Validate Authorization/AuthorizationValidation

ca7d1839 · Yann Garcia · 5a2f8d34 · ca7d1839 · ca7d1839 · ca7d1839
Commit ca7d1839 authored Feb 13, 2019 by Yann Garcia
--- a/ccsrc/Protocols/Http/http_codec.cc
+++ b/ccsrc/Protocols/Http/http_codec.cc
@@ -215,7 +215,7 @@ int http_codec::encode_request(const LibItsHttp__TypesAndValues::Request& p_requ
  if (_ec.is_content_length_present == 0x01) {
    loggers::get_instance().log_msg("http_codec::encode_request: Add body ", os);
    p_encoding_buffer.put_os(os);
-    //FIXME For test With GEMALTO, comment to be removed, p_encoding_buffer.put_cs("\r\n");
+    p_encoding_buffer.put_cs("\r\n");
  }

  loggers::get_instance().log_to_hexa("<<< http_codec::encode_request: ", p_encoding_buffer);

--- a/etc/AtsPki/AtsPki_Gemalto.cfg_
+++ b/etc/AtsPki/AtsPki_Gemalto.cfg_
@@ -10,17 +10,23 @@ LibItsSecurity_Pixits.PX_IUT_SEC_CONFIG_NAME := "asn1c_cert"

 LibItsHttp_Pics.PICS_HEADER_CONTENT_TYPE := "application/x-its-request"

-# Gemalto
+LibItsPki_Pics.PICS_MULTIPLE_END_POINT := true
 LibItsPki_Pics.PICS_HEADER_HOST_EC  := "etsi.enrolment.ea.msi-dev.acloud.gemalto.com"
 LibItsPki_Pics.PICS_HEADER_HOST_ATV := "etsi.authvalidation.ea.msi-dev.acloud.gemalto.com"
 LibItsPki_Pics.PICS_HEADER_HOST_AT  := "etsi.authorization.aa.msi-dev.acloud.gemalto.com"

+LibItsPki_Pics.PICS_HTTP_POST_URI_EC :="/"
+LibItsPki_Pics.PICS_HTTP_POST_URI_AT :="/"
+LibItsPki_Pics.PICS_HTTP_POST_URI_ATV :="/"
+
 LibItsPki_Pics.PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY        := '5C25F97607DFC62972A147FAD8B7A7C939569F0F95ECD4C641724A68B51836E5'O
 LibItsPki_Pics.PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY         := '020144E5174B0AFDA86BDB8B643B68D40030F5BDB9A9F090C64852CC3C20C9D5AD'O
 LibItsPki_Pics.PICS_ITS_S_CANONICAL_ID                     := '1B4CA1210123AE900BBE6C3EBAE7E87DA20DBDAB1E7B2EC0691C51C1021900AA'O
 LibItsPki_Pics.PICS_TS_EA_CERTIFICATE_ID                   := "CERT_GEMALTO_EA"
 LibItsPki_Pics.PICS_TS_AA_CERTIFICATE_ID                   := "CERT_GEMALTO_AA"

+LibItsPki_Pixits.PX_AUTHORIZATION_REQUEST_WITH_POP         := false # Not private key available 
+
 [LOGGING]
 # In this section you can specify the name of the log file and the classes of events
 # you want to log into the file or display on console (standard error).
@@ -37,17 +43,19 @@ LogEventTypes:= Yes

 [TESTPORT_PARAMETERS]
 # Multiple HTTP component ports
-system.httpEcPort.params := "HTTP(codecs=http_its:http_etsi_ieee1609dot2_codec)/TCP(server=etsi.enrolment.ea.msi-dev.acloud.gemalto.com)"
-system.httpAtVPort.params := "HTTP(codecs=http_its:http_etsi_ieee1609dot2_codec)/TCP(server=etsi.authvalidation.ea.msi-dev.acloud.gemalto.com)"
-system.httpAtPort.params := "HTTP(codecs=http_its:http_etsi_ieee1609dot2_codec)/TCP(server=etsi.authorization.aa.msi-dev.acloud.gemalto.com)"
+system.httpEcPort.params := "HTTP(codecs=http_its:http_etsi_ieee1609dot2_codec)/TCP(server=52.85.182.66)" #etsi.enrolment.ea.msi-dev.acloud.gemalto.com
+system.httpAtVPort.params := "HTTP(codecs=http_its:http_etsi_ieee1609dot2_codec)/TCP(server=52.85.182.87)" #etsi.authvalidation.ea.msi-dev.acloud.gemalto.com
+system.httpAtPort.params := "HTTP(codecs=http_its:http_etsi_ieee1609dot2_codec)/TCP(server=52.85.182.235)" #etsi.authorization.aa.msi-dev.acloud.gemalto.com

