Newer
Older
// Prepare next loop
v_counter := v_counter - 1;
} // End of 'while' statement
if (v_result_status == e_success) {
log("*** " & testcasename() & ": PASS: All certificates has a valid identified region restrictions ***");
}
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, v_result_status);
// Postamble
f_poNeighbour();
f_cf01Down();
6015
6016
6017
6018
6019
6020
6021
6022
6023
6024
6025
6026
6027
6028
6029
6030
6031
6032
6033
6034
6035
6036
6037
6038
6039
6040
6041
6042
6043
6044
6045
6046
6047
6048
6049
6050
6051
6052
6053
6054
6055
6056
6057
6058
6059
6060
6061
6062
6063
6064
6065
6066
6067
6068
6069
6070
6071
6072
/**
* @desc Check that the region of the subordinate certificate validity restriction is inside the region of the issuing certificate validity restriction
* <pre>
* Pics Selection: PICS_GN_SECURITY and PICS_USE_IDENTIFIED_REGION
* Config Id: CF01
* with {
* the IUT being in the 'authorized' state
* the IUT being requested to include certificate chain in the next CAM
* the IUT being requested to include certificate chain in the next CAM
* } ensure that {
* when {
* the IUT is requested to send a CAM
* } then {
* the IUT sends a SecuredMessage
* containing header_fields['signer_info'].signer
* containing type
* indicating 'certificate_chain'
* and containing certificates
* indicating length N > 1
* and containing certificates[n] (0..N)
* indicating certificate
* containing validity_restrictions['region']
* containing region.region_type
* indicated 'id'
* and containing id_region
* containing region_dictionary
* indicating 'iso_3166_1'
* or indicating 'un_stat'
* and containing region_identifier (X_CERT_REGION_ID)
* indicating valid value according to 'iso_3166_1' or 'un_stat'
* and containing local_region (X_CERT_LOCAL_REGION)
* and containing signer_info
* containing digest
* referenced to the certificate
* containing validity_restrictions['region']
* containing region
* indicated 'id'
* and containing id_region
* containing region_dictionary
* indicating 'iso_3166_1'
* or indicating 'un_stat'
* and containing region_identifier
* indicating value == X_CERT_REGION_ID
* and containing local_region
* indicating value == X_CERT_LOCAL_REGION
* or indicating 0
* or containing id_region
* containing region_dictionary
* indicating 'un_stats'
* and containing region_identifier
* indicating region fully covering the X_CERT_REGION
* }
* }
* </pre>
* @see ETSI TS 103 096-2 v1.2.2 TP_SEC_ITSS_SND_CERT_07_02_BV
* @reference ETSI TS 103 097 [1], clause 4.2.25, 4.2.26 and 7.4.1
*/
testcase TC_SEC_ITSS_SND_CERT_07_02_BV() runs on ItsGeoNetworking system ItsSecSystem {
6074
6075
6076
6077
6078
6079
6080
6081
6082
6083
6084
6085
6086
6087
6088
6089
6090
6091
6092
6093
6094
6095
6096
6097
6098
6099
6100
6101
6102
6103
6104
6105
6106
6107
6108
6109
6110
6111
6112
6113
6114
6115
6116
6117
6118
6119
6120
6121
6122
6123
6124
6125
6126
6127
6128
6129
6130
6131
6132
6133
6134
6135
6136
6137
6138
6139
6140
6141
6142
6143
6144
6145
6146
6147
6148
6149
6150
6151
6152
6153
6154
6155
6156
6157
var CertificateChain v_chain;
var Certificate v_cert, v_cert_issuer;
var SignerInfo v_si;
var UInt8 v_counter;
var HashedId8 v_digest;
var CertificatesCaching v_certificatesCaching;
var FncRetCode v_result_status := e_success;
// Test control
if (not(PICS_GN_SECURITY) or not(PICS_USE_IDENTIFIED_REGION)) {
log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY and PICS_USE_IDENTIFIED_REGION' required for executing the TC ***");
stop;
}
// Test component configuration
// vc_hashedId8ToBeUsed := cc_iutCert_E;
f_cf01Up();
// Test adapter configuration
// Preamble
f_prNeighbour();
log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain ***");
tc_ac.start;
if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
} else {
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
// Test Body
// 1. Create a cache of certificates
f_createCertificatesCaching(v_chain, v_certificatesCaching);
