Newer
Older
log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain ***");
tc_ac.start;
if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
} else {
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
5012
5013
5014
5015
5016
5017
5018
5019
5020
5021
5022
5023
5024
5025
5026
5027
5028
5029
5030
5031
5032
5033
5034
5035
5036
5037
5038
5039
5040
5041
5042
5043
5044
5045
5046
5047
5048
5049
5050
f_vr := false;
tc_ac.stop;
for (var integer v_counter := 0; v_counter < lengthof(v_chain); v_counter := v_counter + 1) {
v_vri := v_vr;
f_vri := f_vr;
f_vr := f_getCertificateValidityRestriction(v_chain[v_counter], e_region, v_vr);
if (f_vr) {
var PolygonalRegion v_pr;
var integer v_length;
if (v_vr.validity.region.region_type != e_polygon) {
log("*** " & testcasename() & ": INCONC: Certificate validity restriction region is not polygonal ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
v_pr := v_vr.validity.region.region.polygonal_region;
v_length := lengthof(v_pr);
if (v_length < 3) {
log("*** " & testcasename() & ": FAIL: Count of points in polygonal region is too small in cert " & int2str(v_counter) & " ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
if (v_length > 12) {
log("*** " & testcasename() & ": FAIL: Count of points in polygonal region is too big in cert " & int2str(v_counter) & "***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
if (true != f_isValidPolygonalRegion(v_pr)) {
log("*** " & testcasename() & ": FAIL: Polygonal region is not valid (self-intersected) in cert " & int2str(v_counter) & " ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
if (f_vri) {
// current restrictions must be inside of the parent one
if (true != f_isPolygonalRegionInside(v_vri.validity.region.region.polygonal_region, v_pr)) {
log("*** " & testcasename() & ": FAIL: Certificate validity restriction region in cert " & int2str(v_counter) & " is not inside the issuing one ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
} else {
// Region validity restriction is not exist
if (f_vri) {
log("*** " & testcasename() & ": FAIL: Certificate validity restriction region must be set in the certificate " & int2str(v_counter) &
"because this restriction exists in the issuing certificate ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
} // End of 'for' statement
log("*** " & testcasename() & ": PASS: All certificates has a valid polygonal region restrictions ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
// Postamble
f_poNeighbour();
f_cf01Down();
* @desc Check that the identified certificate validity region contains values that correspond to numeric country codes
* as defined in ISO 3166-1 or defined by United Nations Statistics Division
* Pics Selection: PICS_GN_SECURITY and PICS_CERTIFICATE_SELECTION and PICS_USE_IDENTIFIED_REGION
5077
5078
5079
5080
5081
5082
5083
5084
5085
5086
5087
5088
5089
5090
5091
5092
5093
5094
5095
5096
5097
5098
5099
5100
5101
5102
5103
5104
5105
5106
5107
* with {
* the IUT being in the 'authorized' state
* the IUT being requested to include certificate in the next CAM
* } ensure that {
* when {
* the IUT is requested to send a CAM
* } then {
* the IUT sends a SecuredMessage
* containing header_fields['signer_info'].signer
* containing type
* indicating 'certificate'
* and containing certificate
* containing validity_restrictions['region']
* containing region
* containing region_type
* indicating 'id'
* and containing id_region
* containing region_dictionary
* indicating 'iso_3166_1' (0)
* and containing region_identifier
* indicating valid value according to 'iso_3166_1'
* and containing local_region
* or containing region
* containing id_region
* containing region_dictionary
* indicating 'un_stats'
* and containing region_identifier
* indicating valid value according to UN STATS
* and containing local_region
* }
* }
testcase TC_SEC_ITSS_SND_CERT_06_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
var Certificate v_cert;
var ValidityRestriction v_vr;
var integer v_counter;
if (not(PICS_GN_SECURITY) or not(PICS_CERTIFICATE_SELECTION) or not(PICS_USE_IDENTIFIED_REGION)) {
log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY and PICS_CERTIFICATE_SELECTION and PICS_USE_IDENTIFIED_REGION' required for executing the TC ***");
