/** * @Author ETSI / STF545 * @version $URL$ * $Id$ * @desc Testcases file for Security Protocol * @reference ETSI TS ITS-00546v006 * @copyright ETSI Copyright Notification * No part may be reproduced except as authorized by written permission. * The copyright and the foregoing restriction extend to reproduction in all media. * All rights reserved. */ module ItsPki_TestCases { // Libcommon import from LibCommon_Time all; import from LibCommon_VerdictControl all; import from LibCommon_Sync all; import from LibCommon_BasicTypesAndValues all; import from LibCommon_DataStrings all; // LibIts import from IEEE1609dot2BaseTypes language "ASN.1:1997" all; import from IEEE1609dot2 language "ASN.1:1997" all; import from EtsiTs102941BaseTypes language "ASN.1:1997" all; import from EtsiTs102941TypesEnrolment language "ASN.1:1997" all; import from EtsiTs102941TypesAuthorization language "ASN.1:1997" all; import from EtsiTs102941TypesAuthorizationValidation language "ASN.1:1997" all; import from EtsiTs102941MessagesCa language "ASN.1:1997" all; import from EtsiTs103097Module language "ASN.1:1997" all; import from ITS_Container language "ASN.1:1997" all; import from CAM_PDU_Descriptions language "ASN.1:1997" all; // LibItsCommon import from LibItsCommon_TypesAndValues all; import from LibItsCommon_Functions all; import from LibItsCommon_TypesAndValues all; import from LibItsCommon_ASN1_NamedNumbers all; // LibItsGeoNetworking import from LibItsGeoNetworking_TypesAndValues all; import from LibItsGeoNetworking_Functions all; import from LibItsGeoNetworking_Templates all; import from LibItsGeoNetworking_Pics all; import from LibItsGeoNetworking_TestSystem all; // LibItsSecurity import from LibItsSecurity_TypesAndValues all; import from LibItsSecurity_TestSystem all; import from LibItsSecurity_Templates all; import from LibItsSecurity_Functions all; import from LibItsSecurity_Pixits all; import from LibItsSecurity_Pics all; // LibItsHttp import from LibItsHttp_TypesAndValues all; import from LibItsHttp_Templates all; import from LibItsHttp_BinaryTemplates all; import from LibItsHttp_Functions all; import from LibItsHttp_TestSystem all; // LibItsPki import from LibItsPki_TypesAndValues all; import from LibItsPki_Templates all; import from LibItsPki_Functions all; import from LibItsPki_TestSystem all; import from LibItsPki_Pics all; import from LibItsPki_Pixits all; // ItsPki import from ItsPki_Pixits all; /** * @desc 5.2 ITS-S behaviour */ group itss_behavior { group itss_helpers { function f_verify_http_ec_request_from_iut_itss( in Request p_request, in HeaderLines p_headers, out InnerEcRequest p_inner_ec_request, out HttpMessage p_response, out integer p_result, in template octetstring p_its_id := PICS_ITS_S_CANONICAL_ID, in template SignerIdentifier p_signer := m_signerIdentifier_self, in EnrolmentResponseCode p_force_response_code := ok ) runs on ItsPkiHttp { // Local variables var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var EtsiTs102941Data v_etsi_ts_102941_data; var Oct16 v_request_hash; var Oct16 v_aes_enc_key; var InnerEcResponse v_inner_ec_response; var template (value) HttpMessage v_response; log(">>> f_verify_http_ec_request_from_iut_itss: ", p_request); p_result := 0; if (f_verify_pki_request_message(vc_eaPrivateEncKey, vc_eaWholeHash/*salt*/, vc_eaWholeHash, p_request.body.binary_body.ieee1609dot2_data, true, v_request_hash, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Cannot decrypt the message // Send error message v_response := m_http_response(m_http_response_ko(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers, 400, "Bad request")); // Initialize v_reponse with an error message // Set verdict p_result := -1; } else { log("f_verify_http_ec_request_from_iut_itss: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentRequest(mw_innerEcRequestSignedForPop(mw_signedData(sha256, mw_toBeSignedData(-, mw_headerInfo_inner_pki_request), p_signer))))); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentRequest(mw_innerEcRequestSignedForPop(mw_signedData(sha256, mw_toBeSignedData(-, mw_headerInfo_inner_pki_request), p_signer)))) == false) { // Send error message f_http_build_inner_ec_response(p_inner_ec_request/*Not required*/, cantparse, v_request_hash, -, -, v_aes_enc_key, v_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data); // Set verdict p_result := -2; } else { // Verify signature of mw_innerEcRequestSignedForPop if (f_verify_inner_ec_request_signed_for_pop(v_etsi_ts_102941_data, p_inner_ec_request) == false) { // Send error message f_http_build_inner_ec_response(p_inner_ec_request/*Not required*/, cantparse, v_request_hash, -, -, v_aes_enc_key, v_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data); v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers)); // Set verdict p_result := -3; } else { log("f_verify_http_ec_request_from_iut_itss: match ", match(p_inner_ec_request, mw_innerEcRequest(p_its_id, -, mw_certificate_subject_attributes({mw_appPermissions(c_its_aid_SCR, ?)})))); // TODO In TITAN, this is the only way to get the unmatching in log if (match(p_inner_ec_request, mw_innerEcRequest(p_its_id, -, mw_certificate_subject_attributes({mw_appPermissions(c_its_aid_SCR, ?)}))) == false) { // Send error message: Not enrolmentrequest f_http_build_inner_ec_response(p_inner_ec_request, badcontenttype, v_request_hash, -, -, v_aes_enc_key, v_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data); v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers)); // Set verdict p_result := -4; } else { // Send OK message log("f_verify_http_ec_request_from_iut_itss: Receive ", p_inner_ec_request); if (p_force_response_code == ok) { f_http_build_inner_ec_response(p_inner_ec_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data); } else { log("f_verify_http_ec_request_from_iut_itss: Succeed buit force error code ", p_force_response_code); f_http_build_inner_ec_response(p_inner_ec_request, p_force_response_code, v_request_hash, -, -, v_aes_enc_key, v_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data); } v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers)); // Set verdict p_result := 0; } } } } p_response := valueof(v_response); log("<<< f_verify_http_ec_request_from_iut_itss: p_response: ", p_response); log("<<< f_verify_http_ec_request_from_iut_itss: p_result: ", p_result); } // End of function f_verify_http_ec_request_from_iut_itss function f_verify_http_at_request_from_iut_itss( in Request p_request, in HeaderLines p_headers, out InnerAtRequest p_inner_at_request, out HttpMessage p_response, out integer p_result, in template octetstring p_its_id := PICS_ITS_S_CANONICAL_ID, in AuthorizationResponseCode p_force_response_code := ok ) runs on ItsPkiHttp { // Local variables var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var EtsiTs102941Data v_etsi_ts_102941_data; var Oct16 v_request_hash; var Oct16 v_aes_enc_key; var InnerAtResponse v_inner_at_response; var template (value) HttpMessage v_response; log(">>> f_verify_http_at_request_from_iut_itss:", p_request); p_result := 0; if (f_verify_pki_request_message(vc_eaPrivateEncKey, vc_eaWholeHash/*salt*/, vc_eaWholeHash, p_request.body.binary_body.ieee1609dot2_data, true, v_request_hash, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Cannot decrypt the message // Send error message v_response := m_http_response(m_http_response_ko(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers, 400, "Bad request")); // Initialize v_reponse with an error message // Set verdict p_result := -1; } else { log("f_verify_http_at_request_from_iut_itss: match ", match(v_etsi_ts_102941_data.content, mw_authorizationRequest(mw_innerAtRequest))); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_authorizationRequest(mw_innerAtRequest)) == false) { // Send error message f_http_build_authorization_response(p_inner_at_request, its_aa_cantparse, v_request_hash, -, -, v_aes_enc_key, v_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data); // Set verdict p_result := -2; } else { // Verify signature of mw_innerATRequestSignedForPop if (f_verify_inner_at_request_signed_for_pop(v_etsi_ts_102941_data, p_inner_at_request) == false) { // Send error message f_http_build_authorization_response(p_inner_at_request, its_aa_cantparse, v_request_hash, -, -, v_aes_enc_key, v_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data); v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers)); // Set verdict p_result := -3; } else { log("f_verify_http_at_request_from_iut_itss: match ", match(p_inner_at_request, mw_innerAtRequest(mw_publicKeys, -, mw_shared_at_request, mw_ec_signature))); // TODO In TITAN, this is the only way to get the unmatching in log if (match(p_inner_at_request, mw_innerAtRequest(mw_publicKeys, -, mw_shared_at_request, mw_ec_signature)) == false) { // TODO To be refined // Send error message: Not enrolmentrequest f_http_build_authorization_response(p_inner_at_request, its_aa_badcontenttype, v_request_hash, -, -, v_aes_enc_key, v_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data); v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers)); // Set verdict p_result := -4; } else { // Send OK message log("f_verify_http_at_request_from_iut_itss: Receive ", p_inner_at_request); if (p_force_response_code == ok) { f_http_build_authorization_response(p_inner_at_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data); } else { log("f_verify_http_at_request_from_iut_itss: Succeed built force error code ", p_force_response_code); f_http_build_authorization_response(p_inner_at_request, p_force_response_code, v_request_hash, -, -, v_aes_enc_key, v_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data); } v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers)); // Set verdict p_result := 0; } } } } p_response := valueof(v_response); log("<<< f_verify_http_at_request_from_iut_itss: p_response: ", p_response); log("<<< f_verify_http_at_request_from_iut_itss: p_result: ", p_result); } // End of function f_verify_http_at_request_from_iut_itss /** * @desc Await CA message using the default AT certificate */ altstep a_await_cam_with_current_cert( in HashedId8 p_certificate_digest, in EtsiTs103097Certificate p_certificate ) runs on ItsPkiItss { [PICS_SEC_SHA256 == true] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed( mw_signedData( sha256, mw_toBeSignedData( mw_signedDataPayload, mw_headerInfo_cam ), mw_signerIdentifier_certificate( mw_etsiTs103097Certificate( mw_issuerIdentifier_sha256AndDigest( p_certificate.issuer.sha256AndDigest ), mw_toBeSignedCertificate_at( -, p_certificate.toBeSigned.verifyKeyIndicator ) ) ) ) ), mw_geoNwShbPacket ))) { } [PICS_SEC_SHA384 == true] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed( mw_signedData( sha384, mw_toBeSignedData( mw_signedDataPayload, mw_headerInfo_cam ), mw_signerIdentifier_certificate( mw_etsiTs103097Certificate( mw_issuerIdentifier_sha384AndDigest( p_certificate.issuer.sha384AndDigest ), mw_toBeSignedCertificate_at( -, p_certificate.toBeSigned.verifyKeyIndicator ) ) ) ) ), mw_geoNwShbPacket ))) { } } // End of altstep a_await_cam_with_current_cert } // End of group itss_helpers group itss_enrolment_request { /** * @desc Check that IUT sends an enrolment request when triggered. *
       * Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT
       * Initial conditions: 
       *     with {
       *         the IUT being in the "initial state"
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT is triggered to requested a new Enrolment Certificate (EC)
       *         }
       *         then {
       *             the IUT sends to EA an EnrolmentRequestMessage
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_ITSS_ENR_01_BV * @reference ETSI TS 102 941 [2], clause 6.1.3 */ testcase TC_SECPKI_ITSS_ENR_01_BV() runs on ItsMtc /*system ItsPkiItssSystem*/ { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_ENR_01_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_ENR_01_BV group f_TC_SECPKI_ITSS_ENR_01_BV { function f_TC_SECPKI_ITSS_ENR_01_BV_itss() runs on ItsPkiItss /*system ItsPkiItssSystem*/ { // Local variables var HashedId8 v_certificate_digest; var EtsiTs103097Certificate v_certificate; // Test component configuration vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE; f_cfUp_itss(); // Test adapter configuration // Preamble f_readCertificate(vc_hashedId8ToBeUsed, v_certificate); f_getCertificateDigest(vc_hashedId8ToBeUsed, v_certificate_digest); // Wait for IUT certificate geoNetworkingPort.clear; tc_ac.start; alt { [] a_await_cam_with_current_cert(v_certificate_digest, v_certificate) { tc_ac.stop; f_selfOrClientSyncAndVerdict(c_prDone, e_success); } [] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed ))) { repeat; } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected CA message not received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body f_sendUtTriggerEnrolmentRequestPrimitive(); log("*** " & testcasename() & ": PASS: Enrolment trigger sent succesfully ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_ENR_01_BV_itss function f_TC_SECPKI_ITSS_ENR_01_BV_pki() runs on ItsPkiHttp /*system ItsPkiHttpSystem*/ { // Local variable var HeaderLines v_headers; var HttpMessage v_request; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_ec_response", v_headers); f_selfOrClientSyncAndVerdict(c_prDone, e_success); // Test Body tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_EC, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo/*(vc_eaHashedId8)*/, * }, mw_SymmetricCiphertext_aes128ccm )))))), v_request ) { var HttpMessage v_response; var integer v_result; var InnerEcRequest v_inner_ec_request; tc_ac.stop; // Verify IUT response f_verify_http_ec_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_request, v_response, v_result); // Send response if (isvalue(v_response)) { httpPort.send(v_response); } // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: InnerEcRequest received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_ENR_01_BV_pki } // End of group f_TC_SECPKI_ITSS_ENR_01_BV /** * @desc If the enrolment request of the IUT is an initial enrolment request, the itsId * (contained in the InnerECRequest) shall be set to the canonical identifier, the * signer (contained in the outer EtsiTs1030971Data-Signed) shall be set to self and * the outer signature shall be computed using the canonical private key. *
       * Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT is requested to send an EnrolmentRequestMessage
       *         }
       *         then {
       *             the IUT sends an EtsiTs103097Data-Encrypted
       *                 containing an encrypted EtsiTs103097Data-Signed
       *                     containing EtsiTs103097Data
       *                          containing InnerECRequestSignedForPOP
       *                             containing InnerEcRequest
       *                                 containing itsId
       *                                     indicating the canonical identifier of the ITS-S 
       *                 and containing signer
       *                     declared as self
       *                 and containing signature 
       *                     computed using the canonical private key
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_ITSS_ENR_02_BV * @reference ETSI TS 102 941, clause 6.1.3 */ testcase TC_SECPKI_ITSS_ENR_02_BV() runs on ItsMtc /*system ItsPkiItssSystem*/ { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_ENR_01_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_ENR_02_BV /** * @desc In presence of a valid EC, the enrolment request of the IUT is a rekeying enrolment request with the itsId (contained in the InnerECRequest) and the SignerIdentifier (contained in the outer EtsiTs1030971Data-Signed) both declared as digest containing the HashedId8 of the EC and the outer signature computed using the current valid EC private key corresponding to the verification public key. *
       * Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and PICS_SECPKI_REENROLMENT
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT is requested to send an EnrolmentRequestMessage
       *         }
       *         then {
       *             the IUT sends an EtsiTs103097Data-Encrypted
       *                 containing an encrypted EtsiTs103097Data-Signed
       *                     containing EtsiTs103097Data
       *                          containing InnerECRequestSignedForPOP