// 2. Process the certificates
v_counter := f_getCertificatesCachingItemSize(v_certificatesCaching) - 1;
while (v_counter != 0) {
// Get the first certificate
if (f_getCertificatesCachingItem(v_certificatesCaching, v_counter, v_cert) == false) {
v_result_status := e_error;
break;
}
// Retrive SigneInfo field
if (not f_getCertificateSignerInfo(v_cert, v_si)) {
log("*** " & testcasename() & ": FAIL: Certificate " & int2str(v_counter) & " doesn't have a signer info ***");
v_result_status := e_error;
break;
}
if (not match (v_si.type_, e_certificate_digest_with_sha256)) {
log("*** " & testcasename() & ": FAIL: Certificate is not signed with digest ***");
v_result_status := e_error;
break;
}
// Get issuer
if (f_getCertificateFromCaching(v_certificatesCaching, v_si.signerInfo.digest, v_cert_issuer) == false) {
log("*** " & testcasename() & ": FAIL: Certificate is not signed with digest ***");
v_result_status := e_error;
break;
}
// Check that cert is signed by issuing cert
v_digest := f_calculateDigestFromCertificate(v_cert_issuer);
if (not match (v_si.signerInfo.digest, v_si.signerInfo.digest)) {
log("*** " & testcasename() & ": FAIL: Certificate chain is not valid ***");
v_result_status := e_error;
break;
}
// Check that the region of the subordinate certificate validity restriction is inside the region of the issuing certificate validity restriction
if (f_checkRegionValidityRestiction(v_cert, v_cert_issuer) == false) {
v_result_status := e_error;
break;
}
// Prepare next loop
v_counter := v_counter - 1;
} // End of 'while' statement
if (v_result_status == e_success) {
log("*** " & testcasename() & ": PASS: All certificates has a valid identified region restrictions ***");
}
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, v_result_status);
// Postamble
f_poNeighbour();
f_cf01Down();
6159
6160
6161
6162
6163
6164
6165
6166
6167
6168
6169
6170
6171
6172
6173
6174
6175
6176
6177
6178
6179
6180
6181
6182
6183
6184
6185
6186
6187
6188
6189
6190
6191
6192
6193
6194
6195
6196
6197
6198
6199
6200
6201
6202
6203
6204
6205
6206
6207
/**
* @desc Check that time_start_and_end is included in the AA certificate validation restrictions
* Check that end_validity is later then start_validity
* Check that validity restriction of AA certificate is inside the validity restriction of its issuing certificate
* <pre>
* Pics Selection: PICS_GN_SECURITY
* Config Id: CF01
* with {
* the IUT being in the 'authorized' state
* the IUT being requested to include certificate chain in the next CAM
* } ensure that {
* when {
* the IUT is requested to send a CAM
* } then {
* the IUT sends a SecuredMessage
* containing header_fields['signer_info'].signer
* containing type
* indicating certificate_chain
* containing certificates
* containing certificates[last-1]
* containing validity_restrictions
* containing validity_restrictions['time_start_and_end']
* containing start_validity
* indicating START_AA_VALIDITY
* containing end_validity
* indicating END_AA_VALIDITY >= START_AA_VALIDITY
* and containing signer_info
* containing digest
* referenced to the trusted certificate
* containing validity_restrictions['time_end']
* containing end_validity
* indicating value > AA_END_VALIDITY
* or containing validity_restrictions['time_start_and_end']
* containing start_validity
* indicating value <= AA_START_VALIDITY
* and containing end_validity
* indicating value > AA_END_VALIDITY
* or containing validity_restrictions['time_start_and_duration']
* containing start_validity
* indicating X_START_VALIDITY <= AA_START_VALIDITY
* and containing duration
* indicating value > AA_END_VALIDITY - X_START_VALIDITY
* }
* }
* </pre>
* @see ETSI TS 103 096-2 v1.2.2 TP_SEC_ITSS_SND_CERT_08_01_BV
* @reference ETSI TS 103 097 [1], clauses 7.4.4
*/
testcase TC_SEC_ITSS_SND_CERT_08_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
6209
6210
6211
6212
6213
6214
6215
6216
6217
6218
6219
6220
6221
6222
6223
6224
6225
6226
