/** * @author ETSI / STF545 * @version $URL$ * $Id$ * @desc Testcases file for Security Protocol * @reference ETSI TS ITS-00546v006 * @copyright ETSI Copyright Notification * No part may be reproduced except as authorized by written permission. * The copyright and the foregoing restriction extend to reproduction in all media. * All rights reserved. */ module ItsPki_TestCases { // Libcommon import from LibCommon_Time all; import from LibCommon_VerdictControl all; import from LibCommon_Sync all; import from LibCommon_BasicTypesAndValues all; import from LibCommon_DataStrings all; // LibIts import from IEEE1609dot2BaseTypes language "ASN.1:1997" all; import from IEEE1609dot2 language "ASN.1:1997" all; import from EtsiTs102941BaseTypes language "ASN.1:1997" all; import from EtsiTs102941TypesEnrolment language "ASN.1:1997" all; import from EtsiTs102941TypesAuthorization language "ASN.1:1997" all; import from EtsiTs102941TypesAuthorizationValidation language "ASN.1:1997" all; import from EtsiTs102941MessagesCa language "ASN.1:1997" all; import from EtsiTs103097Module language "ASN.1:1997" all; import from ITS_Container language "ASN.1:1997" all; import from CAM_PDU_Descriptions language "ASN.1:1997" all; // LibItsCommon import from LibItsCommon_TypesAndValues all; import from LibItsCommon_Functions all; import from LibItsCommon_TypesAndValues all; import from LibItsCommon_ASN1_NamedNumbers all; // LibItsGeoNetworking import from LibItsGeoNetworking_TypesAndValues all; import from LibItsGeoNetworking_Functions all; import from LibItsGeoNetworking_Templates all; import from LibItsGeoNetworking_Pics all; import from LibItsGeoNetworking_TestSystem all; // LibItsSecurity import from LibItsSecurity_TypesAndValues all; import from LibItsSecurity_TestSystem all; import from LibItsSecurity_Templates all; import from LibItsSecurity_Functions all; import from LibItsSecurity_Pixits all; import from LibItsSecurity_Pics all; // LibItsHttp import from LibItsHttp_TypesAndValues all; import from LibItsHttp_Templates all; import from LibItsHttp_BinaryTemplates all; import from LibItsHttp_Functions all; import from LibItsHttp_TestSystem all; // LibItsPki import from LibItsPki_Templates all; import from LibItsPki_Functions all; import from LibItsPki_TestSystem all; import from LibItsPki_Pics all; import from LibItsPki_Pixits all; /** * @desc 5.2 ITS-S behaviour */ group itss_behavior { group itss_manufacturing { /** * @desc Check that IUT sends an enrolment request when triggered. *
       * Pics Selection: 
       * Initial conditions: 
       *     with {
       *         the IUT being in the "initial state"
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT is triggered to requested a new Enrolment Certificate (EC)
       *         }
       *         then {
       *             the IUT sends to EA an EnrolmentRequestMessage
       *         }
       *     }
       * 
* * @see ETSI TS ITS-00546v006 TP 2 * @reference ETSI TS 102 941 [2], clause 6.1.3 */ testcase TC_SEC_PKI_ITSS_ENR_BV_01() runs on ItsMtc /*system ItsPkiItssSystem*/ { // Local variables var Oct32 v_private_key; var Oct32 v_public_key_x; var Oct32 v_public_key_y; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration if (f_generate_key_pair_nistp256(v_private_key, v_public_key_x, v_public_key_y, v_public_compressed_key, v_compressed_mode) == false) { log("*** " & testcasename() & ": FAIL: Failed to setup InnerEcRequest message ***") setverdict(inconc); stop; } v_itss.start(f_TC_SEC_PKI_ITSS_ENR_BV_01_itss(cc_taCert_A, v_private_key, v_public_compressed_key, v_compressed_mode)); v_ea.start(f_TC_SEC_PKI_ITSS_ENR_BV_01_pki(cc_taCert_A, v_private_key, v_public_compressed_key, v_compressed_mode)); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone, c_poDone}); // Cleanup } // End of testcase TC_SEC_PKI_ITSS_ENR_BV_01 group f_TC_SEC_PKI_ITSS_ENR_BV_01 { function f_TC_SEC_PKI_ITSS_ENR_BV_01_itss( in charstring p_certificate_id, in octetstring p_private_key, in octetstring p_publicKeyCompressed, in integer p_compressed_mode ) runs on ItsPkiItss /*system ItsPkiItssSystem*/ { // Local variables // Test component configuration f_cfUp_itss(); // Test adapter configuration // Preamble f_sendUtTriggerPrimitive(PICS_ITS_S_CANONICAL_ID, '00'O, p_private_key, p_publicKeyCompressed, p_compressed_mode); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); // Postamble f_cfDown_itss(); } // End of function f_TC_SEC_PKI_ITSS_ENR_BV_01_itss function f_TC_SEC_PKI_ITSS_ENR_BV_01_pki( in charstring p_certificate_id, in octetstring p_private_key, in octetstring p_publicKeyCompressed, in integer p_compressed_mode ) runs on ItsPkiHttp /*system ItsPkiHttpSystem*/ { // Local variable var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; var InnerEcRequest v_inner_ec_request; // Test component configuration f_cfHttpUp(); // Test adapter configuration // Preamble f_selfOrClientSyncAndVerdictTestBody(c_prDone, e_success); // Test Body tc_ac.start; alt { [] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( -, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; /*if (f_verify_pki_message(vc_eaPrivateEncKey, int2oct(0, 32), vc_eaCertificate, v_response.response.body.binary_body.ieee1609dot2_data, false, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentRequest(mw_innerEcRequestSignedForPop(mw_signedData))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentRequest(mw_innerEcRequestSignedForPop(mw_signedData)))) { // TODO Verify signature of mw_innerEcRequestSignedForPop log("*** " & testcasename() & ": PASS: InnerEcRequestSignedForPop received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } }*/ } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SEC_PKI_ITSS_ENR_BV_01_pki } // End of group f_TC_SEC_PKI_ITSS_ENR_BV_01 /** * @desc If the enrolment request of the IUT is an initial enrolment request, the itsId * (contained in the InnerECRequest) shall be set to the canonical identifier, the * signer (contained in the outer EtsiTs1030971Data-Signed) shall be set to self and * the outer signature shall be computed using the canonical private key. *