// Test component configuration
vc_hashedId8ToBeUsed := cc_iutCert_E;
// Test adapter configuration
// Preamble
f_prNeighbour();
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
if (not f_waitForCertificate(v_cert)) {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
}
tc_ac.stop;
if (f_getCertificateValidityRestriction(v_cert, e_region, v_vr)) {
if (v_vr.validity.region.region_type == e_id) {
if (not match (v_vr.validity.region, mw_geographicRegion_identified(mw_identifiedRegion_iso3166_any))) {
log("*** " & testcasename() & ": FAIL: Identified region is not conformed to ISO 3166-1 ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else if (not match (v_vr.validity.region, mw_geographicRegion_identified(mw_identifiedRegion_un_stats_any))) {
log("*** " & testcasename() & ": FAIL: Identified region is not conformed to United Nations Statistics Division ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
log("*** " & testcasename() & ": PASS: Certificate has a valid region ID restrictions ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": FAIL: Certificate doesn't have any location restrictions ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
// Postamble
f_poNeighbour();
f_cf01Down();
* @desc Check that the identified certificate validity region contains values that correspond to numeric country codes
* as defined in ISO 3166-1 or defined by United Nations Statistics Division
* Check that the identified certificate validity region contains values defining the region which is inside
* the validity region of the issuing certificate
* @remark The case when signing certificate and issuing certificate contain different type of region validity restriction is not supported by this test
* Pics Selection: PICS_GN_SECURITY and PICS_CERTIFICATE_SELECTION and PICS_USE_IDENTIFIED_REGION
* with {
* the IUT being in the 'authorized' state
* the IUT being requested to include certificate chain in the next CAM
* } ensure that {
* when {
* the IUT is requested to send a CAM
* } then {
* the IUT sends a SecuredMessage
* containing header_fields['signer_info'].signer
* containing type
* indicating 'certificate_chain'
* and containing certificate
* indicating length N > 1
* containing validity_restrictions['region']
* containing region
* containing region_type
* indicating 'id'
* and containing id_region
* containing region_dictionary
* indicating 'iso_3166_1' (0)
* and containing region_identifier
* indicating valid value according to 'iso_3166_1'
* and containing local_region
* or containing region
* containing id_region
* containing region_dictionary
* indicating 'un_stats'
* and containing region_identifier
* indicating valid value according to UN STATS
* and containing local_region
* }
* }
testcase TC_SEC_ITSS_SND_CERT_06_02_BV() runs on ItsGeoNetworking system ItsSecSystem {
var CertificateChain v_chain;
var ValidityRestriction v_vr := valueof(m_validity_restriction_unknown), v_vri := valueof(m_validity_restriction_unknown); // current and issuing cert validity restrictions
var boolean f_vr := false, f_vri := false;
if (not(PICS_GN_SECURITY) or not(PICS_CERTIFICATE_SELECTION) or not(PICS_USE_IDENTIFIED_REGION)) {
log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY and PICS_CERTIFICATE_SELECTION and PICS_USE_IDENTIFIED_REGION' required for executing the TC ***");
// Test component configuration
vc_hashedId8ToBeUsed := cc_iutCert_E;
// Test adapter configuration
// Preamble
f_prNeighbour();
log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain ***");
tc_ac.start;
if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
} else {
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
5238
5239
5240
5241
5242
5243
5244
5245
5246
5247
5248
5249
5250
5251
5252
5253
5254
5255
5256
5257
5258
5259
5260
5261
5262
5263
5264
5265
5266
5267
5268
5269
5270
5271
5272
5273
5274
5275
5276
5277
5278
f_vr := false;
tc_ac.stop;
for (var integer v_counter := 0; v_counter < lengthof(v_chain); v_counter := v_counter + 1) {
v_vri := v_vr;
f_vri := f_vr;
f_vr := f_getCertificateValidityRestriction(v_chain[v_counter], e_region, v_vr);
if (f_vr) {
if (v_vr.validity.region.region_type == e_id) {
if (not match (v_vr.validity.region, mw_geographicRegion_identified(mw_identifiedRegion_iso3166_any))) {