       *                             containing InnerEcRequest
       *                                 containing itsId
       *                                     declared as digest containing the HashedId8 of the EC identifier
       *                 and containing signer
       *                     declared as digest containing the HashedId8 of the EC identifier 
       *                 and containing signature 
       *                     computed using the current valid EC private key corresponding to the verification public key
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_ITSS_ENR_03_BV * @reference ETSI TS 102 941, clause 6.1.3 */ testcase TC_SECPKI_ITSS_ENR_03_BV() runs on ItsMtc /*system ItsPkiItssSystem*/ { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or not PICS_SECPKI_REENROLMENT) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and PICS_SECPKI_REENROLMENT required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_ENR_03_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_ENR_03_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_ENR_03_BV group f_TC_SECPKI_ITSS_ENR_03_BV { function f_TC_SECPKI_ITSS_ENR_03_BV_itss() runs on ItsPkiItss /*system ItsPkiItssSystem*/ { // Local variables var HashedId8 v_certificate_digest; var EtsiTs103097Certificate v_certificate; // Test component configuration vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE; f_cfUp_itss(); // Test adapter configuration // Preamble f_readCertificate(vc_hashedId8ToBeUsed, v_certificate); f_getCertificateDigest(vc_hashedId8ToBeUsed, v_certificate_digest); // Wait for IUT certificate geoNetworkingPort.clear; tc_ac.start; alt { [] a_await_cam_with_current_cert(v_certificate_digest, v_certificate) { tc_ac.stop; f_selfOrClientSyncAndVerdict(c_prDone, e_success); } [] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed ))) { repeat; } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected CA message not received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body f_sendUtTriggerEnrolmentRequestPrimitive(); log("*** " & testcasename() & ": PASS: Enrolment trigger sent succesfully ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_ENR_03_BV_itss function f_TC_SECPKI_ITSS_ENR_03_BV_pki() runs on ItsPkiHttp /*system ItsPkiHttpSystem*/ { // Local variable var HeaderLines v_headers; var HttpMessage v_request; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_ec_response", v_headers); f_selfOrClientSyncAndVerdict(c_prDone, e_success); // Test Body tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_EC, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo/*(vc_eaHashedId8)*/, * }, mw_SymmetricCiphertext_aes128ccm )))))), v_request ) { var integer v_result; var InnerEcRequest v_inner_ec_request; var HttpMessage v_response; tc_ac.stop; // Verify IUT response f_verify_http_ec_request_from_iut_itss( v_request.request, v_headers, v_inner_ec_request, v_response, v_result, PICS_ITS_S_CANONICAL_ID, // containing itsId declared as digest containing the HashedId8 of the EC identifier m_signerIdentifier_digest(PICS_ITS_S_CANONICAL_ID)); // containing signer declared as digest containing the HashedId8 of the EC identifier // Send response if (isvalue(v_response)) { httpPort.send(v_response); } // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: InnerEcRequest received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_ENR_03_BV_pki } // End of group f_TC_SECPKI_ITSS_ENR_03_BV /** * @desc If the EC is revoked, the IUT returns to the state 'initialized'. *
       * Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and PICS_SECPKI_CRL
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT is informed about a revocation of its EC
       *         }
       *         then {
       *             the IUT returns to the "initialized" state
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_ITSS_ENR_04_BV * @reference ETSI TS 102 941, clause 6.1.3, 6.2.3.2.1 */ testcase TC_SECPKI_ITSS_ENR_04_BV() runs on ItsMtc /*system ItsPkiItssSystem*/ { // Local variables var Oct32 v_private_key; var Oct32 v_public_key_x; var Oct32 v_public_key_y; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or not PICS_SECPKI_CRL) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and PICS_SECPKI_CRL required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration // Synchronization // Cleanup setverdict(inconc); } // End of TC_SECPKI_ITSS_ENR_04_BV /** * @desc If the EC expires, the IUT returns to the state 'initialized'. *
       * Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the EC of the IUT expires
       *         }
       *         then {
       *             the IUT returns to the "initialized" state
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_ITSS_ENR_05_BV * @reference ETSI TS 102 941, clause 6.1.3, 6.2.3.2.1 */ testcase TC_SECPKI_ITSS_ENR_05_BV() runs on ItsMtc /*system ItsPkiItssSystem*/ { // Local variables var Oct32 v_private_key; var Oct32 v_public_key_x; var Oct32 v_public_key_y; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration // Synchronization // Cleanup setverdict(inconc); } // End of TC_SECPKI_ITSS_ENR_05_BV /** * @desc For each enrolment request, the ITS-S shall generate a new verification key pair corresponding to an approved signature algorithm as specified in TS 103 097. *
       * Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and not PICS_SECPKI_REENROLMENT
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT is requested to send multiple EnrolmentRequestMessage
       *         }
       *         then {
       *             each EnrolmentRequestMessage
       *                 contains a different and unique verification key pair within the InnerECRequest
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_ITSS_ENR_06_BV * @reference ETSI TS 102 941, clause 6.1.3 */ testcase TC_SECPKI_ITSS_ENR_06_BV() runs on ItsMtc /*system ItsPkiItssSystem*/ { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or PICS_SECPKI_REENROLMENT) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and not PICS_SECPKI_REENROLMENT required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration v_itss.start(f_TC_SECPKI_ITSS_ENR_06_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_ENR_06_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup } // End of TC_SECPKI_ITSS_ENR_06_BV group f_TC_SECPKI_ITSS_ENR_06_BV { function f_TC_SECPKI_ITSS_ENR_06_BV_itss() runs on ItsPkiItss /*system ItsPkiItssSystem*/ { // Local variables var HashedId8 v_certificate_digest; var EtsiTs103097Certificate v_certificate; // Test component configuration f_cfUp_itss(); // Test adapter configuration // Preamble // First enrolment geoNetworkingPort.clear; tc_ac.start; alt { [] a_await_cam_with_current_cert(v_certificate_digest, v_certificate) { tc_ac.stop; f_sendUtTriggerEnrolmentRequestPrimitive(); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } [] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed ))) { repeat; } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected CA message not received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body // Re-enrolment for (var integer v_i := 0; v_i < PX_RE_ENROLMENT_COUNTER; v_i := v_i + 1) { f_sendUtTriggerEnrolmentRequestPrimitive(); f_sleep(PX_RE_ENROLMENT_DELAY); } // End of 'for' statement log("*** " & testcasename() & ": PASS: Enrolment trigger sent succesfully ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_ENR_06_BV_itss function f_TC_SECPKI_ITSS_ENR_06_BV_pki() runs on ItsPkiHttp /*system ItsPkiHttpSystem*/ { // Local variable var integer v_counter := 0; var HeaderLines v_headers; var HttpMessage v_request; var HttpMessage v_response; var InnerEcRequest v_inner_ec_request; var ListOfPublicVerificationKey v_generated_keys; var integer v_result; // Test component configuration f_cfHttpUp(); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_ec_response", v_headers); // Wait for the first enrolment response tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_EC, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo/*(vc_eaHashedId8)*/, * }, mw_SymmetricCiphertext_aes128ccm )))))), v_request ) { tc_ac.stop; // Verify IUT response f_verify_http_ec_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_request, v_response, v_result); // Send response if (isvalue(v_response)) { httpPort.send(v_response); } // Set verdict if (v_result == 0) { v_generated_keys[v_counter] := v_inner_ec_request.publicKeys.verificationKey; v_counter := v_counter + 1; f_selfOrClientSyncAndVerdictTestBody(c_prDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_EC, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo/*(vc_eaHashedId8)*/, * }, mw_SymmetricCiphertext_aes128ccm )))))), v_request ) { tc_ac.stop; // Verify IUT response f_verify_http_ec_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_request, v_response, v_result); // Send response if (isvalue(v_response)) { httpPort.send(v_response); } // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": LOG: ", match(v_generated_keys, superset(v_inner_ec_request.publicKeys.verificationKey)), "***"); if (match(v_generated_keys, superset(v_inner_ec_request.publicKeys.verificationKey))) { v_generated_keys[v_counter] := v_inner_ec_request.publicKeys.verificationKey; v_counter := v_counter + 1; f_selfOrClientSyncAndVerdictTestBody(c_prDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Duplication of generated public keys ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } } else { log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } } [] tc_ac.timeout { if (v_counter == PX_RE_ENROLMENT_COUNTER) { log("*** " & testcasename() & ": PASS: InnerEcRequest received with different key pairs ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_ENR_06_BV_pki } // End of f_TC_SECPKI_ITSS_ENR_06_BV /** * @desc Within the InnerECRequest, the requestedSubjectAttributes shall not contain a certIssuePermissions field. *
       * Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT is requested to send an EnrolmentRequestMessage
       *         }
       *         then {
       *             the IUT sends an EtsiTs103097Data-Encrypted
       *                 containing an encrypted EtsiTs103097Data-Signed
       *                     containing EtsiTs103097Data
       *                         containing InnerECRequestSignedForPOP
       *                             containing InnerEcRequest
       *                                 containing requestedSubjectAttributes
       *                                     not containing certIssuePermissions 
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_ITSS_ENR_07_BV * @reference ETSI TS 102 941, clause 6.2.3.2.1 */ testcase TC_SECPKI_ITSS_ENR_07_BV() runs on ItsMtc /*system ItsPkiItssSystem*/ { // Local variables var Oct32 v_private_key; var Oct32 v_public_key_x; var Oct32 v_public_key_y; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_ENR_01_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup } // End of TC_SECPKI_ITSS_ENR_07_BV /** * @desc In the headerInfo of the tbsData of the InnerECRequestSignedForPOP all other components * of the component tbsdata.headerInfo except generationTime and psid are not used and absent. * The psid shall be set to "secured certificate request" as assigned in ETSI TS 102 965 and * the generationTime shall be present. *
       * Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT is requested to send an EnrolmentRequestMessage
       *         }
       *         then {
       *             the IUT sends an EtsiTs103097Data-Encrypted
       *                 containing an encrypted EtsiTs103097Data-Signed
       *                     containing EtsiTs103097Data
       *                         containing InnerECRequestSignedForPOP
       *                             containing tbsData
       *                                 containing headerInfo
       *                                     containing psid
       *                                         indicating AID_CERT_REQ
       *                                     and containing generationTime
       *                                     and not containing any other component of tbsdata.headerInfo
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_ITSS_ENR_08_BV * @reference ETSI TS 102 941, clause 6.2.3.2.1 */ testcase TC_SECPKI_ITSS_ENR_08_BV() runs on ItsMtc /*system ItsPkiItssSystem*/ { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_ENR_01_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup } // End of TC_SECPKI_ITSS_ENR_08_BV /** * @desc In the headerInfo of the tbsData of the outer EtsiTs102941Data-Signed all other components * of the component tbsdata.headerInfo except generationTime and psid are not used and absent. * The psid shall be set to "secured certificate request" as assigned in ETSI TS 102 965 and * the generationTime shall be present. *
       * Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT is requested to send an EnrolmentRequestMessage
       *         }
       *         then {
       *             the IUT sends an EtsiTs103097Data-Encrypted
       *                 containing an encrypted EtsiTs103097Data-Signed
       *                     containing EtsiTs103097Data
       *                         containing InnerECRequestSignedForPOP
       *                             containing tbsData
       *                                 containing headerInfo
       *                                     containing psid
       *                                         indicating AID_CERT_REQ
       *                                     and containing generationTime
       *                                     and not containing any other component of tbsdata.headerInfo
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_ITSS_ENR_09_BV * @reference ETSI TS 102 941, clause 6.2.3.2.1 */ testcase TC_SECPKI_ITSS_ENR_09_BV() runs on ItsMtc /*system ItsPkiItssSystem*/ { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_ENR_01_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup } // End of TC_SECPKI_ITSS_ENR_09_BV /** * @desc The EtsiTs103097Data-Encrypted containing the correctly encrypted ciphertext and a recipients * component containing one instance of RecipientInfo of choice certRecipInfo containing the * hashedId8 of the EA certificate in recipientId and the encrypted data encryption key in encKey. * The data encryption key is encrypted using the public key found in the EA certificate referenced * in the recipientId. *
       * Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT is requested to send an EnrolmentRequestMessage
       *         }
       *         then {
       *             the IUT sends an EtsiTs103097Data-Encrypted
       *                 containing recipients
       *                     containing exactly one instance of RecipientInfo of choice certRecipInfo
       *                         containing recipientId
       *                             indicating the hashedId8
       *                                 referencing to the EA certificate
       *                                     containing encryptionKey (KEY)
       *                      and containing encKey
       *                          being a symmetric key (SYMKEY) encrypted using the key KEY
       *                  containing ciphertext
       *                      which is encrypted using the symmetric key SYMKEY contained in encKey
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_ITSS_ENR_10_BV * @reference ETSI TS 102 941, clause 6.2.3.2.1 */ testcase TC_SECPKI_ITSS_ENR_10_BV() runs on ItsMtc /*system ItsPkiItssSystem*/ { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_ENR_01_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup } // End of TC_SECPKI_ITSS_ENR_10_BV /** * @desc In the inner signed data structure (InnerECRequestSignedForPOP), the signature is computed * on InnerECRequest with the private key corresponding to the new verificationKey to prove * possession of the generated verification key pair. *
       * Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT is requested to send an EnrolmentRequestMessage
       *         }
       *         then {
       *             the IUT sends an EtsiTs103097Data-Encrypted
       *                 containing an encrypted EtsiTs103097Data-Signed
       *                     containing EtsiTs103097Data
       *                         containing InnerECRequestSignedForPOP
       *                             containing tbsData
