, f_generateDefaultCam());
+                    
+                // Test Body
+                tc_ac.start;
+                alt {
+                    [] geoNetworkingPort.receive(
+                        mw_geoNwInd(
+                            mw_geoNwSecPdu(
+                                mdw_securedMessage(
+                                    superset(
+                                        mw_header_field_signer_info_certificate_chain
+                    ))))) -> value v_geoNwInd {
+                        var SecuredMessage v_secMsg;
+                        var integer v_chainLength;
+                        tc_ac.stop;
+                        // Check certificate chain
+                        
+                        if (f_getMsgSignerInfo(f_getSecuredMessage(v_geoNwInd.msgIn), v_si)) {
+                            v_chainLength := lengthof(v_si.signerInfo.certificates);
+                            if (v_chainLength < 2 ) {
+                                log("*** " & testcasename() & ": FAIL: Certificate chain doesn't contain the AA cert ***");
+                                f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+                            }
+                            // get aa cert
+                            v_aa_cert := v_si.signerInfo.certificates[v_chainLength-2];
+                            if (not match (v_aa_digest, f_calculateDigestFromCertificate(v_aa_cert))) {
+                                log("*** " & testcasename() & ": FAIL: AT certificate was not signed with the given AA cert ***");
+                                f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+                            }
+                            
+                            // Check that at cert is signed with aa cert
+                            if (false == f_verifyCertificateSignatureWithIssuingCertificate(v_at_cert, v_aa_cert)) {
+                                log("*** " & testcasename() & ": FAIL: AT certificate signature error ***");
+                                f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+                            }
+                            
+                            log("*** " & testcasename() & ": PASS: AT certificate was well signed with AA certificate ***");
+                            f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
+                        } else {
+                            log("*** " & testcasename() & ": FAIL: The message signer info is unknown ***");
+                            f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+                        }
+                    }
+                    [] tc_ac.timeout {
+                        log("*** " & testcasename() & ": INCONC: Expected message not received ***");
+                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
+                    }
+                } // End of 'alt' statement
+                
+                // Postamble
+                f_poNeighbour();
+                f_cf01Down();
+                
+            } // End of testcase TC_SEC_ITSS_SND_CERT_11_01_BV
+            
+            /**
+             * @desc Check the signatures of the certificates in the chain 
+             * <pre>
+             * Pics Selection: PICS_GN_SECURITY
+             * Config Id: CF01
+             * Initial conditions:
+             * with {
+             *   the IUT being in the 'authorized' state
+             *   the IUT being requested to include certificate chain in the next CAM
+             * } ensure that {
+             *    when {
+             *     the IUT is requested to send a CAM
+             *   } then {
+             *     the IUT sends a SecuredMessage
+             *         containing header_fields['signer_info'].signer
+             *           containing type
+             *               indicating 'certificate_chain'
+             *         and containing certificates
+             *             indicating length N > 1
+             *             and containing certificate[0]
+             *                 containing signer_info
+             *                     containing type
+             *                         indicating 'certificate_digest_with_sha256'
+             *                     and containing digest
+             *                         referenced to the trusted certificate (CERT_ROOT)
+             *                 and containing signature
+             *                     verifiable using CERTIFICATES[N-1].subject_attributes['verification_key'].key
+             *             and containing certificates[n] (1..N)
+             *                 containing signer_info {
+             *                     containing type
+             *                         indicating 'certificate_digest_with_sha256'
+             *                     and containing digest
+             *                         referenced to the certificates[n-1]
+             *                 and containing signature
+             *                     verifiable using certificates[n-1].subject_attributes['verification_key'].key
+             *   }
+             * }
+             * </pre>
+             * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_09_02_BV
+             * @reference   ETSI TS 103 097 [1], clauses 6.1 and 7.4.1
+             */
+            testcase TC_SEC_ITSS_SND_CERT_11_02_BV() runs on ItsGeoNetworking system ItsSecSystem {
+                // Local declarations
+                var GeoNetworkingInd v_geoNwInd;
+                var Certificate      v_cert;
+                var CertificateChain v_chain;
+                var SignerInfo       v_si;
+                var HashedId8        v_digest;
+                var integer          v_counter;
+                
+                // Test control
+                if (not(PICS_GN_SECURITY)) {
+                    log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
+                    stop;
+                }
+                
+                // Test component configuration
+                f_cf01Up();
+                
+                // Test adapter configuration
+                
+                // Preamble
+                f_prNeighbour();
+                f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
+                
+                // Wait for the message with the certificate to get the AA cert digest.
