diff --git a/README.md b/README.md index 3274655116c9ed74294825cd910dcd8948b5d542..cdade3d510f49200c723e86d74b3bf7e87d477ca 100644 --- a/README.md +++ b/README.md @@ -106,18 +106,19 @@ NOTE The user password is vagrant. ### Using Docker Pre-requisites on your host machine: -- Install Virtualbox +- Install Virtualbox (For Windows host only) - Install Docker Procedure for a Windows host machine: -- On your host machine, open a the Docker Quickstart Terminal +- On your host machine, open a the Docker Quickstart Terminal and change to a working folder such as ./temp/docker_its Procedure for a Linux host machine: -- On your host machine, open a terminal and change to a working folder such as $HOME/temp +- On your host machine, open a terminal and change to a working folder such as $HOME/temp/docker_its -On your host machine, clone the following items from ETSI ITS protocols project: -- The docket folder -- The .jenkins.sh script file (hidden file) +On your host machine, download the following items from ETSI ITS protocols project: +- The docker folder +- The .jenkins.sh script file (hidden file) and add the execution rights on it +- Check the rights of the script files and the folders From the your current directory, execute the following commands: diff --git a/ccsrc/Externals/LibItsSecurity_externals.cc b/ccsrc/Externals/LibItsSecurity_externals.cc index 015df3d1b6a7e286e969b96ff1e4cdc0900941a7..f628cd13f071e9b0349ac78b79b3a3bf163f9029 100644 --- a/ccsrc/Externals/LibItsSecurity_externals.cc +++ b/ccsrc/Externals/LibItsSecurity_externals.cc @@ -587,7 +587,8 @@ namespace LibItsSecurity__Functions * \return The HMAC value resized to 16-byte */ OCTETSTRING fx__hmac__sha256(const OCTETSTRING& p__k, const OCTETSTRING& p__m) { - loggers::get_instance().log(">>> fx__hmac__sha256"); + loggers::get_instance().log_msg(">>> fx__hmac__sha256: p__k=", p__k); + loggers::get_instance().log_msg(">>> fx__hmac__sha256: p__m=", p__m); hmac h(hash_algorithms::sha_256); // TODO Use ec_encryption_algorithm OCTETSTRING t; @@ -595,8 +596,8 @@ namespace LibItsSecurity__Functions loggers::get_instance().warning("fx__hmac__sha256: Failed to generate HMAC"); return OCTETSTRING(0, nullptr); } - loggers::get_instance().log_msg("fx__hmac__sha256: HMAC: ", t); + loggers::get_instance().log_msg("<<< fx__hmac__sha256: HMAC: ", t); return t; } @@ -1183,7 +1184,7 @@ namespace LibItsSecurity__Functions return TRUE; } - BOOLEAN fx__store__certificate(const CHARSTRING& p__cert__id, const OCTETSTRING& p__cert, const OCTETSTRING& p__private__key, const OCTETSTRING& p__public__key__x, const OCTETSTRING& p__public__key__y, const OCTETSTRING& p__public__key__compressed, const INTEGER& p__public__key__compressed__mode, const OCTETSTRING& p__hash, const OCTETSTRING& p__hashid8, const OCTETSTRING& p__issuer, const OCTETSTRING_template& p__private__enc__key, const OCTETSTRING_template& p__public__enc__key__x, const OCTETSTRING_template& p__public__enc__key__y, const OCTETSTRING_template& p__public__enc__compressed__key, const INTEGER_template& p__public__enc__key__compressed__mode) { + BOOLEAN fx__store__certificate(const CHARSTRING& p__cert__id, const OCTETSTRING& p__cert, const OCTETSTRING& p__private__key, const OCTETSTRING& p__public__key__x, const OCTETSTRING& p__public__key__y, const OCTETSTRING& p__public__key__compressed, const INTEGER& p__public__key__compressed__mode, const OCTETSTRING& p__hash, const OCTETSTRING& p__hash__256, const OCTETSTRING& p__hashid8, const OCTETSTRING& p__issuer, const OCTETSTRING_template& p__private__enc__key, const OCTETSTRING_template& p__public__enc__key__x, const OCTETSTRING_template& p__public__enc__key__y, const OCTETSTRING_template& p__public__enc__compressed__key, const INTEGER_template& p__public__enc__key__compressed__mode) { loggers::get_instance().log(">>> fx__store__certificate: '%s'", static_cast(p__cert__id)); int result; @@ -1191,9 +1192,9 @@ namespace LibItsSecurity__Functions const OCTETSTRING private_enc_key = p__private__enc__key.valueof(); const OCTETSTRING public_enc_key_x = p__public__enc__key__x.valueof(); const OCTETSTRING public_enc_key_y = p__public__enc__key__y.valueof(); - result = security_services::get_instance().store_certificate(p__cert__id, p__cert, p__private__key, p__public__key__x, p__public__key__y, p__public__key__compressed, p__public__key__compressed__mode, p__hash, p__hashid8, p__issuer, p__private__enc__key.valueof(), p__public__enc__key__x.valueof(), p__public__enc__key__y.valueof(), p__public__enc__compressed__key.valueof(), p__public__enc__key__compressed__mode.valueof()); + result = security_services::get_instance().store_certificate(p__cert__id, p__cert, p__private__key, p__public__key__x, p__public__key__y, p__public__key__compressed, p__public__key__compressed__mode, p__hash, p__hash__256, p__hashid8, p__issuer, p__private__enc__key.valueof(), p__public__enc__key__x.valueof(), p__public__enc__key__y.valueof(), p__public__enc__compressed__key.valueof(), p__public__enc__key__compressed__mode.valueof()); } else { - result = security_services::get_instance().store_certificate(p__cert__id, p__cert, p__private__key, p__public__key__x, p__public__key__y, p__public__key__compressed, p__public__key__compressed__mode, p__hash, p__hashid8, p__issuer, OCTETSTRING(0, nullptr), OCTETSTRING(0, nullptr), OCTETSTRING(0, nullptr), OCTETSTRING(0, nullptr), INTEGER(-1)); + result = security_services::get_instance().store_certificate(p__cert__id, p__cert, p__private__key, p__public__key__x, p__public__key__y, p__public__key__compressed, p__public__key__compressed__mode, p__hash, p__hash__256, p__hashid8, p__issuer, OCTETSTRING(0, nullptr), OCTETSTRING(0, nullptr), OCTETSTRING(0, nullptr), OCTETSTRING(0, nullptr), INTEGER(-1)); } return (result == 0); @@ -1293,6 +1294,25 @@ namespace LibItsSecurity__Functions return TRUE; } + /** + * \brief Read the whole-hash of the certificate using SHA 256 + * \param p_certificate_id the certificate identifier + * \param p_hash the expected certificate + * \return true on success, false otherwise + */ + BOOLEAN fx__readCertificateHash256( + const CHARSTRING& p__certificateId, + OCTETSTRING& p__hash + ) { + loggers::get_instance().log(">>> fx__readCertificateHash256: '%s'", static_cast(p__certificateId)); + + if (security_services::get_instance().read_certificate_hash_sha_256(p__certificateId, p__hash) == -1) { + return FALSE; + } + + return TRUE; + } + /** * \brief Read the private keys for the specified certificate * \param p_certificate_id the keys identifier diff --git a/ccsrc/Protocols/Security/certificates_loader.cc b/ccsrc/Protocols/Security/certificates_loader.cc index ac218dff0f90de1390e4e12b92bc50b5ed4c668e..76dcfe3dfe4a4f577893309a88a60d8163ab5637 100644 --- a/ccsrc/Protocols/Security/certificates_loader.cc +++ b/ccsrc/Protocols/Security/certificates_loader.cc @@ -240,41 +240,51 @@ int certificates_loader::build_certificates_cache(std::set(hash) + hash.lengthof() - 8); - issuer = decoded_certificate.issuer().sha256AndDigest(); - } else if (decoded_certificate.issuer().ischosen(IEEE1609dot2::IssuerIdentifier::ALT_sha384AndDigest)) { + } else if (public_key_x.lengthof() == 48) { sha384 sha; sha.generate(certificate, hash); loggers::get_instance().log_msg("certificates_loader::build_certificates_cache: Whole-certificate SHA-384 hash: ", hash); hashed_id = OCTETSTRING(8, static_cast(hash) + hash.lengthof() - 8); + } else { + hash = OCTETSTRING(0, nullptr); + hash_sha_256 = OCTETSTRING(0, nullptr); + hashed_id = int2oct(0, 8); + } + loggers::get_instance().log_msg("certificates_loader::build_certificates_cache: hash: ", hash); + loggers::get_instance().log_msg("certificates_loader::build_certificates_cache: hashed_id: ", hashed_id); + + if (decoded_certificate.issuer().ischosen(IEEE1609dot2::IssuerIdentifier::ALT_sha256AndDigest)) { + issuer = decoded_certificate.issuer().sha256AndDigest(); + } else if (decoded_certificate.issuer().ischosen(IEEE1609dot2::IssuerIdentifier::ALT_sha384AndDigest)) { issuer = decoded_certificate.issuer().sha384AndDigest(); } else if (decoded_certificate.issuer().ischosen(IEEE1609dot2::IssuerIdentifier::ALT_self__)) { + OCTETSTRING h; if (decoded_certificate.issuer().self__() == IEEE1609dot2BaseTypes::HashAlgorithm::sha256) { sha256 sha; - sha.generate(certificate, hash); + sha.generate(certificate, h); //loggers::get_instance().log_msg("certificates_loader::build_certificates_cache: Whole-certificate SHA-256 hash: ", hash); } else { sha384 sha; - sha.generate(certificate, hash); + sha.generate(certificate, h); //loggers::get_instance().log_msg("certificates_loader::build_certificates_cache: Whole-certificate SHA-384 hash: ", hash); } - hashed_id = OCTETSTRING(8, static_cast(hash) + hash.lengthof() - 8); - issuer = hashed_id; + issuer = OCTETSTRING(8, static_cast(h) + h.lengthof() - 8); } else { - hash = OCTETSTRING(0, nullptr); - hashed_id = int2oct(0, 8); issuer = int2oct(0, 8); } - //loggers::get_instance().log_msg("certificates_loader::build_certificates_cache: hash: ", hash); - //loggers::get_instance().log_msg("certificates_loader::build_certificates_cache: hashed_id: ", hashed_id); - //loggers::get_instance().log_msg("certificates_loader::build_certificates_cache: issuer: ", issuer); + loggers::get_instance().log_msg("certificates_loader::build_certificates_cache: issuer: ", issuer); // Create new record security_db_record* p = new security_db_record( @@ -283,6 +293,7 @@ int certificates_loader::build_certificates_cache(std::set(p_hmac), &length); + loggers::get_instance().log_to_hexa("hmac::generate: ", (unsigned char*)static_cast(p_hmac), length); // Resize the hmac if (_hash_algorithms == hash_algorithms::sha_256) { p_hmac = OCTETSTRING(16, static_cast(p_hmac)); diff --git a/ccsrc/Protocols/Security/security_cache.cc b/ccsrc/Protocols/Security/security_cache.cc index 443ce955e598df2957827cccdbf0be744d6fc090..7bdb3648c99ec2a47b6534056286309e98edf1f8 100644 --- a/ccsrc/Protocols/Security/security_cache.cc +++ b/ccsrc/Protocols/Security/security_cache.cc @@ -200,6 +200,19 @@ int security_cache::get_hash(const std::string& p_certificate_id, OCTETSTRING& p return 0; } +int security_cache::get_hash_sha_256(const std::string& p_certificate_id, OCTETSTRING& p_hash) const { + loggers::get_instance().log(">>> security_cache::get_hash_sha_256: '%s'", p_certificate_id.c_str()); + + std::map >::const_iterator it = _certificates.find(p_certificate_id); + if (it == _certificates.cend()) { + loggers::get_instance().warning("security_cache::get_hash_sha_256: record not found"); + return -1; + } + p_hash = it->second.get()->hash_sha_256(); + + return 0; +} + int security_cache::get_private_key(const std::string& p_certificate_id, OCTETSTRING& p_private_key) const { loggers::get_instance().log(">>> security_cache::get_private_key: '%s'", p_certificate_id.c_str()); @@ -293,11 +306,11 @@ bool security_cache::fill_vector(OCTETSTRING& p_vector, const OCTETSTRING& p_org return false; } -int security_cache::store_certificate(const CHARSTRING& p_cert_id, const OCTETSTRING& p_cert, const OCTETSTRING& p_private_key, const OCTETSTRING& p_public_key_x, const OCTETSTRING& p_public_key_y, const OCTETSTRING& p_public_compressed_key, const INTEGER& p_public_compressed_key_mode, const OCTETSTRING& p_hash, const OCTETSTRING& p_hashed_id8, const OCTETSTRING& p_issuer, const OCTETSTRING& p_private_enc_key, const OCTETSTRING& p_public_enc_key_x, const OCTETSTRING& p_public_enc_key_y, const OCTETSTRING& p_public_enc_compressed_key, const INTEGER& p_public_enc_compressed_key_mode) { +int security_cache::store_certificate(const CHARSTRING& p_cert_id, const OCTETSTRING& p_cert, const OCTETSTRING& p_private_key, const OCTETSTRING& p_public_key_x, const OCTETSTRING& p_public_key_y, const OCTETSTRING& p_public_compressed_key, const INTEGER& p_public_compressed_key_mode, const OCTETSTRING& p_hash, const OCTETSTRING& p_hash_sha_256, const OCTETSTRING& p_hashed_id8, const OCTETSTRING& p_issuer, const OCTETSTRING& p_private_enc_key, const OCTETSTRING& p_public_enc_key_x, const OCTETSTRING& p_public_enc_key_y, const OCTETSTRING& p_public_enc_compressed_key, const INTEGER& p_public_enc_compressed_key_mode) { loggers::get_instance().log_msg(">>> security_cache::store_certificate: ", p_cert_id); std::string key(static_cast(p_cert_id)); - OCTETSTRING cert, private_key, public_key_x, public_key_y, public_comp_key, hash, hashed_id8, issuer; + OCTETSTRING cert, private_key, public_key_x, public_key_y, public_comp_key, hash, hash_sha_256, hashed_id8, issuer; OCTETSTRING private_enc_key, public_enc_key_x, public_enc_key_y, public_enc_comp_key; security_cache::fill_vector(cert, p_cert); @@ -311,6 +324,7 @@ int security_cache::store_certificate(const CHARSTRING& p_cert_id, const OCTETST } security_cache::fill_vector(hash, p_hash); + security_cache::fill_vector(hash_sha_256, p_hash_sha_256); security_cache::fill_vector(hashed_id8, p_hashed_id8); security_cache::fill_vector(issuer, p_issuer); @@ -332,6 +346,7 @@ int security_cache::store_certificate(const CHARSTRING& p_cert_id, const OCTETST decoded_certificate, issuer, // Hashed ID for the issuer hash, // Whole-certificate hash + hash_sha_256, // Whole-certificate hash using SHA-256 hashed_id8, // Whole-certificate hashed ID private_key, // Private key public_key_x, // Public key X-coordinate @@ -379,6 +394,7 @@ void security_cache::dump() const { loggers::get_instance().log_msg("security_cache::dump: issuer = ", p->issuer()); loggers::get_instance().log_msg("security_cache::dump: hashed_id = ", p->hashed_id()); loggers::get_instance().log_msg("security_cache::dump: hash = ", p->hash()); + loggers::get_instance().log_msg("security_cache::dump: hash_sha_256 = ", p->hash_sha_256()); loggers::get_instance().log_msg("security_cache::dump: private_key = ", p->private_key()); loggers::get_instance().log_msg("security_cache::dump: public_key_x = ", p->public_key_x()); loggers::get_instance().log_msg("security_cache::dump: public_key_y = ", p->public_key_y()); diff --git a/ccsrc/Protocols/Security/security_cache.hh b/ccsrc/Protocols/Security/security_cache.hh index 885de7407cb5c33ae7f567e7b42d8a153127c1e6..f34e559e18d367a2a268c0e720401d96454596e9 100644 --- a/ccsrc/Protocols/Security/security_cache.hh +++ b/ccsrc/Protocols/Security/security_cache.hh @@ -57,6 +57,7 @@ public: /*! \publicsection */ int get_issuer(const std::string& p_certificate_id, OCTETSTRING& p_hashed_id_issuer) const; int get_hashed_id(const std::string& p_certificate_id, OCTETSTRING& p_hashed_id) const; int get_hash(const std::string& p_certificate_id, OCTETSTRING& p_hash) const; + int get_hash_sha_256(const std::string& p_certificate_id, OCTETSTRING& p_hash) const; int get_private_key(const std::string& p_certificate_id, OCTETSTRING& p_private_key) const; int get_public_keys(const std::string& p_certificate_id, OCTETSTRING& p_public_key_x, OCTETSTRING& p_public_key_y) const; int get_public_comp_key(const std::string& p_certificate_id, OCTETSTRING& p_public_comp_key, INTEGER& p_comp_mode) const; @@ -64,7 +65,7 @@ public: /*! \publicsection */ int get_public_enc_keys(const std::string& p_certificate_id, OCTETSTRING& p_public_enc_key_x, OCTETSTRING& p_public_enc_key_y) const; int get_public_enc_comp_key(const std::string& p_certificate_id, OCTETSTRING& p_public_enc_comp_key, INTEGER& p_enc_comp_mode) const; - virtual int store_certificate(const CHARSTRING& p_cert_id, const OCTETSTRING& p_cert, const OCTETSTRING& p_private_key, const OCTETSTRING& p_public_key_x, const OCTETSTRING& p_public_key_y, const