       *                                 containing InnerEcRequest
       *                                     containing verificationKey (VKEY)
       *                              containing signature
       *                                  computed on InnerECRequest
       *                                      using the private key corresponding to VKEY
       *                                          contained in InnerECRequest
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_ITSS_ENR_11_BV * @reference ETSI TS 102 941, clause 6.2.3.2.1 */ testcase TC_SECPKI_ITSS_ENR_11_BV() runs on ItsMtc /*system ItsPkiItssSystem*/ { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_ENR_01_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup } // End of TC_SECPKI_ITSS_ENR_11_BV /** * @desc Check that signing of Enrolment Request message is permitted by the EC certificate. *
       * Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and PICS_SECPKI_REENROLMENT 
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT is requested to send an EnrolmentRequestMessage
       *         }
       *         then {
       *             the IUT sends an EtsiTs103097Data-Encrypted
       *                 containing an encrypted EtsiTs103097Data-Signed
       *                     containing signer
       *                         containing digest
       *                             indicating HashedId8 of the EC certificate
       *                                 containing appPermissions
       *                                     containing an item of type PsidSsp
       *                                         containing psid
       *                                             indicating AID_CERT_REQ
       *                                         and containing ssp
       *                                             containing opaque[0] (version) 
       *                                                 indicating 1
       *                                             containing opaque[1] (value) 
       *                                                 indicating "Enrolment Request" (bit 1) set to 1
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_ITSS_ENR_12_BV * @reference ETSI TS 102 941, clause 6.1.3, 6.2.3.2.1 */ testcase TC_SECPKI_ITSS_ENR_12_BV() runs on ItsMtc /*system ItsPkiItssSystem*/ { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or not PICS_SECPKI_REENROLMENT ) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and PICS_SECPKI_REENROLMENT required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration v_itss.start(f_TC_SECPKI_ITSS_ENR_03_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_ENR_03_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup } // End of TC_SECPKI_ITSS_ENR_12_BV } // End of group itss_enrolment_request group itss_enrolment_response { /** * @desc If an enrolment request fails, the IUT returns to the state 'initialized. *
       * Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT is requested to send an EnrolmentRequestMessage
       *             and the EnrolmentResponseMessage is received
       *                 containing a responseCode different than 0
       *         }
       *         then {
       *             the IUT returns to the "initialized" state
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_ITSS_ENR_RECV_01_BV * @reference ETSI TS 102 941, clause 6.1.3, 6.2.3.2.1 */ testcase TC_SECPKI_ITSS_ENR_RECV_01_BV() runs on ItsMtc /*system ItsPkiItssSystem*/ { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_ENR_01_BV_pki()); /* v_itss.start(f_TC_SECPKI_ITSS_ENR_RECV_01_BV_itss()); */ /* v_ea.start(f_TC_SECPKI_ITSS_ENR_RECV_01_BV_pki()); */ // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown(v_itss, v_ea); } // End of TC_SECPKI_ITSS_ENR_RECV_01_BV group f_TC_SECPKI_ITSS_ENR_RECV_01_BV { function f_TC_SECPKI_ITSS_ENR_RECV_01_BV_itss() runs on ItsPkiItss /*system ItsPkiItssSystem*/ { // Local variables var HashedId8 v_certificate_digest; var EtsiTs103097Certificate v_certificate; // Test component configuration vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE; f_cfUp_itss(); // Test adapter configuration // Preamble f_readCertificate(vc_hashedId8ToBeUsed, v_certificate); f_getCertificateDigest(vc_hashedId8ToBeUsed, v_certificate_digest); // Wait for IUT certificate geoNetworkingPort.clear; tc_ac.start; alt { [] a_await_cam_with_current_cert(v_certificate_digest, v_certificate) { tc_ac.stop; f_sendUtTriggerEnrolmentRequestPrimitive(); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } [] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed ))) { repeat; } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected CA message not received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body geoNetworkingPort.clear; tc_ac.start; alt { [] a_await_cam_with_current_cert(v_certificate_digest, v_certificate) { tc_ac.stop; log("*** " & testcasename() & ": PASS: OBU is still initial certificate ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } [] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed ))) { log("*** " & testcasename() & ": FAIL: OBU has changed its certificate ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected CA message not received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_ENR_RECV_01_BV_itss function f_TC_SECPKI_ITSS_ENR_RECV_01_BV_pki() runs on ItsPkiHttp /*system ItsPkiHttpSystem*/ { // Local variable var HeaderLines v_headers; var HttpMessage v_request; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_ec_response", v_headers); tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_EC, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo/*(vc_eaHashedId8)*/, * }, mw_SymmetricCiphertext_aes128ccm )))))), v_request ) { var HttpMessage v_response; var integer v_result; var InnerEcRequest v_inner_ec_request; tc_ac.stop; // Verify IUT response f_verify_http_ec_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_request, v_response, v_result, -, -, cantparse); // Send response forcing error code if (isvalue(v_response)) { httpPort.send(v_response); } // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": INFO: InnerEcRequest received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body log("*** " & testcasename() & ": PASS: InnerEcRequest received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_ENR_RECV_01_BV_pki } // End of group f_TC_SECPKI_ITSS_ENR_RECV_01_BV /** * @desc The IUT is capable of parsing and handling of positive EnrolmentResponse messages * containing the requested EC. In case of a successful enrolment, the IUT switches * to the state 'enrolled'. *
       * Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT is requested to send an initial EnrolmentRequestMessage
       *             and when the IUT receives a subsequent EnrolmentResponseMessage as an answer of the EA
       *                 containing a responseCode
       *                     indicating 0
       *                 and containing an enrolment certificate
       *         }
       *         then {
       *             the IUT switches to the "enrolled" state
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_ITSS_ENR_RECV_02_BV * @reference ETSI TS 102 941, clause 6.1.3, 6.2.3.2.1 */ testcase TC_SECPKI_ITSS_ENR_RECV_02_BV() runs on ItsMtc /*system ItsPkiItssSystem*/ { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_ENR_01_BV_pki()); /* v_itss.start(f_TC_SECPKI_ITSS_ENR_RECV_02_BV_itss()); */ /* v_ea.start(f_TC_SECPKI_ITSS_ENR_RECV_02_BV_pki()); */ // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_ENR_RECV_02_BV group f_TC_SECPKI_ITSS_ENR_RECV_02_BV { function f_TC_SECPKI_ITSS_ENR_RECV_02_BV_itss() runs on ItsPkiItss /*system ItsPkiItssSystem*/ { // Local variables var HashedId8 v_certificate_digest; var EtsiTs103097Certificate v_certificate; // Test component configuration vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE; f_cfUp_itss(); // Test adapter configuration // Preamble f_readCertificate(vc_hashedId8ToBeUsed, v_certificate); f_getCertificateDigest(vc_hashedId8ToBeUsed, v_certificate_digest); // Wait for IUT certificate geoNetworkingPort.clear; tc_ac.start; alt { [] a_await_cam_with_current_cert(v_certificate_digest, v_certificate) { tc_ac.stop; f_sendUtTriggerEnrolmentRequestPrimitive(); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } [] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed ))) { repeat; } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected CA message not received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body geoNetworkingPort.clear; tc_ac.start; alt { [] a_await_cam_with_current_cert(v_certificate_digest, v_certificate) { repeat; // OBU is till using old certificate } [] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed ))) { log("*** " & testcasename() & ": PASS: OBU is using a new certificate ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } [] tc_ac.timeout { log("*** " & testcasename() & ": FAIL: Expected CA message not received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } } // End of 'alt' statement // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_ENR_RECV_02_BV_itss function f_TC_SECPKI_ITSS_ENR_RECV_02_BV_pki() runs on ItsPkiHttp /*system ItsPkiHttpSystem*/ { // Local variable var HeaderLines v_headers; var HttpMessage v_request; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_ec_response", v_headers); f_selfOrClientSyncAndVerdict(c_prDone, e_success); // Test Body tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_EC, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo/*(vc_eaHashedId8)*/, * }, mw_SymmetricCiphertext_aes128ccm )))))), v_request ) { var HttpMessage v_response; var integer v_result; var InnerEcRequest v_inner_ec_request; tc_ac.stop; // Verify IUT response f_verify_http_ec_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_request, v_response, v_result, -, -, cantparse); // Send response forcing error code if (isvalue(v_response)) { httpPort.send(v_response); } // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: InnerEcRequest received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_ENR_RECV_02_BV_pki } // End of group f_TC_SECPKI_ITSS_ENR_RECV_02_BV } // End of group itss_enrolment_response group itss_authorization_request { /** * @desc Check that the ITS-S send the Authorization Request message to the Authorization Authority (AA) to request an authorization ticket. *
       * Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION
       * Initial conditions: 
       *     with {
       *         the IUT being in the "operational state"
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT is triggered to requested a new Authorization Ticket (AT)
       *         }
       *         then {
       *             the IUT sends EtsiTs103097Data to the AA
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_ITSS_AUTH_01_BV * @reference ETSI TS 102 941 [2], clause 6.2.3.3.0 */ testcase TC_SECPKI_ITSS_AUTH_01_BV() runs on ItsMtc /*system ItsPkiItssSystem*/ { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_AUTH_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_AUTH_01_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_AUTH_01_BV group f_TC_SECPKI_ITSS_AUTH_01_BV { function f_TC_SECPKI_ITSS_AUTH_01_BV_itss() runs on ItsPkiItss /*system ItsPkiItssSystem*/ { // Local variables var HashedId8 v_certificate_digest; var EtsiTs103097Certificate v_certificate; // Test component configuration vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE; f_cfUp_itss(); // Test adapter configuration // Preamble f_readCertificate(vc_hashedId8ToBeUsed, v_certificate); f_getCertificateDigest(vc_hashedId8ToBeUsed, v_certificate_digest); // Wait for IUT certificate geoNetworkingPort.clear; tc_ac.start; alt { [] a_await_cam_with_current_cert(v_certificate_digest, v_certificate) { tc_ac.stop; if (PX_TRIGGER_EC_BEFORE_AT) { f_sendUtTriggerEnrolmentRequestPrimitive(); } f_selfOrClientSyncAndVerdict(c_prDone, e_success); } [] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed ))) { repeat; } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected CA message not received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body f_sendUtTriggerAuthorizationRequestPrimitive(); log("*** " & testcasename() & ": PASS: Enrolment trigger sent succesfully ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_AUTH_01_BV_itss function f_TC_SECPKI_ITSS_AUTH_01_BV_pki() runs on ItsPkiHttp /*system ItsPkiHttpSystem*/ { // Local variable var HeaderLines v_headers; var HttpMessage v_request; var InnerEcResponse v_inner_ec_response; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble if (PX_TRIGGER_EC_BEFORE_AT) { if (f_await_ec_request_send_response(v_inner_ec_response) == true) { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } else { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } } else { f_selfOrClientSyncAndVerdict(c_prDone, e_success); } // Test Body tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_EC, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo/*(vc_aaHashedId8)*/, * }, mw_SymmetricCiphertext_aes128ccm )))))), v_request ) { var HttpMessage v_response; var integer v_result; var InnerAtRequest v_inner_at_request; tc_ac.stop; // Verify IUT response f_verify_http_at_request_from_iut_itss(v_request.request, v_headers, v_inner_at_request, v_response, v_result); // Send response if (isvalue(v_response)) { httpPort.send(v_response); } // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: InnerEcRequest received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_AUTH_01_BV_pki } // End of group f_TC_SECPKI_ITSS_AUTH_01_BV /** * @desc Check that the AuthorizationRequest message is encrypted and sent to only one Authorization Authority. *
       * Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION
       * Initial conditions: 
       *     with {
       *         the IUT being in the "operational state"
       *             authorized with CERT_AA certificate
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT is triggered to requested a new Authorization Ticket (AT)
       *         }
       *         then {
       *             the IUT sends EtsiTs103097Data to the AA
       *                 containing content.encryptedData.recipients
       *                     indicating size 1
       *                     and containing the instance of RecipientInfo
       *                         containing certRecipInfo
       *                             containing recipientId
       *                                 indicating HashedId8 of the CERT_AA
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_ITSS_AUTH_02_BV * @reference ETSI TS 102 941 [2], clause 6.2.3.3.1 */ testcase TC_SECPKI_ITSS_AUTH_02_BV() runs on ItsMtc /*system ItsPkiItssSystem*/ { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_AUTH_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_AUTH_01_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_AUTH_02_BV /** * @desc Check that the AuthorizationRequest message is encrypted using the encryptionKey found in the AA certificate referenced in recipientId. *
       * Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION
       * Initial conditions: 
       *     with {
       *         the IUT being in the "operational state"
       *             authorized with CERT_AA certificate
       *                 containing encryptionKey (AA_ENC_PUB_KEY)
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT is triggered to requested a new Authorization Ticket (AT)
       *         }
       *         then {
       *             the IUT sends EtsiTs103097Data to the AA
       *                 containing content.encryptedData
       *                     containing ciphertext
       *                         containing data
       *                             encrypted using AA_ENC_PUB_KEY
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_ITSS_AUTH_03_BV * @reference ETSI TS 102 941 [2], clause 6.2.3.3.1 */ testcase TC_SECPKI_ITSS_AUTH_03_BV() runs on ItsMtc /*system ItsPkiItssSystem*/ { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_AUTH_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_AUTH_01_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_AUTH_03_BV /** * @desc Check that the AuthorizationRequest message is never reused the same encryption key and nonce. *
       * Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION
       * Initial conditions: 
       *     with {
       *         the IUT being in the "operational state"
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT is triggered to requested a new Authorization Ticket (AT)
       *         }
       *         then {
       *             the IUT sends EtsiTs103097Data to the AA
       *                 containing content.encryptedData
       *                     containing ciphertext.aes128ccm.nonce
       *                         indicating value not equal to the nonce in N previous messages
       *                 and containing recipients[0].certRecipInfo.encKey
       *                     containing encrypted symmetric key (S_KEY)
       *                         indicating symmetric key not equal to the key was used in N previous messages
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_ITSS_AUTH_04_BV * @reference ETSI TS 102 941 [2], clause 6.2.3.3.1 */ testcase TC_SECPKI_ITSS_AUTH_04_BV() runs on ItsMtc /*system ItsPkiItssSystem*/ { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_AUTH_04_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_AUTH_04_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_AUTH_04_BV group f_TC_SECPKI_ITSS_AUTH_04_BV { function f_TC_SECPKI_ITSS_AUTH_04_BV_itss() runs on ItsPkiItss /*system ItsPkiItssSystem*/ { // Local variables var HashedId8 v_certificate_digest; var EtsiTs103097Certificate v_certificate; // Test component configuration f_cfUp_itss(); // Test adapter configuration // Preamble // First enrolment geoNetworkingPort.clear; tc_ac.start; alt { [] a_await_cam_with_current_cert(v_certificate_digest, v_certificate) { tc_ac.stop; if (PX_TRIGGER_EC_BEFORE_AT) { f_sendUtTriggerEnrolmentRequestPrimitive(); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } } [] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed ))) { repeat; } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected CA message not received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body // N authorization for (var integer v_i := 0; v_i < PX_RE_AUTHORIZATION_COUNTER; v_i := v_i + 1) { f_sendUtTriggerAuthorizationRequestPrimitive(); f_sleep(PX_RE_AUTHORIZATION_DELAY); } // End of 'for' statement log("*** " & testcasename() & ": PASS: Enrolment trigger sent succesfully ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_AUTH_04_BV_itss function f_TC_SECPKI_ITSS_AUTH_04_BV_pki() runs on ItsPkiHttp /*system ItsPkiHttpSystem*/ { // Local variable var integer v_counter := 0; var HeaderLines v_headers; var HttpMessage v_request; var HttpMessage v_response; var InnerAtRequest v_inner_at_request; var ListOfPublicVerificationKey v_generated_keys; var integer v_result; // Test component configuration f_cfHttpUp(); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_at_response", v_headers); // Wait for the first enrolment response tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_EC, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo/*(vc_aaHashedId8)*/, * }, mw_SymmetricCiphertext_aes128ccm )))))), v_request ) { tc_ac.stop; // Verify IUT response f_verify_http_at_request_from_iut_itss(v_request.request, v_headers, v_inner_at_request, v_response, v_result); // Send response if (isvalue(v_response)) { httpPort.send(v_response); } // Set verdict if (v_result == 0) { v_generated_keys[v_counter] := v_inner_at_request.publicKeys.verificationKey; v_counter := v_counter + 1; f_selfOrClientSyncAndVerdictTestBody(c_prDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_AT, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo/*(vc_aaHashedId8)*/, * }, mw_SymmetricCiphertext_aes128ccm )))))), v_request ) { tc_ac.stop; // Verify IUT response f_verify_http_at_request_from_iut_itss(v_request.request, v_headers, v_inner_at_request, v_response, v_result); // Send response if (isvalue(v_response)) { httpPort.send(v_response); } // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": LOG: ", match(v_generated_keys, superset(v_inner_at_request.publicKeys.verificationKey)), "***"); if (match(v_generated_keys, superset(v_inner_at_request.publicKeys.verificationKey))) { v_generated_keys[v_counter] := v_inner_at_request.publicKeys.verificationKey; v_counter := v_counter + 1; f_selfOrClientSyncAndVerdictTestBody(c_prDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Duplication of generated public keys ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } } else { log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } } [] tc_ac.timeout { if (v_counter == PX_RE_AUTHORIZATION_COUNTER) { log("*** " & testcasename() & ": PASS: InnerAtRequest received with different key pairs ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_AUTH_04_BV_pki } // End of group f_TC_SECPKI_ITSS_AUTH_04_BV /** * @desc Check that the Authozation request protocol version is set to 1. *
       * Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION
       * Initial conditions: 
       *     with {
       *         the IUT being in the "operational state"
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT is triggered to requested a new Authorization Ticket (AT)
       *         }
       *         then {
       *             the IUT sends EtsiTs103097Data to the AA
       *                 containing version
       *                     indicating value 1
       *                 and containing content
       *                     containing autihorizationRequest
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_ITSS_AUTH_05_BV * @reference ETSI TS 102 941 [2], clause 6.2.3.3.1 */ testcase TC_SECPKI_ITSS_AUTH_05_BV() runs on ItsMtc /*system ItsPkiItssSystem*/ { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_AUTH_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_AUTH_01_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_AUTH_05_BV } // End of group itss_authorization_request group itss_authorization_response { // TODO } // End of group itss_authorization_response group itss_ctl_handling { // TODO } // End of group itss_ctl_handling group itss_crl_handling { // TODO } // End of group itss_crl_handling } // End of group itss_behavior group ea_behavior { group ea_helpers { } // End of group ea_helpers group enrolment_request_handling { /** * @desc The EnrolmentResponse message shall be sent by the EA to the ITS-S across the interface at * reference point S3 in response to a received EnrolmentRequest message. *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Initial conditions: 
       *     with {
       *         the IUT being in the "operational state"
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives an EnrolmentRequestMessage across the interface at the reference point S3
       *         }
       *         then {
       *             the IUT answers with an EnrolmentResponseMessage across the interface at reference point S3
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 TP SECPKI_EA_ENR_RCV_01_BV * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SECPKI_EA_ENR_RCV_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_HashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to macth the response f_init_default_headers_list(-, "inner_ec_request", v_headers); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo/*(v_aes_sym_key_hashed_id8)*/, * }, mw_SymmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_RCV_01_BV /** * @desc Check that EA doesn't accept Enrolment rekeying request when enrolment is not permitted * by signing certificate. *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Initial conditions: 
       *     with {
       *         the IUT being in the "operational state"
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives an EnrolmentRequestMessage
       *                 containing an encrypted EtsiTs103097Data-Signed
       *                     containing signer
       *                         containing digest
       *                             indicating HashedId8 of the certificate CERT
       *                                 containing appPermissions
       *                                     not containing an item of type PsidSsp
       *                                         containing psid
       *                                             indicating AID_CERT_REQ
       *                                     or containing an item of type PsidSsp
       *                                         containing psid
       *                                             indicating AID_CERT_REQ
       *                                         and containing ssp
       *                                             containing opaque[0] (version)
       *                                                 indicating other value than 1
       *                                             or containing opaque[1] (value)
       *                                                 indicating "Enrolment Request" (bit 1) set to 0
       *         }
       *         then {
       *             the IUT answers with an EnrolmentResponseMessage
       *                 containing InnerECResponse
       *                     containing responseCode
       *                         indicating "deniedpermissions"
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 TP SECPKI_EA_ENR_RCV_02_BI * @reference ETSI TS 102 941, clause B.5 */ testcase TC_SECPKI_EA_ENR_RCV_02_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp("CERT_TS_A_EA_AA_AUTHVAL_RCV_02_BI_01", PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_SymmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16))))); if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16)))) == false) { log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_RCV_02_BI } // End of group enrolment_request_handling group enrolment_response { /** * @desc The EnrolmentResponse message shall be encrypted using an ETSI TS 103 097 approved * algorithm and the encryption shall be done with the same AES key as the one used * by the ITS-S requestor for the encryption of the EnrolmentRequest message *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives an EnrolmentRequestMessage
       *                 containing encKey
       *                     containing an encrypted AES key (SYMKEY)
       *         }
       *         then {
       *             the IUT answers with an EnrolmentResponseMessage
       *                 containing cipherTex
       *                     being encrypted using SYMKEY
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 TP SECPKI_EA_ENR_01_BV * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SECPKI_EA_ENR_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body httpPort.send( m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [not(PICS_MULTIPLE_END_POINT)] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) { log("*** " & testcasename() & ": PASS: InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [not(PICS_MULTIPLE_END_POINT)] httpPort.receive( mw_http_response( mw_http_response_ko )) { tc_ac.stop; log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_01_BV /** * @desc The EnrolmentResponse message shall be encrypted using an ETSI TS 103 097 approved * algorithm and the encryption shall be done with the same AES key as the one used * by the ITS-S requestor for the encryption of the EnrolmentRequest message. *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives an EnrolmentRequestMessage
       *                 containing encKey
       *                     containing an encrypted AES key (SYMKEY)
       *         }
       *         then {
       *             the IUT answers with an EnrolmentResponseMessage
       *                 containing cipherTex
       *                     being encrypted
       *                         using SYMKEY
       *                         and using an ETSI TS 103 097 approved algorithm
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 TP 22 * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SECPKI_EA_ENR_02_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body httpPort.send( m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [not(PICS_MULTIPLE_END_POINT)] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) { log("*** " & testcasename() & ": PASS: InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [not(PICS_MULTIPLE_END_POINT)] httpPort.receive( mw_http_response( mw_http_response_ko )) { tc_ac.stop; log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_02_BV /** * @desc The outermost structure is an EtsiTs103097Data-Encrypted structure containing * the component recipients containing one instance of RecipientInfo of choice * pskRecipInfo, which contains the HashedId8 of the symmetric key used by the * ITS-S to encrypt the EnrolmentRequest message to which the response is built * and containing the component ciphertext, once decrypted, contains an * EtsiTs103097Data-Signed structure *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives an EnrolmentRequestMessage
       *         }
       *         then {
       *             the IUT sends an EtsiTs103097Data-Encrypted structure
       *                 containing recipients
       *                     containing one instance of RecipientInfo of choice pskRecipInfo
       *                         containing the HashedId8 of the symmetric key used to encrypt the EnrolmentRequestMessage
       *                 and containing cipherText
       *                     being an encrypted EtsiTs103097Data-Signed structure
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 TP SECPKI_EA_ENR_03_BV * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SECPKI_EA_ENR_03_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Oct16 v_aes_sym_key; var Oct16 v_encrypted_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); httpPort.send( m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [not(PICS_MULTIPLE_END_POINT)] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) { log("*** " & testcasename() & ": PASS: InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_03_BV /** * @desc If the ITS-S has been able to decrypt the content, this expected EtsiTs103097Data-Signed structure shall * contain hashId, tbsData, signer and signature. The hashId shall indicate the hash algorithm to be used as * specified in ETSI TS 103 097, the signer shall be declared as a digest, containing the HashedId8 of the * EA certificate and the signature over tbsData shall be computed using the EA private key corresponding to * its publicVerificationKey found in the referenced EA certificate. *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives an EnrolmentRequestMessage
       *         }
       *         then {
       *             the IUT sends an EtsiTs103097Data-Encrypted structure
       *                 containing an encrypted EtsiTs103097Data-Signed structure
       *                     containing hashId
       *                        indicating the hash algorithm to be used as specified in ETSI TS 103 097
       *                     and containing tbsData
       *                     and containing signer
       *                         declared as a digest
       *                             containing the HashedId8 of the EA certificate
       *                     and containing signature
       *                         computed over tbsData
       *                             using the EA private key
       *                                 corresponding to the publicVerificationKey found in the referenced EA certificate
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 TP SECPKI_EA_ENR_04_BV * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SECPKI_EA_ENR_04_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Oct16 v_aes_sym_key; var Oct16 v_encrypted_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); httpPort.send( m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [not(PICS_MULTIPLE_END_POINT)] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) { if (f_verify_ec_certificate(v_etsi_ts_102941_data.content.enrolmentResponse.certificate, vc_eaCertificate, v_public_compressed_key, v_compressed_mode) == false) { log("*** " & testcasename() & ": FAIL: Cannot verify EC certificate signature ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: Well-secured EA certificate received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_04_BV /** * @desc Within the headerInfo of the tbsData, the psid shall be set to “secured certificate request� as assigned in * ETSI TS 102 965 and the generationTime shall be present. *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives an EnrolmentRequestMessage
