Commit fe22336b authored by Yann Garcia's avatar Yann Garcia

Continue PKI ATS development

parent c410c005
......@@ -4,4 +4,6 @@ module ItsPki_Pixits {
modulepar float PX_RE_ENROLMENT_DELAY := 2.0;
modulepar boolean PX_TRIGGER_EC_BEFORE_AT := true;
} // End of module ItsPki_Pixits
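Review bot: `PX_TRIGGER_EC_BEFORE_AT` has no description, although the new authorization test uses it to decide whether an enrolment is triggered and awaited in the preamble before the AT request. A comment above the parameter, such as `// When true, trigger and complete an enrolment (EC) before requesting an authorization ticket (AT)`, would tell operators what the default of `true` does. That this line is one of the two added lines is inferred from the hunk header, because the page has lost its +/- markers.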
......@@ -76,63 +76,64 @@ module ItsPki_TestCases {
group itss_helpers {
function f_verify_http_request_from_iut(
in Request p_request,
in HeaderLines p_headers,
out InnerEcRequest p_inner_ec_request,
out HttpMessage p_response,
out integer p_result,
in template octetstring p_its_id := PICS_ITS_S_CANONICAL_ID,
in template SignerIdentifier p_signer := m_signerIdentifier_self,
in EnrolmentResponseCode p_force_response_code := ok
) runs on ItsPkiHttp {
function f_verify_http_ec_request_from_iut(
in Request p_request,
in HeaderLines p_headers,
out InnerEcRequest p_inner_ec_request,
out HttpMessage p_response,
out integer p_result,
in template octetstring p_its_id := PICS_ITS_S_CANONICAL_ID,
in template SignerIdentifier p_signer := m_signerIdentifier_self,
in EnrolmentResponseCode p_force_response_code := ok
) runs on ItsPkiHttp {
// Local variables
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_request_hash;
var Oct16 v_aes_enc_key;
var InnerEcResponse v_inner_ec_response;
var template (value) HttpMessage v_response;
log(">>> f_verify_http_request_from_iut:", p_request);
log(">>> f_verify_http_ec_request_from_iut:", p_request);
p_result := 0;
if (f_verify_pki_request_message(vc_eaPrivateEncKey, vc_eaWholeHash/*salt*/, vc_eaWholeHash, p_request.body.binary_body.ieee1609dot2_data, false, v_request_hash, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Cannot decrypt the message, the rest is not checked yest
if (f_verify_pki_request_message(vc_eaPrivateEncKey, vc_eaWholeHash/*salt*/, vc_eaWholeHash, p_request.body.binary_body.ieee1609dot2_data, false, v_request_hash, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Cannot decrypt the message
// Send error message
v_response := m_http_response(m_http_response_ko(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers, 400, "Bad request")); // Initialize v_reponse with an error message
// Set verdict
p_result := -1;
} else {
log("f_verify_http_request_from_iut: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentRequest(mw_innerEcRequestSignedForPop(mw_signedData(sha256, mw_toBeSignedData(-, mw_headerInfo_inner_pki_request), p_signer))))); // TODO In TITAN, this is the only way to get the unmatching in log
log("f_verify_http_ec_request_from_iut: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentRequest(mw_innerEcRequestSignedForPop(mw_signedData(sha256, mw_toBeSignedData(-, mw_headerInfo_inner_pki_request), p_signer))))); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_enrolmentRequest(mw_innerEcRequestSignedForPop(mw_signedData(sha256, mw_toBeSignedData(-, mw_headerInfo_inner_pki_request), p_signer)))) == false) {
// Send error message
f_http_build_inner_ec_response(p_inner_ec_request, cantparse, v_request_hash, -, -, v_aes_enc_key, v_ieee1609dot2_signed_and_encrypted_data);
f_http_build_inner_ec_response(p_inner_ec_request/*Not required*/, cantparse, v_request_hash, -, -, v_aes_enc_key, v_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data);
// Set verdict
p_result := -2;
} else {
// Verify signature of mw_innerEcRequestSignedForPop
if (f_verify_inner_ec_request_signed_for_pop(v_etsi_ts_102941_data, p_inner_ec_request) == false) {
// Send error message
f_http_build_inner_ec_response(p_inner_ec_request, cantparse, v_request_hash, -, -, v_aes_enc_key, v_ieee1609dot2_signed_and_encrypted_data);
f_http_build_inner_ec_response(p_inner_ec_request/*Not required*/, cantparse, v_request_hash, -, -, v_aes_enc_key, v_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data);
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
// Set verdict
p_result := -3;
} else {
log("f_verify_http_request_from_iut: match ", match(p_inner_ec_request, mw_innerEcRequest(p_its_id, -, mw_certificate_subject_attributes({mw_appPermissions(c_its_aid_SCR, ?)})))); // TODO In TITAN, this is the only way to get the unmatching in log
log("f_verify_http_ec_request_from_iut: match ", match(p_inner_ec_request, mw_innerEcRequest(p_its_id, -, mw_certificate_subject_attributes({mw_appPermissions(c_its_aid_SCR, ?)})))); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(p_inner_ec_request, mw_innerEcRequest(p_its_id, -, mw_certificate_subject_attributes({mw_appPermissions(c_its_aid_SCR, ?)}))) == false) {
// Send error message: Not enrolmentrequest
f_http_build_inner_ec_response(p_inner_ec_request, badcontenttype, v_request_hash, -, -, v_aes_enc_key, v_ieee1609dot2_signed_and_encrypted_data);
f_http_build_inner_ec_response(p_inner_ec_request, badcontenttype, v_request_hash, -, -, v_aes_enc_key, v_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data);
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
// Set verdict
p_result := -4;
} else {
// Send OK message
log("f_verify_http_request_from_iut: Receive ", p_inner_ec_request);
log("f_verify_http_ec_request_from_iut: Receive ", p_inner_ec_request);
if (p_force_response_code == ok) {
f_http_build_inner_ec_response(p_inner_ec_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ieee1609dot2_signed_and_encrypted_data);
f_http_build_inner_ec_response(p_inner_ec_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data);
} else {
log("f_verify_http_request_from_iut: Succeed buit force error code ", p_force_response_code);
f_http_build_inner_ec_response(p_inner_ec_request, p_force_response_code, v_request_hash, -, -, v_aes_enc_key, v_ieee1609dot2_signed_and_encrypted_data);
log("f_verify_http_ec_request_from_iut: Succeed buit force error code ", p_force_response_code);
f_http_build_inner_ec_response(p_inner_ec_request, p_force_response_code, v_request_hash, -, -, v_aes_enc_key, v_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data);
}
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
// Set verdict
......@@ -143,9 +144,78 @@ module ItsPki_TestCases {
}
p_response := valueof(v_response);
log("<<< f_verify_http_request_from_iut: p_response: ", p_response);
log("<<< f_verify_http_request_from_iut: p_result: ", p_result);
} // End of function f_verify_http_request_from_iut
log("<<< f_verify_http_ec_request_from_iut: p_response: ", p_response);
log("<<< f_verify_http_ec_request_from_iut: p_result: ", p_result);
} // End of function f_verify_http_ec_request_from_iut
function f_verify_http_at_request_from_iut(
in Request p_request,
in HeaderLines p_headers,
in InnerEcResponse p_inner_ec_resonse,
out InnerAtRequest pinner_at_request,
out HttpMessage p_response,
out integer p_result
) runs on ItsPkiHttp {
// Local variables
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_request_hash;
var Oct16 v_aes_enc_key;
var template (value) HttpMessage v_response;
log(">>> f_verify_http_at_request_from_iut:", p_request);
p_result := 0;
if (f_verify_pki_request_message(vc_aaPrivateEncKey, vc_aaWholeHash/*salt*/, vc_aaWholeHash, p_request.body.binary_body.ieee1609dot2_data, false, v_request_hash, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Cannot decrypt the message
// Send error message
v_response := m_http_response(m_http_response_ko(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers, 400, "Bad request")); // Initialize v_reponse with an error message
// Set verdict
p_result := -1;
} else {/*
log("f_verify_http_at_request_from_iut: match ", match(v_etsi_ts_102941_data.content, mw_authorizationRequest(mw_innerEcRequestSignedForPop(mw_signedData(sha256, mw_toBeSignedData(-, mw_headerInfo_inner_pki_request), p_signer))))); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_enrolmentRequest(mw_innerEcRequestSignedForPop(mw_signedData(sha256, mw_toBeSignedData(-, mw_headerInfo_inner_pki_request), p_signer)))) == false) {
// Send error message
f_http_build_inner_at_response(p_inner_at_request, cantparse, v_request_hash, -, -, v_aes_enc_key, v_ieee1609dot2_signed_and_encrypted_data);
// Set verdict
p_result := -2;
} else {
// Verify signature of mw_innerEcRequestSignedForPop
if (f_verify_inner_at_request_signed_for_pop(v_etsi_ts_102941_data, p_inner_at_request) == false) {
// Send error message
f_http_build_inner_at_response(p_inner_at_request, cantparse, v_request_hash, -, -, v_aes_enc_key, v_ieee1609dot2_signed_and_encrypted_data);
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
// Set verdict
p_result := -3;
} else {
log("f_verify_http_at_request_from_iut: match ", match(p_inner_at_request, mw_innerEcRequest(p_its_id, -, mw_certificate_subject_attributes({mw_appPermissions(c_its_aid_SCR, ?)})))); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(p_inner_at_request, mw_innerEcRequest(p_its_id, -, mw_certificate_subject_attributes({mw_appPermissions(c_its_aid_SCR, ?)}))) == false) {
// Send error message: Not enrolmentrequest
f_http_build_inner_at_response(p_inner_at_request, badcontenttype, v_request_hash, -, -, v_aes_enc_key, v_ieee1609dot2_signed_and_encrypted_data);
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
// Set verdict
p_result := -4;
} else {
// Send OK message
log("f_verify_http_at_request_from_iut: Receive ", p_inner_at_request);
if (p_force_response_code == ok) {
f_http_build_inner_at_response(p_inner_at_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ieee1609dot2_signed_and_encrypted_data);
} else {
log("f_verify_http_at_request_from_iut: Succeed buit force error code ", p_force_response_code);
f_http_build_inner_at_response(p_inner_at_request, p_force_response_code, v_request_hash, -, -, v_aes_enc_key, v_ieee1609dot2_signed_and_encrypted_data);
}
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
// Set verdict
p_result := 0;
}
}
}
*/ }
p_response := valueof(v_response);
log("<<< f_verify_http_at_request_from_iut: p_response: ", p_response);
log("<<< f_verify_http_at_request_from_iut: p_result: ", p_result);
} // End of function f_verify_http_at_request_from_iut
/**
* @desc Await CA message using the default AT certificate
......@@ -346,7 +416,7 @@ module ItsPki_TestCases {
tc_ac.stop;
// Verify IUT response
f_verify_http_request_from_iut(v_request.request, v_headers, v_inner_ec_request, v_response, v_result);
f_verify_http_ec_request_from_iut(v_request.request, v_headers, v_inner_ec_request, v_response, v_result);
// Send response
if (isvalue(v_response)) {
httpPort.send(v_response);
......@@ -575,7 +645,7 @@ module ItsPki_TestCases {
tc_ac.stop;
// Verify IUT response
f_verify_http_request_from_iut(
f_verify_http_ec_request_from_iut(
v_request.request, v_headers, v_inner_ec_request, v_response, v_result,
PICS_ITS_S_CANONICAL_ID, // containing itsId declared as digest containing the HashedId8 of the EC identifier
......@@ -824,7 +894,7 @@ module ItsPki_TestCases {
tc_ac.stop;
// Verify IUT response
f_verify_http_request_from_iut(v_request.request, v_headers, v_inner_ec_request, v_response, v_result);
f_verify_http_ec_request_from_iut(v_request.request, v_headers, v_inner_ec_request, v_response, v_result);
// Send response
if (isvalue(v_response)) {
httpPort.send(v_response);
......@@ -865,7 +935,7 @@ module ItsPki_TestCases {
tc_ac.stop;
// Verify IUT response
f_verify_http_request_from_iut(v_request.request, v_headers, v_inner_ec_request, v_response, v_result);
f_verify_http_ec_request_from_iut(v_request.request, v_headers, v_inner_ec_request, v_response, v_result);
// Send response
if (isvalue(v_response)) {
httpPort.send(v_response);
......@@ -1057,7 +1127,7 @@ module ItsPki_TestCases {
tc_ac.stop;
// Verify IUT response
f_verify_http_request_from_iut(
f_verify_http_ec_request_from_iut(
v_request.request, v_headers, v_inner_ec_request, v_response, v_result,
PICS_ITS_S_CANONICAL_ID, // containing itsId declared as digest containing the HashedId8 of the EC identifier
......@@ -1517,7 +1587,7 @@ module ItsPki_TestCases {
tc_ac.stop;
// Verify IUT response
f_verify_http_request_from_iut(v_request.request, v_headers, v_inner_ec_request, v_response, v_result, -, -, cantparse);
f_verify_http_ec_request_from_iut(v_request.request, v_headers, v_inner_ec_request, v_response, v_result, -, -, cantparse);
// Send response forcing error code
if (isvalue(v_response)) {
httpPort.send(v_response);
......@@ -1696,7 +1766,7 @@ module ItsPki_TestCases {
tc_ac.stop;
// Verify IUT response
f_verify_http_request_from_iut(v_request.request, v_headers, v_inner_ec_request, v_response, v_result, -, -, cantparse);
f_verify_http_ec_request_from_iut(v_request.request, v_headers, v_inner_ec_request, v_response, v_result, -, -, cantparse);
// Send response forcing error code
if (isvalue(v_response)) {
httpPort.send(v_response);
......@@ -1725,7 +1795,180 @@ module ItsPki_TestCases {
} // End of group itss_enrolment_response
group itss_authorization_request {
// TODO
/**
* @desc Check that the ITS-S send the Authorization Request message to the Authorization Authority (AA) to request an authorization ticket.
* <pre>
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION
* Initial conditions:
* with {
* the IUT being in the "operational state"
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is triggered to requested a new Authorization Ticket (AT)
* }
* then {
* the IUT sends EtsiTs103097Data to the AA
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v0.0.10 SECPKI_ITSS_AUTH_01_BV
* @reference ETSI TS 102 941 [2], clause 6.1.3
*/
testcase TC_SECPKI_ITSS_AUTH_01_BV() runs on ItsMtc /*system ItsPkiItssSystem*/ {
// Local variables
var ItsPkiItss v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) {
log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfMtcUp(v_itss, v_ea);
// Start component
v_itss.start(f_TC_SECPKI_ITSS_AUTH_01_BV_itss());
v_ea.start(f_TC_SECPKI_ITSS_AUTH_01_BV_pki());
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
// Cleanup
f_cfMtcDown(v_itss, v_ea);
} // End of testcase TC_SECPKI_ITSS_AUTH_01_BV
group f_TC_SECPKI_ITSS_AUTH_01_BV {
function f_TC_SECPKI_ITSS_AUTH_01_BV_itss() runs on ItsPkiItss /*system ItsPkiItssSystem*/ {
// Local variables
var HashedId8 v_certificate_digest;
var EtsiTs103097Certificate v_certificate;
// Test component configuration
vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE;
f_cfUp_itss();
// Test adapter configuration
// Preamble
f_readCertificate(vc_hashedId8ToBeUsed, v_certificate);
f_getCertificateDigest(vc_hashedId8ToBeUsed, v_certificate_digest);
// Wait for IUT certificate
geoNetworkingPort.clear;
tc_ac.start;
alt {
[] a_await_cam_with_current_cert(v_certificate_digest, v_certificate) {
tc_ac.stop;
if (PX_TRIGGER_EC_BEFORE_AT) {
f_sendUtTriggerEnrolmentRequestPrimitive();
}
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
}
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mw_etsiTs103097Data_signed
))) {
repeat;
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected CA message not received ***");
f_selfOrClientSyncAndVerdict(c_prDone, e_timeout);
}
} // End of 'alt' statement
// Test Body
f_sendUtTriggerAuthorizationRequestPrimitive();
log("*** " & testcasename() & ": PASS: Enrolment trigger sent succesfully ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
// Postamble
f_cfDown_itss();
} // End of function f_TC_SECPKI_ITSS_AUTH_01_BV_itss
function f_TC_SECPKI_ITSS_AUTH_01_BV_pki() runs on ItsPkiHttp /*system ItsPkiHttpSystem*/ {
// Local variable
var HeaderLines v_headers;
var HttpMessage v_request;
var InnerEcResponse v_inner_ec_response;
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
if (PX_TRIGGER_EC_BEFORE_AT) {
if (f_await_ec_request_send_response(v_inner_ec_response) == true) {
log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
} else {
log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
}
} else {
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
}
// Test Body
tc_ac.start;
alt {
[] a_await_at_http_response_from_iut(
mw_http_request(
mw_http_request_post(
PICS_HTTP_POST_URI_EC,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentRequestMessage(
mw_encryptedData(
-,
mw_SymmetricCiphertext_aes128ccm
)))))),
v_request
) {
var HttpMessage v_response;
var integer v_result;
var InnerAtRequest v_inner_at_request;
tc_ac.stop;
// Verify IUT response
f_verify_http_at_request_from_iut(v_request.request, v_headers, v_inner_ec_response, v_inner_at_request, v_response, v_result);
// Send response
if (isvalue(v_response)) {
httpPort.send(v_response);
}
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: InnerEcRequest received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of function f_TC_SECPKI_ITSS_AUTH_01_BV_pki
} // End of group f_TC_SECPKI_ITSS_AUTH_01_BV
} // End of group itss_authorization_request
group itss_authorization_response {
......
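Review bot: In `f_verify_http_at_request_from_iut` the whole `else` branch is commented out, so once `f_verify_pki_request_message` succeeds `p_result` stays 0 and `TC_SECPKI_ITSS_AUTH_01_BV` reports PASS without checking the proof-of-possession signature or the content of the authorization request. On that path `v_response` and the out parameter `pinner_at_request` are never assigned, so `valueof(v_response)` is applied to an uninitialised template, which is likely a dynamic test case error in TITAN. Until the AT checks are ported, the branch should set a distinct non-zero result, e.g. `p_result := -5; // AT request verification not implemented yet`, and assign `v_response` before it is read, so the verdict cannot be PASS. The commented-out block also references `p_signer`, `p_its_id`, `p_force_response_code` and `p_inner_at_request`, none of which are parameters of this function (the declared name is `pinner_at_request`), and it still matches with `mw_enrolmentRequest`. In `f_TC_SECPKI_ITSS_AUTH_01_BV_pki` the `alt` matches `PICS_HTTP_POST_URI_EC` with `mw_enrolmentRequestMessage`, which looks copied from the enrolment tests and should be checked against the authorization URI and templates.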
Subproject commit d2d6eae8e179a226e372c6ede69cb9a0863f654e
Subproject commit b90de034d822448787ed192b35e5936f4e693427