OCTETSTRING& p_public_compressed_key, const INTEGER& p_public_compressed_key_mode, const OCTETSTRING& p_hash, const OCTETSTRING& p_hashid8, const OCTETSTRING& p_issuer, const OCTETSTRING& p_private_enc_key, const OCTETSTRING& p_public_enc_key_x, const OCTETSTRING& p_public_enc_key_y, const OCTETSTRING& p_public_enc_compressed_key, const INTEGER& p_public_enc_compressed_key_mode); + virtual int store_certificate(const CHARSTRING& p_cert_id, const OCTETSTRING& p_cert, const OCTETSTRING& p_private_key, const OCTETSTRING& p_public_key_x, const OCTETSTRING& p_public_key_y, const OCTETSTRING& p_public_compressed_key, const INTEGER& p_public_compressed_key_mode, const OCTETSTRING& p_hash, const OCTETSTRING& p_hash_sha_256, const OCTETSTRING& p_hashid8, const OCTETSTRING& p_issuer, const OCTETSTRING& p_private_enc_key, const OCTETSTRING& p_public_enc_key_x, const OCTETSTRING& p_public_enc_key_y, const OCTETSTRING& p_public_enc_compressed_key, const INTEGER& p_public_enc_compressed_key_mode); virtual int clear(); diff --git a/ccsrc/Protocols/Security/security_db.cc b/ccsrc/Protocols/Security/security_db.cc index 9e5381739cebc192bfca4abd4bf1c635d2de3744..54f0b4b707b919bcc78f51ce3c17d4849f7ccf82 100644 --- a/ccsrc/Protocols/Security/security_db.cc +++ b/ccsrc/Protocols/Security/security_db.cc @@ -40,10 +40,10 @@ int security_db::load_from_files(const std::string& p_db_path) { return 0; } -int security_db::store_certificate(const CHARSTRING& p_cert_id, const OCTETSTRING& p_cert, const OCTETSTRING& p_private_key, const OCTETSTRING& p_public_key_x, const OCTETSTRING& p_public_key_y, const OCTETSTRING& p_public_compressed_key, const INTEGER& p_public_compressed_key_mode, const OCTETSTRING& p_hash, const OCTETSTRING& p_hashed_id8, const OCTETSTRING& p_issuer, const OCTETSTRING& p_private_enc_key, const OCTETSTRING& p_public_enc_key_x, const OCTETSTRING& p_public_enc_key_y, const OCTETSTRING& p_public_enc_compressd_key, const INTEGER& p_public_enc_compressed_key_mode) { +int security_db::store_certificate(const CHARSTRING& p_cert_id, const OCTETSTRING& p_cert, const OCTETSTRING& p_private_key, const OCTETSTRING& p_public_key_x, const OCTETSTRING& p_public_key_y, const OCTETSTRING& p_public_compressed_key, const INTEGER& p_public_compressed_key_mode, const OCTETSTRING& p_hash, const OCTETSTRING& p_hash_sha_256, const OCTETSTRING& p_hashed_id8, const OCTETSTRING& p_issuer, const OCTETSTRING& p_private_enc_key, const OCTETSTRING& p_public_enc_key_x, const OCTETSTRING& p_public_enc_key_y, const OCTETSTRING& p_public_enc_compressd_key, const INTEGER& p_public_enc_compressed_key_mode) { loggers::get_instance().log_msg(">>> security_db::store_certificate: ", p_cert_id); - if (security_cache::store_certificate(p_cert_id, p_cert, p_private_key, p_public_key_x, p_public_key_y, p_public_compressed_key, p_public_compressed_key_mode, p_hash, p_hashed_id8, p_issuer, p_private_enc_key, p_public_enc_key_x, p_public_enc_key_y, p_public_enc_compressd_key, p_public_enc_compressed_key_mode) != 0) { + if (security_cache::store_certificate(p_cert_id, p_cert, p_private_key, p_public_key_x, p_public_key_y, p_public_compressed_key, p_public_compressed_key_mode, p_hash, p_hash_sha_256, p_hashed_id8, p_issuer, p_private_enc_key, p_public_enc_key_x, p_public_enc_key_y, p_public_enc_compressd_key, p_public_enc_compressed_key_mode) != 0) { return -1; } diff --git a/ccsrc/Protocols/Security/security_db.hh b/ccsrc/Protocols/Security/security_db.hh index fd2b4a4bbcdb4a88dd7aff562871689a9c1b662c..78fae1d52840753a2193c247bdbe40842476e204 100644 --- a/ccsrc/Protocols/Security/security_db.hh +++ b/ccsrc/Protocols/Security/security_db.hh @@ -38,7 +38,7 @@ public: /*! \publicsection */ * \param[in] p_cert_id The certificate identifier * \return 0 on success, -1 otherwise */ - int store_certificate(const CHARSTRING& p_cert_id, const OCTETSTRING& p_cert, const OCTETSTRING& p_private_key, const OCTETSTRING& p_public_key_x, const OCTETSTRING& p_public_key_y, const OCTETSTRING& p_public_compressed_key, const INTEGER& p_public_compressed_key_mode, const OCTETSTRING& p_hash, const OCTETSTRING& p_hashid8, const OCTETSTRING& p_issuer, const OCTETSTRING& p_private_enc_key, const OCTETSTRING& p_public_enc_key_x, const OCTETSTRING& p_public_enc_key_y, const OCTETSTRING& p_public_enc_compressed_key, const INTEGER& p_public_enc_compressed_key_mode); + int store_certificate(const CHARSTRING& p_cert_id, const OCTETSTRING& p_cert, const OCTETSTRING& p_private_key, const OCTETSTRING& p_public_key_x, const OCTETSTRING& p_public_key_y, const OCTETSTRING& p_public_compressed_key, const INTEGER& p_public_compressed_key_mode, const OCTETSTRING& p_hash, const OCTETSTRING& p_hash_sha_256, const OCTETSTRING& p_hashid8, const OCTETSTRING& p_issuer, const OCTETSTRING& p_private_enc_key, const OCTETSTRING& p_public_enc_key_x, const OCTETSTRING& p_public_enc_key_y, const OCTETSTRING& p_public_enc_compressed_key, const INTEGER& p_public_enc_compressed_key_mode); private: /*! \privatesection */ /*! diff --git a/ccsrc/Protocols/Security/security_db_record.cc b/ccsrc/Protocols/Security/security_db_record.cc index 841381a6ae96f3f51703cee05b2551d70b1cf2f7..d1b8e830b1675496f38ffd8fb1f2c8b068a9d600 100644 --- a/ccsrc/Protocols/Security/security_db_record.cc +++ b/ccsrc/Protocols/Security/security_db_record.cc @@ -20,6 +20,7 @@ security_db_record::security_db_record( const IEEE1609dot2::CertificateBase& p_decoded_certificate, const OCTETSTRING& p_hashed_id_issuer, const OCTETSTRING& p_hash, + const OCTETSTRING& p_hash_sha_256, const OCTETSTRING& p_hashed_id, const OCTETSTRING& p_pr_key, const OCTETSTRING& p_pu_key_x, @@ -30,7 +31,7 @@ security_db_record::security_db_record( const OCTETSTRING& p_pu_enc_key_y, const OCTETSTRING& p_pu_enc_comp_key, const bool p_to_be_saved - ): _algorithm{ec_elliptic_curves::nist_p_256}, _certificate_id(p_certificate_id), _certificate(p_certificate), _hashed_id_issuer(p_hashed_id_issuer), _hash(p_hash), _hashed_id(p_hashed_id), _pr_key(p_pr_key), _pu_key_x(p_pu_key_x), _pu_key_y(p_pu_key_y), _pu_comp_key(p_pu_comp_key), _pr_enc_key(p_pr_enc_key), _pu_enc_key_x(p_pu_enc_key_x), _pu_enc_key_y(p_pu_enc_key_y), _pu_enc_comp_key(p_pu_enc_comp_key), _to_be_saved(p_to_be_saved), _decoded_certificate(static_cast(p_decoded_certificate.clone())) { + ): _algorithm{ec_elliptic_curves::nist_p_256}, _certificate_id(p_certificate_id), _certificate(p_certificate), _hashed_id_issuer(p_hashed_id_issuer), _hash(p_hash), _hash_sha_256(p_hash_sha_256), _hashed_id(p_hashed_id), _pr_key(p_pr_key), _pu_key_x(p_pu_key_x), _pu_key_y(p_pu_key_y), _pu_comp_key(p_pu_comp_key), _pr_enc_key(p_pr_enc_key), _pu_enc_key_x(p_pu_enc_key_x), _pu_enc_key_y(p_pu_enc_key_y), _pu_enc_comp_key(p_pu_enc_comp_key), _to_be_saved(p_to_be_saved), _decoded_certificate(static_cast(p_decoded_certificate.clone())) { } security_db_record::~security_db_record() { diff --git a/ccsrc/Protocols/Security/security_db_record.hh b/ccsrc/Protocols/Security/security_db_record.hh index f48532aec76d468f91949a92d5240372c0aac973..05a2eb053850f435c89be5acf81eb6ceaf3f2abb 100644 --- a/ccsrc/Protocols/Security/security_db_record.hh +++ b/ccsrc/Protocols/Security/security_db_record.hh @@ -30,7 +30,8 @@ class security_db_record { std::string _certificate_id; /*!< Certificate storage*/ OCTETSTRING _certificate; /*!< COER storage */ OCTETSTRING _hashed_id_issuer; /*!< Hash id 8 of the issuer certificate */ - OCTETSTRING _hash; /*!< Certificate hash storage */ // TODO Check if it's usefull, otherwise remove it + OCTETSTRING _hash; /*!< Certificate hash storage */ + OCTETSTRING _hash_sha_256; /*!< Certificate hash SHA 256 storage, for encryption (IEEE 1609.2 Clause 5.3.5 Public key encryption algorithms: ECIES */ OCTETSTRING _hashed_id; /*!< Certificate hash id 8 storage */ OCTETSTRING _pr_key; /*!< Private key storage */ OCTETSTRING _pu_key_x; /*!< Public key X-coordinate storage */ @@ -47,7 +48,7 @@ public: /*! \publicsection */ /*! * \brief Default ctor */ - explicit security_db_record(): _algorithm{ec_elliptic_curves::nist_p_256}, _certificate_id(), _certificate(), _hashed_id_issuer(), _hash(), _hashed_id(), _pr_key(), _pu_key_x(), _pu_key_y(), _pu_comp_key(), _pr_enc_key(), _pu_enc_key_x(), _pu_enc_key_y(), _pu_enc_comp_key(), _to_be_saved(false), _decoded_certificate(nullptr) { }; + explicit security_db_record(): _algorithm{ec_elliptic_curves::nist_p_256}, _certificate_id(), _certificate(), _hashed_id_issuer(), _hash(), _hash_sha_256(), _hashed_id(), _pr_key(), _pu_key_x(), _pu_key_y(), _pu_comp_key(), _pr_enc_key(), _pu_enc_key_x(), _pu_enc_key_y(), _pu_enc_comp_key(), _to_be_saved(false), _decoded_certificate(nullptr) { }; /*! * \brief Specialised ctor * \param[in] p_certificate_id The certificate identifier @@ -55,6 +56,7 @@ public: /*! \publicsection */ * \param[in] p_decoded_certificate The decoded certificate * \param[in] p_hashed_id_issuer The HashedId of the certificate issuer * \param[in] p_hash The whole-certificate hash + * \param[in] p_hash_sha_256 The whole-certificate hash using SHA-256 * \param[in] p_hashed_id The whole-certificate hashed id * \param[in] p_pr_key The private signature key * \param[in] p_pu_key_x The public X-coordinate signature key @@ -66,7 +68,7 @@ public: /*! \publicsection */ * \param[in] p_pu_enc_comp_key_y The public compressed coordinate encryption key * \param[in] p_to_be_saved Set to true to save on disk this certificate.Default: true */ - security_db_record(const std::string& p_certificate_id, const OCTETSTRING& p_certificate, const IEEE1609dot2::CertificateBase& p_decoded_certificate, const OCTETSTRING& p_hashed_id_issuer, const OCTETSTRING& p_hash, const OCTETSTRING& p_hashed_id, const OCTETSTRING& p_pr_key, const OCTETSTRING& p_pu_key_x, const OCTETSTRING& p_pu_key_y, const OCTETSTRING& p_pu_comp_key, const OCTETSTRING& p_pr_enc_key, const OCTETSTRING& p_pu_enc_key_x, const OCTETSTRING& p_pu_enc_key_y, const OCTETSTRING& p_pu_enc_comp_key_y, const bool p_to_be_saved = true); + security_db_record(const std::string& p_certificate_id, const OCTETSTRING& p_certificate, const IEEE1609dot2::CertificateBase& p_decoded_certificate, const OCTETSTRING& p_hashed_id_issuer, const OCTETSTRING& p_hash, const OCTETSTRING& p_hash_sha_256, const OCTETSTRING& p_hashed_id, const OCTETSTRING& p_pr_key, const OCTETSTRING& p_pu_key_x, const OCTETSTRING& p_pu_key_y, const OCTETSTRING& p_pu_comp_key, const OCTETSTRING& p_pr_enc_key, const OCTETSTRING& p_pu_enc_key_x, const OCTETSTRING& p_pu_enc_key_y, const OCTETSTRING& p_pu_enc_comp_key_y, const bool p_to_be_saved = true); /*! * \brief Default dtor @@ -108,6 +110,13 @@ public: /*! \publicsection */ * \return The whole-certificate hashed id */ inline const OCTETSTRING& hash() const { return _hash; }; + /*! + * \inline + * \fn const OCTETSTRING& hash_sha_256() const; + * \brief Retrieve the whole-certificate hashed id + * \return The whole-certificate hashed id + */ + inline const OCTETSTRING& hash_sha_256() const { return _hash_sha_256; }; inline const OCTETSTRING& issuer() const { return _hashed_id_issuer; }; inline const OCTETSTRING& private_key() const { return _pr_key; }; inline const OCTETSTRING& public_key_x() const { return _pu_key_x; }; diff --git a/ccsrc/Protocols/Security/security_services.cc b/ccsrc/Protocols/Security/security_services.cc index ff58bef49580d80eb2bbb742851ffbd75a5289ad..98377b56f378f829c22d86f878533112c54293e8 100644 --- a/ccsrc/Protocols/Security/security_services.cc +++ b/ccsrc/Protocols/Security/security_services.cc @@ -68,7 +68,7 @@ int security_services::setup(params& p_params) { // FIXME Rename this method return 0; } -int security_services::store_certificate(const CHARSTRING& p_cert_id, const OCTETSTRING& p_cert, const OCTETSTRING& p_private_key, const OCTETSTRING& p_public_key_x, const OCTETSTRING& p_public_key_y, const OCTETSTRING& p_public_comp_key, const INTEGER& p_public_comp_key_mode, const OCTETSTRING& p_hash, const OCTETSTRING& p_hashid8, const OCTETSTRING& p_issuer, const OCTETSTRING& p_private_enc_key, const OCTETSTRING& p_public_enc_key_x, const OCTETSTRING& p_public_enc_key_y, const OCTETSTRING& p_public_enc_compressed_key, const INTEGER& p_public_enc_key_compressed_mode) { +int security_services::store_certificate(const CHARSTRING& p_cert_id, const OCTETSTRING& p_cert, const OCTETSTRING& p_private_key, const OCTETSTRING& p_public_key_x, const OCTETSTRING& p_public_key_y, const OCTETSTRING& p_public_comp_key, const INTEGER& p_public_comp_key_mode, const OCTETSTRING& p_hash, const OCTETSTRING& p_hash_sha_256, const OCTETSTRING& p_hashid8, const OCTETSTRING& p_issuer, const OCTETSTRING& p_private_enc_key, const OCTETSTRING& p_public_enc_key_x, const OCTETSTRING& p_public_enc_key_y, const OCTETSTRING& p_public_enc_compressed_key, const INTEGER& p_public_enc_key_compressed_mode) { loggers::get_instance().log_msg(">>> security_services::store_certificate: ", p_cert_id); // Sanity checks @@ -76,7 +76,7 @@ int security_services::store_certificate(const CHARSTRING& p_cert_id, const OCTE loggers::get_instance().warning("security_services::store_certificate: Not initialised"); return -1; } - return _security_db.get()->store_certificate(p_cert_id, p_cert, p_private_key, p_public_key_x, p_public_key_y, p_public_comp_key, p_public_comp_key_mode, p_hash, p_hashid8, p_issuer, p_private_enc_key, p_public_enc_key_x, p_public_enc_key_y, p_public_enc_compressed_key, p_public_enc_key_compressed_mode); + return _security_db.get()->store_certificate(p_cert_id, p_cert, p_private_key, p_public_key_x, p_public_key_y, p_public_comp_key, p_public_comp_key_mode, p_hash, p_hash_sha_256, p_hashid8, p_issuer, p_private_enc_key, p_public_enc_key_x, p_public_enc_key_y, p_public_enc_compressed_key, p_public_enc_key_compressed_mode); } int security_services::verify_and_extract_gn_payload(const OCTETSTRING& p_secured_gn_payload, const bool p_verify, IEEE1609dot2::Ieee1609Dot2Data& p_ieee_1609dot2_data, OCTETSTRING& p_unsecured_gn_payload, params& p_params) { @@ -1234,11 +1234,13 @@ int security_services::extract_encryption_keys(const IEEE1609dot2::CertificateBa return -1; } loggers::get_instance().log_msg("security_services::extract_and_store_certificate: Encoded certificate=", enc_cert); + OCTETSTRING hash_cert_sha_256; + hash_sha256(enc_cert, hash_cert_sha_256); + loggers::get_instance().log_msg("security_services::extract_and_store_certificate: hash_cert_sha_256= ", hash_cert_sha_256); int result = -1; if (p_certificate.issuer().ischosen(IEEE1609dot2::IssuerIdentifier::ALT_sha256AndDigest)) { // Calculate the hash according to the hashId - OCTETSTRING hash_cert; - hash_sha256(enc_cert, hash_cert); + OCTETSTRING hash_cert(hash_cert_sha_256); loggers::get_instance().log_msg("security_services::extract_and_store_certificate: hash_cert= ", hash_cert); const OCTETSTRING hashed_id8 = substr(hash_cert, hash_cert.lengthof() - 8, 8); // Retrieve the certificate identifier from digest @@ -1274,6 +1276,7 @@ int security_services::extract_encryption_keys(const IEEE1609dot2::CertificateBa public_comp_key, public_comp_key_mode, hash_cert, + hash_cert_sha_256, hashed_id8, p_certificate.issuer().sha256AndDigest(), OCTETSTRING(0, nullptr), // Encryption private not used @@ -1323,6 +1326,7 @@ int security_services::extract_encryption_keys(const IEEE1609dot2::CertificateBa public_comp_key, public_comp_key_mode, hash_cert, + hash_cert_sha_256, hashed_id8, p_certificate.issuer().sha384AndDigest(), OCTETSTRING(0, nullptr), // Encryption private not used @@ -1353,6 +1357,10 @@ int