log("*** " & testcasename() & ": FAIL: Identified region is not conformed to ISO 3166-1 ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
if (not match (v_vr.validity.region, mw_geographicRegion_identified(mw_identifiedRegion_un_stats_any))) {
log("*** " & testcasename() & ": FAIL: Identified region is not conformed to United Nations Statistics Division ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
if (f_vri) {
// the region code must be the same
if (v_vr.validity.region.region.id_region.region_identifier !=
v_vri.validity.region.region.id_region.region_identifier) {
log("*** " & testcasename() & ": FAIL: Certificate validity restriction identified region in cert " & int2str(v_counter) & " is not the same as in the issuing one ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
if ( v_vri.validity.region.region.id_region.local_region != 0
and v_vri.validity.region.region.id_region.local_region != v_vr.validity.region.region.id_region.local_region ) {
log("*** " & testcasename() & ": FAIL: Certificate validity restriction local identified region in cert " & int2str(v_counter) & " is not the same as in the issuing one ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
} else {
// Region validity restriction is not exist
if (f_vri) {
log("*** " & testcasename() & ": FAIL: Certificate validity restriction identified region must be set in the certificate " & int2str(v_counter) &
"because this restriction exists in the issuing certificate ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
log("*** " & testcasename() & ": PASS: All certificates has a valid identified regionrestrictions ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
// Postamble
f_poNeighbour();
f_cf01Down();
* @desc Check that the region of the subordinate certificate validity restriction is inside the region of the issuing certificate validity restriction
* <pre>
* Pics Selection: PICS_GN_SECURITY and PICS_CERTIFICATE_SELECTION
5292
5293
5294
5295
5296
5297
5298
5299
5300
5301
5302
5303
5304
5305
5306
5307
5308
5309
5310
5311
5312
5313
5314
5315
5316
5317
5318
5319
5320
5321
5322
5323
5324
5325
5326
5327
5328
5329
5330
5331
5332
5333
5334
5335
5336
5337
5338
5339
5340
5341
5342
5343
5344
* Config Id: CF01
* with {
* the IUT being in the 'authorized' state
* the IUT being requested to include certificate chain in the next CAM
* } ensure that {
* when {
* the IUT is requested to send a CAM
* } then {
* the IUT sends a SecuredMessage
* containing header_fields['signer_info'].signer
* containing type
* indicating 'certificate_chain'
* and containing certificates
* indicating length N > 1
* and containing certificates[n] (0..N)
* indicating certificate
* not containing validity_restrictions['region']
* and containing signer_info
* containing digest
* referenced to the certificate
* not containing validity_restrictions['region']
* or indicating certificate
* containing validity_restrictions['region']
* containing region.region_type
* indicating 'none'
* and containing signer_info
* containing digest
* referenced to the certificate
* not containing validity_restrictions['region']
* or containing validity_restrictions['region']
* containing region.region_type
* indicating 'none'
* or indicating certificate
* containing validity_restrictions['region']
* containing region.region_type
* indicated 'circle'
* or indicated 'rectangle'
* or indicated 'polygon'
* or indicated 'id'
* and containing region (X_CERT__REGION)
* and containing signer_info
* containing digest
* referenced to the certificate
* not containing validity_restrictions['region']
* or containing validity_restrictions['region']
* containing region.region_type
* indicating 'none'
* or containing validity_restrictions['region']
* containing region
* indicating region fully covering the X_CERT_REGION
* }
* }
* </pre>
testcase TC_SEC_ITSS_SND_CERT_07_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
var CertificateChain v_chain;
var Certificate v_cert, v_cert_issuer;
var SignerInfo v_si;
var UInt8 v_counter;
var HashedId8 v_digest;
var CertificatesCaching v_certificatesCaching;
var FncRetCode v_result_status := e_success;
// Test control
if (not(PICS_GN_SECURITY) or not(PICS_CERTIFICATE_SELECTION)) {