 [EXECUTE]
-# The EnrolmentResponse message shall be sent by the EA to the ITS-S across the interface at reference point S3 in response to a received EnrolmentRequest message
-ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_01_BV
+# The EnrolmentResponse message shall be sent by the EA to the ITS-S across the interface at reference point S3 in response
+# to a received EnrolmentRequest message
+#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_01_BV
 # Check that EA doesn't accept Enrolment rekeying request when enrolment is not permitted by signing certificate
 #ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_02_BI

-# The EnrolmentResponse message shall be encrypted using an ETSI TS 103 097 approved algorithm and the encryption shall be done with the same AES key as the one used by the ITS-S requestor for the encryption of the EnrolmentRequest message.
+# The EnrolmentResponse message shall be encrypted using an ETSI TS 103 097 approved algorithm and the encryption shall be
+#done with the same AES key as the one used by the ITS-S requestor for the encryption of the EnrolmentRequest message.
 #ItsPki_TestCases.TC_SECPKI_EA_ENR_01_BV
 #ItsPki_TestCases.TC_SECPKI_EA_ENR_02_BV
 #ItsPki_TestCases.TC_SECPKI_EA_ENR_03_BV
@@ -60,8 +68,12 @@ ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_01_BV
 #ItsPki_TestCases.TC_SECPKI_EA_ENR_09_BV
 #ItsPki_TestCases.TC_SECPKI_EA_ENR_10_BV
 #ItsPki_TestCases.TC_SECPKI_EA_ENR_11_BV
-#ItsPki_TestCases.TC_SEC_PKI_SND_EA_AA_BV_01
-#ItsPki_TestCases.TC_SEC_PKI_SND_AA_BV_01
+
+# The AuthorizationValidationResponse message shall be sent by the EA to the AA across the interface at reference point S4
+#in response to a received AuthorizationValidationRequest message
+#ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_RCV_01_BV
+
+ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_01_BV

 [MAIN_CONTROLLER]
 # The options herein control the behavior of MC.