security_services::read_certificate_hash(const CHARSTRING& p_certificate_id, return _security_db.get()->get_hash(std::string(static_cast(p_certificate_id)), p_hash); } +int security_services::read_certificate_hash_sha_256(const CHARSTRING& p_certificate_id, OCTETSTRING& p_hash) const { + return _security_db.get()->get_hash_sha_256(std::string(static_cast(p_certificate_id)), p_hash); +} + int security_services::read_certificate_from_digest(const OCTETSTRING& p_digest, CHARSTRING& p_certificate_id) const { std::string certificate_id; if (_security_db.get()->get_certificate_id(p_digest, certificate_id) != -1) { diff --git a/ccsrc/Protocols/Security/security_services.hh b/ccsrc/Protocols/Security/security_services.hh index ff280bf663b39a27dd3e64feebf0dd062694604d..384ed5fbf2e3b2e74ee683c41beb9d95441aad4e 100644 --- a/ccsrc/Protocols/Security/security_services.hh +++ b/ccsrc/Protocols/Security/security_services.hh @@ -102,13 +102,14 @@ public: /*! \publicsection */ int setup(params &p_params); - int store_certificate(const CHARSTRING& p_cert_id, const OCTETSTRING& p_cert, const OCTETSTRING& p_private_key, const OCTETSTRING& p_public_key_x, const OCTETSTRING& p_public_key_y, const OCTETSTRING& p_public_comp_key, const INTEGER& p_public_comp_key_mode, const OCTETSTRING& p_hash, const OCTETSTRING& p_hashid8, const OCTETSTRING& p_issuer, const OCTETSTRING& p_private_enc_key, const OCTETSTRING& p_public_enc_key_x, const OCTETSTRING& p_public_enc_key_y, const OCTETSTRING& p_public_enc_compressed_key, const INTEGER& p_public_enc_key_compressed_mode); + int store_certificate(const CHARSTRING& p_cert_id, const OCTETSTRING& p_cert, const OCTETSTRING& p_private_key, const OCTETSTRING& p_public_key_x, const OCTETSTRING& p_public_key_y, const OCTETSTRING& p_public_comp_key, const INTEGER& p_public_comp_key_mode, const OCTETSTRING& p_hash, const OCTETSTRING& p_hash_sha_256, const OCTETSTRING& p_hashid8, const OCTETSTRING& p_issuer, const OCTETSTRING& p_private_enc_key, const OCTETSTRING& p_public_enc_key_x, const OCTETSTRING& p_public_enc_key_y, const OCTETSTRING& p_public_enc_compressed_key, const INTEGER& p_public_enc_key_compressed_mode); inline void set_position(const int p_latitude, const int p_longitude, const int p_elevation = 0) { _latitude = p_latitude; _longitude = p_longitude; _elevation = p_elevation; }; int read_certificate(const CHARSTRING& p_certificate_id, OCTETSTRING& p_certificate) const; int read_certificate_digest(const CHARSTRING& p_certificate_id, OCTETSTRING& p_digest) const; int read_certificate_hash(const CHARSTRING& p_certificate_id, OCTETSTRING& p_hash) const; + int read_certificate_hash_sha_256(const CHARSTRING& p_certificate_id, OCTETSTRING& p_hash) const; int read_certificate_from_digest(const OCTETSTRING& p_digest, CHARSTRING& p_certificate_id) const; int read_certificate_from_hashed_id3(const OCTETSTRING& p_digest, CHARSTRING& p_certificate_id) const; int read_private_key(const CHARSTRING& p_certificate_id, OCTETSTRING& p_private_key) const; diff --git a/etc/AtsPki/AtsPki_Cnit.cfg_ b/etc/AtsPki/AtsPki_Cnit.cfg_ index dfc0ce3b909952f964accba1a23b1699962c6320..c16a34b0f6df54d099844a4923275f08230654c1 100644 --- a/etc/AtsPki/AtsPki_Cnit.cfg_ +++ b/etc/AtsPki/AtsPki_Cnit.cfg_ @@ -9,19 +9,28 @@ LibItsSecurity_Pixits.PX_CERTIFICATE_POOL_PATH := "/home/vagrant/tmp" LibItsSecurity_Pixits.PX_IUT_SEC_CONFIG_NAME := "asn1c_cert" LibItsHttp_Pics.PICS_HEADER_CONTENT_TYPE := "application/x-its-request" -LibItsHttp_Pics.PICS_HEADER_HOST := "etsi-dc-noes.labtlclivorno.it" #192.168.171.18 -LibItsPki_Pics.PICS_HTTP_POST_URI_EC :="/dc/ea/validate" -LibItsPki_Pics.PICS_HTTP_POST_URI_AT :="/dc/aa" -LibItsPki_Pics.PICS_HTTP_POST_URI_ATV :="/dc" +LibItsHttp_Pics.PICS_HEADER_HOST := "etsi-dc-noes.labtlclivorno.it" -LibItsPki_Pics.PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY := '5C25F97607DFC62972A147FAD8B7A7C939569F0F95ECD4C641724A68B51836E5'O -LibItsPki_Pics.PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY := '020144E5174B0AFDA86BDB8B643B68D40030F5BDB9A9F090C64852CC3C20C9D5AD'O -LibItsPki_Pics.PICS_ITS_S_CANONICAL_ID := '1B4CA1210123AE900BBE6C3EBAE7E87DA20DBDAB1E7B2EC0691C51C1021900AA'O -LibItsPki_Pics.PICS_TS_EA_CERTIFICATE_ID := "CERT_CNIT_EA" -LibItsPki_Pics.PICS_TS_AA_CERTIFICATE_ID := "CERT_CNIT_AA" +LibItsPki_Pics.PICS_HTTP_POST_URI_EC :="/dc/ea" +LibItsPki_Pics.PICS_HTTP_POST_URI_AT :="/dc/aa" +LibItsPki_Pics.PICS_HTTP_POST_URI_ATV :="/dc/ea/validate" -LibItsPki_Pixits.PICS_PKI_AUTH_POP := false # Not private key available +#LibItsPki_Pics.PICS_ITS_S_WITH_PRIVACY := false +LibItsPki_Pics.PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY := '5C25F97607DFC62972A147FAD8B7A7C939569F0F95ECD4C641724A68B51836E5'O +LibItsPki_Pics.PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY := '020144E5174B0AFDA86BDB8B643B68D40030F5BDB9A9F090C64852CC3C20C9D5AD'O +LibItsPki_Pics.PICS_ITS_S_CANONICAL_ID := '455453492D4954532D303031'O + +LibItsPki_Pics.PICS_TS_EA_CERTIFICATE_ID := "CERT_CNIT_EA" +LibItsPki_Pics.PICS_TS_AA_CERTIFICATE_ID := "CERT_TS_A_AA" +LibItsPki_Pics.PICS_IUT_AA_CERTIFICATE_ID := "CERT_CNIT_AA" +LibItsPki_Pics.PICS_TS_CA_CERTIFICATE_ID := "CERT_CNIT_RCA" + +#LibItsPki_Pics.PICS_PKI_AUTH_POP := false # Do not use Signed for PoP in Authorization requet + # Required for SECPKI_AA_AUTH_RCV_02_BV +#LibItsPki_Pics.PICS_SECPKI_REENROLMENT := false # Check in logs the pattern '==> EC ' to find the required information for re-enrolment + +#LibItsPki_Pixits.PX_INCLUDE_ENCRYPTION_KEYS := false # No encryption key in Authorization request LibItsPki_Pics.PICS_SECPKI_REENROLMENT := false LibItsPki_Pixits.PX_EC_PRIVATE_KEY := '73AD688448117EFF50BCB044AA9CFD7932023B7A2C62887A1D3B99FED2B5237C'O @@ -46,32 +55,113 @@ LogEventTypes:= Yes system.httpPort.params := "HTTP(codecs=http_its:http_etsi_ieee1609dot2_codec)/TCP(debug=1,server=etsi-dc-noes.labtlclivorno.it)" [EXECUTE] -# The EnrolmentResponse message shall be sent by the EA to the ITS-S across the interface at reference point S3 in response -# to a received EnrolmentRequest message +# The EnrolmentResponse message shall be sent by the EA to the ITS-S across the interface at reference point S3 in response to a received EnrolmentRequest message #ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_01_BV -# Check that EA doesn't accept Enrolment rekeying request when enrolment is not permitted by signing certificate -#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_02_BI -# The EnrolmentResponse message shall be encrypted using an ETSI TS 103 097 approved algorithm and the encryption shall be -#done with the same AES key as the one used by the ITS-S requestor for the encryption of the EnrolmentRequest message. +# Check that EA doesn't accept Enrolment rekeying request when enrolment is not permitted by signing certificate (not containing an item of type PsidSsp) +#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_02_BI_01 +# Check that EA doesn't accept Enrolment rekeying request when enrolment is not permitted by signing certificate (containing opaque[0] (version) indicating other value than 1) +#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_02_BI_02 +# Check that EA doesn't accept Enrolment rekeying request when enrolment is not permitted by signing certificate (containing opaque[1] (value) indicating "Enrolment Request" (bit 1) set to 0) +#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_02_BI_03 + +# Enroll an ITS-Station, but with a canonical-ID, that is not registered. +#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_05_BI +# Enroll the ITS-Station, but the CSR re-quests more permissions than the issuer allows, i.e. request for security management SSP bit which is not set in the EA SSP +#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_06_BI +# Enroll the ITS-Station, but the CSR requests a AID permission that the issuer does not allow, i.e. request for CAM AID +#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_07_BI +# Enroll the ITS-Station, but the expiring date of the CSR is before the start date of the EA +#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_08_BI +# Enroll the ITS-Station, but the start date of the CSR is before the start date of the EA +#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_09_BI +# Enroll the ITS-Station, but the expiring date of the CSR is after the expiring date of the EA +#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_10_BI +# Enroll the ITS-Station, but the start date of the CSR is after the expiring date of the EA +#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_11_BI +# Enroll the ITS-Station, but the lifetime of the EC would be grater than allowed (considering values in C-ITS CP) +#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_12_BI +# Enroll the ITS-Station, but the inner PoP signature in the CSR, created with the EC private key, can not be verified with the provided public key +#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_13_BI + +# The EnrolmentResponse message shall be encrypted using an ETSI TS 103 097 approved algorithm and the encryption shall be done with the same AES key as the one used by the ITS-S requestor for the encryption of the EnrolmentRequest message. #ItsPki_TestCases.TC_SECPKI_EA_ENR_01_BV +# The EnrolmentResponse message shall be encrypted using an ETSI TS 103 097 approved algorithm and the encryption shall be done with the same AES key as the one used by the ITS-S requestor for the encryption of the EnrolmentRequest message. #ItsPki_TestCases.TC_SECPKI_EA_ENR_02_BV +# The outermost structure is an EtsiTs103097Data-Encrypted structure containing the component recipients containing one instance of RecipientInfo of choice pskRecipInfo, which contains the HashedId8 of the symmetric key used by the ITS-S to encrypt the EnrolmentRequest message to which the response is built and containing the component ciphertext, once decrypted, contains an EtsiTs103097Data-Signed structure #ItsPki_TestCases.TC_SECPKI_EA_ENR_03_BV +# If the ITS-S has been able to decrypt the content, this expected EtsiTs103097Data-Signed structure shall contain hashId, tbsData, signer and signature. The hashId shall indicate the hash algorithm to be used as specified in ETSI TS 103 097, the signer shall be declared as a digest, containing the HashedId8 of the EA certificate and the signature over tbsData shall be computed using the EA private key corresponding to its publicVerificationKey found in the referenced EA certificate #ItsPki_TestCases.TC_SECPKI_EA_ENR_04_BV +# Within the headerInfo of the tbsData, the psid shall be set to secured certificate request as assigned in ETSI TS 102 965 and the generationTime shall be present #ItsPki_TestCases.TC_SECPKI_EA_ENR_05_BV +# Within the headerInfo of the tbsData, aside from psid and generationTime, all other components of the component tbsData.headerInfo not used and absent #ItsPki_TestCases.TC_SECPKI_EA_ENR_06_BV +# The EtsiTS102941Data shall contain the version set to v1 (integer value set to 1) and the content set to InnerECResponse #ItsPki_TestCases.TC_SECPKI_EA_ENR_07_BV -#ItsPki_TestCases.TC_SECPKI_EA_ENR_01_BV +# The InnerECResponse shall contain the requestHash, which is the left-most 16 octets of the SHA256 digest of the EtsiTs103097Data - Signed structure received in the request and a responseCode indicating the result of the request #ItsPki_TestCases.TC_SECPKI_EA_ENR_08_BV +# If the responseCode is 0, the InnerECResponse shall also contain an (enrolment) certificate #ItsPki_TestCases.TC_SECPKI_EA_ENR_09_BV +# If the responseCode is different than 0, the InnerECResponse shall not contain a certificate #ItsPki_TestCases.TC_SECPKI_EA_ENR_10_BV +# Check that signing of Enrolment response message is permitted by the EA certificate #ItsPki_TestCases.TC_SECPKI_EA_ENR_11_BV +# Check that generated EC certificate contains only allowed permissions +#ItsPki_TestCases.TC_SECPKI_EA_ENR_12_BV -# The AuthorizationValidationResponse message shall be sent by the EA to the AA across the interface at reference point S4 -#in response to a received AuthorizationValidationRequest message -ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_RCV_01_BV +# The AuthorizationValidationResponse message shall be sent by the EA to the AA across the interface at reference point S4 in response to a received AuthorizationValidationRequest message +#ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_RCV_01_BV +# Check that EA doesn't accept Authorization Validation Request when SharedAtRequest is signed with certificate without appropriate permissions +ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_RCV_02_BI +# The EtsiTs103097Data-Encrypted is build with the component recipients containing one instance of RecipientInfo of choice pskRecipInfo, which contains the HashedId8 of the symmetric key used by the ITS-S to encrypt the AuthorizationRequest message to which the response is built and the component ciphertext containing the encrypted representation of the EtsiTs103097Data-Signed. The encryption uses a ETSI TS 103 097 [3] approved algorithm +#ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_01_BV +# To read an authorization validation response, the AA shall receive an EtsiTs103097Data-Encrypted structure, containing a EtsiTs103097Data-Signed structure, containing a EtsiTs102941Data structure, containing an AuthorizationValidationResponse structure +#ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_02_BV +# The AuthorizationValidationResponse structure contains the requestHash being the left-most 16 octets of the SHA256 digest of the EtsiTs103097Data-Signed structure received in the AuthorizationValidationRequest and a responseCode +#ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_03_BV +# If the responseCode is 0, the AuthorizationValidationResponse structure contains the component confirmedSubjectAttributes with the attributes the EA wishes to confirm, except for certIssuePermissions which is not allowed to be present +#ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_04_BV +# If the responseCode is different than 0, the AuthorizationValidationResponse structure does not contain the component confirmedSubjectAttributes +#ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_05_BV +# The component version of the EtsiTs102941Data structure is set to v1 (integer value set to 1) +#ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_06_BV + +# Check that the EA/AA is able to decrypt the AuthorizationRequest message using the encryption private key corresponding to the recipient certificate... #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_01_BV +# Check that the AA is able to decrypt the AuthorizationRequest message using the encryption private key corresponding to the recipient certificate... +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_02_BV +# Check that the AA skips the AuthorizationRequest message if it is not addressed to this AA +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_03_BI +# Check that the AA skips the AuthorizationRequest message if it unable to decrypt the encKey +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_04_BI +# Check that the AA skips the AuthorizationRequest message if it unable to decrypt the encKey +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_05_BI +# Check that the AA rejects the AuthorizationRequest message if it unable to verify the POP signature +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_06_BI +# Check that the AA rejects the