+                // Ask for the chain, containing AT and AA certificate
+                // Check that the AT cert in the first message is signed with the AA cert
+                log("*** " & testcasename() & ": INFO: Waiting for the message containing certificate and ask for a certificate chain ***");
+                tc_ac.start;
+                f_askForCertificateChain(f_generateDefaultCam());
+                tc_ac.stop;
+                    
+                // Test Body
+                tc_ac.start;
+                alt {
+                    [] geoNetworkingPort.receive(
+                        mw_geoNwInd(
+                            mw_geoNwSecPdu(
+                                mdw_securedMessage(
+                                    superset(
+                                        mw_header_field_signer_info_certificate_chain
+                    ))))) -> value v_geoNwInd {
+                        var SecuredMessage v_secMsg;
+                        var integer v_chainLength;
+                        tc_ac.stop;
+                        // Check certificate chain
+                        if (f_getMsgSignerInfo(f_getSecuredMessage(v_geoNwInd.msgIn), v_si)) {
+                            v_chain  :=  v_si.signerInfo.certificates;
+                            for (v_counter := lengthof(v_chain) - 1; v_counter > 0; v_counter := v_counter - 1 ) {
+                                if (not f_getCertificateSignerInfo(v_chain[v_counter], v_si)) {
+                                    log("*** " & testcasename() & ": FAIL: Certificate "&int2str(v_counter) & " doesn't have a signer info ***");
+                                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+                                }
+                                if (v_si.type_ != e_certificate_digest_with_sha256) {
+                                    log("*** " & testcasename() & ": FAIL: Certificate is not signed with digest ***");
+                                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+                                }
+                                // Check that cert is signed by issuing cert
+                                v_digest := f_calculateDigestFromCertificate(v_chain[v_counter - 1]);
+                                if (not match (v_si.signerInfo.digest, v_digest)) {
+                                    log("*** " & testcasename() & ": FAIL: Certificate chain is not valid ***");
+                                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+                                }
+                                // Check that the signature is valid
+                                if (false == f_verifyCertificateSignatureWithIssuingCertificate(v_chain[v_counter], v_chain[v_counter - 1])) {
+                                    log("*** " & testcasename() & ": FAIL: AT certificate signature error ***");
+                                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+                                }
+                            } // End of 'for' statement
+                            
+                            log("*** " & testcasename() & ": PASS: All certificates in the chain signed by it's issuing certs ***");
+                            f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
+                        } else {
+                            log("*** " & testcasename() & ": FAIL: The message signer info is unknown ***");
+                            f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+                        }
+                    }
+                    [] tc_ac.timeout {
+                        log("*** " & testcasename() & ": INCONC: Expected message not received ***");
+                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
+                    }
+                }
+                
+                // Postamble
+                f_poNeighbour();
+                f_cf01Down();
+                
+            } // End of testcase TC_SEC_ITSS_SND_CERT_11_02_BV
+            
+            /**
+             * @desc Check that the assurance level of the subordinate certificate is equal to or less than the assurance level of the issuing certificate
+             * <pre>
+             * Pics Selection: PICS_GN_SECURITY and PICS_CERTIFICATE_SELECTION
+             * Config Id: CF01
+             * with {
+             *   the IUT being in the 'authorized' state
+             *   the IUT being requested to include certificate chain in the next CAM
+             * } ensure that {
+             *    when {
+             *     the IUT is requested to send a CAM
+             *   } then {
+             *     the IUT sends a SecuredMessage
+             *       containing header_fields['signer_info'].signer
+             *         containing type
+             *           indicating 'certificate_chain'
+             *         containing certificates
+             *           indicating length N > 1
+             *           and containing certificates[n](0..N)
+             *             containing subject_attributes ['assurance_level']
+             *               containig assurance_level
+             *                 containing bits [5-7]
+             *                   indicating assurance level CERT_AL
+             *             and containing signer_info
+             *               containing digest
+             *                 referenced to the certificate
+             *                   containing subject_attributes ['assurance_level']
+             *                     containing assurance_level