       *         }
       *         then {
       *             the IUT sends an EtsiTs103097Data-Encrypted structure
       *                 containing an encrypted EtsiTs103097Data-Signed structure
       *                     containing tbsData
       *                         containing headerInfo
       *                             containing psid
       *                                 indicating AID_CERT_REQ
       *                             and containing generationTime
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 TP SECPKI_EA_ENR_05_BV * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SECPKI_EA_ENR_05_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Oct16 v_aes_sym_key; var Oct16 v_encrypted_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); httpPort.send( m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [not(PICS_MULTIPLE_END_POINT)] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) { if (f_verify_ec_certificate(v_etsi_ts_102941_data.content.enrolmentResponse.certificate, vc_eaCertificate, v_public_compressed_key, v_compressed_mode)) { log("*** " & testcasename() & ": PASS: Well-secured EC certificate received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Cannot verify EC certificate signature ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_05_BV /** * @desc Within the headerInfo of the tbsData, aside from psid and generationTime, * all other components of the component tbsData.headerInfo not used and absent. *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives an EnrolmentRequestMessage
       *         }
       *         then {
       *             the IUT sends an EtsiTs103097Data-Encrypted structure
       *                 containing an encrypted EtsiTs103097Data-Signed structure
       *                     containing tbsData
       *                         containing headerInfo
       *                             containing psid
       *                             and containing generationTime
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 TP SECPKI_EA_ENR_06_BV * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SECPKI_EA_ENR_06_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Oct16 v_aes_sym_key; var Oct16 v_encrypted_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); httpPort.send( m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [not(PICS_MULTIPLE_END_POINT)] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) { if (f_verify_ec_certificate(v_etsi_ts_102941_data.content.enrolmentResponse.certificate, vc_eaCertificate, v_public_compressed_key, v_compressed_mode)) { log("*** " & testcasename() & ": PASS: Well-secured EC certificate received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Cannot verify EC certificate signature ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_06_BV /** * @desc The EtsiTS102941Data shall contain the version set to v1 (integer value set to 1) * and the content set to InnerECResponse. *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives an EnrolmentRequestMessage
       *         }
       *         then {
       *             the IUT sends an EtsiTs103097Data-Encrypted structure
       *                 containing an encrypted EtsiTs103097Data-Signed structure
       *                     containing tbsData
       *                         containing EtsiTS102941Data
       *                             containing version
       *                                 indicating v1 (integer value set to 1)
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 TP SECPKI_EA_ENR_07_BV * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SECPKI_EA_ENR_07_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Oct16 v_aes_sym_key; var Oct16 v_encrypted_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); httpPort.send( m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [not(PICS_MULTIPLE_END_POINT)] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) { log("*** " & testcasename() & ": PASS: Well-secured EA certificate received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_07_BV /** * @desc The InnerECResponse shall contain the requestHash, which is the left-most 16 octets of the SHA256 digest of the * EtsiTs103097Data - Signed structure received in the request and a responseCode indicating the result of the request. *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives an EnrolmentRequestMessage
       *         }
       *         then {
       *             the IUT sends an EtsiTs103097Data-Encrypted structure
       *                 containing an encrypted EtsiTs103097Data-Signed structure
       *                     containing tbsData
       *                         containing EtsiTS102941Data
       *                             containing requestHash
       *                                 indicating the left-most 16 octets of the SHA256 digest of the EtsiTs103097Data-Signed structure received in the request
       *                             and containing responseCode
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 TP SECPKI_EA_ENR_08_BV * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SECPKI_EA_ENR_08_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Oct16 v_aes_sym_key; var Oct16 v_encrypted_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); httpPort.send( m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [not(PICS_MULTIPLE_END_POINT)] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) { log("*** " & testcasename() & ": PASS: Well-secured EA certificate received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_08_BV /** * @desc If the responseCode is 0, the InnerECResponse shall also contain an (enrolment) certificate. *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives an EnrolmentRequestMessage
       *         }
       *         then {
       *             the IUT sends an EtsiTs103097Data-Encrypted structure
       *                 containing an encrypted EtsiTs103097Data-Signed structure
       *                     containing tbsData
       *                         containing EtsiTS102941Data
       *                             containing InnerECResponse
       *                                 containing an enrolment certificate
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 TP SECPKI_EA_ENR_09_BV * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SECPKI_EA_ENR_09_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Oct16 v_aes_sym_key; var Oct16 v_encrypted_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); httpPort.send( m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [not(PICS_MULTIPLE_END_POINT)] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( { mw_recipientInfo_pskRecipInfo }, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec, -)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec, -))))) { if (f_verify_ec_certificate(v_etsi_ts_102941_data.content.enrolmentResponse.certificate, vc_eaCertificate, v_public_compressed_key, v_compressed_mode) == true) { log("*** " & testcasename() & ": PASS: Well-secured EC certificate received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: EC certificate is not proerly formated ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_09_BV /** * @desc If the responseCode is different than 0, the InnerECResponse shall not contain a certificate. *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives an EnrolmentRequestMessage
       *         }
       *         then {
       *             the IUT sends an EtsiTs103097Data-Encrypted structure
       *                 containing an encrypted EtsiTs103097Data-Signed structure
       *                     containing tbsData
       *                         containing EtsiTS102941Data
       *                             containing InnerECResponse
       *                                 not containing a certificate
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 TP SECPKI_EA_ENR_10_BV * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SECPKI_EA_ENR_10_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Oct16 v_aes_sym_key; var Oct16 v_encrypted_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_invalid_enrolment_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); httpPort.send( m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [not(PICS_MULTIPLE_END_POINT)] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ko))) { log("*** " & testcasename() & ": PASS: Well-secured EA certificate received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_10_BV /** * @desc Check that signing of Enrolment response message is permitted by the EA certificate. *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives an EnrolmentRequestMessage
       *         }
       *         then {
       *             the IUT sends an EtsiTs103097Data-Encrypted structure
       *                 containing an encrypted EtsiTs103097Data-Signed structure
       *                     containing signer
       *                         declared as a digest
       *                             containing the HashedId8 of the EA certificate
       *                                 containing appPermissions
       *                                     containing an item of type PsidSsp
       *                                         containing psid
       *                                             indicating AID_CERT_REQ
       *                                         and containing ssp
       *                                             containing opaque[0] (version) 
       *                                                 indicating 1
       *                                             containing opaque[1] (value) 
       *                                                 indicating bit "Enrolment Response" (5) set to 1
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 TP SECPKI_EA_ENR_11_BV * @reference ETSI TS 102 941, clause B[5] */ testcase TC_SECPKI_EA_ENR_11_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Oct16 v_aes_sym_key; var Oct16 v_encrypted_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); httpPort.send( m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [not(PICS_MULTIPLE_END_POINT)] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( { mw_recipientInfo_pskRecipInfo }, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec, -)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec, -))))) { if (f_verify_ec_certificate(v_etsi_ts_102941_data.content.enrolmentResponse.certificate, vc_eaCertificate, v_public_compressed_key, v_compressed_mode) == true) { log("*** " & testcasename() & ": PASS: Well-secured EC certificate received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: EC certificate is not proerly formated ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_11_BV /** * @desc Check that generated EC certificate contains only allowed permissions. *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives an EnrolmentRequestMessage
       *         }
       *         then {
       *             the EC_CERT
       *                 containing appPermissions
       *                     containing an item of type PsidSsp
       *                         containing psid
       *                             indicating AID_CERT_REQ
       *                         and containing ssp
       *                             containing opaque[0] (version) 
       *                                 indicating 1
       *                             containing opaque[1] (value) 
       *                                 indicating "Enrolment Request" (bit 0) set to 1
       *                                 indicating "Authorization Request" (bit 1) set to 1
       *                                 indicating other bits set to 0
       *                     and NOT containing an item of type PsidSsp
       *                         containing psid
       *                             indicating AID_CTL
       *                     and NOT containing an item of type PsidSsp
       *                         containing psid
       *                             indicating AID_CRL
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 TP SECPKI_EA_ENR_12_BV * @reference ETSI TS 102 941, clause B[5] */ testcase TC_SECPKI_EA_ENR_12_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Oct16 v_aes_sym_key; var Oct16 v_encrypted_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); httpPort.send( m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [not(PICS_MULTIPLE_END_POINT)] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( { mw_recipientInfo_pskRecipInfo }, mw_SymmetricCiphertext_aes128ccm ))))))) -> value v_response { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec, -)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec, -))))) { if (f_verify_ec_certificate(v_etsi_ts_102941_data.content.enrolmentResponse.certificate, vc_eaCertificate, v_public_compressed_key, v_compressed_mode) == true) { log("*** " & testcasename() & ": PASS: Well-secured EC certificate received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: EC certificate is not proerly formated ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_12_BV } // End of group enrolment_response group authorization_validation_request { group atv_helpers { function f_verify_http_at_request_from_iut_atv( in Request p_request, out Oct16 p_aes_sym_key, out Oct16 p_authentication_vector, out Oct32 p_request_hash, out InnerAtRequest p_inner_at_request, out integer p_result ) runs on ItsPkiHttp { // Local variables var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var EtsiTs102941Data v_etsi_ts_102941_data; var Oct16 v_request_hash; var Oct16 v_aes_enc_key; var InnerAtResponse v_inner_ec_request; log(">>> f_verify_http_at_request_from_iut_atv: p_request= ", p_request); p_result := 0; if (f_verify_pki_request_message(vc_aaPrivateEncKey, vc_aaWholeHash/*salt*/, vc_aaWholeHash, p_request.body.binary_body.ieee1609dot2_data, true, v_request_hash, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Set verdict p_result := -1; } else { log("f_verify_http_at_request_from_iut_atv: Receive ", v_etsi_ts_102941_data); /*log(match(v_etsi_ts_102941_data.content, mw_authorizationValidationRequest(mw_authorizationValidationRequest_ok(substr(p_request_hash, 0, 16), mw_certificate_subject_attributes(p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.appPermissions, p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.id, p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.validityPeriod))))); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_authorizationValidationRequest(mw_authorizationValidationRequest_ok(substr(p_request_hash, 0, 16), mw_certificate_subject_attributes(p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.appPermissions, p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.id, p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.validityPeriod)))) == false) { // Set verdict p_result := -2; } else { // TODO Refined expected mw_signature_ecdsaNistP256 log("f_verify_http_at_request_from_iut_atv: Well-secured AT certificate received"); }*/ } log("<<< f_verify_http_at_request_from_iut_atv: p_inner_at_request= ", p_inner_at_request); log("<<< f_verify_http_at_request_from_iut_atv: p_aes_sym_key= ", p_aes_sym_key); log("<<< f_verify_http_at_request_from_iut_atv: p_authentication_vector= ", p_authentication_vector); log("<<< f_verify_http_at_request_from_iut_atv: p_request_hash= ", p_request_hash); log("<<< f_verify_http_at_request_from_iut_atv: p_result: ", p_result); } // End of function f_verify_http_at_request_from_iut_atv function f_verify_http_at_response_from_iut_atv( in InnerAtRequest p_inner_at_request, in Response p_response, in octetstring p_private_key, in Oct16 p_aes_sym_key, in Oct16 p_authentication_vector, in Oct32 p_request_hash, out InnerAtResponse p_inner_at_response, out integer p_result ) runs on ItsPkiHttp { // Local variables var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var EtsiTs102941Data v_etsi_ts_102941_data; var Oct16 v_aes_enc_key; var InnerEcResponse v_inner_ec_response; log(">>> f_verify_http_at_response_from_iut_atv: p_inner_at_request= ", p_inner_at_request); log(">>> f_verify_http_at_response_from_iut_atv: p_response= ", p_response); log(">>> f_verify_http_at_response_from_iut_atv: p_private_key= ", p_private_key); log(">>> f_verify_http_at_response_from_iut_atv: p_aes_sym_key= ", p_aes_sym_key); log(">>> f_verify_http_at_response_from_iut_atv: p_authentication_vector= ", p_authentication_vector); log(">>> f_verify_http_at_response_from_iut_atv: p_request_hash= ", p_request_hash); p_result := 0; if (f_verify_pki_response_message(p_private_key, p_aes_sym_key, p_authentication_vector, vc_eaWholeHash, p_response.body.binary_body.ieee1609dot2_data, true, v_etsi_ts_102941_data) == false) { // Set verdict p_result := -1; } else { log("f_verify_http_at_response_from_iut_atv: Receive ", v_etsi_ts_102941_data); log(match(v_etsi_ts_102941_data.content, mw_authorizationValidationResponse(mw_authorizationValidationResponse_ok(substr(p_request_hash, 0, 16), mw_certificate_subject_attributes(p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.appPermissions, p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.id, p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.validityPeriod))))); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_authorizationValidationResponse(mw_authorizationValidationResponse_ok(substr(p_request_hash, 0, 16), mw_certificate_subject_attributes(p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.appPermissions, p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.id, p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.validityPeriod)))) == false) { // Set verdict p_result := -2; } else { // TODO Refined expected mw_signature_ecdsaNistP256 log("f_verify_http_at_response_from_iut_atv: Well-secured AT certificate received"); } } log("<<< f_verify_http_at_response_from_iut_atv: p_result: ", p_result); } // End of function f_verify_http_at_response_from_iut_atv } // End of group atv_helpers /** * @desc The AuthorizationValidationResponse message shall be sent by the EA to the AA across the interface * at reference point S4 in response to a received AuthorizationValidationRequest message *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Initial conditions: 