AuthorizationRequest message if it unable to verify the integrity of the request using hmacKey +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_07_BI +# Send a correctly encoded AT request, but the ITS-Station is not enrolled at the EA +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_08_BI +# Send an AT request, but the inner signer (valid EC) is not issued by the EA which is known / trusted by the AA. The AA trusts only EAs listet on the RCA-CTL +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_09_BI +# Send an AT request, but the generation time of the CSR is in the past +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_10_BI +# Send an AT request, but the generation time of the CSR is in the future +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_11_BI +# Send an AT request, but the expiry date of the CSR is before the start date of the EC +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_12_BI +# Send an AT request, but the start date of the CSR is before the start date of the EC +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_13_BI +# Send an AT request, but the expiry date of the CSR is after the expiry date of the EC +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_14_BI +# Send an AT request, but the start date of the CSR is after the expiring date of the EC +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_15_BI +# Send an AT request, but the expiry date of the CSR is after now + maximum pre-loading period (considering values in C-ITS CP) +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_16_BI + +# Check that the AA sends AuthorizationValidationRequest after receiving of the AuthorizationRequest +#ItsPki_TestCases.TC_SECPKI_AA_AUTHVAL_01_BV [MAIN_CONTROLLER] # The options herein control the behavior of MC. diff --git a/etc/AtsPki/AtsPki_Idnomic.cfg_ b/etc/AtsPki/AtsPki_Idnomic.cfg_ index 154279dfc49750cf04d79ab646bcfe77a7e10bf8..44ae19b132a1289f6c88f98cba5421f34d4d8cba 100644 --- a/etc/AtsPki/AtsPki_Idnomic.cfg_ +++ b/etc/AtsPki/AtsPki_Idnomic.cfg_ @@ -11,9 +11,9 @@ LibItsSecurity_Pixits.PX_IUT_SEC_CONFIG_NAME := "asn1c_cert" LibItsHttp_Pics.PICS_HEADER_CONTENT_TYPE := "application/x-its-request" LibItsPki_Pics.PICS_MULTIPLE_END_POINT := true -LibItsPki_Pics.PICS_HEADER_HOST_EC := "ea.utopia.plugtests2019.innovation.keynectis.net" -LibItsPki_Pics.PICS_HEADER_HOST_ATV := "ea.utopia.plugtests2019.innovation.keynectis.net" -LibItsPki_Pics.PICS_HEADER_HOST_AT := "aa.utopia.plugtests2019.innovation.keynectis.net" +LibItsPki_Pics.PICS_HEADER_HOST_EC := "ea.utopia.plugtests2019.innovation.keynectis.net" +LibItsPki_Pics.PICS_HEADER_HOST_ATV := "ea.utopia.plugtests2019.innovation.keynectis.net" +LibItsPki_Pics.PICS_HEADER_HOST_AT := "aa.utopia.plugtests2019.innovation.keynectis.net" LibItsPki_Pics.PICS_HTTP_POST_URI_EC := "/" LibItsPki_Pics.PICS_HTTP_POST_URI_AT := "/" @@ -21,9 +21,10 @@ LibItsPki_Pics.PICS_HTTP_POST_URI_ATV := "/" LibItsPki_Pics.PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY := '5C25F97607DFC62972A147FAD8B7A7C939569F0F95ECD4C641724A68B51836E5'O LibItsPki_Pics.PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY := '020144E5174B0AFDA86BDB8B643B68D40030F5BDB9A9F090C64852CC3C20C9D5AD'O LibItsPki_Pics.PICS_ITS_S_CANONICAL_ID := '455453492D4954532D303031'O + LibItsPki_Pics.PICS_TS_EA_CERTIFICATE_ID := "CERT_IDNOMIC_EA" -LibItsPki_Pics.PICS_TS_AA_CERTIFICATE_ID := "CERT_IUT_A_AA" # "CERT_IUT_A_AA" is the wrong one, should be "CERT_TS_A_AA"? -LibItsPki_Pics.PICS_IUT_AA_CERTIFICATE_ID := "CERT_IDNOMIC_AA" +LibItsPki_Pics.PICS_TS_AA_CERTIFICATE_ID := "CERT_TS_A_AA" +LibItsPki_Pics.PICS_IUT_AA_CERTIFICATE_ID := "CERT_IDNOMIC_AA2" LibItsPki_Pics.PICS_TS_CA_CERTIFICATE_ID := "CERT_IDNOMIC_RCA" #LibItsPki_Pics.PICS_PKI_AUTH_POP := false # Do not use Signed for PoP in Authorization requet @@ -32,9 +33,11 @@ LibItsPki_Pics.PICS_TS_CA_CERTIFICATE_ID := "CERT_IDNOMIC_RCA" #LibItsPki_Pixits.PX_INCLUDE_ENCRYPTION_KEYS := false # No encryption key in Authorization request -#LibItsPki_Pixits.PX_VE_ALG := e_nist_p256 # e_brainpool_p256_r1 or e_brainpool_p384_r1 -LibItsPki_Pixits.PX_EC_ALG_FOR_EC := e_brainpool_p256_r1 # e_nist_p256, e_brainpool_p256_r1 -LibItsPki_Pixits.PX_EC_ALG_FOR_AT := e_brainpool_p256_r1 # e_nist_p256, e_brainpool_p256_r1 +#LibItsPki_Pixits.PX_VE_ALG := e_brainpool_p256_r1 # e_nist_p256, e_brainpool_p256_r1 or e_brainpool_p384_r1 +#LibItsPki_Pixits.PX_EC_ALG_FOR_EC := e_brainpool_p256_r1 # e_nist_p256, e_brainpool_p256_r1 +#LibItsPki_Pixits.PX_EC_ALG_FOR_ATV := e_brainpool_p256_r1 # e_nist_p256, e_brainpool_p256_r1 +#LibItsPki_Pixits.PX_EC_ALG_FOR_EC_SIGN := e_brainpool_p256_r1 # e_nist_p256, e_brainpool_p256_r1 +LibItsPki_Pixits.PX_EC_ALG_FOR_AT := e_brainpool_p256_r1 # e_nist_p256, e_brainpool_p256_r1 #LibItsPki_Pixits.PX_EC_PRIVATE_KEY := '170D1EA638C300BD16F0025768C0F1FAA6BE23963E46AD10F79103914265D294'O #LibItsPki_Pixits.PX_EC_HASH := 'DFEFC2A74C8ADD0C8B74B958EE072229D25DEAAAE30D134193D091890E8F3C2C'O @@ -64,64 +67,111 @@ system.httpAtPort.params := "HTTP(codecs=http_its:http_etsi_ieee1609dot2_codec)/ [EXECUTE] # The EnrolmentResponse message shall be sent by the EA to the ITS-S across the interface at reference point S3 in response to a received EnrolmentRequest message -ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_01_BV -# Check that EA doesn't accept Enrolment rekeying request when enrolment is not permitted by signing certificate -#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_02_BI +#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_01_BV + +# Check that EA doesn't accept Enrolment rekeying request when enrolment is not permitted by signing certificate (not containing an item of type PsidSsp) +#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_02_BI_01 +# Check that EA doesn't accept Enrolment rekeying request when enrolment is not permitted by signing certificate (containing opaque[0] (version) indicating other value than 1) +#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_02_BI_02 +# Check that EA doesn't accept Enrolment rekeying request when enrolment is not permitted by signing certificate (containing opaque[1] (value) indicating "Enrolment Request" (bit 1) set to 0) +#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_02_BI_03 + +# Enroll an ITS-Station, but with a canonical-ID, that is not registered. #ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_05_BI +# Enroll the ITS-Station, but the CSR re-quests more permissions than the issuer allows, i.e. request for security management SSP bit which is not set in the EA SSP #ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_06_BI +# Enroll the ITS-Station, but the CSR requests a AID permission that the issuer does not allow, i.e. request for CAM AID #ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_07_BI +# Enroll the ITS-Station, but the expiring date of the CSR is before the start date of the EA #ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_08_BI -#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_08_BI +# Enroll the ITS-Station, but the start date of the CSR is before the start date of the EA #ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_09_BI +# Enroll the ITS-Station, but the expiring date of the CSR is after the expiring date of the EA #ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_10_BI +# Enroll the ITS-Station, but the start date of the CSR is after the expiring date of the EA #ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_11_BI +# Enroll the ITS-Station, but the lifetime of the EC would be grater than allowed (considering values in C-ITS CP) #ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_12_BI +# Enroll the ITS-Station, but the inner PoP signature in the CSR, created with the EC private key, can not be verified with the provided public key #ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_13_BI # The EnrolmentResponse message shall be encrypted using an ETSI TS 103 097 approved algorithm and the encryption shall be done with the same AES key as the one used by the ITS-S requestor for the encryption of the EnrolmentRequest message. #ItsPki_TestCases.TC_SECPKI_EA_ENR_01_BV +# The EnrolmentResponse message shall be encrypted using an ETSI TS 103 097 approved algorithm and the encryption shall be done with the same AES key as the one used by the ITS-S requestor for the encryption of the EnrolmentRequest message. #ItsPki_TestCases.TC_SECPKI_EA_ENR_02_BV +# The outermost structure is an EtsiTs103097Data-Encrypted structure containing the component recipients containing one instance of RecipientInfo of choice pskRecipInfo, which contains the HashedId8 of the symmetric key used by the ITS-S to encrypt the EnrolmentRequest message to which the response is built and containing the component ciphertext, once decrypted, contains an EtsiTs103097Data-Signed structure #ItsPki_TestCases.TC_SECPKI_EA_ENR_03_BV +# If the ITS-S has been able to decrypt the content, this expected EtsiTs103097Data-Signed structure shall contain hashId, tbsData, signer and signature. The hashId shall indicate the hash algorithm to be used as specified in ETSI TS 103 097, the signer shall be declared as a digest, containing the HashedId8 of the EA certificate and the signature over tbsData shall be computed using the EA private key corresponding to its publicVerificationKey found in the referenced EA certificate #ItsPki_TestCases.TC_SECPKI_EA_ENR_04_BV +# Within the headerInfo of the tbsData, the psid shall be set to secured certificate request as assigned in ETSI TS 102 965 and the generationTime shall be present #ItsPki_TestCases.TC_SECPKI_EA_ENR_05_BV +# Within the headerInfo of the tbsData, aside from psid and generationTime, all other components of the component tbsData.headerInfo not used and absent #ItsPki_TestCases.TC_SECPKI_EA_ENR_06_BV +# The EtsiTS102941Data shall contain the version set to v1 (integer value set to 1) and the content set to InnerECResponse #ItsPki_TestCases.TC_SECPKI_EA_ENR_07_BV +# The InnerECResponse shall contain the requestHash, which is the left-most 16 octets of the SHA256 digest of the EtsiTs103097Data - Signed structure received in the request and a responseCode indicating the result of the request #ItsPki_TestCases.TC_SECPKI_EA_ENR_08_BV +# If the responseCode is 0, the InnerECResponse shall also contain an (enrolment) certificate #ItsPki_TestCases.TC_SECPKI_EA_ENR_09_BV -#ItsPki_TestCases.TC_SECPKI_EA_ENR_10_BV +# If the responseCode is different than 0, the InnerECResponse shall not contain a certificate +ItsPki_TestCases.TC_SECPKI_EA_ENR_10_BV +# Check that signing of Enrolment response message is permitted by the EA certificate #ItsPki_TestCases.TC_SECPKI_EA_ENR_11_BV +# Check that generated EC certificate contains only allowed permissions #ItsPki_TestCases.TC_SECPKI_EA_ENR_12_BV -# -#ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_RCV_01_BV +# The AuthorizationValidationResponse message shall be sent by the EA to the AA across the interface at reference point S4 in response to a received AuthorizationValidationRequest message +ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_RCV_01_BV +# Check that EA doesn't accept Authorization Validation Request when SharedAtRequest is signed with certificate without appropriate permissions #ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_RCV_02_BI -# +# The EtsiTs103097Data-Encrypted is build with the component recipients containing one instance of RecipientInfo of choice pskRecipInfo, which contains the HashedId8 of the symmetric key used by the ITS-S to encrypt the AuthorizationRequest message to which the response is built and the component ciphertext containing the encrypted representation of the EtsiTs103097Data-Signed. The encryption uses a ETSI TS 103 097 [3] approved algorithm #ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_01_BV +# To read an authorization validation response, the AA shall receive an EtsiTs103097Data-Encrypted structure, containing a EtsiTs103097Data-Signed structure, containing a EtsiTs102941Data structure, containing an AuthorizationValidationResponse structure #ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_02_BV +# The AuthorizationValidationResponse structure contains the requestHash being the left-most 16 octets of the SHA256 digest of the EtsiTs103097Data-Signed structure received in the AuthorizationValidationRequest and a responseCode #ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_03_BV +# If the responseCode is 0, the AuthorizationValidationResponse structure contains the component confirmedSubjectAttributes with the attributes the EA wishes to confirm, except for certIssuePermissions which is not allowed to be present #ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_04_BV -#ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_05_BV +# If the responseCode is different than 0, the AuthorizationValidationResponse structure does not contain the component confirmedSubjectAttributes +ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_05_BV +# The component version of the EtsiTs102941Data structure is set to v1 (integer value set to 1) #ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_06_BV -#ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_07_BV -# +# Check that the EA/AA is able to decrypt the AuthorizationRequest message using the encryption private key corresponding to the recipient certificate... #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_01_BV +# Check that the AA is able to decrypt the AuthorizationRequest message using the encryption private key corresponding to the recipient certificate... #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_02_BV +# Check that the AA skips the AuthorizationRequest message if it is not addressed to this AA #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_03_BI +# Check that the AA skips the AuthorizationRequest message if it unable to decrypt the encKey #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_04_BI +# Check that the AA skips the AuthorizationRequest message if it unable to decrypt the encKey #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_05_BI +# Check that the AA rejects the AuthorizationRequest message if it unable to verify the POP signature #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_06_BI +# Check that the AA rejects the AuthorizationRequest message if it unable to verify the integrity of the request using hmacKey #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_07_BI +# Send a correctly encoded AT request, but the ITS-Station is not enrolled at the EA #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_08_BI +# Send an AT request, but the inner signer (valid EC) is not issued by the EA which is known / trusted by the AA. The AA trusts only EAs listet on the RCA-CTL #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_09_BI +# Send an AT request, but the generation time of the CSR is in the past #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_10_BI +# Send an AT request, but the generation time of the CSR is in the future #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_11_BI +# Send an AT request, but the expiry date of the CSR is before the start date of the EC #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_12_BI +# Send an AT request, but the start date of the CSR is before the start date of the EC #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_13_BI +# Send an AT request, but the expiry date of the CSR is after