+             *                       containing bits [5-7]
+             *                         indicating value <= CERT_AL
+             *   }
+             * }
+             * </pre>
+             * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_12_01_BV
+             * @reference   ETSI TS 103 097 [1], clause 7.4.1
+             */
+            testcase TC_SEC_ITSS_SND_CERT_12_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
+                var CertificateChain         v_chain;
+                var Certificate              v_aa_cert, v_at_cert;
+                var SubjectAttribute         v_sa;
+                var SubjectAssurance         v_aa_assurance_level, v_at_assurance_level;
+                
+                // Test control
+                if (not(PICS_GN_SECURITY)) {
+                    log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
+                    stop;
+                }
+                
+                // Test component configuration
+                f_cf01Up();
+                
+                // Test adapter configuration
+                
+                // Preamble
+                f_prNeighbour();
+                f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
+                
+                // Test Body
+                log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain  ***");
+                tc_ac.start;
+                if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
+                    log("*** " & testcasename() & ": INCONC: Expected message not received ***");
+                    f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
+                }
+                tc_ac.stop;
+                if (lengthof(v_chain) < 2) {
+                    log("*** " & testcasename() & ": FAIL: Certificate chain is too short ***");
+                    f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
+                }
+                v_aa_cert := v_chain[lengthof(v_chain) - 2];
+                v_at_cert := v_chain[lengthof(v_chain) - 1];
+                if (not f_getCertificateSubjectAttribute(v_aa_cert, e_assurance_level, v_sa)) {
+                    log("*** " & testcasename() & ": FAIL: AA certificate does not contain its_aid_list subject attribute ***");
+                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+                }
+                v_aa_assurance_level := v_sa.attribute.assurance_level;
+                
+                if (not f_getCertificateSubjectAttribute(v_at_cert, e_assurance_level, v_sa)) {
+                    log("*** " & testcasename() & ": FAIL: AA certificate does not contain its_aid_list subject attribute ***");
+                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+                }
+                v_at_assurance_level := v_sa.attribute.assurance_level;
+                
+                if (bit2int(v_aa_assurance_level.levels) < bit2int(v_at_assurance_level.levels)) {
+                    log("*** " & testcasename() & ": FAIL: The assurence levels mismatch ***");
+                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+                } else {
+                    log("*** " & testcasename() & ": PASS: The assurence levels match ***");
+                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
+                }
+                
+                // Postamble
+                f_poNeighbour();
+                f_cf01Down();
+            } // End of testcase TC_SEC_ITSS_SND_CERT_12_01_BV
+            
+            /**
+             * @desc Sending behaviour test cases for AA certificate profil
+             * @see ETSI TS 103 096-2 V1.2.2 (2016-01) Clause 5.2.7.7 AA certificate profile
+             */
+            group AA_Certificates {
+                
+                /**
+                 * @desc Check that the subject_type of the AA certificate is set to authorization_authority
+                 * <pre>
+                 * Pics Selection: PICS_GN_SECURITY
+                 * Config Id: CF01
+                 * with {
+                 *   the IUT being in the 'authorized' state
+                 *   the IUT being requested to include certificate chain in the next CAM
+                 * } ensure that {
+                 *    when {
+                 *     the IUT is requested to send a CAM
+                 *   } then {
+                 *     the IUT sends a SecuredMessage
+                 *       containing header_fields['signer_info'].signer
+                 *         containing type
+                 *           indicating 'certificate_chain'
+                 *         containing certificates[last-1]
+                 *           containing subject_info.subject_type
+                 *             indicating 'authorization_authority' (2)
+                 *   }
+                 * }
+                 * </pre>
+                 * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_AA_01_01_BV
+                 * @reference   ETSI TS 103 097 [1], clause 7.4.4
+                 */
+                testcase TC_SEC_ITSS_SND_CERT_AA_01_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
+                    var CertificateChain         v_chain;
+                    
+                    // Test control
+                    if (not(PICS_GN_SECURITY)) {
+                        log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
+                        stop;
+                    }
+                    
+                    // Test component configuration
+                    f_cf01Up();
+                    