log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY and PICS_CERTIFICATE_SELECTION' required for executing the TC ***");
5360
5361
5362
5363
5364
5365
5366
5367
5368
5369
5370
5371
5372
5373
5374
5375
5376
5377
5378
5379
5380
5381
5382
5383
5384
5385
5386
5387
5388
5389
5390
5391
5392
5393
5394
5395
5396
5397
5398
5399
5400
5401
5402
5403
5404
5405
5406
5407
5408
5409
5410
5411
5412
5413
5414
5415
5416
5417
5418
5419
5420
5421
5422
5423
5424
5425
5426
5427
5428
5429
5430
5431
5432
stop;
}
// Test component configuration
// vc_hashedId8ToBeUsed := cc_iutCert_E;
f_cf01Up();
// Test adapter configuration
// Preamble
f_prNeighbour();
log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain ***");
tc_ac.start;
if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
} else {
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
// Test Body
// 1. Create a cache of certificates
f_createCertificatesCaching(v_chain, v_certificatesCaching);
// 2. Process the certificates
v_counter := f_getCertificatesCachingItemSize(v_certificatesCaching) - 1;
while (v_counter != 0) {
// Get the first certificate
if (f_getCertificatesCachingItem(v_certificatesCaching, v_counter, v_cert) == false) {
v_result_status := e_error;
break;
}
// Retrive SigneInfo field
if (not f_getCertificateSignerInfo(v_cert, v_si)) {
log("*** " & testcasename() & ": FAIL: Certificate " & int2str(v_counter) & " doesn't have a signer info ***");
v_result_status := e_error;
break;
}
if (not match (v_si.type_, e_certificate_digest_with_sha256)) {
log("*** " & testcasename() & ": FAIL: Certificate is not signed with digest ***");
v_result_status := e_error;
break;
}
// Get issuer
if (f_getCertificateFromCaching(v_certificatesCaching, v_si.signerInfo.digest, v_cert_issuer) == false) {
log("*** " & testcasename() & ": FAIL: Certificate is not signed with digest ***");
v_result_status := e_error;
break;
}
// Check that cert is signed by issuing cert
v_digest := f_calculateDigestFromCertificate(v_cert_issuer);
if (not match (v_si.signerInfo.digest, v_si.signerInfo.digest)) {
log("*** " & testcasename() & ": FAIL: Certificate chain is not valid ***");
v_result_status := e_error;
break;
}
// Check that the region of the subordinate certificate validity restriction is inside the region of the issuing certificate validity restriction
if (f_checkRegionValidityRestiction(v_cert, v_cert_issuer) == false) {
v_result_status := e_error;
break;
}
// Prepare next loop
v_counter := v_counter - 1;
} // End of 'while' statement
if (v_result_status == e_success) {
log("*** " & testcasename() & ": PASS: All certificates has a valid identified region restrictions ***");
}
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, v_result_status);
// Postamble
f_poNeighbour();
f_cf01Down();
/**
* @desc Check that the region of the subordinate certificate validity restriction is inside the region of the issuing certificate validity restriction
* <pre>
* Pics Selection: PICS_GN_SECURITY and PICS_CERTIFICATE_SELECTION and PICS_USE_IDENTIFIED_REGION
5439
5440
5441
5442
5443
5444
5445
5446
5447
5448
5449
5450
5451
5452
5453
5454
5455
5456
5457
5458
5459
5460
5461
5462
5463
5464
5465
5466
5467
5468
5469
5470
5471
5472
5473
5474
5475
5476
5477
5478
5479
5480
5481
5482
5483
5484
5485
5486
5487
5488
* Config Id: CF01
* with {
* the IUT being in the 'authorized' state
* the IUT being requested to include certificate chain in the next CAM
* the IUT being requested to include certificate chain in the next CAM
* } ensure that {
* when {
* the IUT is requested to send a CAM
* } then {
* the IUT sends a SecuredMessage
* containing header_fields['signer_info'].signer
* containing type
* indicating 'certificate_chain'
* and containing certificates
* indicating length N > 1
* and containing certificates[n] (0..N)
* indicating certificate
* containing validity_restrictions['region']
* containing region.region_type
* indicated 'id'
* and containing id_region
* containing region_dictionary
* indicating 'iso_3166_1'
* or indicating 'un_stat'
* and containing region_identifier (X_CERT_REGION_ID)
* indicating valid value according to 'iso_3166_1' or 'un_stat'
* and containing local_region (X_CERT_LOCAL_REGION)
* and containing signer_info
* containing digest
* referenced to the certificate