       * Pics Selection: 
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT is requested to send an EnrolmentRequestMessage
       *         }
       *         then {
       *             the IUT sends an EtsiTs103097Data-Encrypted
       *                 containing an encrypted EtsiTs103097Data-Signed
       *                     containing EtsiTs103097Data
       *                          containing InnerECRequestSignedForPOP
       *                             containing InnerEcRequest
       *                                 containing itsId
       *                                     indicating the canonical identifier of the ITS-S 
       *                 and containing signer
       *                     declared as self
       *                 and containing signature 
       *                     computed using the canonical private key
       *         }
       *     }
       * 
* * @see ETSI TS ITS-00546v006 TP 3 * @reference ETSI TS 102 941, clause 6.1.3 */ testcase TC_SEC_PKI_ITSS_ENR_BV_02() runs on ItsMtc /*system ItsPkiItssSystem*/ { // Local variables var Oct32 v_private_key; var Oct32 v_public_key_x; var Oct32 v_public_key_y; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration if (f_generate_key_pair_nistp256(v_private_key, v_public_key_x, v_public_key_y, v_public_compressed_key, v_compressed_mode) == false) { log("*** " & testcasename() & ": FAIL: Failed to setup InnerEcRequest message ***") setverdict(inconc); stop; } v_itss.start(f_TC_SEC_PKI_ITSS_ENR_BV_02_itss(cc_taCert_A, v_private_key, v_public_compressed_key, v_compressed_mode)); v_ea.start(f_TC_SEC_PKI_ITSS_ENR_BV_02_pki(cc_taCert_A, v_private_key, v_public_compressed_key, v_compressed_mode)); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone, c_poDone}); // Cleanup } // End of TC_SEC_PKI_ITSS_ENR_BV_02 group f_TC_SEC_PKI_ITSS_ENR_BV_02 { function f_TC_SEC_PKI_ITSS_ENR_BV_02_itss( in charstring p_certificate_id, in octetstring p_private_key, in octetstring p_publicKeyCompressed, in integer p_compressed_mode ) runs on ItsPkiItss /*system ItsPkiItssSystem*/ { // Local variables // Test component configuration f_cfUp_itss(); // Test adapter configuration // Preamble f_sendUtTriggerPrimitive(PICS_ITS_S_CANONICAL_ID, '00'O, p_private_key, p_publicKeyCompressed, p_compressed_mode); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); // Postamble f_cfDown_itss(); } // End of function f_TC_SEC_PKI_ITSS_ENR_BV_02_itss function f_TC_SEC_PKI_ITSS_ENR_BV_02_pki( in charstring p_certificate_id, in octetstring p_private_key, in octetstring p_publicKeyCompressed, in integer p_compressed_mode ) runs on ItsPkiHttp /*system ItsPkiHttpSystem*/ { // Local variable var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; var InnerEcRequest v_inner_ec_request; // Test component configuration f_cfHttpUp(); // Test adapter configuration // Preamble f_selfOrClientSyncAndVerdictTestBody(c_prDone, e_success); // Test Body tc_ac.start; alt { [] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( -, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; /*if (f_verify_pki_message(vc_eaPrivateEncKey, int2oct(0, 32), vc_eaCertificate, v_response.response.body.binary_body.ieee1609dot2_data, false, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentRequest(mw_innerEcRequestSignedForPop(mw_signedData))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentRequest(mw_innerEcRequestSignedForPop(mw_signedData)))) { // TODO Verify signature of mw_innerEcRequestSignedForPop log("*** " & testcasename() & ": PASS: InnerEcRequestSignedForPop received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } }*/ } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SEC_PKI_ITSS_ENR_BV_02_pki } // End of f_TC_SEC_PKI_ITSS_ENR_BV_02 } // End of group itss_manufacturing } // End of group itss_behavior group ea_behavior { group enrolment_request_handling { /** * @desc The EnrolmentResponse message shall be sent by the EA to the ITS-S across the interface at reference point S3 in response * to a received EnrolmentRequest message. *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Initial conditions: 
       *     with {
       *         the IUT being in the "operational state"
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives an EnrolmentRequestMessage across the interface at the reference point S3
       *         }
       *         then {
       *             the IUT answers with an EnrolmentResponseMessage across the interface at reference point S3
       *         }
       *     }
       * 
* * @see ETSI TS ITS-00546v006 TP 20 * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SEC_PKI_SND_EA_BV_01() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body httpPort.send( m_http_request( m_http_request_post( PICS_HTTP_POST_URI, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; if (f_verify_pki_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, vc_eaCertificate, v_response.response.body.binary_body.ieee1609dot2_data, false, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } } [] httpPort.receive( mw_http_response( mw_http_response_ko )) { tc_ac.stop; log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SEC_PKI_SND_EA_BV_01 } // End of group enrolment_request_handling group enrolment_response { /** * @desc The EnrolmentResponse message shall be encrypted using an ETSI TS 103 097 approved * algorithm and the encryption shall be done with the same AES key as the one used * by the ITS-S requestor for the encryption of the EnrolmentRequest message *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives an EnrolmentRequestMessage
       *                 containing encKey