+                    // Test adapter configuration
+                    
+                    // Preamble
+                    f_prNeighbour();
+                    f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
+                    
+                    // Test Body
+                    log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain  ***");
+                    tc_ac.start;
+                    if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
+                        log("*** " & testcasename() & ": INCONC: Expected message not received ***");
+                        f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
+                    }
+                    tc_ac.stop;
+                    if (lengthof(v_chain) < 2) {
+                        log("*** " & testcasename() & ": FAIL: Certificate chain is too short ***");
+                        f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
+                    }
+                    if (not match(v_chain[lengthof(v_chain) - 2], mw_aa_certificate)) {
+                        log("*** " & testcasename() & ": FAIL: AA certificate not found in the chain[last-1] ***");
+                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+                    }
+                    log("*** " & testcasename() & ": PASS: AA certificate was found in the chain ***");
+                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
+                    
+                    // Postamble
+                    f_poNeighbour();
+                    f_cf01Down();
+                } // End of testcase TC_SEC_ITSS_SND_CERT_AA_01_01_BV
+                
+                /**
+                 * @desc Check that the AA certificsate subject_name variable-length vector contains 32 bytes maximum
+                 * <pre>
+                 * Pics Selection: PICS_GN_SECURITY
+                 * Config Id: CF01
+                 * with {
+                 *   the IUT being in the 'authorized' state
+                 *   the IUT being requested to include certificate chain in the next CAM
+                 * } ensure that {
+                 *    when {
+                 *     the IUT is requested to send a CAM
+                 *   } then {
+                 *     the IUT sends a SecuredMessage
+                 *       containing header_fields['signer_info'].signer
+                 *         containing type
+                 *           indicating 'certificate_chain'
+                 *         containing certificates[last-1]
+                 *           containing subject_info.subject_name
+                 *             indicating length <= 32 bytes
+                 *   }
+                 * }
+                 * </pre>
+                 * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_AA_02_01_BV
+                 * @reference   ETSI TS 103 097 [1], clause 6.2
+                 */
+                testcase TC_SEC_ITSS_SND_CERT_AA_02_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
+                    var CertificateChain         v_chain;
+                    
+                    // Test control
+                    if (not(PICS_GN_SECURITY)) {
+                        log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
+                        stop;
+                    }
+                    
+                    // Test component configuration
+                    f_cf01Up();
+                    
+                    // Test adapter configuration
+                    
+                    // Preamble
+                    f_prNeighbour();
+                    f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
+                    
+                    // Test Body
+                    log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain  ***");
+                    tc_ac.start;
+                    if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
+                        log("*** " & testcasename() & ": INCONC: Expected message not received ***");
+                        f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
+                    }
+                    tc_ac.stop;
+                    if (lengthof(v_chain) < 2) {
+                        log("*** " & testcasename() & ": FAIL: Certificate chain is too short ***");
+                        f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
+                    }
+                    // Verified automatically on decoding
+                    if (lengthof(v_chain[lengthof(v_chain) - 2].subject_info.subject_name) > 32 ) {
+                        log("*** " & testcasename() & ": FAIL: Subject name of the AA certificate is too long ***");
+                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+                    }
+                    log("*** " & testcasename() & ": PASS: Subject name of the AA certificate is good ***");
+                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
+                    
+                    // Postamble
+                    f_poNeighbour();
+                    f_cf01Down();
+                } // End of testcase TC_SEC_ITSS_SND_CERT_AA_02_01_BV
+                
+                /**
+                 * @desc Check that signer_info type of AA certificates is set to 'certificate_digest_with_sha256'
+                 * <pre>
+                 * Pics Selection: PICS_GN_SECURITY
+                 * Config Id: CF01
+                 * with {
+                 *   the IUT being in the 'authorized' state
+                 *   the IUT being requested to include certificate chain in the next CAM