* containing validity_restrictions['region']
* containing region
* indicated 'id'
* and containing id_region
* containing region_dictionary
* indicating 'iso_3166_1'
* or indicating 'un_stat'
* and containing region_identifier
* indicating value == X_CERT_REGION_ID
* and containing local_region
* indicating value == X_CERT_LOCAL_REGION
* or indicating 0
* or containing id_region
* containing region_dictionary
* indicating 'un_stats'
* and containing region_identifier
* indicating region fully covering the X_CERT_REGION
* }
* }
* </pre>
testcase TC_SEC_ITSS_SND_CERT_07_02_BV() runs on ItsGeoNetworking system ItsSecSystem {
var CertificateChain v_chain;
var Certificate v_cert, v_cert_issuer;
var SignerInfo v_si;
var UInt8 v_counter;
var HashedId8 v_digest;
var CertificatesCaching v_certificatesCaching;
var FncRetCode v_result_status := e_success;
// Test control
if (not(PICS_GN_SECURITY) or not(PICS_CERTIFICATE_SELECTION) or not(PICS_USE_IDENTIFIED_REGION)) {
log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY and PICS_CERTIFICATE_SELECTION and PICS_USE_IDENTIFIED_REGION' required for executing the TC ***");
5504
5505
5506
5507
5508
5509
5510
5511
5512
5513
5514
5515
5516
5517
5518
5519
5520
5521
5522
5523
5524
5525
5526
5527
5528
5529
5530
5531
5532
5533
5534
5535
5536
5537
5538
5539
5540
5541
5542
5543
5544
5545
5546
5547
5548
5549
5550
5551
5552
5553
5554
5555
5556
5557
5558
5559
5560
5561
5562
5563
5564
5565
5566
5567
5568
5569
5570
5571
5572
5573
5574
5575
5576
stop;
}
// Test component configuration
// vc_hashedId8ToBeUsed := cc_iutCert_E;
f_cf01Up();
// Test adapter configuration
// Preamble
f_prNeighbour();
log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain ***");
tc_ac.start;
if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
} else {
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
// Test Body
// 1. Create a cache of certificates
f_createCertificatesCaching(v_chain, v_certificatesCaching);
// 2. Process the certificates
v_counter := f_getCertificatesCachingItemSize(v_certificatesCaching) - 1;
while (v_counter != 0) {
// Get the first certificate
if (f_getCertificatesCachingItem(v_certificatesCaching, v_counter, v_cert) == false) {
v_result_status := e_error;
break;
}
// Retrive SigneInfo field
if (not f_getCertificateSignerInfo(v_cert, v_si)) {
log("*** " & testcasename() & ": FAIL: Certificate " & int2str(v_counter) & " doesn't have a signer info ***");
v_result_status := e_error;
break;
}
if (not match (v_si.type_, e_certificate_digest_with_sha256)) {
log("*** " & testcasename() & ": FAIL: Certificate is not signed with digest ***");
v_result_status := e_error;
break;
}
// Get issuer
if (f_getCertificateFromCaching(v_certificatesCaching, v_si.signerInfo.digest, v_cert_issuer) == false) {
log("*** " & testcasename() & ": FAIL: Certificate is not signed with digest ***");
v_result_status := e_error;
break;
}
// Check that cert is signed by issuing cert
v_digest := f_calculateDigestFromCertificate(v_cert_issuer);
if (not match (v_si.signerInfo.digest, v_si.signerInfo.digest)) {
log("*** " & testcasename() & ": FAIL: Certificate chain is not valid ***");
v_result_status := e_error;
break;
}
// Check that the region of the subordinate certificate validity restriction is inside the region of the issuing certificate validity restriction
if (f_checkRegionValidityRestiction(v_cert, v_cert_issuer) == false) {
v_result_status := e_error;
break;
}
// Prepare next loop
v_counter := v_counter - 1;
} // End of 'while' statement
if (v_result_status == e_success) {
log("*** " & testcasename() & ": PASS: All certificates has a valid identified region restrictions ***");
}
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, v_result_status);
// Postamble
f_poNeighbour();
f_cf01Down();
* @desc Check the certificate chain to ensure that the time validity restriction of the subordinate certificate is inside the time validity restriction of the issuing certificate
* <pre>
* Pics Selection: PICS_GN_SECURITY
* Config Id: CF01
* with {
* the IUT being in the 'authorized' state
* the IUT being requested to include certificate chain in the next CAM
* } ensure that {
* when {
* the IUT is requested to send a CAM
* } then {
* the IUT sends a SecuredMessage
* containing header_fields['signer_info'].signer