the expiry date of the EC #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_14_BI +# Send an AT request, but the start date of the CSR is after the expiring date of the EC +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_15_BI +# Send an AT request, but the expiry date of the CSR is after now + maximum pre-loading period (considering values in C-ITS CP) +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_16_BI -# +# Check that the AA sends AuthorizationValidationRequest after receiving of the AuthorizationRequest #ItsPki_TestCases.TC_SECPKI_AA_AUTHVAL_01_BV [MAIN_CONTROLLER] diff --git a/etc/AtsPki/AtsPki_Iss.cfg_ b/etc/AtsPki/AtsPki_Iss.cfg_ new file mode 100644 index 0000000000000000000000000000000000000000..8fc6452aee23b6b6571aa2fa30c3c9ed9b7e04d5 --- /dev/null +++ b/etc/AtsPki/AtsPki_Iss.cfg_ @@ -0,0 +1,134 @@ +[MODULE_PARAMETERS] +# This section shall contain the values of all parameters that are defined in your TTCN-3 modules. + +# Enable Security support +LibItsGeoNetworking_Pics.PICS_GN_SECURITY := true +# Root path to access certificate stored in files, identified by certficate ID +LibItsSecurity_Pixits.PX_CERTIFICATE_POOL_PATH := "/home/vagrant/tmp" +# Configuration sub-directory to access certificate stored in files +LibItsSecurity_Pixits.PX_IUT_SEC_CONFIG_NAME := "asn1c_cert" + +LibItsHttp_Pics.PICS_HEADER_CONTENT_TYPE := "application/x-its-request" + +LibItsPki_Pics.PICS_MULTIPLE_END_POINT := true +LibItsPki_Pics.PICS_HEADER_HOST_EC := "ea.dev.au.c2x.isscms.com" +LibItsPki_Pics.PICS_HEADER_HOST_ATV := "ea.dev.au.c2x.isscms.com" +LibItsPki_Pics.PICS_HEADER_HOST_AT := "aa.dev.au.c2x.isscms.com" + +LibItsPki_Pics.PICS_HTTP_POST_URI_EC := "/" +LibItsPki_Pics.PICS_HTTP_POST_URI_AT := "/" +LibItsPki_Pics.PICS_HTTP_POST_URI_ATV := "/" +LibItsPki_Pics.PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY := '5C25F97607DFC62972A147FAD8B7A7C939569F0F95ECD4C641724A68B51836E5'O +LibItsPki_Pics.PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY := '020144E5174B0AFDA86BDB8B643B68D40030F5BDB9A9F090C64852CC3C20C9D5AD'O +LibItsPki_Pics.PICS_ITS_S_CANONICAL_ID := '455453492D4954532D303031'O + +LibItsPki_Pics.PICS_TS_EA_CERTIFICATE_ID := "CERT_ISS_EA" +LibItsPki_Pics.PICS_TS_AA_CERTIFICATE_ID := "CERT_TS_A_AA" +LibItsPki_Pics.PICS_IUT_AA_CERTIFICATE_ID := "CERT_ISS_AA" +LibItsPki_Pics.PICS_TS_CA_CERTIFICATE_ID := "CERT_ISS_RCA" + +#LibItsPki_Pics.PICS_PKI_AUTH_POP := false # Do not use Signed for PoP in Authorization requet + # Required for SECPKI_AA_AUTH_RCV_02_BV +#LibItsPki_Pics.PICS_SECPKI_REENROLMENT := false # Check in logs the pattern '==> EC ' to find the required information for re-enrolment + +#LibItsPki_Pixits.PX_INCLUDE_ENCRYPTION_KEYS := false # No encryption key in Authorization request + +#LibItsPki_Pixits.PX_VE_ALG := e_nist_p256 # e_brainpool_p256_r1 or e_brainpool_p384_r1 +#LibItsPki_Pixits.PX_EC_ALG_FOR_EC := e_brainpool_p256_r1 # e_nist_p256, e_brainpool_p256_r1 +#LibItsPki_Pixits.PX_EC_ALG_FOR_AT := e_brainpool_p256_r1 # e_nist_p256, e_brainpool_p256_r1 + +#LibItsPki_Pixits.PX_EC_PRIVATE_KEY := '170D1EA638C300BD16F0025768C0F1FAA6BE23963E46AD10F79103914265D294'O +#LibItsPki_Pixits.PX_EC_HASH := 'DFEFC2A74C8ADD0C8B74B958EE072229D25DEAAAE30D134193D091890E8F3C2C'O +#LibItsPki_Pixits.PX_EC_HASHED_ID8 := '93D091890E8F3C2C'O + +[LOGGING] +# In this section you can specify the name of the log file and the classes of events +# you want to log into the file or display on console (standard error). + +LogFile := "../logs/%e.%h-%r.%s" +FileMask := LOG_ALL | USER | DEBUG | MATCHING +ConsoleMask := LOG_ALL | USER | DEBUG | MATCHING +#FileMask := ERROR | WARNING | USER | MATCHING | EXECUTOR_RUNTIME | VERDICTOP +#ConsoleMask := ERROR | WARNING | USER | MATCHING | EXECUTOR_RUNTIME | VERDICTOP +LogSourceInfo := Stack +LogEntityName:= Yes +LogEventTypes:= Yes +#TimeStampFormat := DateTime + +[TESTPORT_PARAMETERS] +# Multiple HTTP component ports +system.httpEcPort.params := "HTTP(codecs=http_its:http_etsi_ieee1609dot2_codec)/TCP(server=ea.dev.au.c2x.isscms.com)" +system.httpAtVPort.params := "HTTP(codecs=http_its:http_etsi_ieee1609dot2_codec)/TCP(server=ea.dev.au.c2x.isscms.com)" +#system.httpAtVPort.params := "HTTP(codecs=http_its:http_etsi_ieee1609dot2_codec)/TCP(debug=1,server_mode=1,server=192.168.1.41,local_port=80)" # Multiple HTTP component ports specific to TC_SECPKI_AA_AUTHVAL_xx +system.httpAtPort.params := "HTTP(codecs=http_its:http_etsi_ieee1609dot2_codec)/TCP(server=aa.dev.au.c2x.isscms.com)" + + +[EXECUTE] +# The EnrolmentResponse message shall be sent by the EA to the ITS-S across the interface at reference point S3 in response to a received EnrolmentRequest message +ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_01_BV +# Check that EA doesn't accept Enrolment rekeying request when enrolment is not permitted by signing certificate +#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_02_BI +#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_05_BI +#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_06_BI +#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_07_BI +#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_08_BI +#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_08_BI +#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_09_BI +#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_10_BI +#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_11_BI +#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_12_BI +#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_13_BI + +# The EnrolmentResponse message shall be encrypted using an ETSI TS 103 097 approved algorithm and the encryption shall be done with the same AES key as the one used by the ITS-S requestor for the encryption of the EnrolmentRequest message. +#ItsPki_TestCases.TC_SECPKI_EA_ENR_01_BV +#ItsPki_TestCases.TC_SECPKI_EA_ENR_02_BV +#ItsPki_TestCases.TC_SECPKI_EA_ENR_03_BV +#ItsPki_TestCases.TC_SECPKI_EA_ENR_04_BV +#ItsPki_TestCases.TC_SECPKI_EA_ENR_05_BV +#ItsPki_TestCases.TC_SECPKI_EA_ENR_06_BV +#ItsPki_TestCases.TC_SECPKI_EA_ENR_07_BV +#ItsPki_TestCases.TC_SECPKI_EA_ENR_08_BV +#ItsPki_TestCases.TC_SECPKI_EA_ENR_09_BV +#ItsPki_TestCases.TC_SECPKI_EA_ENR_10_BV +#ItsPki_TestCases.TC_SECPKI_EA_ENR_11_BV +#ItsPki_TestCases.TC_SECPKI_EA_ENR_12_BV + +# +#ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_RCV_01_BV +#ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_RCV_02_BI + +# +#ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_01_BV +#ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_02_BV +#ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_03_BV +#ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_04_BV +#ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_05_BV +#ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_06_BV +#ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_07_BV + +# +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_01_BV +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_02_BV +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_03_BI +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_04_BI +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_05_BI +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_06_BI +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_07_BI +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_08_BI +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_09_BI +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_10_BI +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_11_BI +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_12_BI +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_13_BI +#ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_14_BI + +# +#ItsPki_TestCases.TC_SECPKI_AA_AUTHVAL_01_BV + +[MAIN_CONTROLLER] +# The options herein control the behavior of MC. +KillTimer := 10.0 +LocalAddress := 127.0.0.1 +TCPPort := 12000 +NumHCs := 1 + diff --git a/etc/AtsPki/AtsPki_Microsec.cfg_ b/etc/AtsPki/AtsPki_Microsec.cfg_ index e4d7cb6abc7e469a3763b84268d1b4dc65940581..30556beb850d3898a3f7fceaba8c00ffacb60890 100644 --- a/etc/AtsPki/AtsPki_Microsec.cfg_ +++ b/etc/AtsPki/AtsPki_Microsec.cfg_ @@ -10,6 +10,7 @@ LibItsSecurity_Pixits.PX_CERTIFICATE_POOL_PATH := "/home/vagrant/tmp" LibItsSecurity_Pixits.PX_IUT_SEC_CONFIG_NAME := "asn1c_cert" LibItsHttp_Pics.PICS_HEADER_CONTENT_TYPE := "application/x-its-request" + LibItsHttp_Pics.PICS_HEADER_HOST := "v2x-pki-test.microsec.com" LibItsPki_Pics.PICS_HTTP_POST_URI_EC := "/v2x_ea_nistp256/ecRequest" @@ -20,6 +21,7 @@ LibItsPki_Pics.PICS_HTTP_POST_URI_ATV := "/v2x_ea_nistp256/authValRequest" LibItsPki_Pics.PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY := '5C25F97607DFC62972A147FAD8B7A7C939569F0F95ECD4C641724A68B51836E5'O LibItsPki_Pics.PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY := '020144E5174B0AFDA86BDB8B643B68D40030F5BDB9A9F090C64852CC3C20C9D5AD'O LibItsPki_Pics.PICS_ITS_S_CANONICAL_ID := '45534352595054000000000000000011'O + LibItsPki_Pics.PICS_TS_EA_CERTIFICATE_ID := "CERT_MICROSEC_EA" LibItsPki_Pics.PICS_TS_AA_CERTIFICATE_ID := "CERT_TS_A_AA" LibItsPki_Pics.PICS_IUT_AA_CERTIFICATE_ID := "CERT_MICROSEC_AA" @@ -31,9 +33,10 @@ LibItsPki_Pics.PICS_TS_CA_CERTIFICATE_ID := "CERT_MICROSEC_RCA" #LibItsPki_Pixits.PX_INCLUDE_ENCRYPTION_KEYS := false # No encryption key in Authorization request -#LibItsPki_Pixits.PX_VE_ALG := e_brainpool_p256_r1 # e_nist_p256 or e_brainpool_p384_r1 -#LibItsPki_Pixits.PX_EC_ALG_FOR_EC := e_brainpool_p256_r1 # e_nist_p256 -#LibItsPki_Pixits.PX_EC_ALG_FOR_AT := e_brainpool_p384_r1 # e_nist_p256 o e_brainpool_p384_r1 +#LibItsPki_Pixits.PX_VE_ALG := e_brainpool_p256_r1 # e_nist_p256 or e_brainpool_p384_r1 +#LibItsPki_Pixits.PX_EC_ALG_FOR_EC := e_brainpool_p256_r1 # e_nist_p256 +#LibItsPki_Pixits.PX_EC_ALG_FOR_AT := e_brainpool_p384_r1 # e_nist_p256 o e_brainpool_p384_r1 +#LibItsPki_Pixits.PX_EC_ALG_FOR_EC_SIGN := e_brainpool_p256_r1 # e_nist_p256, e_brainpool_p256_r1 #LibItsPki_Pixits.PX_EC_PRIVATE_KEY := '170D1EA638C300BD16F0025768C0F1FAA6BE23963E46AD10F79103914265D294'O #LibItsPki_Pixits.PX_EC_HASH := 'DFEFC2A74C8ADD0C8B74B958EE072229D25DEAAAE30D134193D091890E8F3C2C'O @@ -59,67 +62,111 @@ system.httpPort.params := "HTTP(codecs=http_its:http_etsi_ieee1609dot2_codec)/TC [EXECUTE] # The EnrolmentResponse message shall be sent by the EA to the ITS-S across the interface at reference point S3 in response to a received EnrolmentRequest message -#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_01_BV -# Check that EA doesn't accept Enrolment rekeying request when enrolment is not permitted by signing certificate +ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_01_BV + +# Check that EA doesn't accept Enrolment rekeying request when enrolment is not permitted by signing certificate (not containing an item of type PsidSsp) #ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_02_BI_01 -ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_02_BI_02 +# Check that EA doesn't accept Enrolment rekeying request when enrolment is not permitted by signing certificate (containing opaque[0] (version) indicating other value than 1) +#ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_02_BI_02 +# Check that EA doesn't accept Enrolment rekeying request when enrolment is not permitted by signing certificate (containing opaque[1] (value) indicating "Enrolment Request" (bit 1) set to 0) #ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_02_BI_03 + +# Enroll an ITS-Station, but with a canonical-ID, that is not registered. #ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_05_BI +# Enroll the ITS-Station, but the CSR re-quests more permissions than the issuer allows, i.e. request for security management SSP bit which is not set in the EA SSP #ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_06_BI +# Enroll the ITS-Station, but the CSR requests a AID permission that the issuer does not allow, i.e. request for CAM AID #ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_07_BI +# Enroll the ITS-Station, but the expiring date of the CSR is before the start date of the EA #ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_08_BI +# Enroll the ITS-Station, but the start date of the CSR is before the start date of the EA #ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_09_BI +# Enroll the ITS-Station, but the expiring date of the CSR is after the expiring date of the EA #ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_10_BI +# Enroll the ITS-Station, but the start date of the CSR is after the expiring date of the EA #ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_11_BI +# Enroll the ITS-Station, but the lifetime of the EC would be grater than allowed (considering values in C-ITS CP) #ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_12_BI +# Enroll the ITS-Station, but the inner PoP signature in the CSR, created with the EC private key, can not be verified with the provided public key #ItsPki_TestCases.TC_SECPKI_EA_ENR_RCV_13_BI # The EnrolmentResponse message shall be encrypted using an ETSI TS 103 097 approved algorithm and the encryption shall be done with the same AES key as the one used by the ITS-S requestor for the encryption of the EnrolmentRequest message. #ItsPki_TestCases.TC_SECPKI_EA_ENR_01_BV +# The EnrolmentResponse message shall be encrypted using an ETSI TS 103 097 approved algorithm and the encryption shall be done with the same AES key as the one used by the ITS-S requestor for the encryption of the EnrolmentRequest message. #ItsPki_TestCases.TC_SECPKI_EA_ENR_02_BV +# The outermost structure is an EtsiTs103097Data-Encrypted structure containing the component recipients containing one instance of RecipientInfo of choice pskRecipInfo, which contains the HashedId8 of the symmetric key used by the ITS-S to encrypt the EnrolmentRequest message to which the response is built and containing the component ciphertext, once decrypted, contains an EtsiTs103097Data-Signed structure #ItsPki_TestCases.TC_SECPKI_EA_ENR_03_BV +# If the ITS-S has been able to decrypt the content, this expected EtsiTs103097Data-Signed structure shall contain hashId, tbsData, signer and signature. The hashId shall indicate the hash algorithm to be used as specified in ETSI TS 103 097, the signer shall be declared as a digest, containing the HashedId8 of the EA certificate and the signature over tbsData shall be computed using the EA private key corresponding to its publicVerificationKey found in the referenced EA certificate #ItsPki_TestCases.TC_SECPKI_EA_ENR_04_BV +# Within the headerInfo of the tbsData, the psid shall be set to secured certificate request as assigned in ETSI TS 102 965 and the generationTime shall be present #ItsPki_TestCases.TC_SECPKI_EA_ENR_05_BV +# Within the headerInfo of the tbsData, aside from psid and generationTime, all other components of the component tbsData.headerInfo not used and absent #ItsPki_TestCases.TC_SECPKI_EA_ENR_06_BV +# The EtsiTS102941Data shall contain the version set to v1 (integer value set to 1) and the content set to InnerECResponse #ItsPki_TestCases.TC_SECPKI_EA_ENR_07_BV +# The InnerECResponse shall contain the requestHash, which is the left-most 16 octets of the SHA256 digest of the EtsiTs103097Data - Signed structure received in the request and a responseCode indicating the result of the request #ItsPki_TestCases.TC_SECPKI_EA_ENR_08_BV +# If the responseCode is 0, the InnerECResponse shall also contain an (enrolment) certificate #ItsPki_TestCases.TC_SECPKI_EA_ENR_09_BV +# If the responseCode is different than 0, the InnerECResponse shall not contain a certificate #ItsPki_TestCases.TC_SECPKI_EA_ENR_10_BV +# Check that signing of Enrolment response message is permitted by the EA certificate #ItsPki_TestCases.TC_SECPKI_EA_ENR_11_BV +# Check that generated EC certificate contains only allowed permissions #ItsPki_TestCases.TC_SECPKI_EA_ENR_12_BV -# +# The AuthorizationValidationResponse message shall be sent by the EA to the AA across the interface at reference point S4 in response to a received AuthorizationValidationRequest message #ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_RCV_01_BV +# Check that EA doesn't accept Authorization Validation Request when SharedAtRequest is signed with certificate without appropriate permissions #ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_RCV_02_BI -# +# The EtsiTs103097Data-Encrypted is build with the component recipients containing one instance of RecipientInfo of choice pskRecipInfo, which contains the HashedId8 of the symmetric key used by the ITS-S to encrypt the AuthorizationRequest message to which the response is built and the component ciphertext containing the encrypted representation of the EtsiTs103097Data-Signed. The encryption uses a ETSI TS 103 097 [3] approved algorithm #ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_01_BV +# To read an authorization validation response, the AA shall receive an EtsiTs103097Data-Encrypted structure, containing a EtsiTs103097Data-Signed structure, containing a EtsiTs102941Data structure, containing an AuthorizationValidationResponse structure #ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_02_BV +# The AuthorizationValidationResponse structure contains the requestHash being the left-most 16 octets of the SHA256 digest of the EtsiTs103097Data-Signed structure received in the AuthorizationValidationRequest and a responseCode #ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_03_BV +# If the responseCode is 0, the AuthorizationValidationResponse structure contains the component confirmedSubjectAttributes with the attributes the EA wishes to confirm, except for certIssuePermissions which is not allowed to be present #ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_04_BV +# If the responseCode is different than 0, the AuthorizationValidationResponse structure does not contain the component confirmedSubjectAttributes #ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_05_BV +# The component version of the EtsiTs102941Data structure is set to v1 (integer value set to 1) #ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_06_BV -#ItsPki_TestCases.TC_SECPKI_EA_AUTHVAL_07_BV -# +# Check that the EA/AA is able to decrypt the AuthorizationRequest message using the encryption private key corresponding to the recipient certificate... #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_01_BV +# Check that the AA is able to decrypt the AuthorizationRequest message using the encryption private key corresponding to the recipient certificate... #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_02_BV +# Check that the AA skips the AuthorizationRequest message if it is not addressed to this AA #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_03_BI +# Check that the AA skips the AuthorizationRequest message if it unable to decrypt the encKey #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_04_BI +# Check that the AA skips the AuthorizationRequest message if it unable to decrypt the encKey #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_05_BI +# Check that the AA rejects the AuthorizationRequest message if it unable to verify the POP signature #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_06_BI +# Check that the AA rejects the AuthorizationRequest message if it unable to verify the integrity of the request using hmacKey #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_07_BI +# Send a correctly encoded AT request, but the ITS-Station is not enrolled at the EA #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_08_BI +# Send an AT request, but the inner signer (valid EC) is not issued by the EA which is known / trusted by the AA. The AA trusts only EAs listet on the RCA-CTL #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_09_BI +# Send an AT request, but the generation time of the CSR is in the past #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_10_BI +# Send an AT request, but the generation time of the CSR is in the future #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_11_BI +# Send an AT request, but the expiry date of the CSR is before the start date of the EC #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_12_BI +# Send an AT request, but the start date of the CSR is before the start date of the EC #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_13_BI +# Send an AT request, but the expiry date of the CSR is after the expiry date of the EC #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_14_BI +# Send an AT request, but the start date of the CSR is after the expiring date of the EC #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_15_BI +# Send an AT request, but the expiry date of the CSR is after now + maximum pre-loading period (considering values in C-ITS CP) #ItsPki_TestCases.TC_SECPKI_AA_AUTH_RCV_16_BI -# +# Check that the AA sends AuthorizationValidationRequest after receiving of the AuthorizationRequest #ItsPki_TestCases.TC_SECPKI_AA_AUTHVAL_01_BV [MAIN_CONTROLLER] diff --git a/etc/AtsPki/AtsPki_Siemens.cfg_ b/etc/AtsPki/AtsPki_Siemens.cfg_ index f6c5ef4539d8b0704b6e2cacede96522f879c1f5..c3770fda542baf7d9ca2d5a6936ca50c7a068dd2 100644 --- a/etc/AtsPki/AtsPki_Siemens.cfg_ +++ b/etc/AtsPki/AtsPki_Siemens.cfg_ @@ -23,7 +23,7 @@ LibItsSecurity_Pixits.PX_IUT_SEC_CONFIG_NAME := "asn1c_cert" #LibItsSecurity_Pics.PICS_SEC_FIXED_KEYS := true # Seed LibItsHttp_Pics.PICS_HEADER_CONTENT_TYPE := "application/x-its-request" -LibItsHttp_Pics.PICS_HEADER_HOST := "192.168.42.4" +LibItsHttp_Pics.PICS_HEADER_HOST := "172.14.5.253" LibItsPki_Pics.PICS_HTTP_POST_URI_EC := "/ea/enrolment" LibItsPki_Pics.PICS_HTTP_POST_URI_AT := "/aa/authorization" @@ -136,18 +136,18 @@ LogEventTypes:= Yes # Single GeoNetworking component port # its_aid = 36 CAM # its_aid = 37 DENM -system.geoNetworkingPort.params := "GN(ll_address=4C5E0C14D2EB,latitude=43551050,longitude=10298730,distanceA=1500,distanceB=1500,angle=0,device_mode=0,secured_mode=1,its_aid=36,certificate=CERT_TS_A_AT,sec_db_path=/home/vagrant/tmp/asn1c_cert)/ETH(mac_src=e2b7b30429eb)/PCAP(mac_src=e2b7b30429eb,nic=eth1,filter=and ether proto 0x8947)" +system.geoNetworkingPort.params := "GN(ll_address=4C5E0C14D2EB,latitude=43551050,longitude=10298730,distanceA=1500,distanceB=1500,angle=0,device_mode=0,secured_mode=1,its_aid=36,certificate=CERT_TS_A_AT,sec_db_path=/home/vagrant/tmp/test/certificates/asn1c_cert)/ETH(mac_src=080027d5428a)/PCAP(mac_src=080027d5428a,nic=eth2,filter=and ether proto 0x8947)" # Single HTTP component port -system.httpPort.params := "HTTP(codecs=http_its:http_etsi_ieee1609dot2_codec)/TCP(debug=1,server_mode=1,server=192.168.42.4,port=80,local_port=80,use_ssl=0)" +system.httpPort.params := "HTTP(codecs=http_its:http_etsi_ieee1609dot2_codec)/TCP(debug=1,server_mode=1,server=172.24.5.252,port=80,local_port=80,use_ssl=0)" # GeoNetworking UpperTester port based on UDP -system.utPort.params := "UT_PKI/UDP(dst_ip=192.168.42.2,src_port=12345)" +system.utPort.params := "UT_PKI/UDP(dst_ip=172.24.5.253)" [EXECUTE] # Check that IUT sends an enrolment request when triggered. -#ItsPki_TestCases.TC_SECPKI_ITSS_ENR_01_BV +ItsPki_TestCases.TC_SECPKI_ITSS_ENR_01_BV # If the enrolment request of the IUT is an initial enrolment request, the itsId (contained in the InnerECRequest) shall be set to the canonical identifier, the signer (contained in the outer EtsiTs1030971Data-Signed) shall be set to self and the outer signature shall be computed using the canonical private key. #ItsPki_TestCases.TC_SECPKI_ITSS_ENR_02_BV # In presence of a valid EC, the enrolment request of the IUT is a rekeying enrolment request with the itsId (contained in the InnerECRequest) and the SignerIdentifier (contained in the outer EtsiTs1030971Data-Signed) both declared as digest containing the HashedId8 of the EC and the outer signature computed using the current valid EC private key corresponding to the verification public key. @@ -155,7 +155,7 @@ system.utPort.params := "UT_PKI/UDP(dst_ip=192.168.42.2,src_port=12345)" #ItsPki_TestCases.TC_SECPKI_ITSS_ENR_06_BV #ItsPki_TestCases.TC_SECPKI_ITSS_ENR_07_BV -ItsPki_TestCases.TC_SECPKI_ITSS_AUTH_01_BV +#ItsPki_TestCases.TC_SECPKI_ITSS_AUTH_01_BV [MAIN_CONTROLLER] # The options herein control the behavior of MC. diff --git a/etc/AtsSecurity/AtsSecurity_codha.cf_ b/etc/AtsSecurity/AtsSecurity_codha.cf_ new file mode 100644 index 0000000000000000000000000000000000000000..d572a78681a425f9733e4420eb1f6a9c4199e85c --- /dev/null +++ b/etc/AtsSecurity/AtsSecurity_codha.cf_ @@ -0,0 +1,316 @@ + +[MODULE_PARAMETERS] +# This section shall contain the values of all parameters that are defined in your TTCN-3 modules. + +# The GeoNetworking address of the IUT. +LibItsGeoNetworking_Pics.PICS_GN_LOCAL_GN_ADDR := { + typeOfAddress := e_initial, # e_manual(1) e_initial (0) + stationType := e_unknown, + stationCountryCode := 0, #33, + mid := '020000000000'O +} +#LibItsGeoNetworking_Pics.PICS_GN_LOCAL_GN_ADDR := { +# typeOfAddress := e_initial, +# stationType := e_unknown, #e_roadSideUnit, +# stationCountryCode := 0, #33, +# mid := '4c5e0c14d2ea'O +#} # Simu + +LibItsGeoNetworking_Pixits.PX_GN_UPPER_LAYER := e_btpB +LibItsBtp_Pixits.PX_DESTINATION_PORT := 2001 +LibItsBtp_Pixits.PX_DESTINATION_PORT_INFO := 2001 + +# Enable Security support +LibItsGeoNetworking_Pics.PICS_GN_SECURITY := true +# Root path to access certificate stored in files, identified by certficate ID +LibItsSecurity_Pixits.PX_CERTIFICATE_POOL_PATH := "/home/vagrant/tmp" +# Configuration sub-directory to access certificate stored in files +LibItsSecurity_Pixits.PX_IUT_SEC_CONFIG_NAME := "asn1c_cert" + +#ItsSecurity_Pics.PICS_CERTFICATES_VAR := 6; + +[LOGGING] +# In this section you can specify the name of the log file and the classes of events +# you want to log into the file or display on console (standard error). + +LogFile := "../logs/%e.%h-%r.%s" +FileMask := LOG_ALL | USER | DEBUG | MATCHING +ConsoleMask := LOG_ALL | USER | DEBUG | MATCHING +#FileMask := ERROR | WARNING | USER | MATCHING | EXECUTOR_RUNTIME | VERDICTOP +#ConsoleMask := ERROR | WARNING | USER | MATCHING | EXECUTOR_RUNTIME | VERDICTOP +LogSourceInfo := Stack +LogEntityName:= Yes +LogEventTypes:= Yes +#TimeStampFormat := DateTime + +[TESTPORT_PARAMETERS] +# In this section you can specify parameters that are passed to Test Ports. +# CAM Layer +# next_header : btpA|btpB (overwrite BTP.type) +# header_type : tsb|gbc +# header_sub_type : sh (single hop) +# DENM Layer +# next_header : btpA|btpB (overwrite BTP.type) +# header_type : tsb|gbc +# BTP Layer +# type : btpA|btpB +# destination port: dst_port +# source port : src_port +# device_mode : Set to 1 if the layer shall encapsulate upper layer PDU +# device_mode : Set to 1 if the layer shall encapsulate upper layer PDU +# GN Layer +# ll_address : GeoNetworking address of the Test System +# latitude : latitude of the Test System +# longitude : longitude of the Test System +# beaconing : Set to 1 if GnLayer shall start beaconing +# Beaconning timer expiry: expiry (ms) +# device_mode : Set to 1 if the layer shall encapsulate upper layer PDU +# secured_mode : Set to 1 if message exchanges shall be signed +# encrypted_mode : Set to 1 if message exchanges shall be encrypted +# NOTE: For signed & encrypted message exchanges, both secured_mode and encrypted_mode shall be set to 1 +# sec_db_path : Path to the certificates and keys storage location +# hash : Hash algorithm to be used when secured mode is set +# Authorized values are SHA-256 or SHA-384 +# Default: SHA-256 +# signature : Signature algorithm to be used when secured mode is set +# Authorized values are NISTP-256, NISTP-384, BP-256 and BP-384 +# Default: NISTP-256 +# cypher : Cyphering algorithm to be used when secured mode is set +# Authorized values are NISTP-256, BP-256 and BP-384 +# Default: NISTP-256 +# Ethernet layer +# mac_src :Source MAC address +# mac_bc :Broadcast address +# eth_type : Ethernet type +# Commsignia layer +# mac_src : Device MAC address, used to discard packets +# To indicate no filering, use the value 000000000000 +# mac_bc : Broadcast address +# eth_type : Ethernet type, used to discard packets +# target_host : Device address +# target_port : Device port +# source_port : Test System port +# interface_id: Interface id, used to discard packets +# tx_power : TX power (dB) +# UDP layer (IP/UDP based on Pcap) +# dst_ip : destination IPv4 address (aa.bb.cc.dd) +# dst_port: destination port +# src_ip : source IPv4 address (aa.bb.cc.dd) +# src_port: source port +# Pcap layer +# mac_src : Source MAC address, used to exclude from capture the acket sent by the Test System +# filter : Pcap filter (compliant with tcpdump syntax) +# Online mode: +# nic: Local NIC +# If set, online mode is used +# Offline mode (nic is present but not set): +# file : File to read +# frame_offset: Frame offset, used to skip packets with frame number < frame_offset +# time_offset : Time offset, used to skip packets with time offset < time_offset +# save_mode : 1 to save sent packet, 0 otherwise + +# Single GeoNetworking component port +# its_aid = 36 CAM +# its_aid = 37 DENM +# its_aid = 141 GeonNet mgnt +system.geoNetworkingPort.params := "GN(ll_address=4C5E0C14D2EB,latitude=43551050,longitude=10298730,distanceA=1500,distanceB=1500,angle=0,device_mode=0,secured_mode=0,its_aid=36)/ETH(mac_src=080027d5428a)/PCAP(mac_src=080027d5428a,nic=eth2,filter=and ether proto 0x8947)" + +#system.utPort.params := "UT_GN/UDP(dst_ip=10.100.60.27)" +system.utPort.params := "UT_CAM/UDP(dst_ip=10.100.60.136)" +#system.utPort.params := "UT_DENM/UDP(dst_ip=10.100.60.136)" + +system.camUtPort.params := "UT_CAM/UDP(dst_ip=10.100.60.136)" +#system.denmUtPort.params := "UT_DENM/UDP(dst_ip=10.100.60.27)" + +[EXECUTE] + +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_GENMSG_01_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_GENMSG_02_BV + +#Check that ITS-S sends a Ieee1609Dot2Data containing protocol version set to 3 +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_MSG_01_BV + +# ------------------------- CAM --------------------------- +# Check that IUT sends the secured CAM using SignedData container. +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CAM_01_BV + +# Check that IUT sends the secured CAM containing the HeaderInfo field psid set to 'AID_CAM'. +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CAM_02_BV + +# Check that IUT sends the secured CAM with the HeaderInfo containing generationTime +# and doesn't containing expiryTime, generationLocation, encryptionKey, p2pcdLearningRequest, missingCrlIdentifier. +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CAM_03_BV + +# Check that IUT sends the secured CAM containing signer containing either certificate or digest; +# Check that signing certificate has permissions to sign CAM messages. +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CAM_04_BV + +# Check that IUT calculate the digest of certificate using proper hash algorithm; +# Check that IUT canonicalize