+                 * } ensure that {
+                 *    when {
+                 *     the IUT is requested to send a CAM
+                 *   } then {
+                 *     the IUT sends a SecuredMessage
+                 *       containing header_fields['signer_info'].signer
+                 *         containing type
+                 *           indicating 'certificate_chain'
+                 *         containing certificates[last-1]
+                 *           containing signer_info
+                 *             containing type
+                 *               indicating 'certificate_digest_with_sha256'
+                 *   }
+                 * }
+                 * </pre>
+                 * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_AA_03_01_BV
+                 * @reference   ETSI TS 103 097 [1], clause 7.4.4
+                 */
+                testcase TC_SEC_ITSS_SND_CERT_AA_03_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
+                    var CertificateChain         v_chain;
+                    var Certificate              v_aa_cert;
+                    
+                    // Test control
+                    if (not(PICS_GN_SECURITY)) {
+                        log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
+                        stop;
+                    }
+                    
+                    // Test component configuration
+                    f_cf01Up();
+                    
+                    // Test adapter configuration
+                    
+                    // Preamble
+                    f_prNeighbour();
+                    f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
+                    
+                    // Test Body
+                    log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain  ***");
+                    tc_ac.start;
+                    if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
+                        log("*** " & testcasename() & ": INCONC: Expected message not received ***");
+                        f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
+                    }
+                    tc_ac.stop;
+                    if (lengthof(v_chain) < 2) {
+                        log("*** " & testcasename() & ": FAIL: Certificate chain is too short ***");
+                        f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
+                    }
+                    v_aa_cert := v_chain[lengthof(v_chain) - 2];
+                    if (not match(v_aa_cert, mw_aa_certificate(mw_signerInfo_digest))) {
+                        log("*** " & testcasename() & ": FAIL: AA certificate not signed by digest ***");
+                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+                    }
+                    log("*** " & testcasename() & ": PASS: AA certificate is signed by digest ***");
+                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
+                    
+                    // Postamble
+                    f_poNeighbour();
+                    f_cf01Down();
+                } // End of testcase TC_SEC_ITSS_SND_CERT_AA_03_01_BV
+                
+                /**
+                 * @desc Check that AA certificate is signed by Root CA or other authority
+                 * @remark There is no clear specification that AA cert shall be signed by the Root CA only
+                 * <pre>
+                 * Pics Selection: PICS_GN_SECURITY
+                 * Config Id: CF01
+                 * with {
+                 *   the IUT being in the 'authorized' state
+                 *   the IUT being requested to include certificate in the next CAM
+                 * } ensure that {
+                 *    when {
+                 *     the IUT is requested to send a CAM
+                 *   } then {
+                 *     the IUT sends a SecuredMessage
+                 *       containing header_fields['signer_info'].signer
+                 *         containing type
+                 *           indicating 'certificate_chain'
+                 *         containing certificates
+                 *           containing certificates[last-1]
+                 *             containing signer_info
+                 *               containing type
+                 *                 indicating 'certificate_digest_with_ecdsap256'
+                 *               and containing digest
+                 *                 referencing to the trusted certificate
+                 *                   containing subject_info.subject_type
+                 *                     indicating 'root_ca'
+                 *                     or indicating 'authorisation_authority'
+                 *   }
+                 * }
+                 * </pre>
+                 * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_AA_04_01_BV
+                 * @reference   ETSI TS 103 097 [1], clauses 6.3
+                 */
+                testcase TC_SEC_ITSS_SND_CERT_AA_04_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
+                    var CertificateChain    v_chain;
+                    var Certificate         v_aa_cert, v_ca_cert;
+                    var SignerInfo          v_si;
+                    var HashedId8           v_ca_digest;
+                    
+                    // Test control
+                    if (not(PICS_GN_SECURITY)) {
+                        log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
+                        stop;
+                    }
+                    
+                    // Test component configuration