* containing type
5595
5596
5597
5598
5599
5600
5601
5602
5603
5604
5605
5606
5607
5608
5609
5610
5611
5612
5613
5614
5615
5616
5617
5618
5619
5620
5621
* containing certificates
* containing certificates[last-1]
* containing validity_restrictions
* containing validity_restrictions['time_start_and_end']
* containing start_validity
* indicating START_AA_VALIDITY
* containing end_validity
* indicating END_AA_VALIDITY >= START_AA_VALIDITY
* and containing signer_info
* containing digest
* referenced to the trusted certificate
* containing validity_restrictions['time_end']
* containing end_validity
* indicating value > AA_END_VALIDITY
* or containing validity_restrictions['time_start_and_end']
* containing start_validity
* indicating value <= AA_START_VALIDITY
* and containing end_validity
* indicating value > AA_END_VALIDITY
* or containing validity_restrictions['time_start_and_duration']
* containing start_validity
* indicating X_START_VALIDITY <= AA_START_VALIDITY
* and containing duration
* indicating value > AA_END_VALIDITY - X_START_VALIDITY
* }
* }
* </pre>
testcase TC_SEC_ITSS_SND_CERT_08_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
5626
5627
5628
5629
5630
5631
5632
5633
5634
5635
5636
5637
5638
5639
5640
5641
5642
5643
5644
5645
5646
5647
5648
5649
5650
5651
5652
5653
5654
5655
5656
5657
5658
5659
5660
5661
5662
5663
5664
5665
5666
5667
5668
5669
5670
5671
5672
5673
5674
5675
5676
5677
5678
5679
5680
5681
5682
5683
5684
5685
5686
5687
5688
5689
5690
5691
5692
5693
5694
5695
5696
5697
5698
5699
5700
5701
5702
5703
5704
5705
5706
5707
5708
5709
5710
5711
5712
5713
5714
5715
5716
5717
5718
5719
5720
var CertificateChain v_chain;
var Certificate v_aa_cert;
var ValidityRestriction v_vr;
var SignerInfo v_si;
var Time64 v_generationTime;
var Time64 v_curTime;
var Time64 v_startTime, v_endTime, v_duration;
// Test control
if (not(PICS_GN_SECURITY)) {
log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
stop;
}
// Test component configuration
f_cf01Up();
// Test adapter configuration
// Preamble
f_prNeighbour();
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
log("*** " & testcasename() & ": INFO: Request and waiting for the message containing certificate chain ***");
tc_ac.start;
if (not f_askAndWaitForCertificateChain(v_chain, f_generateDefaultCam())) {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
}
tc_ac.stop;
if (lengthof(v_chain) < 2) {
log("*** " & testcasename() & ": FAIL: Certificate chain is too short ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
}
v_aa_cert := v_chain[lengthof(v_chain) - 1];
if (match (v_aa_cert.validity_restrictions, (superset(mw_validity_restriction_time_end,
mw_validity_restriction_time_start_and_duration)))
) {
log("*** " & testcasename() & ": FAIL: AA certificate must not contain time_end and time_start_and_duration restrictions ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
if ( true != f_getCertificateValidityRestriction(v_aa_cert, e_time_start_and_end, v_vr)) {
log("*** " & testcasename() & ": FAIL: AA certificate must contain time_start_and_end restrictions ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
if (v_vr.validity.time_start_and_end.start_validity > v_vr.validity.time_start_and_end.end_validity ) {
log("*** " & testcasename() & ": FAIL: start validity mus not be greater then end validity in the validity restrictions of AA certificate ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
// Process signerInfo field
if ( true != f_getCertificateSignerInfo(v_aa_cert, v_si)) {
log("*** " & testcasename() & ": FAIL: AA certificate must contain SignerInfo fields ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
if (v_si.type_ == e_certificate) {
log("*** " & testcasename() & ": FAIL: AA certificate must contain SignerInfo field containing a certificate ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
for (var integer v_counter := 0; v_counter < lengthof(v_si.signerInfo.certificate.validity_restrictions); v_counter := v_counter + 1) {
if (v_si.signerInfo.certificate.validity_restrictions[v_counter].type_ == e_time_end) {
v_endTime := v_si.signerInfo.certificate.validity_restrictions[v_counter].validity.end_validity * 1000000;
if (not match(v_generationTime, Time64:(0 .. v_endTime))){