certificates before hash calculation. +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CAM_05_BV + +# Check that IUT sends the secured CAM containing the signing certificate when over the time of one +# second no other secured CAM contained the certificate was sent. +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CAM_06_BV + +# Check that IUT sends the secured CAM containing the signing certificate when the timeout of one second +# has been expired after the previous CAM containing the certificate. +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CAM_07_BV + +# Check that IUT sends the secured CAM containing the signing certificate when the IUT received CAM from an unknown ITS-S. +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CAM_08_BV + +# Check that IUT restarts the certificate sending timer when the certificate has been sent. +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CAM_09_BV + +# Check that the IUT sends certificate request when it receives secured CAM containing +# digest of unknown certificate as a message signer. +# (PICS_SEC_P2P_AT_DISTRIBUTION) +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CAM_10_BV + +# Check that the IUT sends certificate request when it receives secured CAM +# containing certificate signed by unknown AA certificate. +# (PICS_SEC_P2P_AT_DISTRIBUTION and PICS_SEC_SHA256) +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CAM_11_01_BV + +# Check that the IUT sends certificate request when it receives secured CAM +# containing certificate signed by unknown AA certificate. +# (PICS_SEC_P2P_AT_DISTRIBUTION and PICS_SEC_SHA384) +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CAM_11_02_BV + +# Check that IUT sends the secured CAM containing the signing certificate when it received +# a CAM containing a request for unrecognized certificate that matches with the currently +# used AT certificate ID of the IUT. +# (PICS_SEC_P2P_AT_DISTRIBUTION) +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CAM_12_BV + +# Check that IUT sends the secured CAM containing the AA certificate in the requestedCertificate +# headerInfo field when it received a CAM containing a request for unrecognized certificate that +# matches with the currently used AA certificate ID of the IUT. +# (PICS_SEC_P2P_AT_DISTRIBUTION) +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CAM_13_BV + +# Check that IUT sends the secured CAM containing the AA certificate in the requestedCertificate headerInfo +# field when it received a CAM containing a request for unrecognized certificate that matches with the known +# AA certificate ID which is not currently used by the IUT. +# (PICS_SEC_P2P_AA_DISTRIBUTION) +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CAM_14_BV + +# Check that the IUT doesn't send a secured CAM containing the AA certificate in the requestedCertificate +# headerInfo field when it was previously requested and already received from another ITS-S. +# (PICS_SEC_P2P_AA_DISTRIBUTION) +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CAM_15_BV + +# Check that the IUT doesn't send a secured CAM containing the AA certificate in the requestedCertificate +# headerInfo field when it contains certificate in the signer field. +# (PICS_SEC_P2P_AA_DISTRIBUTION) +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CAM_16_BV + +# Check that the IUT send a secured CAM containing the AA certificate in the +# requestedCertificate headerInfo field with the next CAM containing digest as a signer info. +# (PICS_SEC_P2P_AA_DISTRIBUTION) +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CAM_17_BV + +# Check that IUT sends the secured CAM containing generation time and this time is inside the validity period of the signing certificate; +# Check that message generation time value is realistic +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CAM_18_BV + +# Check that IUT sends the secured CAM containing the 'data' field in signed data payload, +# containing the EtsiTs103097Data of type unsecured, contained the CAM payload +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CAM_19_BV + +# Check that the IUT sends the secured CAM signed with the certificate containing appPermisions +# allowing to sign CA messages +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CAM_20_BV + +# Check that IUT sends the secured CAM containing signature; +# Check that the signature is calculated over the right fields +# and using right hash algorythm by cryptographically verifying the signature +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CAM_21_BV + +# Check that IUT sends the secured CAM containing signature containing the ECC point of type set to +# either compressed_lsb_y_0, compressed_lsb_y_1 or x_coordinate_only. +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CAM_22_BV + +# Check that IUT doesn't send secured CAMs if IUT is authorized with AT certificate doesn't allowing sending messages in this location. +ItsSecurity_TestCases.TC_SEC_ITSS_SND_CAM_23_BV + +# Check that IUT doesn't send the secured CAM if IUT is configured to use an AT certificate without +# region validity restriction and generation location is outside of the region of the issuing AA certificate. +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CAM_24_BV + +# Check that IUT doesn't send secured CAMs if all AT certificates installed on the IUT was expired. +#ItsSecurity_Pics.PICS_CERTFICATE_ID_VARIANT := "CERT_IUT_A1_AT" +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CAM_25_BV + +# Check that IUT doesn't send secured CAMs if all AT certificates installed on the IUT have the starting time in the future. +#ItsSecurity_Pics.PICS_CERTFICATE_ID_VARIANT := "CERT_IUT_A2_AT" +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CAM_26_BV + +# Check that IUT doesn't send secured CAMs if IUT doesn't possess an AT certificate allowing sending CAM by its appPermissions. +#ItsSecurity_Pics.PICS_CERTFICATE_ID_VARIANT := "CERT_IUT_A3_AT" +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CAM_27_BV + +#--------------------------------------- DENM ------------------------------------------ +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_DENM_01_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_DENM_02_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_DENM_03_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_DENM_04_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_DENM_05_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_DENM_06_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_DENM_07_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_DENM_08_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_DENM_09_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_DENM_10_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_DENM_11_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_DENM_12_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_DENM_13_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_DENM_14_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_DENM_15_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_DENM_16_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_DENM_17_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_DENM_18_BV + +#--------------------------------------- OTHER MESSAGES ------------------------------------------ +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_GENMSG_01_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_GENMSG_02_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_GENMSG_03_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_GENMSG_04_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_GENMSG_05_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_GENMSG_06_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_GENMSG_07_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_GENMSG_08_BV + +#--------------------------------------- CERTIFICATE TESTING ------------------------------------------ +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CERT_01_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CERT_02_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CERT_03_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CERT_04_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CERT_05_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CERT_06_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CERT_07_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CERT_08_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CERT_09_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CERT_10_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CERT_11_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CERT_12_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CERT_13_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CERT_14_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CERT_15_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CERT_16_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CERT_17_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CERT_18_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CERT_19_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CERT_20_BV +#ItsSecurity_TestCases.TC_SEC_ITSS_SND_CERT_21_BV + +#--------------------------------------- Internal tests (to be removed) ------------------------------------------ +#ItsSecurity_TestCases.TC_TEST_1 + +[MAIN_CONTROLLER] +# The options herein control the behavior of MC. +KillTimer := 10.0 +LocalAddress := 127.0.0.1 +TCPPort := 12000 +NumHCs := 1 + diff --git a/ttcn/AtsPki/ItsPki_TestCases.ttcn b/ttcn/AtsPki/ItsPki_TestCases.ttcn index dcb74788d4a7766abaa1d5f4689087d82b709df1..acdcf977ea65d43adfb623d3e5586d20d347c2d8 100644 --- a/ttcn/AtsPki/ItsPki_TestCases.ttcn +++ b/ttcn/AtsPki/ItsPki_TestCases.ttcn @@ -2779,8 +2779,8 @@ module ItsPki_TestCases { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { - log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedrequest)))); - if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedrequest))) == false) { + log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedpermissions)))); + if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedpermissions))) == false) { log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { @@ -3970,7 +3970,7 @@ module ItsPki_TestCases { } // End of testcase TC_SECPKI_EA_ENR_04_BV /** - * @desc Within the headerInfo of the tbsData, the psid shall be set to “secured certificate request� as assigned in + * @desc Within the headerInfo of the tbsData, the psid shall be set to secured certificate request as assigned in * ETSI TS 102 965 and the generationTime shall be present. * 
        * Pics Selection: PICS_IUT_EA_ROLE
@@ -5097,7 +5097,7 @@ module ItsPki_TestCases {
         log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
         log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
         // Generate an InnerAtRequest
-        if (f_generate_inner_at_request(vc_aaCertificate, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) {
+        if (f_generate_inner_at_request(vc_aaCertificate, -, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) {
           log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***");
           f_selfOrClientSyncAndVerdict("error", e_error);
         }
@@ -5234,7 +5234,7 @@ module ItsPki_TestCases {
         log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
         log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
         // Generate an InnerAtRequest
-        if (f_generate_inner_at_request(vc_aaCertificate, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) {
+        if (f_generate_inner_at_request(vc_aaCertificate, -, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) {
           log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***");
           f_selfOrClientSyncAndVerdict("error", e_error);
         }
@@ -5384,7 +5384,7 @@ module ItsPki_TestCases {
         log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
         log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
         // Generate an InnerAtRequest
-        if (f_generate_inner_at_request(vc_aaCertificate, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) {
+        if (f_generate_inner_at_request(vc_aaCertificate, -, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) {
           log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***");
           f_selfOrClientSyncAndVerdict("error", e_error);
         }
@@ -5518,7 +5518,7 @@ module ItsPki_TestCases {
         log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
         log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
         // Generate an InnerAtRequest
-        if (f_generate_inner_at_request(vc_aaCertificate, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) {
+        if (f_generate_inner_at_request(vc_aaCertificate, -, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) {
           log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***");
           f_selfOrClientSyncAndVerdict("error", e_error);
         }
@@ -5657,7 +5657,7 @@ module ItsPki_TestCases {
         log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
         log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
         // Generate an InnerAtRequest
-        if (f_generate_inner_at_request(vc_aaCertificate, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) {
+        if (f_generate_inner_at_request(vc_aaCertificate, -, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) {
           log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***");
           f_selfOrClientSyncAndVerdict("error", e_error);
         }
@@ -5796,7 +5796,7 @@ module ItsPki_TestCases {
         log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
         log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
         // Generate an InnerAtRequest
-        if (f_generate_inner_at_request(vc_aaCertificate, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) {
+        if (f_generate_inner_at_request(vc_aaCertificate, -, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) {
           log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***");
           f_selfOrClientSyncAndVerdict("error", e_error);
         }
@@ -5933,7 +5933,7 @@ module ItsPki_TestCases {
         log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
         log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
         // Generate an InnerAtRequest
-        if (f_generate_inner_at_request(vc_aaCertificate, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) {
+        if (f_generate_inner_at_request(vc_aaCertificate, -, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) {
           log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***");
           f_selfOrClientSyncAndVerdict("error", e_error);
         }
@@ -6067,7 +6067,7 @@ module ItsPki_TestCases {
         log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
         log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
         // Generate an InnerAtRequest
-        if (f_generate_inner_at_request(vc_aaCertificate, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) {
+        if (f_generate_inner_at_request(vc_aaCertificate, -, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) {
           log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***");
           f_selfOrClientSyncAndVerdict("error", e_error);
         }
@@ -8399,7 +8399,7 @@ module ItsPki_TestCases {
         