       *                     containing an encrypted AES key (SYMKEY)
       *         }
       *         then {
       *             the IUT answers with an EnrolmentResponseMessage
       *                 containing cipherTex
       *                     being encrypted
       *                         using SYMKEY
       *                         and using an ETSI TS 103 097 approved algorithm
       *         }
       *     }
       * 
* * @see ETSI TS ITS-00546v006 TP 22 * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SEC_PKI_SND_EA_BV_02() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body httpPort.send( m_http_request( m_http_request_post( PICS_HTTP_POST_URI, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; if (f_verify_pki_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, vc_eaCertificate, v_response.response.body.binary_body.ieee1609dot2_data, false, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) { log("*** " & testcasename() & ": PASS: InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] httpPort.receive( mw_http_response( mw_http_response_ko )) { tc_ac.stop; log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SEC_PKI_SND_EA_BV_02 /** * @desc The outermost structure is an EtsiTs103097Data-Encrypted structure containing * the component recipients containing one instance of RecipientInfo of choice * pskRecipInfo, which contains the HashedId8 of the symmetric key used by the * ITS-S to encrypt the EnrolmentRequest message to which the response is built * and containing the component ciphertext, once decrypted, contains an * EtsiTs103097Data-Signed structure *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives an EnrolmentRequestMessage
       *         }
       *         then {
       *             the IUT sends an EtsiTs103097Data-Encrypted structure
       *                 containing recipients
       *                     containing one instance of RecipientInfo of choice pskRecipInfo
       *                         containing the HashedId8 of the symmetric key used to encrypt the EnrolmentRequestMessage
       *                 and containing cipherText
       *                     being an encrypted EtsiTs103097Data-Signed structure
       *         }
       *     }
       * 
* * @see ETSI TS ITS-00546v006 TP 24 * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SEC_PKI_SND_EA_BV_03() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Oct16 v_aes_sym_key; var Oct16 v_encrypted_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); httpPort.send( m_http_request( m_http_request_post( PICS_HTTP_POST_URI, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; if (f_verify_pki_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, vc_eaCertificate, v_response.response.body.binary_body.ieee1609dot2_data, true, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) { log("*** " & testcasename() & ": PASS: InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SEC_PKI_SND_EA_BV_03 /** * @desc If the ITS-S has been able to decrypt the content, this expected EtsiTs103097Data-Signed structure shall * contain hashId, tbsData, signer and signature. The hashId shall indicate the hash algorithm to be used as * specified in ETSI TS 103 097, the signer shall be declared as a digest, containing the HashedId8 of the * EA certificate and the signature over tbsData shall be computed using the EA private key corresponding to * its publicVerificationKey found in the referenced EA certificate. *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives an EnrolmentRequestMessage
       *         }
       *         then {
       *             the IUT sends an EtsiTs103097Data-Encrypted structure
       *                 containing an encrypted EtsiTs103097Data-Signed structure
       *                     containing hashId
       *                        indicating the hash algorithm to be used as specified in ETSI TS 103 097
       *                     and containing tbsData
       *                     and containing signer
       *                         declared as a digest
       *                             containing the HashedId8 of the EA certificate
       *                     and containing signature
       *                         computed over tbsData
       *                             using the EA private key
       *                                 corresponding to the publicVerificationKey found in the referenced EA certificate
       *         }
       *     }
       * 
* * @see ETSI TS ITS-00546v006 TP 25 * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SEC_PKI_SND_EA_BV_04() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Oct16 v_aes_sym_key; var Oct16 v_encrypted_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); httpPort.send( m_http_request( m_http_request_post( PICS_HTTP_POST_URI, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; if (f_verify_pki_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, vc_eaCertificate, v_response.response.body.binary_body.ieee1609dot2_data, true, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) { if (f_verify_ec_certificate(v_etsi_ts_102941_data.content.enrolmentResponse.certificate, v_public_compressed_key, v_compressed_mode)) { log("*** " & testcasename() & ": PASS: Well-secured EA certificate received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Cannot verify EC certificate signature ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SEC_PKI_SND_EA_BV_04 /** * @desc Within the headerInfo of the tbsData, the psid shall be set to “secured certificate request� as assigned in * ETSI TS 102 965 and the generationTime shall be present. *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives an EnrolmentRequestMessage
       *         }
       *         then {
       *             the IUT sends an EtsiTs103097Data-Encrypted structure