log("*** " & testcasename() & ": FAIL: DENM generation time is not inside the validity of the certificate");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
} else if (v_si.signerInfo.certificate.validity_restrictions[v_counter].type_ == e_time_start_and_end) {
v_endTime := v_si.signerInfo.certificate.validity_restrictions[v_counter].validity.time_start_and_end.end_validity * 1000000;
v_startTime := v_si.signerInfo.certificate.validity_restrictions[v_counter].validity.time_start_and_end.start_validity * 1000000;
if (not match(v_generationTime, Time64:(v_startTime .. v_endTime))){
log("*** " & testcasename() & ": FAIL: DENM generation time is not inside the validity of the certificate");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
} else if (v_si.signerInfo.certificate.validity_restrictions[v_counter].type_ == e_time_start_and_duration) {
v_startTime := v_si.signerInfo.certificate.validity_restrictions[v_counter].validity.time_start_and_duration.start_validity * 1000000;
v_duration := f_duration2time(v_si.signerInfo.certificate.validity_restrictions[v_counter].validity.time_start_and_duration.duration_) * 1000000;
if (not match(v_generationTime, Time64:(v_startTime .. v_duration))){
log("*** " & testcasename() & ": FAIL: DENM generation time is not inside the validity of the certificate");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
} else {
log("*** " & testcasename() & ": FAIL: Mal-formed the certificate");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
} // End of 'for' statement
log("*** " & testcasename() & ": PASS: Time validity restriction of the AA certificate is good ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
// Postamble
f_poNeighbour();
f_cf01Down();
/**
* @desc Check that the certificate signature contains ECC point of type set to either compressed_lsb_y_0, compressed_lsb_y_1
* or x_coordinate_only
* Pics Selection: PICS_GN_SECURITY
* Config Id: CF01
* Initial conditions:
* with {
* the IUT being in the 'authorized' state
* the IUT being requested to include certificate in the next CAM
* }
* Expected Behaviour:
* ensure that {
* when {
* the IUT sends a SecuredMessage
* containing header_fields['signer_info'].signer
* containing type
* indicating certificate
* containing certificate
* containing signature.ecdsa_signature
* containing R.type
* indicating compressed_lsb_y_0
* or indicating compressed_lsb_y_1
* or indicating x_coordinate_only
testcase TC_SEC_ITSS_SND_CERT_09_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
if (not(PICS_GN_SECURITY)) {
log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
stop;
}
// Test adapter configuration
// Preamble
f_prNeighbour();
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
5773
5774
5775
5776
5777
5778
5779
5780
5781
5782
5783
5784
5785
5786
5787
5788
5789
5790
5791
5792
5793
5794
5795
5796
5797
5798
5799
5800
5801
5802
5803
5804
5805
5806
5807
5808
5809
5810
5811
5812
5813
5814
5815
5816
5817
5818
5819
5820
5821
5822
5823
5824
5825
5826
5827
5828
5829
5830
5831
5832
5833
5834
5835
5836
5837
5838
5839
5840
5841
5842
5843
5844
5845
tc_ac.start;
alt {
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mdw_securedMessage(
superset(
mw_header_field_signer_info_certificate(
mw_at_certificate(
?,
?,
?,
mw_signature(
mw_ecdsaSignature(
mw_eccPointecdsa_nistp256_with_sha256_y0_coordinate_only
))))))))) {
tc_ac.stop;
log("*** " & testcasename() & ": PASS: AT certificate contains signature with the ECC point of type set to compressed_lsb_y_0 received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mdw_securedMessage(
superset(
mw_header_field_signer_info_certificate(
mw_at_certificate(
?,
?,
?,
mw_signature(
mw_ecdsaSignature(
mw_eccPointecdsa_nistp256_with_sha256_y1_coordinate_only
))))))))) {
tc_ac.stop;
log("*** " & testcasename() & ": PASS: AT certificate contains signature with the ECC point of type set to compressed_lsb_y_1 received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mdw_securedMessage(
superset(
mw_header_field_signer_info_certificate(
mw_at_certificate(
?,
?,
?,
mw_signature(
mw_ecdsaSignature(
mw_eccPointecdsa_nistp256_with_sha256_x_coordinate_only
))))))))) {
tc_ac.stop;