6227
6228
6229
6230
6231
6232
6233
6234
6235
6236
6237
6238
6239
6240
6241
6242
6243
6244
6245
6246
6247
6248
6249
6250
6251
6252
6253
6254
6255
6256
6257
6258
6259
6260
6261
6262
6263
6264
6265
6266
6267
6268
6269
6270
6271
6272
6273
6274
6275
6276
6277
6278
6279
6280
6281
6282
6283
6284
6285
6286
6287
6288
6289
6290
6291
6292
6293
6294
6295
6296
6297
6298
6299
6300
6301
6302
6303
var CertificateChain v_chain;
var Certificate v_aa_cert;
var ValidityRestriction v_vr;
var SignerInfo v_si;
var Time64 v_generationTime;
var Time64 v_curTime;
var Time64 v_startTime, v_endTime, v_duration;
// Test control
if (not(PICS_GN_SECURITY)) {
log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
stop;
}
// Test component configuration
f_cf01Up();
// Test adapter configuration
// Preamble
f_prNeighbour();
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain ***");
tc_ac.start;
if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
}
tc_ac.stop;
if (lengthof(v_chain) < 2) {
log("*** " & testcasename() & ": FAIL: Certificate chain is too short ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
}
v_aa_cert := v_chain[lengthof(v_chain) - 1];
if (match (v_aa_cert.validity_restrictions, (superset(mw_validity_restriction_time_end,
mw_validity_restriction_time_start_and_duration)))
) {
log("*** " & testcasename() & ": FAIL: AA certificate must not contain time_end and time_start_and_duration restrictions ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
if ( true != f_getCertificateValidityRestriction(v_aa_cert, e_time_start_and_end, v_vr)) {
log("*** " & testcasename() & ": FAIL: AA certificate must contain time_start_and_end restrictions ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
if (v_vr.validity.time_start_and_end.start_validity > v_vr.validity.time_start_and_end.end_validity ) {
log("*** " & testcasename() & ": FAIL: start validity mus not be greater then end validity in the validity restrictions of AA certificate ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
// Process signerInfo field
if ( true != f_getCertificateSignerInfo(v_aa_cert, v_si)) {
log("*** " & testcasename() & ": FAIL: AA certificate must contain SignerInfo fields ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
if (v_si.type_ == e_certificate) {
log("*** " & testcasename() & ": FAIL: AA certificate must contain SignerInfo field containing a certificate ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
for (var integer v_counter := 0; v_counter < lengthof(v_si.signerInfo.certificate.validity_restrictions); v_counter := v_counter + 1) {
if (v_si.signerInfo.certificate.validity_restrictions[v_counter].type_ == e_time_end) {
v_endTime := v_si.signerInfo.certificate.validity_restrictions[v_counter].validity.end_validity * 1000000;
if (not match(v_generationTime, Time64:(0 .. v_endTime))){
log("*** " & testcasename() & ": FAIL: DENM generation time is not inside the validity of the certificate");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
} else if (v_si.signerInfo.certificate.validity_restrictions[v_counter].type_ == e_time_start_and_end) {
v_endTime := v_si.signerInfo.certificate.validity_restrictions[v_counter].validity.time_start_and_end.end_validity * 1000000;
v_startTime := v_si.signerInfo.certificate.validity_restrictions[v_counter].validity.time_start_and_end.start_validity * 1000000;
if (not match(v_generationTime, Time64:(v_startTime .. v_endTime))){
log("*** " & testcasename() & ": FAIL: DENM generation time is not inside the validity of the certificate");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
} else if (v_si.signerInfo.certificate.validity_restrictions[v_counter].type_ == e_time_start_and_duration) {
v_startTime := v_si.signerInfo.certificate.validity_restrictions[v_counter].validity.time_start_and_duration.start_validity * 1000000;
v_duration := f_duration2time(v_si.signerInfo.certificate.validity_restrictions[v_counter].validity.time_start_and_duration.duration_) * 1000000;