--- a/etc/AtsPki/AtsPki_Idnomic.cfg_
+++ b/etc/AtsPki/AtsPki_Idnomic.cfg_
+[MODULE_PARAMETERS]
+# This section shall contain the values of all parameters that are defined in your TTCN-3 modules.
+
+# Enable Security support
+LibItsGeoNetworking_Pics.PICS_GN_SECURITY := true
+# Root path to access certificate stored in files, identified by certficate ID
+LibItsSecurity_Pixits.PX_CERTIFICATE_POOL_PATH := "/home/vagrant/tmp"
+# Configuration sub-directory to access certificate stored in files
+LibItsSecurity_Pixits.PX_IUT_SEC_CONFIG_NAME := "asn1c_cert"
+
+LibItsHttp_Pics.PICS_HEADER_CONTENT_TYPE  := "application/x-its-request"
+LibItsHttp_Pics.PICS_HEADER_HOST          := "test.bsi.v2x-pilot.escrypt.com"
+
+LibItsPki_Pics.PICS_MULTIPLE_END_POINT := true
+LibItsPki_Pics.PICS_HEADER_HOST_EC  := "ea.utopia.plugtests2019.innovation.keynectis.net"
+LibItsPki_Pics.PICS_HEADER_HOST_ATV := "ea.utopia.plugtests2019.innovation.keynectis.net"
+LibItsPki_Pics.PICS_HEADER_HOST_AT  := "aa.utopia.plugtests2019.innovation.keynectis.net"
+
+LibItsPki_Pics.PICS_HTTP_POST_URI_EC                 := "/ea/enrolment"
+LibItsPki_Pics.PICS_HTTP_POST_URI_AT                 := "/aa/authorize"
+LibItsPki_Pics.PICS_HTTP_POST_URI_ATV                := "/aa/authorize"
+LibItsPki_Pics.PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY  := '5C25F97607DFC62972A147FAD8B7A7C939569F0F95ECD4C641724A68B51836E5'O
+LibItsPki_Pics.PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY   := '020144E5174B0AFDA86BDB8B643B68D40030F5BDB9A9F090C64852CC3C20C9D5AD'O
+LibItsPki_Pics.PICS_ITS_S_CANONICAL_ID               := '45545349504C55470000000000000000'O
+LibItsPki_Pics.PICS_TS_EA_CERTIFICATE_ID             := "CERT_IDNOMIC_EA"
+LibItsPki_Pics.PICS_TS_AA_CERTIFICATE_ID             := "CERT_IDNOMIC_AA"
+
+[LOGGING]
+# In this section you can specify the name of the log file and the classes of events
+# you want to log into the file or display on console (standard error).
+
+LogFile := "../logs/%e.%h-%r.%s"
+FileMask := LOG_ALL | USER | DEBUG | MATCHING
+ConsoleMask := LOG_ALL | USER | DEBUG | MATCHING
+#FileMask := ERROR | WARNING | USER | MATCHING | EXECUTOR_RUNTIME | VERDICTOP
+#ConsoleMask := ERROR | WARNING | USER | MATCHING | EXECUTOR_RUNTIME | VERDICTOP
+LogSourceInfo := Stack
+LogEntityName:= Yes
+LogEventTypes:= Yes
+#TimeStampFormat := DateTime
+
+[TESTPORT_PARAMETERS]
+# Multiple HTTP component ports
+system.httpEcPort.params := "HTTP(codecs=http_its:http_etsi_ieee1609dot2_codec)/TCP(server=ea.utopia.plugtests2019.innovation.keynectis.net)"
+system.httpAtVPort.params := "HTTP(codecs=http_its:http_etsi_ieee1609dot2_codec)/TCP(server=ea.utopia.plugtests2019.innovation.keynectis.net)"
+system.httpAtPort.params := "HTTP(codecs=http_its:http_etsi_ieee1609dot2_codec)/TCP(server=aa.utopia.plugtests2019.innovation.keynectis.net)"
+
+[EXECUTE]
+# The EnrolmentResponse message shall be sent by the EA to the ITS-S across the interface at reference point S3 in response to a received EnrolmentRequest message
+ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_01_BV
+# Check that EA doesn't accept Enrolment rekeying request when enrolment is not permitted by signing certificate
+#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_02_BI
+
+# The EnrolmentResponse message shall be encrypted using an ETSI TS 103 097 approved algorithm and the encryption shall be done with the same AES key as the one used by the ITS-S requestor for the encryption of the EnrolmentRequest message.
+#ItsPki_TestCases.TC_SECPKI_EA_ENR_01_BV
+#ItsPki_TestCases.TC_SECPKI_EA_ENR_02_BV
+#ItsPki_TestCases.TC_SECPKI_EA_ENR_03_BV
+#ItsPki_TestCases.TC_SECPKI_EA_ENR_04_BV
+#ItsPki_TestCases.TC_SECPKI_EA_ENR_05_BV
+#ItsPki_TestCases.TC_SECPKI_EA_ENR_06_BV
+#ItsPki_TestCases.TC_SECPKI_EA_ENR_07_BV
+#ItsPki_TestCases.TC_SECPKI_EA_ENR_01_BV
+#ItsPki_TestCases.TC_SECPKI_EA_ENR_08_BV
+#ItsPki_TestCases.TC_SECPKI_EA_ENR_09_BV
+#ItsPki_TestCases.TC_SECPKI_EA_ENR_10_BV
+#ItsPki_TestCases.TC_SECPKI_EA_ENR_11_BV
+#ItsPki_TestCases.TC_SEC_PKI_SND_EA_AA_BV_01
+#ItsPki_TestCases.TC_SEC_PKI_SND_AA_BV_01
+
+[MAIN_CONTROLLER]
+# The options herein control the behavior of MC.
+KillTimer := 10.0
+LocalAddress := 127.0.0.1
+TCPPort := 12000
+NumHCs := 1
+
--- a/ttcn/AtsPki/ItsPki_TestCases.ttcn
+++ b/ttcn/AtsPki/ItsPki_TestCases.ttcn
@@ -212,24 +212,27 @@ module ItsPki_TestCases {
                if (match(v_etsi_ts_102941_data.content, mw_enrolmentRequest(mw_innerEcRequestSignedForPop(mw_signedData)))) {
                  // Verify signature of mw_innerEcRequestSignedForPop
                  if (f_verify_inner_ec_request_signed_for_pop(v_etsi_ts_102941_data, v_inner_ec_request) == false) {
-                    f_http_build_inner_ec_response(v_inner_ec_request, cantparse, v_request_hash, vc_eaPrivateKey, vc_eaHashedId8, v_aes_enc_key, v_ieee1609dot2_signed_and_encrypted_data);
+                    f_http_build_inner_ec_response(v_inner_ec_request, cantparse, v_request_hash, -, -, v_aes_enc_key, v_ieee1609dot2_signed_and_encrypted_data);
                    log("*** " & testcasename() & ": FAIL: Failed to verify InnerEcResponseSignedForPop message ***");
                    f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
                  } else {
                    log("*** " & testcasename() & ": DEBUG: match ", match(v_inner_ec_request, mw_innerEcRequest), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
                    if (match(v_inner_ec_request, mw_innerEcRequest)) {
                      log("*** " & testcasename() & ": LOG: Receive ", v_inner_ec_request, " ***");
-                      f_http_build_inner_ec_response(v_inner_ec_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaHashedId8, v_aes_enc_key, v_ieee1609dot2_signed_and_encrypted_data);
+                      f_http_build_inner_ec_response(v_inner_ec_request, ok, v_request_hash,
+                                                   '3E4CAB36D3BCB08A838CECBE0AACD1AE1EB2C4E60896AB23B88CE14568AE16EF'O,//TODO vc_eaPrivateKey, waiting for new certificates
+                                                   'B8B3E88138D442B34CFC7F9C1DB5F825D372344931CBD67CE033CA4219D70BF6'O, //TODO vc_eaHash, waiting for new certificates
+                                                   v_aes_enc_key, v_ieee1609dot2_signed_and_encrypted_data);
                      log("*** " & testcasename() & ": PASS: InnerEcRequest received ***");
                      f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
                    } else {
-                      f_http_build_inner_ec_response(v_inner_ec_request, cantparse, v_request_hash, vc_eaPrivateKey, vc_eaHashedId8, v_aes_enc_key, v_ieee1609dot2_signed_and_encrypted_data);
+                      f_http_build_inner_ec_response(v_inner_ec_request, cantparse, v_request_hash, -, -, v_aes_enc_key, v_ieee1609dot2_signed_and_encrypted_data);
                      log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
                      f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
                    }
                  }
                } else {
-                  f_http_build_inner_ec_response(v_inner_ec_request, cantparse, v_request_hash, vc_eaPrivateKey, vc_eaHashedId8, v_aes_enc_key, v_ieee1609dot2_signed_and_encrypted_data);
+                  f_http_build_inner_ec_response(v_inner_ec_request, cantparse, v_request_hash, -, -, v_aes_enc_key, v_ieee1609dot2_signed_and_encrypted_data);
                  log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
                  f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
                }
@@ -3502,7 +3505,7 @@ module ItsPki_TestCases {
        }
        