       *     with {
       *         the IUT being in the "operational state"
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives a AuthorizationValidationRequest message
       *         }
       *         then {
       *             the IUT sends a AuthorizationValidationResponse message
       *                 across the reference point S4 to the AA
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 TP SECPKI_EA_AUTHVAL_RCV_01_BV * @reference ETSI TS 102 941, clause 6.2.3.4 */ testcase TC_SECPKI_EA_AUTHVAL_RCV_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer v_compressed_key_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var InnerAtRequest v_inner_at_request; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, cc_taCert_A_AA); // Test adapter configuration // Preamble // Trigger an enrolment request if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_response, false/*Escrypt*/) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); // Generate an InnerAtRequest if (f_generate_inner_at_request(vc_aaCertificate, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) { log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***"); f_selfOrClientSyncAndVerdict("error", e_error); } log("*** " & testcasename() & ": DEBUG: v_inner_at_request= ", v_inner_at_request); log("*** " & testcasename() & ": DEBUG: v_private_key_at= ", v_private_key_at); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_build_authorization_validation_request(v_inner_at_request, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_HashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to macth the response f_init_default_headers_list(-, "inner_atv_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_ATV, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_atv_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo/*(v_aes_sym_key_hashed_id8)*/, * }, mw_SymmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_inner_at_response; tc_ac.stop; f_verify_http_at_response_from_iut_atv(v_inner_at_request, v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result); // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: Well-secured AT certificate received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify AT response ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_AUTHVAL_RCV_01_BV /** * @desc Check that EA doesn't accept Authorization Validation Request when * SharedAtRequest is signed with certificate without appropriate * permissions *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Initial conditions: 
       *     with {
       *         the IUT being in the "operational state"
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives a AuthorizationValidationRequest  message
       *         }
       *         then {
       *             the IUT sends a AuthorizationValidationResponse message
       *                 across the reference point S4 to the AA
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 TP SECPKI_EA_AUTHVAL_RCV_02_BI * @reference ETSI TS 102 941, clause B[5] */ testcase TC_SECPKI_EA_AUTHVAL_RCV_02_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer v_compressed_key_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var InnerAtRequest v_inner_at_request; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp("CERT_TS_EA_AUTHVAL_RCV_02_BI_02", cc_taCert_A_AA); // Test adapter configuration // Preamble // Trigger an enrolment request if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_response) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); // Generate an InnerAtRequest if (f_generate_inner_at_request(vc_aaCertificate, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) { log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***"); f_selfOrClientSyncAndVerdict("error", e_error); } log("*** " & testcasename() & ": DEBUG: v_inner_at_request= ", v_inner_at_request); log("*** " & testcasename() & ": DEBUG: v_private_key_at= ", v_private_key_at); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_build_authorization_validation_request(v_inner_at_request, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_HashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to macth the response f_init_default_headers_list(-, "inner_atv_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_ATV, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_atv_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo/*(v_aes_sym_key_hashed_id8)*/, * }, mw_SymmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_inner_at_response; tc_ac.stop; if (f_verify_pki_response_message(v_private_key_at, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16))))); if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16)))) == false) { log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_AUTHVAL_RCV_02_BI } // End of group authorization_validation_request group authorization_validation_response { /** * @desc The EtsiTs103097Data-Encrypted is build with the component recipients containing one instance of RecipientInfo * of choice pskRecipInfo, which contains the HashedId8 of the symmetric key used by the ITS-S to encrypt the * AuthorizationRequest message to which the response is built and the component ciphertext containing the encrypted * representation of the EtsiTs103097Data-Signed. The encryption uses a ETSI TS 103 097 [3] approved algorithm. *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Initial conditions: 
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives a AuthorizationValidationRequest message
       *                 containing encKey
       *                     containing the encrypted symmetric data encryption key (SYMKEY)
       *         }
       *         then {
       *             the IUT sends a AuthorizationValidationResponse message
       *                 containing EtsiTs103097Data-Encrypted
       *                     containing recipients
       *                         containing one instance of RecipientInfo of choice pskRecipInfo
       *                             indicating the HashedId8 of SYMKEY
       *                     and containing ciphertext
       *                         containing EtsiTs103097Data-Signed
       *                             being encrypted using SYMKEY and an ETSI TS 103 097 approved algorithm
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 TP SECPKI_EA_AUTHVAL_01_BV * @reference ETSI TS 102 941, clause 6.2.3.4.2 */ testcase TC_SECPKI_EA_AUTHVAL_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer v_compressed_key_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var InnerAtRequest v_inner_at_request; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, cc_taCert_A_AA); // Test adapter configuration // Preamble // Trigger an enrolment request if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_response) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); // Generate an InnerAtRequest if (f_generate_inner_at_request(vc_aaCertificate, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) { log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***"); f_selfOrClientSyncAndVerdict("error", e_error); } log("*** " & testcasename() & ": DEBUG: v_inner_at_request= ", v_inner_at_request); log("*** " & testcasename() & ": DEBUG: v_private_key_at= ", v_private_key_at); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_build_authorization_validation_request(v_inner_at_request, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_HashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to macth the response f_init_default_headers_list(-, "inner_atv_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_ATV, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_atv_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo/*(v_aes_sym_key_hashed_id8)*/, * }, mw_SymmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_inner_at_response; tc_ac.stop; f_verify_http_at_response_from_iut_atv(v_inner_at_request, v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result); // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: Well-secured AT certificate received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify AT response ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_AUTHVAL_01_BV /** * @desc To read an authorization validation response, the AA shall receive an EtsiTs103097Data-Encrypted structure, * containing a EtsiTs103097Data-Signed structure, containing a EtsiTs102941Data structure, containing an * AuthorizationValidationResponse structure. *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Initial conditions: 
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives a AuthorizationValidationRequest message
       *         }
       *         then {
       *             the IUT sends a AuthorizationValidationResponse message
       *                 containing EtsiTs103097Data-Signed
       *                     containing AuthorizationValidationResponse
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 TP SECPKI_EA_AUTHVAL_02_BV * @reference ETSI TS 102 941, clause 6.2.3.4.2 */ testcase TC_SECPKI_EA_AUTHVAL_02_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer v_compressed_key_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var InnerAtRequest v_inner_at_request; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, cc_taCert_A_AA); // Test adapter configuration // Preamble // Trigger an enrolment request if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_response) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); // Generate an InnerAtRequest if (f_generate_inner_at_request(vc_aaCertificate, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) { log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***"); f_selfOrClientSyncAndVerdict("error", e_error); } log("*** " & testcasename() & ": DEBUG: v_inner_at_request= ", v_inner_at_request); log("*** " & testcasename() & ": DEBUG: v_private_key_at= ", v_private_key_at); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_build_authorization_validation_request(v_inner_at_request, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_HashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to macth the response f_init_default_headers_list(-, "inner_atv_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_ATV, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_atv_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo/*(v_aes_sym_key_hashed_id8)*/, * }, mw_SymmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_inner_at_response; tc_ac.stop; f_verify_http_at_response_from_iut_atv(v_inner_at_request, v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result); // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: Well-secured AT certificate received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify AT response ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_AUTHVAL_02_BV /** * @desc The AuthorizationValidationResponse structure contains the requestHash being the left-most 16 octets of * the SHA256 digest of the EtsiTs103097Data-Signed structure received in the AuthorizationValidationRequest * and a responseCode. *
       * Pics Selection: PICS_IUT_EA_ROLE
       * Initial conditions: 
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives a AuthorizationValidationRequest message
       *                 containing EtsiTs103097Data-Signed structure (REQDSS)
       *         }
       *         then {
       *             the IUT sends a AuthorizationValidationResponse message
       *                 containing EtsiTs103097Data-Signed
       *                     containing EtsiTs102941Data
       *                         containing AuthorizationValidationResponse
       *                             containing requestHash
       *                                 indicating the left-most 16 octets of the SHA256 digest of REQDSS
       *                             and containing responseCode