       *                 containing an encrypted EtsiTs103097Data-Signed structure
       *                     containing tbsData
       *                         containing headerInfo
       *                             containing psid
       *                                 indicating AID_CERT_REQ
       *                             and containing generationTime
       *         }
       *     }
       * 
* * @see ETSI TS ITS-00546v006 TP 26 * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SEC_PKI_SND_EA_BV_05() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Oct16 v_aes_sym_key; var Oct16 v_encrypted_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); httpPort.send( m_http_request( m_http_request_post( PICS_HTTP_POST_URI, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; if (f_verify_pki_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, vc_eaCertificate, v_response.response.body.binary_body.ieee1609dot2_data, true, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) { if (f_verify_ec_certificate(v_etsi_ts_102941_data.content.enrolmentResponse.certificate, v_public_compressed_key, v_compressed_mode)) { log("*** " & testcasename() & ": PASS: Well-secured EA certificate received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Cannot verify EA certificate signature ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SEC_PKI_SND_EA_BV_05 /** * @desc Within the headerInfo of the tbsData, aside from psid and generationTime, * all other components of the component tbsData.headerInfo not used and absent. *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives an EnrolmentRequestMessage
       *         }
       *         then {
       *             the IUT sends an EtsiTs103097Data-Encrypted structure
       *                 containing an encrypted EtsiTs103097Data-Signed structure
       *                     containing tbsData
       *                         containing headerInfo
       *                             containing psid
       *                             and containing generationTime
       *         }
       *     }
       * 
* * @see ETSI TS ITS-00546v006 TP 27 * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SEC_PKI_SND_EA_BV_06() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Oct16 v_aes_sym_key; var Oct16 v_encrypted_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); httpPort.send( m_http_request( m_http_request_post( PICS_HTTP_POST_URI, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; if (f_verify_pki_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, vc_eaCertificate, v_response.response.body.binary_body.ieee1609dot2_data, true, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) { if (f_verify_ec_certificate(v_etsi_ts_102941_data.content.enrolmentResponse.certificate, v_public_compressed_key, v_compressed_mode)) { log("*** " & testcasename() & ": PASS: Well-secured EA certificate received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Cannot verify EA certificate signature ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SEC_PKI_SND_EA_BV_06 /** * @desc The EtsiTS102941Data shall contain the version set to v1 (integer value set to 1) * and the content set to InnerECResponse. *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives an EnrolmentRequestMessage
       *         }
       *         then {
       *             the IUT sends an EtsiTs103097Data-Encrypted structure
       *                 containing an encrypted EtsiTs103097Data-Signed structure
       *                     containing tbsData
       *                         containing EtsiTS102941Data
       *                             containing version
       *                                 indicating v1 (integer value set to 1)
       *         }
       *     }
       * 
* * @see ETSI TS ITS-00546v006 TP 28 * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SEC_PKI_SND_EA_BV_07() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Oct16 v_aes_sym_key; var Oct16 v_encrypted_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); httpPort.send( m_http_request( m_http_request_post( PICS_HTTP_POST_URI, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; if (f_verify_pki_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, vc_eaCertificate, v_response.response.body.binary_body.ieee1609dot2_data, true, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) { log("*** " & testcasename() & ": PASS: Well-secured EA certificate received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SEC_PKI_SND_EA_BV_07 /** * @desc The InnerECResponse shall contain the requestHash, which is the left-most 16 octets of the SHA256 digest of the * EtsiTs103097Data - Signed structure received in the request and a responseCode indicating the result of the request. *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives an EnrolmentRequestMessage
       *         }
       *         then {
       *             the IUT sends an EtsiTs103097Data-Encrypted structure
       *                 containing an encrypted EtsiTs103097Data-Signed structure
       *                     containing tbsData
       *                         containing EtsiTS102941Data
       *                             containing requestHash
       *                                 indicating the left-most 16 octets of the SHA256 digest of the EtsiTs103097Data-Signed structure received in the request
       *                             and containing responseCode
       *         }
       *     }
       * 