        // Test component configuration
-        f_cfHttpUp();
+        f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
        
        // Test adapter configuration
        
@@ -3555,7 +3558,7 @@ module ItsPki_TestCases {
            log("*** " & testcasename() & ": PASS: AuthorizationValidationResponse received ***");
            f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
          }
-          [PICS_MULTIPLE_END_POINT] httpAtPort.receive(
+          [PICS_MULTIPLE_END_POINT] httpAtVPort.receive(
                                                        mw_http_response(
                                                                         mw_http_response_ok(
                                                                                             mw_http_message_body_binary(
@@ -3635,7 +3638,7 @@ module ItsPki_TestCases {
        }
        
        // Test component configuration
-        f_cfHttpUp();
+        f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
        
        // Test adapter configuration
        
@@ -3811,7 +3814,7 @@ module ItsPki_TestCases {
        
        // Test Body
        f_http_build_authorization_request(v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
-        f_init_default_headers_list(-, "authorization_request", v_headers);
+        f_init_default_headers_list(-, "inner_at_request", v_headers);
        f_http_send(
                    v_headers,
                    m_http_request(

--- a/LibIts @ 467ea0b7
+++ b/LibIts @ 467ea0b7
-Subproject commit b1729a03676613e0233209066db2209f1cfdf853
+Subproject commit 467ea0b72dbef25dc1a8ce0c938f77442a7fdf4d