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 TP SECPKI_EA_AUTHVAL_03_BV * @reference ETSI TS 102 941, clause 6.2.3.4.2 */ testcase TC_SECPKI_EA_AUTHVAL_03_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer v_compressed_key_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var InnerAtRequest v_inner_at_request; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, cc_taCert_A_AA); // Test adapter configuration // Preamble // Trigger an enrolment request if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_response) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); // Generate an InnerAtRequest if (f_generate_inner_at_request(vc_aaCertificate, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) { log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***"); f_selfOrClientSyncAndVerdict("error", e_error); } log("*** " & testcasename() & ": DEBUG: v_inner_at_request= ", v_inner_at_request); log("*** " & testcasename() & ": DEBUG: v_private_key_at= ", v_private_key_at); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_build_authorization_validation_request(v_inner_at_request, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_HashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to macth the response f_init_default_headers_list(-, "inner_atv_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_ATV, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_atv_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo/*(v_aes_sym_key_hashed_id8)*/, * }, mw_SymmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_inner_at_response; tc_ac.stop; f_verify_http_at_response_from_iut_atv(v_inner_at_request, v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result); // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: Well-secured AT certificate received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify AT response ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_AUTHVAL_03_BV } // End of group authorization_validation_response group authorization_response { // TODO } // End of group authorization_response group ca_ceetificate_request { // TODO } // End of group ca_ceetificate_request } // End of group ea_behavior group aa_behavior { group aa_helpers { function f_verify_http_at_response_from_iut_aa( in Response p_response, in octetstring p_private_key, in Oct16 p_aes_sym_key, in Oct16 p_authentication_vector, in Oct32 p_request_hash, out InnerAtResponse p_inner_at_response, out integer p_result ) runs on ItsPkiHttp { // Local variables var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var EtsiTs102941Data v_etsi_ts_102941_data; var Oct16 v_aes_enc_key; var InnerEcResponse v_inner_ec_response; log(">>> f_verify_http_at_response_from_iut_aa: p_response= ", p_response); log(">>> f_verify_http_at_response_from_iut_aa: p_private_key= ", p_private_key); log(">>> f_verify_http_at_response_from_iut_aa: p_aes_sym_key= ", p_aes_sym_key); log(">>> f_verify_http_at_response_from_iut_aa: p_authentication_vector= ", p_authentication_vector); log(">>> f_verify_http_at_response_from_iut_aa: p_request_hash= ", p_request_hash); p_result := 0; if (f_verify_pki_response_message(p_private_key, p_aes_sym_key, p_authentication_vector, vc_aaWholeHash, p_response.body.binary_body.ieee1609dot2_data, true, v_etsi_ts_102941_data) == false) { // Set verdict p_result := -1; } else { log("f_verify_http_at_response_from_iut_aa: Receive ", v_etsi_ts_102941_data); log(match(v_etsi_ts_102941_data.content, mw_authorizationResponse(mw_innerAtResponse_ok(-/*Escryptsubstr(p_request_hash, 0, 16)*/, mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_at, -))))); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_authorizationResponse(mw_innerAtResponse_ok(-/*Escryptsubstr(p_request_hash, 0, 16)*/, mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_at, -)))) == false) { log(match(v_etsi_ts_102941_data.content, mw_authorizationResponse(mw_innerAtResponse_ko))); if (match(v_etsi_ts_102941_data.content, mw_authorizationResponse(mw_innerAtResponse_ko)) == false) { // Set verdict p_result := -2; } else { // Set verdict p_result := -3; } } else { // Verify AT Certificate signature if (f_verifyCertificateSignatureWithIssuingCertificate(v_etsi_ts_102941_data.content.authorizationResponse.certificate, vc_aaCertificate) == false) { // Set verdict p_result := -4; } log("f_verify_http_at_response_from_iut_aa: Well-secured AT certificate received"); } } log("<<< f_verify_http_at_response_from_iut_aa: p_result: ", p_result); } // End of function f_verify_http_at_response_from_iut_aa } // End of group aa_helpers group authorization_request { /** * @desc Check that the EA/AA is able to decrypt the AuthorizationRequest message using the encryption private key corresponding to the recipient certificate * Check that the EA/AA is able to verify the inner signature * Check that the EA/AA is able to verify the request authenticity using the hmacKey verification * Check that the EA/AA sends the AuthorizationValidationRequest message to the correspondent EA *
       * Pics Selection: PICS_IUT_AA_ROLE and not PICS_PKI_AUTH_POP
       * Initial conditions: 
       *     with {
       *          the EA/AA in "operational state"
       *              authorized with the certificate CERT_AA
       *                  containing encryptionKey (AA_ENC_PUB_KEY)
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *            the IUT receives an EtsiTs103097Data message
       *                containing content.encryptedData
       *                    containing recipients
       *                        containing the instance of RecipientInfo
       *                            containing certRecipInfo
       *                                containing recipientId
       *                                    indicating HashedId8 of the certificate CERT_AA
       *                                and containing encKey
       *                                    indicating symmetric key (S_KEY)
       *                                        encrypted with the private key correspondent to the AA_ENC_PUB_KEY
       *                    and containing cyphertext (ENC_DATA)
       *                        containing encrypted representation of the EtsiTs103097Data-Signed
       *                            containing content.signedData
       *                                containing hashId
       *                                    indicating valid hash algorythm
       *                and containing signer
       *                    containing self
       *                and containing tbsData (SIGNED_DATA)
       *                    containing payload
       *                        containing EtsiTs102941Data
       *                            containing content.authorizationRequest
       *                                containing publicKeys.verificationKey (V_KEY)
       *                                and containing hmacKey (HMAC)
       *                                and containing sharedAtRequest
       *                                    containing keyTag (KEY_TAG)
       *                                    and containing eaId (EA_ID)
       *                                        indicating HashedId8 of the known EA certificate
       *                and containing signature (SIGNATURE)
       *         }
       *         then {
       *            the IUT is able to decrypt the S_KEY
       *                using the private key
       *                    corresponding to the AA_ENC_PUB_KEY
       *            and the IUT is able to decrypt the cypthertext ENC_DATA
       *                using the S_KEY
       *            and the IUT is able to verify the signature SIGNATURE over the SIGNED_DATA
       *                using the V_KEY
       *            and the IUT is able to verify integrity of HMAC and KEY_TAG
       *            and the IUT sends the AuthorizationValidationRequest message to the EA
       *                identified by the EA_ID
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_AA_AUTH_RCV_01_BV * @reference ETSI TS 102 941, clause 6.2.3.3.1 */ testcase TC_SECPKI_AA_AUTH_RCV_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer p_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_response) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); // Test Body f_http_build_authorization_request(v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_HashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to macth the response f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo/*(v_aes_sym_key_hashed_id8)*/, * }, mw_SymmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_inner_at_response; tc_ac.stop; f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result); // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: Well-secured AT certificate received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify AT response ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_AA_AUTH_RCV_01_BV /** * @desc Check that the AA is able to decrypt the AuthorizationRequest message using the encryption private key corresponding to the recipient certificate * Check that the AA is able to verify the request authenticity using the hmacKey verification * Check that the AA sends the AuthorizationValidationRequest message to the correspondent EA *
       * Pics Selection: PICS_IUT_AA_ROLE
       * Initial conditions: 
       *     with {
       *          the EA/AA in "operational state"
       *              authorized with the certificate CERT_AA
       *                  containing encryptionKey (AA_ENC_PUB_KEY)
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *            the IUT receives an EtsiTs103097Data message
       *                containing content.encryptedData
       *                    containing recipients
       *                        containing the instance of RecipientInfo
       *                            containing certRecipInfo
       *                                containing recipientId
       *                                    indicating HashedId8 of the certificate CERT_AA
       *                                and containing encKey
       *                                    indicating symmetric key (S_KEY)
       *                                        encrypted with the private key correspondent to the AA_ENC_PUB_KEY
       *                    and containing cyphertext (ENC_DATA)
       *                        containing EtsiTs102941Data
       *                            containing content.authorizationRequest
       *                                containing publicKeys.verificationKey (V_KEY)
       *                                and containing hmacKey (HMAC)
       *                                and containing sharedAtRequest
       *                                    containing keyTag (KEY_TAG)
       *                                    and containing eaId (EA_ID)
       *                                        indicating HashedId8 of the known EA certificate
       *         }
       *         then {
       *            the IUT is able to decrypt the S_KEY
       *                using the private key
       *                    corresponding to the AA_ENC_PUB_KEY
       *            and the IUT is able to decrypt the cypthertext ENC_DATA
       *                using the S_KEY
       *            and the IUT is able to verify integrity of HMAC and KEY_TAG
       *            and the IUT sends the AuthorizationValidationRequest message to the EA
       *                identified by the EA_ID
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_AA_AUTH_RCV_02_BV * @reference ETSI TS 102 941, clause 6.2.3.3.1 */ testcase TC_SECPKI_AA_AUTH_RCV_02_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer p_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_AA_ROLE or PICS_PKI_AUTH_POP) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE and not PICS_PKI_AUTH_POP required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_response) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); // Test Body f_http_build_authorization_request(v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_HashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to macth the response f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo/*(v_aes_sym_key_hashed_id8)*/, * }, mw_SymmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_inner_at_response; tc_ac.stop; f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result); // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: Well-secured AT certificate received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify AT response ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_AA_AUTH_RCV_02_BV /** * @desc Check that the AA skips the AuthorizationRequest message if it is not addressed to this AA *
       * Pics Selection: PICS_IUT_AA_ROLE
       * Initial conditions: 
       *     with {
       *          the EA/AA in "operational state"
       *              authorized with the certificate CERT_AA
       *                  containing encryptionKey (AA_ENC_PUB_KEY)
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *            the IUT receives an EtsiTs103097Data message
       *                containing content.encryptedData
       *                    containing recipients
       *                        containing the instance of RecipientInfo
       *                            containing certRecipInfo
       *                                containing recipientId
       *                                    NOT equal to the HashedId8 of the certificate CERT_AA
       *                                and containing encKey
       *                                    indicating symmetric key (S_KEY)
       *                                        encrypted with the private key correspondent to the AA_ENC_PUB_KEY
       *         }
       *         then {
       *            the IUT does not send the AuthorizationValidationRequest message
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_AA_AUTH_RCV_03_BI * @reference ETSI TS 102 941, clause 6.2.3.3.1 */ testcase TC_SECPKI_AA_AUTH_RCV_03_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer p_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_response) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); // Test Body f_http_build_authorization_request(v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_HashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to macth the response v_ieee1609dot2_signed_and_encrypted_data.content.encryptedData.recipients[0].pskRecipInfo := int2oct(314259265, 8); f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_noac.start; alt { [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo/*(v_aes_sym_key_hashed_id8)*/, * }, mw_SymmetricCiphertext_aes128ccm )))))), v_response ) { tc_noac.stop; log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) { tc_noac.stop; log("*** " & testcasename() & ": PASS: IUT has rejected the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } [] tc_noac.timeout { log("*** " & testcasename() & ": PASS: IUT has discarded the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_AA_AUTH_RCV_03_BI /** * @desc Check that the AA skips the AuthorizationRequest message if it unable to decrypt the encKey *
       * Pics Selection: PICS_IUT_AA_ROLE
       * Initial conditions: 
       *     with {
       *          the EA/AA in "operational state"
       *              authorized with the certificate CERT_AA
       *                  containing encryptionKey (AA_ENC_PUB_KEY)
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *            the IUT receives an EtsiTs103097Data message
       *                containing content.encryptedData
       *                    containing recipients
       *                        containing the instance of RecipientInfo
       *                            containing certRecipInfo
       *                                containing recipientId
       *                                    indicating value
       *                                        equal to the HashedId8 of the certificate CERT_AA
       *                                and containing encKey
       *                                    indicating symmetric key (S_KEY)
       *                                        encrypted with the OTHER private key correspondent to the AA_ENC_PUB_KEY
       *         }
       *         then {
       *            the IUT does not send the AuthorizationValidationRequest message
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_AA_AUTH_RCV_04_BI * @reference ETSI TS 102 941, clause 6.2.3.3.1 */ testcase TC_SECPKI_AA_AUTH_RCV_04_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer p_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_response) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); // Test Body f_http_build_authorization_request_with_wrong_private_key(v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_HashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to macth the response f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_noac.start; alt { [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo/*(v_aes_sym_key_hashed_id8)*/, * }, mw_SymmetricCiphertext_aes128ccm )))))), v_response ) { tc_noac.stop; log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) { tc_noac.stop; log("*** " & testcasename() & ": PASS: IUT has rejected the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } [] tc_noac.timeout { log("*** " & testcasename() & ": PASS: IUT has discarded the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_AA_AUTH_RCV_04_BI /** * @desc Check that the AA skips the AuthorizationRequest message if it unable to decrypt the encKey *
       * Pics Selection: PICS_IUT_AA_ROLE
       * Initial conditions: 
       *     with {
       *          the EA/AA in "operational state"
       *              authorized with the certificate CERT_AA
       *                  containing encryptionKey (AA_ENC_PUB_KEY)
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *            the IUT receives an EtsiTs103097Data message
       *                containing content.encryptedData
       *                    containing recipients[0].encKey
       *                        indicating encrypted symmetric key (S_KEY)
       *                    and containing cyphertext (ENC_DATA)
       *                        encrypted with the OTHER key than S_KEY
       *         }
       *         then {
       *            the IUT does not send the AuthorizationValidationRequest message