+                    f_cf01Up();
+                    
+                    // Test adapter configuration
+                    
+                    // Preamble
+                    f_prNeighbour();
+                    f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
+                    
+                    // Test Body
+                    log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain  ***");
+                    tc_ac.start;
+                    if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
+                        log("*** " & testcasename() & ": INCONC: Expected message not received ***");
+                        f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
+                    }
+                    tc_ac.stop;
+                    v_aa_cert := v_chain[lengthof(v_chain) - 2];
+                    // Process signerInfo field
+                    if ( true != f_getCertificateSignerInfo(v_aa_cert, v_si)) {
+                        log("*** " & testcasename() & ": FAIL: AA certificate must contain SignerInfo fields ***");
+                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+                    }
+                    if (v_si.type_ == e_certificate_digest_with_sha256) {
+                        log("*** " & testcasename() & ": FAIL: AA certificate must contain SignerInfo field containing a certificate_digest_with_ecdsap256 ***");
+                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+                    }
+                    
+                    f_readCertificate(cc_taCert_CA, v_ca_cert);
+                    v_ca_digest := f_calculateDigestFromCertificate(v_ca_cert); 
+                    
+                    if (not match(v_aa_cert, mw_aa_certificate(mw_signerInfo_digest(v_ca_digest)))) {
+                        log("*** " & testcasename() & ": FAIL: AA certificate signer info doesn't reference the CA certificate from the chain ***");
+                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+                    }
+                    
+                    if (not f_verifyCertificateSignatureWithIssuingCertificate(v_aa_cert, v_ca_cert)) {
+                        log("*** " & testcasename() & ": FAIL: AT certificate signature verification failed ***");
+                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+                    }
+                    
+                    log("*** " & testcasename() & ": PASS: AA certificate was signed by the CA certificate from the given chain ***");
+                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
+                    
+                    // Postamble
+                    f_poNeighbour();
+                    f_cf01Down();
+                } // End of testcase TC_SEC_ITSS_SND_CERT_AA_04_01_BV
+                
+                /**
+                 * @desc Check that all neccesary subject attributes are present and arranged in accesing order
+                 * <pre>
+                 * Pics Selection: PICS_GN_SECURITY
+                 * Config Id: CF01
+                 * with {
+                 *   the IUT being in the 'authorized' state
+                 *   the IUT being requested to include certificate chain in the next CAM
+                 * } ensure that {
+                 *    when {
+                 *     the IUT is requested to send a CAM
+                 *   } then {
+                 *     the IUT sends a SecuredMessage
+                 *       containing header_fields['signer_info'].signer
+                 *         containing type
+                 *           indicating 'certificate_chain'
+                 *         containing certificates[last-1]
+                 *           containing subject_attributes [0..N]
+                 *             indicating subject_attributes[n].type < subject_attributes[n+ 1].type
+                 *             containing subject_attributes['verification_key']
+                 *             containing subject_attributes['assurance_level']
+                 *             containing subject_attributes['its_aid_list']
+                 *   }
+                 * }
+                 * </pre>
+                 * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_AA_05_01_BV
+                 * @reference   ETSI TS 103 097 [1], clauses 6.1, 7.4.1 and 7.4.4
+                 */
+                testcase TC_SEC_ITSS_SND_CERT_AA_05_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
+                    var CertificateChain         v_chain;
+                    var SubjectAttributes        v_attrs;
+                    
+                    // Test control
+                    if (not(PICS_GN_SECURITY)) {
+                        log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
+                        stop;
+                    }
+                    
+                    // Test component configuration
+                    f_cf01Up();
+                    
+                    // Test adapter configuration
+                    
+                    // Preamble
+                    f_prNeighbour();
+                    f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
+                    
+                    // Test Body
+                    log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain  ***");
+                    tc_ac.start;
+                    if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
+                        log("*** " & testcasename() & ": INCONC: Expected message not received ***");
+                        f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