log("*** " & testcasename() & ": PASS: AT certificate contains signature with the ECC point of type set to x_coordinate_only received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mdw_securedMessage(
superset(
mw_header_field_signer_info_certificate(
mw_at_certificate
)))))) {
tc_ac.stop;
log("*** " & testcasename() & ": FAIL: AT certificate signature mismatch ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_poNeighbour();
f_cf01Down();
* @desc Check that the all certificates in a chain have signatures contains ECC point of type set to either compressed_lsb_y_0, compressed_lsb_y_1
* or x_coordinate_only
* Pics Selection: PICS_GN_SECURITY
* Config Id: CF01
* Initial conditions:
* the IUT being requested to include certificate in the next CAM
* }
* Expected Behaviour:
* ensure that {
* when {
* the IUT is requested to send a CAM
* } then {
* the IUT sends a SecuredMessage
* containing header_fields['signer_info'].signer
* containing type
* indicating 'certificate_chain'
* containing certificates
* indicating length N > 1
* and indicating certificates[n] (0..N)
* containing signature.ecdsa_signature
* containing R.type
* indicating compressed_lsb_y_0
* or indicating compressed_lsb_y_1
* or indicating x_coordinate_only
testcase TC_SEC_ITSS_SND_CERT_09_02_BV() runs on ItsGeoNetworking system ItsSecSystem {
// Local variables
var GeoNetworkingInd v_geoNwInd;
var SignerInfo v_si;
var CertificateChain v_chain;
var integer v_counter;
if (not(PICS_GN_SECURITY)) {
log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
stop;
}
// Test adapter configuration
// Preamble
f_prNeighbour();
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mdw_securedMessage(
superset(
mw_header_field_signer_info_certificate_chain
))))) -> value v_geoNwInd {
5920
5921
5922
5923
5924
5925
5926
5927
5928
5929
5930
5931
5932
5933
5934
5935
5936
5937
5938
5939
5940
5941
5942
5943
5944
5945
5946
5947
5948
5949
// Check certificate chain
if (f_getMsgSignerInfo(f_getSecuredMessage(v_geoNwInd.msgIn), v_si)) {
v_chain := v_si.signerInfo.certificates;
for (v_counter := lengthof(v_chain) - 1; v_counter > 0; v_counter := v_counter - 1 ) {
if (v_chain[v_counter].signature_.algorithm != e_ecdsa_nistp256_with_sha256) {
log("*** " & testcasename() & ": FAIL: Wrong signature algorithm ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
} else if (
(v_chain[v_counter].signature_.signature_.ecdsa_signature.r.type_ != e_x_coordinate_only) and
(v_chain[v_counter].signature_.signature_.ecdsa_signature.r.type_ != e_compressed_lsb_y_0) and
(v_chain[v_counter].signature_.signature_.ecdsa_signature.r.type_ != e_compressed_lsb_y_1)
) {
log("*** " & testcasename() & ": FAIL: Wrong ECDSA R type ***");
f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
}
} // End of 'for' statement
}
log("*** " & testcasename() & ": PASS: All certificates in a chain have the correct signature type ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_poNeighbour();
f_cf01Down();
5951
5952
5953
5954
5955
5956
5957
5958
5959
5960
5961
5962
5963
5964
5965
5966
5967
5968
5969
5970
5971
5972
5973
5974
5975
5976
5977
5978
5979
5980
/**
* @desc Check that the certificate verification key contains ECC point of type set to either compressed_lsb_y_0, compressed_lsb_y_1
* or uncompressed
* <pre>
* Pics Selection: PICS_GN_SECURITY
* Config Id: CF01
* Initial conditions:
* with {
* the IUT being in the 'authorized' state
* the IUT being requested to include certificate in the next CAM
* }
* Expected Behaviour:
* ensure that {
* when {
* the IUT is requested to send a CAM
* } then {
* the IUT sends a SecuredMessage
* containing header_fields['signer_info'].signer
* containing type
* indicating certificate
* containing certificate
* containing subject_attributes['verification_key']
* containing key.public_key.type
* indicating compressed_lsb_y_0
* or indicating compressed_lsb_y_1
* or indicating x_coordinate_only
* }
* }
* </pre>
testcase TC_SEC_ITSS_SND_CERT_10_01_BV() runs on ItsGeoNetworking system ItsSecSystem {
// Test control
if (not(PICS_GN_SECURITY)) {
log("*** " & testcasename() & ":ERROR: 'PICS_GN_SECURITY' required for executing the TC ***");
stop;
}
// Test component configuration
f_cf01Up();
// Test adapter configuration
// Preamble
f_prNeighbour();
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);