* * @see ETSI TS ITS-00546v006 TP 29 * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SEC_PKI_SND_EA_BV_08() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Oct16 v_aes_sym_key; var Oct16 v_encrypted_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); httpPort.send( m_http_request( m_http_request_post( PICS_HTTP_POST_URI, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; if (f_verify_pki_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, vc_eaCertificate, v_response.response.body.binary_body.ieee1609dot2_data, true, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) { log("*** " & testcasename() & ": PASS: Well-secured EA certificate received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SEC_PKI_SND_EA_BV_08 /** * @desc If the responseCode is 0, the InnerECResponse shall also contain an (enrolment) certificate. *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives an EnrolmentRequestMessage
       *         }
       *         then {
       *             the IUT sends an EtsiTs103097Data-Encrypted structure
       *                 containing an encrypted EtsiTs103097Data-Signed structure
       *                     containing tbsData
       *                         containing EtsiTS102941Data
       *                             containing InnerECResponse
       *                                 containing an enrolment certificate
       *         }
       *     }
       * 
* * @see ETSI TS ITS-00546v006 TP 30 * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SEC_PKI_SND_EA_BV_09() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Oct16 v_aes_sym_key; var Oct16 v_encrypted_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); httpPort.send( m_http_request( m_http_request_post( PICS_HTTP_POST_URI, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( { mw_recipientInfo_pskRecipInfo }, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; if (f_verify_pki_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, vc_eaCertificate, v_response.response.body.binary_body.ieee1609dot2_data, true, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec, -)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec, -))))) { if (f_verify_ec_certificate(v_etsi_ts_102941_data.content.enrolmentResponse.certificate, v_public_compressed_key, v_compressed_mode) == true) { log("*** " & testcasename() & ": PASS: Well-secured EC certificate received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: EC certificate is not proerly formated ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SEC_PKI_SND_EA_BV_09 /** * @desc If the responseCode is 0, the InnerECResponse shall also contain an (enrolment) certificate. *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives an EnrolmentRequestMessage
       *         }
       *         then {
       *             the IUT sends an EtsiTs103097Data-Encrypted structure
       *                 containing an encrypted EtsiTs103097Data-Signed structure
       *                     containing tbsData
       *                         containing EtsiTS102941Data
       *                             containing InnerECResponse
       *                                 containing an enrolment certificate
       *         }
       *     }
       * 
* * @see ETSI TS ITS-00546v006 TP 31 * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SEC_PKI_SND_EA_BV_10() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Oct16 v_aes_sym_key; var Oct16 v_encrypted_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_invalid_enrolment_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); httpPort.send( m_http_request( m_http_request_post( PICS_HTTP_POST_URI, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; if (f_verify_pki_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, vc_eaCertificate, v_response.response.body.binary_body.ieee1609dot2_data, true, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ko))) { log("*** " & testcasename() & ": PASS: Well-secured EA certificate received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SEC_PKI_SND_EA_BV_10 } // End of group enrolment_response group authorization_validation_response { /** * @desc The AuthorizationValidationResponse message shall be sent by the EA to the AA across the interface * at reference point S4 in response to a received AuthorizationValidationRequest message *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Initial conditions: 
       *     with {
       *         the IUT being in the "operational state"
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives a AuthorizationValidationRequest  message
       *         }
       *         then {
       *             the IUT sends a AuthorizationValidationResponse message
       *                 across the reference point S4 to the AA
       *         }
       *     }
       * 
* * @see ETSI TS ITS-00546v006 TP AuthValRes_1_EA * @reference ETSI TS 102 941, clause 6.2.3.4 */ testcase TC_SEC_PKI_SND_EA_BV_11() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var HeaderLines v_headers; var HttpMessage v_response; // Test control if (not PICS_IUT_EA_ROLE or PICS_IUT_COMBINED_EA_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE and not PICS_IUT_COMBINED_EA_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(); // Test adapter configuration // Preamble f_http_build_authorization_validation_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_ieee1609dot2_signed_and_encrypted_data); f_init_default_headers_list(-, "inner_ec_request", v_headers); httpPort.send( m_http_request( m_http_request_post( PICS_HTTP_POST_URI, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationValidationResponseMessage( mw_encryptedData( -, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; log("*** " & testcasename() & ": PASS: AuthorizationValidationResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SEC_PKI_SND_EA_BV_11 /** * @desc The AuthorizationValidationResponse message shall be sent by the EA to the AA across the interface * at reference point S4 in response to a received AuthorizationValidationRequest message *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Initial conditions: 
       *     with {