+                    }
+                    tc_ac.stop;
+                    if (lengthof(v_chain) < 2) {
+                        log("*** " & testcasename() & ": FAIL: Certificate chain is too short ***");
+                        f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
+                    }
+                    if (not match(v_chain[lengthof(v_chain) - 2], 
+                                 mw_aa_certificate(?,
+                                        superset(mw_subject_attribute_verification_key,
+                                                 mw_subject_attribute_assurance_level,
+                                                 mw_subject_attribute_its_aid_list)))
+                     ) {
+                        log("*** " & testcasename() & ": FAIL: Required subject attribute of AA certificate is not found ***");
+                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+                    }
+                    
+                    v_attrs := v_chain[lengthof(v_chain) - 2].subject_attributes;
+                    for (var integer v_counter := 1; v_counter < lengthof(v_attrs); v_counter := v_counter + 1 ) {
+                        if (v_attrs[v_counter].type_ <= v_attrs[v_counter-1].type_) {
+                            log("*** " & testcasename() & ": FAIL: AA certificate subject attributes are not arranged in accening order ***");
+                            f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+                        }
+                    }
+                    
+                    log("*** " & testcasename() & ": PASS: All required AA certificate subject attributes are presents ***");
+                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
+                    
+                    // Postamble
+                    f_poNeighbour();
+                    f_cf01Down();
+                } // End of testcase TC_SEC_ITSS_SND_CERT_AA_05_01_BV
+                
+                /**
+                 * @desc Check that all AIDs containing in the its_aid_list in AA certificate are unique
+                 *       Check that AID list contains not more then 31 items
+                 * <pre>
+                 * Pics Selection: PICS_GN_SECURITY
+                 * Config Id: CF01
+                 * with {
+                 *   the IUT being in the 'authorized' state
+                 *   the IUT being requested to include certificate chain in the next CAM
+                 * } ensure that {
+                 *    when {
+                 *     the IUT is requested to send a CAM
+                 *   } then {
+                 *     the IUT sends a SecuredMessage
+                 *       containing header_fields['signer_info'].signer
+                 *         containing type
+                 *           indicating 'certificate_chain'
+                 *         containing certificates[last-1]
+                 *           containing subject_attributes['its_aid_list']
+                 *             containing its_aid_list[0..N]
+                 *               containing no more then 31 unique item
+                 *   }
+                 * }
+                 * </pre>
+                 * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_AA_08_01_BV
+                 * @reference   ETSI TS 103 097 [1], clauses 7.4.4
+                 */
+                testcase TC_SEC_ITSS_SND_CERT_AA_08_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
+                    var CertificateChain         v_chain;
+                    var Certificate              v_aa_cert;
+                    var SubjectAttribute         v_sa;
+                    
+                    // Test control
+                    if (not(PICS_GN_SECURITY)) {
+                        log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
+                        stop;
+                    }
+                    
+                    // Test component configuration
+                    f_cf01Up();
+                    
+                    // Test adapter configuration
+                    
+                    // Preamble
+                    f_prNeighbour();
+                    f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
+                    
+                    // Test Body
+                    log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain  ***");
+                    tc_ac.start;
+                    if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
+                        log("*** " & testcasename() & ": INCONC: Expected message not received ***");
+                        f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
+                    }
+                    tc_ac.stop;
+                    if (lengthof(v_chain) < 2) {
+                        log("*** " & testcasename() & ": FAIL: Certificate chain is too short ***");
+                        f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
+                    }
+                    v_aa_cert := v_chain[lengthof(v_chain) - 2];
+                    if (f_getCertificateSubjectAttribute(v_aa_cert, e_its_aid_list, v_sa)) {
+                        
+                        if (lengthof(v_sa.attribute.its_aid_list) > 31) {
+                            log("*** " & testcasename() & ": FAIL: ITS-AID list contains " & int2str(lengthof(v_sa.attribute.its_aid_list)) & " items (>31) ***");
+                            f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+                        }
+                        