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_AA_AUTH_RCV_05_BI * @reference ETSI TS 102 941, clause 6.2.3.3.1 */ testcase TC_SECPKI_AA_AUTH_RCV_05_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer p_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_response) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); // Test Body f_http_build_authorization_request(v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_HashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to macth the response if (ischosen(v_ieee1609dot2_signed_and_encrypted_data.content.encryptedData.recipients[0].certRecipInfo.encKey.eciesNistP256)) { v_ieee1609dot2_signed_and_encrypted_data.content.encryptedData.recipients[0].certRecipInfo.encKey.eciesNistP256.c[1] := 'aa'O; v_ieee1609dot2_signed_and_encrypted_data.content.encryptedData.recipients[0].certRecipInfo.encKey.eciesNistP256.c[2] := 'bb'O; } else { v_ieee1609dot2_signed_and_encrypted_data.content.encryptedData.recipients[0].certRecipInfo.encKey.eciesBrainpoolP256r1.c[1] := 'aa'O; v_ieee1609dot2_signed_and_encrypted_data.content.encryptedData.recipients[0].certRecipInfo.encKey.eciesBrainpoolP256r1.c[2] := 'bb'O; } f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_noac.start; alt { [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo/*(v_aes_sym_key_hashed_id8)*/, * }, mw_SymmetricCiphertext_aes128ccm )))))), v_response ) { tc_noac.stop; log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) { tc_noac.stop; log("*** " & testcasename() & ": PASS: IUT has rejected the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } [] tc_noac.timeout { log("*** " & testcasename() & ": PASS: IUT has discarded the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_AA_AUTH_RCV_05_BI /** * @desc Check that the AA rejects the AuthorizationRequest message if it unable to verify the POP signature *
       * Pics Selection: PICS_IUT_AA_ROLE
       * Initial conditions: 
       *     with {
       *          the EA/AA in "operational state"
       *              authorized with the certificate CERT_AA
       *                  containing encryptionKey (AA_ENC_PUB_KEY)
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *            the IUT is received the EtsiTs103097Data message
       *                containing content.encryptedData.cyphertext
       *                    containing encrypted representation of the EtsiTs103097Data-Signed (SIGNED_DATA)
       *                        containing content.signedData
       *                            containing tbsData
       *                                containing payload
       *                                    containing EtsiTs102941Data
       *                                        containing content.authorizationRequest
       *                                            containing publicKeys.verificationKey (V_KEY)
       *                        and containing signature (SIGNATURE)
       *                            indicating value calculated with OTHER key than private key correspondent to V_KEY
       *         }
       *         then {
       *            the IUT does not send the AuthorizationValidationRequest message
       *            and the IUT sends to the TS the AuthorizationResponse message
       *                containing authorizationResponse
       *                    containing requestHash
       *                        indicating the leftmost 16 bits of the SHA256 value
       *                            calculated over the SIGNED_DATA
       *                and containing responseCode
       *                    indicating the value NOT EQUAL to 0
       *                and not containing certificate
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_AA_AUTH_RCV_06_BI * @reference ETSI TS 102 941, clause 6.2.3.3.1 */ testcase TC_SECPKI_AA_AUTH_RCV_06_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer p_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_response) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); // Test Body f_http_build_authorization_request_with_wrong_pop(v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_HashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to macth the response f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo/*(v_aes_sym_key_hashed_id8)*/, * }, mw_SymmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_inner_at_response; tc_ac.stop; // Verify IUT response f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result); // Set verdict if (v_result == -3) { log("*** " & testcasename() & ": PASS: IUT has rejected the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) { tc_ac.stop; log("*** " & testcasename() & ": FAIL: IUT shall not respond with HTTP error ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] tc_ac.timeout { log("*** " & testcasename() & ": FAIL: No response received from the IUT ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_AA_AUTH_RCV_06_BI /** * @desc Check that the AA rejects the AuthorizationRequest message if it unable to verify the integrity of the request using hmacKey *
       * Pics Selection: PICS_IUT_AA_ROLE
       * Initial conditions: 
       *     with {
       *          the EA/AA in "operational state"
       *              authorized with the certificate CERT_AA
       *                  containing encryptionKey (AA_ENC_PUB_KEY)
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *            the IUT is received the EtsiTs103097Data message
       *                containing EtsiTs102941Data
       *                    containing content.authorizationRequest
       *                        containing hmacKey (HMAC)
       *                        and containing sharedAtRequest
       *                            containing keyTag (KEY_TAG)
       *                                indicating wrong value
       *         }
       *         then {
       *            the IUT does not send the AuthorizationValidationRequest message
       *            and the IUT sends to the TS the AuthorizationResponse message
       *                containing authorizationResponse
       *                    containing requestHash
       *                        indicating the leftmost 16 bits of the SHA256 value
       *                            calculated over the X_HASH_STRUCTURE
       *                and containing responseCode
       *                    indicating the value NOT EQUAL to 0
       *                and not containing certificate
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_AA_AUTH_RCV_07_BI * @reference ETSI TS 102 941, clause 6.2.3.3.1 */ testcase TC_SECPKI_AA_AUTH_RCV_07_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer p_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var HeaderLines v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_response) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); // Test Body f_http_build_authorization_request_with_wrong_hmac(v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_HashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to macth the response f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo/*(v_aes_sym_key_hashed_id8)*/, * }, mw_SymmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_inner_at_response; tc_ac.stop; // Verify IUT response f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result); // Set verdict if (v_result == -3) { log("*** " & testcasename() & ": PASS: IUT has rejected the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) { tc_ac.stop; log("*** " & testcasename() & ": FAIL: IUT shall not respond with HTTP error ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] tc_ac.timeout { log("*** " & testcasename() & ": FAIL: No response received from the IUT ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_AA_AUTH_RCV_07_BI } // End of group authorization_request group authorization_validation_request { /** * @desc Check that the AA sends AuthorizationValidationRequest after receiving of the AuthorizationRequest. *
       * Pics Selection: PICS_IUT_AA_ROLE
       * Initial conditions: 
       *     with {
       *         the EA in "operational" state
       *             authorized with CERT_EA certificate
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *            the IUT received the AuthorizationRequest
       *         }
       *         then {
       *            the IUT sends the EtsiTs103097Data message to the ITSS
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_AA_AUTHVAL_01_BV * @reference ETSI TS 102 941, clause 6.2.3.3.2 */ testcase TC_SECPKI_AA_AUTHVAL_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcRequest v_inner_ec_request; var EtsiTs103097Certificate v_ec_certificate; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer v_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var octetstring v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var HeaderLines v_headers; var HttpMessage v_request; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; var Oct16 v_aes_enc_key; var InnerAtRequest v_inner_at_request; var InnerAtResponse v_inner_at_response; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(cc_taCert_A_EA, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble // Generate EC certificate f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request); f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate) f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body // Send AuthorizationRequest f_http_build_authorization_request(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_HashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to macth the response f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_atv_http_request_from_iut( // Wait for authorizationValidation Request from IUT to EA mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_ATV, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationRequestMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo, * }, mw_SymmetricCiphertext_aes128ccm )))))), v_request ) { var integer v_result; tc_ac.stop; f_verify_http_at_request_from_iut_atv(v_request.request, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_request, v_result); // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: IUT has sent AuthorizationValidation request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify AuthorizationValidation request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationRequestMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo, * }, mw_SymmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; tc_ac.stop; f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result); log("*** " & testcasename() & ": FAIL: Unexptected response ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble if (isvalue(v_inner_at_request)) { // Send AuthorizationValidation response to finalize the exchange log("*** " & testcasename() & ": INFO: Send AuthorizationValidation response to finalize the exchange ***"); f_init_default_headers_list(-, "inner_atv_response", v_headers); f_http_build_authorization_response(v_inner_at_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); } // TODO Wait for AuthorizationResponse f_cfHttpDown(); } // End of testcase TC_SECPKI_AA_AUTHVAL_01_BV } // End of authorization_validation_request group authorization_validation_response { /** * @desc Check that the AA sends AuthorizationResponse after receiving the AuthorizationRequest. *
       * Pics Selection: PICS_IUT_AA_ROLE
       * Initial conditions: 
       *     with {
       *          the ITSS in "enrolled" state
       *          the EA in "operational" state
       *          and the IUT(AA) in "operational" state
       *          and the IUT had received the AuthorizationRequest from the ITSS
       *          and the IUT sent the AuthorizationValidationRequest
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *            the IUT received the AuthorizationValidationResponseMessage
       *         }
       *         then {
       *            the IUT sends the EtsiTs103097Data message to the ITSS
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_AA_AUTHVAL_RCV_01_BV * @reference ETSI TS 102 941, clause 6.2.3.3.2 */ testcase TC_SECPKI_AA_AUTHVAL_RCV_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcRequest v_inner_ec_request; var EtsiTs103097Certificate v_ec_certificate; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer v_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var octetstring v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var HeaderLines v_headers; var HttpMessage v_request; var EtsiTs102941Data v_etsi_ts_102941_data; var Oct16 v_aes_enc_key; var InnerAtRequest v_inner_at_request; var InnerAtResponse v_inner_at_response; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(cc_taCert_A_EA, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble // Generate EC certificate f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request); f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate) f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body // Send AuthorizationRequest f_http_build_authorization_request(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_HashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to macth the response f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_atv_http_request_from_iut( // Wait for authorizationValidation Request from IUT to EA mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_ATV, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationRequestMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo, * }, mw_SymmetricCiphertext_aes128ccm )))))), v_request ) { var integer v_result; tc_ac.stop; f_verify_http_at_request_from_iut_atv(v_request.request, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_request, v_result); // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: Well-secured AT certificate received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify AT response ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble if (isvalue(v_inner_at_request)) { // Send AuthorizationValidation response to finalize the exchange log("*** " & testcasename() & ": INFO: Send AuthorizationValidation response to finalize the exchange ***"); f_init_default_headers_list(-, "inner_atv_response", v_headers); f_http_build_authorization_response(v_inner_at_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); } // TODO Wait for AuthorizationResponse f_cfHttpDown(); } // End of testcase TC_SECPKI_AA_AUTHVAL_RCV_01_BV /** * @desc Check that AA doesn't accept Authorization Validation Response message when this message is * signed with certificate without appropriate permissions *
       * Pics Selection: PICS_IUT_AA_ROLE
       * Initial conditions: 
       *     with {
       *          the ITSS in "enrolled" state
       *          the EA in "operational" state
       *          and the IUT(AA) in "operational" state
       *          and the IUT had received the AuthorizationRequest from the ITSS
       *          and the IUT sent the AuthorizationValidationRequest
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *            the IUT receives the AuthorizationValidationResponseMessage
       *                containing signer
       *                    containing digest
       *                        indicating HashedId8 of the certificate
       *                    containing appPermissions
       *                        not containing an item of type PsidSsp
       *                        containing psid
       *                            indicating AID_CERT_REQ
       *                        or containing an item of type PsidSsp
       *                            containing psid
       *                                indicating AID_CERT_REQ
       *                        and containing ssp
       *                             containing opaque[0] (version) 
       *                                 indicating other value than 1
       *                        or containing opaque[1] (value) 
       *                            indicating "AuthorizationValidationResponse" (bit 4) set to 0
       *         }
       *         then {
       *            the IUT answers with an AuthorisationValidationResponseMessage
       *                containing responseCode
       *                    indicating non-zero value
       *         }
       *     }
       * 
* * @see ETSI TS 103 525-2 v0.0.10 SECPKI_AA_AUTHVAL_RCV_02_BI * @reference ETSI TS 102 941, clause 6.2.3.3.2 */ testcase TC_SECPKI_AA_AUTHVAL_RCV_02_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {} // End of testcase TC_SECPKI_AA_AUTHVAL_RCV_02_BI } // End of group authorization_validation_response } // End of group aa_beavior } // End of module ItsPki_TestCases