         // Postamble
         f_cfHttpDown();
-      } // End of testcase TC_SECPKI_AA_AUTH_RCV_15_BI
+      } // End of testcase TC_SECPKI_AA_AUTH_RCV_16_BI
       
     } // End of group authorization_request
 
@@ -8493,7 +8493,7 @@ module ItsPki_TestCases {
           // Preamble
           // Generate EC certificate
           f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
-          f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate)
+          f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate);
           // Send AuthorizationRequest
           f_http_build_authorization_request(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
           v_aes_sym_key_hashed_id8 := f_HashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to macth the response
diff --git a/ttcn/AtsRSUsSimulator/ItsRSUsSimulator_Functions.ttcn b/ttcn/AtsRSUsSimulator/ItsRSUsSimulator_Functions.ttcn
index e65952a235fab740b25964366a3e96f26b757575..1d9a8eb89de91b3d55045fb4d1472a463c404241 100644
--- a/ttcn/AtsRSUsSimulator/ItsRSUsSimulator_Functions.ttcn
+++ b/ttcn/AtsRSUsSimulator/ItsRSUsSimulator_Functions.ttcn
@@ -1031,7 +1031,7 @@ module ItsRSUsSimulator_Functions {
         }
         [vc_cam == true] cfPort.receive(UtCamTrigger: { changeCurvature := ? }) -> value v_utCamTrigger {
           log("v_utCamTrigger = ", v_utCamTrigger);
-          if (ispresent(vc_rsuMessagesValueList[vc_rsu_id].cam.cam.camParameters.highFrequencyContainer.basicVehicleContainerHighFrequency)) {
+          if (ischosen(vc_rsuMessagesValueList[vc_rsu_id].cam.cam.camParameters.highFrequencyContainer.basicVehicleContainerHighFrequency)) {
             cfPort.send(UtCamResults: { utCamTriggerResult := true } );
             vc_rsuMessagesValueList[vc_rsu_id].cam.cam.camParameters.highFrequencyContainer.basicVehicleContainerHighFrequency.curvature.curvatureValue := v_utCamTrigger.changeCurvature;
           } else {
@@ -1041,7 +1041,7 @@ module ItsRSUsSimulator_Functions {
         }
         [vc_cam == true] cfPort.receive(UtCamTrigger: { changeHeading := ? }) -> value v_utCamTrigger {
           log("v_utCamTrigger = ", v_utCamTrigger);
-          if (ispresent(vc_rsuMessagesValueList[vc_rsu_id].cam.cam.camParameters.highFrequencyContainer.basicVehicleContainerHighFrequency)) {
+          if (ischosen(vc_rsuMessagesValueList[vc_rsu_id].cam.cam.camParameters.highFrequencyContainer.basicVehicleContainerHighFrequency)) {
             cfPort.send(UtCamResults: { utCamTriggerResult := true } );
             vc_rsuMessagesValueList[vc_rsu_id].cam.cam.camParameters.highFrequencyContainer.basicVehicleContainerHighFrequency.heading.headingValue := valueof(vc_rsuMessagesValueList[vc_rsu_id].cam.cam.camParameters.highFrequencyContainer.basicVehicleContainerHighFrequency.heading.headingValue) + v_utCamTrigger.changeHeading;
           } else {
diff --git a/ttcn/AtsRSUsSimulator/ItsRSUsSimulator_Templates.ttcn b/ttcn/AtsRSUsSimulator/ItsRSUsSimulator_Templates.ttcn
index f250af294ab41e2a9e9b1fd281a1df481dbb8901..335512d612307ea11f319a002294a32bc9566197 100644
--- a/ttcn/AtsRSUsSimulator/ItsRSUsSimulator_Templates.ttcn
+++ b/ttcn/AtsRSUsSimulator/ItsRSUsSimulator_Templates.ttcn
@@ -11,13 +11,11 @@ module ItsRSUsSimulator_Templates {
     import from SPATEM_PDU_Descriptions language "ASN.1:1997" all;
     import from IVIM_PDU_Descriptions language "ASN.1:1997" all;
     import from IVI language "ASN.1:1997" all;
-    //import from EVCSN_PDU_Descriptions language "ASN.1:1997" all;
     import from SSEM_PDU_Descriptions language "ASN.1:1997" all;
     import from DSRC language "ASN.1:1997" all;
     
     // LibItsCommon
     import from LibItsCommon_ASN1_NamedNumbers all;
-    //    import from LibItsCommon_ASN1_ISDSRC_NamedNumbers all;
     import from LibItsCommon_Functions all;
     import from LibCommon_DataStrings all;
     
diff --git a/ttcn/AtsSecurity/ItsSecurity_Functions.ttcn b/ttcn/AtsSecurity/ItsSecurity_Functions.ttcn
index 75f3abfb98db942e04fe0edda1d92664ded28ead..bfff3080c311c7fb1e08338277f0b3d2765dd8b7 100644
--- a/ttcn/AtsSecurity/ItsSecurity_Functions.ttcn
+++ b/ttcn/AtsSecurity/ItsSecurity_Functions.ttcn
@@ -73,7 +73,7 @@ module ItsSecurity_Functions {
             // Local variables
             var GnNonSecuredPacket v_gnNonSecuredPacket;
             var octetstring v_gnPayload;
-            var EtsiTs103097Data v_securedMessage := {};
+            var EtsiTs103097Data v_securedMessage;
             
             log(">>> f_prepareSecuredCam");
             
@@ -162,7 +162,7 @@ module ItsSecurity_Functions {
             // Local variables
             var GnNonSecuredPacket v_gnNonSecuredPacket;
             var octetstring v_gnPayload;
-            var template (value) Ieee1609Dot2Data v_securedMessage := {};
+            var template (value) Ieee1609Dot2Data v_securedMessage;
             
             // Build signed Ieee1609Dot2Data
             v_gnNonSecuredPacket := valueof(m_geoNwShbPacket(
@@ -265,7 +265,7 @@ module ItsSecurity_Functions {
         ) runs on ItsGeoNetworking return GeoNetworkingPdu {
             
             // Local variables
-            var GeoNetworkingPdu v_securedGnPdu := {};//f_prepareSecuredCam_Bo(p_configId, p_protocolVersion, p_trailerStatus, p_headerFields, p_issuerIdentifier);
+            var GeoNetworkingPdu v_securedGnPdu;//f_prepareSecuredCam_Bo(p_configId, p_protocolVersion, p_trailerStatus, p_headerFields, p_issuerIdentifier);
             
 //            log("v_securedGnPdu = ", v_securedGnPdu);
             f_sendGeoNetMessage(valueof(m_geoNwReq_linkLayerBroadcast(v_securedGnPdu)));
@@ -296,7 +296,7 @@ module ItsSecurity_Functions {
             var GnNonSecuredPacket v_gnNonSecuredPacket;
             var octetstring v_gnPayload;
             var LongPosVector v_longPosVectorNodeB := f_getPosition(c_compNodeB); // Use NodeB
-            var template (value) Ieee1609Dot2Data v_securedMessage := {};
+            var template (value) Ieee1609Dot2Data v_securedMessage;
             var template (value) SituationContainer v_situation := m_situation(LibItsCommon_ASN1_NamedNumbers.CauseCodeType_vehicleBreakdown_, LibItsCommon_ASN1_NamedNumbers.VehicleBreakdownSubCauseCode_unavailable_);
             
             // Build signed Ieee1609Dot2Data
@@ -386,7 +386,7 @@ module ItsSecurity_Functions {
             var GnNonSecuredPacket v_gnNonSecuredPacket;
             var octetstring v_gnPayload;
             var LongPosVector v_longPosVectorNodeB := f_getPosition(c_compNodeB); // Use NodeB
-            var template (value) Ieee1609Dot2Data v_securedMessage := {};
+            var template (value) Ieee1609Dot2Data v_securedMessage;
             var template (value) SituationContainer v_situation := m_situation(LibItsCommon_ASN1_NamedNumbers.CauseCodeType_vehicleBreakdown_, LibItsCommon_ASN1_NamedNumbers.VehicleBreakdownSubCauseCode_unavailable_);
             
             // Build signed Ieee1609Dot2Data
@@ -524,7 +524,7 @@ module ItsSecurity_Functions {
             var GnNonSecuredPacket v_gnNonSecuredPacket;
             var octetstring v_gnPayload;
             var LongPosVector v_longPosVectorNodeB := f_getPosition(c_compNodeB); // Use NodeB
-            var template (value) Ieee1609Dot2Data v_securedMessage := {};
+            var template (value) Ieee1609Dot2Data v_securedMessage;
             
             // Build signed Ieee1609Dot2Data
             v_gnNonSecuredPacket := valueof(
@@ -584,7 +584,7 @@ module ItsSecurity_Functions {
             var GnNonSecuredPacket v_gnNonSecuredPacket;
             var octetstring v_gnPayload;
             var LongPosVector v_longPosVectorNodeB := f_getPosition(c_compNodeB); // Use NodeB
-            var template (value) Ieee1609Dot2Data v_securedMessage := {};
+            var template (value) Ieee1609Dot2Data v_securedMessage;
             
             // Build signed Ieee1609Dot2Data
             v_gnNonSecuredPacket := valueof(
diff --git a/ttcn/AtsSecurity/ItsSecurity_TestCases.ttcn b/ttcn/AtsSecurity/ItsSecurity_TestCases.ttcn
index 6ac722e3edb4f075c1b77a5c670bf364881b302a..ab5657c2582f18b28b1dd9326954cb9591d6c059 100644
--- a/ttcn/AtsSecurity/ItsSecurity_TestCases.ttcn
+++ b/ttcn/AtsSecurity/ItsSecurity_TestCases.ttcn
@@ -3865,7 +3865,7 @@ module ItsSecurity_TestCases {
                 
                 
                 // Test component configuration
-                vc_hashedId8ToBeUsed := PICS_CERTFICATES_FOI[PICS_CERTFICATES_VAR].certificate_id
+                vc_hashedId8ToBeUsed := PICS_CERTFICATES_FOI[PICS_CERTFICATES_VAR].certificate_id;
                 f_cf01Up();
                 
                 // Test adapter configuration
@@ -3944,7 +3944,7 @@ module ItsSecurity_TestCases {
                 
                 
                 // Test component configuration
-                vc_hashedId8ToBeUsed := PICS_CERTFICATES_FOI[PICS_CERTFICATES_VAR].certificate_id
+                vc_hashedId8ToBeUsed := PICS_CERTFICATES_FOI[PICS_CERTFICATES_VAR].certificate_id;
                 f_cf01Up();
                 
                 // Test adapter configuration
diff --git a/ttcn/LibIts b/ttcn/LibIts
index 969b2095a7263b6f5f405650d2d985b92b587d47..77f9d4cf66a865cf5809503bc3e1f1039fe750cd 160000
--- a/ttcn/LibIts
+++ b/ttcn/LibIts
@@ -1 +1 @@
-Subproject commit 969b2095a7263b6f5f405650d2d985b92b587d47
+Subproject commit 77f9d4cf66a865cf5809503bc3e1f1039fe750cd