if (not match(v_generationTime, Time64:(v_startTime .. v_duration))){
log("*** " & testcasename() & ": FAIL: DENM generation time is not inside the validity of the certificate");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
} else {
log("*** " & testcasename() & ": FAIL: Mal-formed the certificate");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
} // End of 'for' statement
log("*** " & testcasename() & ": PASS: Time validity restriction of the AA certificate is good ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
// Postamble
f_poNeighbour();
f_cf01Down();
/**
* @desc Check that the certificate signature contains ECC point of type set to either compressed_lsb_y_0, compressed_lsb_y_1
* or x_coordinate_only
* Pics Selection: PICS_GN_SECURITY
* Config Id: CF01
* Initial conditions:
* with {
* the IUT being in the 'authorized' state
* the IUT being requested to include certificate in the next CAM
* }
* Expected Behaviour:
* ensure that {
* when {
* the IUT is requested to send a CAM
* } then {
* the IUT sends a SecuredMessage
* containing header_fields['signer_info'].signer {
* containing type
* indicating certificate
* containing certificate {
* containing signature.ecdsa_signature
* containing R.type
* indicating compressed_lsb_y_0
* or indicating compressed_lsb_y_1
* or indicating x_coordinate_only
* }
* @see ETSI TS 103 096-2 v1.2.2 TP_SEC_ITSS_SND_CERT_09_01_BV
testcase TC_SEC_ITSS_SND_CERT_09_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
if (not(PICS_GN_SECURITY)) {
log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
stop;
}
// Test adapter configuration
// Preamble
f_prNeighbour();
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
6358
6359
6360
6361
6362
6363
6364
6365
6366
6367
6368
6369
6370
6371
6372
6373
6374
6375
6376
6377
6378
6379
6380
6381
6382
6383
6384
6385
6386
6387
6388
6389
6390
6391
6392
6393
6394
6395
6396
6397
6398
6399
6400
6401
6402
6403
6404
6405
6406
6407
6408
6409
6410
6411
6412
6413
6414
6415
6416
6417
6418
6419
6420
6421
6422
6423
6424
6425
6426
6427
6428
6429
6430
tc_ac.start;
alt {
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mdw_securedMessage(
superset(
mw_header_field_signer_info_certificate(
mw_at_certificate(
?,
?,
?,
mw_signature(
mw_ecdsaSignature(
mw_eccPointecdsa_nistp256_with_sha256_y0_coordinate_only
))))))))) {
tc_ac.stop;
log("*** " & testcasename() & ": PASS: AT certificate contains signature with the ECC point of type set to compressed_lsb_y_0 received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mdw_securedMessage(
superset(
mw_header_field_signer_info_certificate(
mw_at_certificate(
?,
?,
?,
mw_signature(
mw_ecdsaSignature(
mw_eccPointecdsa_nistp256_with_sha256_y1_coordinate_only
))))))))) {
tc_ac.stop;
log("*** " & testcasename() & ": PASS: AT certificate contains signature with the ECC point of type set to compressed_lsb_y_1 received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mdw_securedMessage(
superset(
mw_header_field_signer_info_certificate(
mw_at_certificate(
?,
?,
?,
mw_signature(
mw_ecdsaSignature(
mw_eccPointecdsa_nistp256_with_sha256_x_coordinate_only
))))))))) {
tc_ac.stop;
log("*** " & testcasename() & ": PASS: AT certificate contains signature with the ECC point of type set to x_coordinate_only received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mdw_securedMessage(
superset(
mw_header_field_signer_info_certificate(
mw_at_certificate
)))))) {
tc_ac.stop;
log("*** " & testcasename() & ": FAIL: AT certificate signature mismatch ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_poNeighbour();
f_cf01Down();
* @desc Check that the all certificates in a chain have signatures contains ECC point of type set to either compressed_lsb_y_0, compressed_lsb_y_1
* or x_coordinate_only
* Pics Selection: PICS_GN_SECURITY
* Config Id: CF01
* Initial conditions:
* the IUT being requested to include certificate in the next CAM