       *         the IUT being in the "operational state"
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives a AuthorizationValidationRequest  message
       *         }
       *         then {
       *             the IUT sends a AuthorizationValidationResponse message
       *                 across the reference point S4 to the AA
       *         }
       *     }
       * 
* * @see ETSI TS ITS-00546v006 TP AuthValRes_1_EA * @reference ETSI TS 102 941, clause 6.2.3.4 */ testcase TC_SEC_PKI_SND_EA_BV_12() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var HeaderLines v_headers; var HttpMessage v_response; // Test control if (not PICS_IUT_EA_ROLE or PICS_IUT_COMBINED_EA_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE and not PICS_IUT_COMBINED_EA_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(); // Test adapter configuration // Preamble f_http_build_authorization_validation_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_ieee1609dot2_signed_and_encrypted_data); f_init_default_headers_list(-, "inner_ec_request", v_headers); httpPort.send( m_http_request( m_http_request_post( PICS_HTTP_POST_URI, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationValidationResponseMessage( mw_encryptedData( -, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; log("*** " & testcasename() & ": PASS: AuthorizationValidationResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SEC_PKI_SND_EA_BV_12 } // End of group authorization_validation_response } // End of group ea_behavior group aa_behavior { group authorization_request { /** * @desc Check that the EA/AA is able to decrypt the AuthorizationRequest message using the encryption private key corresponding to the recipient certificate * Check that the EA/AA is able to verify the inner signature * Check that the EA/AA is able to verify the request authenticity using the hmacKey verification * Check that the EA/AA sends the AuthorizationValidationRequest message to the correspondent EA *
       * Pics Selection: PICS_IUT_COMBINED_EA_AA_ROLE
       * Initial conditions: 
       *     with {
       *          the EA/AA in "operational state"
       *              authorized with the certificate CERT_AA
       *                  containing encryptionKey (AA_ENC_PUB_KEY)
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *            the IUT receives an EtsiTs103097Data message
       *                containing content.encryptedData
       *                    containing recipients
       *                        containing the instance of RecipientInfo
       *                            containing certRecipInfo
       *                                containing recipientId
       *                                    indicating HashedId8 of the certificate CERT_AA
       *                                and containing encKey
       *                                    indicating symmetric key (S_KEY)
       *                                        encrypted with the private key correspondent to the AA_ENC_PUB_KEY
       *                    and containing cyphertext (ENC_DATA)
       *                        containing encrypted representation of the EtsiTs103097Data-Signed
       *                            containing content.signedData
       *                                containing hashId
       *                                    indicating valid hash algorythm
       *                and containing signer
       *                    containing self
       *                and containing tbsData (SIGNED_DATA)
       *                    containing payload
       *                        containing EtsiTs102941Data
       *                            containing content.authorizationRequest
       *                                containing publicKeys.verificationKey (V_KEY)
       *                                and containing hmacKey (HMAC)
       *                                and containing sharedAtRequest
       *                                    containing keyTag (KEY_TAG)
       *                                    and containing eaId (EA_ID)
       (                                        indicating HashedId8 of the known EA certificate
       *                and containing signature (SIGNATURE)
       *         }
       *         then {
       *            the IUT is able to decrypt the S_KEY
       *                using the private key
       *                    corresponding to the AA_ENC_PUB_KEY
       *            and the IUT is able to decrypt the cypthertext ENC_DATA
       *                using the S_KEY
       *            and the IUT is able to verify the signature SIGNATURE over the SIGNED_DATA
       *                using the V_KEY
       *            and the IUT is able to verify integrity of HMAC and KEY_TAG
       *            and the IUT sends the AuthorizationValidationRequest message to the EA
       *                identified by the EA_ID
       *         }
       *     }
       * 
* * @see ETSI TS ITS-00546v006 TP BV * @reference ETSI TS 102 941, clause 6.2.3.3.1 */ testcase TC_SEC_PKI_SND_EA_AA_BV_01() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_mode_ec; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer p_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_COMBINED_EA_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_COMBINED_EA_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_mode_ec, v_inner_ec_response) == true) { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdictTestBody(c_prDone, e_success); } else { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictTestBody(c_prDone, e_timeout); } // Test Body f_http_build_authorization_request(v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "authorization_request", v_headers); httpPort.send( m_http_request( m_http_request_post( PICS_HTTP_POST_URI, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( -, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; if (f_verify_pki_message(v_private_key_at, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, vc_eaCertificate, v_response.response.body.binary_body.ieee1609dot2_data, false, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log(match(v_etsi_ts_102941_data.content, mw_authorizationResponse(mw_innerAtResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec, -))))); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_authorizationResponse(mw_innerAtResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec, -))))) { // TODO Refined expected mw_signature_ecdsaNistP256 log("*** " & testcasename() & ": PASS: Well-secured AT certificate received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SEC_PKI_SND_EA_AA_BV_01 /** * @desc Check that the AA is able to decrypt the AuthorizationRequest message using the encryption private key corresponding to the recipient certificate * Check that the AA is able to verify the inner signature * Check that the AA is able to verify the request authenticity using the hmacKey verification * Check that the AA sends the AuthorizationValidationRequest message to the correspondent EA *
       * Pics Selection: PICS_IUT_AA_ROLE
       * Initial conditions: 
       *     with {
       *          the AA in "operational state"
       *              authorized with the certificate CERT_AA
       *                  containing encryptionKey (AA_ENC_PUB_KEY)
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *            the IUT receives an EtsiTs103097Data message
       *                containing content.encryptedData
       *                    containing recipients
       *                        containing the instance of RecipientInfo
       *                            containing certRecipInfo
       *                                containing recipientId
       *                                    indicating HashedId8 of the certificate CERT_AA
       *                                and containing encKey
       *                                    indicating symmetric key (S_KEY)
       *                                        encrypted with the private key correspondent to the AA_ENC_PUB_KEY
       *                    and containing cyphertext (ENC_DATA)
       *                        containing encrypted representation of the EtsiTs103097Data-Signed
       *                            containing content.signedData
       *                                containing hashId
       *                                    indicating valid hash algorythm
       *                and containing signer
       *                    containing self
       *                and containing tbsData (SIGNED_DATA)
       *                    containing payload
       *                        containing EtsiTs102941Data
       *                            containing content.authorizationRequest
       *                                containing publicKeys.verificationKey (V_KEY)
       *                                and containing hmacKey (HMAC)
       *                                and containing sharedAtRequest
       *                                    containing keyTag (KEY_TAG)
       *                                    and containing eaId (EA_ID)
       (                                        indicating HashedId8 of the known EA certificate
       *                and containing signature (SIGNATURE)
       *         }
       *         then {
       *            the IUT is able to decrypt the S_KEY
       *                using the private key
       *                    corresponding to the AA_ENC_PUB_KEY
       *            and the IUT is able to decrypt the cypthertext ENC_DATA
       *                using the S_KEY
       *            and the IUT is able to verify the signature SIGNATURE over the SIGNED_DATA
       *                using the V_KEY
       *            and the IUT is able to verify integrity of HMAC and KEY_TAG
       *            and the IUT sends the AuthorizationValidationRequest message to the EA
       *                identified by the EA_ID
       *         }
       *     }
       * 
* * @see ETSI TS ITS-00546v006 TP BV * @reference ETSI TS 102 941, clause 6.2.3.3.1 */ testcase TC_SEC_PKI_SND_AA_BV_01() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Certificate v_ec_certificate; var octetstring v_private_key_at; var octetstring v_public_compressed_key_at; var integer p_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble if (f_generate_ec_certificate(v_private_key_ec, v_ec_certificate) == false) { log("*** " & testcasename() & ": INCONC: Failed to generate EC certificate ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } log("*** " & testcasename() & ": INFO: Generate EC certificate successful ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_build_authorization_request(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "authorization_request", v_headers); httpPort.send( m_http_request( m_http_request_post( PICS_HTTP_POST_URI, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( -, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; if (f_verify_pki_message(v_private_key_at, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, vc_eaCertificate, v_response.response.body.binary_body.ieee1609dot2_data, false, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); if (match(v_etsi_ts_102941_data.content, mw_authorizationResponse(mw_innerAtResponse_ok))) { log("*** " & testcasename() & ": PASS: Well-secured AT certificate received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SEC_PKI_SND_AA_BV_01 /** * @desc Check that the AA is able to decrypt the AuthorizationRequest message using the encryption private key corresponding to the recipient certificate * Check that the AA is able to verify the request authenticity using the hmacKey verification * Check that the AA sends the AuthorizationValidationRequest message to the correspondent EA *