+                        for (var integer v_counter :=0; v_counter < lengthof(v_sa.attribute.its_aid_list); v_counter := v_counter + 1) {
+                            for (var integer j :=0; j < lengthof(v_sa.attribute.its_aid_list); j := j + 1) {
+                                if (v_counter != j and v_sa.attribute.its_aid_list[v_counter] == v_sa.attribute.its_aid_list[j]) {
+                                    log("*** " & testcasename() & ": FAIL: ITS-AID " & int2str(v_sa.attribute.its_aid_list[j]) & " is duplicated in AA certificate ***");
+                                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+                                }
+                            }
+                        } // End of 'for' statement
+                    } else {
+                        log("*** " & testcasename() & ": FAIL: AA certificate does not contain its_aid_list subject attribute ***");
+                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+                    }
+                    
+                    log("*** " & testcasename() & ": PASS: Time validity restriction of the AA certificate is good ***");
+                    f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
+                    
+                    // Postamble
+                    f_poNeighbour();
+                    f_cf01Down();
+                } // End of testcase TC_SEC_ITSS_SND_CERT_AA_08_01_BV
+                
+                /**
+                 * @desc Check that all mandatory validity restrictions are present and arranged in ascending order
+                 * <pre>
+                 * Pics Selection: PICS_GN_SECURITY
+                 * Config Id: CF01
+                 * with {
+                 *   the IUT being in the 'authorized' state
+                 *   the IUT being requested to include certificate chain in the next CAM
+                 * } ensure that {
+                 *    when {
+                 *     the IUT is requested to send a CAM
+                 *   } then {
+                 *     the IUT sends a SecuredMessage
+                 *       containing header_fields['signer_info'].signer
+                 *           containing type
+                 *               indicating 'certificate_chain'
+                 *           and containing certificates
+                 *               containing certificates[last-1]
+                 *                   containing validity_restrictions[0..N]
+                 *                       indicating validity_restrictions[n].type < validity_restrictions[n+1].type
+                 *                       and containing validity_restrictions['time_start_and_end']
+                 *                       and not containing validity_restrictions['time_end']
+                 *                       and not containing validity_restrictions['time_start_and_duration']
+                 *   }
+                 * }
+                 * </pre>
+                 * @see         ETSI TS 103 096-2 v1.3.2 TP_SEC_ITSS_SND_CERT_AA_10_01_BV
+                 * @reference   ETSI TS 103 097 [1], clauses 6.1, 6.7 and 7.4.1
+                 */
+                testcase TC_SEC_ITSS_SND_CERT_AA_10_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
+                    
+                    // Local variables
+                    var CertificateChain v_chain;
+                    var Certificate v_cert;
+                    var integer v_previousValidityRestrictionType;
+                    
+                    // Test control
+                    if (not(PICS_GN_SECURITY)) {
+                        log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
+                        stop;
+                    }
+                    
+                    // Test component configuration
+                    f_cf01Up();
+                    
+                    // Test adapter configuration
+                    
+                    // Preamble
+                    f_prNeighbour();
+                    f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
+                    
+                    log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain  ***");
+                    tc_ac.start;
+                    if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
+                        log("*** " & testcasename() & ": INCONC: Expected message not received ***");
+                        f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
+                    }
+                    tc_ac.stop;
+                    
+                    // Test Body
+                    // Process certificate[last - 1]
+                    v_cert := v_chain[lengthof(v_chain) - 2];
+                    if (match(
+                              v_cert.validity_restrictions, 
+                                  superset(
+                                      mw_validity_restriction_time_end,
+                                      mw_validity_restriction_time_start_and_duration
+                                  )
+                    )) {
+                        log("*** " & testcasename() & ": FAIL: certificate[last-2] must not contain time_end and time_start_and_duration restrictions ***");
+                        f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+                    }
+                    
+                    for (var integer v_counter := 1; v_counter < lengthof(v_cert.validity_restrictions); v_counter := v_counter + 1) {
+                        // Check forbidden header
+                        if (v_cert.validity_restrictions[v_counter].type_ != e_time_start_and_end) { // FIXME To be reviewed