* }
* Expected Behaviour:
* ensure that {
* when {
* the IUT is requested to send a CAM
* } then {
* the IUT sends a SecuredMessage
* containing header_fields['signer_info'].signer
* containing type
* indicating 'certificate_chain'
* containing certificates
* indicating length N > 1
* and indicating certificates[n] (0..N)
* containing signature.ecdsa_signature
* containing R.type
* indicating compressed_lsb_y_0
* or indicating compressed_lsb_y_1
* or indicating x_coordinate_only
* @see ETSI TS 103 096-2 v1.2.2 TP_SEC_ITSS_SND_CERT_09_02_BV
* @reference ETSI TS 103 097 [1], clause 4.2.9
testcase TC_SEC_ITSS_SND_CERT_09_02_BV() runs on ItsGeoNetworking system ItsSecSystem {
// Local variables
var GeoNetworkingInd v_geoNwInd;
var SignerInfo v_si;
var CertificateChain v_chain;
var integer v_counter;
if (not(PICS_GN_SECURITY)) {
log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
stop;
}
// Test adapter configuration
// Preamble
f_prNeighbour();
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mdw_securedMessage(
superset(
mw_header_field_signer_info_certificate_chain
))))) -> value v_geoNwInd {
6505
6506
6507
6508
6509
6510
6511
6512
6513
6514
6515
6516
6517
6518
6519
6520
6521
6522
6523
6524
6525
6526
6527
6528
6529
6530
6531
6532
6533
6534
// Check certificate chain
if (f_getMsgSignerInfo(f_getSecuredMessage(v_geoNwInd.msgIn), v_si)) {
v_chain := v_si.signerInfo.certificates;
for (v_counter := lengthof(v_chain) - 1; v_counter > 0; v_counter := v_counter - 1 ) {
if (v_chain[v_counter].signature_.algorithm != e_ecdsa_nistp256_with_sha256) {
log("*** " & testcasename() & ": FAIL: Wrong signature algorithm ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
} else if (
(v_chain[v_counter].signature_.signature_.ecdsa_signature.r.type_ != e_x_coordinate_only) and
(v_chain[v_counter].signature_.signature_.ecdsa_signature.r.type_ != e_compressed_lsb_y_0) and
(v_chain[v_counter].signature_.signature_.ecdsa_signature.r.type_ != e_compressed_lsb_y_1)
) {
log("*** " & testcasename() & ": FAIL: Wrong ECDSA R type ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
}
} // End of 'for' statement
}
log("*** " & testcasename() & ": PASS: All certificates in a chain have the correct signature type ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_poNeighbour();
f_cf01Down();
6536
6537
6538
6539
6540
6541
6542
6543
6544
6545
6546
6547
6548
6549
6550
6551
6552
6553
6554
6555
6556
6557
6558
6559
6560
6561
6562
6563
6564
6565
6566
6567
6568
/**
* @desc Check that the certificate verification key contains ECC point of type set to either compressed_lsb_y_0, compressed_lsb_y_1
* or uncompressed
* <pre>
* Pics Selection: PICS_GN_SECURITY
* Config Id: CF01
* Initial conditions:
* with {
* the IUT being in the 'authorized' state
* the IUT being requested to include certificate in the next CAM
* }
* Expected Behaviour:
* ensure that {
* when {
* the IUT is requested to send a CAM
* } then {
* the IUT sends a SecuredMessage
* containing header_fields['signer_info'].signer
* containing type
* indicating certificate
* containing certificate
* containing subject_attributes['verification_key']
* containing key.public_key.type
* indicating compressed_lsb_y_0
* or indicating compressed_lsb_y_1
* or indicating x_coordinate_only
* }
* }
* </pre>
* @see ETSI TS 103 096-2 v1.2.2 TP_SEC_ITSS_SND_CERT_10_01_BV
* @reference ETSI TS 103 097 [1], clause 4.2.4
*/
testcase TC_SEC_ITSS_SND_CERT_10_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
6570
6571
6572
6573
6574
6575
6576
6577
6578
6579
6580
6581
6582
6583
6584
6585
6586
6587
6588
6589
6590
6591
6592
6593
6594
6595
6596
6597
6598
6599
6600
6601
6602
6603
6604
6605
6606
6607
6608
6609
6610
6611
// Test control
if (not(PICS_GN_SECURITY)) {
log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
stop;
}
// Test component configuration
f_cf01Up();
// Test adapter configuration
// Preamble
f_prNeighbour();