       * Pics Selection: PICS_IUT_AA_ROLE
       * Initial conditions: 
       *     with {
       *          the AA in "operational state"
       *              authorized with the certificate CERT_AA
       *                  containing encryptionKey (AA_ENC_PUB_KEY)
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *            the IUT receives an EtsiTs103097Data message
       *                containing content.encryptedData
       *                    containing recipients
       *                        containing the instance of RecipientInfo
       *                            containing certRecipInfo
       *                                containing recipientId
       *                                    indicating HashedId8 of the certificate CERT_AA
       *                                and containing encKey
       *                                    indicating symmetric key (S_KEY)
       *                                        encrypted with the private key correspondent to the AA_ENC_PUB_KEY
       *                    and containing cyphertext (ENC_DATA)
       *                        containing EtsiTs102941Data
       *                            containing content.authorizationRequest
       *                                containing hmacKey (HMAC)
       *                                and containing sharedAtRequest
       *                                    containing keyTag (KEY_TAG)
       *                                    and containing eaId (EA_ID)
       *                                        indicating HashedId8 of the known EA certificate
       *         }
       *         then {
       *            the IUT is able to decrypt the S_KEY
       *                using the private key
       *                    corresponding to the AA_ENC_PUB_KEY
       *            and the IUT is able to decrypt the cypthertext ENC_DATA
       *                using the S_KEY
       *            and the IUT is able to verify integrity of HMAC and KEY_TAG
       *            and the IUT sends the AuthorizationValidationRequest message to the EA
       *                identified by the EA_ID
       *         }
       *     }
       * 
* * @see ETSI TS ITS-00546v006 TP BV * @reference ETSI TS 102 941, clause 6.2.3.3.1 */ testcase TC_SEC_PKI_SND_AA_BV_02() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp( PICS_TS_CERTIFICATE_ID, // TS role is ITS-S PICS_IUT_AA_CERTIFICATE_ID // Peer certificate, IUT ); // Test adapter configuration // Preamble // TODO f_http_build_inner_at_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, -, v_headers); httpPort.send( m_http_request( m_http_request_post( PICS_HTTP_POST_URI, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( -, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; /*if (f_verify_pki_message(vc_eaPrivateEncKey, vc_eaPeerWholeHash, vc_eaCertificate, v_response.response.body.binary_body.ieee1609dot2_data, false, v_etsi_ts_102941_data, v_request_hash) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); if (match(v_etsi_ts_102941_data.content, mw_authorizationValidationResponse(mw_authorizationValidationResponse_ok))) { // TODO Refined expected mw_authorizationValidationResponse_ok log("*** " & testcasename() & ": PASS: Well-secured EA certificate received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } }*/ } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SEC_PKI_SND_AA_BV_02 /** * @desc Check that the AA skips the AuthorizationRequest message if it is not addressed to this AA *
       * Pics Selection: PICS_IUT_AA_ROLE
       * Initial conditions: 
       *     with {
       *          the AA in "operational state"
       *              authorized with the certificate CERT_AA
       *                  containing encryptionKey (AA_ENC_PUB_KEY)
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *            the IUT receives an EtsiTs103097Data message
       *                containing content.encryptedData
       *                    containing recipients
       *                        containing the instance of RecipientInfo
       *                            containing certRecipInfo
       *                                containing recipientId
       *                                    indicating value
       *                                        NOT equal to the HashedId8 of the certificate CERT_AA
       *                                and containing encKey
       *                                    indicating symmetric key (S_KEY)
       *                                        encrypted with the private key correspondent to the AA_ENC_PUB_KEY
       *         }
       *         then {
       *            the IUT does not send the AuthorizationValidationRequest message
       *         }
       *     }
       * 
* * @see ETSI TS ITS-00546v006 TP BV * @reference ETSI TS 102 941, clause 6.2.3.3.1 */ testcase TC_SEC_PKI_SND_AA_BV_03() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp( PICS_TS_CERTIFICATE_ID, // TS role is ITS-S PICS_IUT_AA_CERTIFICATE_ID // Peer certificate, IUT ); // Test adapter configuration // Preamble // TODO f_http_build_inner_at_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, -, v_headers); httpPort.send( m_http_request( m_http_request_post( PICS_HTTP_POST_URI, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_noac.start; alt { [] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( -, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_noac.stop; log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } [] tc_noac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SEC_PKI_SND_AA_BV_03 } // End of group authorization_request } // End of group aa_beavior } // End of module ItsPki_TestCases