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mdw_securedMessage(
superset(
mw_header_field_signer_info_certificate(
mw_at_certificate(
?,
superset(
mw_subject_attribute_verification_key(
mw_publicKey_eccPoint_compressed_lsb_y_0
)
),
?,
mw_signature
))))))) {
tc_ac.stop;
log("*** " & testcasename() & ": PASS: AT certificate contains verification key with the ECC point of type set to compressed_lsb_y_0 received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mdw_securedMessage(
superset(
mw_header_field_signer_info_certificate(
mw_at_certificate(
?,
superset(
mw_subject_attribute_verification_key(
mw_publicKey_eccPoint_compressed_lsb_y_1
)
),
?,
log("*** " & testcasename() & ": PASS: AT certificate contains verification key with the ECC point of type set to compressed_lsb_y_1 received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mdw_securedMessage(
superset(
mw_header_field_signer_info_certificate(
mw_at_certificate(
?,
superset(
mw_subject_attribute_verification_key(
mw_publicKey_eccPoint_uncompressed
)
),
?,
log("*** " & testcasename() & ": PASS: AT certificate contains verification key with the ECC point of type set to uncompressed received ***");
6647
6648
6649
6650
6651
6652
6653
6654
6655
6656
6657
6658
6659
6660
6661
6662
6663
6664
6665
6666
6667
6668
6669
6670
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mdw_securedMessage(
superset(
mw_header_field_signer_info_certificate(
mw_at_certificate
)))))) {
tc_ac.stop;
log("*** " & testcasename() & ": FAIL: AT certificate signature mismatch ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_poNeighbour();
f_cf01Down();
6672
6673
6674
6675
6676
6677
6678
6679
6680
6681
6682
6683
6684
6685
6686
6687
6688
6689
6690
6691
6692
6693
6694
6695
6696
6697
6698
6699
6700
6701
6702
6703
6704
6705
6706
/**
* @desc Check that all certificate in a chain have verification keys contains ECC point of type set to either compressed_lsb_y_0, compressed_lsb_y_1
* or uncompressed
* <pre>
* Pics Selection: PICS_GN_SECURITY
* Config Id: CF01
* Initial conditions:
* with {
* the IUT being in the 'authorized' state
* the IUT being requested to include certificate in the next CAM
* }
* Expected Behaviour:
* ensure that {
* when {
* the IUT is requested to send a CAM
* } then {
* the IUT sends a SecuredMessage
* containing header_fields['signer_info'].signer
* containing type
* indicating 'certificate_chain'
* containing certificates
* indicating length N > 1
* and indicating certificates[n] (0..N)
* containing signature.ecdsa_signature
* containing subject_attributes['verification_key']
* indicating compressed_lsb_y_0
* or indicating compressed_lsb_y_1
* or indicating uncompressed
* }
* }
* </pre>
* @see ETSI TS 103 096-2 v1.2.2 TP_SEC_ITSS_SND_CERT_10_02_BV
* @reference ETSI TS 103 097 [1], clause 4.2.4
*/
testcase TC_SEC_ITSS_SND_CERT_10_02_BV() runs on ItsGeoNetworking system ItsSecSystem {
6708
6709
6710
6711
6712
6713
6714
6715
6716
6717
6718
6719
6720
6721
6722
6723
6724
6725
6726
6727
6728
6729
6730
6731
6732
6733
6734
6735
6736
6737
6738
6739
6740
6741
6742
6743
6744
6745
6746
6747
6748
6749
6750
6751
6752
6753
6754
6755
6756
6757
6758
6759
6760
6761
6762
6763
6764
6765
6766
// Local variables
var GeoNetworkingInd v_geoNwInd;
var SignerInfo v_si;
var CertificateChain v_chain;
var integer v_counter;
// Test control
if (not(PICS_GN_SECURITY)) {
log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
stop;
}
// Test component configuration
f_cf01Up();
// Test adapter configuration
// Preamble
f_prNeighbour();
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mdw_securedMessage(
superset(
mw_header_field_signer_info_certificate_chain
))))) {
tc_ac.stop;
// Check certificate chain
if (f_getMsgSignerInfo(f_getSecuredMessage(v_geoNwInd.msgIn), v_si)) {
v_chain := v_si.signerInfo.certificates;
for (v_counter := lengthof(v_chain) - 1; v_counter > 0; v_counter := v_counter - 1 ) {
if (
(not match(v_chain[v_counter], mw_certificate(?, ?, superset(mw_subject_attribute_verification_key(mw_publicKey_eccPoint_compressed_lsb_y_0))))) and
(not match(v_chain[v_counter], mw_certificate(?, ?, superset(mw_subject_attribute_verification_key(mw_publicKey_eccPoint_compressed_lsb_y_1))))) and
(not match(v_chain[v_counter], mw_certificate(?, ?, superset(mw_subject_attribute_verification_key(mw_publicKey_eccPoint_uncompressed)))))
) {
log("*** " & testcasename() & ": FAIL: Wrong verification key algorithm ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
}
} // End of 'for' statement
}
log("*** " & testcasename() & ": PASS: All certificates in a chain have the correct verification key ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_poNeighbour();
f_cf01Down();
/**
* @desc Check the certificate signature
* <pre>
* Pics Selection: PICS_GN_SECURITY
* Config Id: CF01
* Initial conditions:
* with {
* the IUT being in the 'authorized' state
* the IUT being requested to include certificate in the next CAM
* } ensure that {
* when {
* the IUT is requested to send a CAM
* } then {
* the IUT sends a SecuredMessage
* ND containing certificate
* containing signer_info
* containing type
* indicating 'certificate_digest_with_sha256'
* containing digest
* referenced to the certificate CERT
* verifiable using CERT.subject_attributes['verification_key'].key
* }
* }
* @see ETSI TS 103 096-2 v1.2.2 TP_SEC_ITSS_SND_CERT_09_01_BV
testcase TC_SEC_ITSS_SND_CERT_11_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
// Local declarations
var GeoNetworkingInd v_geoNwInd;
var Certificate v_at_cert;
var Certificate v_aa_cert;
var HashedId8 v_aa_digest;
var SignerInfo v_si;
var integer v_counter;
if (not(PICS_GN_SECURITY)) {
log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
stop;
}
// Test adapter configuration
// Preamble
f_prNeighbour();
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Wait for the message with the certificate to get the AA cert digest.
// Ask for the chain, containing AT and AA certificate
// Check that the AT cert in the first message is signed with the AA cert
log("*** " & testcasename() & ": INFO: Waiting for the message containing certificate ***");
tc_ac.start;
f_waitForCertificate(v_at_cert);
tc_ac.stop;
if (true != f_getCertificateSignerInfo(v_at_cert, v_si)) {
log("*** " & testcasename() & ": FAIL: AT Certificate signer info is unknown ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
if (not match (v_si.type_, e_certificate_digest_with_sha256)) {
log("*** " & testcasename() & ": FAIL: AT Certificate is not signed well ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
6840
6841
6842
6843
6844
6845
6846
6847
6848
6849
6850
6851
6852
6853
6854
6855
6856
6857
6858
6859
6860
6861
6862
6863
6864
6865
6866
6867
6868
6869
6870
6871
6872
6873
6874
6875
6876
6877
6878
6879
6880
6881
6882
6883
6884
6885
6886
6887
6888
6889
6890
v_aa_digest := v_si.signerInfo.digest;
// Send a certificate request to the IUT
f_sendCertificateRequest(v_aa_digest, f_generateDefaultCam());
// Test Body
tc_ac.start;
alt {
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mdw_securedMessage(
superset(
mw_header_field_signer_info_certificate_chain
))))) -> value v_geoNwInd {
var SecuredMessage v_secMsg;
var integer v_chainLength;
tc_ac.stop;
// Check certificate chain
if (f_getMsgSignerInfo(f_getSecuredMessage(v_geoNwInd.msgIn), v_si)) {
v_chainLength := lengthof(v_si.signerInfo.certificates);
if (v_chainLength < 2 ) {
log("*** " & testcasename() & ": FAIL: Certificate chain doesn't contain the AA cert ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
// get aa cert
v_aa_cert := v_si.signerInfo.certificates[v_chainLength-2];
if (not match (v_aa_digest, f_calculateDigestFromCertificate(v_aa_cert))) {
log("*** " & testcasename() & ": FAIL: AT certificate was not signed with the given AA cert ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
// Check that at cert is signed with aa cert
if (false == f_verifyCertificateSignatureWithIssuingCertificate(v_at_cert, v_aa_cert)) {
log("*** " & testcasename() & ": FAIL: AT certificate signature error ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
log("*** " & testcasename() & ": PASS: AT certificate was well signed with AA certificate ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: The message signer info is unknown ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_poNeighbour();
f_cf01Down();
* @desc Check the signatures of the certificates in the chain
* Pics Selection: PICS_GN_SECURITY
* Config Id: CF01
* Initial conditions:
* with {
* the IUT being in the 'authorized' state
* the IUT being requested to include certificate chain in the next CAM
* } ensure that {
* when {
* the IUT is requested to send a CAM
* } then {
* the IUT sends a SecuredMessage
6912
6913
6914
6915
6916
6917
6918
6919
6920
6921
6922
6923
6924
6925
6926
6927
6928
6929
6930
6931
6932
* containing header_fields['signer_info'].signer
* containing type
* indicating 'certificate_chain'
* and containing certificates
* indicating length N > 1
* and containing certificate[0]
* containing signer_info
* containing type
* indicating 'certificate_digest_with_sha256'
* and containing digest
* referenced to the trusted certificate (CERT_ROOT)
* and containing signature
* verifiable using CERTIFICATES[N-1].subject_attributes['verification_key'].key
* and containing certificates[n] (1..N)
* containing signer_info {
* containing type
* indicating 'certificate_digest_with_sha256'
* and containing digest
* referenced to the certificates[n-1]
* and containing signature
* verifiable using certificates[n-1].subject_attributes['verification_key'].key
* @see ETSI TS 103 096-2 v1.2.2 TP_SEC_ITSS_SND_CERT_09_02_BV
testcase TC_SEC_ITSS_SND_CERT_11_02_BV() runs on ItsGeoNetworking system ItsSecSystem {
// Local declarations
var GeoNetworkingInd v_geoNwInd;
var Certificate v_cert;
var CertificateChain v_chain;
var SignerInfo v_si;
var HashedId8 v_digest;
var integer v_counter;
if (not(PICS_GN_SECURITY)) {
log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
stop;
}
// Test adapter configuration
// Preamble
f_prNeighbour();
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Wait for the message with the certificate to get the AA cert digest.
// Ask for the chain, containing AT and AA certificate
// Check that the AT cert in the first message is signed with the AA cert
log("*** " & testcasename() & ": INFO: Waiting for the message containing certificate and ask for a certificate chain ***");
tc_ac.start;
f_askForCertificateChain(f_generateDefaultCam());
tc_ac.stop;
6972
6973
6974
6975
6976
6977
6978
6979
6980
6981
6982
6983
6984
6985
6986
6987
6988
6989
6990
6991
6992
6993
6994
6995
6996
6997
6998
6999
7000
tc_ac.start;
alt {
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mdw_securedMessage(
superset(
mw_header_field_signer_info_certificate_chain
))))) -> value v_geoNwInd {
var SecuredMessage v_secMsg;
var integer v_chainLength;
tc_ac.stop;
// Check certificate chain
if (f_getMsgSignerInfo(f_getSecuredMessage(v_geoNwInd.msgIn), v_si)) {
v_chain := v_si.signerInfo.certificates;
for (v_counter := lengthof(v_chain) - 1; v_counter > 0; v_counter := v_counter - 1 ) {
if (not f_getCertificateSignerInfo(v_chain[v_counter], v_si)) {
log("*** " & testcasename() & ": FAIL: Certificate "&int2str(v_counter) & " doesn't have a signer info ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
if (not match (v_si.type_, e_certificate_digest_with_sha256)) {
log("*** " & testcasename() & ": FAIL: Certificate is not signed with digest ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
// Check that cert is signed by issuing cert
v_digest := f_calculateDigestFromCertificate(v_chain[v_counter - 1]);
if (not match (v_si.signerInfo.digest, v_digest)) {
log("*** " & testcasename() & ": FAIL: Certificate chain is not valid ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);